27.01.2012 by Sebastian Rohr
I still remember the fun that was had when Dick Hardt first made his cool presentations on User Centric Identity Management and regaining control of who would get access to which attribute of your multiple personas, be it online, at home or at work. We all know that his company sxip identity failed because it did not gain enough momentum to monetize the idea. Still, concepts such as the (also “failed”, much to my dismay) Information Cards by Microsoft or the OpenID approach share some aspects of the sxipper product – putting you in control of your data. The current hype around the new EU privacy and data security legislation is putting some more focus on this!
Apparently, only very tech-savvy users – geeks like you and me – seem to widely adopt and use OpenID. I, personally, was attracted to Clavid, a Swiss IDP who combines OpenID with the one thing missing everywhere else: Strong Authentication! Most of you know that this is sort of my pet topic here at KCP and so I was really amazed to see them offer Yubikeys, Avionics’ Internet Passport and even SwissID Government issued certificates as a means of strong authentication – making Clavid an early representative of the prospering “Authentication as a Service” market segment. Not prospering enough, I guess, as I did not see the Clavid guys buying fast cars and castles on Lake Geneva’s shores…
Anyway, the concept of letting us – the users/consumers/customers – decide who gets access to which detail of our lives and (digital) identities remains an unsolved issue. Be it the tedious task of filling out form after form to get your kid into day-care or getting new insurance for your car – you have to share information about yourself and your loved ones and wonder: do they REALLY need that info? And if so: why do they ask me the same questions over and over again?
Wouldn’t it be nice if more of these form fields could be “auto-filled”, depending on your choice of what to disclose and what not? Wouldn’t it be great to have one common place to securely store all the insurance information, account information and whatnot? Just like putting your valuables in a bank deposit box (or your high-security safe in your secret lair downstairs, depending on whether you are a super villain or not)? You could even “compartmentalize” your life into stuff belonging to work/career (like digital versions of all your certifications and endorsements), your personal leisure activities (like memberships in sports clubs, your fishing license, your Open Water Diver certificate), your kids’ info (school district, headmaster contacts, the football team coach) and the list continues.
I recently tried to gather my family’s core identity data, such as passport and ID card numbers, SSN, healthcare ID, tax ID etc., and it took me a full Sunday. Last week I did it all over again, as I had misplaced the sheet of paper I used – pretty old school, don’t you think?
But all personal stupidity aside: wouldn’t it be great to use that “digital vault” full of your own personal data to actually ERASE all the personal details that are stored at the gazillion companies and organizations you interact with day to day? Why must I leave my CC info and full address with “your airline of choice”, if I could use their services “pseudonymously” and only allow access to those details “on demand” while I actually book a flight? Currently, if I lose my CC or it expires, the internet economy burdens me with changing my CC info on each of the gazillion pages I do business with. Why?
I am looking forward to a (hopefully very near) future where I can actually manage my data in one place and have those who need access to it authorized on a configurable basis. Sure, my employer should have continuous access to my bank account information! But if I am leaving – how can I make them erase that info on file today?
Look out for some cool new announcements and blogs on KCP on this – my colleagues will provide more info as it becomes “freely available”.
24.10.2011 by Sebastian Rohr
We have been discussing IRM, DRM, DLP and other acronyms back and forth for quite a while now and I am sure there are a good bunch of solutions out there for those organizations that have policies and procedures in place to sufficiently plan, build and run such a tool. Thus, I was pretty much “meh” about any discussions revolving around the pros and cons of approaches…
Well, our close friends sometimes surprise us with problems we never seem to have “seen” before. One of those friends runs a small System Integrator / VAR company and approached me with a problem that is common among these service providers: handling of RMAs…
Usually, if you have outsourcing agreements and service contracts, you would also have a number of SLAs that cover the use, transport, protection and security of data and mobile data storage devices such as flash disks, thumb drives or the very useful external hard drives, which are used to back up full virtual servers if no SAN/NAS is available on-site.
Well, these SLAs cover exactly that: the STANDARD operating procedures and day-to-day handling of those devices. But what happens if one or more of the external hard drives becomes defective and is not accessible because the controller is broken? You just had a full back-up pushed onto that drive last Friday and – during your standard tests of back-up media – you find the disk to be unresponsive due to controller failure. You KNOW that your client’s full data center, including Domain Controller, Exchange and ERP systems, is on that drive. You are unable to read the data, you cannot wipe the drive either, and you cannot “open” the casing because that voids the warranty under which you would like to get the drive replaced by your vendor/distributor.
Actually, you would have to send in the defective drive as-is (with all your client data on it) and wait to have it replaced or repaired. If replaced – what happens to the “raw disks”? They could easily be put into a computer or hooked up to another controller and the data extracted. If repaired, the controller will be exchanged and at least the QA tests will reveal the sensitive nature of the data stored…
According to the System Integrator community it is impossible to negotiate a special data-protection agreement with the Distributors, as their margins are already too low to invest in legal advisory regarding a set of 150 € products. Also, the clients are rather unwilling to sign a waiver which reduces or fully removes liability for any data breach from the SI. I would really LOVE to talk to some lawyers of the HD manufacturers and/or Distributors about this topic, as I fear that a large number of these RMAs happen without any thought about data protection…
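The failure mode described above (a drive whose controller dies while holding a full plaintext back-up) is only survivable if the media never held plaintext in the first place. As an added example, not part of the original post and not a KCP, SI or vendor tool, here is a small pre-shipment check a service desk could run on back-up media while the controller still works: it reads the first 4 KiB of the device and reports whether it carries a LUKS container (ciphertext only) or a bare filesystem. The LUKS1 field layout and the LUKS2 magic/label/uuid offsets follow the cryptsetup on-disk format; the sample headers are constructed for the demo, and the `rma_ready` shipping policy is my own assumption, not an industry rule.

```python
"""Added example (not from the original post): pre-RMA check for backup media.

Assumptions: LUKS1 binary header layout and the LUKS2 magic/version/label/uuid
offsets as in the cryptsetup on-disk format. The sample headers below are
constructed for the demo, not dumps of real drives. Run this while the
controller still works (at provisioning time or during regular media tests).
"""
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS2_SECONDARY_MAGIC = b"SKUL\xba\xbe"
LUKS1_HEADER_FMT = ">6sH32s32s32sII20s32sI40s"  # fixed part, 208 bytes
LUKS1_KEYSLOT_FMT = ">II32sII"                   # 48 bytes per slot, 8 slots
LUKS1_KEYSLOT_ACTIVE = 0x00AC71F3
LUKS1_KEYSLOT_DISABLED = 0x0000DEAD
HEADER_READ_SIZE = 4096


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def inspect_media_header(header: bytes) -> dict:
    """Classify the start of a block device: LUKS1, LUKS2, a recognizable
    plaintext filesystem, or unknown (which a pre-RMA check must treat as
    plaintext until proven otherwise)."""
    info = {"encrypted": False, "format": "unknown"}
    if header[:6] in (LUKS_MAGIC, LUKS2_SECONDARY_MAGIC):
        version = struct.unpack(">H", header[6:8])[0]
        if version == 1 and len(header) >= 592:
            f = struct.unpack_from(LUKS1_HEADER_FMT, header, 0)
            active = 0
            for slot in range(8):
                flag = struct.unpack_from(LUKS1_KEYSLOT_FMT, header, 208 + 48 * slot)[0]
                active += flag == LUKS1_KEYSLOT_ACTIVE
            info.update(encrypted=True, format="LUKS1",
                        cipher=f"{_cstr(f[2])}-{_cstr(f[3])}", hash=_cstr(f[4]),
                        key_bits=f[6] * 8, uuid=_cstr(f[10]), active_keyslots=active)
        elif version == 2:
            # LUKS2 keeps cipher and keyslot details in the JSON area after
            # the binary header; the binary part still gives label and uuid.
            info.update(encrypted=True, format="LUKS2",
                        label=_cstr(header[24:72]), uuid=_cstr(header[168:208]))
        else:
            info["format"] = f"LUKS? (version {version})"
    elif header[3:11] == b"NTFS    ":
        info["format"] = "NTFS (plaintext)"
    elif len(header) > 0x439 and header[0x438:0x43A] == b"\x53\xef":  # ext magic 0xEF53, LE
        info["format"] = "ext2/3/4 (plaintext)"
    return info


def rma_ready(header: bytes) -> tuple:
    """Assumed shipping policy: only LUKS containers leave the building;
    anything else is wiped or physically destroyed instead of shipped."""
    info = inspect_media_header(header)
    if not info["encrypted"]:
        return False, f"{info['format']}: plaintext or unknown media, wipe or destroy, do not ship"
    return True, f"{info['format']} container {info.get('uuid', '')}: ciphertext only, safe to ship"


def build_luks1_header(cipher=b"aes", mode=b"xts-plain64", hash_spec=b"sha256", key_bytes=64,
                       uuid=b"00000000-0000-0000-0000-000000000001", active_slots=1) -> bytes:
    """Constructed LUKS1 header for the demo (zero salts/digests; real
    cryptsetup never produces those, but the layout is the real one)."""
    fixed = struct.pack(LUKS1_HEADER_FMT, LUKS_MAGIC, 1, cipher, mode, hash_spec,
                        4096, key_bytes, b"\0" * 20, b"\0" * 32, 1000, uuid)
    slots = b"".join(
        struct.pack(LUKS1_KEYSLOT_FMT,
                    LUKS1_KEYSLOT_ACTIVE if i < active_slots else LUKS1_KEYSLOT_DISABLED,
                    1000, b"\0" * 32, 8 + 256 * i, 4000)
        for i in range(8))
    return (fixed + slots).ljust(HEADER_READ_SIZE, b"\0")


def build_luks2_stub(label=b"backup-vol", uuid=b"00000000-0000-0000-0000-000000000002") -> bytes:
    """Constructed LUKS2 binary header (magic, version, label, uuid only)."""
    hdr = bytearray(HEADER_READ_SIZE)
    hdr[0:6] = LUKS_MAGIC
    hdr[6:8] = struct.pack(">H", 2)
    hdr[24:24 + len(label)] = label
    hdr[168:168 + len(uuid)] = uuid
    return bytes(hdr)


SAMPLE_LUKS1 = build_luks1_header()
SAMPLE_LUKS2 = build_luks2_stub()
SAMPLE_NTFS = b"\xeb\x52\x90NTFS    ".ljust(HEADER_READ_SIZE, b"\0")  # bare NTFS boot sector

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as dev:  # e.g. /dev/sdX, needs root
            print(sys.argv[1], rma_ready(dev.read(HEADER_READ_SIZE)))
    else:
        for name, hdr in (("LUKS1", SAMPLE_LUKS1), ("LUKS2", SAMPLE_LUKS2), ("NTFS", SAMPLE_NTFS)):
            print(name, inspect_media_header(hdr), rma_ready(hdr))
```

Run it against the device (`python rma_check.py /dev/sdX`, as root) when the drive is provisioned and again during the regular media tests; once the controller is gone, nobody can read the header anymore, which is exactly why the check belongs before the failure, not after. A drive that never held plaintext can be sent back as-is, whatever the distributor's lawyers think about data protection.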
08.11.2009 by Sebastian Rohr
I recently bought a very expensive high-end Sony VAIO VGN-z31 and was more than surprised and downright angry when I found out they had disabled the “VT” support of the Intel CPU, making it almost useless when it comes to virtualization with Virtual PC, VMware Workstation, Xen or whatever your favourite hypervisor was.
With their latest set of updates for their EFI (the new BIOS technology) they now finally gave in to the numerous customer complaints, all coming from power users and professionals who were upset to have just spent 2,000 to 3,000 €/$ on a machine that was basically leaving them without support for virtualization.
Vaio customers, rejoice! Check the update sources for your machine, and hopefully you will find a matching update. For all others: check out the “reverse engineered” hacks for activating VT…
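For readers checking their own machines: what firmware like the VAIO's switches off is the VMX enable bit in the IA32_FEATURE_CONTROL model-specific register, which is why /proc/cpuinfo can still show the `vmx` flag while every hypervisor refuses to start. The following is an added example, not from the original post and not Sony's or Intel's code: it reads the cpuinfo flags and that MSR and tells the two cases apart. Assumptions: Linux with the `msr` kernel module loaded (so /dev/cpu/0/msr exists; reading it needs root) and the bit layout from Intel's SDM (bit 0 lock, bit 1 VMX inside SMX, bit 2 VMX outside SMX); the cpuinfo text and MSR values in the block are constructed samples.

```python
"""Added example (not from the original post): tell "CPU has VT-x" apart from
"firmware has actually enabled VT-x".

Assumptions: Linux with the msr module loaded (/dev/cpu/0/msr, root needed);
IA32_FEATURE_CONTROL (MSR 0x3A) bit layout from Intel's SDM: bit 0 = lock,
bit 1 = VMX inside SMX, bit 2 = VMX outside SMX. AMD's SVM is gated by a
different MSR (VM_CR) and is only flag-detected here, not decoded.
"""
import struct

IA32_FEATURE_CONTROL = 0x3A
LOCK_BIT = 1 << 0
VMX_IN_SMX_BIT = 1 << 1
VMX_OUTSIDE_SMX_BIT = 1 << 2


def cpu_virt_flags(cpuinfo_text: str) -> set:
    """Virtualization flags the CPU advertises in /proc/cpuinfo ('vmx' for
    Intel, 'svm' for AMD). Presence only says the silicon can do it."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            _, _, rest = line.partition(":")
            flags.update(rest.split())
    return flags & {"vmx", "svm"}


def vmx_firmware_state(msr_value: int) -> str:
    """Classify IA32_FEATURE_CONTROL:
    'enabled'         VMX outside SMX is on, hypervisors will work
    'disabled-locked' firmware locked the MSR with VMX off (the VAIO case);
                      only a firmware update or setup option can change it
    'unlocked'        lock bit clear, the hypervisor may set the enable bit itself
    """
    if msr_value & VMX_OUTSIDE_SMX_BIT:
        return "enabled"
    if msr_value & LOCK_BIT:
        return "disabled-locked"
    return "unlocked"


def read_feature_control(path: str = "/dev/cpu/0/msr") -> int:
    """Raw 64-bit value of MSR 0x3A for CPU 0; raises OSError without the
    msr module or root."""
    with open(path, "rb") as f:
        f.seek(IA32_FEATURE_CONTROL)
        return struct.unpack("<Q", f.read(8))[0]


def report(cpuinfo_text: str, msr_value: int) -> dict:
    """Combine both checks into the answer a VAIO owner actually wants."""
    flags = cpu_virt_flags(cpuinfo_text)
    state = vmx_firmware_state(msr_value) if "vmx" in flags else "n/a"
    return {
        "cpu_supports_vt": bool(flags),
        "flags": sorted(flags),
        "firmware_state": state,
        "usable_for_hypervisor": "vmx" in flags and state != "disabled-locked",
    }


# Constructed sample: an Intel CPU that advertises vmx ...
SAMPLE_CPUINFO = """processor\t: 0
vendor_id\t: GenuineIntel
model name\t: (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce sse sse2 ss ht tm pbe vmx smx est tm2
"""
# ... whose firmware locked the MSR with VMX off (0x1), versus one that
# enabled it before locking (0x5 = lock | VMX outside SMX).
SAMPLE_MSR_LOCKED_OFF = 0x1
SAMPLE_MSR_ENABLED = 0x5

if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as f:
            live_cpuinfo = f.read()
        print("live:", report(live_cpuinfo, read_feature_control()))
    except OSError:
        print("no live MSR access; showing constructed samples")
    print("locked off:", report(SAMPLE_CPUINFO, SAMPLE_MSR_LOCKED_OFF))
    print("enabled:   ", report(SAMPLE_CPUINFO, SAMPLE_MSR_ENABLED))
```

The `disabled-locked` result is the one the firmware update fixes; `unlocked` means the vendor simply left the register alone and KVM or VMware can enable VMX on their own. If the flag is missing altogether, no update will help, because the CPU itself lacks VT-x.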
Happy VMwaring
Sebastian
PS: off to get that SQL Server running…
10.12.2008 by Sebastian Rohr
Well, I thought nothing could puzzle me regarding the IAM market these days - acquisitions, mergers, emerging start-ups.
This ONE “acquisition” really hit me: Dick Hardt joins Microsoft! I almost dropped my morning espresso shot when I received his (mass-)email… Once I read through his blog posts here and here, though, I fully understand and congratulate both Dick and my former co-workers at Microsoft! It almost makes me wish I was still there - now with even more big AND versatile brains in Redmond it must feel like “the old days”… Nevertheless, I think the (not so evil) empire really was able to “strike back”. Hiring Dick shows that Microsoft really wants this IAM thing to work – not only product-wise for the enterprise market, but also for the general population of “BORGrosoft drones”, which most of us still tend to be…
It really makes me want to book a flight to Seattle next spring to have some good Mac & Jack’s Amber, deep-fried turkey (see Dick’s blog) and most of all: some great discussion on Identity 2.1, as I would call it from now on!
Dick & Jennifer: I wish you all the best in and around Redmond, it IS a great place to stay in the US!
Ray & Kim: nice catch
10.11.2008 by Sebastian Rohr
Howdy?
I am sitting in the lounge of IIW2008b, or the Internet Identity Workshop, Fall 2008, in the Computer History Museum, Mountain View, CA. Well, I am expecting the start of the event, as it will kick off at 1 PM… I am really looking forward to this as I travelled all around California the last two weeks and the impressions have been overwhelming so far. According to Dave Kearns (thanks for a delicious dinner!) it will be quite a nice event!
Stay tuned for some up-to-date info on what’s happening here!
Sebastian
20.10.2008 by Sebastian Rohr
Hello World, hello Bay-Dwellers!
Either you look forward to meeting me or to avoiding me – pay special attention between October 27th and November 13th, as I will be in the Bay Area and Silicon Valley to meet some people. Especially the IIW in Mountain View at the end of the trip will be a highlight – but if you would like to meet me before, please contact Levent or myself so we can make an appointment. Looking forward to meeting as many “gentle people” in SF as possible, regardless of flowers in their hair or big ideas on identity management in their brains!
Comment or email me if you have stuff that you think us “old world people” need to know!
30.09.2008 by Sebastian Rohr
One of our jobs as analysts is to provide insight and vision on what and when things are going to change and how it is going to happen. Sometimes though, my fellow analysts are far off with their predictions; sometimes one just underestimates the market pull or some impressive marketing stunt one of the vendors pulls to push the cause. Other times, for example with PKI, the real hype never materializes – but nevertheless the technology silently grows and matures and never really vanishes.
Lately, I was doing some work with Entrust and they were curious to hear that I had been talking to some companies who had actually come up with plans for deploying a PKI in the near future. No kidding! We even saw the complete raze & rebuild of PKIs where Fraunhofer has created a new competence center around PKI and set up a new, TeleSec-signed root CA. Fun thing is, they are even offering 3rd person certificates free of charge! At least to their communication partners – and it is still in the evaluation phase.
Besides, PKI “v2” seems to have become more or less part of the infrastructure, as some smaller companies just decide to go the KISS way and deploy a Microsoft PKI (not that it is easy to create one that works, and works the way you want it to work – thorough planning is recommended!). Fun thing is, I even heard vendors say: “uhhh, if it is only x,000 people and it is just for authentication – do your customer a favour and stick with a ‘simple’ solution”. By ‘simple’ one meant “low on license cost and maintenance”, at least that is what I derived from it.
Anyway, integration and proper use are always key to the success of such a technology and thus I am pretty sure that if there is a use case and a direct application, any company can benefit from setting up a PKI. Especially in those situations where there are tokens and/or smartcards available as certificate containers that are used as company badges or access tokens for PACs or time & attendance solutions. Hm, … now I do sound like Mr. Self-Fulfilling Prophecy, don’t I? Anyway, if I use my crystal ball I definitely see more integration and thus convergence, and PKI with multifunctional smartcards is part of this as well as the use of SSO and centralized IAM!
14.04.2008 by Sebastian Rohr
Have you ever encountered procedural problems while re-engineering your hiring, retirement or resignation processes to adapt them to your brand new IAM solution? Did you feel that modifying your IAM system to cope with all the different requirements, access rights and approval chains might as well be tackled by writing your own IAM system? Fine! Then you are in the best company you can imagine, because almost everybody went through that deep sorrow you feel. Now imagine you have to do this all for each and every external identity your company deals with in every business unit – do I hear a muffled sobbing, or – is it somebody screaming loud and running away in pain?
The average IAM project comes to its limits with managing all the internal identities, logins, usernames and access levels one can have. Adding external resources and having them provisioned with all necessary rights – and especially restrictions! – may well go beyond what your vendor claimed his software was capable of doing. That is seldom a matter of technology, or better, seldom ONLY technology related, but deals greatly with managing the rather weird processes of hiring and getting rid of external labour resources. Want an example? Here we go:
Imagine a big broadcasting company, or even better, one of the monolithic public broadcasting services here in Germany.
Now imagine this behemoth has to deal with new media, such as IPTV, on-demand content and the like – could and would this be done by internal resources?
I bet there would be dire need for some technophilic and hip member of the blogosphere to chip in his techno-magic skills!
With deadlines approaching fast and youngsters being too reluctant to get an official full-time employee (FTE) working contract (not that positions like these could not be generated out of thin air at a public broadcasting station!), one would aim for the “external editor” model. So far – so good!
Now that our young hero is NOT going to be an FTE, the usual way of getting him access to networks, laptops, servers and apps – through the HR hiring process – will definitely not work for him. He will not get an HR ID as he will not get regular payments, and as such he will not be provisioned through the official channels. Maybe HR does not even get involved until some later point in time if the chief editor has his own budget for external workers.
In addition, the standard processes would not be of any assistance, as the new guy would need access to systems that are probably not part of the global provisioning procedures or – even worse – that guy would need administrative access to some production machines!
Therefore, designing special processes for hiring and changing externals, as well as managing access rights and privileges for them without having to get them into all the internal directories and databases, is definitely a MUST for big IAM projects. Roles and rights management should accommodate external and internal resources – thus making exceptions the norm.
Really sounds like a nightmare huh?
Come to EIC 2008 and join my colleague Felix Gaethgens and me in our session “Managing External Identities”!
Looking forward to meeting you in Munich and finding ways to wake up from that nightmare!
29.02.2008 by Sebastian Rohr
I talked to my Sensei-san, Dr. Kpatcha Bayarou of Fraunhofer SIT, recently and although we only had a few minutes, we came to some extreme views on what User Centric IAM really is about.
Power!
The power to control who gets access to what of my content and information! You are reading this text without disclosing anything about yourself, which is due to my totally hedonistic way of “sharing the knowledge”. Ok, one might say it is to lure some of you into registering for this site, for our newsletters and even some of the reports. That is, to get YOUR IDENTITY and YOUR MONEY. Do you get a feeling where this will go?
Until recently, anybody who had something to offer on the internet (or elsewhere in the brick & mortar world) would request your registration to do business with you. This was tedious, had lots of flaws and still puts a lot of burden on us consumers, especially the ones with the infamous “Geiz ist geil” (roughly: “stinginess is cool”) attitude, always hunting for the best price of a merchandise. These bargain hunters would willingly subscribe anywhere and register with any online shop where they would be able to buy something marginally cheaper or get their hands on a shiny new gadget first. Well, we all did this sometime, somewhere, didn’t we? It may even have been just to get a special software that we would need to get something done quickly…
There the bargain hunters end up with a multitude of logins and passwords, as if we had known it. The background is the same everywhere: somebody who has something we want won’t let us have it until we sacrifice/disclose some of our identity information. Actually these people have power over us, and they are executing it freely. We seem to ignore this fact, as we are so used to “register for free…”. This is seldom “free”; we pay with facets of our identity, and those are valuable to me.
27.12.2007 by Sebastian Rohr
Ok, nothing is more boring than yesterday’s news, I guess!
Despite this oh so true statement, especially in the blogosphere, I would like to rant about SUN’s recent acquisition of VAAU, a small company that offers tools around role mining and role engineering as well as compliance.
I had the sincere pleasure to work with some of the VAAU EMEA people and found both their tools and their approach to be very exciting. SUN in Germany is also very excited – at least the SUN guys I talked to lately – and they are eager to put their new tools to work exclusively, bearing in mind that VAAU was open to most IAM vendors before and will now probably go exclusive with SUN ID Management solutions. I’d say this is quite a punch for the remaining bunch…
Same as SAP has to prove that their Maxware deal was worth the price, SUN now has to make sure that the competitive advantage of exclusive access to VAAU technology can be supported with special ties and deeper integration with their IAM solutions. I intend to closely watch these guys next year, and probably have a chat or two with representatives of both sides! This is an invitation – but you know that, don’t you?
See you all soon
Sebastian