• 26Jan

    For whatever reason, I’ve been pondering similarities and differences between financial and IT risk lately, and one big difference seems to be around reputation in these two areas.  The financial world painstakingly maintains institutionalized memory of credit issues through standardized credit ratings.  Companies, cities, and even countries are rated based on current and past performance, and a ratings downgrade is a BIG deal.

    Why isn’t there an analogous service for systems security risk?  For example, Mike Ramirez just pointed out a data breach at Monster.com. I’d love to go somewhere and see: was that the first time?  Have they been breached before, and I simply didn’t hear about it? How about Heartland Payment Systems?  It seems to me that right now, companies can get away with repeat offenses simply by flying under the radar.

    Of course, there is always the Listeriosis Clause to consider — who do you trust more, the company with a dedication to quality that is forced to disclose, or the lazy/ignorant company who never even looks, and therefore never has to tell?

    In any case, I’d like to see collections of disclosures about the various services I choose to use or do business with.  I’d like to see data collection for the purposes of comparing privacy policies, TOSs, and known breaches of or challenges to those policies. Another issue that I believe could gain prominence is being able to easily research whether the companies I interact with are sending/storing my information across international borders.  I think there would be some really interesting discoveries in such a body of data.

  • 03Dec
    Categories: General Identity Stuff

    Do you remember this quote from the movie “The Incredibles”?

    … And when I’m old and I’ve had my fun, I’ll sell my inventions so that *everyone* can have powers. *Everyone* can be super! And when everyone’s super– [chuckles evilly]  –no one will be.

    Sometimes I think that this is the end game we’re looking at with Social Media.  Right now, we’re so busy hooking every acquaintance we ever had to every other acquaintance as virally as possible on every site everywhere, that we forget who it is we’re going to end up talking to, and to whom our words have meaning.

    It’s great that we’ve gotten to the point where I can broadcast a single thought simultaneously to all of my many services – but what happens when everybody does that?  What happens when the majority of the people you know are on two or more of the sites you visit and all of them are broadcasting across services? I like seeing tweets from people I know.  But when I see the tweet on twitter, then the next time I get onto Facebook the identical tweet shows up as a status update, and then I see it yet again in a weekly digest of tweets that shows up in my RSS reader from that person’s blog -  it gets old fast, and it takes away from the unique character of any one service.  As a very subjective judgement, I personally start to feel more like I’ve been spammed than confided in.

    Right now, I would choose an aggregation service not for the combination of what’s different so much as the elimination of what’s redundant. As all these services bleed into each other, the ratio of new to redundant will become very pronounced;  I imagine that creative solutions to this problem will be an important future differentiator.

  • 24Nov

    I love working with smart people.  I went into the ICF schemas working group call with my set of cobbled-together proposals, and everybody seized on it and started breaking those ideas down into their separate pieces, using language with far more structure than my own words.

    There were some excellent points made:

    • What are the expectations of the “Display Claim” versus the actual claim in providing human-readable claim values?  Is it reasonable (or even preferable) to define a claim value that is not human-readable and trust that the STS will be responsible for mapping that value to something useful?
    • Is it expected that the selector will do a metadata discovery on each and every claim passed?  I had never even thought of such a thing, so will have to learn more.

    I will keep you up to date with the conversation, which is expected to continue on the working group mailing list this week.  The mailing group is http://groups.google.ca/group/icf-wg-schemas.  I believe anyone can read, but you have to be an ICF member to participate.  If you are keen to participate, let me know.

  • 24Nov

    During IIW, the ICF Schema Working Group proposed and approved its first standardized claim definition.  I’ve been following the workings of the schema group but not closely, and I was taken by surprise at the values defined as part of this precedent-setting claim element:

    Claim Name:  age-18-or-over

    Proposed Values:

    • 0
    • 1
    • 2

    What?  Want to know what the values MEAN?  Sorry, you’ll have to look that up.  What you see above is what a Mother or Father will see when they view values passed between the Identity Provider they are trusting to make claims about their children’s age, and a website that may restrict content based on that value.

    Do you see the problem?  Why on earth even have a selector if the standard claims we propose are not understandable by end users?  Why use a meaningless number?  To make it easier for the machines?  For the developers? That’s crazy!  Why don’t we make it easier for the people that are making selector-level security decisions on a daily basis?  These schema types have to be created so that whenever possible, the data passed is legible to those attempting to understand the context of identity data flowing around them.  Heck, if we created a vocabulary for content that could be distinctly identified and parsed by Selectors, we could even localize.

    It’s taken me since IIW to really get my head around this – but I believe we need to set some very specific best practices around these schema elements, first and foremost being the primary design principle that these atomic elements should be designed for regular people, not for developers, and not for machines.

    I’m going to do my best to argue this point today on the ICF working group call.   If you think this is important, whatever your stance on the issue might be, I urge you to join the Information Card Foundation and to make your voice heard.   Contact me if you aren’t sure what you need in order to join, I will put you in touch with the right people.

    I think that best practices around claims schema are THE MOST IMPORTANT thing happening right now.  It is worth taking the time to get this right.  We’ll only get one shot at it.

    The public version of the claim catalog is here:   https://informationcard.net/wiki/index.php/Claim_Catalog

  • 09Nov

    Go ahead.  Have fun without me

    *whimper* *pout*

    I’ll just stay home and feel sorry for myself while you all solve the world’s problems.  Maybe leave a few just so we can meet again in May, ok?

    The least you can do is take lots of pictures,  and write GOOD NOTES so us remoteys can keep up.

    Enjoy,

    Pamela

  • 30Oct
    Categories: General Identity Stuff, Identity Theory

    Electronic Arts has just backed into an interesting twist to the TOS story.   They are linking your online terms of service to the physical video games you buy — if you violate their online TOS, your right to run every video game linked to that account will be revoked.

    This adds a massive lightning stroke of accountability into the affair, doesn’t it?   Suddenly, the forums aren’t just a “value-add”, they are also a potential “value-take-away”.   I have this picture in my head of Family Member A explaining to Family Members B and C how A lost his/her temper in the EA forums last night, and now the whole family has lost not only their access to their games, but possibly their game statistics & reputations too, depending on what EA does to enforce the ban and the subsequent serial number invalidation.    Ah, it all comes back to Identity mgmt and asset mgmt, doesn’t it?

    I suppose you could consider this the Real-time Blackhole List approach to reputation & social networking.

  • 27Aug

    Kim has been working on a less internerdy version of the Laws of Identity – but I’m not sure the current version would resonate with people like my Mom. So – being the go-getter that I am, I had to take a minute and come up with alternatives. What do you think?

    If I could use any terms I wanted and assume that everyone understood them, I could get even shorter:

    1. Don’t share my information behind my back.
    2. Don’t take more information than you need.
    3. Don’t expose my information unnecessarily.
    4. Don’t link me or allow others to link me unless I want to be linked.
    5. Don’t lock me into silos.
    6. Don’t tell me to RTFM in order to be secure.
    7. Don’t let the product interfere with the ceremony.

  • 24Jul

    In my last blog post, I complained that we’re a bit lost.  I would like to be even more specific.  In the world of Identity, there are theoretically two types of people — those whose job it is to pay attention, and those who rely on the first type of people.  I don’t mind if the second group are lost.  I worry when the first group are lost.

    So, why is it that we actually deploy these systems in the first place?  And, if this world of Identity is a journey and not a destination, how do we know when we’ve seen and done enough?

    Here is my definition of what a given Enterprise may wish to accomplish by spending money on Identity technology:

    1. Simplification of Sign-on & Sign-on related procedures
    2. Access to assets granted on basis of least privilege
    3. Process-driven Account Automation
    4. Delegation of Identity Data Maintenance & Workflow to the person/resource most able to enter correct, timely & knowledgeable data
    5. Ability to interact with partners or outsourced services securely & efficiently
    6. Accountability for all of the above through Approvals, Audit

    Why do we wish to accomplish these things?

    1. To make the Enterprise workforce as productive as possible.
    2. To protect corporate assets against theft or abuse.

    There.  That’s it, assuming I haven’t forgotten anything obvious.   The problem is, you can’t just tick off these items like some kind of grocery list.  All you can do is make a qualitative assessment of how close the processes & technologies your company has implemented from the first list bring you towards the end goals described in the second list. Every organization of every size should be making these evaluations – but the sweet spot between cost undertaken and value returned will be different. For smaller companies everything could be manual, and there is nothing wrong with that as long as the risk and overhead are tolerable.

    Is this characterization just an invitation for vendors to get lazy?  It’s hard for me to imagine.  There is so much work to do in these areas, so many things that can improve, that I can’t imagine any of the vendors having time to slack off.  Besides, I think there are revolutions to come.

    The really interesting question will be whether or not the big vendors will ever start enabling truly integrated provisioning and SSO support for the full range of their products.  Imagine if every web-enabled product sold by Oracle had a configuration property called “trust OAM session cookie”, and if the configuration property was set, the application ceased to prompt users for credentials, and instead simply looked for a set of pre-agreed-upon header values to determine the identity of the user.  Imagine if your provisioning workflows for employee and manager self-service came built into your HR product, and only a configuration page later, you could hook the interface into your provisioning system.  Imagine if all of the application-specific roles in all of your stack applications were consistent and complementary, both at the fine-grained application level and at the enterprise middleware level. That is the potential, if not the reality, of a stack offering.  Integral adherence to an identity vision, instead of bolted-on adherence.  Sigh, what a lovely thought.

    I wouldn’t put money on it though.  Too bad.

  • 28May

    On my way to go watch bad American Infomercials last week, I spent a lot of time in the airport, in this case the Vancouver airport. The usual time-honored geek-at-an-airport rituals were observed: the scurrying around with lowered head, looking for the elusive power outlet behind a seat, the plugging in of as many gadgets as the outlets allow, and then the groan that comes forth as you open your browser to see how much you get to pay for internet access for today’s airport tenure.

    Many of you have probably had the airport wifi experience. You get online just enough to be given options for payment — 1 hour, 1 day, 1 month, or ongoing support. If you already have an account with the wifi provider, you are off to the races. If not, you have to (1) Register. (2) Pay. (3) Get a username and password that you will never remember. (4) Use it once. My favorite at SFO was always the fact that the usernames stuck around but that you (or at least I) couldn’t recover the password, so you had to end up appending numbers to the end of your usual username choice to get a new account for every visit. If you were optimistic enough to pay for multiple visits at once, well good luck getting in on the second visit. The experience is uniformly time-consuming and frustrating.

    And so, as I started my browser and saw that Wifi was managed by Telus (not Bell, my own provider), I braced myself. Suddenly — at the bottom of the page, I saw the following:

    Canadian wireless providers have created a provider-centric wireless service offering, where instead of having to give your information to whatever provider happens to run the hotspot, you can alternatively authenticate to a wireless provider you already have a relationship with, and do the deal there. Once negotiated, your provider deals with payment on your behalf, your internet access charge shows up on your monthly bill, and you gain access to Vancouver airport wireless service, never having had to pull out your credit card or fill in a registration form.

    Yes!!! This is exactly the experience that I want to see! Instead of having to hand over my data & credit info to someone I had no reason to trust, I instead chose an entity with whom I already had a relationship to act on my behalf. The transaction was easier for me, and I assume profitable both for Bell and for Telus. Wins, all around.

    This is what needs to happen in general on the internet. By whatever means. I of course have my technology preferences, but it is the end result that matters the most.

  • 04Apr

    In my post on user context decisions in the Enterprise, I built on a foundation that perhaps should have been better defined before drawing conclusions. A few people noticed it, and I think they make great points — so let’s step away from the fancy schmancy terms and look at [my conception of] the underlying issue.

    Here is my problem with current technical definitions/applications of roles. In most organizations, roles are expected to be true of a given person 100% of the time. Jenny is *always* a “production accountant level II” if that role is present in her profile.

    Roles are indeed in the domain of the “identity weenie” — but alone, roles are nothing but a maintenance nightmare – they exist to be leveraged. Rules, on the other hand, are the problem of the “authorization weenie” and are written (for example) as a WAM policy that says “All Production Accountant Level II resources can access the accounting SharePoint instance”. When you collect roles into a profile and collect rules into a policy and then evaluate for a given user, resource, and point in time, what you eventually get is an entitlement, i.e. “Jenny should get into the accounting SharePoint instance”. The goal is to have transitive logic between roles and rules, such that two different people can take on the two different statements being made. Jenny’s Manager can authoritatively state (through a workflow approval) that Jenny is indeed a production accountant. The owner of the Accounting SharePoint instance can authoritatively state (through an authorization policy) that all production accountants should have access to their site.

    This is, of course, just my interpretation of the verbiage. Heaven knows there are many many other interpretations out there, I could be waay behind the times. Still, the basic logic I’ve just outlined forms (I believe) a simplistic basis for most identity projects out there. All of it is based on the idea that whatever set of roles are present for a given account at a given time are all simultaneously true.

    What happens when the system detects the static presence of two conflicting roles? What happens if one role is “truer” than another at some point in time?

    There is no simple way to say that John is a broker 100% of the time, but 50% of the time he represents Client A and only Client A, and the other 50% he solely represents Client B. There is no way to represent mutual exclusivity of roles in a single user profile (that I’m aware of).

    In the case where two roles are assigned to the same person, but should never be simultaneously applicable, Enterprises have limited choices. If, however, there is a layer in between the consumer and the provider that lets you mask roles based on user-chosen context, in my mind this problem goes away. I don’t see how you can do it without the user part — but perhaps I’m just not thinking hard enough :)
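    The roles-into-profile, rules-into-policy, evaluate-to-entitlement logic above, together with the mutually exclusive roles problem and the user-chosen context layer that masks roles, as an added Python example (not code from the original post; the role and resource names, the `exclusive` pairs and the `contexts` mapping are my assumptions about how such a layer could be modelled):

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    """Identity side: roles asserted about a person (e.g. by manager approval)."""
    user: str
    roles: set
    # Role pairs that must never apply together (assumption: the post says profiles
    # have no standard way to express this).
    exclusive: set = field(default_factory=set)      # set of frozensets
    # User-chosen context -> roles visible in it: the "layer in between" (assumption).
    contexts: dict = field(default_factory=dict)

@dataclass(frozen=True)
class Rule:
    """Authorization side: 'all <role> resources can access <resource>'."""
    role: str
    resource: str

def static_conflicts(profile):
    """Exclusive role pairs that are both statically present in the profile."""
    return sorted(tuple(sorted(p)) for p in profile.exclusive if p <= profile.roles)

def effective_roles(profile, context=None):
    """Mask the profile's roles by the chosen context; None means no masking."""
    if context is None:
        return set(profile.roles)
    if context not in profile.contexts:
        raise KeyError(f"unknown context {context!r} for {profile.user}")
    return profile.roles & profile.contexts[context]

def entitlements(profile, rules, context=None):
    """Roles x rules -> resources for one user now. Fails closed on a conflict."""
    roles = effective_roles(profile, context)
    if any(p <= roles for p in profile.exclusive):
        raise ValueError(f"{profile.user}: exclusive roles both apply: {sorted(roles)}")
    return {r.resource for r in rules if r.role in roles}

# Constructed sample data following the post's examples.
RULES = [
    Rule("production accountant II", "accounting SharePoint"),
    Rule("broker", "trading desk"),
    Rule("rep:clientA", "client A portfolio"),
    Rule("rep:clientB", "client B portfolio"),
]
JENNY = Profile("jenny", {"production accountant II"})
JOHN = Profile(
    "john", {"broker", "rep:clientA", "rep:clientB"},
    exclusive={frozenset({"rep:clientA", "rep:clientB"})},
    contexts={"client A": {"broker", "rep:clientA"},
              "client B": {"broker", "rep:clientB"}},
)
```

    Without a context, `entitlements(JOHN, RULES)` refuses to decide because both client roles are statically present; with `"client A"` chosen, John gets the trading desk and the client A portfolio only.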

    I hope I’ve now managed to dig myself in sufficiently deep that pretty well anyone will be able to take potshots — have fun :)

Disclaimer

These thoughts are mine. Everyone else can get their own blog.