Posted May 13th, 2009 Ian Yip’s take on access management versus entitlement management can be partially summed up with this equation:
Entitlement management is simply fine-grained authorisation + XACML
I have four problems with this.
First, definitions that include a protocol are worrisome as they can overly restrict the definition. For example, if I defined federation as authentication via SAML, people would quickly point out that authentication via WS-Fed was just as viable as a definition. So in terms of an industry conversation, we need to make sure that our terms are not too narrow.
Second, I fear that this definition is a reflection of products in the market today and not a statement on what “entitlement management” is meant to do. Yes, most of today’s products can use XACML. Yes, they facilitate authorization decisions based on a wider context. But who’s to say that these products, and the market as a whole, have reached their final state? Along these lines, I wonder if externalized authorization stores are a required part of an “entitlement management” solution?
Third, there is something missing from the definition – the policy enforcement point. A fine-grained authorization engine provides a policy decision point, but that still leaves the need for an enforcement point. This holds true whether an application has externalized its authorization decisions or not. Continue reading "Nailing Down the Definition of “Entitlement Management”"...
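To make the decision/enforcement split concrete, here is an added example (not code from Ian Yip's post or from Burton Group) with constructed attribute names and a constructed sample policy: the PDP only answers the question, while the PEP is the component that actually gates the operation, and it treats anything other than an explicit Permit (NotApplicable, Indeterminate, Deny) as a denial.

```python
# Added illustration of the PDP / PEP split (not from the original post).
# Attribute names, roles and the sample policy are constructed for the example.
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

@dataclass
class Rule:
    effect: str   # PERMIT or DENY
    match: dict   # attribute -> required value; every pair must match the request

@dataclass
class PDP:
    """Decision point only: evaluates attribute rules with deny-overrides combining.
    It never touches the resource; it just answers the question."""
    rules: list = field(default_factory=list)

    def decide(self, request) -> str:
        if not isinstance(request, dict):        # attributes could not be retrieved
            return INDETERMINATE
        effects = [r.effect for r in self.rules
                   if all(request.get(k) == v for k, v in r.match.items())]
        if DENY in effects:
            return DENY
        if PERMIT in effects:
            return PERMIT
        return NOT_APPLICABLE                      # no rule spoke to this request

class PEP:
    """Enforcement point: the only component that gates the operation.
    Anything but an explicit Permit (NotApplicable, Indeterminate, Deny) blocks it."""
    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def enforce(self, request, operation) -> dict:
        decision = self.pdp.decide(request)
        if decision != PERMIT:
            return {"decision": decision, "executed": False}
        return {"decision": decision, "executed": True, "result": operation()}

# Constructed sample policy: clerks may view accounts; frozen accounts are off-limits to everyone.
SAMPLE_PEP = PEP(PDP(rules=[
    Rule(PERMIT, {"role": "clerk", "action": "view", "resource_type": "account"}),
    Rule(DENY, {"resource_state": "frozen"}),
]))

def view_account(request) -> dict:
    """Protected operation; it runs only if the PEP lets it."""
    return SAMPLE_PEP.enforce(request, lambda: "account-details")
```

Whether the PDP is externalized or embedded in the application changes nothing here: without the `PEP.enforce` wrapper the decision is computed but nothing stops the call.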
Posted May 11th, 2009 There are plenty of reasons to come to Catalyst. Engaging workshops, great sessions, interesting speakers, the chance to see the entire Identity and Privacy Strategies team on stage with bags on their heads - you know, the kinds of things you’d expect. For those of you with a Certified Information Privacy Professional (CIPP) certification, this year we’ve a little something extra for you – continuing education credits. By attending IdPS’ Privacy Risks Get Real track, you’ll earn 3.5 hours of continuing privacy education (CPE) credit. Attend SRMS’ Risk Management: Programs You Can’t Afford to Cut and receive another 3.5 hours of credit.
And here’s a second bonus: we are making it easier than ever for you privacy professionals out there who haven’t attended a Catalyst before to attend this year. By registering with promo code IAPP, you’ll be able to attend the conference at $300 off the Early Bird rate. See you in July!
(Cross-posted from Burton Group’s Identity blog.)
Posted April 6th, 2009 Over the last 6 or so months, Bob Blakley and I have been doing a lot of listening and thinking about privacy. To successfully re-launch our privacy coverage, we needed to lay a wide foundation that would serve to support future research. We needed to provide a meaningful starting point for our customers. Since our customers’ jobs are not typically focused on privacy, we needed to start with a form of first principles and build outward.
I’ve learned that it is generally frowned upon to use the second person in our reports – too informal, I am told. Use the blog if you want to address the audience directly. Normally, I don’t have a problem avoiding the second person, but this report proved to be a challenge. We had to work hard to write without using “you.” And why was that? Privacy discussions are and must be inclusive. They involve each of us on a far more personal level than a discussion of, say, account lifecycle management. Cognizant of privacy implications or not, the decisions you make on a daily basis affect the privacy of your customers and partners.
Because privacy is personal, because it requires concerted behavior throughout the enterprise, discussions about privacy must include everyone. You. Me. Everyone. To guide concerted behavior, in our recently released privacy report, we put forth a Golden Rule as a means of developing and evaluating privacy principles leading to practices and behaviors: Continue reading "The beginning of the beginning: our privacy report publishes"...
Posted March 6th, 2009 Being the new-ish addition to the IdPS team is, well, an interesting place to be. Besides the requisite induction activities (ask me at Catalyst how you pick up the dry cleaning for a team who lives all across the country), I’ve been working with my peers on vastly different pieces of research. And being curious by nature, I’m loving the chance to not only dig into different topics, but also observe how different people go about the actual process of analyzing a topic or a market. One technique that Burton Group uses is Contextual Research (CR). Essentially, the CR process is meant to challenge an analyst’s knowledge of a subject and their associated preconceived notions as to what problems enterprises face and how they are facing them. It turns seasoned veterans, experts in the field, into beginners again. This is what practitioners of Zen Buddhism call “beginner’s mind.”
Here’s how it works in a nutshell. Kevin (seasoned vet) and Ian (newbie) identify a bunch of organizations to talk to. So far nothing out of the ordinary as compared to our other approaches to research. That being said, the conversations we have with these organizations are very different from typical research techniques. Instead of coming to the conversation with a fixed hypothesis that we want to prove out, we come to the conversation with nothing. No leading questions. No surveys. No preconceptions. Continue reading "Zen Mind, Newb Mind"...
Posted February 13th, 2009 When you think of “the usual” privacy risks you think of things like brand and reputation damage, fines, and increased regulations. You don’t think of jail time for executives. But jail time is exactly what some Google executives face if an Italian prosecutor has his way.
The arrest of Peter Fleischer, Google’s Paris-based Global Privacy Counsel, in Milan on January 23 stems from video that was briefly available on Google’s site in Italy. The video showed high school students bullying a classmate with Down Syndrome. Google took down the video in less than 24 hours after receiving complaints about it. The view of Milan’s public prosecutor is that permitting posting of the video for any period of time was a criminal offense. Fleischer and three other Google employees have been charged with defamation and failure to control personal information.
In our forthcoming report, Bob and I explore the contextual nature of privacy. Google clearly operates in multiple geographic and legal contexts. In the US, Google enjoys protections similar to those afforded “common carriers”. However, in Italy, Google is being treated as a content provider and not a content distributor, and thus is not receiving any such protection. Continue reading "Privacy risks get real"...