Why is the Identity leg of the stool missing?

[Many thanks to Gerry Gebel for giving me the nucleus for this post]

In the midst of the ongoing privacy and security conversation, I pointed out last week that identity is the missing leg of the security/privacy stool. Identity is both a means of expressing privacy requirements and a necessary set of security controls, as well as a key to delighting customers and driving business engagement. A colleague pointed out that while security and privacy might be different halves of the same coin, identity is the coin itself. I’m not sure I fully agree with that but it gets to sentiment I have.

The use and protection of identity data has strong footing in both the privacy and security worlds. And yet identity and identity management professionals are not a first class member of the conversation. Why is that? One reason, in my opinion, is because we didn’t expect the industry to stand alone for the duration.

The inevitable absorption into business process that never happened

Speaking as an identity professional, I don’t think we claimed our seat at the table because, in part, we didn’t expect to be around IT for so long. 10 to 15 years ago there was a thought that identity would be subsumed by larger, adjacent business process engines. Human resource management, for example, should have absorbed identity management, at least for employee identity. I still remember the Catalyst In San Francisco where the Burton Group identity team (I was just a newbie in the audience at the time) had Oracle and SAP talk about their plans (or lack there of) for synergy between HRMS and IAM. What was clear to Burton Group was that the systems that managed your job role and responsibilities ought to be managing that in both on- and offline worlds.

Employee identity really ought to be a function of HR and an extension of HRMS’s. In doing so, identity professionals would become the technical arm of HR. Some companies tried this. Some companies put their technical role management programs within HR. Although some companies tried this approach, for political/organizational/cultural reasons, those approaches did not last.

If HR was to be the home of employee identity, then what of customer identity? Looking to the business process engines that manage customer information, one could see CRM systems absorbing customer identity functions. In such a world, the teams overseeing sales, service, and marketing processes would be the voice of the customer and their business process engines would deliver the identity functionality the customer needed.

In both scenarios the job of “standalone” identity management technology and professionals would be greatly diminished. The path forward for professionals in such a world was to become technical HR, Sales, Service, Marketing, etc professionals, acting as business system analysts serving their constituency or delivering architectures and process integrations to allow identity information to flow and be useful. These worlds did not fully materialize. Continue reading Why is the Identity leg of the stool missing?

Identity: The Missing Leg of the Stool

I had the pleasure of representing the Identity Ecosystem Steering Group (IDESG) at the International Association of Privacy Professionals’ Global Privacy Summit this week. Laura Hamady of PayPal, Heidi Wachs of Jenner and Block, and I talked about navigating the maze of online retail. My part in the talk was to illustrate the flow of personal data between the various players in different online retail scenarios. (Here’s a copy of our presentation if you are curious.) Now, as the only non-lawyer in the bunch, and likely the only identity person at the conference, I had a blast pointing out all of the data protection and handling issues that stem from identity interactions.

The movement of identity data between social identity providers, your back-office systems, and third-party service providers is a dance of varying elegance. Regardless of how well those pieces are integrated, the information being shared helps your organization delight your customer. But in order to do so, the customer’s privacy needs and expectations must be met. (Not to mention sectoral and legal data protection requirements as well.)

And that got me thinking. The relationship/dramatic tension/codependence of privacy and security gets a lot of rightly deserved attention. But neither privacy and security professionals can fully meet these challenges in part because their default tools are the wrong ones for the job. What’s missing from the conversation is identity management.

Identity is the missing third leg of the stool. Identity helps mitigate a vast number of security threats including insider threat through the minimization of access. Identity also helps address privacy requirements but governing access control to customer data. In this regard, we can think of identity management as the operational means by which privacy implements some of its required controls. And to be clear I am not saying that identity meets all of the requirements on its own; there are many other privacy controls that require security, and not identity, to meet – traditional data protection and event monitoring being just a couple.

By working with identity professionals, privacy teams can better understand the flow of customer data. They can sharpen the focus of their privacy impact assessments and can more easily identify third-parties provide services and whose terms of service need to be harmonized with the organization’s privacy policy and notices.

Simply put – an organization that coordinates the efforts of its privacy, security, and identity professionals is more likely to not only meet its customers privacy requirements and most importantly, more likely to delight its customers.

Identity is having its TCP/IP moment

[This is my keynote from Cloud Identity Summit 2015. Unlike most of my talks, this one did not start with a few phrases and then an outline and then a speech and then a deck. This one dropped out of my noggin in basically one whole piece. I wrote this on a flight back home from London based on a conversation with a friend in the industry. Oh, there is no deck. I delivered this as a speech.]

[Credit where credit is due: Josh Alexander gave me the idea for the username and password as cigarettes and the sin tax. Last year, Nat Sakimura around 2 in the morning in my basement talked about service providers charging for username and passwords to cover externalities, and I completely forgot about the conversation. Furthermore, at the time, I didn’t fully track with his idea. I totally get it now and want to make sure I assign full and prior art credit to Nat – the smartest guy in identity, sent from the future to save us all.]



Remember when we used to pay for a TCP/IP stack. Remember when we paid for network stacks in general? Hell, we had to buy network cards that would work with the right stack.

But think about it… Paying for a network stack. Paying for TCP/IP. Paying for an implementation of a standard.

How quaint that sounds. How delightfully old school that sounds.

But it was. And we did.

And now? No one pays for a TCP/IP stack. Or at least no one pays for it directly. I suppose you can say that what you spend on an OS includes the cost of the network stack. It’s not a very good argument but I suppose you can make it.

When network stacks became free (or essentially cost free) networking jobs didn’t go away. I would posit that we have more networking engineers now than we’ve ever had before. Their jobs morphed with the times and changes in tech.

It’s mid-2015 and I think we need to admit as that the identity industry now looks a lot like the networking industry did back then. The standards are mature enough. The support for them is broad enough. Moreover, not taking a standards-based approach is antithetical to the goals of the modern enterprise.

Simply put, identity is having its TCP/IP moment.

Continue reading Identity is having its TCP/IP moment

Stop Treating Your Customers Like Your Employees

Unlike many of my other talks, this one didn’t start are a speech and didn’t start with a few phrases. This talk started as an analyst briefing deck. It had become clear that many of the identity industry analysts, if they covered customer identity at all, did so with a very narrow view of it. I put the progenitor of this deck together so show how broad customer identity is and, more importantly,  how amazingly large the opportunity ahead of us is.

Speaking  season came upon me and I needed something to talk about. I took out all of the Saleforce-specific bits and turned the briefing deck into the keynote below.

The gist is simple: customer identity presents the opportunity to grow the business and move identity professionals from being in a cost center to being in a revenue generation center. We, identity professionals, can be business enablers, something we have never been before.  But, and this is a big one, customer identity is larger than employee identity and applying enterprise-centric techniques to customer-centric use cases is a major mistake. What follows is my attempt to show big the world of customer identity really is.

Continue reading Stop Treating Your Customers Like Your Employees