A Maturity Model for De-Weaponizing Identity Systems – Part 1

It’s no secret that we, as identity professionals, are the custodians of some of the most crucial information in our enterprises. We hold information about employees and customers in our identity systems in order to deliver them services that range from productivity to entertainment to personal health and wellbeing.

And as professionals, none of us want to build systems that can harm other people. Certainly, none of us want to build systems that can be used to harm ourselves. At the core of our professional code of ethics is the spirit of “do no harm.”

Now it is true that if our identity systems are of value to us and to our employers, then they are of value to attackers.

Who are these attackers?

There are two kinds of attackers: bulk and single data subject attackers; let’s look at both.

Bulk Attackers, as the name implies, want bulk data… they want all the data. Why they want all the data can vary widely. They might be interested in a single vendor’s customers. Or they might be interested in everyone in a region who shares a medical condition or ethnic heritage, or employer. They might be setting up for a later spear phishing attack. They might be putting the pieces together for an ethnic minority oppression campaign or a voter suppression campaign.

On the other hand, Single Data Subject Attackers are only interested in a single data subject. They are focused just one individual. Why? They might want to take control of a celebrity’s mobile phone for the lulz or leak personal photos to the web. They might be interested in dox’ing an adversary. They might want to make an ex-spouse’s life a living hell.

Continue reading A Maturity Model for De-Weaponizing Identity Systems – Part 1

Professionalizing Identity: What happens next?

Apologies for not getting this out sooner.

After having a great time at #CISNOLA I recovered a bit. In that time I got a lot of feedback on my micro-keynote on professionalizing the identity management industry. Lots of of very encouraging feedback.

There was a common theme to these conversation – I signed the pledge; so now what happens?

From a long term perspective, I simply don’t know.

On a shorter timeline, here’s what I do know. Kantara is going to leave the pledge page open for a few more weeks. Around July or August, Kantara will convert the pledge list to a working group. This discussion group will explore what a professional organization for our industry should look like. I have recommended that that working group spend the rest of the year identifying what the organization ought to look like, what it should do, what it should not do, etc. My hope is that around the beginning of 2017 the organization gets going in earnest.

Well that seems like a long time to wait you might say. True. But we’ve gone 30 years without a professional organization – 180 more days isn’t going to kill anyone. Having gone through the creation of one organization already, I am in no rush and I think the Kantara leadership is of a similar mindset.

In the meantime, what can you do? Send your colleagues to the Kantara pledge page. Talk with your peers about what you want to see in a professional organization for our industry. Find similar organizations that are doing interesting things and brings those things to the working group when it starts.

The Moments Ahead for Identity

[My address to the European Identity Conference 2016. Although this starts like my TCP/IP Moment talk it goes in a very different direction. In some regards, I think this might be the most important talk I have ever written and delivered.

Giving credit where credit is due – the ideas in this piece are the distillation of many many conversations over the years. I am deeply indebted to the following peers for their help, encouragement, ideas, and support: Allan Foster, Robin Wilton, Nat Sakimura, Josh Alexander, Chuck Mortimore, Joni Brennan, and Josh Nanberg.]

Remember when we used to pay for a TCP/IP stack? Remember when we paid for network stacks in general? Hell, we had to buy network cards that would work with the right stack.

But think about it… Paying for a network stack. Paying for TCP/IP. Paying for an implementation of a standard.

How quaint that sounds. How delightfully old school.

But that’s what we did!

And now? No one pays for a TCP/IP stack.

When network stacks became free networking jobs didn’t go away. I would posit that we have more networking engineers now than we’ve ever had before. Their jobs morphed with the times and changes in tech.

It’s mid-2016 and I think we need to admit as that the identity industry now looks a lot like the networking industry did at its TCP/IP moment. The standards are mature enough. The support for them is broad enough. And another thing, not taking a standards-based approach is antithetical to the goals of the modern enterprise.

Simply put, identity is having its TCP/IP moment. And this TCP/IP moment will spawn other moments in identity management.

I want to talk about three impactful moments ahead for our industry:

Standards-based identity
Outcomes-based identity
Professionalized identity

I want to talk about these moments and changes associated with them, but keep in mind that although great change is ahead, we need not be afraid of that change. Continue reading The Moments Ahead for Identity

Why is the Identity leg of the stool missing?

[Many thanks to Gerry Gebel for giving me the nucleus for this post]

In the midst of the ongoing privacy and security conversation, I pointed out last week that identity is the missing leg of the security/privacy stool. Identity is both a means of expressing privacy requirements and a necessary set of security controls, as well as a key to delighting customers and driving business engagement. A colleague pointed out that while security and privacy might be different halves of the same coin, identity is the coin itself. I’m not sure I fully agree with that but it gets to sentiment I have.

The use and protection of identity data has strong footing in both the privacy and security worlds. And yet identity and identity management professionals are not a first class member of the conversation. Why is that? One reason, in my opinion, is because we didn’t expect the industry to stand alone for the duration.

The inevitable absorption into business process that never happened

Speaking as an identity professional, I don’t think we claimed our seat at the table because, in part, we didn’t expect to be around IT for so long. 10 to 15 years ago there was a thought that identity would be subsumed by larger, adjacent business process engines. Human resource management, for example, should have absorbed identity management, at least for employee identity. I still remember the Catalyst In San Francisco where the Burton Group identity team (I was just a newbie in the audience at the time) had Oracle and SAP talk about their plans (or lack there of) for synergy between HRMS and IAM. What was clear to Burton Group was that the systems that managed your job role and responsibilities ought to be managing that in both on- and offline worlds.

Employee identity really ought to be a function of HR and an extension of HRMS’s. In doing so, identity professionals would become the technical arm of HR. Some companies tried this. Some companies put their technical role management programs within HR. Although some companies tried this approach, for political/organizational/cultural reasons, those approaches did not last.

If HR was to be the home of employee identity, then what of customer identity? Looking to the business process engines that manage customer information, one could see CRM systems absorbing customer identity functions. In such a world, the teams overseeing sales, service, and marketing processes would be the voice of the customer and their business process engines would deliver the identity functionality the customer needed.

In both scenarios the job of “standalone” identity management technology and professionals would be greatly diminished. The path forward for professionals in such a world was to become technical HR, Sales, Service, Marketing, etc professionals, acting as business system analysts serving their constituency or delivering architectures and process integrations to allow identity information to flow and be useful. These worlds did not fully materialize. Continue reading Why is the Identity leg of the stool missing?