Wednesday, August 10, 2011

Identity, Society, and Politics

I was reading Paul Hartzog's blog and his view on society, technology and politics.  Specifically, the "Panarchy" poster:

This got me thinking about Identity and the complexity of the Internet ecosystem, and how hierarchical systems for Identity might work for an organization but cannot be translated to "The Cloud".  So, let's frame the conversation by looking at the definition of some terms:

  • Politics: Social relations involving authority or power
  • Identity: Whatever makes an entity (such as an individual) definable or recognizable
  • Society: A group of individuals related to each other through persistent relations

Let's begin with Society and our current relations, occurring online and face to face because of technology.  Prior to the communications revolution, societies were concentrated in a geographical area, therefore our Politics were confined to these geographical boundaries.

Today, although still physically confined to a geographical area, our relations are much more complex.  We work online, and we travel farther, faster and more frequently than before.  We spend time online with family in different areas of the world chatting "face to face."  Our Social relations are more complex and have moved ahead of our Politics.  Our economies are no longer confined to geographical markets; we transact online with everyone in the world.  The purchase of a product or a service is the collective work of individuals in several countries.

The hierarchy of most governments implies the acceptance of a set of norms that may not correspond to the sentiment of its citizens, now that information is so accessible.  We now know the difference between something that we want and something we don't want being enforced by a government.  Governments prefer to know who their citizens are (to Identify them) in order to maintain their power hierarchies.  Prior to the communication revolution, government-issued identification was important.  It helped social interactions that required validating who a person claimed to be.  But in a complex system such as the Internet, hierarchies are inefficient, costly and almost impossible to control.

Paul Hartzog writes in his poster (see image above), that we are seeing "the emergence of new forms of social action that function independently of and in parallel to traditional forms of the State."   Identity, of course, is part of the complexity, but a complexity that is currently leading to "self organization" (you have to look at the poster and read it).  

This Identity "self organization" can be seen in the different standards groups working on defining how to organize Identity in the Cloud.  Identity is no longer for (and by) the State; it is about an individual, their privacy and how they interact with other members of society.  It is not even about an organization (look at the interesting conversations about anonymity, pseudonymity and privacy happening because of the Google+ policy on names).

These are interesting times for Identity, Society and Politics and thanks to Paul Hartzog I am going to call myself a "Panarchist" (it sounds cool!).

Thursday, July 7, 2011

User Managed Access

You may be wondering: what is the big deal about UMA?  Well, it is an answer, in the form of an Internet protocol, to the concerns many users have about control over their data and their privacy.  The protocol allows for the implementation of Authorization Managers that give you the ability to control your data at any host that is UMA enabled.  Anyone (service or person) attempting to access your protected data will have to interact with the Authorization Manager before getting access.  The beauty of creating a protocol for such interactions is that it allows for a marketplace for the best implementations of the protocol.  User experience, usability, privacy and security will be the measure of the best players at protecting your data.  With UMA you are in control!
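To make the control point concrete, here is an added example (not code from the original post, and not a UMA implementation) that models the three parties the paragraph describes in Python: the owner sets policy at an Authorization Manager, the host refuses any request that does not carry an AM-issued token, and the requester must obtain that token from the AM first. The resource names, party names and the policy/introspection/revoke methods are all constructed for illustration and are a simplified model, not the UMA wire protocol.

```python
"""Simplified model of UMA-style access mediation (constructed teaching example).

Parties: the Identity Owner ("alice") sets policy at an Authorization Manager
(AM); a Host stores alice's data and refuses every request that lacks a valid
AM-issued token; a Requester has to go to the AM before the Host will talk.
"""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class AuthorizationManager:
    # (owner, resource) -> set of requesters the owner has allowed
    policies: dict = field(default_factory=dict)
    # token -> (requester, resource, scope, expiry); the AM is the source of truth
    issued: dict = field(default_factory=dict)

    def set_policy(self, owner, resource, allowed_requesters):
        """The owner decides who may reach which resource; the host never decides."""
        self.policies[(owner, resource)] = set(allowed_requesters)

    def request_permission(self, requester, owner, resource, scope="read", ttl=60):
        """Requester asks the AM; a token is issued only if the owner's policy allows it."""
        if requester not in self.policies.get((owner, resource), set()):
            return None
        token = secrets.token_urlsafe(16)
        self.issued[token] = (requester, resource, scope, time.time() + ttl)
        return token

    def introspect(self, token, requester, resource, scope="read"):
        """Host-side check: token must exist, match requester/resource/scope, and not be expired."""
        rec = self.issued.get(token)
        if rec is None:
            return False
        tok_requester, tok_resource, tok_scope, expiry = rec
        return (tok_requester, tok_resource, tok_scope) == (requester, resource, scope) \
            and time.time() < expiry

    def revoke(self, token):
        """The owner withdraws access at any time; the host sees it on the next check."""
        self.issued.pop(token, None)


@dataclass
class Host:
    am: AuthorizationManager
    owner: str
    data: dict  # resource name -> content (constructed sample data)

    def access(self, requester, resource, token=None, scope="read"):
        """Every access is mediated: no valid AM token, no data."""
        if resource not in self.data:
            return ("not_found", None)
        if token is None or not self.am.introspect(token, requester, resource, scope):
            return ("need_authorization", None)  # tells the requester to visit the AM
        return ("ok", self.data[resource])


def requester_flow(requester, host, resource, scope="read"):
    """What a requester does: try the host, get redirected to the AM, retry with a token."""
    status, payload = host.access(requester, resource)
    if status == "need_authorization":
        token = host.am.request_permission(requester, host.owner, resource, scope)
        if token is None:
            return ("denied_by_owner_policy", None)
        status, payload = host.access(requester, resource, token=token, scope=scope)
    return (status, payload)


def demo():
    """Run the scenarios and return their outcomes keyed by name."""
    am = AuthorizationManager()
    host = Host(am=am, owner="alice",
                data={"medical": "blood type: O+", "contacts": "bob@example.test"})
    am.set_policy("alice", "medical", ["dr_smith"])  # alice's choice, not the host's

    results = {}
    results["no_token"] = host.access("dr_smith", "medical")          # host sends to AM
    results["allowed"] = requester_flow("dr_smith", host, "medical")  # policy permits
    results["unknown"] = requester_flow("mallory", host, "medical")   # policy denies
    token = am.request_permission("dr_smith", "alice", "medical")
    results["wrong_resource"] = host.access("dr_smith", "contacts", token=token)
    results["wrong_requester"] = host.access("mallory", "medical", token=token)
    am.revoke(token)                                                   # alice changes her mind
    results["after_revoke"] = host.access("dr_smith", "medical", token=token)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} -> {outcome}")
```

The point of the model is where the decision lives: the host holds the data but consults the AM for every request, so the owner's policy (and revocation) takes effect at the host without the host ever seeing the policy itself.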

The internet draft recommendation contributed to the IETF is an important milestone and just the beginning of many things to come...

Friday, April 1, 2011

Trusted Managed Identities Services Business Model

I have been giving some thought about what the Business Model would be for Managed Identity Services in a trusted identity ecosystem.  

I decided to start by defining the main actors in the ecosystem:  

  • Identity Owner:  Normally considered the end-user, the subject the digital identity represents.
  • Identity Provider:  The service provider that stores and manages the digital identity for the Identity Owner.
  • Relying Party:  The subject requesting authentication and/or authorization to the digital identity data.
  • Trust Provider:  The service provider that assures the relying party the validity of the digital identity stored at the Identity Provider.

Now what?  How can we make money from Managed Identity Services?   What benefits are there to each actor in the ecosystem to validate the capability of such a system?

The Identity Owner benefits from such an ecosystem by being able to maintain identity data in a central place where stronger authentication can be used.  When identity data is stored in duplicated, dispersed stores, as it is today, end-users demand ease of use over security.  Will the Identity Owner be willing to pay an Identity Provider for such a service and its benefits?  Probably not!

Identity Providers only benefit when someone pays for their services.  Identity Owners do not want to pay for the service; will the Relying Parties be willing to pay for it?  Let’s see…

Relying Parties, in this business model, benefit the most.  The Relying Party reduces the cost of authentication and authorization services and passes the risk for such services to the Identity Provider.  Relying Parties, when possible, can maintain the privacy of their end-users by trusting the validity of the identity data to the Identity Provider.  Relying Parties, due to the reduced costs, have the ability to pay an Identity Provider for its services.  Assuming a trusted identity ecosystem, Relying Parties can accept identity data from different Identity Providers by also enrolling in trust services from a Trust Provider.

Trust Providers allow Relying Parties to be certain the Identity Provider is known to be responsible for due diligence in assuring Identity Owners' legitimacy.  Once again, the Relying Party assumes the cost of trust services, since it benefits by passing on the cost of validating the identity data from an Identity Provider.

Will Relying Parties be willing to pay for such services?  I think they already are: see Janrain.

The closest ecosystem that resembles Trusted Managed Identity Services is the Credit Card industry where:

  • Identity Owners = Credit Card Holders
  • Identity Providers = Credit Card Companies
  • Relying Parties = Merchants
  • Trust Providers = Credit Card Networks

The Business Model for Trusted Managed Identity Services has a lot of potential to produce profits.  The technology is there; the standards need to mature, but that can only happen if they are used.  We just need someone to be the first to accept the risks and take the profits.  Who is first?

Monday, January 10, 2011

National Strategy for Trusted Identities in Cyberspace (NSTIC)

According to the media and the headlines, the Obama administration is trying to implement a "National Internet Identity for all Americans", similar to what the Bush administration attempted through the Department of Homeland Security a few years ago.  User-centric identity advocates, such as myself, see it differently.  Kaliya (Identity Woman) expressed in her recent blog post at Fast Company that user-centric identity is about "1) maintaining the freedom to be who you want to be on the Internet AND 2) having the freedom and ability to share verified information about yourself when you do want to."

Unfortunately, I also believe in limited government and citizen privacy, and many like-minded individuals are skeptical of the government's involvement when it comes to Internet Identities.  And although it is not the Homeland Security Department driving this initiative but the Commerce Department, it is still the government.  A government where the President (Obama or any future President) has the ability to change the rules of the game at any time.  Today's plans may be to protect the privacy of citizens and improve trust in online commerce, but who says that may not change tomorrow?

But for us limited-government believers, reality must set in.  We live in a society where governments do provide services (whether effective or wasteful) and those services are exposed to the Internet.  Citizens, as end-users, must access those services.  Standards for Digital Identities that give control to the end user, allow for consumers' privacy and benefit commerce (e.g. the Kantara Initiative) are important.  The private sector as well as Governments, as Relying Parties, Identity Providers, Trust Providers and resource hosts of these services, need to be involved in these standards groups and, in some cases, as with NSTIC, lead the Internet community in implementing these standards.

So, all in all, NSTIC is a great initiative that I wish were not "National" but Global, where the private sector, governments, privacy groups, technology groups, security groups, etc., would be involved.  At a global level, and with involvement from the different groups interested in the "common" service, this initiative would be more welcome, more flexible to improve, and would not have a chance of being controlled by just one group.

Wednesday, November 24, 2010

Identity Trust Frameworks - Can they achieve what Visa, MC have?

Identity in the Cloud is here... almost!  Facebook, Google, Twitter, LinkedIn (and my new personal favorite, Empire Avenue) implement OAuth, and Relying Parties are able to use the OAuth implementation to register, authenticate and authorize users based on their identity data.  In other words, Facebook, Google, Twitter, LinkedIn and Empire Avenue are Identity Providers.  Most Relying Parties trust these very well known IdPs, but their level of trust is only good enough for Social Networks.

Can these identities be used in some way by organizations during the hiring process?  Can a financial institution trust a user based on a third-party Identity Provider?  Can this be extended to Healthcare systems to reduce the registration process?  Well, that is the goal, but we are not there yet, and the bridge to achieve these goals is "Trust".

There are some initiatives for Identity Trust Frameworks that aim to achieve what the credit card industry was able to accomplish with its payment system networks.  One of those initiatives is the Open Identity Exchange, which is working with different groups, including the government, to create an environment where identities can be trusted at different levels of assurance.

We have yet to see how successful these implementations are, but they depend on the demand for identity data and the cost of the implementations.  We are still at the early stages of Identity Trust Frameworks, but initiatives such as the Open Identity Exchange are very interesting and very promising.

Monday, September 13, 2010

Making Identity Portable in the Cloud by xmlgrrl

I thought I would repost this presentation because I find it very informational as it relates to Identity in the Cloud.

Note: You will have to register, or have been previously registered, at BrightTALK (what about using an external IdP, BrightTALK?) ;)

Thank you xmlgrrl

Wednesday, September 8, 2010

Identity Management - a form of Control or a Service

I was reading the following article, "Iris Scanners Create the Most Secure City in the World. Welcome, Big Brother", from Fast Company, and it got me thinking about the thin line between security and privacy, and when a security service becomes a form of control, specifically around Identity and Access Management.

Individuals seem to be more concerned about the misuse of identity data by a private organization than by a government office.  What is the difference between Facebook and the city of Leon?  Not to say that Facebook does not have its own issues with privacy, but at least we have the option to use it, and I have to say they have responded pretty well to the privacy demands of their end-users.  But when it comes to governments and the use of identity data, we are dealing with entities that today may use it for the benefit of the public, yet tomorrow identity data might be used for other means that interfere with the privacy of law-abiding citizens.

Therefore it is important, in this new age where digital identity is really king (see this article for some proof: "Young will have to change names to escape cyber past, warns Google"), to allow for Open User-Centric Identity.  In a User-Centric Identity model the end-user has control over their privacy.

I have become a big fan of the IdCommons organization, since they are the only well known organization promoting user-centric identity management, and their purpose gives me hope for the future: "The purpose of Identity Commons is to support, facilitate, and promote the creation of an open identity layer for the Internet -- one that maximizes control, convenience, and privacy for the individual while encouraging the development of healthy, interoperable communities."  Even if this sounds a little Utopian, we do have hope, and it is in our hands (as individuals or as professionals in the Identity Management field) to promote and expect identity data providers (Facebook, your local governments, etc.) to have the best controls in place, controls that allow you, as the end-user, to manage your identity in the cloud.