Wednesday, November 24, 2010

Identity Trust Frameworks - Can they achieve what Visa, MC have?

Identity in the Cloud is here... almost! Facebook, Google, Twitter, LinkedIn (and my new personal favorite, Empire Avenue) implement OAuth, and Relying Parties are able to use the OAuth implementation to register, authenticate and authorize users based on their identity data. In other words, Facebook, Google, Twitter, LinkedIn, and Empire Avenue are Identity Providers. Most Relying Parties trust these very well-known IdPs, but their level of trust is only good enough for Social Networks.

Can these identities be used in some way by organizations during the hiring process? Can a financial institution trust a user based on a third-party Identity Provider? Can this be extended to Healthcare systems to reduce the registration process? Well, that is the goal, but we are not there yet, and the bridge to achieve these goals is "Trust".

There are some Identity Trust Framework initiatives that aim to achieve what the credit card industry was able to accomplish with its payment system networks. One of those initiatives is the Open Identity Exchange, which is working with different groups, including the government, to create an environment where identities can be trusted at different levels of assurance.

We have yet to see how successful these implementations are, but they are dependent on the demand for identity data and the cost of the implementations. We are still at the early stages of Identity Trust Frameworks, but initiatives such as the Open Identity Exchange are very interesting and very promising.

Monday, September 13, 2010

Making Identity Portable in the Cloud by xmlgrrl

I thought I would repost this presentation because I find it very informative as it relates to Identity in the Cloud.

Note: You will have to register or have been previously registered at BrightTALK (what about using an external IdP, BrightTALK?) ;)

Thank you xmlgrrl

Wednesday, September 8, 2010

Identity Management - a form of Control or a Service

I was reading the article "Iris Scanners Create the Most Secure City in the World. Welcome, Big Brother" from Fast Company, and it got me thinking about the thin line between security and privacy, and about when a security service becomes a form of control, specifically around Identity and Access Management.

Individuals seem to be more concerned about the misuse of identity data by a private organization than a government office. What is the difference between Facebook and the city of Leon? Not to say that Facebook does not have its own issues with privacy, but at least we have the option to use it and, I have to say, they have responded pretty well to the privacy demands from their end-users. But when it comes to governments and the use of identity data, we are dealing with entities that today may use it for the benefit of the public, yet tomorrow identity data might be used for other means that interfere with the privacy of law-abiding citizens.

Therefore it is important, in this new age where digital identity is really king (see this article for some proof: "Young will have to change names to escape cyber past warns Google"), to allow for Open User Centric Identity. In a User Centric Identity model the end-user has control over their privacy.

I have become a big fan of the IdCommons organization since they are the only well-known organization promoting user centric identity management, and their purpose gives me hope for the future: "The purpose of Identity Commons is to support, facilitate, and promote the creation of an open identity layer for the Internet -- one that maximizes control, convenience, and privacy for the individual while encouraging the development of healthy, interoperable communities." But, even if this sounds a little Utopian, we do have hope, and it is in our hands (either as individuals or as professionals in the Identity Management field) to promote and expect identity data providers (Facebook, your local governments, etc.) to have the best controls in place that give you, as the end-user, management over your identity in the cloud.

Sunday, April 18, 2010

Next Identity Trend: Governance or Cloud?

A few weeks ago I had a conversation with a friend and co-worker about the next trend in Identity Management. My point (a bit biased based on my interests) was that Identity in the Cloud is definitely the next trend, based on the current environment of services being provided and the need. His thought was that Governance is next. Now, I really don't know what the right answer is, but I do think both are important. Governance is driven by regulation, easier access to information and regulation cost savings, and Cloud by ease of use, faster implementation and implementation cost savings.

Matt Flynn posted an entry on his blog, "Governance - Next era of Identity", that has some interesting points and information about Governance. Another example of this trend is Oracle with their Sun acquisition and the decision to re-brand Sun Role Manager as Oracle Identity Analytics.

What about Cloud? Oracle, in their next release of the Oracle Identity Management suite 11g, is creating a framework that will allow for service-oriented security (SOS) to be consumed by application providers with greater ease. Tim Brown from CA posted on the CA IAM blog about "Trust and the Cloud - Identities are critical".

This tells me that Governance and Identity as a Service (either private or public in the cloud) are on the radar of all vendors, and clients are the only ones that will drive that trend.

Monday, January 18, 2010

OASIS Identity in the Clouds

I just found out that a group of folks are putting together a Technical Committee named Identity in the Clouds. The main function of this Technical Committee will be "to collect and harmonize definitions, terminologies and vocabulary of Cloud Computing" as it relates to Digital Identities.

I did find it interesting, though, that the following are out-of-scope for the TC: Access Control, Levels of Assurance (LOA) and Personally Identifiable Information (PII) in the context of cloud computing, because these have important relations to an Identity. An Identity is not useful if it does not require "access" to a resource, and risk cannot be quantified without a "Level of Assurance". If that were the case, Identities would not be needed. Personally Identifiable Information is in the context of any Identity, and in some cases is the only unique identifier of an Identity. So, I would like to see more information on the reasoning behind deeming these out-of-scope.