Friday, July 17, 2009
Social Networks and Privacy
The Canadian Privacy Commissioner recently completed an in-depth review of Facebook after receiving a wide-ranging complaint about the privacy practices and policies of Facebook.
I won't go into the details here; I suggest you read the report yourself. It is a good read and has stirred discussion here in Canada, in the US, and around the world.
Not discussed, but I think equally important, is the lack of identity "proofing" in these systems. There have been all sorts of reports of celebrity impersonations and now instances of kids creating profiles of their friends or teachers (for good or bad purposes). Since there is no identity proofing in these systems, there is nothing to stop one person from spoofing another person, except perhaps a use agreement. Nothing procedural or technical, apart from the general honesty of users, protects the rights of the people being spoofed. After all, if imitating people is not allowed in the agreement, that should be enough, right?
At first look, social networking sites seem benign and have huge curiosity and networking value for us as individuals. As a society, we've been tending to minimize the privacy issues, saying "social sites don't make much money, let's give them a break." But as we are learning now, social networking sites are subject to the same kinds of criminal activities as the real world. The possibility for fraud and identity theft remains huge. Social networking sites need to step up their game and ensure that they know who their customers really are before they can begin to get the privacy of their customers (and those who aren't customers) under control.
Wednesday, June 17, 2009
IDM and the Enterprise Social
Not sure why I had not seen this before, but there is an interesting post on the Oracle AppsLab showing how my colleague Clayton Donley built an iPhone app in his spare time that takes advantage of secure access to enterprise identity sources (e.g. a directory) and leverages social networking information found in Oracle Connect, our internal social network service. So, you can find people, and when you do, the app uses Connect API goodness to show you the person's profile and Connect activity. The profile actually combines the person's Connect and corporate directory profiles into a single view. Tapping the person's phone number(s) opens the Phone app; tapping the person's email address opens the Email app. But wait, there's more!
Beyond all the contact stuff, the app also surfaces a lot of Connect's functionality on your iPhone. You can view your network (Connections) and various activity logs, and you can reply to and comment on items in your activity logs, by email and by OraTweet.
What is nice about this app is that it starts from a familiar paradigm: the lowly corporate address book. By using Oracle Connect, the Oracle People app quickly takes you to new and interesting places by exploring the social relationships that naturally exist in an enterprise.
For example, I have been using Twitter (@independentid), and I have mixed feelings about the whole technology. I just don't need to communicate that broadly about what I'm doing (after all, I have a blog). So the idea of enterprise tweets seemed strange. Oracle People and OraTweet have created another way to find out what others are doing, in a very compelling way. OraTweet really boosts the ability to communicate and interact with colleagues around the world.
Friday, May 8, 2009
Talking IGF at the European Identity Conference
Felix Gaehtgens of Kuppinger Cole interviews Oracle's Dr. Prateek Mishra about IGF and its role in setting a foundation for privacy at this week's European Identity Conference.
Check out more interviews and comments about the EIC here.
Thursday, May 7, 2009
Aristotle Project Wins Award
I am happy to announce that Project Aristotle won an award for "Best new or improved standard" at the European Identity Conference. The win is shared with the Open Authentication (OAuth) and the Information Card Foundation (ICF). The European Identity Award for the category "Best new or improved standard" went to the Aristotle Project for ArisID, an important enhancement of IGF (Identity Governance Frameworks) and CARML, which enhances the user-friendliness of these important standards for IAM and GRC. This particular innovation had been promoted and supported by Oracle. The standardization initiative OAuth (Open Authentication) receives an award for their streamlined approach to authentication standardization, which finds a lot of market interest. The last award in this category goes to the Information Card Foundation (ICF) for standardizing the important approach of Information Cards for future identity management. Congrats to the contributors of openLiberty, the members of the Liberty Alliance TEG, as well as my colleagues at Oracle, who all contributed to the effort. Congratulations to OAuth and ICF as the co-winners!
A special thanks to Kuppinger Cole for organizing the event and for taking the time to recognize the efforts of all the award winners and of standards development in general.
Labels:
ArisID,
icf,
OAuth,
openLiberty,
Oracle_IDM
Friday, April 24, 2009
A more perfect union of ID management schemes
William Jackson of Government Computer News writes about the Kantara Initiative in the article "A more perfect union of ID management schemes."
Tuesday, April 21, 2009
Big Changes!
Yesterday, my plan was to write a post announcing some changes at Project Liberty. I was distracted by the announcement that Oracle has entered into an agreement to acquire Sun Microsystems! Some other interesting coverage can be found here.
Now, the other big news!
The Liberty Alliance Project announced formation of a new organization known as the Kantara Initiative. Kantara is an organization with a much more accessible approach to its membership. It carries an Intellectual Property structure that is much more flexible and should allow for a greater ability to bridge between industry communities working on identity services. Brett McDowell, Executive Director of Liberty Alliance Project, gives an overview of the Kantara Initiative here:
One of the first big differences between Project Liberty and Kantara is that Kantara will not be setting standards. Instead, work groups will define recommendations to share with other standards-setting organizations (SSOs). For example, the work on IGF AAPML and the various protocol profiles for IGF will likely each be referred to the SSO responsible for the parent specification.
For those following IGF and Project Aristotle, the work continues under the Kantara Initiative. One of the cool new features of the Kantara Initiative is the ability to support multiple open source projects with different licenses. This means it will be a lot easier to support a more diverse open source community. As an example, for Project Aristotle, it will make it a lot easier to work with the Higgins community now that we have a way to bridge between EPL and Apache licensing.
It seems that the themes of bridging and harmonization are in the air!
Labels:
IGF,
Kantara,
Liberty Alliance,
openLiberty,
Oracle_IDM,
standards
Friday, April 3, 2009
Qualcomm's Todd Beets on Identity Management
Todd Beets, Senior Enterprise Architect at Qualcomm, is interviewed by Oracle's Hormazd Romer about Oracle Identity Management. See the video here:
Todd talks about a new phase of their identity services offering, where Qualcomm can offload the responsibility of managing identity from within applications and move identity management to a shared services infrastructure -- letting developers focus on business logic!
Saturday, March 14, 2009
Building Internet Identity (WWDS Pt 2)
Last week, I responded to Dave Kearns's article "How a universal directory might work". I commented that there does not need to be some centralized service managed by one or a few vendors to unify directories or virtual directories. Rather, the solution needs to be akin to the kind of thing that created the Internet itself: TCP/IP's stack architecture. Project Aristotle is the beginning of one such "stack" for identity services. Project Aristotle uses CARML (Client Attribute Requirements Markup Language) to act as an application's identity object model for identity services. When an application has declared an identity data model, it becomes possible to have a technology "stack" that can service an application's requirements in a protocol-neutral way -- much the same way that TCP/IP could interconnect networks across many different types of media. Because the service layers below the application can understand the application's requirements (from the CARML data object model), they can begin to automate the complex processing it takes to map, route, and adapt to the necessary wire protocols. Further, this stack can also service other components of an application server, namely authentication and authorization services, bringing disparate components together to use a common identity service.
Aside: The idea of using an identity object information model for application development may seem radical and new. But actually, this has been done before in the database world. TopLink is an object-relational mapping package that was developed for Smalltalk and later Java. Learning from TopLink means we can move ahead with a proven programming concept combined with proven technology such as virtual directories, which can act as just one possible implementation among many in an open identity market.
For Oracle, Project Aristotle will make it much easier to develop applications that can use almost any type of identity service at a much lower cost, and with a lot more flexibility and reliability. More importantly, it gives the businesses that deploy these applications the ability to decide what protocols, policies, and technology systems are most appropriate for their enterprise environment without requiring customization of the application. Application developers are freed from having to become experts in many different types of identity services infrastructures and protocols. After all, developers shouldn't need to have a deep knowledge of identity protocols; they should be able to just use a well-tested, easy-to-use stack-based approach that allows any vendor or open source technology to be used.
Project Aristotle is being developed at OpenLiberty. While OpenLiberty is receiving major contributions from Oracle, Project Aristotle is being developed in an open community of participants. Accordingly, Project Aristotle (ArisID) welcomes and encourages contributions to this project! All that is required is the signing of the Apache CLA agreement. Oh, and by the way, if anyone wants to work on other programming language bindings for Project Aristotle, we're looking for that too!
Isn't it interesting that all this started from a desire to improve the transparency about how applications use identity-related information and to create Identity Governance within applications? The side effect of governance has been a new approach for dramatically improved identity services in the future!
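To make the "stack" idea concrete, here is an added example (my own illustration, not Project Aristotle or ArisID code) of the three layers the post describes: an application declares the attributes it needs and why (a simplified stand-in for a CARML declaration, not the real CARML schema), a governance layer checks that declaration against an authority's release policy (a simplified stand-in for an AAPML-style policy), and a mapping/routing layer fetches each attribute from the right back end. The directory and HR records, attribute names and policy are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class AttributeRequirement:
    """One attribute the application declares it needs (stand-in for a CARML entry)."""
    name: str          # application-side attribute name
    purpose: str       # declared use, e.g. "display" or "contact"
    required: bool = True


@dataclass
class AppDeclaration:
    app_id: str
    attributes: List[AttributeRequirement]


# Stand-in for an AAPML-style authority policy: the purposes each attribute may serve.
AUTHORITY_POLICY: Dict[str, Set[str]] = {
    "displayName": {"display", "contact"},
    "mail": {"contact"},
    "telephoneNumber": {"contact"},
    "dateOfBirth": set(),   # held by HR, never released to applications
}

# Constructed back ends behind the stack: an LDAP-like directory and a SQL-like HR table.
LDAP_DIRECTORY = {
    "uid=jdoe": {"displayName": "Jane Doe", "mail": "jdoe@example.com",
                 "telephoneNumber": "+1 555 0100"},
}
HR_TABLE = {"jdoe": {"date_of_birth": "1980-01-01", "employee_id": "E123"}}


def fetch_ldap(subject: str, attr: str) -> Optional[str]:
    """Adapter for the directory protocol: the subject is addressed by a DN-style key."""
    return LDAP_DIRECTORY.get(f"uid={subject}", {}).get(attr)


def fetch_sql(subject: str, attr: str) -> Optional[str]:
    """Adapter for the relational back end: the subject is a bare username."""
    return HR_TABLE.get(subject, {}).get(attr)


# Mapping/routing layer: application attribute -> (adapter name, back-end attribute name).
ROUTES = {
    "displayName": ("ldap", "displayName"),
    "mail": ("ldap", "mail"),
    "telephoneNumber": ("ldap", "telephoneNumber"),
    "dateOfBirth": ("sql", "date_of_birth"),
}
ADAPTERS: Dict[str, Callable[[str, str], Optional[str]]] = {"ldap": fetch_ldap, "sql": fetch_sql}


def validate_declaration(decl: AppDeclaration, policy=AUTHORITY_POLICY) -> List[str]:
    """Governance step: names of attributes whose declared purpose the authority does not allow."""
    return [r.name for r in decl.attributes if r.purpose not in policy.get(r.name, set())]


def resolve(decl: AppDeclaration, subject: str, policy=AUTHORITY_POLICY) -> Dict[str, str]:
    """Serve the declaration: check policy first, then map and route each attribute."""
    violations = validate_declaration(decl, policy)
    if violations:
        raise PermissionError(f"{decl.app_id}: disallowed attribute use: {violations}")
    result: Dict[str, str] = {}
    for req in decl.attributes:
        adapter, native = ROUTES[req.name]
        value = ADAPTERS[adapter](subject, native)
        if value is None:
            if req.required:
                raise LookupError(f"{decl.app_id}: required attribute {req.name} missing for {subject}")
            continue   # optional attribute absent from the back end: simply omit it
        result[req.name] = value
    return result


if __name__ == "__main__":
    app = AppDeclaration("people-app", [AttributeRequirement("displayName", "display"),
                                        AttributeRequirement("mail", "contact")])
    print(resolve(app, "jdoe"))
```

The application never learns whether an attribute came from LDAP or SQL, and a declaration that asks for an attribute the authority will not release for that purpose is refused before any back end is contacted.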
Labels:
ArisID,
CARML,
IGF,
Oracle_IDM
Sunday, March 8, 2009
Dave Kearns Suggests "World Wide Directory Service"
In his most recent column, Dave Kearns comments on IGF and how it could be used with virtual directories to form a world wide directory service.
This is a very interesting thought, but Mark Wilcox and I agree that a universal directory service operated or controlled by a single vendor isn't the right way to solve federated provisioning. For one thing, LDAP isn't the only requirement. Today's techniques for exchanging identity information involve many methods and many modes (browser-based and backend-based). Any solution has to handle multiple identity protocols and should have no central point of control or storage. The implementation should not be owned by one vendor; it should be open, available for anyone to adopt and use. Rather than anything that approaches vendor lock-in, the solution has to be adjustable, preferably on the fly. The solution should be configurable and policy-driven so that multiple technologies and providers can be used.
The need to link separate identity repositories around the world reminds me of the early days of enterprise networks. We used to talk about Ethernet networks, Token Ring, or even AppleTalk networks. These were standalone networks that tended to be isolated and self-sufficient with no concept of outside connectivity. Connections between networks were rare and expensive to implement, in part because each network medium (type of wire) meant new protocols to handle communication. The TCP/IP "stack" came along and abstracted the issues of network media and inter-network routing into layers. Everything changed. The Internet itself was born.
Applications today are at a similar crossroads. If they use identity services, the services are isolated to a single enterprise directory service. The problem? We as humans cross organization boundaries all the time. Applications are unable to exploit the power of the "Internet" when it comes to identity services. In the same way that TCP/IP solved media and inter-network challenges, applications need some way to handle the different protocols used in different enterprise networks. Most importantly, if we start networking identity information, applications and the enterprises that use them need a way to respect privacy and ensure that the information being transferred is appropriate and secure.
What is needed is a multi-protocol identity networking "stack" that developers and service providers can use to interconnect systems. Instead of solving media and networking issues, this stack needs to solve identity mapping, routing, and protocol conversion. While IGF was originally specified for Identity Governance, it turns out Dave Kearns is right: the IGF specifications may be an important part of the solution. More on that next time...
Labels:
ArisID,
Identity Network,
IGF,
Oracle_IDM
Tuesday, February 17, 2009
Defining Identity Modality
During my last webcast about Project Aristotle at OpenLiberty Project, I introduced a new concept called Identity Modality. The idea occurred to me as I was trying to describe the different types of identity exchange protocols and methodologies and how they impact developers.
I noticed there are several different ways and modes in which information is exchanged. There are times when the user is present (online) or absent (offline); there are times when the transfer occurs through a backend system (such as with a database) and times when it occurs directly via the user. Finally, there are simple transactions (atomic), and then there are multi-step or workflow-like transactions.
If you take these 3 different dimensions, place them on a 3-dimensional set of axes, and plot popular means of exchanging identity information (based on typical usage), some interesting observations can be made.

What struck me is how the notion of front-end or browser-based protocols creates a 3rd dimension of information exchange. The diagram also shows why SQL-based systems are so ubiquitous: they fully encompass user-online/offline and atomic vs. workflow-based transactions. Likewise, LDAP covers a smaller area, because it was intended as a lightweight, atomic (single operation at a time) protocol. Where SQL fully occupies 2 dimensions, LDAP exists only in the atomic space, handling both user-online and user-offline scenarios.
Considering the challenges of developers writing applications and the objectives of Project Aristotle, the chart suggests why applications dealing with multiple modes of identity communication face a huge challenge. It becomes one of the reasons why most applications end up with their own identity "silos" -- it's much easier to ignore systems outside the application.
One of the objectives behind the architecture of ArisID is to be able to handle all of these modalities through a single API. A loosely-coupled architecture means identity modality does not have to be restricted to a specific hard-coded set of choices, but rather can be configuration-based, leveraging policy and environmental requirements.
Labels:
ArisID,
Identity Theory,
openLiberty,
Oracle_IDM,
user-centric