Monday, October 05, 2009


Getting Privacy Right

The Burton Group's Bob Blakley writes ("Gartner Gets Privacy Dead Wrong") a seminal piece on privacy - what it is, what it isn't and how to protect it. In the course of his blog entry he manages to pretty much dismiss most of the work that's been done under the rubric of "privacy" (which, as he notes, is really about secrecy) over the past dozen years.

As he writes: "That's how privacy works; it's not about secrecy, and it's not about control: it's about sociability. Privacy is a social good which we give to one another, not a social order in which we control one another."

It's an issue I've brought up a number of times in the past. Last year, for example, I discussed where many "...have gone wrong is to equate privacy with anonymity. You don’t have to be anonymous to maintain the privacy of your data. Again going back 100 years when you went into the bar and everybody knew your name there was also much about you that wasn’t known. Most things about you, in fact, weren’t known. Those things we want to keep private - our medical data, financial data, legal situation, etc. - were kept private. But people did know who you were, and perhaps where you lived, or worked, who your family was - and no one thought that was strange."

Secrecy and anonymity are not privacy, and the quicker we all understand that the quicker we can move to protect privacy.



Wednesday, July 15, 2009


Who knew Hospitality suites could do that?

In a posting on the Burton Group Catalyst website, Mountain View's Centrify says:

Visit Centrify in our Hospitality Suite in Aqua 311 on Wednesday, July 29!
More than 1000 enterprise customers, including 38% of the Fortune 50, have selected the Centrify Suite to improve IT efficiency, strengthen regulatory compliance initiatives, and centrally secure their heterogeneous computing environment.


I usually visit the suite to eat, drink and play games. Who knew you could also "improve IT efficiency, strengthen regulatory compliance initiatives, and centrally secure [your] heterogeneous computing environment"! I'm gonna be first in line...



Wednesday, May 13, 2009


"Entitled" to an opinion?

My good friend Ian Glazer, over at the Burton Group, had an interesting post today called Nailing Down the Definition of "Entitlement Management". Unfortunately, he missed.

Ian started out pointing to Ian Yip’s definition ("Entitlement management is simply fine-grained authorisation + XACML") and showing why it's wrong. And I do completely agree with Glazer on that.

But he goes on to say that the enterprises that Burton is talking to use the term differently. He says:

"The enterprises that we talked to use 'entitlement management' to mean:
· The gathering of entitlements from target systems (for example, collecting all the AD groups or TopSecret resource codes)
· Reviewing these entitlements to see if they are still valid
· Reviewing the assignment of these entitlements to individuals to see if the assignments are appropriate
· Removing and cleaning up excessive or outdated entitlements"



My first question to Ian, then, is this: if your clients (as many have in the past) referred to the enforcement of access controls/policies as "authorization" would you assume that definition for further discussion or try to get people to use the term properly?

"AD groups" are not, by any stretch of the definition, an entitlement. Nor should an "entitlement" be assigned to "an individual". Let's use entitlement at least in an analogous way to the real world - no one is "entitled" to something based on their name. All entitlement comes from their group or role. The same should be said of digital entitlements. So gather users' access rights, please. But then group those rights into an entitlement and grant them to a role and/or group.

Differentiate entitlement management from access management, also (else, why use both terms?). Individuals get access, roles/groups get entitlements. Access is granted to resources (hardware, applications, services, etc.) while entitlements specify what a particular role/group can do with or within that resource.
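The distinction drawn above, as an added sketch that is not code from the original post: access is recorded per individual and per resource, entitlements are bundles of actions granted only to roles, and a request succeeds only when both line up. The review function then flags collected rights that neither path explains. All class, role and user names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Entitlement:
    """Named bundle of actions inside one resource; granted to roles, never to a person."""
    name: str
    resource: str
    actions: frozenset

@dataclass
class Directory:
    access: dict = field(default_factory=dict)      # user -> resources the person may reach
    membership: dict = field(default_factory=dict)  # user -> roles/groups held
    grants: dict = field(default_factory=dict)      # role -> entitlements granted to it

    def allowed(self, user, resource, action):
        # Access gate: the individual must have been given the resource at all.
        if resource not in self.access.get(user, set()):
            return False
        # Entitlement gate: a role the user holds must carry the action there.
        return any(e.resource == resource and action in e.actions
                   for role in self.membership.get(user, set())
                   for e in self.grants.get(role, set()))

def uncovered_rights(directory, collected):
    """Rights gathered from target systems as (user, resource, action) that no
    access-plus-entitlement path explains: candidates for review and removal."""
    return sorted(r for r in collected if not directory.allowed(*r))

def sample_directory():
    # Constructed sample data; all names are hypothetical.
    ap_clerk = Entitlement("ap-clerk", "ledger", frozenset({"read", "post-invoice"}))
    auditor = Entitlement("ledger-audit", "ledger", frozenset({"read", "export"}))
    return Directory(
        access={"alice": {"ledger"}, "bob": {"ledger"}, "carol": set()},
        membership={"alice": {"accounts-payable"}, "bob": {"audit"}, "carol": {"audit"}},
        grants={"accounts-payable": {ap_clerk}, "audit": {auditor}},
    )

# Constructed output of the "gather" step: what each account can actually do today.
COLLECTED = [
    ("alice", "ledger", "post-invoice"),   # explained by role accounts-payable
    ("alice", "ledger", "export"),         # no role of alice's carries this
    ("bob", "ledger", "read"),             # explained by role audit
    ("carol", "ledger", "read"),           # role present, but no access to ledger
]

if __name__ == "__main__":
    for right in uncovered_rights(sample_directory(), COLLECTED):
        print("review:", right)
```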

If we all try really hard, maybe we can all speak the same language! That said, we should always be aware of what Richard Feynman said: "You can know the name of a bird in all the languages of the world, but when you're finished, you'll know absolutely nothing whatever about the bird... So let's look at the bird and see what it's doing -- that's what counts. I learned very early the difference between knowing the name of something and knowing something."



Tuesday, September 16, 2008


Identity-centric

Pam Dingle has a bit of a rant today about the term "user-centric." Well, not about the term itself but about people's desire (e.g., the entire Burton Group) to get away from it.

"Sure, there are a few blind worshippers of the cult of user-centric out there, but I firmly believe that common sense has to win out in deployment scenarios, and that various technologies should and will be used where applicable to solve problems."

"If, on the other hand, all this is about is finding a positive, all-encompassing touchy-feely name to give to the systems-formerly-known-as-user-centric so that isn’t all about conflict, fine — pick a new name already. I only ask that if you’re going to diss the current buzzword, can you please at least supply an alternative suggestion. Otherwise we end up in limbo where nobody wants to use the old term, but nobody has a new term either, making us all look like indecisive idiots."


I think it's about more than just a term, more than just a feel-good quality, Pam. The "User-centric" term was coined, initially, to try to differentiate internet-based individual identity protocols from those used within the enterprise. But it's really all identity, and there doesn't need to be a distinction. That's why I wrote, last month, "Why there's no 'user-centric' or 'enterprise-centric' identity," where I said:

"Enterprise-centric identity management, we postulated, is really all about tying together all the activities and attributes of a single entity into a readily accessible (and reportable and auditable) form; while user-centric identity is about keeping various parts of your online life totally separated so that they aren't accessible and no report can be drawn.
So how do we have a framework that allows for both tying together all of a user’s activities (enterprise-centric) while at the same time allowing distinct separation of activities as decided by the user?
We start by defining identity as a group of “personas” (see 'Defining identity, persona, role'). Any persona can be made up of a group of personas or roles. Each of those personas can be linked, or separated, as the entity identified by them wishes. One of those personas is (or, rather, could be) an 'enterprise persona.' That one brings together '…all the activities and attributes of a single entity' performed for or related to that enterprise '...into a readily accessible (and reportable and auditable) form.'
So there is no 'user-centric' or 'enterprise-centric' identity. There is just an entity with AN identity made up of various personas some of which may be controlled or limited in some way by an outside organization – not only by the enterprise but also by governments, social organizations, etc. The ability to keep these personas separate, where legally able to do so, must be a given. Each persona will have different identity needs and requirements, of course, but that’s what will drive the 'identity economy' as vendors seek to satisfy those needs and requirements in accordance with the laws. The government’s laws, the enterprise’s 'laws', the fraternal and social organization’s 'laws' and the Laws of Identity as laid down by [Kim] Cameron."



Tuesday, July 01, 2008


The role of roles

Ian Glazer has just released his first post since signing on with the Burton Group, and it's a good one, about the wrong-headed notion which appears to be taking hold in the marketplace that roles and role management are needed before provisioning can occur. As Ian puts it:

Implicit in the idea that an enterprise cannot attempt user-provisioning because it is not ready for role management is the notion that user provisioning has no value to the enterprise without role management. This is an outdated argument that is simply not true.
In fact, the opposite is true - roles, while not requiring it, will benefit from a good provisioning implementation.

Look at it this way, even without computer-based Identity Services people need to be provisioned into the resources they will use. eProvisioning simply automates that task. While the concept of roles may be present, roles-as-a-tool is only useful within a digital context.

Acquiring, piloting, prepping and rolling-out provisioning services should really be a no-brainer decision, especially today - almost 10 years after eProvisioning was first introduced - when so much of the setup and rollout is scripted, wizard-ed, template-ed and cookie cutter-ed. It's easy to demonstrate the efficiency gains (and the budget gains) from provisioning apps & services. There's also the fact that the successful launch of a provisioning service establishes a baseline and a platform for creating the rest of a full-blown identity services implementation, even beyond role management. Governance, Risk Management, Entitlement Management, Security Audit, Simplified Signon, Privileged Account Management and more have a much better chance of being successful if they follow a well executed provisioning rollout.



Friday, January 25, 2008


Unexpected moves

Right out of left field comes the announcement that Mike Neuenschwander, formerly Burton Group Vice President and Research Director, has joined Mycroft, Inc. as General Manager. I covered Mycroft ("A marriage, a hot couple, and a single looking for a date at Catalyst") at last summer's Catalyst conference where they announced the merger with Talisen Technologies. Their business is implementing IdM solutions from other vendors - they're in the service delivery and solution implementation business.

The press release said little about what Mike's role will be, so we'll just have to see how it evolves, but I am saddened that I won't have Mike to "kick around" anymore after his Catalyst speeches!



© 2003-2006 The Virtual Quill, All Rights Reserved
