Monday, October 05, 2009
Getting Privacy Right
The Burton Group's Bob Blakley writes ("Gartner Gets Privacy Dead Wrong") a seminal piece on privacy - what it is, what it isn't and how to protect it. In the course of his blog entry he manages to pretty much dismiss most of the work that's been done under the rubric of "privacy" (which, as he notes, is really about secrecy) over the past dozen years.
As he writes: "That's how privacy works; it's not about secrecy, and it's not about control: it's about sociability. Privacy is a social good which we give to one another, not a social order in which we control one another."
It's an issue I've brought up a number of times in the past. Last year, for example, I discussed where many "...have gone wrong is to equate privacy with anonymity. You don’t have to be anonymous to maintain the privacy of your data. Again going back 100 years when you went into the bar and everybody knew your name there was also much about you that wasn’t known. Most things about you, in fact, weren’t known. Those things we want to keep private - our medical data, financial data, legal situation, etc. - were kept private. But people did know who you were, and perhaps where you lived, or worked, who your family was - and no one thought that was strange."
Secrecy and anonymity are not privacy, and the quicker we all understand that the quicker we can move to protect privacy.
Wednesday, July 15, 2009
Who knew Hospitality suites could do that?
In a posting on the Burton Group Catalyst website, Mountain View's Centrify says:
Visit Centrify in our Hospitality Suite in Aqua 311 on Wednesday, July 29!
I usually visit the suite to eat, drink and play games. Who knew you could also "improve IT efficiency, strengthen regulatory compliance initiatives, and centrally secure [your] heterogeneous computing environment"! I'm gonna be first in line...
Wednesday, May 13, 2009
"Entitled" to an opinion?
My good friend Ian Glazer, over at the Burton Group, had an interesting post today called Nailing Down the Definition of "Entitlement Management". Unfortunately, he missed.
Ian started out pointing to Ian Yip’s definition ("Entitlement management is simply fine-grained authorisation + XACML") and showing why it's wrong. And I do completely agree with Glazer on that.
But he goes on to say that the enterprises that Burton is talking to use the term differently. He says:
"The enterprises that we talked to use 'entitlement management' to mean:
My first question to Ian, then, is this: if your clients (as many have in the past) referred to the enforcement of access controls/policies as "authorization" would you assume that definition for further discussion or try to get people to use the term properly?
"AD groups" are not, by any stretch of the definition, an entitlement. Nor should an "entitlement" be assigned to "an individual". Let's use entitlement at least in an analogous way to the real world - no one is "entitled" to something based on their name. All entitlement comes from their group or role. The same should be said of digital entitlements. So gather users' access rights, please. But then group those rights into an entitlement and grant them to a role and/or group.
Differentiate entitlement management from access management, also (else, why use both terms?). Individuals get access, roles/groups get entitlements. Access is granted to resources (hardware, applications, services, etc.) while entitlements specify what a particular role/group can do with or within that resource.
If we all try really hard, maybe we can all speak the same language! That said, we should always be aware of what Richard Feynman said: "You can know the name of a bird in all the languages of the world, but when you're finished, you'll know absolutely nothing whatever about the bird... So let's look at the bird and see what it's doing -- that's what counts. I learned very early the difference between knowing the name of something and knowing something."
Tuesday, September 16, 2008
Identity-centric
Pam Dingle has a bit of a rant today about the term "user-centric." Well, not about the term itself but about people's desire (e.g., the entire Burton Group) to get away from it.
"Sure, there are a few blind worshippers of the cult of user-centric out there, but I firmly believe that common sense has to win out in deployment scenarios, and that various technologies should and will be used where applicable to solve problems."
I think it's about more than just a term, more than just a feel-good quality, Pam. The "User-centric" term was coined, initially, to try to differentiate internet-based individual identity protocols from those used within the enterprise. But it's really all identity, and there doesn't need to be a distinction. That's why I wrote, last month, "Why there's no 'user-centric' or 'enterprise-centric' identity," where I said:
"Enterprise-centric identity management, we postulated, is really all about tying together all the activities and attributes of a single entity into a readily accessible (and reportable and auditable) form; while user-centric identity is about keeping various parts of your online life totally separated so that they aren't accessible and no report can be drawn.
Tuesday, July 01, 2008
The role of roles
Ian Glazer has just released his first post since signing on with the Burton Group, and it's a good one, about the wrong-headed notion which appears to be taking hold in the market place that roles and role management are needed before provisioning can occur. As Ian puts it:
Implicit in the idea that an enterprise cannot attempt user-provisioning because it is not ready for role management is the notion that user provisioning has no value to the enterprise without role management. This is an outdated argument that is simply not true. In fact, the opposite is true - roles, while not requiring it, will benefit from a good provisioning implementation.
Look at it this way, even without computer-based Identity Services people need to be provisioned into the resources they will use. eProvisioning simply automates that task. While the concept of roles may be present, roles-as-a-tool is only useful within a digital context.
Acquiring, piloting, prepping and rolling-out provisioning services should really be a no-brainer decision, especially today - almost 10 years after eProvisioning was first introduced - when so much of the setup and rollout is scripted, wizard-ed, template-ed and cookie cutter-ed. It's easy to demonstrate the efficiency gains (and the budget gains) from provisioning apps & services. There's also the fact that the successful launch of a provisioning service establishes a baseline and a platform for creating the rest of a full-blown identity services implementation, even beyond role management. Governance, Risk Management, Entitlement Management, Security Audit, Simplified Signon, Privileged Account Management and more have a much better chance of being successful if they follow a well executed provisioning rollout.
Friday, January 25, 2008
Unexpected moves
Right out of left field comes the announcement that Mike Neuenschwander, formerly Burton Group Vice President and Research Director, has joined Mycroft, Inc. as General Manager. I covered Mycroft ("A marriage, a hot couple, and a single looking for a date at Catalyst") at last summer's Catalyst conference where they announced the merger with Talisen Technologies. Their business is implementing IdM solutions from other vendors - they're in the service delivery and solution implementation business.
The press release said little about what Mike's role will be, so we'll just have to see how it evolves, but I am saddened that I won't have Mike to "kick around" anymore after his Catalyst speeches!
© 2003-2006 The Virtual Quill, All Rights Reserved