Monday, January 04, 2010

Identity & Access Management Predictions For 2010

I should point out that I am not psychic. I haven't found a way to see into the future just yet. (If I had managed to do that, I'm quite sure I wouldn't be writing this article!)

Identity and Access Management has promised much in recent years and in the case of Identity Management, the promise has yet to be realised in a lot of deployments. I hear potential customers making claims that there has never been a successful identity management project and that any organisation intent on attempting to realise the benefits of such a project is doomed.

Thankfully, I have been involved in many successful deployments that have realised some, if not all, of the anticipated benefits. The problems I've seen have typically been political issues rather than technical issues. Does that sound familiar?

It would seem to me that there is a disconnect between what technology can offer, what businesses can afford and the political will-power to ensure that an IAM programme will succeed. Which brings me on to my predictions...

1. Ding-Ding - Round 2
The early adopters of IDM technology went through the pain and heartache of spending big on new technology in an effort to leverage their legacy technology in the "always connected" world. Their 18 month programmes a number of years ago are probably starting to provide some benefit around about now and the political collateral required to leverage their infrastructure will be in place because it has become too darn expensive to rip out all that kit that was deployed all those years ago. In other words, the initial hype surrounding the technology that was followed by disillusionment is now starting to pay for itself.

The rotation of staff around the various enterprises that exist will ensure that every enterprise now has "someone" in their team who has been involved in a successful IDM deployment. These people will become crucial in pushing their new employers down the path of embracing IDM as a workable solution.

2. Risk
I'm on thin ice with this one but the days of locking down everything because a manual said it could be locked down are disappearing. We used to live in a world which had adopted the 80/20 rule. An 80% delivery rate on a project was usually enough to get businesses working effectively and the remaining 20% was usually too expensive and made a mockery of the original business case. I see those days returning. For example, a two-factor authentication system for high-net-worth banking users or treasury departments may be a great idea bearing in mind the risk of a security breach for either user, but such a system may not be necessary for the thousands of people who only have a few coppers in their deposit account.

The same rule can be applied within the enterprise as well. Do we want to lock down our enterprise systems to the point where they become difficult to use? Do we want our users fed up with the tedium of trying to do their job with a system that seems hell-bent on preventing them from doing so?

IT Security professionals will finally find the word pragmatism in their dictionary and understand that they are there to help rather than hinder.

3. Personal Ownership
For many, the notion of an Identity Management System may seem crazy. Surely it is up to the individual to manage their identity properly rather than delegate such responsibility to a "system". 2010 will see IT users taking ownership of their identities (and not just those binary-speaking geeks we all like to poke fun at). Real people performing real duties in the real world will start to take more care of their online persona. Facebook and Twitter have become vital tools - they are no longer being used to merely jabber on about what was on television the previous night!

Most people are sensitive about how others perceive them. Now is the time to protect our online personae. It is time to manage our own identities.

4. Compliance
Enterprises need to demonstrate that they have control over their processes. In a nutshell, that seems to be what Sarbanes-Oxley is all about. How an enterprise demonstrates that control, however, is up to the enterprise. Quill and parchment record keeping may actually suffice.

There are tools available which can help an enterprise keep control over its systems. Identity Management systems typically look after the provisioning aspect of a system and can certainly be beneficial in achieving compliance. But what about those systems that aren't managed by such a clever tool? Log file scraping and database dumps can provide an auditor with the necessary data to determine how an application is being managed but unless she is super-human, she will need an analysis tool to help her make sense of the information.

Compliance has always been a tricky topic because there are legacy bespoke systems which contain data that nobody else on Earth could possibly understand. How do you build a tool capable of analysing information from every possible application without major customisation and significant up-front consultancy fee hell? How can "SOX IN A BOX" be achieved?

This year should see the major vendors of IDM solutions attempt to address this area.

5. The Cloud
I've written about "The Cloud" before and 2009 has already seen a quickening in pace of Cloud Services and IDM solutions specifically for The Cloud. I can see one or two niche players operating in the "IDM proxy" world being gobbled up by the big boys.

Until now, enterprises have attempted to manage access to The Cloud from within their perimeter. 2010 will see the start of a mirror-imaging of this approach, i.e. The Cloud will start to manage access within the enterprise.

Conclusion
The above five predictions are safe bets, to be honest. All of these things are already happening so I guess my predictions aren't really predictions. Maybe they are "realisations"? This year will be the year that the IT user base will become more aware of the above.


Wednesday, December 02, 2009

The Power Of Twitter & God's IT Usage

When I posted my musings on "Identity & Access Management In The Cloud" the other day, I did something I don't normally do. I advertised the fact that I had posted something via Twitter.

Now, my blog is mainly a way of recording my own thoughts as I travel through space and time and I treat it like an online diary that I can look back on with fondness. I don't really expect anyone to read the stuff. I certainly don't expect anyone to agree with my thoughts. And the notion that people would even take the time to comment on the ramblings never entered my head. But then there was Twitter!

My "tweet" mentioned the words identity, access, management and cloud and seems to have been picked up by quite a large number of people - comparatively speaking! I had 3x more visitors in one day than I normally do in a month!

If anything, this turn of events impresses upon me the following:
  • People are interested in the Cloud
  • People are interested in security when it comes to the Cloud
  • If people are interested in what I have to say, I need to be very careful what I say!
That last one might seem strange, but I've always been careful with my online persona - I think. I don't use bad language whether it be within my blog entries, on Twitter, on Facebook or wherever. There's no need for it and we should remember that it's permanent! I'm also a little nervy about writing anything that is controversial. (I guess I just wanna be loved and can't bear the thought of upsetting anyone?) In other words, my reputation is obviously very important to me.

Facebook & Twitter
There have been a lot of online discussions surrounding the management of identity with regards to online services such as Facebook & Twitter. While enterprises won't be too impressed with this notion, it is quite understandable that the likes of Facebook & Twitter could emerge as identity provider kings! I can't afford to have my Facebook account suspended and I certainly don't want my Twitter feed to suffer any kind of service interruption. As such, behaving appropriately when using these services is important to me. And, of course, because I'm a well behaved boy on these services, there's a good chance that they could be used to assert my identity quite faithfully.

Think about it. Would I be keen to authenticate myself to a dubious website using my reputable Facebook credentials? Reputation management, for me, is just as important as identity management (if not more so).

God
DISCLAIMER: If Pope Benedict and Richard Dawkins were lined up in the school playground pulling together their "gangs", I'd line up behind Dawkins. Sorry Benny.

Someone told me today that they doubted whether they would make it to heaven because they reckoned that God's choice of IT components would be akin to how governments go about their purchasing of IT components. It got me thinking...

  • Would God choose Oracle, DB2, MS SQL Server or MySQL? Nobody ever got fired by buying IBM, but who could fire God?
  • Would God choose Windows, AIX, Solaris or Linux for his servers?
  • Would God go Mac?
  • Would God deploy IIS or WebSphere?
  • Would God embrace open-source?

And what about Dawkins? Presumably he would prefer to select IT services based on the survival of the fittest model?

I'm having a laugh, of course. But the selection of any IT component can't possibly be determined to be right or wrong based on the component itself. It can be determined to be right or wrong based on how it interacts with the user and other IT components but I can't tell you that Macs are better than PCs. I can't tell you that Apache HTTP Server is better than Sun's offering. I can't tell you that PHP is better than Python which is better than COBOL which is better than C#, etc.

And the point? Well, I was asked yesterday whether I could help a customer select a database vendor and the options were Oracle and IBM. My answer? Technically, I come from the "a DBMS is a DBMS" school of thought. The real questions are:
  • Do you have in-house skills in one of the technologies?
  • Do you have existing relationships with either vendor?
  • What is the cost to you - TCO-wise?


Technically? Maybe I'm past caring. The "religious" questions are so much more important!

NOTE: The answer is DB2. No. Oracle. No. MySQL. Yeah. That's the one. Oh. Maybe not :-)


Monday, November 30, 2009

Identity & Access Management In The Cloud

Last week I was asked to give a presentation at the IBM Tivoli User Group on Identity & Access Management In The Cloud to IBM employees, IBM Business Partners and customers of IBM Tivoli Security products. I soon realised that my first problem was going to be defining The Cloud. Not everyone I spoke to in advance of the presentation knew what The Cloud was!

So What Is The Cloud?
The Cloud seems to be a term bandied about all too readily these days and for many people it merely represents everything that happens on the Internet. Others, however, are a little more strict with their definition:

"For me, cloud computing is a commercial extension of utility computing that enables scalable, elastic, highly available deployment of software applications while minimizing the level of detailed interaction with the underlying technology stack itself."

"Computing on tap - you get what you want literally from a socket in the wall."

"Cloud computing is just a virtual datacenter."

Wikipedia, naturally, has its own definition.
Cloud computing is Internet based development and use of computer technology. In concept, it is a paradigm shift whereby details are abstracted from the users who no longer need knowledge of, expertise in, or control over the technology infrastructure "in the cloud" that supports them.

Of course, there are different levels of computing that a provider in the Cloud can offer. The usage of a particular software application (e.g. Google Docs) is just one such offering. Another would be akin to a software development platform (think Google App Engine, Microsoft Azure and Salesforce's force.com). Then, of course, there are the raw infrastructure services - servers provisioned "on tap" for end-user usage (e.g. Amazon EC2).

We are probably all users of Cloud services if we think about it. A quick look inside my Password Safe vault reveals almost 300 different User ID & Password combinations for services on the net including:
  • Blogger [blogging platforms]
  • Twitter [divulging incoherent thoughts]
  • Facebook [staying in touch]
  • LinkedIn [professional networking]
  • Google Docs [MS Office Alternative]
  • Gmail [eMail]
  • Screenr [screencasting]
  • ChartGo [charting application]

The Enterprise Model
While it is easy to see how personal usage of Cloud applications has grown over recent years, it may come as more of a surprise to learn how the Enterprise is adopting Cloud usage.

According to EDL Consulting, 38% of enterprises will be using a SaaS based eMail service by December 2010. Incisive Media report that 12% of Financial Services firms have already adopted SaaS, mainly in the CRM, ERP & HR fields. And our friends at Gartner reckon that one-third of ALL new software will be delivered via the SaaS model by 2010.

My guess? SaaS is already happening in the enterprise. It's here and it's here to stay.

With any change to the enterprise operating model there will be implications - some real and, just as critical, some perceived.

In the Perceived Risks category, I'd place risks such as loss of control; storing business critical data in the Cloud; reliability of the Cloud provider; longevity of the Cloud provider. Of course, these are only perceived risks. Who is to say that storing business critical data in the Cloud is any less risky than storing it in the enterprise's own data centre? There may be different attack vectors that need to be mitigated against, but that doesn't mean the data is any less secure, does it? And who says the enterprise has to lose control!

Real risks, however, would include things like the proliferation of employee identities across multiple providers; compliance to company policies; the new attack vectors (already described); privacy management; the legislative impact of data storage locations; and, of course, user management!

Cloud Standards
As with any new IT delivery methodology, a raft of "standards" seems to appear. This is great as long as there is wide-spread adoption of the standards and the big suppliers can settle on a specific standard. Thank goodness for:
These guys, at least, are attempting to address the standards issue and I am particularly pleased to see CSA's Domain 13 on Identity & Access Management insisting on the use of SAML, WS-Federation and Liberty ID-FF.

Access Control
And on that point, the various Cloud providers should be congratulated on their adoption of security federation. Security Assertion Markup Language (SAML) has been around for over 6 years now and is an excellent way of providing a Single Sign On solution across the enterprise firewall. OpenID, according to Kim Cameron, is now supported by 50,000 sites and 500 million people have an OpenID (even if the majority don't realise it!)

The problem, historically, has been one of identity ownership. All major providers want to be the Identity Provider in the "federation" and Relying Parties were few and far between. Thankfully, there has been a marked shift in this stance over the last 12 months (as Kim Cameron's figures support).

Then there are the "brokers". Those companies designed to make the "federation" process a lot less painful. The idea is that a single-authentication to the broker will allow wider access to the SaaS community, as such:

Symplified (http://www.symplified.com/) and Ping Identity (http://www.pingidentity.com/) seem to be the thought leaders in this space and their marketing blurb comes across as comprehensive and impressive. They certainly tick the boxes marked "Speed To Market" and "Usability" but again those perceived risks may be troublesome for the wary enterprise. The "Keys To The Kingdom" issue rears its ugly head once more!

Identity Management
SPML is to identity management as SAML is to access management. Right? Well, almost. Service Provisioning Markup Language (SPML) was first ratified in October 2003 with v2.0 ratified in April 2006. My guess? We need another round of ratification! Let's examine the evidence. Who is currently using it? A Google search returns precious little. Google Apps uses proprietary APIs. Salesforce uses proprietary APIs. Zoho uses proprietary APIs. What is the point of a standard if nobody uses it?

Compliance & Audit
Apparently, forty times more information will be generated during 2009 than during 2008 AND the "digital universe" will be ten times bigger in 2011 than it was in 2006! Those are staggering figures, aren't they? And the bulk of that data will be quite unstructured - like this blog or my tweets!

The need for auditing the information we put out into the digital universe is greater than ever but there is no standards based approach to Compliance & Audit in the Cloud!

Service Providers are the current custodians of the Compliance & Audit process and will likely continue to be so for the time being. Actually, the Service Providers are quite good at this as they already have to comply with many different regulations across many different legislative jurisdictions. Typically, however, they present Compliance & Audit dashboards tailored to vertical markets only.

It's understandable, I guess, that for a multi-tenancy service there will be complications separating out relevant data for the enterprise compliance check.

Moving To The Cloud
There are providers out there who claim to be capable of providing an Identity Management as a Service (IDaaS) which sounds great, doesn't it? Take away all that pain of delivering an enterprise robust IdM solution? In practice, however, it works well for enterprises who operate purely in the Cloud. These solutions already understand the provisioning requirements of the big SaaS operators. What they can't do quite as well, though, is the provisioning back into our enterprise systems! It's not enough to assume that an enterprise runs everything from their Active Directory instance, after all. Also, we have to remember that using an IDaaS is akin to giving away the "Keys To The Kingdom". Remember our perceived risks?

An alternative is to move the enterprise IdM solution into the Cloud. Existing installations of IBM Tivoli Identity Manager or Sun Identity Manager or {insert your favourite vendor here} Identity Manager could be moved to the cloud using the IaaS model - Amazon EC2. The investment in existing solutions would be retained with the added benefit of scalability, flexibility and cost-reduction. Is this a model that can be adopted easily? Most certainly, as long as the enterprise in question can get its head around the notion of moving the "Keys To The Kingdom" beyond its firewall.

Conclusion
The next generation of user is already web-aware - SaaS is here to stay - and SSO is finally within our grasp with only a handful of big players dragging their heels when it comes to implementing standards such as SAML v2.0. It was also intriguing to play with Chrome OS last week (albeit an early prototype version). Integrating desktop sign on with the web just tightens things that bit further (in a Google way, of course).

Provisioning (whether it is Just-In-Time or Pre-Populated) is still the pain-point. Nobody seems to be using SPML and proprietary APIs abound. Nailing this is going to be critical for mass adoption of SaaS solutions.

While Provisioning is the current pain-point, however, Governance, Risk & Compliance will be the next big-ticket agenda item. The lack of standards and proliferation of point solutions will surely start to hurt. Here, though, I run out of ideas.... for now. Seems to me that there is an opportunity for a thought leader in this space!


Friday, May 01, 2009

Identity Mapping

I got to thinking the other day about my online "presence". I do the Facebook thing, the Twitter thing, the LinkedIn thing and I have a .tel domain now!

Some of these "things" talk to each other. Twitter feeds Facebook and Plaxo, for example. I thought it would be quite cool to try to map these services to show the linkages (and it was more difficult than I thought). I haven't included Flickr, Trip IT, Friends Re-United and probably a whole host of other services that I use but here is the current map:


I pulled together this map not by merely recalling the services that I use (although I could've done that quite easily with this particular map) but rather by taking a look at my Password Safe database and going through the various accounts I have. My Password Safe now has 257 items in it and I know there are some accounts missing!

257 account details. Whatever way you cut it, that's a lot of accounts. Thankfully, I only know the password to a couple of services (and have never known, and probably will never know my Facebook password, for example). I rely almost entirely on Password Safe to access my online accounts.

And here's the issue... So paranoid am I about losing my Password Safe database that I have it copied from my desktop PC to my Mac Mini (on a nightly backup). It is synchronised with my 8GB Freecom USB disk. It is then synchronised with my two laptops (one personal and one work) and it is copied to a secure location on a server I have in a data centre.

So, my precious information is stored in a number of locations. That's a few opportunities for the baddies to try to get it from me. What are the options, though?

Well, of the 257 accounts that I have, hardly any of them support some kind of federated security model. It is true that I can log in to some services using my Google ID or my Yahoo ID, but not many. OpenID? Again, hardly any of my service providers support this. In fact, it seems that I have THREE Amazon accounts - one for purchasing; one for Affiliation and one for Amazon Advantage! (I may have an Amazon developer account for their API, but can't remember!)

So managing my identity is a fairly manual process just now. Not the case, necessarily, for big corporations who can throw a Sun, Oracle or IBM Identity Management solution at their various data repositories. Could these tools be used "in the cloud" for web users? Would I want to pay for that? Could I host IBM Tivoli Identity Manager on a server on the net and build some connectors to the major websites (such as Facebook, Twitter, Google & Yahoo) for managing accounts? Could I host a reverse-proxy on this internet-facing server which would provide me with a web-based single sign-on solution to these services?

Technically? Everything is possible. Is it likely? Not a chance... well... not yet. Too many companies are trying to gear themselves towards offering this terrific opportunity to be the master of identity related data but you've got to question why any organisation would want to do it. For your benefit? Not likely.

Maybe I'll build an IdM service just for me :-)


Friday, February 09, 2007

Within Six Degrees?

There is a saying that we are within "six degrees of everyone in the world". At least, that was the saying when I was growing up and we believed there were 4 billion people on the planet - maybe it is seven now!

Anyway, knowing someone, who knows someone else, who knows someone else, etc., etc. seems a little fanciful, doesn't it? Not really...

I found out recently that I am only 3 degrees away from David Kearns - a man whose work I read every week and for whom I have the utmost respect, though sadly, I have no contact with him. Having said that, I did sit beside him at lunch one sunny day in 2004 at an Identity Conference in Sydney, Australia!

How did I find this out? http://www.linkedin.com/ that's how!

I know someone, who knows someone else, who knows David. Judging by the number of contacts David has on LinkedIn, I might be only four degrees away from everyone on the planet.

Anyway, http://www.linkedin.com/ is quite a powerful tool in that only people I truly respect and trust are listed as my contacts. I'm quite sure this is true of most people who use http://www.linkedin.com/. Why is this relevant? Well, the ability to verify who you are isn't just a matter of producing a passport, or entering a UserID/Password into a keyboard, or typing a PIN into a "hole in the wall", or using any of the myriad of authentication devices available today. In the old days, verifying your identity could have been as simple as having someone else "vouch" for you.

This still occurs today to some degree - joining some exclusive clubs is more a matter of who you know rather than who you are or what you know! Password resets could potentially be performed in the work-place not by the forgetful employee herself, but by her colleague who is already trusted (although ideally, two colleagues).

Can we computerise the concept of a vouch-for authentication system in the future? Maybe. And maybe, it will be social networks like http://www.linkedin.com/ that will hold the key. After all, I'm not going to let any Tom, Dick or Harry be listed as a contact against my name! My identity is too precious to have it be let down by some unsavoury type!

BTW... If you are desperately interested, my LinkedIn profile can be viewed at http://www.linkedin.com/in/stephenswann.
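To make the "vouch-for" idea above concrete, here is an added example (my own code, not the author's) that models a LinkedIn-style graph of accepted contacts, measures degrees of separation between two people, and approves a password reset only when two distinct, mutually accepted first-degree colleagues vouch for the employee. All names and the graph are constructed sample data.

```python
"""Vouch-for password reset over a trusted-contact graph (added example)."""
from collections import deque

# Constructed sample graph: each person lists the contacts they have
# explicitly accepted (the "only people I truly respect and trust" idea).
# "frank" claims alice as a contact, but alice has not accepted him back.
CONTACTS = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice", "dave"},
    "dave": {"bob", "carol", "erin"},
    "erin": {"dave"},
    "frank": {"alice"},
    "mallory": set(),  # nobody has accepted mallory, and vice versa
}


def degrees_of_separation(graph, source, target):
    """Shortest number of hops from source to target following only the
    links each person along the way has accepted; None if unreachable."""
    if source == target:
        return 0
    seen = {source}
    queue = deque([(source, 0)])
    while queue:
        person, dist = queue.popleft()
        for contact in graph.get(person, ()):
            if contact == target:
                return dist + 1
            if contact not in seen:
                seen.add(contact)
                queue.append((contact, dist + 1))
    return None


REQUIRED_VOUCHES = 2  # the post's "ideally, two colleagues"


def check_vouched_reset(graph, employee, vouchers, required=REQUIRED_VOUCHES):
    """Return (approved, reason) for a reset request on `employee`.

    A voucher only counts if the relationship is mutual (each side has
    accepted the other), so neither party can manufacture the trust alone,
    and duplicates of the same voucher are collapsed before counting."""
    distinct = set(vouchers)
    if employee in distinct:
        return False, "the employee cannot vouch for herself"
    trusted = {
        v for v in distinct
        if v in graph.get(employee, set()) and employee in graph.get(v, set())
    }
    if len(trusted) < required:
        return False, f"need {required} mutual first-degree contacts, got {len(trusted)}"
    return True, "approved by " + ", ".join(sorted(trusted))


if __name__ == "__main__":
    print(degrees_of_separation(CONTACTS, "alice", "erin"))
    print(check_vouched_reset(CONTACTS, "alice", ["bob", "carol"]))
    print(check_vouched_reset(CONTACTS, "alice", ["frank", "bob"]))
```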


Thursday, February 08, 2007

Open ID gets MS Backing

I typically try to talk about technology in the enterprise which is why I haven't yet mentioned Open ID on this blog - while I approve of the concept and the ideas which the Open ID group are working towards, I don't see that it is something that enterprises looking for staff authentication mechanisms are ever going to have to look into.

However, in the big bad world that is the WWW, a more joined-up approach to user authentication is no longer a nice-to-have. It is an absolute necessity. Personally, I dread to think just how many UserIDs I have online - my last count was ~150 and that is just a record of the ones I have recorded (securely, of course).

According to the BBC (http://news.bbc.co.uk/1/hi/technology/6339813.stm), the Open ID group have been given a boost by the news that Microsoft will give it their backing to the extent that they will share their own technology with the Open ID developers. This has got to be good news if only from the perspective that it will raise awareness of Open ID. After all, an article on the BBC website will only do it the world of good.

Microsoft are to bring their Infocards technology to the Open ID table. (Kim Cameron demonstrates the power of Infocards on MSDN TV: http://msdn.microsoft.com/msdntv/episode.aspx?xml=episodes/en/20060209InfoCardKC/manifest.xml). So are we likely to finally get our joined-up thinking as far as identity and access control on the internet are concerned? Looks that way, but it's still going to take time.


Sunday, January 14, 2007

Federation v ESSO

It's well understood that achieving single sign-on in the enterprise is an admirable target. The complexities of rolling out such an infrastructure may mean that integrating all enterprise applications with a common security infrastructure will take some time (if it is even possible).

But what happens when single sign-on to a third party is a target?

Readers will already be aware that I am a fan of the concept of security federation but how many organisations have federation-aware applications? Over the last 2 years I have been met with a consistent answer to this question when broaching the subject of federation with third-parties. None!

Maybe we have just been unlucky with the third-parties we have been dealing with but I suspect the real answer to the question is still pretty close to "none".

So, do we force these third-parties to migrate to a federated security approach or do we just accept that our employees will have to have a separate UserId/Password for the third-party site/application? Or is there another way?

Well, I'm quite sure with just a little bit of effort we could provide a mechanism to automate the sign-on process on behalf of the employee. I'm quite sure that with a bit more effort, we could automate the process of changing passwords upon password expiry. I'm also reasonably confident that with (considerably) more effort, we could automate the provisioning process. And everyone is happy once more... until the third-party changes the various screens used for each of these functions.

You see, it would seem that most of these third-parties haven't even exposed an API catering for these functions.

However, the idea of scripting the logon process seems like a reasonable stop-gap until full federation is achievable and this is the focus of applications like Passlogix's V-GO suite (available at http://www.passlogix.com/). Indeed, this little application seems to tick so many boxes that the guys at Passlogix have struck deals to allow some of the big boys in enterprise computing to sell the software in rebranded form: IBM Tivoli and Oracle to name just two.

Are there any downsides?
  • It is a client application that needs to be deployed onto the desktops/laptops within the organisation
  • It is a Windows only application
  • It doesn't seem to support Firefox
The upsides, of course, are that it should be a relatively quick and easy approach to achieving SSO with a third party. I can't help thinking that an amalgamation of Password Safe and AutoIt could achieve the same thing.

So, do I feel compelled to develop a freeware alternative to Passlogix's offering? No, I'm afraid not, despite the fact that it would be an interesting exercise. The additional features of V-GO would sway me towards buying the off-the-shelf package (although I have no idea how much it costs!)

And what about our federated security solution? Unfortunately, we are faced with a tricky situation. This type of solution requires both parties within the federation to have security federation aware systems. Deploying such systems is a "leap of faith" - faith that others will follow suit. Within my experience, none of our third-parties are ready to take that leap... yet!


Monday, January 08, 2007

Identity & Behaviour

I spend my working day devising ways of consolidating people's identities in order to help them minimise the number of UserIDs/Passwords they have to remember and in order to help them portray a consistent online "persona".

I have to admit that I have assumed that this is what people want. But is it?

It would seem that the younger generation are more fickle than that. The BBC, in a recent "bill board" article (available at http://news.bbc.co.uk/1/hi/technology/6234663.stm), reported that research in the US suggests that teenagers are happy to ditch their UserIDs or eMail Addresses in favour of new ones on a quite random basis.

Indeed, it would also seem that they are quite keen on having multiple identities portraying very different personalities. This, I can understand. After all, I have my "Identity Management Consultant" persona online in the form of this blog but I also have my "Sporting Athlete" persona online in the form of my hockey club website (available at http://www.eastantrim.co.uk/). I am very much the same person but the personality I portray through each is very different.

I can also understand that teenagers don't know who they are and will constantly change their online identity until they find an identity that they feel comfortable with. Maybe I have aged sufficiently to either be happy with my current identity or just too busy to attempt to alter it.

I will readily admit to having had the same email address and the same phone number for as long as I can remember. The kids at my hockey club seem to change both quite regularly.

So, maybe the world of Identity Management has a new challenge. Maybe there are users who would be horrified at the thought of only having a single identity? Thankfully for those users, Identity Management is still struggling to gain momentum within the enterprise world. The world where multiple identities are commonplace (and where those users live) is a social world within which Identity Management is not yet welcome. Does anyone remember Microsoft Passport?


Friday, December 22, 2006

Time for Fun!

It's the last working day before Christmas and therefore the time to ensure that everything is in order for the holiday period.

More importantly, it's time for some "resting" and fun.

My friends and I had great fun this morning discussing the results of the Hobbit Name Generator which can be found at http://www.chriswetherell.com/hobbit/ - it is well worth a 5 minute visit.

My Hobbit name is "Mungo Loamsdown of Deephallow" with which I'm quite pleased. We were also particularly impressed with "Minto Hamwich of Buckleberry Fern".

We all have a name yet we are known by various names & identities depending on who is addressing us. I respond to the following:
  • Stephen (and sometimes Steve)
  • Sir
  • Son
  • Daddy
  • Mr. Swann
  • Oi You
  • (and now Mungo Loamsdown)
Nothing particularly unique in much of that unfortunately. When it comes to accessing systems (whether they be web based or not), the combination of identities that I have is even greater. I like to think I know who I am but it is a sorry state of affairs when you not only have to commit your passwords to some medium other than your brain, but you also have to have a serious think about recording (and transporting) your "name" in a similar manner.
  • At my bank, I am a number.
  • On my blog, I am an email address.
  • At work, I am a combination of letters and numerals.
  • On my web based training site, I am a nickname.
Will there ever be a time when I can be considered truly unique and known by all as a single name?

Nah... I'll always be either a son, daddy or husband. But there must be a chance that the number of identities I own can be reduced significantly. The utopian world which includes an Identity Provider as a service which can be utilised by all these various systems sounds great (if a little dangerous if it were ever compromised). The world of security federation is just around the corner and I for one can't wait - my brain is stuffed to capacity with UserIDs and Passwords!

In the meantime, I might just change all my UserIDs to "Mungo Loamsdown" :-)

Merry Christmas everyone...


Tuesday, December 19, 2006

My Poor Wallet

I have a Samsonite wallet that I bought at Heathrow a few years ago. Upon opening it today, however, I noticed that it was torn and will need replaced - which sounds like a good Christmas present if ever there was one.

The problem, as I see it, is that the wallet is stuffed full of cards and has been under considerable strain for far too long:
  • 4 credit cards
  • 2 debit cards
  • 3 hotel loyalty cards
  • 2 air operator loyalty cards
  • 6 store loyalty cards
Note: For some reason I have Sterling, Dollars and Euros in there as well just now.

Almost all of these cards have a chip on them - I'm guessing a lot of them are only single-function chips, unfortunately. I say unfortunately because if I could in some way amalgamate the functions of these cards, then I wouldn't be in the position of having to replace my wallet!

Why can't we live in a world whereby I have a single card which has a chip capable of:
  • identifying myself for cash withdrawal
  • recording my spending habits (and thus accumulate cashback points from my various "suppliers")
  • identifying myself when gaining access to airport lounges
The reason why I can't have this? The world of Federated Security is too immature and no one company seems to want to take the leap of faith required to change our lives.

An identity provider/service provider model would certainly ease the strain on my poor wallet. In the meantime, I will have to continue carrying the lorryload of cards I need to go about my daily business.


Sunday, September 11, 2005

Who Are You Anyway?

I'm particularly interested in understanding how technology can help identify people. Identity Management is a "buzz-phrase" that has been on the go for a couple of years and lots of very talented people/organisations are trying to join up their thinking with regards to the problems posed by "identification".

Are the enterprises up to speed?

Yes and no. The techies often have an understanding of the problem and a view of how to solve the problem. The rest of the organisation still thinks IM means instant messaging!

How do you identify your customer - User ID and Password? That's one way - not very reliable though. Iris scanning? That's another way and the technology is improving all the time - bit expensive though.

My organisation is a financial institution and as such we can identify our customers by:
  • User ID, Password and Shared Secret Q&A
  • Credit/Debit Card and PIN
  • User ID, Password and Location ID on a direct link ISDN line
  • Signatures
  • Photographic lookup (just like passport control)
  • Smart Card
What's the best way to identify our customers? Dunno yet - what I do know is that our customers might appreciate a rationalisation of mechanisms.
