

Date: Thursday, 08 Nov 2012 10:31

ZDNet’s John Fontana has written about the Webinar on Identity Management as a Service hosted last week by Craig Burton of Kuppinger Cole.  The session began with a presentation by Craig on the revolutionary impact of the API economy in shaping the requirements for cloud identity.  Then I spoke about the characteristics of Identity Management as a Service as they are shaping the industry and, especially, Azure Active Directory, while Chuck Mortimore gave a good description of what we will be seeing in Salesforce.com’s emerging cloud directory service.  The Webinar is available to those who want the details.

John highlights a number of the key emerging concepts in his piece, titled “Trust will make or break cloud ID management services”:

If identity-management-as-a-service is to take hold among enterprises it will need to be anchored by well-crafted rules for establishing trust that incorporate legal parameters and policy requirements, according to a pair of identity experts.

“Where we have seen trust frameworks be really successful in the past is where member organizations have some means and motivation for cooperation be that altruistic, economic, etc.,” said Chuck Mortimore, senior director of product management for identity and security at Salesforce.com. He cited the Shibboleth Project deployed in academia that highly incents universities to collaborate and cooperate.

“We are seeing both the U.S. government and the British government selecting trust frameworks for their respective identity initiatives,” said Kim Cameron, Microsoft’s identity architect. “You need a bunch of people who share the interest of having a trust framework.”

Trust frameworks ensure trust between those issuing an identity and the providers that accept that ID for authentication to access services or data, and in increasing cases, to tap application programming interfaces (APIs).

To wit, 62% of the traffic on Salesforce.com is API calls, mobile clients and desktop clients.

Mortimore and Cameron appeared together Tuesday on a Webinar hosted by Kuppinger Cole analyst Craig Burton.

The identity-management-as-a-service (IdMaaS) concept is rising in importance due to an emerging “API economy,” according to Burton. That economy is characterized by billions of API calls to support services sharing data on a massive, distributed scale that stretches across the enterprise and the cloud.

IdMaaS defines a cloud service that manages identity for an organization’s employees, partners and customers and connects them to applications, devices and data either in the enterprise or the cloud.

“This won’t be a point-to-point situation,” said Cameron. He said existing systems can’t handle the identity, security and privacy requirements of the cloud and its API economy. “The domain-based identity management model of the ‘90s and early 2000s is a non-starter because no one will be staying within the enterprise boundary.”

Cameron said the only way all the requirements can be met is with an identity service that fosters simplification and lower costs. And the only way that gets off the ground is through the use of trust frameworks that simplify the legal and policy requirements.

Cameron pointed to a number of current trust frameworks certification programs including Kantara and the Open Identity Exchange.

Mortimore said end-users need to start with a “baseline of security and trust” and go from there.

He said he believes most enterprises will use a hybrid identity management configuration – enterprise infrastructure plus cloud.

“We firmly believe we will see that architecture for a long time,” said Mortimore. “If you look at the core imperatives for IT, cloud and mobile apps are forcing functions for IT investments, as well as, people looking at existing IDM infrastructure that is running up against friction like how do I expose this API.”

Mortimore said cloud identity management services represent a nice transition path.

Salesforce.com backed up that idea last month when it introduced Salesforce Identity, a service baked into its applications, platform, and development environment.

Mortimore ran the list of features: a directory that anchors identity management, reliance on standard schemas and wire protocols, extensibility and programmability.

“We are not running this as a Salesforce identity service, we are running it on behalf of customers. That is a critical part of these identity cloud systems. We need to facilitate the secure exchange of identities, federation, collaboration and attribute exchange,” said Mortimore.

Cameron concurred, saying “the identity management service operates your directory for you, that has to be the model.”

Microsoft’s service is called Azure Active Directory, and it offers the cloud-based services in a similar fashion to what Active Directory and other Microsoft infrastructure products (authentication, federation, synchronization) do within the enterprise.

“You need to use the efficiencies of the cloud to enable new functions in identity and provide more capability for less money,” he said.

While they are giants, Microsoft and Salesforce.com represent just a handful of providers that offer or are building cloud identity services. (Disclaimer: My employer offers a cloud identity service).

 

Author: "admin" Tags: "Identity Management, IdMaaS"
Date: Monday, 05 Nov 2012 22:06

In mid-August I got an email that made me do a real double-take.  The subject line read:  Legacy Service End of Life – Action Required.

Action Required:

Legacy Service End of Life

Dear Kim,

We’ve been analyzing customer usage of Joyent’s systems and noticed that you are one of the few customers that are still on our early products and have not migrated to our new platform, the Joyent Cloud.

For many business reasons, including infrastructure performance, service quality and manageability, these early products are nearing their End of Life. We plan to sunset these services on October 31, 2012 and we’d like to walk you through a few options.

We understand this might be an inconvenience for you, but we have a plan and options to make this transition as easy as possible.  We’ve been developing more functionality on our new cloud infrastructure, the Joyent Cloud, for our customers who care about performance, resiliency and security.  Now’s the time to take advantage of all the new capabilities you don’t have today. Everyone that’s moved to our new cloud infrastructure has been pleased with the results.

As a new user to the Joyent Cloud, you are eligible to take advantage of Joyent Cloud’s 30-Day Free Trial using this promotional code… [etc. - Kim]

Sincerely,

Jason Hoffman
Founder and CTO
Joyent
jason@joyent.com

Of course I spend a lot of my time thinking about the cloud: people who’ve heard me speak recently know that I’ve increasingly become a zealot about the new capabilities it opens up, the API economy and all that.

So I suppose that getting a pail of cold salt water thrown in my face by Joyent was probably a good thing!  Imagine telling customers their infrastructure will be shut down within three months in an “action required” email!

We understand this might be an inconvenience for you.

Or even more surrealistic, after the hurricane,

We want you to take the time you need to focus on your personal safety, so we are extending the migration deadline from October 31, 2012 to the end of day Wednesday, November 7, 2012.

By the way, don’t think I was using a free service or an unreasonably priced plan.  I had been on a Joyent “dedicated accelerator” for many years with an upgraded support plan – on which I only ever made a single call.  This site was the very one that was breached due to a WordPress cross-site scripting bug as described here [note that my view of Joyent as a professional outfit has completely changed in light of the two-month fork-lift ultimatum they have sent our way].

Anyway, to make a long and illuminating story short, I’ve decided to leave Joyent in the dust and move towards something more professionally run.  Joyent served up what has to be one of the nightmare cloud scenarios – the kind that can only give the cloud a bad name.  Note to self:  Read the fine print on service end-of-life.  Tell customers to do the same.

Meanwhile, I’ve taken advantage of the platform change to move to the latest version of WordPress.  This meant paying the price for all the modifications to WordPress I had made over the years to experiment with InfoCards, OpenID, U-Prove, SAML, WS-Trust and the like on a non-Microsoft platform.

So friends, please bear with me while I get through this – with a major goal of keeping all the history of the site intact.  There are still “major kinks” I’m working out – including dealing with the picture in the theme, re-enabling comments and porting the old category system to the new WordPress mechanisms [categories now work - Kim].  Nonetheless, if you see things that remain broken please email me or contact me by Twitter or LinkedIn.

OK – I now “throw the big DNS switch in the sky” and take you over to the new version of Identityblog.

Author: "admin" Tags: "Uncategorized"
Date: Friday, 13 Jul 2012 04:36

Today Alex Simons, Director of Program Management for Active Directory, posted the links to the Developer Preview of Windows Azure Active Directory.  Another milestone.

I'll write about the release in my next post.  Today, since the Developer Preview focuses a lot of attention on our Graph API, I thought it would be a good idea to respond first to the discussion that has been taking place on Twitter about the relationship between the Graph API and SCIM (Simple Cloud Identity Management).

Since the River of Tweets flows without beginning or end, I'll share some of the conversation for those who had other things to do:

@NishantK: @travisspencer IMO, @johnshew’s posts talk about SaaS connecting to WAAD using Graph API (read, not prov) @IdentityMonk @JohnFontana

@travisspencer: @NishantK Check out @vibronet’s TechEd Europe talk on @ch9. It really sounded like provisioning /cc @johnshew @IdentityMonk @JohnFontana

@travisspencer: @NishantK But if it’s SaaS reading and/or writing, then I agree, it’s not provisioning /cc @johnshew @IdentityMonk @JohnFontana

@travisspencer: @NishantK But even read/write access by SaaS *could* be done w/ SCIM if it did everything MS needs /cc @johnshew @IdentityMonk @JohnFontana

@NishantK: @travisspencer That part I agree with. I previously asked about conflict/overlap of Graph API with SCIM @johnshew @IdentityMonk @JohnFontana

@IdentityMonk: @travisspencer @NishantK @johnshew @JohnFontana check slide 33 of SIA322 it is really creating new users

@IdentityMonk: @NishantK @travisspencer @johnshew @JohnFontana it is JSON vs XML over HTTP… as often, MS is doing the same as standards with its own

@travisspencer: @IdentityMonk They had to ship, so it’s NP. Now, bring those ideas & reqs to IETF & let’s get 1 std for all @NishantK @johnshew @JohnFontana

@NishantK: @IdentityMonk But isn’t that slide talking about creating users in WAAD (not prov to SF or Webex)? @travisspencer @johnshew @JohnFontana

@IdentityMonk: @NishantK @travisspencer @johnshew @JohnFontana indeed. But its like they re one step of 2nd phase. What are your partners position on that?

@IdentityMonk: @travisspencer @NishantK @johnshew @JohnFontana I hope SCIM will not face a #LetTheWookieWin situation

@NishantK: @johnshew @IdentityMonk @travisspencer @JohnFontana Not assuming anything about WAAD. Wondering about overlap between SCIM & Open Graph API

Given these concerns, let me explain what I see as the relationship between SCIM and the Graph API.

What is SCIM?

All the SCIM documents begin with a commendably unambiguous statement of what it is:

The Simple Cloud Identity Management (SCIM) specification is designed to make managing user identity in cloud based applications and services easier. The specification suite seeks to build upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization and privacy models. Its intent is to reduce the cost and complexity of user management operations by providing a common user schema and extension model, as well as binding documents to provide patterns of exchanging this schema using standard protocols. In essence, make it fast, cheap and easy to move users in to, out of and around the cloud. [Kim: emphasis is mine]

I support this goal. Further, I like the concept of spec writers being crisp about the essence of what they are doing: “Make it fast, cheap and easy to move users in to, out of and around the cloud”.  For this type of spec to be useful we need it to be as widely adopted as possible, and that means keeping it constrained, focussed and simple enough that everyone chooses to implement it.

I think the SCIM authors have done important work to date.  I have no comments on the specifics of the protocol or schema at this point – I assume those will continue to be worked out in accordance with the spec's “essence statement” and be vetted by a broad group of players now that SCIM is on a track towards standardization.  Microsoft will try to help move this forward:  Tony Nadalin will be attending the next SCIM meeting in Vancouver on our behalf.
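To make the “essence statement” concrete, here is what the user lifecycle looks like on the wire as an added example of my own; it is not a SCIM reference implementation, not Microsoft code and not part of the SCIM documents. It follows the SCIM 1.x core user schema (the `urn:scim:schemas:core:1.0` URN) as I understand it, supports only the one filter operator it needs, treats PATCH as a simplified partial update, and the sample user, store behaviour and status codes are assumed for illustration.

```python
"""Minimal SCIM-style user lifecycle: create, look up, update, deactivate, delete.

Added example, not a SCIM reference implementation or Microsoft code. The core
schema URN is SCIM 1.x's; the sample user, in-memory store and simplified
PATCH semantics are assumptions made for the illustration.
"""
import copy
import re
import uuid
from datetime import datetime, timezone

CORE_SCHEMA = "urn:scim:schemas:core:1.0"
REQUIRED = ("userName",)        # the attribute SCIM makes mandatory for a user

SAMPLE_USER = {                  # constructed sample payload for a POST /Users
    "schemas": [CORE_SCHEMA],
    "userName": "bjensen",
    "name": {"givenName": "Barbara", "familyName": "Jensen"},
    "emails": [{"value": "bjensen@example.com", "primary": True}],
}


class SCIMError(Exception):
    def __init__(self, status, detail):
        super().__init__(detail)
        self.status = status


class UserStore:
    """In-memory /Users endpoint semantics for a single service provider."""

    def __init__(self):
        self.users = {}          # server-assigned id -> resource

    @staticmethod
    def _now():
        return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

    def create(self, resource):
        """POST /Users: check the core schema, required attributes and uniqueness."""
        if CORE_SCHEMA not in resource.get("schemas", []):
            raise SCIMError(400, "missing core schema URN")
        for attr in REQUIRED:
            if not resource.get(attr):
                raise SCIMError(400, "missing required attribute " + attr)
        if any(u["userName"].lower() == resource["userName"].lower()
               for u in self.users.values()):
            raise SCIMError(409, "userName already exists")
        user = copy.deepcopy(resource)
        user["id"] = str(uuid.uuid4())      # server-assigned; a client-sent id is ignored
        user.setdefault("active", True)
        user["meta"] = {"created": self._now(), "lastModified": self._now()}
        self.users[user["id"]] = user
        return 201, copy.deepcopy(user)

    def get(self, user_id):
        """GET /Users/{id}"""
        if user_id not in self.users:
            raise SCIMError(404, "no such user")
        return 200, copy.deepcopy(self.users[user_id])

    def filter_by_username(self, filter_expr):
        """GET /Users?filter=userName eq "bjensen"  (only this operator is supported here)."""
        m = re.fullmatch(r'userName eq "([^"]*)"', filter_expr)
        if not m:
            raise SCIMError(400, "unsupported filter")
        hits = [copy.deepcopy(u) for u in self.users.values()
                if u["userName"].lower() == m.group(1).lower()]
        return 200, {"schemas": [CORE_SCHEMA], "totalResults": len(hits), "Resources": hits}

    def patch(self, user_id, changes):
        """PATCH /Users/{id}: partial update; read-only attributes are rejected."""
        if user_id not in self.users:
            raise SCIMError(404, "no such user")
        for attr in ("id", "meta", "schemas"):
            if attr in changes:
                raise SCIMError(400, attr + " is read-only")
        self.users[user_id].update(copy.deepcopy(changes))
        self.users[user_id]["meta"]["lastModified"] = self._now()
        return 200, copy.deepcopy(self.users[user_id])

    def delete(self, user_id):
        """DELETE /Users/{id}"""
        if user_id not in self.users:
            raise SCIMError(404, "no such user")
        del self.users[user_id]
        return 200, None


def status_of(call, *args):
    """HTTP status a call would produce, whether it succeeds or raises SCIMError."""
    try:
        return call(*args)[0]
    except SCIMError as e:
        return e.status


def joiner_mover_leaver():
    """Move one user in to, around, and out of the service; return what was observed."""
    store = UserStore()
    s1, created = store.create(SAMPLE_USER)                          # in
    s2, found = store.filter_by_username('userName eq "BJENSEN"')     # look up (case-insensitive)
    s3, _ = store.patch(created["id"], {"title": "Architect"})        # around
    s4, left = store.patch(created["id"], {"active": False})          # out (soft: deactivate)
    s5, _ = store.delete(created["id"])                               # out (hard: delete)
    s6 = status_of(store.get, created["id"])                          # gone
    return [s1, s2, s3, s4, s5, s6], found["totalResults"], left["active"]
```

Deactivating before deleting matters in practice: a deprovisioning run that only deletes loses the record that the account ever existed, while `active: false` keeps the user around for audit and still removes access.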

Meanwhile, what is “the Graph”?

Given that SCIM's role is clear, let's turn to the question of how it relates to a “Graph API”.  

Why does our thinking focus on a Graph API in addition to a provisioning protocol like SCIM?  There are two answers.

Let's start with the theoretical one.  It is because of the central importance of graph technology in being able to manage connectedness - something that is at the core of the digital universe.  Treating the world as a graph allows us to have a unified approach to querying and manipulating interconnected objects of many different kinds that exist in many different relationships to each other.

But theory only appeals to some… So let's add a second answer that is more… practical.  A directory has emerged that by August is projected to contain one billion users. True, it's only one directory in a world with many directories (most agree too many).  But beyond the importance it achieves through its scale, it fundamentally changes what it means to be a directory:  it is a directory that surfaces a multi-dimensional network.  

This network isn't simply a network of devices or people.  It's a network of people and the actions they perform, the things they use and create, the things that are important to them and the places they go.  It's a network of relationships between many meaningful things.  And the challenge is now for all directories, in all domains, to meet a new bar it has set.    

Readers who come out of a computer science background are no doubt familiar with what a graph is.  But I recommend taking the time to come up to speed on the current work on connectedness, much of which is summarized in Networks, Crowds and Markets: Reasoning About a Highly Connected World (by Easley and Kleinberg).  The thesis is straightforward:  the world of technology is one where everything is connected with everything else in a great many dimensions, and by refocusing on the graph in all its diversity we can begin to grasp it. 

In early directories we had objects that represented “organizations”, “people”, “groups” and so on.  We saw organizations as “containing” people, and saw groups as “containing” people and other groups in a hierarchical and recursive fashion.  The hierarchy was a particularly rigid kind of network or graph that modeled the rigid social structures (governments, companies) being described by technology at the time.

But in today's flatter, more interconnected world, the things we called “objects” in the days of X.500 and LDAP are better expressed as “nodes” with different kinds of “edges” leading to many possible kinds of other “nodes”.  Those who know my work from around 2000 may remember I used to call this polyarchy and contrast it with the hierarchical limitations of LDAP directory technology.

From a graph perspective we can see “person nodes” having “membership edges” to “group nodes”.  Or “person nodes” having “friend edges” to other “person nodes”.  Or “person nodes” having “service edges” to a “mail service node”.  In other words the edges are typed relationships between nodes that may possibly contain other properties.  Starting from a given node we can “navigate the graph” across different relationships (I think of them as dimensions), and reason in many new ways.

For example, we can reason about the strength of the relationships between nodes, and perform analysis, understand why things cluster together in different dimensions, and so on.

From this vantage point, directory is a repository of nodes that serve as points of entry into a vast graph, some of which are present in the same repository, and others of which can only be reached by following edges that point to resources in different repositories.  We already have forerunners of this in today's directories – for example, if the URL of my blog is contained in my directory entry it represents an edge leading to another object.  But with conventional technology, there is a veil over that distant part of the graph (my blog).  We can read it in a browser but not access the entities it contains as structured objects.  The graph paradigm invites us to take off the veil, making it possible to navigate nodes across many dimensions.

The real power of directory in this kind of interconnected world is its ability to serve as the launch pad for getting from one node to a myriad of others by virtue of different  relationships. 

This requires a Graph Protocol

To achieve this we need a simple, RESTful protocol that allows use of these launch pads to enter a multitude of different dimensions.

We already know we can build a graph with just HTTP REST operations.  After all, the web started as a graph of pages…  The pages contained URLs (edges) to other pages.  It is a pretty simple graph but that's what made it so powerful.

With JSON (or XML) the web can return objects.  And those objects can also contain URLs.  So with just JSON and HTTP you can have a graph of things.  The things can be of different kinds.  It's all very simple and very profound.
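The following is an added example of my own of exactly that: a handful of nodes of different kinds, typed edges between them, and navigation by HTTP path that returns JSON. It is not the Windows Azure AD Graph API or Facebook's code, and the node names, edge names, base URL and the blog URL are made up. It also shows the “veil” case from above: an edge whose target lives in another repository is returned as a URL reference, not fetched, because only that repository's own server and its own authorization can resolve it.

```python
"""Toy directory graph navigated RESTfully, returning JSON.

Added illustration of the node/edge model, not the Windows Azure AD Graph API.
Node ids, edge names, the example.com base URL and the example.net blog URL are
constructed for the example.
"""
import json
from urllib.parse import urlparse

BASE = "https://directory.example.com"    # assumed base URL of this repository

# Nodes keyed by path. The "kind" says what sort of thing the node is.
NODES = {
    "/people/kim":        {"kind": "person", "displayName": "Kim", "mail": "kim@example.com"},
    "/people/craig":      {"kind": "person", "displayName": "Craig"},
    "/groups/architects": {"kind": "group", "displayName": "Architects"},
    "/services/mail":     {"kind": "service", "displayName": "Mail", "protocol": "IMAP"},
}

# Typed edges: (source path, edge type) -> targets. A target is either a path in
# this repository or an absolute URL into another one.
EDGES = {
    ("/people/kim", "memberOf"):      ["/groups/architects"],
    ("/people/kim", "friends"):       ["/people/craig"],
    ("/people/kim", "services"):      ["/services/mail"],
    ("/people/kim", "blog"):          ["https://blog.example.net/"],
    ("/groups/architects", "members"): ["/people/kim", "/people/craig"],
}


def is_remote(target):
    """A target with a scheme and host lives in another repository."""
    parsed = urlparse(target)
    return bool(parsed.scheme and parsed.netloc)


def get(path):
    """GET /people/kim -> the node plus its outgoing edges as URLs.

    Edges come back as URLs rather than embedded objects, so the client keeps
    navigating one hop at a time and the server never has to resolve the whole
    graph. Remote targets are passed through unchanged: this server does not
    fetch from other repositories on the caller's behalf.
    """
    node = NODES.get(path)
    if node is None:
        return 404, {"error": "not found", "path": path}
    body = dict(node)
    body["url"] = BASE + path
    body["edges"] = {
        edge_type: [t if is_remote(t) else BASE + t for t in targets]
        for (src, edge_type), targets in EDGES.items() if src == path
    }
    return 200, body


def get_edge(path, edge_type):
    """GET /people/kim/memberOf -> the nodes reached over that edge.

    Local targets are expanded into node JSON; remote targets are listed as
    opaque references that only their own server can resolve.
    """
    if path not in NODES:
        return 404, {"error": "not found", "path": path}
    data = []
    for t in EDGES.get((path, edge_type), []):
        if is_remote(t):
            data.append({"kind": "remote", "url": t})
        else:
            data.append(get(t)[1])
    return 200, {"data": data}


def route(request_path):
    """Dispatch a request path of the form /collection/id or /collection/id/edge."""
    parts = request_path.strip("/").split("/")
    if len(parts) == 2:
        return get("/" + "/".join(parts))
    if len(parts) == 3:
        return get_edge("/" + "/".join(parts[:2]), parts[2])
    return 400, {"error": "expected /collection/id or /collection/id/edge"}


if __name__ == "__main__":
    for p in ["/people/kim", "/people/kim/memberOf",
              "/groups/architects/members", "/people/kim/blog", "/people/nobody"]:
        status, body = route(p)
        print(status, p, json.dumps(body, indent=1))
```

The design point worth keeping from this toy is the one in `get_edge`: a graph server that dereferenced arbitrary remote edge targets for its callers would become a proxy into every repository it links to, using its own credentials and network position rather than the caller's. Handing back the URL and letting the client cross the boundary under the target's own authorization keeps each repository in control of its own data.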

No technology ghetto

Here I'm going to put a stake in the ground.  When I was back at ZOOMIT we built the first commercial implementation of LDAP while Tim Howes was still at University of Michigan.  It was a dramatic simplification relative to X.500 (a huge and complicated standard that ZOOMIT had also implemented) and we were all very excited at how much Tim had simplified things.  Yet in retrospect, I think the origins of LDAP in X.500 condemned directory people to life in a technology ghetto.  Much more dramatic simplifications were coming down the pike all around us in the form of HTML, latter day SQL and XML.  For every 100 application programmers familiar with these technologies, there might have been - on a good day – one who knew something about LDAP.  I absolutely respect and am proud of all the GOOD that came from LDAP, but I am also convinced that our “technology isolation” was an important factor that kept (and keeps) directory from being used to its potential.

So one of the things that I personally want to see as we reimagine directory is that every application programmer will know how to program to it.  We know this is possible because of the popularity of the Facebook Graph API.  If you haven't seen it close up and you have enough patience to watch a stream of consciousness demo you will get the idea by watching this little walkthrough of the Facebook Graph Explorer.   Or better still just go here and try with your own account data.

You have to agree it is dead simple and yet does a lot of what is necessary to navigate the kind of graph we are talking about.  There are many other similar explorers available out there – including ours.  I chose Facebook's simply because it shows that this approach is already being used at colossal scale.  For this reason it reveals the power of the graph as an easily understood model that will work across pretty much any entity domain – i.e. a model that is not technologically isolated from programming in general.

A pluggable namespace with any kind of entity plugging in

In fact, the Graph API approach taken by Facebook follows a series of discussions by people now scattered across the industry where the key concept was one of creating a uniform pluggable namespace with “any” kind of entity plugging in (ideas came from many sources including the design of the Azure Service Bus).

Nishant and others have posed the question as to whether such a multidimensional protocol could do what SCIM does.  And my intuition is that if it really is multidimensional it should be able to provide the necessary functionality.  Yet I don't think that diminishes in any way the importance of or the need for SCIM as a specialized protocol.  Paradoxically it is the very importance of the multidimensional approach that explains this.

Let's have a thought experiment. 

Let's begin with the assumption that a multidimensional protocol is one of the great requirements of our time.  It then seems inevitable to me that we will continue to see the emergence of a number of different proposals for what it should be.  Human nature and the angels of competition dictate that different players in the cloud will align themselves with different proposals.  Ultimately we will see convergence – but that will take a while.   Question:  How are we to do cloud provisioning in the meantime?  Does everyone have to implement every multidimensional protocol proposal?  Fail!

So pragmatism calls for us to have a widely accepted and extremely focused way of doing provisioning that “makes it fast, cheap and easy to move users in to, out of and around the cloud”.

Meanwhile, allow developers to combine identity information with information about machines, services, web sites, databases, file systems, and line of business applications through multidimensional protocols and APIs like the Facebook and Windows Azure Active Directory Graph APIs.  For those who are interested, you can begin exploring our Graph API here:  Windows Azure AD Graph Explorer (hosted in Windows Azure) (Select ‘Use Demo Company’ unless you have your own Azure directory and have gone through the steps to give the explorer permission to see it…)

To me, the goals of SCIM and the goals of the Graph API are entirely complementary and the protocols should coexist peacefully.  We can even try to find synergy and ways to make things like schema elements align so as to make it as easy as possible to move between one and the other. 

Author: "Kim Cameron"
Date: Tuesday, 03 Jul 2012 13:41

As I wrote here, Mary Jo Foley's interpretation of one of the diagrams in John Shewchuk's second WAAD post made it clear we needed to get a lot visually crisper about what we were trying to show.  So I promised that we'd go back to the drawing board.  John put our next version out on twitter, got more feedback (see comments below) and ended up with what Mary Jo christened “Diagram 2.0”.  Seriously, getting feedback from so many people who bring such different experiences to bear on something like this is amazing.  I know the result is infinitely clearer than what we started with.

In the last frame of the diagram, any of the directories represented by the blue symbol could be an on-premise AD, a Windows Azure AD, something hybrid, an OpenLDAP directory, an Oracle directory or anything else.  Our view is that having your directory operated in the cloud simplifies a lot.  And we want WAAD to be the best possible cloud directory service, operating directories that are completely under the control of their data owners:  enterprises, organizations, government departments and startups.

Further comments welcome.

Author: "Kim Cameron"
Date: Monday, 02 Jul 2012 20:22

Reading the following SFGate story was a real rollercoaster ride: 

DOVER, Del. (AP) — State lawmakers have given final approval to a bill prohibiting universities and colleges in Delaware from requiring that students or applicants for enrollment provide their social networking login information.

The bill, which unanimously passed the Senate shortly after midnight Saturday, also prohibits schools and universities from requesting that a student or applicant log onto a social networking site so that school officials can access the site profile or account.

The bill includes exemptions for investigations by police agencies or a school's public safety department if criminal activity is suspected.

Lawmakers approved the bill after deleting an amendment that expanded the scope of its privacy protections to elementary and secondary school students.

First of all there was the realization that if lawmakers had to draft this law it meant universities and colleges were already strong-arming students into giving up their social networking credentials.  This descent into hell knocked my breath away. 

But I groped my way back from the burning sulfur since the new bill seemed to show a modicum of common sense. 

Until finally we learn that younger children won't be afforded the same protections…   Can teachers and principals actually bully youngsters to log in to Facebook and access their accounts?  Can they make kids hand over their passwords?  What are we teaching our young people about their identity?

Why oh why oh why oh? 

 

Author: "Kim Cameron"
Date: Wednesday, 27 Jun 2012 18:03

Mary Jo Foley knows her stuff, knows identity and knows Microsoft.  She just published a piece called “With Azure Active Directory, Microsoft wants to be the meta ID hub”.  The fact that she picked up on John Shewchuk's piece despite all the glamorous announcements made in the same timeframe testifies to the fact that she understands a lot about the cloud.  On the other hand, I hope she won't mind if I push back on part of her thesis.  But before I do that, let's hear it:

Summary: A soon-to-be-delivered preview of a Windows Azure Active Directory update will include integration with Google and Facebook identity providers.

Microsoft isn’t just reimagining Windows and reimagining tablets. It’s also reimagining Active Directory in the form of the recently (officially) unveiled Windows Azure Active Directory (WAAD).

In a June 19 blog post that largely got lost among the Microsoft Surface shuffle last week, Microsoft Technical Fellow John Shewchuk delivered the promised Part 2 of Microsoft’s overall vision for WAAD.

WAAD is the cloud complement to Microsoft’s Active Directory directory service. Here’s more about Microsoft’s thinking about WAAD, based on the first of Shewchuk’s posts. It already is being used by Office 365, Windows InTune and Windows Azure. Microsoft’s goal is to convince non-Microsoft businesses and product teams to use WAAD, too.

This is how the identity-management world looks today, in the WAAD team’s view:

And this is the ideal and brave new world they want to see, going forward.


WAAD is the center of the universe in this scenario (something with which some of Microsoft’s competitors unsurprisingly have a problem).

[Read more of the article here]

The diagrams Mary Jo uses are from John's post.  And the second clearly shows the “Active Directory Service”  triangle in the center of the picture so one can understand why Mary Jo (and others) could think we are talking about Active Directory being at the center of the universe. 

Yet in describing what we are building, John writes,

“Having a shared directory that enables this integration provides many benefits to developers, administrators, and users.”

“Shared” is not the same as “Central”.  For the Windows Azure AD team the “shared directory” is not “THE hub” or “THE center”.  There is no one center any more in our multi-centered world.  We are not building a monolithic, world-wide directory.  We are instead consciously operating a directory service that contains hundreds of thousands of directories that are actually owned by individual enterprises, startups and government organizations.  These directories are each under the control of their data owner, and are completely independent until their data owner decides to share something with someone else.
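To show the difference between “one service operating many independent directories” and “one central directory”, here is an added model of my own of the access rule just described: a tenant can read and write only its own directory, and another tenant sees nothing from it until the owner has explicitly released specific attributes to that tenant. This is an illustration of the principle, not Windows Azure AD code, and it says nothing about how WAAD actually implements isolation; the tenant names, attributes and grants are made up.

```python
"""One directory service, many owner-controlled directories.

Added illustration of the shared-not-central model: isolated by default, with
sharing decided by the data owner. Not Windows Azure AD code; tenant names,
attributes and grants are constructed for the example.
"""


class AccessDenied(Exception):
    pass


class DirectoryService:
    def __init__(self):
        self.tenants = {}   # tenant -> {object_id: {attribute: value}}
        self.grants = {}    # (owner, grantee) -> set of attributes the owner released

    def create_tenant(self, tenant):
        self.tenants.setdefault(tenant, {})

    def write(self, caller, tenant, object_id, attrs):
        """Only the owning tenant writes its own directory; the operator's
        other tenants have no write path into it at all."""
        if caller != tenant:
            raise AccessDenied(caller + " may not write " + tenant)
        self.tenants[tenant].setdefault(object_id, {}).update(attrs)

    def share(self, owner, grantee, attributes):
        """The data owner decides what leaves its directory, and to whom."""
        self.grants.setdefault((owner, grantee), set()).update(attributes)

    def revoke(self, owner, grantee):
        self.grants.pop((owner, grantee), None)

    def read(self, caller, tenant, object_id):
        """Own directory: the whole object. Another tenant's directory: only the
        released attributes, and only if that owner granted the caller a share."""
        obj = self.tenants.get(tenant, {}).get(object_id)
        if caller == tenant:
            if obj is None:
                raise KeyError(object_id)
            return dict(obj)
        allowed = self.grants.get((tenant, caller))
        if not allowed:
            # Same answer whether or not the object exists, so a tenant without
            # a share cannot probe which objects another directory contains.
            raise AccessDenied(caller + " has no share from " + tenant)
        if obj is None:
            raise KeyError(object_id)
        return {k: v for k, v in obj.items() if k in allowed}


def demo():
    """Owner, partner with a share, stranger, and partner after revocation."""
    svc = DirectoryService()
    for t in ("contoso", "fabrikam", "other-tenant"):
        svc.create_tenant(t)
    svc.write("contoso", "contoso", "alice",
              {"mail": "alice@contoso.example", "employeeId": "E-1001"})
    svc.share("contoso", "fabrikam", {"mail"})     # contoso releases mail only

    results = {"own": svc.read("contoso", "contoso", "alice"),
               "partner": svc.read("fabrikam", "contoso", "alice")}
    try:
        svc.read("other-tenant", "contoso", "alice")
        results["stranger"] = "allowed"
    except AccessDenied:
        results["stranger"] = "denied"
    try:
        svc.write("fabrikam", "contoso", "alice", {"mail": "x@fabrikam.example"})
        results["partner_write"] = "allowed"
    except AccessDenied:
        results["partner_write"] = "denied"
    svc.revoke("contoso", "fabrikam")
    try:
        svc.read("fabrikam", "contoso", "alice")
        results["after_revoke"] = "allowed"
    except AccessDenied:
        results["after_revoke"] = "denied"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note that the operator of the service is not a party in this model: there is no call that lets one tenant's data reach another except `share`, which only the owner can make, and revoking the share closes the path again.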

The difference may sound subtle, but I don't think it is.  When I think of a hub I think of a standalone entity mediating between a set of claims providers and a set of relying parties.  

But with Azure Active Directory the goal is quite different:  to offer a holistic “Identity Management as a Service” for organizations, whether startups, established enterprises or government organizations – in other words to “operate” on behalf of these organizations.  

One of the things such a service can do is to take care of connecting an organization to all the consumer and corporate claims providers that may be of use to it.  We've actually built that capability, and we'll operate it on a 24/7 basis as something that scales and is robust.  But IdMaaS involves a LOT of other different capabilities as well.  Some organizations will want to use it for authentication, for authorization, for registration, credential management and so on.  The big IdMaaS picture is one of serving the organizations that employ it – quite different from being an independent hub and following a “hub” business model. 

In this era of the cloud, there are many cloud operators.  Martin Kuppinger has pointed out that “the cloud” is too often vendor-speak for “this vendor's cloud”.  In reality there are “clouds” that will each host services that are premium grade and that other services constructed in different clouds will want to consume.  So we will all need the ability to reach across clouds with complete agility, security and privacy and within a single governance framework.  That's what Identity Management as a Service needs to facilitate, and the Active Directory Service triangle in the diagram above is precisely such a service.  There will be others operated by competitors handling the identity needs of other organizations.  Each of us will need to connect enterprises we serve with those served by our competitors.

This said, I really accept the point that to express this in a diagram we could (and should)  draw it very differently.  So that's something John and I are going to work on over the next few days.  Then we'll get back to you with a diagram that better expresses our intentions.

 

Author: "Kim Cameron"
Date: Monday, 25 Jun 2012 12:02

New generations of digital infrastructure get deployed quickly even when they are incompatible with what already exists.  But old infrastructure is incredibly slow to disappear.   The complicated business and legal mechanisms embodied in computer systems are risky and expensive to replace.  But existing systems can't function without the infrastructure that was in place when they were built…  Thus new generations of infrastructure can be easily added, but old and even antique infrastructures survive alongside them to power the applications that have not yet been updated to employ new technologies.

This persistence of infrastructure can be seen as a force likely to slow changes in Identity Management, since it is a key component of digital infrastructure.

Yet global economic and technological trends lead in the opposite direction. The current reality is one of economic contraction where enterprises and governments are under increasing pressure to produce more with less. Analysts and corporate planners don’t see this contraction as being transient or likely to rebound quickly. They see it as a long-term trend in which organizations become leaner, better focused and more fit-to-purpose – competing in an economy where only fit-to-purpose entities survive.

At the same time that these economic imperatives are shaking the enterprise and governments, the introduction of cloud computing enables many of the very efficiencies that are called for.

Cloud computing combines a number of innovations. Some represent new ways of delivering and operating computing and communications power.  But the innovations go far beyond higher density of silicon or new efficiencies in cooling technologies…  The cloud is ushering in a whole new division of labor within information technology.

Accelerating the specialization of functions

The transformational power of the cloud stems above all else from its ability to accelerate the specialization of functions so they are provided by those with the greatest expertise and lowest costs.

I was making this “theoretical” point while addressing the TSCP conference recently, which brings together people from extremely distributed industries such as aeronautics and defense.  Looking out into the audience I was suddenly struck by something that should have been totally obvious to me.  All the industries represented in that room, except for information technology, had an extensive division of labor across a huge number of parties.  Companies like Boeing or Airbus don't manufacture the spokes on the wheels of their planes, so to speak.  They develop specifications and assemble completed products in cost-effective ways from components manufactured and refined by a whole ecosystem.  They have massively distributed supply chains.  Yet our model in information technology has remained rather pre-industrial, and there are innumerable examples of companies expending their own resources doing things they aren't expert at rather than employing a supply chain.  Part of the reason is the lack of an infrastructure that supports this diversification.  That infrastructure is just arriving now – in the form of the cloud.

Redistributing processes to be most efficiently performed

So technologically the cloud is an infrastructure honed for multi-sourcing – refactoring processes and redistributing them to be most efficiently performed.

The need to become leaner and more fit-to-purpose will drive continuous change.  Organizations will attempt to take advantage of the emerging cloud ecology to substitute off-the-shelf commoditized systems offered as specialized services. When this is not possible they will construct their newly emerging systems in the cloud using other specialized ecosystem services as building blocks.

Given the fact that the best building blocks for given purposes may well be hosted on different clouds, developers will expect to be able to reach across clouds to integrate with the services of their choice. Cloud platforms that don’t offer this capability will die from synergy deficiency.

Technological innovation will need to take place before services will be able to work securely in this kind of loosely coupled world – constituting a high-value version of what has been called the “API Economy”. The precept of the API economy is to expose all functionality as simple and easily understood services (e.g. based on REST) – and allow them to be consumed at a high level of granularity on a pay-as-you-go basis.

In the organizational world, most of the data that will flow through these APIs will be private data. For enterprises and governments to participate in the API Economy they will require a system of access control in which many different applications run by different administrations in different clouds are able to reuse knowledge of identity and security policy to adequately protect the data they handle.  They will also need shared governance.

Specifically, it must be possible to reliably identify, authenticate, authorize and audit across a graph of services before reuse of specialized services becomes practicable and economical and the motor of cloud economics begins to hum.

 

Author: "Kim Cameron"
Date: Thursday, 21 Jun 2012 21:44

The second part of John Shewchuk's blog on Windows Azure Active Directory has been published here.  John goes into more detail about a number of things, focusing on the way it allows customers to hook their Cloud AD into the API Economy in a controlled and secure way.  

Rather than describe John's blog myself I'm going to parrot the blog post that analyst Craig Burton put up just a few hours ago.  I find it really encouraging to see his excitement:  it's the way I feel too, since I also think this is going to open up so many opportunities for innovation, make developing services simpler and make the services themselves more secure and respectful of privacy.  Here's Craig's post:

As a follow up to Microsoft’s announcement of IdMaaS, the company announced the — to be soon delivered — developer preview for Windows Azure Active Directory (WAzAD). As John Shewchuk puts it:

The developer preview, which will be available soon, builds on capabilities that Windows Azure Active Directory is already providing to customers. These include support for integration with consumer-oriented Internet identity providers such as Google and Facebook, and the ability to support Active Directory in deployments that span the cloud and enterprise through synchronization technology.

Together, the existing and new capabilities mean a developer can easily create applications that offer an experience that is connected with other directory-integrated applications. Users get SSO across third-party and Microsoft applications, and information such as organizational contacts, groups, and roles is shared across the applications. From an administrative perspective, Windows Azure Active Directory provides a foundation to manage the life cycle of identities and policy across applications.

In the Windows Azure Active Directory developer preview, we added a new way for applications to easily connect to the directory through the use of REST/HTTP interfaces.

An authorized application can operate on information in Windows Azure Active Directory through a URL such as:

https://directory.windows.net/contoso.com/Users('Ed@Contoso.com')

Such a URL provides direct access to objects in the directory. For example, an HTTP GET to this URL will provide the following JSON response (abbreviated for readability):

{ "d": {
    "Manager": { "uri": "https://directory.windows.net/contoso.com/Users('User…')/Manager" },
    "MemberOf": { "uri": "https://directory.windows.net/contoso.com/Users('User…')/MemberOf" },
    "ObjectId": "90ef7131-9d01-4177-b5c6-fa2eb873ef19",
    "ObjectReference": "User_90ef7131-9d01-4177-b5c6-fa2eb873ef19",
    "ObjectType": "User",
    "AccountEnabled": true,
    "DisplayName": "Ed Blanton",
    "GivenName": "Ed",
    "Surname": "Blanton",
    "UserPrincipalName": "Ed@contoso.com",
    "Mail": "Ed@contoso.com",
    "JobTitle": "Vice President",
    "Department": "Operations",
    "TelephoneNumber": "4258828080",
    "Mobile": "2069417891",
    "StreetAddress": "One Main Street",
    "PhysicalDeliveryOfficeName": "Building 2",
    "City": "Redmond",
    "State": "WA",
    "Country": "US",
    "PostalCode": "98007" }
}

Having a shared directory that enables this integration provides many benefits to developers, administrators, and users. If an application integrates with a shared directory just once—for one corporate customer, for example—in most respects no additional work needs to be done to have that integration apply to other organizations that use Windows Azure Active Directory. For an independent software vendor (ISV), this is a big change from the situation where each time a new customer acquires an application a custom integration needs to be done with the customer’s directory. With the addition of Facebook, Google, and the Microsoft account services, that one integration potentially brings a billion or more identities into the mix. The increase in the scope of applicability is profound. (Highlighting is mine – Craig).

Now that’s What I’m Talking About

There is still a lot to consider in what an IdMaaS system should actually do, but my position is that just the little bit of code reference shown here is a huge leap for usability and simplicity for all of us. I am very encouraged. This would be a major indicator that Microsoft is on the right leadership track to not only providing a specification for an industry design for IdMaaS, but also is well on its way to delivering a product that will show us all how this is supposed to work.

Bravo!

The article goes on to make commitments on support for OAuth, Open ID Connect, and SAML/P. No mention of JSON Path support but I will get back to you about that. My guess is that if Microsoft is supporting JSON, JSON Path is also going to be supported. Otherwise it just wouldn’t make sense.

JSON and JSON Path

The API Economy is being fueled by the huge trend of accessibility of organizations' core competence through APIs. Almost all of the API development occurring in this trend is based on a RESTful API design with data being encoded in JSON (JavaScript Object Notation). While JSON is not a new specification by any means, it is only in the last 5 years that JSON has emerged as the preferred — in lieu of XML — data format. We see this trend only becoming stronger.

[Craig presents a table comparing XPath to XML - look at it here.]

Summary

As an industry, we are completely underwater in getting our arms around a workable — distributed and multi-centered identity management metasystem — that can even come close to addressing the issues that are already upon us. This includes the Consumerization of IT and its subsequent Identity explosion. Let alone the rise of the API Economy. No other vendor has come close to articulating a vision that can get us out of the predicament we are already in. There is no turning back.

Because of the lack of leadership (the crew that killed off Information Cards) in the past at Microsoft about its future in Identity Management, I had completely written Microsoft off as being relevant. I would have never expected Microsoft to gain its footing, do an about face, and head in the right direction. Clearly the new leadership has a vision that is ambitious and in alignment with what is needed. Shifting with this much spot on thinking in the time frame we are talking about (a little over 18 months) is tantamount to turning an aircraft carrier 180 degrees in a swimming pool.

I am stunned, pleased and can’t wait to see what happens next.
 

I think it goes without saying that “turning an aircraft carrier 180 degrees in a swimming pool” is a fractal mixed metaphor of colossal and recursive proportions that boggles the mind – yet there is more than a little truth to it.  In fact that's really one of the things the cloud demands of us all.

Craig's question about JSON Path is a good one.  The answer is that JSON Path is essentially a way of navigating and extracting information from a JSON document.  WAzAD's Graph API returns JSON documents and if they are complex documents we expect programmers will use JSON Path – which they already know – to extract specific information.  It will be part of their local programming environment on whatever device or platform they are issuing a query from.

On the other hand, one can imagine supporting JSON Path queries in the RESTful interface itself.  Suppose you have a JSON document with many links to other JSON documents.  Do you then support “chaining” on the server so it follows the links for you and returns the distributed JSON Path result?  The problem with this approach is that a programming model we want to be ultra-simple and transparent for the programmer turns into something opaque that can have many side effects, become unpredictable and exhibit performance issues.  As far as I know, the social network APIs that are most sophisticated in their use of links don't support this.  They just get the programmer to chase the links that are of interest.

So for these reasons server support is something we have talked about but don't yet have a position on.  This is exactly the kind of thing we'd like to explore by collaborating with developers and getting their input.  I'd also like to hear what other people have experienced in this regard.
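To make the two points above concrete (the REST/HTTP access to directory objects in John's post, and the client-side JSON Path and link-chasing question just discussed), here is an added example in Python. It is not code from John's post or from the Windows Azure Active Directory preview: only the base address and the Users('…') URL shape come from the post, while the bearer-token header, the key-encoding rule, the offline directory contents, the manager record (disabled, and linking back to Ed to form a cycle) and the placeholder ObjectId are constructed assumptions of this example. The dotted-path extractor stands in for a real JSON Path library, and follow_links shows the depth limit and cycle check that any server-side "chaining" would have to impose, which is exactly what makes chaining hard to keep simple and predictable.

```python
import json
from typing import Any, Callable, Dict, List, Optional
from urllib.parse import quote
from urllib.request import Request, urlopen

# The base address and the Users('...') form come from John's post; everything else
# in this example (header names, the offline directory, the manager record) is constructed.
DIRECTORY_BASE = "https://directory.windows.net"


def build_user_url(tenant: str, upn: str) -> str:
    """Address one user object. The key is percent-encoded so a caller-supplied UPN
    cannot inject quotes or path separators into the address (the post shows only the
    URL shape, so the exact key syntax the service accepts is an assumption)."""
    return f"{DIRECTORY_BASE}/{quote(tenant, safe='')}/Users('{quote(upn, safe='@')}')"


def http_get_json(url: str, bearer_token: str) -> Dict[str, Any]:
    """Live fetch (not exercised offline). Assumes an OAuth-style bearer token, which the
    post does not specify; it only says the application must be authorized."""
    req = Request(url, headers={"Authorization": f"Bearer {bearer_token}",
                                "Accept": "application/json"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


def extract(doc: Any, path: str) -> Any:
    """Minimal JSON Path-style lookup for paths like '$.d.Manager.uri'; stands in for a
    real JSON Path library. Returns None when any step is missing."""
    if not path.startswith("$"):
        raise ValueError("path must start with '$'")
    cur = doc
    for step in path[1:].split("."):
        if not step:
            continue
        if not isinstance(cur, dict) or step not in cur:
            return None
        cur = cur[step]
    return cur


def follow_links(start_url: str, link_path: str,
                 fetch: Callable[[str], Optional[Dict[str, Any]]],
                 max_depth: int = 3) -> List[str]:
    """Chase a navigation link client-side. The depth limit and the cycle check are the
    guards a server-side 'chaining' feature would also need; without them a chain of
    links is unbounded. Returns the object URLs visited, in order."""
    visited: List[str] = []
    seen = set()
    url: Optional[str] = start_url
    while url and len(visited) < max_depth and url not in seen:
        seen.add(url)
        doc = fetch(url)
        if doc is None:
            break
        visited.append(url)
        url = extract(doc, link_path)
    return visited


def account_is_enabled(doc: Dict[str, Any]) -> bool:
    """A consuming application should act on AccountEnabled rather than treat the mere
    existence of a directory record as an active, authorized user."""
    return extract(doc, "$.d.AccountEnabled") is True


ED_URL = build_user_url("contoso.com", "Ed@Contoso.com")

# Constructed offline stand-in for the directory. Ed's record follows the shape of the
# abbreviated response in the post; the manager record, its disabled state and its link
# back to Ed (a cycle) are invented to exercise the guards above.
FAKE_DIRECTORY: Dict[str, Dict[str, Any]] = {
    ED_URL: {"d": {
        "Manager": {"uri": ED_URL + "/Manager"},
        "MemberOf": {"uri": ED_URL + "/MemberOf"},
        "ObjectId": "90ef7131-9d01-4177-b5c6-fa2eb873ef19",
        "ObjectType": "User",
        "AccountEnabled": True,
        "DisplayName": "Ed Blanton",
        "UserPrincipalName": "Ed@contoso.com",
        "JobTitle": "Vice President",
        "Department": "Operations",
    }},
    ED_URL + "/Manager": {"d": {
        "Manager": {"uri": ED_URL},
        "ObjectId": "00000000-0000-0000-0000-000000000001",  # placeholder id
        "ObjectType": "User",
        "AccountEnabled": False,
        "DisplayName": "Example Manager",
        "UserPrincipalName": "manager@contoso.com",
    }},
}


def fake_fetch(url: str) -> Optional[Dict[str, Any]]:
    """Offline replacement for http_get_json; returns None for unknown addresses."""
    return FAKE_DIRECTORY.get(url)
```

Swapping `fake_fetch` for a closure over `http_get_json` is all that changes for a live directory; the extraction and link-chasing logic stays on the client, which is the programming model the post argues for.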

 

Author: "Kim Cameron"
Date: Tuesday, 19 Jun 2012 08:48

It was a remarkable day at the annual conference of the Digital Enlightenment Forum in Luxembourg.  The Forum is an organization that has been set up over the last year to animate a dialog about how we evolve a technology that embodies our human values.  It describes its vision this way:

The DIGITAL ENLIGHTENMENT FORUM aims to shed light on today’s rapid technological changes and their impact on society and its governance. The FORUM stimulates debate and provides guidance. By doing so, it takes reference from the Enlightenment period as well as from transformations and evolutions that have taken place since. It examines digital technologies and their application openly with essential societal values in mind. Such values might need to be given novel forms taking advantage of both today’s knowledge and unprecedented access to information.

For the FORUM, Europe’s Age of Enlightenment in the 18th century serves as a metaphor for our current times. The Enlightenment took hold after a scientific and technological revolution that included the invention of book printing, which generated a novel information and communication infrastructure. The elite cultural Enlightenment movement sought to mobilise the power of reason, in order to reform society and advance knowledge. It promoted science and intellectual interchange and opposed superstition, intolerance and abuses by the church and state. (more)

The conference was intended to address four main themes:

  • What can be an effective organisation of governance of ICT infrastructure, including clouds? What is the role of private companies in relation to the political governance in the control and management of infrastructure? How will citizens be empowered in the handling of their personal data and hence in the management of their public and private lives?
  • How do we see the relation between technology and jurisdiction? Can we envisage a techno-legal ecosystem that ensures compliance with law (‘coded law’), and how can sufficient political control be ensured in a democratic society?
  • What are the consequences for privacy, freedom and creativity of the massive data collection on behaviour, location, etc. by private and public organisations and their use through mining and inferencing for profiling and targeted advertising?
  • What needs to be done to ensure open discussion and proper political decision-making to find an appropriate balance between convenience of technology use and social acceptability?

The day was packed with discussions that went beyond the usual easy over-simplifications.  I won't try to describe it here but will post the link to the webcast when it becomes available.

One of the highlights was a speech by Mme Viviane Reding, the Vice President of the European Union (who also serves as commissioner responsible for Justice, Fundamental Rights and Citizenship) about her new proposed Data Protection legislation.  Speaking later to the press she emphasized that the principle of private data belonging to the individual has applied in the European Union since 1995, and that her new proposals are simply a continuation along three lines.  First, she wants users to understand their rights and get them enforced; second she is trying to provide clarity for companies and reduce uncertainty about how the data protection laws will be applied; and third, she wants to make everyone understand that there will be sanctions.  She said,

“If you don't have sanctions, who cares about the rules?  Who cares about the law?”

And the sanctions are major:  2% of world-wide turnover of the company.  Further they apply to all companies, anywhere in the world, that collect information from Europeans.

I very much recommend that everyone involved with identity and data protection read her speech, “Outdoing Huxley: Forging a high level of data protection for Europe in the brave new digital world”.

In my view, the sanctions Mme Reding proposes will, from the point of view of computer science, be meted out as corrections for breaking the Laws of Identity.  John Fontana asked me about this very dynamic in an article he did recently on the relevance of the Laws of Identity seven years after they were written (2005).

ZDNet: The Laws of Identity predicted that government intervention in identity and privacy would increase, why is that happening now?

Cameron: There are many entities that routinely break various of these identity laws; they use universal identifiers, they collect information and use it for different purposes than were intended, they give it to parties that don’t have rights to it, they do it without user control and consent. You can say that makes the Laws irrelevant. But what I predicted is that if you break those Laws there will be counter forces to correct for that. And I believe when we look at recent developments – government and policy initiatives that go in the direction of regulation – that is what is happening. Those developments are providing the counter force necessary to bring behavior in accordance with the laws. The amount of regulation will depend on how quickly entities (Google, Facebook, etc.) respond to the pressure.

ZDNet: Do we need regulation?

Cameron: It’s not that I am calling for regulation. I am saying it is something people bring upon themselves really. And they bring it on themselves when they break the Laws of Identity.

     

Author: "Kim Cameron"
Date: Tuesday, 19 Jun 2012 07:30

The First Generation Identity Ecosystem Model

The biggest problem of the “domain based model of identity management” was that it assumed each domain was an independent entity whose administrators had complete control over the things that were within it – be they machines, applications or people.

During the computational Iron Age – the earliest days of computing – this assumption worked.

But even before the emergence of the Internet we began to see domains colliding within closed organizational boundaries – as discussed here.  The idea of organizations having an “administrative authority” revealed itself to be far more complicated than anyone initially thought, since enterprises were evolving into multi-centered things with autonomous business units experiencing bottoms-up innovation. The old-fashioned bureaucratic models, probably always somewhat fictional, slowly crumbled.

Many of us who worked on IT architecture were therefore already looking for ways to transcend the domain model even before the Internet began to flood the enterprise and wear away its firewalls. Yet the Internet profoundly shook up our thinking. On the one hand organizations began to understand that it was now possible – and in fact mandatory – to interact with people as individuals and citizens and consumers. And on the other any organization that rolled up its sleeves and got to work on this soon saw that it needed a model where it could “plug in” to systems run by partners and suppliers in seamless and flexible ways.

With increasing experience enterprise and Internet architects concluded that standardization of identity architecture and components was the only way to achieve the flexibility essential for business agility, whether inside or outside the firewall. It simply wasn’t viable to recode or “change out” systems every time organizations were realigned or restructured.

Technologists introduced new protocols like SAML that implemented a clear separation of standardized identity provider (IdP) and relying party (RP) roles so components would no longer be hard-wired together. In this model, when users want a service the service provider sends them to an IdP which authenticates them and then returns identifying information to the service provider (an RP within the model).  All the CRUD is performed by the IdP which issues credentials that can be understood and trusted by RPs.  It is a formal division of labor – even in scenarios where the same “Administrative Domain” runs both the IdP and the RP.

The increasing need for inter-corporate communications, data-sharing and transactions led these credentials to become increasingly claims-based, which is to say the hard dependencies on internal identifiers and proprietary sauce that only made sense inside one party’s firewall gave way to statements that could be understood by unrelated systems. This provided the possibility of making assertions about users that could be understood in spite of crossing enterprise boundaries. It also allowed strategists to contemplate outsourcing identity roles that are not core to a company’s business (for example, the maintenance of login and password systems for retirees or consumers).
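The IdP/RP division of labor and the claims-based credentials described in the two paragraphs above, as an added example that is not from this post (it also illustrates the earlier post's requirement to identify, authenticate, authorize and audit across service boundaries): the relying party redirects the user to the identity provider, the IdP authenticates the user and issues a signed assertion carrying claims, and the RP verifies signature, issuer, audience, request binding and validity window before deciding access on the claims rather than on the IdP's internal identifiers. SAML carries XML-signed assertions verified with the IdP's public key; this example signs a JSON payload with an HMAC over a constructed shared key so it runs on the Python standard library alone. The hostnames, key, user, claims and request id are all constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, List, Optional
from urllib.parse import urlencode

# Constructed parties and key. SAML uses XML-DSig with the IdP's public key; an HMAC over
# a JSON payload with a shared secret stands in here so the example has no dependencies.
IDP_ISSUER = "https://idp.example.test"
IDP_LOGIN_URL = IDP_ISSUER + "/sso"
RP_AUDIENCE = "https://rp.example.test/acs"
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def rp_build_login_redirect(request_id: str) -> str:
    """RP, step 1: the service provider sends the user to the IdP, saying which party
    the assertion is for and which login request it should answer."""
    return IDP_LOGIN_URL + "?" + urlencode({"audience": RP_AUDIENCE, "request_id": request_id})


def idp_issue_assertion(subject: str, claims: Dict[str, Any], audience: str,
                        request_id: str, now: int, ttl: int = 300) -> str:
    """IdP, step 2: after authenticating the user (out of scope here) issue a signed
    assertion. The claims are statements any RP can interpret (department, groups),
    not the IdP's internal record identifiers."""
    payload = {"iss": IDP_ISSUER, "sub": subject, "aud": audience, "in_response_to": request_id,
               "iat": now, "exp": now + ttl, "claims": claims}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def rp_verify_assertion(token: str, expected_request_id: str, now: int) -> Dict[str, Any]:
    """RP, step 3: check signature, issuer, audience, request binding and validity window
    before trusting anything in the assertion. Raises ValueError on any failure."""
    body, sep, sig = token.rpartition(".")
    if not sep:
        raise ValueError("malformed assertion")
    expected_sig = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected_sig):
        raise ValueError("bad signature")
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload.get("iss") != IDP_ISSUER:
        raise ValueError("unknown issuer")
    if payload.get("aud") != RP_AUDIENCE:
        raise ValueError("assertion issued for a different relying party")
    if payload.get("in_response_to") != expected_request_id:
        raise ValueError("assertion does not answer this login request")
    if not (payload["iat"] <= now < payload["exp"]):
        raise ValueError("assertion outside its validity window")
    return payload


def rp_rejection_reason(token: str, expected_request_id: str, now: int) -> Optional[str]:
    """The verifier's failure reason, or None when the assertion is accepted."""
    try:
        rp_verify_assertion(token, expected_request_id, now)
    except ValueError as exc:
        return str(exc)
    return None


def rp_authorize(payload: Dict[str, Any], required_group: str,
                 audit: List[Dict[str, Any]]) -> bool:
    """RP, step 4: decide on claims, so the same rule works whichever IdP (internal or
    outsourced) issued the assertion, and record the decision for audit."""
    allowed = required_group in payload["claims"].get("groups", [])
    audit.append({"subject": payload["sub"], "issuer": payload["iss"],
                  "required_group": required_group, "decision": allowed})
    return allowed


def demo(now: Optional[int] = None) -> bool:
    """Run the whole exchange for a constructed user and return the access decision."""
    now = int(time.time()) if now is None else now
    request_id = "req-0001"  # constructed; a real RP generates an unguessable one per login
    assert rp_build_login_redirect(request_id).startswith(IDP_LOGIN_URL)
    token = idp_issue_assertion("alice@example.test",
                                {"department": "Operations", "groups": ["approvers"]},
                                RP_AUDIENCE, request_id, now)
    payload = rp_verify_assertion(token, request_id, now)  # user returns to the RP with it
    audit: List[Dict[str, Any]] = []
    return rp_authorize(payload, "approvers", audit)
```

The order of checks in rp_verify_assertion matters: nothing in the payload is parsed or trusted until the signature has been verified, and the audience and request-binding checks are what stop an assertion issued for one relying party, or for an earlier login, from being replayed at another.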

Many of the largest companies have successfully set up relations with their most important partners based on this model. Others have wisely used it to restructure their internal systems to increase their flexibility in the future. The model has represented a HUGE step forward and a number of excellent interoperable products from a variety of technology companies are being deployed.

Yet in practice, most organizations have found federation hard to do. New technology and ways of doing things had to be mastered, and there was uncertainty about liability issues and legal implications.  These difficulties grow geometrically for organizations that want to establish relationships with a large number of other organizations.  Establishing configuration and achieving secure connectivity is hard enough, but keeping the resultant matrix of connections reliable in an operational sense can be daunting and is therefore seen as a real source of risk.

When it came to using the model for internet facing consumer registration, service providers observed that individual consumers use many different services and have accounts (or don’t have accounts) with many different web entities. Most concluded that it would be a gamble to switch from registering and managing “their own users” to figuring out how to successfully reuse peoples’ diverse existing identities. Would they confuse their users and lose their customers? Could identity providers be trusted as reliable? Was there a danger of losing their customer base? Few wanted to find out…

As a result, while standardized architecture makes identity management systems much more pluggable and flexible, the emergence of an ecosystem of parties dedicated to specialized roles has been slow. The one notable entity that has gained some momentum is Facebook, although it has not so much replaced internet-facing registration systems as supplemented them with additional information (claims).

[Next in this series: Disruptive Forces: The Economy and the Cloud]

Author: "Kim Cameron"
Date: Thursday, 14 Jun 2012 08:14

I want to return to Nishant's concerns with the way I've presented IdMaaS:

What I was surprised to find missing from Kim’s and Craig’s discussion about IdMaaS were the governance controls one needs in identity management (and therefore IdMaaS) – like approval workflows, access request and access recertification. In other words, those crucial business tools in identity management that have led many analysts and vendors (including me) to repeat on stage many, many times that “Identity Management is about process, not technology”. And this is the part that makes identity management, and therefore IdMaaS, really hard, as I alluded to in my talk about ‘Access Provisioning in a Services World’ at Catalyst a couple of years ago.

Let me begin by saying I agree completely with Nishant about the importance of governance.  In fact, in my first blog about IdMaaS I highlighted two fundamental aspects of IdMaaS and digital identity as being:

• confidential auditing; and
• assurance of compliance.

I also agree with him on the urgent requirement for “approval workflows, access request and access recertification.”  I believe we need identity and access process control.

I'm therefore surprised about the confusion on whether or not I think governance is important, but I'm glad to get this cleared up right at the beginning.

Let me explain what I had in mind as a way to achieve some depth in this discussion.  It seemed to me we need to decompose the overall service capabilities, rather than trying to discuss “everything simultaneously”.  I started by trying to talk about the IdM models that have led us to the current point in time, in order to set the stage for the exploration of the new emerging model of Identity Management as a Service and its capabilities, as illustrated in this graphic:

Composable capabilities of IdMaaS

Now my point here is not to argue that this graphic captures all the needed IdMaaS capabilities – it's very much a work in progress.  It is simply that, when you look at the whole landscape, you see there are a number of areas that warrant real discussion in depth…  My conclusion was that we will only succeed at this by looking at things one at a time.

The point can be made, and perhaps this is what Nishant was saying, that governance applies to everything.  I accept that this is true, but governance can still be factored out for purposes of discussion.  I think we'll achieve more clarity if that's what we do.  For one thing, it means we can dive more deeply into governance itself.

Let me know if this decompositional approach seems wrong-headed and we should just have a free-for-all where we discuss everything as it relates to everything else.  I agree that this can be interesting too.

That said, I want to take up some of the points Nishant makes when talking about governance in the Domain Identity Model.

In…  ‘Identity management before the cloud (part one)’, Kim says “In the domain paradigm identity management was thought to be the CRUD and little more.” But that is not true. What made identity management so hard and expensive was the need to supplement the CRUD features with a governance layer that included policy and process to manage over the entirety of the identity management infrastructure. The responsibility for this was early on thrust upon the provisioning products like Thor Xellerate and Waveset, and later on spawned more specialized handling in IAG products like Sailpoint and Aveksa. Kim alludes to these when he says “A category of Identity Management integration products arose … often brittle point products and tools that could only be deployed at high cost by skilled specialists”. That’s accurate, but not because they were pointless or overhead or overkill. These products were difficult to deploy and needed customization because it wasn’t well understood how to introduce the controls needed in IAM in a manner that was practical and usable. And it was always assumed that every customer would demand unique business processes, so the approach was a toolkit approach rather than a solution approach.

Reading this, I hold even more strongly than before to the statement that the Domain Model was about CRUD and absolute control by The Domain.  The fact that businesses required governance is historically true but doesn't change the way Domains were conceptualized, built and sold by everyone in the industry.  So I agree with Nishant about the importance of governance but don't think this changes the essence of what domains actually were.

For at least several decades computer governance was provided as an outcome of security analysts configuring domain based systems to implement a variety of well-known techniques (physical security, separation of duties, multiple approvers and the like) in order to satisfy business objectives and comply with normative standards prevalent in the industries and national or geographical jurisdictions.

I'm sure many of us witnessed the calisthenics of colleagues in banks and financial institutions, who, as security officers, figured out how to use mainframes and LANs in both their nascent and more evolved forms to be effective at this.  I know I used to marvel at some of what they accomplished.

We are talking about a time when governance wasn't synonymous with government regulation. Governance was more or less orthogonal to the way products were built by the industry.  Domain products could be used in ways that accorded with asset protection requirements if the right expertise was present to set the systems up to achieve these ends.  And on a pessimistic note, has so much really changed in this regard since then?

Many of the provisioning concepts that appeared in products like Waveset and Xellerate appeared earlier in products like ZOOMIT VIA and Metamerge.  But those, like Waveset, Xellerate and Aveksa, were actually, in my view, “post-domain” products that attempted a holistic solution working across product boundaries.

Still, while being post-domain in some ways (e.g. meta), they continued to require extensive manual intervention by security experts to coax “compliant” behaviors out of them, and this intervention was embodied in detailed configurations and scripts dependent on the behaviors of underlying products.  This meant they were often fragile: if the underlying products were upgraded, for example, they might no longer be compatible with the framework intended to manage them.

Nishant goes on to say,

And an IdMaaS architecture as alluded to by Kim and illustrated by Craig in this diagram just makes the solving of this problem more difficult and even more critical due to the zero trust environment. Since the identities have not been created and are not controlled by the organization that needs to make the access decisions, approval and review controls become even more important because they’re all the enterprise has. The ability to de-provision access based on events or manual intervention becomes a crucial component of access lifecycle management. These are the safety measures the organization needs to put in place for security and compliance.

I agree the ability to de-provision is key and in fact it is key to what we will be delivering.  On the other hand, Nishant's conclusion that “the [IdMaaS] architecture… must make the solving of this problem more difficult… due to the zero trust environment” is I think absolutely unfounded.  As I will show when we go through the requirements for IdMaaS, Trust Frameworks are a necessity, and I know of few Trust Frameworks that are based on “zero trust”.

There is a bit too much flailing at paper tigers for me to take all of this apart in a single post.  Let's take a deep breath and delve systematically both into requirements and the details of what is being proposed in WAzAD.

     

Author: "Kim Cameron"
Date: Monday, 11 Jun 2012 16:41

    I am happy to see that Nishant Kaushik (@NishantK)  has responded to the posts I’ve been doing on IdMaaS.  Nishant has strong ideas, having led product architecture and strategy within the Identity Management & Security Products group at Oracle for many years.  Nowadays he is with a startup called Identropy and writes the blog TalkingIdentity.

    Nishant’s main concern in his first post was that I’ve gone as far as I have without discussing the importance of governance controls.  I’m going to save this issue for my next piece, since Nishant also ended up in a spirited conversation with Craig Burton that is really worth following.  He wrote:

    Craig Burton thinks that this vision, and the associated work Microsoft is doing on Windows Azure Active Directory (as described in this post by John Shewchuck) is “profoundly innovative”. I’ll be honest, I’m having a little trouble seeing what is so innovative about WAAD itself. How is the fact that becoming an Office 365 customer automatically gives you an AD in the cloud that you can build/attach other Azure applications to that different from Oracle saying that deploying a Fusion Application will include an OUD based identity store that the enterprise can also use for other applications? Apart from being in the cloud and therefore far easier to use in federated identity (SAML, OpenID, OAuth) scenarios. But I’ll wait to hear more before commenting any further (though John Fontana and others have already weighed in).

    Craig Burton, as is his trademark, includes a few lightning bolts in his response:

    Nishant must not have read my post very carefully. In my explanation of why Microsoft’s vision for IDMaaS is so profound, he failed to notice that I never once mentioned WAAD (Windows Azure Active Directory) or Office 365. There is a reason for that. I am not applauding Microsoft’s — or any other vendor’s — implementation of IDMaaS.

    What is so profound about this announcement is that Microsoft is following Kim Cameron’s directives for building a Common Identity Framework for the planet, not just for a vendor.

    In 2009 Kim Cameron, Reinhard Posch and Kai Rannenberg wrote Proposal for a Common Identity Framework: A User-Centric Identity Metasystem.

    In section 5.4 of that document, the authors spell out the requirement for customer Freedom of Choice.

    Freedom of Choice

    Freedom of choice for both users and relying parties refers to choice of service operators they may wish to use as well as to the interoperability of the respective systems.

    This definition is quite different than the freedom of choice Mr. Kaushik writes about in his blog piece. I posit that the Microsoft vision is so profound because it is built on a definition of Freedom of Choice that fits the above description and not where the customer is free to choose a particular captor.

    And so I state again:

    Freedom of Choice != Your Choice of Captor

    Microsoft’s vision has changed the playing field. Any vendor building IdMaaS that is not meeting the Freedom of Choice requirements defined here is no longer in the game. That is profoundly innovative because this is truly a vision that benefits everyone — but mostly the customer.

    With these remarks Craig starts really getting to the bare bones of what it takes to be trusted  to manage identity for enterprises and governments. 

    It didn’t take long before Nishant fired off a second dispatch accepting Craig’s points and clarifying what he saw as the real issues:

    I want to be clear: I am not questioning the vision that Kim Cameron has started to talk about in his posts about IDMaaS (though I was bringing up a part – the governance controls – that I felt was missing and that I believe has a major impact on the architecture of a Common Identity Framework, as Craig called it). And I am completely in agreement with what Craig described in his original post in the section “Stop Gushing and Lay it Out for Me”.

    Craig talks about how Freedom of Choice necessarily includes Freedom from Captor. He then says “This definition is quite different than the freedom of choice Mr. Kaushik writes about in his blog piece“.  I’m not sure why he thinks that, because what I am saying is exactly in line with what Craig and Kim are saying. It is what I have been saying since back in 2006 when I first started talking about the Identity Services Platform, which talks about the framework through which identity-enabled applications (essentially any application) consume identity from standardized services that can plug into any identity system or metasystem.

    What I was pointing out was that John Shewchuk’s post about WAAD seemed to indicate a lack of Freedom of Choice in what Microsoft is rolling out, at least right now. Becoming an Office 365 customer would “automatically create a new Windows Azure Active Directory that is associated with the Office 365 account“, forcing you to store and manage your identities in WAAD.  It should simply ask for the domain from which users could use this, and you could simply point to the Google Apps domain of your company, sign up for WAAD if needed, or grant access to contractors/partners using whatever identity they choose (traditional AD environment, Facebook or Twitter accounts, even personal OpenIDs). By the way, the governance controls I was talking about are essential here in order to define the process of granting, managing and taking away access in this deployment model.

    When I said “I’m having a little trouble seeing what is so innovative about WAAD itself”, I was pointing out my opinion that the details in John’s post did not seem to match up with the vision being outlined in Kim’s post, representing the kind of disconnect that Craig himself called out as a risk at various times in his post, but most notably in the section titled Caveats. I guess I’m not quite ready to make the leap that Microsoft’s work will line up Kim’s vision, and was calling out the disconnect I was seeing. And when Craig said “Microsoft is not only doing something innovative – but profoundly innovative”, I assumed he was talking about WAAD and related work, and not just referring to what Kim is talking about.

    Nishant goes on to give more examples of how he thinks Office 365 could be implemented.  I won’t discuss those at this point since I think we should save our implementation discussions for later.  First we need a more thorough conversation about what IdMaaS actually involves given all the changes that are impacting us.  It is these definitions that must lead to implementation considerations.  I hope Nishant will bear with me on this so we can continue the discussion begun so far.

    I also want, in deference to Nishant and others who may have similar concerns, to make a few remarks on what we have rolled out right now.  I want to be really clear that while I think we already do a number of things really well and in a robust way at very high scale, there are all kinds of things we still don’t do that form an integral part of our vision for what must be done.  Anyone who says they can do all that is needed just doesn’t, in my view, have a vision.

    On the other hand, I hope we can steer clear of overly simplified recipes for what complicated offerings like Office 365 require as identity management.  For example, applications like Office need directories and places to store information about people in them, and nowhere is it written in stone that this should be done by sending realtime queries to dozens or thousands of systems.  Enterprise users want directory lookup that is as fast and reliable when served from the cloud as it is on premises.  And so on.  My point here is not to argue for one solution versus another, but to invite Nishant and others who may be interested to zero in on the broad set of requirements before getting overly committed to possible ways of meeting them.


    Author: "Kim Cameron" Tags: "Identity, Identity Management, Identity ..."
    Date: Wednesday, 06 Jun 2012 08:58

    Since identity is a fundamental requirement of computing infrastructure, organizations have been involved in digital identity management for decades.  Over the years, three models have emerged and co-existed.  Of course I’m tempted to skip the history and jump headfirst into what’s new and fresh today.  But I think it is important to begin by reviewing the earlier models so we can get crisp about how the IdMaaS model differs from what has gone before. (Some day people who want to skip the previous models will be able to click here.)

    Firewall Era Identity Model

    Domain boundaries

    Enterprise identity technology evolved incrementally from mainframe days using the concept of administrative and security “domains”: collections of resources tightly integrated under a single, closed organizational administration.

    To control access to networks, computers, applications and information stores, it was necessary to identify them and recognize their legitimate users – whether people or software services. This required registration systems – often called directories – through which human and non-human identity records could be created, retrieved, updated and deleted (CRUD). In the domain paradigm identity management was thought to be the CRUD and little more.

    While closed administrative domains were simple in theory, business requirements drove enterprises to adopt an assortment of unrelated internal systems and applications. Most came with their own independent user directories. Enterprises ended up with hundreds of different systems that had to be administered independently and would soon diverge.

    With the advent of network PCs, we began to see Network Operating System domains that were collections of PCs working in conjunction with servers.  Banyan’s StreetTalk and Novell’s Netware were both game-changing products that introduced a LAN directory coupled with identity management and authentication capabilities, but over time Active Directory achieved predominance as the administrative and security domain for PC users and applications. These products greatly simplified management of personal computers but the plethora of specialized business systems remained.  In fact some enterprises ended up with multiple Active Directories.

    A category of Identity Management integration products arose as a response to these problems: a dizzying array of often brittle point products and tools that could only be deployed at high cost by skilled specialists. They generally had to be customized to the point of being one-off solutions that paradoxically made the legacy even harder for customers to unravel.

    In retrospect the most striking characteristic of the domain based model is that each domain spoke with absolute authority.  It named things and asserted their attributes.  The machines, services and administrators that were part of the domain took its assertions as being unquestionable.  Trust for the domain was a condition of membership.  There was no need for the evaluation of assertions since they came from the domain and the domain was right by definition.

    Another characteristic was that each domain created identifiers within a namespace it controlled and they  could be used to access the information about domain members and components by any entity the domain authorized.  Systems typically employed a single namespace, and services used the same identifiers that were associated with domain components and users at authentication time.

    In other words, until domains began to collide, it was a pretty simple world.  Conversely, in today’s interconnected and permeable world, most of the assumptions underlying the domain apply only with growing caveats.

    Internet-facing Identity Model

    The explosion of the Internet surrounded the closed enterprise security domains with outward-facing systems aimed at customers and suppliers.

    Once Web usage went beyond public applications like PR and advertising, organizations discovered that to enhance relationships with individual customers – and ultimately do e-Business - they needed ways to register them over the web.   Customers and suppliers were seen as a different category of domain object, but the systems built for them still followed the domain model.  Anything the domain said about its customer or supplier was taken to be true by all the applications in it.

    Consumer and supply chain identity management was most often customized on top of existing business databases that were completely independent from the directories of employees maintained inside the corporate firewall. 

    This created problems in linking employees with customers. In the wake of mergers and acquisitions, companies struggled to deliver a unified experience to customers across multiple business units with diverse origins, and competition drove them to seek more unified identity and resource management services.

    The Identity Management market thus expanded to include products that performed single sign-on and unified access control across a set of colliding domains, accompanied by large expenditures on hand-crafted integration projects.

    Next:  Identity Management before the cloud - the Identity Ecosystem Model

    Author: "Kim Cameron" Tags: "Identity, Identity Management"
    Date: Wednesday, 06 Jun 2012 00:22

    Craig Burton first achieved prominence as the Senior Vice President of Corporate Marketing and Development who drove Novell’s innovation and market strategies in the days when it was aggressively turning computing upside down. Some years later he founded the Burton Group with Jamie Lewis.  Today he is a Distinguished Analyst for Kuppinger Cole, where he just published an intriguing response to the blogs John and I have been doing:  Microsoft is Finally Being Relevant.

    For now I’ll refrain from comment and just offer up the goods:

    Microsoft is Finally Being Relevant
    Surprise surprise. For the last few years it looked as if the battling business units and power struggles within Microsoft had all but rendered the company incapable of doing anything innovative or relevant. But clearly something has happened to change this lack of leadership and apparent stumbling in the dark. Microsoft is not only doing something innovative — but profoundly innovative.

    In a dual post by Microsoft’s John Shewchuk and Kim Cameron, the announcement was made about what Kim Cameron alluded to at the KuppingerCole EIC in April — Identity Management as a Service (IDMaaS). This is not trivial, and does not suck. It ROCKS.
    Why is Identity Management as a Service a Big Deal
    From a technical perspective, the place where innovation really makes a difference is the place where the rubber meets the road — infrastructure. Infrastructure is not only fundamental—as it provides the technical framework and underpinning to support big change — but infrastructure is hard.

    It’s also hard to get funded and hard to sell both outside and inside of companies that make infrastructure.

    This is because there is little possibility of showing a direct ROI in core infrastructure investment. It takes vision and guts to invest in infrastructure.

    Nobody wants to buy identity infrastructure. In fact no one should have to pay for identity infrastructure. It should be ubiquitous, work, and be free to everyone and controlled by no one. Infrastructure at this level is as fundamental as air. You don’t think about it, you don’t buy it; you just breathe it in and out and get on with the details.

    Metaphorically, when it comes to the maturity of identity infrastructure today—we are all sucking on thin air from teeny tubes of infrastructure veneer connected to identity silos (Facebook Connect, Twitter, Federated Identity and so on.)

    It’s much like the other core suite of protocols of the Internet — like TCP/IP. TCP/IP is free as far as a piece of software goes. No one ever pays for the transport anymore.

    So should be the protocols and infrastructure for doing Identity Management.  With this announcement Microsoft is showing that it understands Identity Infrastructure is fundamental to everything in the hybrid world of social-mobile-cloud networking that we are stumbling towards.

    Further, Microsoft is making it clear it understands that the current identity provider-centric world we live in now is broken and simply will not work for the future. Significant movement forward from this wretched state requires massive change — which is what Microsoft is proposing.

    From a political and business perspective, Kim Cameron’s vision of a ubiquitous Identity Metasystem has somehow prevailed inside Microsoft and is starting to emerge. This is a big deal. Finally a company with lots of talent that has been wallowing from lack of leadership has stepped up and put a stake in the ground about Identity. Bravo!

    Everybody else of significance that could be doing something significant with identity infrastructure — Google, Facebook, and Amazon for starters — are trapped in their current business models of trafficking your identity for short term profit. For each of them, the little piece they hold captive of your identity is the product by which they are making money. This is both short sighted and unsustainable.

    Microsoft’s plan is much grander. Invest in the hard stuff, solve the really tough identity infrastructure problems across the board—simple, private, and scalable. By taking this high road, Microsoft is betting it can take the leadership role by increasing the size of the pie for other SaaS services and apps that organizations and individuals want and are willing to pay for. Much more visionary that continuing to fight over whatever crumb you can get based on the current broken model.

    If Microsoft is allowed to pull this off, it is a good thing.
    Stop Gushing and Lay it Out for Me
    To understand the significance of IDMaaS, it’s useful to take a quick look at how identity management systems have evolved.

    Figure 1 shows how identities started out being managed within the boundaries of a domain. Domain-based identity management need hardly be mentioned here as it can’t possibly meet any of the requirements for identity management in today’s organizational environments. For its day, it worked and it was a good place to start.

    Figure 1: Domain Contained Identity

    Figure 2 illustrates the first generation of federated identity management systems. This is a powerful model and was a big step forward from the domain model. In this model there is a service provider that accepts claims from an identity provider. A person can then prove who they are to the identity provider and present claims to the service provider to assure proper access to services and resources. This model works when there is a relatively small number of parties involved. But as soon as there is a diverse number of parties, it quickly breaks down.

    Figure 2: Identity Federation Model

    Figure 3 shows the scenario with diverse people with diverse relationships with different IPs. When you add diverse and numerous types of devices — cell phones, tablets, laptops and so on — it even makes the case stronger as to why the current federated identity model is reaching its limits.


    Figure 3: Diverse People and Devices

    So if the Federated Identity model doesn’t work, what will? Figure 4 shows one school of thought where a single IP can somehow grow big enough and inclusive enough, it can manage all of the identity claims of all entities. This architecture is both frightening and poorly thought out. People and organizations need to have the freedom of choice of how their identities are managed and not be locked into an identity management silo of a single provider.

    Figure 4: Omni Identity Provider

    Figure 5 is another — simpler — graphic showing how a single organization could have federated relationships with multiple constituents. Again, this approach works to a point, but as soon as you consider the impact of the identity explosion brought on by — cloud computing, social computing, mobile computing, and the API economy — this approach simply won’t do the job.

    Figure 5: Organization Federated to Many Constituents

    Figure 6 then, shows the simplified notion of the IDMaaS architecture. Any number of organizations, constituents or entities can generate and consume claims through the service in the cloud.

    Figure 6: Any Entity and Any Number of Entities

    Of course Figure 6 doesn’t very effectively illustrate what the three black dots really mean. With the identity explosion we are talking about, the number of entities that are inevitable are several orders of magnitude bigger than anything we have even thought about up to this point.

    We are in new territory, it is very unclear what is going to happen as a result all of this.

    The fact that Microsoft seems to be acknowledging this fact and is working with vision to address the matter is highly encouraging.

    We are not seeing this kind of vision — or anything close to it — from any other major vendor to date.
    Caveats
    The biggest problem I see here is Microsoft itself. It isn’t like Microsoft has the reputation of always taking the high road to enhance technology to the benefit of all. To the contrary, Microsoft has the reputation of pretending to take the high road with an “embrace and extend-like” position while executing an exacting and calculating “embrace and execute” practice. Microsoft has become the arrogant elephant to dance with that IBM once was. Microsoft’s past is going to be difficult to shed and it will be a significant effort to convince others that the elephant won’t trample on everyone when it gets the chance.

    Figure 7: The New Microsoft?

    (Source: Craig Burton, drawn on the iPhone with Autodesk SketchBook Pro)

    So the tough questions are:

    • Can Microsoft really execute on such a brave direction?
    • Will Microsoft follow up on allowing true “Freedom of Choice” for the customer? (Think interoperability. i.e. IDMaaS from any vendor, not just MSFT)
    • Will the RESTful implementation be usable?
    • Can the technology transcend the limitations of Kerberos and LDAP as it moves Active Directory to the cloud?


    Summary
    My explanation is a simplified one, but if you study it a bit, you will start to see where Microsoft is going.

    In short, the vision of an Identity Metasystem based on Identity Management as a Service is brilliant thinking.

    The proof will be found in how Microsoft executes.

    There is a lot to work out here to show if this can really work. But I believe it can happen. Microsoft is in a good position to garner the expertise to give us this first implementation so organizations and people can start to vet the idea and see if this can really fly.

    I will be anxious to watch carefully at the progress of this direction.
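The federation model Craig sketches in Figure 2 (an identity provider issuing claims that a service provider accepts) and the contrast with the domain model, where assertions were right by definition, as an added Python example that is not part of either post: the relying party only accepts tokens from issuers enrolled in its trust framework, and still checks signature, audience and expiry before trusting the claims. HMAC-SHA256 with a per-issuer key is a stand-in for the asymmetric signatures real SAML/JWT tokens carry; all issuer names, keys and claims are constructed.

```python
"""Claims-based federation (Figure 2) with a trust framework.

Added example, not code from either post.  HMAC-SHA256 with a per-issuer key
stands in for the signatures of real SAML/JWT tokens; issuer names, keys and
claims are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    def __init__(self, issuer: str, key: bytes):
        self.issuer = issuer
        self.key = key

    def issue(self, subject, audience, claims, ttl=300, now=None) -> str:
        """Issue a token asserting claims about subject, addressed to audience."""
        now = time.time() if now is None else now
        payload = {"iss": self.issuer, "sub": subject, "aud": audience,
                   "exp": int(now + ttl), "claims": claims}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(tag)}"


class ServiceProvider:
    """Relying party: evaluates every assertion instead of taking it by definition."""

    def __init__(self, name: str):
        self.name = name
        self.trusted_issuers = {}  # the trust framework: issuer -> key

    def enroll(self, issuer: str, key: bytes) -> None:
        self.trusted_issuers[issuer] = key

    def accept(self, token: str, now=None) -> dict:
        """Return verified claims, or raise ValueError naming the check that failed."""
        now = time.time() if now is None else now
        try:
            body, tag = token.split(".")
            payload = json.loads(_unb64(body))
            issuer = str(payload["iss"])
        except (ValueError, TypeError, KeyError):  # unpacking, base64, JSON, shape
            raise ValueError("malformed token")
        key = self.trusted_issuers.get(issuer)
        if key is None:
            raise ValueError(f"issuer {issuer!r} not in trust framework")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            raise ValueError("bad signature")
        if payload.get("aud") != self.name:
            raise ValueError("token not addressed to this service provider")
        if payload.get("exp", 0) <= now:
            raise ValueError("token expired")
        return {"issuer": issuer, "subject": payload.get("sub"), **payload.get("claims", {})}


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the exchange with constructed parties; returns the outcome per case."""
    contoso = IdentityProvider("idp.contoso.example", b"contoso-demo-key")
    partner = IdentityProvider("idp.partner.example", b"partner-demo-key")
    stranger = IdentityProvider("idp.stranger.example", b"stranger-demo-key")
    sp = ServiceProvider("crm.example")
    sp.enroll(contoso.issuer, contoso.key)  # two IdPs are in the trust framework,
    sp.enroll(partner.issuer, partner.key)  # the stranger is not
    results = {}
    good = contoso.issue("alice", "crm.example", {"role": "employee"}, now=now)
    results["employee"] = sp.accept(good, now=now)
    results["contractor"] = sp.accept(
        partner.issue("bob", "crm.example", {"role": "contractor"}, now=now), now=now)
    # Claims altered after issuance: the body changes but the tag does not.
    body, tag = good.split(".")
    altered = json.loads(_unb64(body))
    altered["claims"]["role"] = "admin"
    tampered = _b64(json.dumps(altered, sort_keys=True).encode()) + "." + tag
    bad_cases = {
        "untrusted": stranger.issue("eve", "crm.example", {"role": "employee"}, now=now),
        "wrong_audience": contoso.issue("alice", "mail.example", {}, now=now),
        "expired": contoso.issue("alice", "crm.example", {}, now=now - 600),
        "tampered": tampered,
    }
    for label, token in bad_cases.items():
        try:
            sp.accept(token, now=now)
            results[label] = "accepted"
        except ValueError as err:
            results[label] = str(err)
    return results
```

Note that the service provider's trust framework is a single table here; the scaling problem Craig describes is that every service provider must maintain such a table for every identity provider it deals with.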

    I don’t mind taking a few knocks from Craig, and don’t think this would be the place to respond to them, even if I do think that the interoperable claims based identity technology we have been building and shipping for the last few years is the rocket fuel needed to “transcend the limitations of Kerberos and LDAP as we move Active Directory to the cloud” - one of his main concerns.

    But why quibble?  Craig really gets what’s important.  I like the fact that he takes the time to explain why Identity Management as a Service really is a big deal.  I suspect part of what he is saying is that it dwarfs the incremental changes we have seen over the last few years because it will impact every mainstream technology.

    Craig’s points about why infrastructure is hard are all golden, as is his wonderfully simple statement that “the current identity provider-centric world we live in now is broken and simply will not work for the future.”

    As for the tough questions, execution can only be judged by looking at what is shipped and how it evolves over time.  I’d like to take up the more general, IdMaaS-related questions in upcoming posts.  John will be talking in his posts specifically about our RESTful implementation and providing readers with access so they can judge for themselves and give us feedback.  At a practical level, we will be making things available incrementally in cloud time, adding breadth and depth as we go on.  This whole aspect of cloud innovation makes it hugely exciting.

    By the way, I love Craig’s elephant - I only wish I could dance so well, metaphorically at least.  I also love his graphics: he improved and extended the amateur ones I used in my European Identity and Cloud Conference keynote.  So if it’s OK with him, I’m going to pitch my own and go with his in my upcoming posts.  Thanks Craig.


    Author: "Kim Cameron" Tags: "Identity, Identity Industry, Identity Ma..."
    Date: Thursday, 31 May 2012 15:56

    John Fontana of ZDNet has written a pretty high octane report on the blog posts John Shewchuk and I published last week.  The article starts with a summary:

    The software giant begins talking publicly about Windows Azure Active Directory service and its strategy to use it as the foundation for its Identity Management as a Service strategy.

    That’s an interesting take on things.   But is “Identity Management as a Service” actually a strategy?  I wonder.  In my thinking it is an inevitability.  In other words, IDMAAS is the world we will end up in rather than the means of getting there.

    So I think it is more accurate to say, as ZDNet also does, that Microsoft’s strategy is to use Windows Azure Active Directory as the vehicle through which it offers Identity Management as a Service.   

    I hope this distinction doesn’t appear overly picky…   I just call it out because I would like to see our conversation focus primarily on what Identity management as a service must be.  After all, if we don’t get that right, the best strategy for getting there will be largely irrelevant.

    But enough of this.  John Fontana cuts to the chase:

    After two years of work, Microsoft has unveiled details and its strategy around Active Directory for the cloud, anointing it the centerpiece of a comprehensive online identity management services strategy it thinks will profoundly alter the ID landscape. 

    The company said changes to the current concepts around identity management need a “reset” to handle the “social enterprise.” Microsoft says it is “reimagining” how its Windows Azure Active Directory (WAAD) service helps developers create apps that connect the directory to SaaS apps and cloud platforms, corporate customers and social networks.

    “The term ‘identity management’ will be redefined to include everything needed to provide and consume identity in our increasingly networked and federated world,” Kim Cameron, an icon in the identity field and now a distinguished engineer working on identity at Microsoft, said on his blog. “This is so profound that it constitutes a ‘reset’.”

    At the center is WAAD, which is in use today mostly with Office 365 and Windows Intune customers. WAAD is a multitenant service designed for high availability and Internet scale.

    In a companion blog post to Cameron’s, John Shewchuk, a Microsoft Technical Fellow and key cog in the company’s cloud identity engineering, provided some details on WAAD, including new Internet-focused connectivity, mobility and collaboration features to support applications that run in the cloud.

    Shewchuk said the aim is to support technologies such as Java, and apps running on mobile devices including the iPhone or other cloud platforms such as Amazon’s AWS.

    Shewchuk said WAAD will be the cloud extension to on-premises Active Directory deployments enterprises have already made. The two are married using identity federation and directory synchronization.

    He said Microsoft made “significant changes to the internal architecture of Active Directory” in order to create WAAD.

    As an example, he said, “Instead of having an individual server operate as the Active Directory store and issue credentials, we split these capabilities into independent roles. We made issuing tokens a scale-out role in Windows Azure, and we partitioned the Active Directory store to operate across many servers and between data centers.”

    Some analysts are already noting the challenges Microsoft will have with its cloud directory.

    Mark Diodati, a research vice president at Gartner focusing on identity issues, told me in a conversation about changes the cloud is forcing on enterprise ID management that, “the addition of tablets and smartphones into the enterprise device mix exceeds Active Directory’s management capabilities and there is an impedance mismatch using Kerberos across the cloud.”

    While Shewchuk laid out the set-up for a Part 2 of his blog that will focus on enhancements to WAAD, Kim Cameron painted the bigger picture on cloud identity going forward.

    He said companies adopting cloud technology will see dramatic changes over the next decade in the way identity management is delivered. “We all need to understand this change,” he stressed.

    Cameron said identity management as a service “will use the cloud to master the cloud”, and will provide the most reliable and cost-effective options.

    “Enterprises will use these services to manage authentication and authorization of internal employees, the supply chain, and customers (including individuals), leads and prospects. Governments will use them when interacting with other government agencies, enterprises and citizens.”

    And he added that enterprises will have to move beyond concepts that have guided their thinking to date.

    [Full article and links to interviews and related pieces.]

    I’ll be interested in hearing more about Mark Diodati’s views.  I think he is right to say that you can’t just hoist Kerberos-based AD into the sky and claim you’ve solved the world’s problems.  

    But that’s why we have spent years now embedding web protocols like SAML into AD so that it could federate and become part of the Cloud.  The truth is that Windows Azure Active Directory has already transcended Kerberos - it tips its hat to the predominance of things like OpenID and OAuth on the Internet.  And this is but one example of a whole change in attitude.

    Wait.  I’m already ahead of myself - getting into details about my little corner of reality before we’ve even defined a landscape…

    [While we're at it, I notice that John Fontana, a tried and true bellwether when it comes to language, happily uses the acronym "WAAD" while refusing to taint himself with "IDMAAS":  hmmmm... could it be a sign?]


    Author: "Kim Cameron" Tags: "Identity, Identity Industry, Identity Ma..."
    Date: Wednesday, 30 May 2012 23:04

    By now everyone has seen the “this stuff matters” box on Google’s search page.  The “This stuff matters” message is pretty interesting - it sounds like Google understands our concerns and is taking them seriously.  On that basis I expect many people - fearing another 80 page privacy policy - will just move on to get their search result.

    Google has its way with us

    But some will actually take the time to follow the link.  And what they’ll see actually is important.

    First, they’ll find out that beginning this Thursday Google will amalgamate all the information it has about their activities and postings on all of Google’s sites and services into a single account profile.  This in spite of the fact that most people put content on those sites and entered queries into Google search pages thinking the information was limited to the specific context in which they were participating.

    Second, they’ll find out that as customers they have no choice about the matter.  Even though in many cases they have helped create the knowledge and content that makes Google successful, their option if they dislike the policy is to completely stop using Google sites by Wednesday February 29th 2012. 

    Of course all of this is perfectly in keeping with the creepy “Real Names” initiative forced upon us a few months ago.  At that time, we were told “Real Names” only applied to “certain Google sites” - like Google+.  What a surprise that so little time later, ALL account and profile information from ALL Google properties is being amalgamated under a single privacy and identity policy!  As we predicted, Real Names is slithering into the whole fabric of the company’s offerings, whether specific sites benefit from what will often be “over-identification” or not.

    Happily, one group of people who actually bothered to look into the change were the Attorneys General of the United States.  Today they published a cogent and devastating letter that does an admirable job of enumerating the many deeply disturbing implications of Google’s latest identity initiative.  It begins,

    “Google’s new privacy policy is troubling for a number of reasons. On a fundamental level, the policy appears to invade consumer privacy by automatically sharing personal information consumers input into one Google product with all Google products. Consumers have diverse interests and concerns, and may want the information in their Web History to be kept separate from the information they exchange via Gmail. Likewise, consumers may be comfortable with Google knowing their Search queries but not with it knowing their whereabouts, yet the new privacy policy appears to give them no choice in the matter, further invading their privacy. It rings hollow to call their ability to exit the Google products ecosystem a “choice” in an Internet economy where the clear majority of all Internet users use – and frequently rely on – at least one Google product on a regular basis.”

    The Attorneys General then go on to discuss the contagion between Google’s consumer offerings and their enterprise ones…  What does this kind of identity grab mean for companies and governments who have put corporate and state information under Google’s stewardship?  Can the companies who steward the resources of the World Wide Web change their privacy and other policies in radical and even maniacal ways without regard to the policies in effect when those resources were created?   Can they simply tell those who have bought into previous promises to either accept their brave new world or “take a walk”?  As the attorneys put it,

    “This invasion of privacy will be costly for many users to escape. For users who rely on Google products for their business – a use that Google has actively promoted – avoiding this information sharing may mean moving their entire business over to different platforms, reprinting any business cards or letterhead that contained Gmail addresses, re-training employees on web-based sharing and calendar services, and more. The problem is compounded for the many federal, state, and local government agencies that have transitioned to Google Apps for Government at the encouragement of your company, and that now will need to spend taxpayer dollars determining how this change affects the security of their information and whether they need to switch to different platforms.”

    I urge everyone to read the letter in full and think deeply about the consequences.  

    Not long ago, John Fontana suggested we get together to discuss the degree to which the Laws of Identity remain relevant seven years after they were published.  I look forward to that conversation.  Google’s actions show there are still companies who could benefit from reading them.  After all, it is clearly breaking three Laws of Identity:

    • Law 1:  User Control and Consent.  Users should never have identity information merged or divulged without their consent.
    • Law 2:  Minimal Disclosure for a Constrained Use.  It is wrong to link all information pertaining to a user across different contexts when it was provided for specific uses.
    • Law 4:  Directed Identity.  Systems should not create unnecessary correlation across different contexts unless people opt to do that.  They thus should be able to support identifiers that are limited to specific scopes - as has been the case at Google’s sites until now.

    And the Attorneys General are onto it…

    Attorneys General Swarm Google

    Author: "Kim Cameron" Tags: "Identity"
    Date: Thursday, 24 May 2012 16:19

    A few weeks ago at the European Identity and Cloud Conference I gave a keynote called Conflicting Visions of Cloud Identity. It was the first time that I reported publicly on the work I’ve been doing over the last year on understanding what cloud computing means for identity - and vice versa.

    The keynote led to many interesting exchanges with others at the conference. The conversations ranged from violent agreement to “animated dissidence” - and most important, to the discussion of many important nuances.

    It became clear to me that a lot of us involved with information technology could really benefit from an open exchange about these issues. We have the chance to accelerate and align our understanding and to explore the complexities and opportunities.

    So today I’d like to take a first step in that direction and lay out a few high level ideas that I’ll flesh out more concretely in upcoming posts.  I hope these will goad some of you into elaborating, pushing back, and taking our conversation in other completely different directions.

    Preparing for dramatic change

    To me, the starting point for this conversation is that Identity Management and the way it is delivered will change dramatically over the next decade as organizations respond to new economic and social imperatives by adopting cloud technology.

    We all need to understand this change.

    Organizations will find they need new identity management capabilities to take full advantage of the cloud. They will also find that the most reliable and cost-effective way to obtain these capabilities is through Identity Management as a Service - i.e. using the cloud to master the cloud.

    We can therefore predict with certainty that almost all organizations will subscribe to identity services that are cheaper, broader in scope and more capable than the systems of today.

    Enterprises will use these services to manage authentication and authorization of internal employees, the supply chain, and customers (including individuals), leads and prospects. Governments will use them when interacting with other government agencies, enterprises and citizens.

    Identity Management As A Service will require that we move beyond the models of identity management that have guided our thinking to date. A new service-based model will emerge combining more advanced capabilities with externalization of operations to achieve reduction in risk, effort and cost.

    Redefining Identity Management

    The term “Identity Management” will be redefined to include everything needed to provide and consume identity in our increasingly networked and federated world.  This is so profound that it constitutes a “reset”.

    As a category, Identity Management will expand to encompass all aspects of identity:

    • registration of people, organizations, devices and services;
    • management of credentials;
    • collection and proofing of attributes;
    • claims issuance;
    • claims acceptance;
    • assignment of roles;
    • management of groups;
    • cataloging of relationships;
    • maintenance of personalization information;
    • storage and controlled publication of information through directory;
    • confidential auditing; and
    • assurance of compliance.

    The baseline capability of Identity Management will be to enhance the security and privacy of both organizations and individuals.

    There will be a new market of next-generation identity management service providers with characteristics shaped by the importance of identity for both the protection of assets and the enhancement of relationships as we enter the era of the social enterprise.

    Meanwhile, the current market for identity management products will be challenged by the simplification, cost reduction and increased innovation possible in the cloud.

    Going forward, the term Identity Management As A Service will come up so often that we need an acronym.  For the time being I’m going to adopt the one my friend Eric Norlin proposed over six years ago: IDMaaS. While we’re at it, it is worth looking at Eric’s prescient article in ZDNet - he wrote it back in 2006 when he was a partner at Digital ID World. Eric reports on a conversation where Jamie Lewis (then CEO of the Burton Group) argued that “companies would find identity data too important to hand over to others” - a view that certainly described the way enterprises felt at that time.  These issues are still critically important, though many profound evolutions have, I think, transformed the variables in the equations.  These new variables will be ones we want to drill into going forward.

    Microsoft and IDMaaS

    One of the reasons I want to share my thoughts about Identity Management as a Service now is that they constitute part of the theoretical framework that lies behind many of the decisions about the kind of organizational identity service we at Microsoft are offering. 

    I’m therefore really excited to say that today we are able to start bringing you up to speed on exactly what that is.  Here’s a quote from today’s blog post by my close colleague and friend John Shewchuk, the Technical Fellow who plays a key role in getting our cloud identity offering engineered right: 

    What is Windows Azure Active Directory?

    We have taken Active Directory, a widely deployed, enterprise-grade identity management solution, and made it operate in the cloud as a multitenant service with Internet scale, high availability, and integrated disaster recovery.

    Since we first talked about it in November 2011, Windows Azure Active Directory has shown itself to be a robust identity and access management service for both Microsoft Office 365 and Windows Azure–based applications.

    In the interim, we have been working to enhance Windows Azure Active Directory by adding new, Internet-focused connectivity, mobility, and collaboration capabilities that offer value to applications running anywhere and on any platform. This includes applications running on mobile devices like iPhone, cloud platforms like Amazon Web Services, and technologies like Java.

    The easiest way to think about Windows Azure Active Directory is that Microsoft is enabling an organization’s Active Directory to operate in the cloud. Just like the Active Directory feature in the Windows Server operating system that operates within your organization, the Active Directory service that is available through Windows Azure is your organization’s Active Directory. Because it is your organization’s directory, you decide who your users are, what information you keep in your directory, who can use the information and manage it, and what applications are allowed to access that information. And if you already have on-premises Active Directory, this isn’t an additional, separate copy of your directory that you have to manage independently; it is the same directory you already own that has been extended to the cloud.

    Meanwhile, it is Microsoft’s responsibility to keep Active Directory running in the cloud with high scale, high availability, and integrated disaster recovery, while fully respecting your requirements for the privacy and security of your information.

    John’s post is called Reimagining Active Directory for the Social Enterprise.  It’s done in two parts, and following that John will join into our broader conversation about the identity management reset.   I hope the combination of our two blogs can help animate an industry-wide discussion while providing a specific channel through which people can get the information they need about Microsoft’s identity service offering.

    Later this week:  The Changing Model of Identity Management.  I hope to see you there.


    Author: "Kim Cameron" Tags: "Digital Identity, Identity, Identity Man..."
    Date: Wednesday, 02 Nov 2011 08:10

    It seems a number of people take the use of “real names” on the Internet as something we should all just accept without further thought.  But a recent piece by Gartner Distinguished Analyst Bob Blakley shows very clearly why at least a bit of thought is actually called for - at least amongst those of us building the infrastructure for cyberspace: 

    … Google is currently trying to enforce a “common name” policy in Google+. The gist of the policy is that “your Google+ name must be “THE” name by which you are commonly known”.

    This policy is insane. I really mean insane; the policy is simply completely divorced from the reality of how names really work AND the reality of how humans really work, and it’s also completely at odds with what Google is trying to achieve with G+.  (my emphasis - Kim)

    The root of the problem is that Google suffers from the common – but false – belief that names are uniquely and inherently associated with people. I’ve already explained why this belief is false elsewhere, but for the sake of coherence, I’ll summarize here.

    There isn’t a one-to-one correspondence between people and names. Multiple people share the same name (George Bush, for example, or even me: George Robert Blakley III), and individual people have multiple names (George Eliot, George Sand, George Orwell, or Boy George – or even me, George Robert “Bob” Blakley III). And people use different names in different contexts; King George VI was “Bertie” to family and close friends.

    THERE IS NO SUCH THING AS A “REAL” NAME.

    A name is not an attribute of a person; it is an identifier of a person, chosen arbitrarily and changeable at will. In England, I can draw up a deed poll in my living room and change my name at any time I choose, without the intervention or assistance of any authority. In California, I apparently don’t even need to write anything down: I can change my name simply by having people call me by the new name on the street.

    COMMON NAMES ARE NOT SINGULAR OR UNIQUE.

    Richard Garriott is COMMONLY known as “Richard Garriott” in some contexts (check Wikipedia), and COMMONLY known as Lord British in other contexts (go to a computer gaming convention). Bob Wills and Elvis are both “The King”.

    Despite these complexities, Google wants to intervene in your choice of name. They want veto power over what you can call yourself.

    Reversing the presumption that I choose what to be called happens – in the real world – only in circumstances which diminish the dignity of the individual. We choose the names of infants, prisoners, and pets. Imposing a name on someone is repression; free men and women choose their names for themselves.

    But the Google+ common name policy isn’t even consistently repressive; it sometimes vetoes names which ARE “common” in the sense Google intends (Violet Blue is an example), it sometimes accepts plausible names based on clearly fraudulent evidence, and it even “verifies” fraudulent names.

    Google+’s naming policy isn’t failing because it’s poorly implemented, or because Google’s enforcement team is stupid. It’s failing because what they’re trying to do is (1) impossible, and (2) antisocial.

    (2) is critical. Mike Neuenschwander has famously observed that social software is being designed by the world’s least sociable people, and Google+ seems to be a case in point. Google wants to be in the “social” business. But they’re not behaving sociably. They’re acting like prison wardens. No one will voluntarily sign up to be a prisoner. Every day Google persists in their insane attempt to tell people what they can and can’t call themselves, Google+ as a brand becomes less sociable and less valuable. The policy is already being described as racist and sexist; it’s also clearly dangerous to some disadvantaged groups.

    If you want to be the host of a social network, you’ve got to create a social space. Creating a social space means making people comfortable. That’s hard, because people don’t fit in any set of little boxes you want to create – especially when it comes to names. But that’s table stakes for social – people are complicated; deal with it. Facebook has an advantage here; despite its own idiotic real-names policy and its continual assaults on privacy, the company has real (i.e. human) sociability in its DNA – it was created by college geeks who wanted to get dates; Google+ wasn’t, and it shows.

    If Google’s intention in moving into social networking is to sell ads, Google+’s common names policy gives them a lock on the North American suburban middle-aged conservative white male demographic. w00t.

    The Google+ common name policy is insane. It creates an antisocial space in what is supposed to be a social network. It is at odds with basic human social behavior; its implementation is NECESSARILY arbitrary and infuriating, and it is actively damaging the Google+ brand and indeed the broader Google brand.

    The problem is not flawed execution; it is that the policy itself is fundamentally unsound, unworkable, and unfixable.

    Google can be a social network operator, or they can be the name police. They can’t be both. They need to decide – soon. If I were Google, I’d scrap the policy – immediately – and let people decide for themselves what they will be called.

     [Read the whole piece.  BTW,  Mike Neuenschwander has hit the nail on the head yet again.]

    Author: "Kim Cameron" Tags: "Digital Rights, Identity, User control"
    Date: Tuesday, 18 Oct 2011 06:51

    New York Times Technology ran a story yesterday about the publishing industry that is brimming with implications for almost everyone in the Internet economy.  It is about Amazon and what marketing people call “disintermediation”.  Not the simple kind that was the currency of the dot.com boom;  we are looking here at a much more advanced case:

    SEATTLE — Amazon.com has taught readers that they do not need bookstores. Now it is encouraging writers to cast aside their publishers.

    Amazon will publish 122 books this fall in an array of genres, in both physical and e-book form. It is a striking acceleration of the retailer’s fledgling publishing program that will place Amazon squarely in competition with the New York houses that are also its most prominent suppliers.

    It has set up a flagship line run by a publishing veteran, Laurence Kirshbaum, to bring out brand-name fiction and nonfiction…

    Publishers say Amazon is aggressively wooing some of their top authors. And the company is gnawing away at the services that publishers, critics and agents used to provide…

    Of course, as far as Amazon executives are concerned, there is nothing to get excited about:

    “It’s always the end of the world,” said Russell Grandinetti, one of Amazon’s top executives. “You could set your watch on it arriving.”

    But despite the sarcasm, shivers of disintermediation are going down the spines of many people in the publishing industry:

    “Everyone’s afraid of Amazon,” said Richard Curtis, a longtime agent who is also an e-book publisher. “If you’re a bookstore, Amazon has been in competition with you for some time. If you’re a publisher, one day you wake up and Amazon is competing with you too. And if you’re an agent, Amazon may be stealing your lunch because it is offering authors the opportunity to publish directly and cut you out. ” [Read whole story here.]

    If disintermediation is something you haven’t thought about much, you might start with a look at wikipedia:

    In economics, disintermediation is the removal of intermediaries in a supply chain: “cutting out the middleman”. Instead of going through traditional distribution channels, which had some type of intermediate (such as a distributor, wholesaler, broker, or agent), companies may now deal with every customer directly, for example via the Internet. One important factor is a drop in the cost of servicing customers directly.

    Note that the “removal” normally proceeds by “inserting” someone or something new into transactions.  We could call the elimination of bookstores “first degree disintermediation” - the much-seen phenomenon of replacement of the existing distribution channel.   But it seems intuitively right to call the elimination of publishers “second degree disintermediation” - replacement of the mechanisms of production, including everything from product development through physical manufacturing and marketing, by the entities now predominating in distribution.  

    The parable here is one of first degree disintermediation “spontaneously” giving rise to second degree disintermediation, since publishers have progressively less opportunity to succeed in the mass market without Amazon as time goes on.  Of course nothing ensures that Amazon’s execution will cause it to succeed in a venture quite different from its current core competency.  But clearly the economic intrinsics stack the deck in its favor. Even without displacing its new competitors it may well skim off the most obvious and profitable projects, with the inevitable result of underfunding what remains.

    I know.  You’re asking what all this has to do with identityblog.

    In my view, one of the main problems of reusable identities is that in systems like SAML, WS-Federation and Live ID, the “identity provider” has astonishing visibility onto the user’s relationship with the relying parties (e.g. the services who reuse the identity information they provide).  Not only does the identity provider know what consumers are visiting what services; it knows the frequency and patterns of those visits.   If we simply ignore this issue and pretend it isn’t there, it will become an Achilles Heel.

    Let me fabricate an example so I can be more concrete.  Suppose we arrive at a point where some retailer decides to advise consumers to use their Facebook credentials to log in to its web site.  And let’s suppose the retailer is super successful.  With Facebook’s redirection-based single sign-on system, Facebook would be able to compile a complete profile of the retailer’s customers and their log-on patterns.  Combine this with the intelligence from “Like” buttons or advertising beacons and Facebook (or equivalent) could actually mine the profiles of users almost as effectively as the retailer itself.  This knowledge represents significant leakage of the retailer’s core intellectual property - its relationships with its customers.

    All of this is a recipe for disintermediation of the exact kind being practiced by Amazon, and at some point in the process, I predict it will give rise to cases of spine-tingling that extend much more broadly than to a single industry like publishing. 

    By the time this becomes obvious as an issue we can also predict there will be broader understanding of “second degree disintermediation” among marketers.  This will, in my view, bring about considerable rethinking of some current paradigms about the self-evident value of unlimited integration into social networks.  Paradoxically disintermediation is actually a by-product of the privacy problems of social networks.  But here it is not simply the privacy of end users that is compromised, but that of all parties to transactions. 

    This problem of disintermediation is one of the phenomena leading me to conclude that minimal disclosure technologies like U-Prove and Idemix will be absolutely essential to a durable system of reusable identities.  With these technologies, the ability of the identity provider to disintermediate is broken, since it has no visibility onto the transactions carried out by individual users and cannot insert itself into the relationship between the other parties in the system. 

    Importantly, while disintermediation becomes impossible, it is still possible to meter the use of credentials by users without any infringement of privacy, and therefore to build a viable business model.
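    As an added illustration (not code from identityblog, and not U-Prove or Idemix themselves), here is a toy Python model of the two architectures discussed above: a redirect-based identity provider that is contacted on every login, beside an issuer that signs blinded credentials. Chaum-style RSA blind signatures stand in for minimal-disclosure issuance, and the RSA key is a constructed, insecure parameter set built from two published Mersenne primes; the scenario, user names and relying parties are likewise constructed. It shows what each provider's log contains, that relying parties verify offline, and that the blind issuer can still meter credentials per user.

```python
"""Toy model of identity-provider visibility (added example, not identityblog's
code).  RedirectIdP stands in for a SAML / WS-Federation / Live ID style
provider; BlindIdP stands in for a minimal-disclosure issuer using RSA blind
signatures (a simplification of U-Prove / Idemix, which use other schemes).
The RSA parameters below are a constructed toy and are NOT secure."""
import hashlib
import secrets
from collections import Counter

# Constructed toy RSA key: p = 2^127 - 1 and q = 2^89 - 1 are public Mersenne
# primes, so anyone can factor N.  They only serve to make the arithmetic real.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def _h(cred: bytes) -> int:
    """Map a credential to an integer below N (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(cred).digest(), "big") % N


class RedirectIdP:
    """Every login is redirected through the IdP, so its log records who
    logged in to which relying party and how often."""

    def __init__(self):
        self.log = []  # (user, relying_party)

    def login(self, user: str, rp: str) -> str:
        self.log.append((user, rp))
        return f"assertion:{user}@{rp}"  # audience-restricted assertion

    def customer_profile(self, rp: str) -> Counter:
        """The relying party's customer base, as reconstructed by the IdP."""
        return Counter(u for u, r in self.log if r == rp)


class BlindIdP:
    """Signs blinded values: it never sees the credential or its use, but it
    can still meter how many credentials each user obtained."""

    def __init__(self):
        self.issued = Counter()  # per-user meter, usable for billing
        self.log = []            # (user, blinded value) is all it ever sees

    def issue(self, user: str, blinded: int) -> int:
        self.issued[user] += 1
        self.log.append((user, blinded))
        return pow(blinded, D, N)


class Wallet:
    """User-side agent: blinds a fresh credential, unblinds the signature."""

    def __init__(self, idp: BlindIdP, user: str):
        self.idp, self.user = idp, user

    def obtain_credential(self):
        cred = secrets.token_bytes(16)       # fresh token per presentation
        r = secrets.randbelow(N - 2) + 2     # blinding factor in [2, N-1]
        blinded = (_h(cred) * pow(r, E, N)) % N
        sig = (self.idp.issue(self.user, blinded) * pow(r, -1, N)) % N
        return cred, sig


def rp_verify(cred: bytes, sig: int) -> bool:
    """Relying party checks the signature offline with the public key (E, N);
    the issuer is not contacted, so it learns nothing about the visit."""
    return pow(sig, E, N) == _h(cred)


def linkable(idp: BlindIdP, cred: bytes, sig: int) -> bool:
    """Can the issuer match a presented credential to an issuance record?
    Its log holds only blinded values, which equal neither hash nor signature."""
    h = _h(cred)
    return any(b == h or b == sig for _, b in idp.log)


def demo() -> dict:
    """Constructed scenario: two users visiting a retailer and a bank."""
    visits = [("alice", "retailer"), ("bob", "retailer"),
              ("alice", "retailer"), ("alice", "bank")]
    legacy = RedirectIdP()
    for user, rp in visits:
        legacy.login(user, rp)
    blind = BlindIdP()
    wallets = {u: Wallet(blind, u) for u in ("alice", "bob")}
    presented = [(rp,) + wallets[user].obtain_credential() for user, rp in visits]
    return {
        "legacy_retailer_profile": dict(legacy.customer_profile("retailer")),
        "all_verified": all(rp_verify(c, s) for _, c, s in presented),
        "any_linkable": any(linkable(blind, c, s) for _, c, s in presented),
        "metered": dict(blind.issued),
    }


if __name__ == "__main__":
    print(demo())
```

The legacy provider ends up holding the retailer's customer list and visit frequencies; the blind issuer holds only a per-user issuance count.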

    I hope to write more about this going forward, and show concretely how this can work.

    Author: "Kim Cameron" Tags: "Business Model, Digital Identity, Federa..."
    Date: Thursday, 13 Oct 2011 15:02

    If you are interested in social networks, don’t miss the slick video about Max Schrems’ David and Goliath struggle with Facebook over the way they are treating his personal information.  Click on the red “CC” in the lower right-hand corner to see the English subtitles.

    Max is a 24 year old law student from Vienna with a flair for the interview and plenty of smarts about both technology and legal issues.  In Europe there is a requirement that entities with data about individuals make it available to them if they request it.  That’s how Max ended up with a personalized CD from Facebook that he printed out on a stack of paper more than a thousand pages thick (see image below). Analysing it, he came to the conclusion that Facebook is engineered to break many of the requirements of European data protection.  He argues that the record Facebook provided him finds them to be in flagrante delicto.  

    The logical next step was a series of 22 lucid and well-reasoned complaints that he submitted to the Irish Data Protection Commissioner (Facebook states that European users have a relationship with the Irish Facebook subsidiary).  This was followed by another perfectly executed move:  setting up a web site called Europe versus Facebook that does everything right in terms of using web technology to mount a campaign against a commercial enterprise that depends on its public relations to succeed.

    Europe versus Facebook, which seems eventually to have become an organization, then opened its own YouTube channel.  As part of the documentation, they publicised the procedure Max used to get his personal CD.  Somehow this recipe found its way to reddit  where it ended up on a couple of top ten lists.  So many people applied for their own CDs that Facebook had to send out an email indicating it was unable to comply with the requirement that it provide the information within a 40 day period.

    If that seems to be enough, it’s not all.  As Max studied what had been revealed to him, he noticed that important information was missing and asked for the rest of it.  The response ratchets the battle up one more notch: 

    Dear Mr. Schrems:

    We refer to our previous correspondence and in particular your subject access request dated July 11, 2011 (the Request).

    To date, we have disclosed all personal data to which you are entitled pursuant to Section 4 of the Irish Data Protection Acts 1988 and 2003 (the Acts).

    Please note that certain categories of personal data are exempted from subject access requests.
    Pursuant to Section 4(9) of the Acts, personal data which is impossible to furnish or which can only be furnished after disproportionate effort is exempt from the scope of a subject access request. We have not furnished personal data which cannot be extracted from our platform in the absence of disproportionate effort.

    Section 4(12) of the Acts carves out an exception to subject access requests where the disclosures in response would adversely affect trade secrets or intellectual property. We have not provided any information to you which is a trade secret or intellectual property of Facebook Ireland Limited or its licensors.

    Please be aware that we have complied with your subject access request, and that we are not required to comply with any future similar requests, unless, in our opinion, a reasonable period of time has elapsed.

    Thanks for contacting Facebook,
    Facebook User Operations Data Access Request Team

    What a spotlight

    This throws intense light on some amazingly important issues. 

    For example, as I wrote here (and Max describes here), Facebook’s “Like” button collects information every time an Internet user views a page containing the button, and a Facebook cookie associates that page with all the other pages with “Like” buttons visited by the user in the last 3 months. 

    If you use Facebook, records of all these visits are linked, through cookies, to your Facebook profile - even if you never click the “like” button.  These long lists of pages visited, tied in Facebook’s systems to your “Real Name identity”, were not included on Max’s CD. 

    Is Facebook prepared to argue that it need not reveal this stored information about your personal data because doing so would adversely affect its “intellectual property”? 

    It will be absolutely amazing to watch how this issue plays out, and see just what someone with Max’s media talent is able to do with the answers once they become public. 

    The result may well impact the whole industry for a long time to come.

    Meanwhile, students of these matters would do well to look at Max’s many complaints:

    Each entry gives the complaint number, filing date, topic, status and the files available (Complaint PDF and Attachments ZIP on the Europe versus Facebook site):

    • 01 (18-AUG-2011) Pokes. Pokes are kept even after the user “removes” them. Filed with the Irish DPC. Files: Complaint (PDF), Attachments (ZIP).
    • 02 (18-AUG-2011) Shadow Profiles. Facebook is collecting data about people without their knowledge. This information is used to substitute existing profiles and to create profiles of non-users. Filed with the Irish DPC. Files: Complaint (PDF), Attachments (ZIP).
    • 03 (18-AUG-2011) Tagging. Tags are used without the specific consent of the user. Users have to “untag” themselves (opt-out). Info: Facebook announced changes. Filed with the Irish DPC. Files: Complaint (PDF), Attachments (ZIP).
    • 04 (18-AUG-2011) Synchronizing. Facebook is gathering personal data e.g. via its iPhone-App or the “friend finder”. This data is used by Facebook without the consent of the data subjects. Filed with the Irish DPC. Files: Complaint (PDF), Attachments (ZIP).
    • 05 (18-AUG-2011) Deleted Postings. Postings that have been deleted showed up in the set of data that was received from Facebook. Filed with the Irish DPC. Files: Complaint (PDF), Attachments (ZIP).
    • 06 (18-AUG-2011) Postings on other Users’ Pages. Users cannot see the settings under which content is distributed that they post on others’ pages. Filed with the Irish DPC. Files: Complaint (PDF), Attachments (ZIP).
    • 07 (18-AUG-2011) Messages. Messages (incl. Chat-Messages) are stored by Facebook even after the user “deleted” them. This means that all direct communication on Facebook can never be deleted. Filed with the Irish DPC. Files: Complaint (PDF), Attachments (ZIP).
    • 08 (18-AUG-2011) Privacy Policy and Consent. The privacy policy is vague, unclear and contradictory. If European and Irish standards are applied, the consent to the privacy policy is not valid. Filed with the Irish DPC. Files: Complaint (PDF), Attachments (ZIP).
    • 09 (18-AUG-2011) Face Recognition. The new face recognition feature is a disproportionate violation of the users’ right to privacy. Proper information and an unambiguous consent of the users is missing. Filed with the Irish DPC. Files: Complaint (PDF), Attachments (ZIP).
    • 10 (18-AUG-2011) Access Request. Access Requests have not been answered fully. Many categories of information are missing. Filed with the Irish DPC. Files: Complaint (PDF), Attachments (ZIP).
    • 11 (18-AUG-2011) Deleted Tags. Tags that were “removed” by the user are only deactivated but saved by Facebook. Filed with the Irish DPC. Files: Complaint (PDF), Attachments (ZIP).
    • 12 (18-AUG-2011) Data Security. In its terms, Facebook says that it does not guarantee any level of data security. Filed with the Irish DPC. Files: Complaint (PDF), Attachments (ZIP).
    • 13 (18-AUG-2011) Applications. Applications of “friends” can access data of the user. There is no guarantee that these applications are following European privacy standards. Filed with the Irish DPC. Files: Complaint (PDF), Attachments (ZIP).
    • 14 (18-AUG-2011) Deleted Friends. All removed friends are stored by Facebook. Filed with the Irish DPC. Files: Complaint (PDF), Attachments (ZIP).
    • 15 (18-AUG-2011) Excessive processing of Data. Facebook is hosting enormous amounts of personal data and it is processing all data for its own purposes. It seems Facebook is a prime example of illegal “excessive processing”. Filed with the Irish DPC. Files: Complaint (PDF), Attachments (ZIP).
    • 16 (18-AUG-2011) Opt-Out. Facebook is running an opt-out system instead of an opt-in system, which is required by European law. Filed with the Irish DPC. Files: Complaint (PDF), Attachments (ZIP).
    • (24-AUG-2011) Letter from the Irish DPC. Files: Letter (PDF).
    • (15-SEPT-2011) Letter to the Irish DPC concerning the new privacy policy and new settings on Facebook. Files: Letter (PDF).
    • 17 (19-SEPT-2011) Like Button. The Like Button is creating extended user data that can be used to track users all over the internet. There is no legitimate purpose for the creation of the data. Users have not consented to the use. Filed with the Irish DPC. Files: Complaint (PDF), Attachments (ZIP).
    • 18 (19-SEPT-2011) Obligations as Processor. Facebook has certain obligations as a provider of a “cloud service” (e.g. not using third party data for its own purposes or only processing data when instructed to do so by the user). Filed with the Irish DPC. Files: Complaint (PDF), Attachments (ZIP).
    • 19 (19-SEPT-2011) Picture Privacy Settings. The privacy settings only regulate who can see the link to a picture. The picture itself is “public” on the internet. This makes it easy to circumvent the settings. Filed with the Irish DPC. Files: Complaint (PDF), Attachments (ZIP).
    • 20 (19-SEPT-2011) Deleted Pictures. Facebook is only deleting the link to pictures. The pictures are still public on the internet for a certain period of time (more than 32 hours). Filed with the Irish DPC. Files: Complaint (PDF), Attachments (ZIP).
    • 21 (19-SEPT-2011) Groups. Users can be added to groups without their consent. Users may end up in groups that lead others to false impressions about a person. Filed with the Irish DPC. Files: Complaint (PDF), Attachments (ZIP).
    • 22 (19-SEPT-2011) New Policies. The policies are changed very frequently, users do not get properly informed, and they are not asked to consent to new policies. Filed with the Irish DPC. Files: Complaint (PDF), Attachments (ZIP).

    Author: "Kim Cameron" Tags: "Blog, Digital Eternity, Digital Rights, ..."