<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-7407265242144833233</id><updated>2011-07-30T18:07:55.707-07:00</updated><category term='cyber security'/><category term='information security'/><category term='HSPD-12'/><category term='IaaS'/><category term='Cyberspace Policy Review'/><category term='product management'/><category term='trust'/><category term='identity analytics'/><category term='identity management'/><category term='cloud computing'/><category term='authentication'/><category term='IDaaS'/><category term='innovation'/><category term='Scrum'/><category term='insider threat'/><category term='agile product management'/><category term='Identity-as-a-Service'/><category term='privacy'/><category term='biometrics'/><category term='identity federation'/><category term='pragmatic marketing'/><category term='multi-factor authentication'/><title type='text'>Jeffrey Huth on Product and Identity Management</title><subtitle type='html'>A Collection of thoughts, ideas, and research on product management, identity management, and security</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://jeffreyhuth.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://jeffreyhuth.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Jeffrey Huth</name><uri>http://www.blogger.com/profile/16486564054803358680</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>19</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-7407265242144833233.post-1767949879436423574</id><published>2009-09-03T12:25:00.000-07:00</published><updated>2009-09-03T12:30:41.817-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='authentication'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Canada Defeats the Fourth Largest Country</title><content type='html'>&lt;p&gt;Behind only India, China, and the US in total population, Facebook, with over 250 million users, will change the way it handles privacy over the next year. The net result is much more control and awareness for users (and probably a little annoyance for some), as users will have to give explicit approval before third-party applications can access their information. &lt;a href="http://tinyurl.com/kjc2k2"&gt;http://tinyurl.com/kjc2k2&lt;/a&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7407265242144833233-1767949879436423574?l=jeffreyhuth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreyhuth.blogspot.com/feeds/1767949879436423574/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/09/canada-defeats-fourth-largest-country.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/1767949879436423574'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/1767949879436423574'/><link rel='alternate' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/09/canada-defeats-fourth-largest-country.html' title='Canada Defeats the Fourth Largest Country'/><author><name>Jeffrey 
Huth</name><uri>http://www.blogger.com/profile/16486564054803358680</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7407265242144833233.post-9168141395802996357</id><published>2009-08-24T12:33:00.001-07:00</published><updated>2009-08-24T12:34:14.261-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='authentication'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>“Check the Guys to the North”</title><content type='html'>&lt;p&gt;While it is a quote from the old movie “Top Gun”, from one of those great dogfight scenes, the same can be said today: Canada is leading the world in social networking privacy protection against Facebook.&lt;/p&gt;&lt;p&gt;Here is the recent &lt;a href="http://www.pcworld.ca/news/article/4c7af304c0a80006016f600686edbc42/pg0.htm"&gt;PC World Canada update&lt;/a&gt; on the situation, which says Facebook is cooperating with the Office of the Privacy Commissioner (OPC).&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;“Hayden indicated the discussions are going well. "We continue to have positive discussions with Facebook," she said.&lt;/p&gt;&lt;p&gt;The OPC will make the outcomes of its discussions with Facebook public, but needs time to review and assess the undertakings first, she explained. "We need to do a thorough review and look at it carefully and once we've done so, we will determine the next steps," said Hayden.”&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;I expect changes in privacy education, more informed consent, and technical controls over third-party developers.  I am certainly looking forward to the full details. 
&lt;/p&gt;&lt;p&gt;Here are some stunning facts from the PC World article:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Canadians represent 12 million of Facebook's 250 million users around the world, out of a national population of 33 million.  They continue to rank among the top countries in per capita use.&lt;/li&gt;&lt;li&gt;There are currently more than 950,000 third-party developers of Facebook applications in roughly 180 countries around the world.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Thank you, Canada.  Other countries around the world should take notice.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7407265242144833233-9168141395802996357?l=jeffreyhuth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreyhuth.blogspot.com/feeds/9168141395802996357/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/08/check-guys-to-north.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/9168141395802996357'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/9168141395802996357'/><link rel='alternate' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/08/check-guys-to-north.html' title='“Check the Guys to the North”'/><author><name>Jeffrey Huth</name><uri>http://www.blogger.com/profile/16486564054803358680</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7407265242144833233.post-7980092137657060340</id><published>2009-08-07T11:20:00.001-07:00</published><updated>2009-08-07T14:03:04.152-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='authentication'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Privacy of Social Networking Platforms</title><content type='html'>&lt;p&gt;Traditional news outlets and the blogosphere are full of reports of hacking and privacy invasions on social networking and cloud computing platforms.  This is opportunity: opportunity to bring the right technologies to the party, but sadly also just another opportunity for your personal information to be taken without your consent. Take just a few recent examples:&lt;/p&gt;&lt;p&gt;Ian Glazer created &lt;a href="http://www.tuesdaynight.org/2009/07/27/looking-beyond-the-privacy-mirror.html"&gt;Privacy Mirror&lt;/a&gt; to demonstrate a privacy flaw in Facebook applications (the ones you “Allow” to read your personal information).  His results show that third-party developers get more information than your “Application Privacy Settings” allow.  &lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;It appears what’s going on is that if Alice and Bob both have authorized the same application, that application no longer respects either user’s Application Privacy settings. Instead, it respects the Profile Privacy settings of each person. In essence, App X acts (from a privacy settings point of view) as if it were a friend of Alice and Bob and not a third-party application.&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;The net result is that third-party application developers get everything your friends can see, not just what you have authorized them to get.  It is bad enough that a &lt;a href="http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.cfm"&gt;complaint against Facebook&lt;/a&gt; has been filed in Canada.  What makes it worse is that Facebook does a terrible job of informing you of how your information can be accessed.  From the Privacy Commissioner of Canada:&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;On the remaining subjects of third-party applications, account deactivation and deletion, accounts of deceased users, and non-users’ personal information, the Assistant Commissioner likewise found Facebook to be in contravention of the Act and concluded that the allegations were &lt;strong&gt;well-founded&lt;/strong&gt;. In these four cases, there remain unresolved issues where Facebook has not yet agreed to adopt her recommendations. Most notably, regarding third-party applications, the Assistant Commissioner determined that Facebook did not have adequate safeguards in place to prevent unauthorized access by application developers to users’ personal information, and furthermore was not doing enough to ensure that meaningful consent was obtained from individuals for the disclosure of their personal information to application developers.&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;Another example: last month the Google cloud applications (Google Docs) that Twitter executives use &lt;a href="http://blog.talkingidentity.com/2009/07/the-twitter-break-in-anything-to-learn-here.html"&gt;were broken into&lt;/a&gt; and corporate information and user account information was taken.  Username and password protection for cloud applications holding this kind of information is not acceptable.&lt;/p&gt;&lt;p&gt;Twitter accounts are hacked so often now that it seems mainstream.  Just today I got a direct message on Twitter from someone I know that was clearly spam.  Later this person tweeted an apology to all their followers because their account had been hacked.  Twitter account hacks are usually used to spread spam, but again, your account information is and should be private, right?  A username and password for social networking sites is not good enough.&lt;/p&gt;&lt;p&gt;On the security side, this week a &lt;a href="http://www.pcworld.com/article/169809/twitter_ddos_attack_politically_motivated_says_report.html"&gt;successful distributed denial of service attack&lt;/a&gt; took Twitter down and slowed Facebook and LiveJournal. While this attack was apparently politically motivated, aimed at denying social networking services, it demonstrates how sophisticated attacks have become.  This was a coordinated, simultaneous attack across multiple platforms, likely involving thousands of computers.  If this is the security threat, we need to step up security and privacy controls commensurately.&lt;/p&gt;&lt;p&gt;The use of social networking and cloud computing applications is skyrocketing and it is a great market to be in.  Unfortunately, in the time-to-market race among these companies it appears that proper privacy and security controls are lagging.  &lt;/p&gt;&lt;p&gt;As I said at the beginning of this post, this is opportunity.  This is the opportunity for multi-factor authentication, trust, and identity federation technologies to protect who you are online and what you can do.  This is also an opportunity for your personal information to be taken.  For now, a good rule of thumb: if you don’t want the public to know it, don’t put it in your profile. 
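The “application acts like a friend” flaw that Privacy Mirror found is an authorization logic error, and it is easiest to see in a small policy model. The following Python is an added example written for this page; it is not Ian Glazer’s Privacy Mirror code and not anything from Facebook, and the users, fields and privacy levels are constructed for illustration. It evaluates what an application running in Bob’s session can read about Alice, once with the observed behaviour (only Profile Privacy is consulted when both users have authorized the app) and once with the least-privilege rule that always intersects with Alice’s Application Privacy Settings.

```python
from dataclasses import dataclass

# Toy profile schema (constructed for this example; not Facebook's real model).
FIELDS = ("name", "birthday", "email", "photos")


@dataclass
class User:
    name: str
    friends: frozenset          # usernames this user has accepted as friends
    profile_privacy: dict       # field -> "everyone" | "friends" | "only_me"
    app_privacy: frozenset      # fields this user lets friends' applications read
    authorized_apps: frozenset  # applications this user has personally authorized


def visible_to_person(owner, viewer, fld):
    """Profile Privacy Settings: what another person may see of `owner`."""
    level = owner.profile_privacy.get(fld, "only_me")
    if level == "everyone":
        return True
    if level == "friends":
        return viewer in owner.friends
    return False


def _friend_view(owner, acting_for):
    """Everything `acting_for` could see of `owner` by browsing as themselves."""
    return {f for f in FIELDS if visible_to_person(owner, acting_for.name, f)}


def app_fields_buggy(owner, app, acting_for):
    """The behaviour Privacy Mirror observed: once `owner` has also authorized
    `app`, the app is evaluated as if it were a friend of `owner`, and
    `owner`'s Application Privacy Settings are never consulted."""
    if app not in acting_for.authorized_apps:
        return set()                      # no session: acting_for never installed the app
    view = _friend_view(owner, acting_for)
    if app in owner.authorized_apps:
        return view                       # BUG: app_privacy skipped for co-authorized apps
    return view.intersection(owner.app_privacy)


def app_fields_fixed(owner, app, acting_for):
    """Least privilege: an app acting for Bob never gets more of Alice than
    (what Bob may see of Alice) intersected with (what Alice lets apps see),
    whether or not Alice happens to use the same app. Alice's own, direct
    authorization of the app is a separate grant in her own session and is
    deliberately not modelled here."""
    if app not in acting_for.authorized_apps:
        return set()
    return _friend_view(owner, acting_for).intersection(owner.app_privacy)


def over_exposed(owner, app, acting_for):
    """Fields handed out beyond what `owner` consented to for applications."""
    return app_fields_buggy(owner, app, acting_for) - app_fields_fixed(owner, app, acting_for)


# Constructed sample users (assumptions for the example).
ALICE = User(
    name="alice",
    friends=frozenset({"bob"}),
    profile_privacy={"name": "everyone", "birthday": "friends",
                     "email": "friends", "photos": "only_me"},
    app_privacy=frozenset({"name"}),       # Alice lets friends' apps see only her name
    authorized_apps=frozenset({"AppX"}),   # ...but she has installed AppX herself
)
BOB = User(
    name="bob",
    friends=frozenset({"alice"}),
    profile_privacy={f: "friends" for f in FIELDS},
    app_privacy=frozenset({"name"}),
    authorized_apps=frozenset({"AppX", "AppY"}),
)

if __name__ == "__main__":
    for app in ("AppX", "AppY"):
        print(app,
              "buggy:", sorted(app_fields_buggy(ALICE, app, BOB)),
              "fixed:", sorted(app_fields_fixed(ALICE, app, BOB)),
              "over-exposed:", sorted(over_exposed(ALICE, app, BOB)))
```

With AppX authorized by both users, the buggy evaluator releases Alice’s birthday and email to the application even though her Application Privacy Settings allow only her name; with AppY, which Alice never authorized, both evaluators agree. The design point is that the application’s own authorization status must never widen the consent check that governs data flowing through someone else’s session.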
&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7407265242144833233-7980092137657060340?l=jeffreyhuth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreyhuth.blogspot.com/feeds/7980092137657060340/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/08/privacy-of-social-networking-platforms.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/7980092137657060340'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/7980092137657060340'/><link rel='alternate' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/08/privacy-of-social-networking-platforms.html' title='Privacy of Social Networking Platforms'/><author><name>Jeffrey Huth</name><uri>http://www.blogger.com/profile/16486564054803358680</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7407265242144833233.post-1128426716783665761</id><published>2009-07-17T10:58:00.001-07:00</published><updated>2009-08-07T09:08:11.321-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='product management'/><category scheme='http://www.blogger.com/atom/ns#' term='innovation'/><title type='text'>What is Innovation?</title><content type='html'>&lt;p&gt;You’ve probably heard the quote:&lt;/p&gt;&lt;blockquote&gt;&lt;p align="center"&gt;“If I’d have asked my customers what they wanted, they would have told me ‘A faster horse’ ” - Henry Ford&lt;/p&gt;&lt;/blockquote&gt;&lt;p align="left"&gt;I love that quote and it is often sighted as the 
reason innovation exists. So when do you innovate and when do you listen to your customers? At what point are you just using your own ideas from personal, albeit expert, opinion without market facts and calling it innovation? &lt;/p&gt;&lt;p align="left"&gt;Perhaps as bad as that practice sounds to a Product Manager that in a nutshell is really what innovation is all about isn’t it? You have to envision something so big and game changing that you think the market would buy it without a clear view into a specific problem to be solved. It is only after some time the process would be considered bad practice when the idea doesn’t take off and called innovation when it does. If the gas-powered auto failed would Henry Ford still have been an innovator?&lt;/p&gt;&lt;p align="left"&gt;Sadly I do not have the answers to all these but have begun embarking on a quest for the answers and I am finding that innovation is actually not well defined. Most of the descriptions of innovation are based on the outcome of an innovative culture. “Find something that is really breakout and build that”. That is helpful but that is the outcome of innovation, not innovation itself. &lt;/p&gt;&lt;p align="left"&gt;There are two companies known for their innovation – Apple and Disney. 
Check these out, it is a good place to start:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;div align="left"&gt;“&lt;a href="http://www.pragmaticmarketing.com/publications/magazine/6/4/you_cant_innovate_like_apple"&gt;You Can’t Innovate Like Apple&lt;/a&gt;”, The Pragmatic Marketer, Volume 6, Issue 4, 2008&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div align="left"&gt;“&lt;a href="http://www.bidiversity.com/2009/07/how-disney-perfected-the-brainstorm/"&gt;How Disney perfected the Brainstorm&lt;/a&gt;”, Business Innovation Forum, July 2009.&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p align="left"&gt;If you’ve found any particularly good material on innovation please comment, my quest has just begun.&lt;/p&gt;&lt;p align="left"&gt;UPDATE:  Good interview on &lt;a href="http://www.oracle.com/profit/features/p17andrew.html?msgid=8041314"&gt;Creating a Culture of Innovation&lt;/a&gt; with James Andrew who leads Boston Consulting Group's Innovation Practice.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7407265242144833233-1128426716783665761?l=jeffreyhuth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreyhuth.blogspot.com/feeds/1128426716783665761/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/07/what-is-innovation.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/1128426716783665761'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/1128426716783665761'/><link rel='alternate' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/07/what-is-innovation.html' title='What is Innovation?'/><author><name>Jeffrey 
Huth</name><uri>http://www.blogger.com/profile/16486564054803358680</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7407265242144833233.post-7410314124406596140</id><published>2009-06-30T14:02:00.001-07:00</published><updated>2009-06-30T14:05:45.553-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='product management'/><category scheme='http://www.blogger.com/atom/ns#' term='cyber security'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><category scheme='http://www.blogger.com/atom/ns#' term='insider threat'/><title type='text'>Your Personal Information May Be More Exposed Than You Think</title><content type='html'>&lt;p&gt;The &lt;a href="http://www.idtheftcenter.org/index.html"&gt;Identity Theft Resource Center&lt;/a&gt; (ITRC) is a not-for-profit organization dedicated to “the understanding and prevention of identity theft”.  &lt;/p&gt;&lt;p&gt;The ITRC has been recording data breaches by category, type, and number of records accessed since 2005.  Data breaches are instances when Personally Identifiable Information is unprotected and could represent an opportunity for someone to steal your identity.  They even separate those data breaches across Data on the Move, Accidental Exposure, Insider Theft, Subcontractors, and Hacking, and they update their data every Tuesday.  This is wonderful raw data, and if you haven’t perused it before, quite scary.  &lt;/p&gt;&lt;p&gt;If identity theft has happened to you, or you are afraid of identity theft, you had better stop reading now.  &lt;/p&gt;&lt;p&gt;In the first 6 months of 2009 alone there have been 268 reported breaches with 12,322,887 records exposed.  Not every breach reports the number of records exposed, so the actual number is probably substantially higher.  Consider the following table:&lt;/p&gt;&lt;table border="0" cellspacing="0" cellpadding="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td width="174"&gt;Category&lt;/td&gt;&lt;td width="94"&gt;# of Breaches&lt;/td&gt;&lt;td width="85"&gt;# of Records&lt;/td&gt;&lt;td width="97"&gt;% of Breaches&lt;/td&gt;&lt;td width="88"&gt;% of Records&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Medical/Healthcare&lt;/td&gt;&lt;td&gt;35&lt;/td&gt;&lt;td&gt;8,656,673&lt;/td&gt;&lt;td&gt;13.1%&lt;/td&gt;&lt;td&gt;70.2%&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Government/Military&lt;/td&gt;&lt;td&gt;48&lt;/td&gt;&lt;td&gt;2,929,158&lt;/td&gt;&lt;td&gt;17.9%&lt;/td&gt;&lt;td&gt;23.8%&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Educational&lt;/td&gt;&lt;td&gt;39&lt;/td&gt;&lt;td&gt;420,235&lt;/td&gt;&lt;td&gt;14.6%&lt;/td&gt;&lt;td&gt;3.4%&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Business&lt;/td&gt;&lt;td&gt;113&lt;/td&gt;&lt;td&gt;292,039&lt;/td&gt;&lt;td&gt;42.2%&lt;/td&gt;&lt;td&gt;2.4%&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Banking/Credit/Financial&lt;/td&gt;&lt;td&gt;33&lt;/td&gt;&lt;td&gt;24,782&lt;/td&gt;&lt;td&gt;12.3%&lt;/td&gt;&lt;td&gt;0.2%&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Total&lt;/td&gt;&lt;td&gt;268&lt;/td&gt;&lt;td&gt;12,322,887&lt;/td&gt;&lt;td&gt;100%&lt;/td&gt;&lt;td&gt;100%&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;p&gt;The Business category has by far the highest share of breaches but a very low share of records exposed.  When you examine the data in detail you discover that less than half of those breaches have “unknown” next to the number of records exposed.  &lt;/p&gt;&lt;p&gt;Medical/Healthcare is low by share of breaches but highest by records exposed.  This is largely due to one breach, at the Virginia Department of Health Professions, with over 8M records exposed.  
In this particular case the &lt;a href="http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=217201397&amp;amp;subSection=Cybercrim"&gt;thieves are demanding a ransom&lt;/a&gt; for the data! &lt;/p&gt;&lt;p&gt;So how does this compare to 2008?  Actually, we are better off than last year.  Assuming the second half of 2009 is like the first half, 2009 would end at roughly 536 breaches, somewhere between the 2007 and 2008 totals.  According to the ITRC: &lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;“…2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446.”&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;And here are a few more interesting tidbits from the ITRC for 2008:&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;“… only 2.4% of all breaches had encryption or other strong protection methods in use. Only 8.5% of reported breaches had password protection. It is obvious that the bulk of breached data was unprotected by either encryption or even passwords.”&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;And finally, a comment buried deep in their explanation of what constitutes a data breach:&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;“When records are encrypted, we state that we do not (at this time) consider that to be a data exposure. However, we do not consider password protection as adequate, and we do consider those events to be a data exposure.”&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;Is it time to resurrect Dave Kearns’ Passwords and Buggy Whips discussion?&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7407265242144833233-7410314124406596140?l=jeffreyhuth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreyhuth.blogspot.com/feeds/7410314124406596140/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/06/your-personal-information-may-be-more.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/7410314124406596140'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/7410314124406596140'/><link rel='alternate' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/06/your-personal-information-may-be-more.html' title='Your Personal Information May Be More Exposed Than You Think'/><author><name>Jeffrey Huth</name><uri>http://www.blogger.com/profile/16486564054803358680</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7407265242144833233.post-1563032130615648153</id><published>2009-06-25T10:30:00.001-07:00</published><updated>2009-06-25T10:32:54.473-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='biometrics'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><category scheme='http://www.blogger.com/atom/ns#' 
term='information security'/><title type='text'>Biometric Data You Leave Behind, What’s the Fear?</title><content type='html'>&lt;p&gt;I read a few comments about the now defunct Fly Clear program and specifically what is happening to the data, namely the biometric data.  This isn’t a post about the business model and what may or may not have happened to bring about this conclusion; it is about the dichotomy in the fears over personal data and biometric data. &lt;/p&gt;&lt;p&gt;&lt;a href="http://identityblog.burtongroup.com/bgidps/2009/06/the-identity-science-fair-the-clear-experiment-fails.html"&gt;Kevin Kampman&lt;/a&gt; wonders about the data.  &lt;a href="http://jacksonshaw.blogspot.com/2009/06/clear-is-dead-what-about-my-retinal.html"&gt;Jackson Shaw&lt;/a&gt; wonders about his biometric data, and &lt;a href="http://idlogger.wordpress.com/2009/06/23/dude-where%e2%80%99s-my-scan/"&gt;Jeff Bohren&lt;/a&gt; references these and throws the technology under the bus.  I’m sure there are others, but I stopped here.&lt;/p&gt;&lt;p&gt;Kevin asks the best question: What about ALL the data?  There is personal information, background checks, biometric information, and payment information.  What is happening to it, indeed?  Specifically, Jackson and Jeff wonder about the biometric information.  My question in response is “what are you afraid of?”  Why is the biometric data more sinister than your personal information or payment information?  &lt;/p&gt;&lt;p&gt;As I have talked about before, a biometric is a mathematical representation of a physical characteristic.  Once it is acquired it is converted into a template, a mathematical map of that characteristic.  A template is not meant to be turned back into a fake finger or a fake eyeball, and doing so is not easy, though it is not impossible either: researchers have reconstructed fingerprint images from minutiae templates that match the original, so a stored template deserves the same protection as the rest of the enrollment record.  And even if it could be reversed, why would someone do it?  What is the threat?  What is to be gained?  How is that going to be more worthwhile than getting your personal information or payment information? &lt;/p&gt;&lt;p&gt;I suspect the answer to “what are you afraid of” really is cultural.  As a society we are familiar with, and have grown accustomed to, providing personal and payment information to third parties.  Remember when submitting your credit card information online to a computer, knowing it was encrypted, was scarier than speaking it over a phone, in plain language, to another human?   It was new, wasn’t well understood, and wasn’t yet mainstream.  For the most part we’ve gotten past this and culturally are no longer afraid.  &lt;/p&gt;&lt;p&gt;The same holds true with your biometric data.  When your biometric data is used it feels more personal (it feels about you because it really is about you).  It is new, it isn’t well understood, and it certainly isn’t mainstream.  The public is not culturally sensitized to providing biometric data and having it left behind, even though the impact on you as a person of leaving it behind is far less significant than that of your personal and payment data.  Another example: how many times did you buy something online over the last few years, only later to find out the store went bankrupt or was acquired?  Same issue as Fly Clear.  We don’t freak out because we are accustomed to this.     &lt;/p&gt;&lt;p&gt;Biometrics is a technology, and not a perfect one.  It holds promise for certain applications.  What is evident to me is that society still has a ways to go in how it understands biometric data.  It doesn’t help adoption that law enforcement uses biometrics for criminals.  It doesn’t help when consumer programs like Fly Clear and Pay-by-Touch fail.  Society will come around when there are enough successful applications that it becomes mainstream and the fear is either well understood or accepted, just like it is with personal and payment data.  
&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7407265242144833233-1563032130615648153?l=jeffreyhuth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreyhuth.blogspot.com/feeds/1563032130615648153/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/06/biometric-data-you-leave-behind-whats.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/1563032130615648153'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/1563032130615648153'/><link rel='alternate' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/06/biometric-data-you-leave-behind-whats.html' title='Biometric Data You Leave Behind, What’s the Fear?'/><author><name>Jeffrey Huth</name><uri>http://www.blogger.com/profile/16486564054803358680</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7407265242144833233.post-8798958377594204257</id><published>2009-06-16T08:13:00.001-07:00</published><updated>2009-06-25T10:32:15.920-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='product management'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='insider threat'/><title type='text'>Security Risk of Legacy Accounts</title><content type='html'>&lt;p&gt;Courion &lt;a href="http://www.courion.com/company/press_release.html?id=408"&gt;completed a survey in May&lt;/a&gt; after the California Water Services Company security breach to 
assess how pervasive this problem is.  They found:&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;“…a vast majority (93%) of organizations are confident that terminated employees pose no security risk to their systems by virtue of legacy access, many have limited or no knowledge of the systems to which their active and terminated employees have access.”&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;Put the other way, 7% of surveyed organizations believe terminated employees pose a risk.  Directly translated, this means 7% of our addressable market believes they have a problem right now, 93% need to be convinced, and some percentage between the two is the actual marketplace.  Indirectly translated (and a slight stretch), you could use this data to say that you have a 7% chance of a terminated employee posing a security risk.  Reviewing the top-down business case for Cal Water I &lt;a href="http://jeffreyhuth.blogspot.com/2009/05/cal-waters-iam-business-case.html"&gt;outlined in a previous post&lt;/a&gt;, I arrived at an 8% chance.  Are we actually converging on an approach to construct a business case for de-provisioning?&lt;/p&gt;&lt;p&gt;Since we all love facts and figures as Product Managers, the rest of Courion’s posted results are also interesting.&lt;/p&gt;&lt;ul&gt;&lt;li&gt;236 business managers from large enterprises – more than half from companies with at least 10,000 employees – reveals that 53% of IT managers are largely unaware of employee access rights to systems.  This causes a proliferation of zombie accounts – accounts that remain active after employees have left the company. 
However, these same administrators say they have a high level of confidence that zombie accounts cannot trigger a malicious attack or perpetrate a data leak, despite evidence to the contrary, such as the recent CWSC incident.&lt;/li&gt;&lt;li&gt;Nearly one in three companies (30%) still manually provision user accounts, increasing the likelihood of human error or delays when de-provisioning departing employees – and ultimately the risk of data theft via zombie accounts. &lt;/li&gt;&lt;li&gt;Almost half (48%) of organizations currently take more than one business day to alert IT departments of employee terminations. &lt;/li&gt;&lt;li&gt;Close to one quarter (23%) of companies surveyed also take another day or more to switch off employee access to their systems, creating a substantial window of opportunity for malicious former employees. &lt;/li&gt;&lt;li&gt;Almost 1 in 10 companies (9%) said they could never be completely certain that terminated employees no longer have access to IT systems. 
&lt;/li&gt;&lt;li&gt;More than one third (34%) of business managers reported that it can take up to a week or longer to be completely certain that terminated employees do not have access to systems.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Thank you Courion for sharing your market research with those of us on more restrictive budgets.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7407265242144833233-8798958377594204257?l=jeffreyhuth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreyhuth.blogspot.com/feeds/8798958377594204257/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/06/security-risk-of-legacy-accounts.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/8798958377594204257'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/8798958377594204257'/><link rel='alternate' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/06/security-risk-of-legacy-accounts.html' title='Security Risk of Legacy Accounts'/><author><name>Jeffrey Huth</name><uri>http://www.blogger.com/profile/16486564054803358680</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7407265242144833233.post-5187819529732235530</id><published>2009-06-04T10:44:00.001-07:00</published><updated>2009-06-05T09:49:29.099-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='trust'/><category scheme='http://www.blogger.com/atom/ns#' term='Cyberspace Policy Review'/><category scheme='http://www.blogger.com/atom/ns#' 
term='identity federation'/><category scheme='http://www.blogger.com/atom/ns#' term='cyber security'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='cloud computing'/><category scheme='http://www.blogger.com/atom/ns#' term='authentication'/><category scheme='http://www.blogger.com/atom/ns#' term='HSPD-12'/><title type='text'>Government’s “Cyberspace Policy Review” and IAM</title><content type='html'>&lt;p&gt;The White House released its &lt;a href="http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf"&gt;Cyberspace Policy Review&lt;/a&gt; last Friday. For 60 days of effort it’s not bad, and it is nice to see focused attention on this topic. It takes a pretty comprehensive view across cyber security, from intrusion detection and viruses to digital leak protection, privacy and network integrity. It is not technical at all; it is a document used to begin policy discussions. The review also takes the view that the US is not in it alone and this all needs to be done as a global initiative.&amp;#160; I like that. &lt;/p&gt;  &lt;p&gt;What does it say about IAM? There are some interesting comments in Section V: “Establish Identity Management as an Option”&lt;/p&gt;  &lt;p&gt;The first paragraph of this section focuses on authentication. &lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;“Authentication mechanisms also can help ensure that online transactions only involve trustworthy data, hardware, and software for networks and devices. With the systems available today for most Internet transactions, the electronic equivalent of cues people use to establish trust might be absent, incomplete, or difficult to understand and act upon. 
Identity management has the potential to help individuals and organizations form trusted communities based on varying degrees of identity exposure and mutually agreed accountability, while helping exclude unwanted intruders or inappropriate membership.” &lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;I hear in this identity federation, online strong authentication, and better mechanisms to build trust between parties that need to trust each other better. Things like user-centric identity and the Vendor Relationship Management (VRM) initiative &lt;a href="http://www.youtube.com/watch?v=hbfcZSuozFI"&gt;Eve Maler talked about in her keynote at EIC 2009&lt;/a&gt; come to mind. Coincidentally &lt;a href="http://jeffreyhuth.blogspot.com/2009/05/how-does-trust-work.html"&gt;I also had a two part blog&lt;/a&gt; about building trust relationships and how the phases of trust work so it was nice to read this.&amp;#160; I still think going back to the basics of trust relationships is an area of substantial opportunity for the community. &lt;/p&gt;  &lt;p&gt;The second part of this section talks to the need for privacy enhancements. 
It reiterates the point about online trust for transactions.&amp;#160;&amp;#160; It also says:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;“The Nation should implement…an opt-in array of interoperable identity management systems to build trust for online transactions and to enhance privacy.”&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;Sounds like cloud computing concepts to me.&amp;#160; More specifically, offering identity services in the cloud to allow persons to quickly build and assert relationships.&amp;#160; Also technologies to represent yourself through a set of different personas, thereby being able to control privacy.&amp;#160; Most likely this would not be a government-led thing, however, but possibly government-supported.&amp;#160; Our government can be very good at getting things done indirectly.&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;“The National Science and Technology Council’s (NSTC’s) Subcommittee on Biometrics and Identity Management in 2008 published a report that provides a vision for future federal identity management and a series of research and development recommendations. The Federal government should use this report as a starting point for identity management strategies.”&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;Personally I haven’t read this yet, but you can guess what’s next on my reading list (and possibly a future post).&lt;/p&gt;  &lt;p&gt;This next one was so tactical and specific that it is out of place with everything else in the review, which is much higher level and strategic. It makes you wonder if it was included for political reasons. It basically says the government should get on with the program it started years ago, get it done, and consider using that technology elsewhere.&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;“The Federal government, following the guidance of Homeland Security Presidential Directive 12 (HSPD-12), is seeking to leverage the federal interoperable identity credentialing mechanism across the federal enterprise. 
The Federal government should ensure resources are available for full federal implementation of HSPD-12. The Federal government also should consider extending the availability of federal identity management systems to operators of critical infrastructure and to private-sector emergency response and repair service providers for use during national emergencies.”&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;I’ve blogged about &lt;a href="http://jeffreyhuth.blogspot.com/2009/05/if-public-sector-namely-federal.html"&gt;HSPD-12 recently&lt;/a&gt; and its current status.&amp;#160; There is work to do but isn’t that stating the obvious in a strategy review document by the acting Cyber security Czar?&amp;#160; The second part relating to emergency response was covered in &lt;a href="http://jeffreyhuth.blogspot.com/2009/05/how-does-trust-work-part-2.html"&gt;Part 2 of the building trust&lt;/a&gt; post.&amp;#160; I am a little more skeptical there and still hold the opinion there may be a better way. But again, why was HSPD-12 in there? It is one specific, albeit the largest, government identity management program.&lt;/p&gt;  &lt;p&gt;The review concludes with a recommended set of near and mid-term proposed action plans. Specific to IAM in the near-term:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;“9. In collaboration with other EOP entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions.&lt;/p&gt;    &lt;p&gt;     &lt;br /&gt;10. 
Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.”&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;Specific to IAM in the mid-term:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;“13. Implement, for high-value activities (e.g., the Smart Grid), an opt-in array of interoperable identity management systems to build trust for online transactions and to enhance privacy.”&lt;/p&gt;    &lt;p&gt;     &lt;br /&gt;“14. Refine government procurement strategies and improve the market incentives for secure and resilient hardware and software products, new security innovation, and secure managed services.”&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;So in summary I take away the following areas of relevance:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Better, stronger authentication online&lt;/li&gt;    &lt;li&gt;User-centric identity&lt;/li&gt;    &lt;li&gt;Vendor relationship management&lt;/li&gt;    &lt;li&gt;Identity services in the cloud&lt;/li&gt;    &lt;li&gt;identity federation&lt;/li&gt;    &lt;li&gt;Strong authentication with smart cards&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Note, I realize these are not mutually exclusive.&lt;/p&gt;  &lt;p&gt;All in all a fairly typical government document – at least the ones not classified. Again, it is nice to see the emphasis on cyber security in our federal government. Our homeland is much more than the land we walk on. 
&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7407265242144833233-5187819529732235530?l=jeffreyhuth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreyhuth.blogspot.com/feeds/5187819529732235530/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/06/governments-cyberspace-policy-review.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/5187819529732235530'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/5187819529732235530'/><link rel='alternate' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/06/governments-cyberspace-policy-review.html' title='Government’s “Cyberspace Policy Review” and IAM'/><author><name>Jeffrey Huth</name><uri>http://www.blogger.com/profile/16486564054803358680</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7407265242144833233.post-2856642201932854803</id><published>2009-05-29T13:47:00.001-07:00</published><updated>2009-05-29T13:59:25.159-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='product management'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='insider threat'/><title type='text'>Cal Water’s IAM Business Case</title><content type='html'>&lt;p&gt;This story is getting quite a bit of press. 
By far the best accounting of the story is from &lt;a href="http://www.csoonline.com/article/493377/Insider_at_Cal_Water_Steals_M_and_Runs?page=1"&gt;CSO Online&lt;/a&gt;, which is reprinting the Computerworld article. &lt;/p&gt;  &lt;p&gt;In short, a former employee returns to the office hours after resigning, his electronic card key is still active, he logs onto two separate computer systems and initiates three wire transfers totaling $9.2M. According to the story the only way it was detected was because a suspicious janitor saw him coming in after hours. The person is still at large. The money has been returned.&amp;#160; Quite a few folks have pointed out what Cal Water should have done – access control, employee off-boarding, destroying accounts, etc. etc.&amp;#160; It is all true, but how do you break it down into a business case?&amp;#160; &lt;/p&gt;  &lt;p&gt;The California Water Services Company (Cal Water) is publicly traded. Last year they did about $410M annual revenue with 929 employees and approximately $40M income. They had cash assets around $13M. I’m sure someone would have noticed a huge $9.2M hole in these numbers even if the janitor didn’t notice the former employee. Ironically, in their latest 10-K filing, prior to the event:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;Our business is dependent on several complex business systems, certain of which are owned by third parties. The business systems must function reliably in order for us to operate effectively. Among other things, system malfunctions and security breaches could prevent us from operating or monitoring our facilities, billing accurately and timely analysis of financial results. Our profitability and cash flow could be affected negatively in the event these systems do not operate effectively or are circumvented. &lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;Nonetheless, $9.2M to a company with these numbers is a huge hit, possibly something that would have taken years to recover from. 
If you were trying to create a business case for them, $9.2M across all your employees is about $10k each. Not all of these employees are head office personnel – only about 400 are supervisory, non-union – so it is probably more like $20k-$30k per person. Presumably it would cost far less on a per-employee basis to implement access control and de-provisioning systems, both physical and logical.&amp;#160; Let’s say it would be a $1M investment.&amp;#160; That is a mere $2,500 per person (compared to $30k), or approximately 8%.&amp;#160; Would you consider that they had an 8% chance one of these employees would do this?&amp;#160; This doesn’t even take into account the “soft costs” like public embarrassment and a drop in stock price.&lt;/p&gt;  &lt;p&gt;But a malicious insider is so rare, right? The CSO article states: &lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;Security analysts have been cautioning about the insider risk for some time, but an increase in incidents highlights the continuing challenges companies face in dealing with the issue. A recent survey by SailPoint Technologies of 125 large companies found that eight out of 10 of the businesses were concerned about insider threats. &lt;/p&gt;    &lt;p&gt;At the same time, though, about 57% of the respondents said they did not have the visibility they needed across their networks to prevent insiders from abusing their access. Less than two in 10 felt they had the controls needed to deal with insider threats. &lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;The threat is substantial and the stakes are high. The market opportunity is real. The question is really how you make it mainstream. 
How do you get a stalwart company like Cal Water to see the need?&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7407265242144833233-2856642201932854803?l=jeffreyhuth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreyhuth.blogspot.com/feeds/2856642201932854803/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/05/cal-waters-iam-business-case.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/2856642201932854803'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/2856642201932854803'/><link rel='alternate' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/05/cal-waters-iam-business-case.html' title='Cal Water’s IAM Business Case'/><author><name>Jeffrey Huth</name><uri>http://www.blogger.com/profile/16486564054803358680</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7407265242144833233.post-333485127297603871</id><published>2009-05-18T12:20:00.001-07:00</published><updated>2009-05-18T12:24:29.253-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Does California’s Privacy Law Help the Business Case for IAM?</title><content type='html'>&lt;p&gt;Interesting things have been happening in California since they changed their privacy laws this year. 
The latest being a &lt;a href="http://www.latimes.com/news/local/la-me-privacy15-2009may15,0,2916906.story"&gt;$250,000 fine to Kaiser Permanente's Bellflower hospital&lt;/a&gt; for having “failed to prevent unlawful or unauthorized access to, or use or disclosure of a patient's medical information, as required by Section 1280.15 of the Health and Safety Code.”&lt;/p&gt;&lt;p&gt;Through California’s privacy laws a stronger business case is developing to implement identity authorization and access controls. Or is it? I mean when you read a quote like this and you are in identity management you get excited.&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;Dr. Deborah Peel, founder of Patient Privacy Rights Foundation in Austin, Texas, said new technologies should be used to prevent unauthorized workers from accessing data in the first place.&lt;br /&gt;"Fines are a last resort and I'm sure they will help," Peel said, but unprotected patient information is "like leaving money in an unlocked room."&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;But when you break it down is it really creating a meaningful business case? Is it harsh enough that it is a call to action? At first $250,000 sounds like a lot and it is the &lt;em&gt;&lt;strong&gt;maximum&lt;/strong&gt;&lt;/em&gt; fine under the new California law. But Kaiser employs around 160,000 employees across 32 medical centers and makes about $38B (taken from Hoover’s public data for 2007). That’s an average of 5,000 employees per center and an average of $237,500 in revenue per employee. If you assume not all employees have access to medical files $250k puts you in the range of $100 per employee who has access rights. There are a lot of things you could do to save $100 per employee. Do you go to the trouble of implementing identity access control solutions which probably will cost much more than $100 per employee? 
&lt;/p&gt;&lt;p&gt;If you assume a risk your organization gets caught – in other words the chance you are taking by not putting in access control tools and employees still peek despite being told not to and are exposed – you are in the $5-$10 range per employee. Do you solve for something that would impact your organization at $5-$10/employee or do you prioritize something that saves more money per employee?&lt;/p&gt;&lt;p&gt;It is great this is happening but breaking the rules has to have meaningful consequences.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7407265242144833233-333485127297603871?l=jeffreyhuth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreyhuth.blogspot.com/feeds/333485127297603871/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/05/does-californias-privacy-law-help.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/333485127297603871'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/333485127297603871'/><link rel='alternate' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/05/does-californias-privacy-law-help.html' title='Does California’s Privacy Law Help the Business Case for IAM?'/><author><name>Jeffrey Huth</name><uri>http://www.blogger.com/profile/16486564054803358680</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7407265242144833233.post-6720532179055659925</id><published>2009-05-13T09:04:00.001-07:00</published><updated>2009-05-13T09:07:48.279-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='product management'/><category scheme='http://www.blogger.com/atom/ns#' term='cloud computing'/><title type='text'>Weather Forecast: Cloudy With a Chance of Confusion</title><content type='html'>&lt;p&gt;Breaking from the theme of this blog, I’m posting on Cloud Computing. I started by reading &lt;a href="http://www.ebizq.net/blogs/cloudtalk/2009/05/defining_cloud_computing.php"&gt;Andre Yee’s definition of Cloud Computing&lt;/a&gt;. I’ve known Andre for many years and greatly respect his opinions and vision.&lt;/p&gt;&lt;p&gt;&lt;a href="http://csrc.nist.gov/organizations/fissea/2009-conference/presentations/fissea09-pmell-day3_cloud-computing.pdf"&gt;&lt;img style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: inline; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: 0px; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: 0px" title="cloud" border="0" alt="cloud" align="right" src="http://lh3.ggpht.com/_wgRdrOI080s/SgrvnJDUUvI/AAAAAAAAABs/Bn4p2ICqFLA/cloud%5B4%5D.png?imgmax=800" width="146" height="112" /&gt;&lt;/a&gt;Independently we both discovered that the National Institute of Standards and Technology (NIST) ITL recently came out with &lt;a href="http://csrc.nist.gov/organizations/fissea/2009-conference/presentations/fissea09-pmell-day3_cloud-computing.pdf"&gt;their draft definition of Cloud Computing&lt;/a&gt;…and I like it, not because I agree with the definition, which I do, but because it provides structure.&lt;/p&gt;&lt;p&gt;It is not a simple elevator pitch like Andre was proposing, but it is good. It provides much-needed structure around the characteristics, delivery models, and deployment models. 
It basically says Cloud Computing is the overarching term for everything and provides a definition of where things fit – like SaaS.&lt;/p&gt;&lt;p&gt;This will go a long way toward creating consistency. We will know for sure we have a good definition when we can equally focus on what Cloud Computing isn’t AND we clearly demonstrate value to the user/buyer personas.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7407265242144833233-6720532179055659925?l=jeffreyhuth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreyhuth.blogspot.com/feeds/6720532179055659925/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/05/weather-forecast-cloudy-with-chance-of.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/6720532179055659925'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/6720532179055659925'/><link rel='alternate' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/05/weather-forecast-cloudy-with-chance-of.html' title='Weather Forecast: Cloudy With a Chance of Confusion'/><author><name>Jeffrey Huth</name><uri>http://www.blogger.com/profile/16486564054803358680</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://lh3.ggpht.com/_wgRdrOI080s/SgrvnJDUUvI/AAAAAAAAABs/Bn4p2ICqFLA/s72-c/cloud%5B4%5D.png?imgmax=800' height='72' 
width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7407265242144833233.post-1921297346068468762</id><published>2009-05-11T09:42:00.000-07:00</published><updated>2009-05-11T09:53:04.774-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='biometrics'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity-as-a-Service'/><category scheme='http://www.blogger.com/atom/ns#' term='HSPD-12'/><title type='text'>Will the Feds get HSPD-12 done?  Then What?</title><content type='html'>&lt;p&gt;&lt;span style="font-family:verdana;"&gt;If public sector, namely federal government, identity management is something you do, few conversations are held &lt;a href="http://3.bp.blogspot.com/_wgRdrOI080s/SghVtoaa1-I/AAAAAAAAAA8/ZVU6X4r0n6k/s1600-h/hp_Flag_Right.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5334608001051056098" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 138px; CURSOR: hand; HEIGHT: 108px" alt="" src="http://3.bp.blogspot.com/_wgRdrOI080s/SghVtoaa1-I/AAAAAAAAAA8/ZVU6X4r0n6k/s200/hp_Flag_Right.jpg" border="0" /&gt;&lt;/a&gt;without talking about HSPD-12. After reviewing the &lt;/span&gt;&lt;a href="http://www.whitehouse.gov/omb/e-gov/hspd12_reports/"&gt;&lt;span style="font-family:verdana;"&gt;Implementation Status Government-Wide&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:verdana;"&gt; published by the Office of Management and Budget (OMB), I will share a few highlights. If you know what HSPD-12 is, skip the next paragraph. The bullets below it will save you time and give you the highlights. What I keep coming back to, however, is: “Where do the money and technological advances take us in identity management?” 
That will be the topic of a different post.&lt;br /&gt;&lt;br /&gt;Homeland Security Presidential Directive-12 (HSPD-12) - "&lt;em&gt;Policy for a Common Identification Standard for Federal Employees and Contractors&lt;/em&gt;” directed the creation of a new Federal standard for a secure and reliable form of identification to be issued by all Federal Agencies to their employees and contractors. FIPS 201, also called Personal Identity Verification (PIV), is the primary standard, with several others around it. The solution is basically a smart card containing several digital certificates for different applications and reference fingerprint templates. A template is a mathematical representation of the fingerprint following a particular standard data format for interoperability. The General Services Administration (GSA) stood up a shared service (I guess you could call it Identity-as-a-Service) to issue these new credentials to agencies who signed up with them. A total of 64 did. Others, 25 in total, went it alone. All have been working to issue cards.&lt;br /&gt;&lt;br /&gt;From the latest report: &lt;/span&gt;&lt;/p&gt;&lt;span style="font-family:verdana;"&gt;&lt;ul&gt;&lt;li&gt;The number of people who require this credential is about 5.8M, down 13% from six months ago (has our government actually gotten smaller, or is it just lower headcount between administrations?). &lt;/li&gt;&lt;li&gt;&lt;/span&gt;&lt;span style="font-family:verdana;"&gt;The number of PIV cards issued went from 20% six months ago to 48% currently. At this rate they should be done in a year – if you choose to define done as over 90%. Not likely if you look at the data, but I won’t go there right now.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family:verdana;"&gt;Of the 15 cabinet-level agencies (aka “Department of..." 
&lt;fill&gt;), Energy, Housing and Urban Development, Labor and State are all greater than 80% done.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family:verdana;"&gt;Of the 15 cabinet-level agencies (aka “Department of..." &lt;fill&gt;), Justice and Homeland Security are the worst off…still. To be fair, DHS, hasn’t filed a report since last October despite the mandate by OMB to do so quarterly. Ironic the agencies responsible for law enforcement and security are the least able to abide by a federal security program.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family:verdana;"&gt;Of the 15 cabinet-level agencies (aka “Department of..." &lt;fill&gt;), Defense dominates. DoD accounts for almost 3.3M of the total 5.8M. The 3.3M is 13 times more than the next largest agency, Veterans Affairs. DoD has issued 1.7M already. To be fair, they did have a HUGE head start. &lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-family:verdana;"&gt;&lt;p&gt;&lt;/span&gt;&lt;span style="font-family:verdana;"&gt;The government continues to move along. What is more interesting to speculate, however, is given the amount of money the government dumped into this program, how and in what form will the technology find its way to a larger global marketplace. It happens a lot with technology innovations. 
Just look at the very medium we are using right now.&lt;/span&gt; &lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7407265242144833233-1921297346068468762?l=jeffreyhuth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreyhuth.blogspot.com/feeds/1921297346068468762/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/05/if-public-sector-namely-federal.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/1921297346068468762'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/1921297346068468762'/><link rel='alternate' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/05/if-public-sector-namely-federal.html' title='Will the Feds get HSPD-12 done?  
Then What?'/><author><name>Jeffrey Huth</name><uri>http://www.blogger.com/profile/16486564054803358680</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_wgRdrOI080s/SghVtoaa1-I/AAAAAAAAAA8/ZVU6X4r0n6k/s72-c/hp_Flag_Right.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7407265242144833233.post-5691780701498525180</id><published>2009-05-06T12:59:00.000-07:00</published><updated>2009-05-08T06:24:19.800-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='biometrics'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><title type='text'>Don't Remember Your Password, BE the Password</title><content type='html'>&lt;a href="http://1.bp.blogspot.com/_wgRdrOI080s/SgHuasAX0eI/AAAAAAAAAA0/imxvIVR7QtY/s1600-h/fingerprint_definition.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5332805576040108514" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 174px; CURSOR: hand; HEIGHT: 148px" alt="" src="http://1.bp.blogspot.com/_wgRdrOI080s/SgHuasAX0eI/AAAAAAAAAA0/imxvIVR7QtY/s200/fingerprint_definition.jpg" border="0" /&gt;&lt;/a&gt;&lt;span style="font-family:verdana;"&gt;David Kearns &lt;/span&gt;&lt;a href="http://www.networkworld.com/newsletters/dir/2009/050409id1.html"&gt;&lt;span style="font-family:verdana;"&gt;post on password management&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:verdana;"&gt; has generated some conversation. 
&lt;/span&gt;&lt;a href="http://blogs.sun.com/identity/entry/passwords_and_buggy_whips"&gt;&lt;span style="font-family:verdana;"&gt;Mark Dixon&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:verdana;"&gt; posed the question:&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;p align="left"&gt;&lt;span style="font-family:verdana;"&gt;&lt;span style="color:#666666;"&gt;The big question is, "Replace username/password with what?"&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;div align="left"&gt;&lt;span style="font-family:verdana;"&gt;One response from &lt;/span&gt;&lt;a href="http://idlogger.wordpress.com/2009/05/06/a-good-question-indeed/"&gt;&lt;span style="font-family:verdana;"&gt;Jeff Bohren&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:verdana;"&gt; has me a bit unsettled. Jeff proposes certificates and possibly information cards but discards biometrics by saying:&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;blockquote&gt;&lt;p align="left"&gt;&lt;span style="font-family:verdana;color:#666666;"&gt;"Biometrics is a hot area of research now. It seems every week some new breakthrough in earlobe recognition or some other phrenological magic is announced. But as of yet there are just too many problems with biometrics to displace passwords."&lt;br /&gt;&lt;/p&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;div align="left"&gt;&lt;span style="font-family:verdana;"&gt;Any debate around displacing the username/password combination has to include the application of biometrics. I think because it is a relatively poorly understood technology it tends not to get airtime. Biometrics is not some creepy science thing only used by the FBI to catch criminals. A biometric, any type, is just a mathematical representation of a physical characteristic. That mathematical representation is nothing more than a very, very long and strong password that you do not have to remember. You ARE the password. 
And it has the side benefit of being linked to its owner so it isn’t easily stolen.&lt;br /&gt;&lt;br /&gt;In this case the only thing standing in the way of using a biometric password in place of a traditional password is the cost – cost of the “input device” and cost of the technology to match the “password” computed from the input device to the “password” stored elsewhere. A keyboard is the input device for a traditional password and standard issue with any computer. A biometric reader is the input device to get a biometric password and not yet standard issue on everything (some laptops yes). How are you going to carry your certificate around or store your info card? A smart card? Your smart phone? A USB key fob? Those are costly input devices too and you have no guarantee the right person is the one using it.&lt;br /&gt;&lt;br /&gt;There can be issues with the matching (not authenticating when you should have) but as I have blogged about before you can manage through those issues. Besides how many times do you mistype your strong password and have to enter it again? Probably way more times than when you should authenticate but didn’t using your biometric. 
&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7407265242144833233-5691780701498525180?l=jeffreyhuth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreyhuth.blogspot.com/feeds/5691780701498525180/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/05/replace-password-with-biometric.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/5691780701498525180'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/5691780701498525180'/><link rel='alternate' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/05/replace-password-with-biometric.html' title='Don&apos;t Remember Your Password, BE the Password'/><author><name>Jeffrey Huth</name><uri>http://www.blogger.com/profile/16486564054803358680</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_wgRdrOI080s/SgHuasAX0eI/AAAAAAAAAA0/imxvIVR7QtY/s72-c/fingerprint_definition.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7407265242144833233.post-6699976826566411266</id><published>2009-05-05T11:07:00.000-07:00</published><updated>2009-05-07T08:11:33.169-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='product management'/><category scheme='http://www.blogger.com/atom/ns#' term='pragmatic marketing'/><title type='text'>The Four W’s of Product Management</title><content type='html'>&lt;span style="font-family:verdana;"&gt;It is high time for a 
post on Product Management. As product managers we know what we are supposed to do: listen to the market, look for unsolved pervasive needs, define product that meets the need, and launch product that makes multiples of revenue over the costs. In reality, however, we daily run into plenty of people who want to help us do our jobs with plenty of ideas:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;p&gt;&lt;span style="font-family:verdana;"&gt;&lt;span style="color:#000000;"&gt;“I was just with customer X and they have this problem that should be solved in product” &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style="font-family:Verdana;"&gt;&lt;/span&gt;&lt;span style="font-family:verdana;"&gt;&lt;span style="color:#000000;"&gt;&lt;p&gt;“We in services just implemented this great&lt;br /&gt;feature/integration/component/tool/custom application for a customer that you should productize” &lt;/p&gt;&lt;p&gt;“This customer is strategic and is going to need A, B, C and so we want to bid it to them as product” &lt;/p&gt;&lt;p&gt;“Well if we get one customer to pay for it then it is a no brainer and should be a product”&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;span style="font-family:verdana;"&gt;These are somewhat extreme examples but you get the idea. Over the years I’ve developed a very simple way of guiding these conversations. I call it the &lt;strong&gt;&lt;em&gt;&lt;span style="font-family:times new roman;font-size:130%;"&gt;“Four W’s of Product Management”&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;. This is an obvious rip-off of the Marketing Mix (aka Four P’s of Marketing – Product, Price, Place, Promotion). I actually prefer Pragmatic Marketing’s less popular but more accurate Problem, Product, Place, Promotion. I digress. 
The &lt;span style="font-family:times new roman;font-size:130%;"&gt;&lt;strong&gt;&lt;em&gt;Four W’s of Product Management&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt; then:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:times new roman;font-size:130%;"&gt;&lt;strong&gt;&lt;em&gt;Who&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt; are we talking about? Not which one or two customers but more specifically what market or customer segment are they in? This immediately turns the conversation away from solving the tactical problem at hand to a more strategic discussion.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:times new roman;font-size:130%;"&gt;&lt;strong&gt;&lt;em&gt;Why&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt; are we talking about them? You may or may not have managed to define the segment but then you will discuss the particular problem. It usually turns back tactical at this point and back to the specific instance that started the whole conversation. However, sticking to this topic you explore if that particular problem is possibly representative of all or most of the customers in the segment you think you know.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:times new roman;font-size:130%;"&gt;&lt;strong&gt;&lt;em&gt;What&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt; can we do to help them? If you’ve managed to define the segment and defined the problem then you finally start discussing the solution to the problem – the product idea. I’ve found this is usually where people want to start but in order to do our jobs successfully you need to start the conversation with the first two areas initially.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:times new roman;font-size:130%;"&gt;&lt;strong&gt;&lt;em&gt;When&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt; do they need it? This is not meant to be tactical and asking when the specific thing is needed but rather when does this problem occur for the customer? Is it now, is it in 3 months? After some material event? 
Perhaps even more importantly here is &lt;em&gt;&lt;span style="font-family:times new roman;font-size:130%;"&gt;How&lt;/span&gt;&lt;/em&gt;. (I can’t yet make &lt;em&gt;How&lt;/em&gt; one of the questions because then it would be the Four W’s and One H of Product Management and that isn't brand friendly.) A part of &lt;em&gt;When&lt;/em&gt;, &lt;em&gt;How,&lt;/em&gt; is meant to understand your channel to get the &lt;em&gt;What&lt;/em&gt; to &lt;em&gt;Who&lt;/em&gt; to solve the &lt;em&gt;Why&lt;/em&gt;. If it doesn’t fit your sales team forget direct sales. If you don’t currently see a channel at all you may have to factor in the cost/benefit of building one.&lt;br /&gt;&lt;br /&gt;It is a very simple methodology. One that I will continue to use and refine throughout my career as a filtering mechanism when discussing all those great new product opportunities. I use this technique regularly. Honestly sometimes it is painful. Not everyone is comfortable elevating a tactical conversation to a strategic level. When you do it, however, sometimes it will spark something very good; sometimes going through this process lets you stop a weak idea immediately. 
&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:verdana;"&gt;Of course no one ever tries to help us do our jobs...&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7407265242144833233-6699976826566411266?l=jeffreyhuth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreyhuth.blogspot.com/feeds/6699976826566411266/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/05/four-ws-of-product-management.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/6699976826566411266'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/6699976826566411266'/><link rel='alternate' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/05/four-ws-of-product-management.html' title='The Four W’s of Product Management'/><author><name>Jeffrey Huth</name><uri>http://www.blogger.com/profile/16486564054803358680</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7407265242144833233.post-3720422850276267272</id><published>2009-05-01T11:51:00.001-07:00</published><updated>2009-05-01T12:18:04.512-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity analytics'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity-as-a-Service'/><title type='text'>Identity Analytics at IBM</title><content type='html'>&lt;span style="font-family:arial;font-size:85%;"&gt;I&lt;/span&gt;&lt;span 
style="font-family:verdana;"&gt; had the pleasure of listening to a presentation and meeting Jeff Jonas at IBM. A dynamic and engaging speaker, Jeff started a software company whose early deployments were doing identity analytics to catch bad guys in Vegas casinos. Not to oversimplify, but identity analytics is looking for the relationships between pieces of identity data to build identity profiles. He later sold the company to IBM and continues there with the typical large company-like title of “IBM Distinguished Engineer and Chief Scientist, Entity Analytic Solutions, IBM Software Group”.&lt;br /&gt;&lt;br /&gt;A deep thinker, he doesn’t strike me as your typical technologist. Head over to his &lt;/span&gt;&lt;a href="http://jeffjonas.typepad.com/"&gt;&lt;span style="font-family:verdana;"&gt;blog to see what he’s up to&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:verdana;"&gt;. What I find interesting and worth noting is that he is doing research on what he calls "anonymous entity resolution" or:&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;blockquote&gt;&lt;span style="font-family:verdana;"&gt;&lt;span style="color:#666666;"&gt;“…technique enabling advanced data correlation while only using irreversible&lt;br /&gt;cryptographic hashes.”&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;span style="font-family:verdana;"&gt;Or maybe this helps understand it:&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;blockquote&gt;&lt;span style="font-family:verdana;"&gt;&lt;span style="color:#666666;"&gt;“This new capability makes it possible for organizations to discover records of&lt;br /&gt;common interest (e.g., identities) without the transfer of any privacy invading&lt;br /&gt;content”&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;span style="font-family:verdana;"&gt;Think about the barriers that technology has the potential to break down and the applications that it enables. 
That could really be a game changer.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7407265242144833233-3720422850276267272?l=jeffreyhuth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreyhuth.blogspot.com/feeds/3720422850276267272/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/05/identity-analytics-at-ibm.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/3720422850276267272'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/3720422850276267272'/><link rel='alternate' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/05/identity-analytics-at-ibm.html' title='Identity Analytics at IBM'/><author><name>Jeffrey Huth</name><uri>http://www.blogger.com/profile/16486564054803358680</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7407265242144833233.post-1484069063079689444</id><published>2009-04-24T09:02:00.000-07:00</published><updated>2009-05-08T07:09:10.657-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='IaaS'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity-as-a-Service'/><category scheme='http://www.blogger.com/atom/ns#' term='IDaaS'/><title type='text'>Identity as a Service Revisited</title><content type='html'>&lt;span style="font-family:verdana;"&gt;Forrester Research made a prediction in their Identity Management Market Forecast: 2007 to 2014 that 
Identity-as-a-Service (IDaaS) would be a future direction for identity management. This was published in February of 2008.&lt;br /&gt;&lt;br /&gt;I read a &lt;/span&gt;&lt;a href="http://www.identropy.com/blog/bid/19931/IaaS-Integration-as-a-Service-101"&gt;&lt;span style="font-family:verdana;"&gt;post&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:verdana;"&gt; recently from Adrian Rodriguez from identropy on Integration-as-a-Service (IaaS) which said:&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;blockquote&gt;&lt;span style="font-family:verdana;color:#666666;"&gt;“In my opinion, technology has progressed from the normal implementations, to the much lesser known Identity as a Service (which was popular about a year ago but really never caught on because it is what all implementers were already doing) to Integration as a Service (which provides the greatest value and return on investment for an organization).”&lt;/span&gt;&lt;/blockquote&gt;&lt;span style="font-family:verdana;"&gt;Oddly enough most of the material on IDaaS was published in 2007 to early 2008 and focused on IDaaS as an architectural model for offering identity-based services in a SOA model. This &lt;/span&gt;&lt;a href="http://blogs.oracle.com/talkingidentity/2007/05/08/"&gt;&lt;span style="font-family:verdana;"&gt;one from Nishant Kaushik over at Oracle&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:verdana;"&gt; tried to clear up confusion between Identity-as-a-Service as the SOA layer and as the software on-demand or SaaS model. And then it appears, IDaaS started going away as Rodriguez suggests. 
Probably because no one was able to take the SOA version beyond the relevant standards involved to actually define services.&lt;br /&gt;&lt;br /&gt;Then this came out this year (&lt;/span&gt;&lt;a href="http://www.reuters.com/article/pressRelease/idUS147223+20-Jan-2009+BW20090120"&gt;&lt;span style="font-family:verdana;"&gt;link&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:verdana;"&gt;):&lt;br /&gt;&lt;/span&gt;&lt;blockquote&gt;&lt;span style="font-family:verdana;color:#666666;"&gt;"Fischer International Identity, enabler of Managed Identity Services, was announced as the 2008 "Industry Innovator" in Identity &amp;amp; Access Management by SC Magazine. Fischer was recognized for their Identity as a Service (IaaS) platform that enables organizations to securely outsource user provisioning, compliance enforcement, audit reporting, privileged account management, and password management through the cloud in a SaaS model."&lt;/span&gt;&lt;/blockquote&gt;&lt;span style="font-family:verdana;"&gt;When reading the marketing material and the &lt;/span&gt;&lt;a href="http://www.scmagazineus.com/Identity-management-Fischer-International/article/121761/"&gt;&lt;span style="font-family:verdana;"&gt;link&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:verdana;"&gt; to the original SC Magazine article it is more the SOA version than the SaaS version, although Fischer’s product positioning uses SaaS to explain what it is. It is understandable to use SaaS to explain it to customers but it does add to the confusion.&lt;br /&gt;&lt;br /&gt;Conclusion?&lt;br /&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:verdana;"&gt;The original IDaaS was meant to be a services layer for identity information and hasn’t really gone anywhere in the last year. 
&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family:verdana;"&gt;The “aaS” extension to IDaaS caused confusion in an attempt to clarify. &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family:verdana;"&gt;No one has figured out how to make money at Identity as a Service. Fischer is trying.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family:verdana;"&gt;Fischer puts the trademark logo on IaaS which is going to cause heartburn for identropy which has chosen to use IaaS for Integration-as-a-Service.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family:verdana;"&gt;I will strongly resist anyone on my team or any marketing department I work with to attach “aaS” to what we do. ...Hey look it is Video-as-a-Service (aka Television). ...for lunch we're going to implement Food-as-a-Service (aka Carryout) &lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7407265242144833233-1484069063079689444?l=jeffreyhuth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreyhuth.blogspot.com/feeds/1484069063079689444/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/04/identity-as-service-revisited.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/1484069063079689444'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/1484069063079689444'/><link rel='alternate' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/04/identity-as-service-revisited.html' title='Identity as a Service Revisited'/><author><name>Jeffrey Huth</name><uri>http://www.blogger.com/profile/16486564054803358680</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7407265242144833233.post-1887895308668602859</id><published>2009-04-23T06:53:00.000-07:00</published><updated>2009-05-07T08:11:55.675-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='product management'/><category scheme='http://www.blogger.com/atom/ns#' term='pragmatic marketing'/><category scheme='http://www.blogger.com/atom/ns#' term='Scrum'/><category scheme='http://www.blogger.com/atom/ns#' term='agile product management'/><title type='text'>Product Managers are not “Pigs”</title><content type='html'>&lt;a href="http://www.pragmaticmarketing.com/pdf/Living_in_an_Agile_World.pdf"&gt;&lt;span style="font-family:verdana;"&gt;&lt;img id="BLOGGER_PHOTO_ID_5327907859868911650" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 200px; CURSOR: hand; HEIGHT: 154px" alt="" src="http://2.bp.blogspot.com/_wgRdrOI080s/SfCH-Fd_iCI/AAAAAAAAAAU/zlwZ32kiG_U/s200/6a00e553cf3e23883301156f21b9e3970c.jpg" border="0" /&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:verdana;"&gt;There is so much material about agile product management it is impossible to get to it all. What I am referring to is the discipline of product management, not software development, although I’m not really sure how you can separate the two. In one day, a phrase search of “agile product management” on Google went from 13,800 to 14,100 hits. I wonder if Google can index as fast as material is produced. The viewpoints and opinions vary from real practitioners to theorists. Pragmatic Marketing (an organization whose ideas I embrace greatly by the way) is totally on the agile product management bandwagon. They have an eBook on the subject. Click on the picture to download. 
There is even a post that I can’t seem to find anymore that picked apart the agile manifesto and how it is perfect for product management.&lt;br /&gt;&lt;br /&gt;I’ll caveat all my comments by saying I do like the concepts discussed around agile product management and the pros do outweigh the cons. In practice it does bring a number of benefits to my product management team. Additionally, there seems to be no distinction between “Agile” and “Scrum” although going back a few years there have been multiple agile methodologies. Remember eXtreme Programming (XP) or, further back, Rapid Application Development (RAD)? Since Scrum is the new black and much of the material is about how great agile product management can be, I’ll share a few stumbling blocks.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Product Managers are not “Pigs”:&lt;/strong&gt; The whole pig and chicken thing in Scrum is a little odd but the Pigs are the ones committed to the project in the Scrum process - they are the ones with "their bacon on the line." Product Managers should definitely be committed but should not fill the Product Owner role 100%. When they do they are spending too much time with development, inward facing, and not enough outward facing and building the channel. Daily standups are onerous. This is the area where I, and apparently quite a bit of the community, believe Scrum is weak. There is no clear role in the Scrum methodology for Product Managers. When you implement Scrum there is a large gravitational force that pulls you closer to development. That is a positive thing and a primary purpose of the methodology but also dangerous. Product managers should have their bacon on the line but it should come in the form of product P&amp;amp;L and revenue and not Sprint success. 
This area is the #1 issue for a product management team in a Scrum-based environment.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;How many Pig pens do you have?:&lt;/strong&gt; Product Managers rarely enjoy the benefit of managing one product. So now imagine a PM as a Product Owner doing what a Product Owner does for three products. Three daily standups...are you kidding? The challenge is greater if the development teams are all doing things slightly differently. My first experience with Scrum over three years ago was with one particular development manager who was giving it a try. The challenge was that particular product was one of the lowest revenue generators of the entire portfolio. Yet the process was requiring by percentage much more time than the highest revenue producer. This creates a problem for a Product Manager with multiple products and again why Product Managers should be committed but not Pigs.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;strong&gt;Development managers need to be mighty:&lt;/strong&gt; This holds true for any methodology really, but is even more so when implementing Scrum. Without a strong development manager (or Scrum Master) the Product Manager gets pulled too closely into a facilitation role and too close to the Sprint backlog. A strong development manager will take on part of the Product Owner role specifically to derive market requirements (Product backlog) into Sprint backlog line items. A Product Manager should not attempt, nor be asked to attempt, requirements at this level.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Don't try this at home. We're trained professionals:&lt;/strong&gt; It will be impossible to adequately reap the benefits of agility if you are implementing it solely on text books without experience or consultation. 
In the end you will either follow the letter of the law so closely it doesn’t work or you will fail to implement properly the key components that actually give you the agility…like properly managing Sprints and their outcomes.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Spurts and Sprints:&lt;/strong&gt; Scrum is based on the concept of Sprints. The idea is that you do as much work as possible in the backlog during a set period of time. Be wary when the sprint durations change to fit the work to be done (unless there is a good reason, see next point). Due to culture or the collective experience of the “Pigs” there will be a tendency to vary the duration of the Sprint every time to fit what needs to be accomplished. That is just waterfall: the Sprint is a fancy name for a development phase and the Sprint Backlog is just a requirements document. Furthermore, be wary when Sprints are created for testing and bug fixing.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="color:#000099;"&gt;&lt;blockquote&gt;&lt;span style="color:#333333;"&gt;&lt;span style="font-family:verdana;"&gt;&lt;span style="color:#666666;"&gt;“We didn’t actually complete the last sprint, we just&lt;br /&gt;stopped it since time was up, so we are going to do a short sprint for testing&lt;br /&gt;and bug fixes.”&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:verdana;"&gt;&lt;span style="color:#000099;"&gt;&lt;span style="color:#000000;"&gt;Easy to see the problems that ensue.&lt;/span&gt; &lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="color:#000000;"&gt;Take all the time you need. 
We've abandoned time-to-market&lt;/span&gt;:&lt;/strong&gt; A final point to make is to be wary that the Scrum and Sprint concept isn’t abused as a reason to not make commitments. Two ways this comes about:&lt;br /&gt;&lt;br /&gt;1) There are specific features you need implemented for a strategic customer (polite way of saying something was sold we didn’t really have). Your Sprint durations are 4 weeks, you need it in 6 weeks, and the actual time it would take is 5 weeks. If you followed the Scrum/Sprint methodology to the letter you’d get part done in the first four weeks then have to wait for the end of the second four week Sprint to get the rest (you are now two weeks late), and then of course have to wait another Sprint for the testing and bug fixing and suddenly you are not agile despite having an agile methodology and you have a big problem.&lt;br /&gt;&lt;br /&gt;2) The second way this comes about is if you plan to launch a certain set of features by a given date. Product launches are strategic after all. Let’s say for example you are launching a consumer software product in time for the holiday season. Your launch date is set, your features are largely set, but organizationally you are implementing Scrum to the letter.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="color:#000099;"&gt;&lt;blockquote&gt;&lt;span style="color:#000099;"&gt;&lt;span style="font-family:verdana;"&gt;&lt;span style="color:#666666;"&gt;“we are doing Scrum so we make no commitments and we have no&lt;br /&gt;idea if all this stuff can be done when we want it to, we only look one Sprint&lt;br /&gt;at a time and set goals, not commitments, and we reevaluate after each Sprint.&lt;br /&gt;If we didn’t achieve our Sprint goals we will roll them forward into the next one. 
Of course it is your choice as product manager if you want to do that or not...”&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:verdana;"&gt;You can see the snowball effect this creates and the problem you have.&lt;br /&gt;&lt;br /&gt;So there are a few items to watch out for if you are going Agile and trying Agile Product Management. I wonder how many more items Google indexed in the time it took to write this post.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7407265242144833233-1887895308668602859?l=jeffreyhuth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreyhuth.blogspot.com/feeds/1887895308668602859/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/04/product-managers-are-not-pigs.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/1887895308668602859'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/1887895308668602859'/><link rel='alternate' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/04/product-managers-are-not-pigs.html' title='Product Managers are not “Pigs”'/><author><name>Jeffrey Huth</name><uri>http://www.blogger.com/profile/16486564054803358680</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_wgRdrOI080s/SfCH-Fd_iCI/AAAAAAAAAAU/zlwZ32kiG_U/s72-c/6a00e553cf3e23883301156f21b9e3970c.jpg' height='72' 
width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7407265242144833233.post-1641815780957601221</id><published>2009-04-22T06:05:00.000-07:00</published><updated>2009-05-08T06:24:52.057-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='biometrics'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='authentication'/><category scheme='http://www.blogger.com/atom/ns#' term='multi-factor authentication'/><title type='text'>Measuring the Strength of Multi-Factor Authentication</title><content type='html'>&lt;p&gt;&lt;span style="font-family:verdana;"&gt;I read an interesting &lt;/span&gt;&lt;a href="http://superconductor.voltage.com/2009/03/multifactor-authentication.html"&gt;&lt;span style="font-family:verdana;"&gt;post and subsequent discussion&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:verdana;"&gt; on multi-factor authentication and its strength. The author, Luther Martin, applies a model to determine the strength of authentication systems that is based on “the chances of any particular random attempt at authentication succeeding”. Multi-factor here means a PIN/password (something you know) combined with something you are (a biometric) or something you have (a physical token). Generally the industry has accepted that two things you know do not make strong authentication. He then applies this model to pose the following question:&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;span style="font-family:verdana;color:#666666;"&gt;“Let’s compare two authentication schemes:&lt;br /&gt;&lt;br /&gt;Scheme A, which requires a username/password plus a biometric&lt;br /&gt;Scheme B, which requires two different username/password combinations&lt;br /&gt;&lt;br /&gt;Which one is more secure and why? 
Is there any reason to say that one is inherently more secure than the other?”&lt;br /&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;span style="font-family:verdana;"&gt;The basis of Martin’s claim is that the chances of someone successfully attacking Scheme A are statistically nearly the same as for Scheme B; therefore Schemes A and B present the same relative authentication strength.&lt;br /&gt;&lt;br /&gt;A very thought-provoking position, and I 100% agree with Martin that a uniform model is required to measure authentication strength. But there are a couple of points to throw into the mix…&lt;br /&gt;&lt;br /&gt;The basis of his claim is that a biometric has at best an FMR (false match rate) of 1 in 10^6, or a one-in-a-million chance that you will be authenticated when you should not have been.&lt;br /&gt;&lt;br /&gt;Firstly, biometric systems are tuned to achieve certain performance metrics depending on the balance between security and convenience. It is possible to achieve a better FMR if you are willing to give up convenience (increase the FNMR). The FNMR (false non-match rate) measures the times you didn’t authenticate when you should have. If you tighten up the system you can drop the FMR drastically at the expense of a user possibly having to present their fingerprint more than once when they should have succeeded the first time. The result is a much, much smaller chance that someone is incorrectly authenticated. The author’s model holds and Scheme A wins out.&lt;br /&gt;&lt;br /&gt;Second, related to the biometric, this FMR is for a single fingerprint. A fingerprint is one kind of biometric, and it is one of ten (generally) you have of that type. With two fingers it gets better; with other biometrics (e.g., iris) it can be much better. Scheme A would be way better if the second factor is iris. 
Of course, there is a cost tradeoff here, but the model does not take cost and convenience into account.&lt;br /&gt;&lt;br /&gt;The third point to make is: where does the authentication occur? In Scheme B the authentication is server side, making it much easier to attack. In Scheme A with a biometric, or frankly with any OTP device, it needs to involve the local workstation, making it much harder to attack. An authentication strength model should take into account how easy it is to conduct an attack.&lt;br /&gt;&lt;br /&gt;The fourth point to make is the one of practicality. The subsequent discussion touches on this but doesn’t go much further. What is the real likelihood a user will remember two username/password combinations? More likely they will remember them by writing them down on a yellow sticky note attached to the monitor. This is harder to put in a model, but it does suggest that the chances of getting at a password or two are much better than we think they should be.&lt;br /&gt;&lt;br /&gt;In the end, a good thought-provoking post, but the real takeaway is the point that a model should exist that measures the strength of authentication mechanisms, and that model should include as many variables as possible.&lt;/span&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreyhuth.blogspot.com/feeds/1641815780957601221/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/04/i-read-interesting-post-and-subsequent.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/1641815780957601221'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/7407265242144833233/posts/default/1641815780957601221'/><link rel='alternate' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/04/i-read-interesting-post-and-subsequent.html' title='Measuring the Strength of Multi-Factor Authentication'/><author><name>Jeffrey Huth</name><uri>http://www.blogger.com/profile/16486564054803358680</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7407265242144833233.post-4918356357343595266</id><published>2009-04-20T12:20:00.000-07:00</published><updated>2009-05-08T06:25:03.937-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='product management'/><title type='text'>The 80/20 Theory of Salespersons</title><content type='html'>&lt;span style="font-family:verdana;"&gt;At some point just about everyone learns the Pareto principle. Perhaps not everyone learns it by its formal name, but rather by the more common name “80-20 Rule”. Simply stated, 80% of the effects come from 20% of the causes. When applied to business: 80% of revenue comes from 20% of customers.&lt;br /&gt;&lt;br /&gt;How does this apply to product management and sales people? We know our sales force needs tools to sell – collateral, demos, white papers, case studies, ROI calculators, etc. This is completely understandable. Some ask for more, some ask for less. Some come to a nearly full stop without them, and some don’t ask at all. I would even submit that within Identity Management, because the topic can sometimes be abstract and new, this is a greater challenge than in traditionally more mature areas.&lt;br /&gt;&lt;br /&gt;So here it is. The 80-20 Theory of Salespersons and what we learn from it. 
&lt;strong&gt;&lt;em&gt;80% of your “requests” for more sales tools come from 20% of your product’s sales force&lt;/em&gt;&lt;/strong&gt;. And the important part of this theory - &lt;em&gt;&lt;strong&gt;the 20% who ask the most from you are the least successful of your sales force&lt;/strong&gt;&lt;/em&gt;, as they are hoping, grasping, that one more demo or white paper will help them make a deal.&lt;br /&gt;&lt;br /&gt;Now it all starts to come together. You are investing most of your time in the area where you’ll get the least return. Very quickly, then, you reach the conclusion that you should be spending time and offering help to the least vocal of your sales team (at least those who are actually working). They are the professionals; they are the ones who can sell ice to Eskimos; they are the ones who, when properly supported, will blow away sales quotas time and time again.&lt;br /&gt;&lt;br /&gt;Follow this Theory. In the end you’ll be doing less but generating more revenue for your product. You’ll be enabling the most successful members of that thing every successful product needs: a channel to market. 
&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreyhuth.blogspot.com/feeds/4918356357343595266/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/04/8020-theory-of-salespersons.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/4918356357343595266'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7407265242144833233/posts/default/4918356357343595266'/><link rel='alternate' type='text/html' href='http://jeffreyhuth.blogspot.com/2009/04/8020-theory-of-salespersons.html' title='The 80/20 Theory of Salespersons'/><author><name>Jeffrey Huth</name><uri>http://www.blogger.com/profile/16486564054803358680</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
