Wednesday, February 28, 2007

For those interested in online identity branding

From time to time, I've talked about this concept of our "Online Identity Brand". I've decided from this point on to write anything I have to say about this topic on a new blog:
How To Brand Your Name (http://howto.brandyour.name/)

Yes, I got the domain name too :-)

Head on over there and have a look if this topic interests you...subscribe to the feed if that's how you get your blogs and news.

Monday, February 26, 2007

A sign you are an identity geek

It's almost 5am in the morning and what do you do? Sign up to get your own OpenID.

Sure, I could have done this at any other time but I couldn't sleep and am just going through my RSS feeds in Google Reader. I got bored and decided to take a break from reading hence the OpenID sign up.

In case anyone's wondering, I used myopenid.com as my provider. That means my OpenID is:
https://ianyip.myopenid.com

I don't plan to keep it that way however. I fully intend to use OpenID's delegation capabilities and use ianyip.com or some variation related to my domain. I don't think I can be bothered to do that at 5am in the morning however...mainly because ianyip.com isn't really hosted anywhere at the moment (I own the domain but didn't bother with hosting services). What this means is there's no actual HTML page that I can modify to leverage the delegation capabilities. I could use blog.ianyip.com and modify the header on my blog, but blog.ianyip.com doesn't make sense as an OpenID identifier in my humble opinion. Perhaps I'll map openid.ianyip.com to blog.ianyip.com in the DNS settings. I'll figure this out tomorrow...or maybe later in the week.

Phil Windley has a post on how to do this if anyone's interested.

Awards blow

I don't usually comment on these things because I don't really think much of awards. I felt the need to post this simply to prove my point.

SC Magazine recently announced the winners of their annual SC Magazine awards. First thing I noticed was the following:
Best Identity Management Solution

Winner:
Encentuate for Encentuate TCI

Finalists:
BMC Software for BMC Identity Management
Courion Corporation for Courion’s Enterprise Provisioning Suite
Novell for Novell Identity Manager and Access Manager
Oracle Corporation for Oracle Identity Management

I noticed the glaring omissions of CA, IBM and Sun...right after my "What the F*$&" reaction at the decision they made with regards to the winner. I mean really...Encentuate?! How does having some single sign on and access control stuff qualify them as winners over the other finalists?

Even though I thought they made a rather "interesting" decision with their Identity Management award, I thought I should at least give them credit for having the good sense to appear impartial by omitting CA from that Identity Management list (CA is a platinum sponsor as you can see on this page)...and then I saw this:
Best Enterprise Security Solution

Winner:
CA for CA Identity and Access Management Suite, including CA SiteMinder

Finalists:
Guidance Software for EnCase Enterprise
PGP Corporation for PGP Encryption Platform
Vontu for Vontu 6.0

At this point, any shred of credibility they had left in my eyes was lost completely. Again, I had to say "What the F*$&" with their list of finalists. Did they pick the list with the intent that they would have no choice but to give it to CA because the others obviously did not measure up?

I'd really like to see what set of criteria they used to come up with the list of finalists and to pick the eventual winner. Did they toss a coin? Use a roulette wheel? Roll a dice?

Saturday, February 24, 2007

IBM responds to Oracle with Mickey Mouse monitoring tool

Before I start, I should point out that just because I no longer work for IBM does not mean I dislike IBM. I still have a great respect for "Big Blue" and will continue to do so until they do something that radically changes my mind. I say that up front because I'm about to be somewhat critical of them. I've always had my criticisms of the company, but now I can raise them in a public forum (instead of privately discussing them with my colleagues) without fear of having management "give me a stern talking to"...now I just have to put up with comments from my former colleagues. But a little healthy discussion never hurt anyone.

I am referring to the new monitoring offering from IBM Tivoli, specifically around the Identity and Access Manager products. The monitoring offerings can be found here and here. I'll probably get a little grief about this from those of you I know from IBM. Hey, I'm entitled to my opinion aren't I? Especially as I talked about Oracle's offering earlier this month.

Before I move on, I'll take a little detour and talk about IBM from a marketing standpoint. I used the term "respond" in the title to this post, but I'm not sure that's the case. I was simply referring to what the average person would perceive it as. As far as marketing and image is concerned, perception is the truth. Oracle made their announcement early in February. According to IBM's pages, the monitoring offerings were released mid to late January, which is before Oracle's announcement.

So it looks like it was being developed at the same time as Oracle, unless IBM have managed to trick those of us delving deeper into believing this is the case by listing the release dates in January. I don't know because even internally within IBM, there was no announcement to the greater community until my last week at IBM (week ending February 16)...and I worked for the field sales team whose job it is to sell the software and use announcements like this as "value add selling points". And herein lies the problem with IBM marketing when it comes to Identity and Access Management. If they do such a poor job of communicating this information internally (in a timely manner), how are they to do this effectively to the external audience? This lends itself to a belief I've had for as long as I've worked in this area.

The biggest barrier to sales and building a long term pipeline (even one that the sales people cannot see) and dare I say shortening the sales cycle (apologies for using all these sales "buzzwords") is that IBM is behind the eight ball when it comes to mind share in the Identity and Access Management arena. When it comes to enterprise identity, the press is filled with references to Oracle. When it comes to user centric identity, it's all Microsoft (and occasionally smaller niche players like Sxip and JanRain). Lately, even Symantec's getting into the act.

It never used to surprise me when people would look at me with bewilderment when I told them IBM was one of the leading vendors in this space. It still doesn't surprise me. IBM's PR and marketing machine does an extremely piss weak (i.e. very poor) job of talking up its Identity market leadership. It spends too much time harping on about Linux, Open Source, SOA and the services offerings from Global Business Services and Global Technology Services (at least I think that's what they're called now - they keep changing the names and re-organising the business units, and I have first hand experience that confirms how confusing it is even for employees). Even with these headline messages, they send out mixed signals!

Now that I've got that out of the way, back to the topic at hand. I'll be the first to admit that I don't know the deep technical details of what Oracle's offering actually does. I only know what I've read at a high level. At face value, it looks like Oracle's offering does more than IBM's. I won't outline the details because you can go read about it yourselves (unfortunately, the only link I can provide is this one to the announcement - Oracle's site is so crap that I couldn't find any specific information about their monitoring offering for identity management). I linked to IBM's offering earlier in this post but here are the links again if you don't want to scroll (here and here).

The monitoring offering from IBM tracks the following in Tivoli Identity Manager (TIM):
  • Server availability and server process activity
  • memory usage characteristics: heap size before and after garbage collection, max heap size, garbage collection time
  • workflow queue backlog
  • user page response times
  • tablespace usage
  • logged error messages
And the following in Tivoli Access Manager (TAM):
  • Server availability and server process activity
  • WebSEAL statistics
  • Junction statistics
  • response times
  • workload
Here's why I think these features are "Mickey Mouse" in nature. Most customers I know who have implemented TIM and/or TAM and want to monitor the identity infrastructure has had to implement it themselves (because as I have previously said, there was no actual solution provided by IBM for it). How did they do it? Shell scripts that take a day or so to write. Pretty trivial stuff because they just wanted to monitor infrastructure statistics like performance, server load, response times, table space usage etc. But hang on, that looks like what IBM's just provided as the monitoring offering! All IBM have done is hooked it into the IBM Tivoli Monitoring product set via the Tivoli Universal Agent! If I were a customer, I'd still write my own and let my shell script feed the data into the relevant standard monitoring infrastructure within the organisation's environment.

Of course, IBM usually doesn't do things without a few good reasons. In this case, it is possibly for the following reasons:
  • They knew what Oracle was doing and didn't want to be seen as falling behind.
  • IBM customers have been calling out for a monitoring solution to deal with the IBM Identity Suite for over 2 years and they decided to finally address it (in a half hearted sort of way). In other words, the sales team can finally say "yes" without looking guilty when customers ask if there's a monitoring solution for the Tivoli Identity and Access Management suite.
  • It's a good way to up-sell customers who have the Tivoli Identity suite and get them to consider the Tivoli Monitoring suite.
Of course, that's not to say it doesn't have any real benefits. Problem is, I can only see 2:
  • Customers no longer have to write their own shell scripts to do this.
  • IBM services teams and IBM business partners no longer have to write scripts when they deploy the Tivoli Security products to deal with monitoring. Of course, any good services team will have already written the scripts and should just re-use as much of it as possible, so one could argue whether this is a benefit here. It's probably more beneficial for teams who are new at deploying the products.
As for the biggest barriers to adoption:
  • This is useless to me unless I have IBM Tivoli Monitoring.
  • I cannot modify the solution for my own needs...at least not easily.
  • Where is the monitoring offering for the underlying identity infrastructure? By that I mean the most important software support component used by TIM and TAM - IBM Tivoli Directory Server (TDS)! TDS is the LDAP component so one could argue that you could go find some open source alternative or find some LDAP monitoring solution out there. This defeats the whole purpose doesn't it? IBM's solution lets you monitor TIM and TAM for "infrastructure things" but doesn't actually let you monitor the core software components supporting the applications. So the answer is to use the new offering for TIM and TAM but go build your own or buy something else to monitor TDS? Sounds rather nonsensical to me. I may be over reacting here because monitoring an LDAP is not difficult. It's common and pretty standard practice. TDS even has a section of the LDAP tree that can be queried for monitoring stats. Problem here is that I've still got to somehow feed that into my monitoring solution. Back to writing scripts I guess! To illustrate this point, let me just point one thing out. TIM and TAM don't work without TDS. Enough said.
  • It only monitors trivial infrastructure metrics. There is nothing that will give me the business context I need, which is often the biggest reason to monitor the security and identity infrastructure.
Here's a few examples of what I mean when I say business context monitoring:
  • Repeated failed authentication attempts.
  • Tracking a user's session to alert of suspicious behaviour.
  • Alerting of requests for access to "sensitive" parts of the environment (systems or additional access to what a user already has).
  • Real time alerts of additional access privileges that do not meet defined security policies (an email to a person hoping they'll see it soon doesn't cut it I'm afraid).
The list is endless...and will be very different for each company, especially when dealing with business processes around auditing and compliance. Don't get me wrong. IBM Tivoli (and possibly even Oracle) has the products in place to address these needs. There just hasn't been a combined solution that solves these issues easily. There's too much services and customisation work involved and not enough "cookie cutter" approaches to make life easier for end users and services teams. And here is where both Oracle and IBM have not addressed a real need.

Friday, February 16, 2007

I am officially no longer an IBM employee

Today was my last day at IBM Australia. There were mixed feelings as one can reasonably expect. Relief, reflective, grateful, optimistic, excited...and unemployed.

Of course, this does not change anything. My interests remain the same and as such, I will continue to write about the same things I've been writing about on this blog.

Anyone from IBM reading this who was expecting content a little less technology focused and a little more along the lines of "how and what we're doing in London" please send me an email and I'll give you the URL of our travel blog :-)

Thursday, February 15, 2007

I'm now using Feedburner

You may have noticed I've added a link to the right hand column for a more convenient way to subscribe to this blog's feed (for those without a browser that's capable of automatically detecting the feed URL).

I've done this in conjunction with switching to using Feedburner to serve up the feed. Why did I do this you ask? Because Blogger doesn't bother giving feed stats so I have absolutely no idea how my feed is being utilised...or even if I have anyone subscribing to my feeds (You guys at Google/Blogger listening?!) I considered migrating my blog to Wordpress because they have feed stats, but that was just too much trouble.

I happen to know there are a few of you out there currently subscribing to my Blogger feed, but only because you told me. Otherwise, I would be none the wiser and still be thinking that no one reads this. Your current feeds should still work because Blogger doesn't cut off its default feeds simply because I've changed all my internal page links and meta data to point at my new feed. But it would be great if you could do me a favour and start using the new feed by clicking here. Thanks!

Saturday, February 10, 2007

Another idea down the drain

The most talked about news item for the past day or so has been the release of Yahoo! Pipes. The guys over at the O'Reilly radar blog do a pretty good job of giving a rundown of what the new service is (here and here). Apparently it's brand spanking new out of a new initiative put in place by Yahoo! called the Brickhouse (it's their "innovation incubator" for want of a better term) which is being driven by Caterina Fake of Flickr fame (according to this article).

Why am I mentioning this? Because I've been meaning to get cracking on prototyping something like this for awhile now (I can't prove it, so you'll have to take my word)! Like the title of this post says, another idea down the drain...no pun intended.

You may have gathered I know IBM's Tivoli Security suite of products very well (Disclaimer: I still work for IBM for at least another week but I'm not trying to sell any product here, hence I've deliberately left out linking to it - you want to read about it, go find the links yourself). One of the products in the suite is something called IBM Tivoli Directory Integrator (ITDI). It's essentially a data integration tool, but with lots of drag and drop functionality, scripting capabilities (for some business logic) and out of the box connectors into many data sources (databases, LDAPs, filesystems, Web Services etc.). In other words, you don't need to be a hard core programmer to use it and build integration solutions. So to explain a simple use case, you could grab some data from one or more sources, do something with that data (combine it, use it as lookup inputs etc.) and output results along the way into other sources...and still grab data at any point to help with the tasks at hand. By sources, I mean anything that a connector can get to ("But hey", you say, "that's kinda what Pipes does". "Yes, I know").

I've been a believer in this product because it makes life easier for those of us that need to integrate data...especially identity data because of the very nature of having to figure out relationships between disparate data sets. In fact, I gave a presentation on what the product could do at a Tivoli conference last year. I used an example where I had ITDI listening for a HTTP request from a user (via a web browser) asking for specific types of events occurring in a location during a specified time period. ITDI would then fetch information from an online event database (via a REST web service), match each returned event with its top Google search result and the location coordinates for each event, "mash" it all together and return the result to the user's browser in the form of KML data which could be opened in Google Earth to view the location and details of each event returned. For those interested (I'd imagine this to be only the ones that use ITDI - the rest of you can ignore this part), the presentation I used can be found here and the actual ITDI solution package can be found here.

The stuff I've just mentioned is basically to illustrate an example use case where ITDI is useful. Yahoo! Pipes uses pretty much the same concept. Get data from various places, mash them all together and get something more useful from it at the end. At the moment, I think Pipes focuses on RSS feeds, but it is not inconceivable that they'll extend it to other sources. Just build more "connectors". I've always felt it was only a matter of time before someone released something like Yahoo! Pipes for use on the web by the masses. I've known for awhile how powerful the concepts behind Yahoo! Pipes and ITDI are first hand. The excitement in the online community over it just reinforces my thinking. I just didn't get off my butt to do anything about it. Procrastination's been my enemy as usual (I already whinged about this in an earlier post).

Well, I shall chalk this one up as another "Gosh darnit, hot diggity dang!" moment.

Now excuse me while I go code something up...anything!

Friday, February 09, 2007

Blog URL change

You may have noticed this blog now points to http://blog.ianyip.com. It's all part of my ongoing efforts to "brand myself" online.

http://ianyip.blogspot.com still works so those with feeds and bookmarks need not worry (or so the Google help pages tell me).

Thursday, February 08, 2007

Oracle a systems management vendor?

Oracle announced today the release of a management pack for their Identity Management suite. It's apparently a systems management and monitoring suite for Identity Management environments. It'll obviously work with (I didn't say work well, but it should at least plug into) the Oracle products, but an interesting tidbit is that it's supposed to work with other Identity Management infrastructure too. They could just mean LDAPs and Active Directory rather than the suites from other vendors. In fact, I'd be very surprised if it does work with other vendors' suites without having to do a lot of integration work...which begs the question why not just buy a monitoring/systems management solution from CA, IBM, BMC, HP or even the latest, hyped Open Source alternative in Hyperic if you're not using Oracle's Identity products? Maybe Oracle realise this but have a longer term strategy in mind. More on this later in this post.

That aside, it probably makes sense for an organisation using Oracle Identity Management (IdM) software to use it if "out of the box" monitoring of their IdM environment is desired. The biggest problem Oracle have? They are not a systems management vendor so they'll have a tough time selling into accounts where one of the previously mentioned system vendors' products is the incumbent. I do however, applaud them for this move. It's something customers have been crying out for awhile. No vendor I know of (IBM included) has done a particularly good job of working out how to monitor their Identity Management infrastructure both from a business perspective and a software infrastructure perspective. It's pretty much just been a services engagement that is not exactly easily repeatable because of the very nature of services. I get asked by customers all the time: "so how do you monitor this stuff". It was because of this fact that we made a high level attempt in the IBM redbook I co-authored to address the issue but it was prescriptive rather than a detailed "get your hands dirty" approach. You really need a systems management/monitoring expert to work with an Identity Management expert (in whatever products you happen to be working with) to work out the kinks and the details. With a software solution built exactly for this specific purpose, one could argue you cut that time in half.

The gauntlet has been thrown down by Oracle to the other vendors to address this issue. Identity Management infrastructure is fast becoming core to an organisation's infrastructure and figuring out a nice, easy way to perform systems management activities on this infrastructure is paramount to building out the whole story. It's not like we are all running around acting surprised that customers actually want an easy way to monitor the critical part of the environment they have just been sold and implemented. It's just a matter of prioritising this within the product roadmap and understanding that it's a very important aspect and will help sell the core solution and also serve as a way to cross sell the systems management solutions (and vice versa). Systems management vendors should view this as a way to leverage their strengths and provide a compelling story for customers to make a sizable investment in a vendor's brand of solutions.

Perhaps this is a preview of Oracle's strategy moving forward? Are they going to be buying a systems management company soon? Wouldn't surprise me the least bit. And when they do, watch out CA, IBM, BMC and HP. Could you imagine Oracle coming out saying they can monitor data, identity management, application servers and ERP systems out of the box? CA, BMC and HP had better get their act together or Oracle's going to come out and eat their lunches (even more so that Oracle already is). They'd potentially also have a leg up on IBM simply by rounding out the picture. Of course, IBM has all these pieces except the ERP software...and they've stated they do not want to get into the "applications" game. IBM however, is still well ahead of Oracle in the systems management game. For how long, I don't know. Maybe not much longer.

Oracle should just fork out the cash and buy BMC. Or if they're looking at the bigger picture and want to go head to head with IBM, then they should buy HP.

Note: I know how big HP are, so I'm not even sure if Oracle would have the cash to buy HP. Maybe a merger would be more realistic. Maybe someone should ask Larry Ellison at the next keynote speech he gives.

Update: Vince Padua correctly reminds me with his comment in response to this post that Oracle already took a step towards becoming a systems management vendor. They have their "Oracle Enterprise Manager" offering. Read his comment for a good summation of what it does and go the Oracle's site for more product info if you're interested.

Wednesday, February 07, 2007

Generation Y will regret not protecting their online identity brand

If you read my previous posts (here and here) relating to one's online identity brand, you may find this article from NY Magazine interesting. Word of warning though...it's a VERY long read so do it only if you have a spare half hour.

The article talks about the common practice of under 25s (pretty much "Generation Y") letting it all hang out and being completely public about every aspect of their lives. From MySpace and Facebook profiles, public Flickr photos of activities and parties to their own blogs written in diary style disclosing everything from break ups to private feelings and insecurities.

Maybe it's the security consultant in me... or maybe it's the Generation X-er in me (technically, I'm on the cusp of Generation Y - depending on who's definition you subscribe to, I'm either Gen-X or Gen-Y - notice that even Wikipedia's articles have discrepancies in the date ranges) but I really think the individuals interviewed for the article are taking a rather Utopian and idealistic view of the world. Part of it could be attributed to their relative ages and with that comes a level of naivety about the way society works (I'm feeling rather old right about now) and the dangers out there on the Internet. The article does touch on the negatives with such a public display of everything that is you, but it largely focuses on the fact that these Gen Y-ers think that everything is going to be fine and that there are no consequences. Apparently reputation is supposed to take care of everything (ie. people will behave if they want to keep their good name in tact - I think they may have forgotten about the fact it's really easy to fake your identity online and not have anyone notice when trying to do something "evil") and it will all be fine if people know the real you and you're not being fake.

I'll go slightly off my point here in mentioning that they even talk about the potential loss of privacy and potential stalkers and perverts, but they blissfully pass this off as being part of the territory. I suppose it'll take a serious, high profile incident to get these people to take this aspect more seriously and start to worry about potential safety risks! The article goes so far as saying we live in a world of "perceived" privacy and Gen Y-ers are the first to realise this hence they readily embrace the web without fear and can put themselves out there without really losing any privacy at all. It uses the fact that we are on cameras everywhere we go as an example to illustrate the "perceived" part of this supposed privacy we all think we have. What they failed to mention is that things such as surveillance cameras cannot be linked to your identity very easily. First, they need someone to recognise you. Things we do in our daily lives are generally difficult to track back to your identity (Credit cards and financial transactions being the obvious exceptions). Online, this is not the case. Everything out there on the web has identity specific information about individuals. Something as innocuous as a comment you place on someone's blog may contain your identity information and can be readily traced back to you from the comfort of someone else's computer. Sure, I agree these safety issues can be mitigated by being careful not to release too much information. Generally, if information gets out and you released it, it's your fault. Therein lies the danger. These blissfully unassuming Gen Y-ers need to be educated about privacy and how valuable it actually is. Unfortunately, they're all out there trying to be the next Paris Hilton to care.

Now, back to reputation. At least they have the sense to think about this aspect. They realise that everything they put out there will go towards their personal reputation (in real life, not just online) and simply write off anything embarrassing as "oh, they'll forget about it" or "people won't care what I did at a party 5 or 10 years ago". They don't seem to realise that everything you have ever done counts for or against you...even more so if someone can find it online.

Maybe this is ok when it comes to friends or social acquaintances because we forgive our friends for things they've done, but it sure a hell matters when it comes to your professional life! And here lies another problem. Anything you may have done that you are not proud of will follow you around as a black mark to be used against you in the cutthroat world that is business. It also goes towards character. Lawyers use character witnesses all the time to help establish that a person is capable (or incapable) of performing an action by playing the "that is just out of character" angle. Pretty soon, they won't need character witnesses. Lawyers can just point the judge and jury at a bunch or URLs.

When it comes to business and anything professional, there's money involved. I'm stating the obvious here but I mention this because it is much more difficult to "forgive" someone for something they did 5 or 10 years ago when I have a financial interest in them. Does an executive really want someone with compromising online photos and videos fronting a deal worth millions? Would they have been hired in the first place? What about that promotion? If the decision is between 2 equally qualified people and one of them has posted things about themselves that are not particularly flattering, I sure as hell wouldn't be selecting them! What about situations where it is absolutely imperative that mental toughness is paramount and you have a blog entry pouring your heart out about your deep insecurities and lack of confidence in your ability? You've already given you opponent an advantage before you begin.

This "online identity brand" thing isn't going to go away...especially with the way the next generation is using the web. Everything seems to be out in the open and they're proud of it. The first step however, is the realisation of the implications behind all this. Your professional reputation counts on it. Your "online identity brand" is inherently linked to your reputation. You are what your "online identity brand" says you are...even if you have no control over certain aspects of it.

The problem? They're all too young to know any better.

Note: Boy do I feel old NOW. Next thing you know, I'll be going around calling kids "sonny boy" and start sentences with "back in my day".

Microsoft Identity Manager next on the cards?

Possibly. For now, they're calling it "Identity Lifecycle Manager (ILM) 2007".

At the same keynote I spoke of in my previous post, Microsoft also made mention of this extension to their Enterprise Identity capabilities:
"Available to customers in May, ILM 2007 is a new solution that builds on Microsoft’s metadirectory and user provisioning capabilities by adding support for managing strong credentials such as certificates and smart cards. ILM provides an integrated and comprehensive solution for managing the entire life cycle of a user identity."

There's not a lot of technical detail around, so it's difficult to tell if that means they're finally joining the Enterprise Identity Management party (about 5 years late) or simply announcing certificate and smart card support for their update to MIIS while continuing to pass off MIIS as a real Identity Management product rather than what it REALLY is - a synchronisation tool for pulling data into Active Directory in Microsoft centric environments that occasionally pushes data outwards (they pretend this is real provisioning).

Yes I still work for IBM (at least for another week and a half) so you can say I'm being biased and anti-Microsoft. But you don't see me bagging CA, Sun, Novell, Oracle or BMC do you? That's because they have real products. Not some proprietary directory synchronisation tool they pretend does more than just move user data around. Of course, if Microsoft can prove me wrong, I'll eat my words.

CardSpace and OpenID announcement

The big news today in the Identity world revolves around an announcement made at the RSA Conference in San Francisco by Microsoft that they would collaborate on interoperability between CardSpace and OpenID in cooperation with JanRain, Sxip and Verisign.

This is obviously a good thing as long as Microsoft don't decide to take over the world...at least not in Identity terms. I'm sure they want to take over the world in just about everything else.

Plenty of commentary from people directly involved with this initiative here, here, here, here, here, here and here.

Thursday, February 01, 2007

Symantec's version of Microsoft Passport?

I talked about Symantec's pending announcement of their "Security 2.0" initiative earlier today. Well, they're calling it their "Identity Initiative", but it's essentially Symantec's statement that they've arrived into the world of Identity...and Identity 2.0 at that.

For them to announce it at an event like Demo (traditionally a showcase for Startups) implies they want to be seen as innovators in this space. They've long been in the world of Antivirus and when they realised this was becoming commoditised, they started to diversify and move into managed services and more recently into Security Management software (see earlier post). CEO John Thompson is an ex-IBMer so he clearly understands all about expanding/diversifying a portfolio and moving away from commoditised, low profit margin markets (Note: A slightly IBM-biased view, but my excuse is that I've been force-fed IBM propaganda for the past 6 years).

Symantec understand they have the consumer market with their Antivirus products. So instead of going up against the likes of IBM, CA, Oracle, Sun, Novell, BMC et al in the space we know as Enterprise Identity Management, they've decided to play to their strengths and start their foray into Identity by going where there are far less competitors and where the market is far less mature (Not that one could call Enterprise Identity and Access Management a mature market, but I'm speaking in terms of relativity here). Work in the User Centric Identity space is still very new and their entry allows them to cultivate their image as being innovators.

As I've said before, Microsoft's CardSpace, OpenID and i-names are various popular technologies that attempt to tackle the User Centric Identity issues prevalent within the Internet. They are however, just a bunch of standards, protocols and specifications around how this can be done. Sure, Microsoft has a CardSpace client to enable this to happen and Sxip has a few technologies like Sxipper and Whobar that do similar things in terms of providing some of the infrastructure required. There's just 1 problem...most of the world doesn't know about Identity 2.0. They need to be educated...and this will take awhile - even in light of all the security threats out there in the big bad Internet.

In this respect, Microsoft has a "leg up" on the competition. Eventually, all Windows users will have CardSpace capabilities built into Explorer and there may even be non-web clients that are CardSpace-enabled. If Microsoft's evil plan comes together, we'll all be using CardSpace eventually to do certain things (probably not everything though). It may not be so bad however, because Microsoft learned from their mistakes with their dismal attempts at CardSpace's predecessor, Passport. The biggest problem with Passport was that you had to trust Microsoft with ALL your information. They would store it on their servers and the plan was for them to be your central point of reference for your online identity. CardSpace has no such requirements. Your personal information is stored on your machine as Information Cards. The CardSpace client allows you to select the relevant Information Card required for the purpose of your identity transaction. This way, you don't give up all the keys to your kingdom, and the information exchanges are done securely via encryption mechanisms and set protocols.

Symantec seems to have realised that the key to User Centric Identity is to make it all invisible for the end user/consumer. In fact, it should be seamless, painless, secure and require little impact. What better way to do this than by leveraging existing infrastructure? Enrique Salem, group president with Symantec’s consumer business unit is quoted here as stating the following:
"We have a strong base to build from, with almost half of our active Norton user base already enrolled in a basic Norton Account. We’ll enable our millions of customers to extend the functionality of their Norton Account to manage all their information, all in one place."

Did I read that right? All their information in one place? I hope they don't mean to store everyone's details in one single place and leverage this the same way Microsoft tried to with Passport?

If they DO indeed decide to do that, hopefully they at least have the good sense to practice responsible disclosure of information or even adopt the concepts mentioned as part of the functionality offered by the Higgins project's Identity Mixer (yes it was donated by IBM, but my point here it not to promote it but rather to highlight a feature) which essentially subscribes to the concept of using something akin to "vouch for" tokens. e.g. Instead of saying someone is 35, the token states that they are over 21 because the consuming party often just needs to know that fact rather than their actual age.

I wonder if Symantec are looking long term big picture here and positioning themselves to be the "Identity Oracle" that Bob Blakley talks about here (at the time of posting, Bob's blog seems to be down)? If they are, then it's a very brave move. It may come to be a brilliant move. Only time will tell, but you've got to give them credit for having the guts to think big if this is indeed where they're heading. It may work, as long as they don't make the same mistakes as Microsoft did with Passport. If they keep privacy at the top of their list of considerations with this initiative, they may get somewhere.

Symantec have also stated that the initiative will work with CardSpace and OpenID. That's a good start I suppose. Watch this space.

What am I getting myself into?

The UK and London in particular is becoming a surveillance society according to various observers (here, here, here and here). I already knew this before I decided to move there so I'm not really surprised...at least not until today when I read this.

Essentially it talks about a proposal to install "body scanners" around the city to X-Ray people walking by to catch anyone with a weapon...or at least what looks like a weapon. I don't think I need to say very much for anyone to realise there are many many many things wrong with this proposal. First of all, I don't particularly want to potentially be subjected to X-Rays everywhere I go! Obvious health risks aside, what about our privacy rights? X-Rays are yet another form of an identifier. One could argue it's a rather high tech expensive way of presenting one's "credential". Given that fact, I sure as hell don't want it stored on some giant database somewhere for someone to look at later without my knowledge or my approval! I even have issues giving out my email address. Did you think I wouldn't have a problem with the British Government having my frigging X-Ray photos? Hell yeah!

There's already closed circuit TV around the streets of London so they can pretty much track where I'm going if they want. I was watching the news on TV the other night and it showed how they managed to track a terrorist who tried to detonate another bomb on the tube, but it didn't quite go off like he planned. They showed him exiting the train, leaving the station, walking through some train tracks, climbing a fence and through someone's house and then getting on a bus! Hey, it worked because they caught the guy this way...but that also means they could go figure out EXACTLY what everyone else is doing too!

Look, I can probably accept that they have cameras around London for "public safety", but X-Rays?! Talk about a blatant invasion of privacy! They take our pictures now. They're looking into facial recognition technology (UK police for identifying suspects and also as part of the ID card program). Now they want to take our X-Rays too? What's next? Urine and stool samples so they can see how healthy we are and what we've been eating? What about hair samples? Do they want that so they can do DNA screening to figure out who's going to be bleeding the public health system dry with health problems later in life and ship them off to another country before it's too late?

Perhaps the British Government have been spending too much time reading George Orwell's 1984 or the V for Vendetta comics.

Update: Apparently they can also track your car via number plate recognition and like monitoring people's telephones and email.

Symantec on YouTube?

You heard right. Symantec have signed themselves up to YouTube and started to post demonstrations of security vulnerability exploits in action. Well, at least it's more interesting than reading a long technical article (these usually put me to sleep and make me wonder why I even bother to read them) about it. Although looking at the video, you can't really tell what's going on. Apparently the exploit manifests itself when you see the screen flickering. Remember to squint!



Anyway, I just mentioned the fact above because it was a new way of doing things. I really wanted to make a point about Symantec's impending announcement about their new Identity initiative - something they're referring to as Security 2.0. Wonder what it's going to be.

It's also more evidence that they're trying to position themselves to compete against the likes of IBM, CA, BMC and the like, especially in light of their recent announcement to acquire Altiris for $830 million. They have a huge gaping hole in Identity and Access Management if that's what they're going for. Wonder who's next on their acquisition list.