Thursday, July 30, 2015

Invisible Identity

Photo source: Michael Shaheen - My Name Was Michael & The Rest Is History
In my previous post, I promised to explain the following:
Organisations should care about identity so they can stop caring about it. Identity needs to disappear, but only from sight; it needs to be invisible.
If you've been to any of Disney's theme parks recently, you may have noticed they now have something called the MagicBand. It cost them a lot of money. Disney calls it "magic". The technology powering the MagicBand infrastructure was complicated to build, but they've done it and have the increased revenue to show for it. They've also managed to turn what is effectively a security device into a new revenue stream by making people pay for them, including charging a premium for versions that have Disney characters on them.

While it does many things, arguably the key benefit of the MagicBand is in delighting Disney's customers by providing seamless, frictionless, surprising experiences without being creepy. For example, when you walk up to a restaurant, you can be greeted by name. You will then be told to take a seat anywhere. Shortly after, your pre-ordered meal will be brought to you wherever you chose to sit, just like magic. If you understand technology, you can roughly figure out how this might work. But the key in all this is the trust that the consumer places in the company. Without that trust, Disney steps over the "creepy" line.

How does Disney ensure trust? Through security of course. Sure, the brand plays a part, but we've all lost trust in a supposedly trusted brand before because they screwed up their security.

The key pieces of that security? Identity proofing, authentication, access control and privacy, none of which is possible without a functional, secure identity layer.

Conveniently (for me), Ian Glazer recently delivered two presentations that go into a little more depth around the points I'd otherwise have to laboriously make:

  1. Stop treating your customers like your employees
  2. Identity is having its TCP/IP Moment
If you have some time, do yourself a favour and follow those links - you might just learn something :)

What Disney has managed to achieve within their closed walls is exactly what every organisation trying to do something with omni-channel and wearables would like to achieve. Disney is a poster child for what is possible through an identity-enabled platform, particularly in bringing value to the business through increased revenue and customer satisfaction. Identity truly is the enabler for Disney's MagicBand.

The reason it works is that no one notices the identity layer. Not every organisation will be able to achieve everything Disney has managed, but even going part of the way is worth the effort. Only by ensuring the identity layer is there can you really make it invisible.

Until people stop noticing the identity layer, you need to keep working on it. Only then will the business see the full potential and value that identity brings to increasing revenue.

Thursday, May 28, 2015

Identity needs to disappear

Photo source: Paul Chapman - The disappearing machine
In recent years, security vendors, including ones that don't sell Identity & Access Management (IAM) products, have been pontificating about how identity needs to be the focus for all things security. They (my current and previous employers included) continue to be on-message, each beating everyone to death with their own version: identity-centric security, identity-powered security, identity-defined security, identity-is-the-perimeter, identity-is-the-foundation, identity-is-the-intelligence, and on and on.

Yeah, we get it. Identity is VERY important. Enough already.

The problem with rolling out the same message for years is that people stop listening. It's like the age-old line in press releases: "the market leader in"; sure, you and every other vendor out there. The market leader. Yeah, right.

Ok, so I'm being a little cynical. But the fact that as an industry, we've had to go all broken-record on this means:
  1. We've not been very effective in explaining what we mean. AND/OR
  2. No one gives a crap.
The truth is probably a combination of the two.

From the 10,000-foot marketing message, we have a habit of diving too deep too quickly, skipping the middle ground and heading straight into explaining, debating and architecting how everything needs to hang together. For example: "You need to federate between the identity provider and service providers using standards like SAML, OAuth or OpenID while maintaining a translatable credential that can be trusted between partner domains. Which OAuth do you mean? 1.0? 2.0? Can't we just go with OpenID Connect? Doesn't that cover the use cases? We're effectively supporting OAuth, right?"

Errr, yeah. Sure. Hey, architect person, I'm not entirely sure what all that means, but we do that, right? And why do we do that again?

We often explain the "why should we care" answer by saying "you need security because you do, and identity is the key". And therein lies the problem. The "why should we care" question is difficult to answer in a meaningful, tangible way.

In addition, the reasons tied purely to security and risk no longer resonate. It's arguable that they ever did at all, but we could always pull out the audit, risk and compliance stick to metaphorically beat people with (oops, did I say that out loud?).

Today, we often pull out the data-loss card. But we can do better:
Organisations should care about identity so they can stop caring about it. Identity needs to disappear, but only from sight; it needs to be invisible.
I'll explain in the next post.

Update: The next post is up.