Wednesday, February 07, 2007
CardSpace and OpenID announcement
This is obviously a good thing as long as Microsoft don't decide to take over the world...at least not in Identity terms. I'm sure they want to take over the world in just about everything else.
Plenty of commentary from people directly involved with this initiative here, here, here, here, here, here and here.
Thursday, February 01, 2007
Symantec's version of Microsoft Passport?
For them to announce it at an event like Demo (traditionally a showcase for Startups) implies they want to be seen as innovators in this space. They've long been in the world of Antivirus and when they realised this was becoming commoditised, they started to diversify and move into managed services and more recently into Security Management software (see earlier post). CEO John Thompson is an ex-IBMer so he clearly understands all about expanding/diversifying a portfolio and moving away from commoditised, low profit margin markets (Note: A slightly IBM-biased view, but my excuse is that I've been force-fed IBM propaganda for the past 6 years).
Symantec understand they have the consumer market with their Antivirus products. So instead of going up against the likes of IBM, CA, Oracle, Sun, Novell, BMC et al in the space we know as Enterprise Identity Management, they've decided to play to their strengths and start their foray into Identity by going where there are far fewer competitors and where the market is far less mature (Not that one could call Enterprise Identity and Access Management a mature market, but I'm speaking in terms of relativity here). Work in the User Centric Identity space is still very new and their entry allows them to cultivate their image as being innovators.
As I've said before, Microsoft's CardSpace, OpenID and i-names are various popular technologies that attempt to tackle the User Centric Identity issues prevalent within the Internet. They are, however, just a bunch of standards, protocols and specifications around how this can be done. Sure, Microsoft has a CardSpace client to enable this to happen and Sxip has a few technologies like Sxipper and Whobar that do similar things in terms of providing some of the infrastructure required. There's just 1 problem...most of the world doesn't know about Identity 2.0. They need to be educated...and this will take a while - even in light of all the security threats out there in the big bad Internet.
In this respect, Microsoft has a "leg up" on the competition. Eventually, all Windows users will have CardSpace capabilities built into Explorer and there may even be non-web clients that are CardSpace-enabled. If Microsoft's evil plan comes together, we'll all be using CardSpace eventually to do certain things (probably not everything though). It may not be so bad however, because Microsoft learned from their mistakes with their dismal attempts at CardSpace's predecessor, Passport. The biggest problem with Passport was that you had to trust Microsoft with ALL your information. They would store it on their servers and the plan was for them to be your central point of reference for your online identity. CardSpace has no such requirements. Your personal information is stored on your machine as Information Cards. The CardSpace client allows you to select the relevant Information Card required for the purpose of your identity transaction. This way, you don't give up all the keys to your kingdom, and the information exchanges are done securely via encryption mechanisms and set protocols.
Symantec seems to have realised that the key to User Centric Identity is to make it all invisible for the end user/consumer. In fact, it should be seamless, painless, secure and require little impact. What better way to do this than by leveraging existing infrastructure? Enrique Salem, group president with Symantec’s consumer business unit, is quoted here as stating the following:
"We have a strong base to build from, with almost half of our active Norton user base already enrolled in a basic Norton Account. We’ll enable our millions of customers to extend the functionality of their Norton Account to manage all their information, all in one place."
Did I read that right? All their information in one place? I hope they don't mean to store everyone's details in one single place and leverage this the same way Microsoft tried to with Passport?
If they DO indeed decide to do that, hopefully they at least have the good sense to practice responsible disclosure of information or even adopt the concepts mentioned as part of the functionality offered by the Higgins project's Identity Mixer (yes it was donated by IBM, but my point here is not to promote it but rather to highlight a feature) which essentially subscribes to the concept of using something akin to "vouch for" tokens, e.g. instead of saying someone is 35, the token states that they are over 21 because the consuming party often just needs to know that fact rather than their actual age.
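To make the "vouch for" idea concrete, here is an added example (not from this post and not Identity Mixer's own code or cryptography): an issuer that knows the birth date signs only the predicate "over 21", and the consuming party checks that signature without ever seeing the age. The function names, the `shop.example` audience and the shared HMAC key are assumptions made for illustration; a real deployment would use the issuer's public-key signature.

```python
import base64, hashlib, hmac, json
from datetime import date

ISSUER_KEY = b"constructed-demo-key"  # constructed value standing in for the issuer's signing key

def _age_on(dob, today):
    # Whole years elapsed, minus one if this year's birthday has not happened yet.
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

def issue_vouch_token(dob, min_age, audience, today, key=ISSUER_KEY):
    """Issuer side: sees the birth date, but emits only the yes/no predicate."""
    claims = {
        "aud": audience,                      # bind the token to one consuming party
        "iat": today.isoformat(),
        "claim": f"age_over_{min_age}",
        "value": _age_on(dob, today) >= min_age,
    }
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + tag).decode()

def disclosed_claims(token):
    """Everything a consuming party can read out of the token."""
    body = token.encode().rsplit(b".", 1)[0]
    return json.loads(base64.urlsafe_b64decode(body))

def verify_vouch_token(token, audience, required_claim, key=ISSUER_KEY):
    """Consuming party: accept only an untampered, correctly addressed 'true' predicate."""
    try:
        body, tag = token.encode().rsplit(b".", 1)
    except ValueError:
        return False
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return False                          # reject before parsing unauthenticated data
    claims = json.loads(base64.urlsafe_b64decode(body))
    return (claims.get("aud") == audience
            and claims.get("claim") == required_claim
            and claims.get("value") is True)

if __name__ == "__main__":
    today = date(2007, 2, 1)                  # constructed sample inputs
    token = issue_vouch_token(date(1971, 6, 15), 21, "shop.example", today)
    print(disclosed_claims(token))
    print(verify_vouch_token(token, "shop.example", "age_over_21"))
```

Because the token carries only the predicate, a 35-year-old and a 50-year-old presenting on the same day to the same party receive byte-identical tokens. The issuer still sees the birth date in this sketch.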
I wonder if Symantec are looking long term big picture here and positioning themselves to be the "Identity Oracle" that Bob Blakley talks about here (at the time of posting, Bob's blog seems to be down)? If they are, then it's a very brave move. It may come to be a brilliant move. Only time will tell, but you've got to give them credit for having the guts to think big if this is indeed where they're heading. It may work, as long as they don't make the same mistakes as Microsoft did with Passport. If they keep privacy at the top of their list of considerations with this initiative, they may get somewhere.
Symantec have also stated that the initiative will work with CardSpace and OpenID. That's a good start I suppose. Watch this space.
Monday, January 29, 2007
Bit of a light month in Identity
So in a month where nothing was interesting enough for me to comment about, here's a few main bits of Identity news I came across:
- The Burton Group followed up a previous post about the Law of Relational Symmetry (which I referenced in an earlier post) with a post relating to the Law of Relational Risk. I for one had a tougher time grasping the concepts here, so I REALLY had to concentrate.
- The Burton Group also mentioned the "ascension" of authorisation management within enterprise environments of late. Seems this concept just won't go away...and rightly so. But as I mentioned in an earlier post (although at the time I used the term "entitlement management" and made mention of a company called Securant, which started a discussion between myself and Securent's CEO Rajiv Gupta which you can read in the comments section of that post - I should note that he didn't respond to my email following my final comment. I'm sure he had better things to do than debate terminology with me), this is not a new concept. It's just getting more attention of late.
- EMC talked about leveraging their RSA acquisition to "identity enable" their suite of products. I'll believe it when I see it!
- Microsoft Windows Vista launched - probably means we'll start to see the advent of more Windows CardSpace enabled solutions.
- IBM announced the release of Identity Mixer, which is software designed to help people hide or anonymise their personal information on the web. This has been donated to the Higgins project.
- The Liberty Alliance announced a Portal called OpenLiberty.org to "provide easy access to tools and information to jump start the development of more secure and privacy-respecting identity-based applications based on Liberty Federation and Liberty Web Services standards".
- Microsoft Architect for Identity and Access and User Centric Identity luminary Kim Cameron gave examples about how one would integrate CardSpace with OpenID.
- Kim Cameron and Dick Hardt (yes that really is his name), CEO of Sxip, had a bit of a friendly stoush over OpenID and what Kim thinks is a susceptibility to phishing unless OpenID adopts some of the more secure concepts behind CardSpace. Dick responds on his blog. The discussion continues in the Identity-sphere.
- Australian Prime Minister John Howard announced changes in his cabinet making Senator Ian Campbell the new Minister for Human Services. He takes over from Joe Hockey who is now Minister for Employment and Workplace Relations. I mention this because it means that there's now a new guy in charge of Australia's Access Card initiative which has the potential to become our National Identity Card depending on what happens moving forward. It will be interesting to see the direction this takes moving forward with new leadership in place...not to mention the continuation of all the Software Security vendors (one of which I work for - more on this in the next post) and System Integrators salivating at the sheer size and potential $$$ involved with winning even part of the bid to implement this or to provide part of the infrastructure for it.