Skip to main content

Recent thoughts and media appearances

  • A Maturity Model for De-Weaponizing Identity Systems - Part 1

    It’s no secret that we, as identity professionals, are the custodians of some of the most crucial information in our enterprises. We hold information about employees and customers in our identity systems in order to deliver them services that range from productivity to entertainment to personal health and wellbeing. And as professionals, none of us want to build systems that can harm other people. Certainly, none of us want to build systems that can be used to harm ourselves. At the core of our professional code of ethics is the spirit of “do no harm.” Now it is true that if our identity systems are of value to us and to our employers, then they are of value to attackers.

    Read more

  • Professionalizing Identity: What happens next?

    Apologies for not getting this out sooner. After having a great time at #CISNOLA I recovered a bit. In that time I got a lot of feedback on my micro-keynote on professionalizing the identity management industry. Lots of of very encouraging feedback. There was a common theme to these conversation - I signed the pledge; so now what happens? From a long term perspective, I simply don’t know. On a shorter timeline, here’s what I do know. Kantara is going to leave the pledge page open for a few more weeks. Around July or August, Kantara will convert the pledge list to a working group. This discussion group will explore what a professional organization for our industry should look like. I have recommended that that working group spend the rest of the year identifying what the organization ought to look like, what it should do, what it should not do, etc. My hope is that around the beginning of 2017 the organization gets going in earnest. Well that seems like a long time to wait you might say. True. But we’ve gone 30 years without a professional organization - 180 more days isn’t going to kill anyone. Having gone through the creation of one organization already, I am in no rush and I think the Kantara leadership is of a similar mindset. In the meantime, what can you do? Send your colleagues to the Kantara pledge page. Talk with your peers about what you want to see in a professional organization for our industry. Find similar organizations that are doing interesting things and brings those things to the working group when it starts.

  • The Moments Ahead for Identity

    [My address to the European Identity Conference 2016. Although this starts like my TCP/IP Moment talk it goes in a very different direction. In some regards, I think this might be the most important talk I have ever written and delivered. Giving credit where credit is due - the ideas in this piece are the distillation of many many conversations over the years. I am deeply indebted to the following peers for their help, encouragement, ideas, and support: Allan Foster, Robin Wilton, Nat Sakimura, Josh Alexander, Chuck Mortimore, Joni Brennan, and Josh Nanberg.]

    Read more

  • Why is the Identity leg of the stool missing?

    [Many thanks to Gerry Gebel for giving me the nucleus for this post] In the midst of the ongoing privacy and security conversation, I pointed out last week that identity is the missing leg of the security/privacy stool. Identity is both a means of expressing privacy requirements and a necessary set of security controls, as well as a key to delighting customers and driving business engagement. A colleague pointed out that while security and privacy might be different halves of the same coin, identity is the coin itself. I’m not sure I fully agree with that but it gets to sentiment I have. The use and protection of identity data has strong footing in both the privacy and security worlds. And yet identity and identity management professionals are not a first class member of the conversation. Why is that? One reason, in my opinion, is because we didn’t expect the industry to stand alone for the duration.

    Read more

  • Identity: The Missing Leg of the Stool

    I had the pleasure of representing the Identity Ecosystem Steering Group (IDESG) at the International Association of Privacy Professionals’ Global Privacy Summit this week. Laura Hamady of PayPal, Heidi Wachs of Jenner and Block, and I talked about navigating the maze of online retail. My part in the talk was to illustrate the flow of personal data between the various players in different online retail scenarios. (Here’s a copy of our presentation if you are curious.) Now, as the only non-lawyer in the bunch, and likely the only identity person at the conference, I had a blast pointing out all of the data protection and handling issues that stem from identity interactions. The movement of identity data between social identity providers, your back-office systems, and third-party service providers is a dance of varying elegance. Regardless of how well those pieces are integrated, the information being shared helps your organization delight your customer. But in order to do so, the customer’s privacy needs and expectations must be met. (Not to mention sectoral and legal data protection requirements as well.) And that got me thinking. The relationship/dramatic tension/codependence of privacy and security gets a lot of rightly deserved attention. But neither privacy and security professionals can fully meet these challenges in part because their default tools are the wrong ones for the job. What’s missing from the conversation is identity management. Identity is the missing third leg of the stool. Identity helps mitigate a vast number of security threats including insider threat through the minimization of access. Identity also helps address privacy requirements but governing access control to customer data. In this regard, we can think of identity management as the operational means by which privacy implements some of its required controls. And to be clear I am not saying that identity meets all of the requirements on its own; there are many other privacy controls that require security, and not identity, to meet - traditional data protection and event monitoring being just a couple. By working with identity professionals, privacy teams can better understand the flow of customer data. They can sharpen the focus of their privacy impact assessments and can more easily identify third-parties provide services and whose terms of service need to be harmonized with the organization’s privacy policy and notices. Simply put - an organization that coordinates the efforts of its privacy, security, and identity professionals is more likely to not only meet its customers privacy requirements and most importantly, more likely to delight its customers.