Tuesday, April 21, 2009

From Identity Service Provider to Identity Provider Service!

I had the pleasure of meeting one of my identity heroes, Kim Cameron, at ESAF on Monday. It went well and truly made up for my trip to PARSIFAL, where I had been told he was going to present. I did, however, meet the EU Information Commissioner at PARSIFAL, and discussed with him the importance of Cloud Based Identity. That is what started the seed growing.

At ESAF I also bumped into a number of other potential Cloud Based Identity Players. The interaction with Kim set off a massive brain explosion, the result of which was that two words swapped places. Seems such a minor result when stated like that! :-(
But Identity Service Provider became Identity Provider Service! (IPS)

Definition: An Identity Provider Service is a Cloud Based Identity Service Model that allows any individual, or the leader of a group or organisation, to create identities for themselves or their members. The Identities are managed in such a manner that they can be simply used by and within the group or organisation, or can be raised to a level of trust whereby they can be consumed by third parties, and as a result the Identity Provider and the Identity Provider Service can receive a revenue.

The following graphic attempts to capture the concepts that were born in my mind, undoubtedly the result of reading what many others have written on the topic and watching Dick Hardt's Identity 2.0 video (he's my other Identity Hero; how can I properly cite all the folks who helped create the conditions for the two words to swap!). My friends at the Jericho Forum undoubtedly played a key part, especially Steve, Paul and Andrew. I am confident that the LEF Cloud Study Tour also had an impact. So I lay these out for the world to consume in an OPEN manner, in the hope that a new Identity Provider Service Model will result.



Imagine the three Customer, Professional and Organisation components as Blimps floating atop the Identity, Claims & Access Management landscape. They will be populated with Personas carrying Claims that need to be verified. These claims could either be self asserted or verified in the "New Cloud based Identity Provider Service" approach, i.e. the Scout Leader or the BMA said the claims were accurate!

I see the Identity Provider Service being delivered at varying levels of trust: Self Asserted (Free), Group Leader Asserted (Free with Certificates), Organisational Assertion (One Off Fee with Certificates), and Authenticated Organisational Assertion (higher One Off Fee with additional means of authentication). Payment is made by the consumer of the identity in the latter two cases on a transaction basis (think credit card transactions) and this payment is split between the Identity Provider Service and the Identity Provider.

Expanding the example, the Boy Scouts of America may choose to allow each Troop Leader to publish their own Troop's Identities, or negotiate a higher Trust Level with the IPS and issue Certificated Authenticated Identities for which they will receive revenue when the Identities are used/trusted by third parties. The Identity Provider Service would operate like Mastercard/Visa, charging a verification fee that rises depending upon the level of Claims being made and the Risks involved in the transaction.

The British Medical Association could choose to issue an electronic identity to its Doctors using this Identity Provider Service approach and receive a revenue from the organisations that consumed the Doctors' Identities, which would naturally come with a verified Claim that they were a Practising Doctor (Meta Data of the Claim to be determined).
NB In this new IPS Model all parties would need to determine HOW the Identity Risk is shared. The BSA would be the Identity Provider. IBM, PayPal, Microsoft or RSA could provide the Identity Provider Service following a standard approach. Lots of legal and compliance stuff to be sorted!

But in the meantime it could start small, I would use the service to publish Information Cards (for that feels like the best form in which to create the Identities) for my friends and family so that we could all safely interact on the Web.

I wouldn't buy a "Geneva Server" to do that but I would certainly sign up to the first IPS that would allow me to publish such Information Cards.

After the concept takes off, I predict an early explosion of Identity Provider Services followed by a shake out that would reduce to 3, maybe 4, providers within 3-5 Years. The number of Identity Providers would remain large. In comparison to the Credit Card Model, I can get a Credit Card from the Royal Society for the Protection of Birds! Why? Because they earn revenue from it... I'd quite like an RSPB Identity for my Twitcher Persona!!!!

Alternatively we could continue populating the Blimps from the Enterprise Centric Model, more costly and less effective. Please NO!

I propose populating the Group, Organisation and Professional Blimps ahead of the Customer Blimp; ultimately these three Blimps will merge. Initially Enterprises will think they want Enterprise issued Identities to fill the Customer Blimp using this new Cloud Identity Service Model, but eventually we will realise that the other Identities are cheaper and more reliable!

Needs far more thought, for 'tis early in the morning...

But I just had to share!!!

Saturday, February 28, 2009

Abstraction and Clouds

After my SaaS/Abstraction Tweet, I have been considering my posit, i.e. that SaaS can be implemented in a Cloud like manner or NOT, which appeared to cause some tension...

From @golfcaddy
@adrius42 But isn't SAAS an abstraction of sorts?

From @ccairney
@adrius42 @golfcaddy if cloud computing is defined by layers abstraction then SaaS sits in one of the layers

From @RobynMiller
@adrius42 I don't know why, but the word abstraction doesn't 'click' for me...

I have come to the conclusion that the tension comes down to the fact that the act of abstraction is NOT a binary switch, i.e. abstracted or not. I have perhaps been lazy in my thinking.

So to build my posit, here are some elements of the Abstraction Concept:

SubRoutines: These are often just Abstraction within the Application.

Service: Clearly a type of Abstraction that can be found in Clouds, but does that mean the existence of Service Level abstraction = Cloud? I would argue not. Thoughts???

I personally believe you can use the service level abstraction in a manner that is not Cloud like.

I would also argue that the degree of abstraction, when designed in a cloud like manner is directly proportional to the Cloudiness of the Cloud involved.

For example I would argue that the use of Amazon's S3 for data storage is clearly Cloud to some degree, but not "Full On Cloud". That would look like storage of data fully virtualised below the Abstraction Layer, stored across virtualised internal data storage, Amazon S3 and Nirvanix, so that if any of the storage services below the abstraction layer fail, the abstraction layer ensures that the consuming party above it is not aware of the event. Now that is Full On Cloud Computing, between the Platform and Storage Layer.
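To make the "Full On Cloud" storage idea concrete, here is an added example (not code from the original post or from any of the providers it names): an abstraction layer that replicates each object across several backends and, on read, hands back the first copy whose digest matches, so the consumer above the layer never learns that a backend was down, stale or altered. The backends are in-memory stand-ins with placeholder names; no real service is contacted.

```python
import hashlib


class BackendUnavailable(Exception):
    """Raised by a storage service below the abstraction layer when it is down."""


class InMemoryBackend:
    """Constructed stand-in for one storage service (names are placeholders)."""
    def __init__(self, name):
        self.name = name
        self.available = True
        self.objects = {}

    def put(self, key, data):
        if not self.available:
            raise BackendUnavailable(self.name)
        self.objects[key] = bytes(data)

    def get(self, key):
        if not self.available:
            raise BackendUnavailable(self.name)
        return self.objects[key]


class AbstractedStore:
    """The abstraction layer: consumers see put/get only. Writes go to every
    reachable backend; reads return the first replica whose SHA-256 digest
    matches the one recorded at write time, so a backend that is down, stale
    or tampered with is bypassed without the consumer noticing."""

    def __init__(self, backends, min_replicas=2):
        self.backends = list(backends)
        self.min_replicas = min_replicas
        self.digests = {}   # key -> expected digest (itself replicated in a real system)
        self.events = []    # failover log, kept below the abstraction layer

    def put(self, key, data):
        data = bytes(data)
        written = 0
        for backend in self.backends:
            try:
                backend.put(key, data)
                written += 1
            except BackendUnavailable as exc:
                self.events.append(f"put {key}: {exc} unavailable, skipped")
        if written < self.min_replicas:
            # Too few copies for a later failure to be hidden: fail loudly now.
            raise RuntimeError(f"only {written} replica(s) of {key} written")
        self.digests[key] = hashlib.sha256(data).hexdigest()
        return written

    def get(self, key):
        expected = self.digests[key]
        for backend in self.backends:
            try:
                data = backend.get(key)
            except (BackendUnavailable, KeyError) as exc:
                self.events.append(f"get {key}: {backend.name} {exc!r}, trying next")
                continue
            if hashlib.sha256(data).hexdigest() == expected:
                return data
            self.events.append(f"get {key}: {backend.name} digest mismatch, trying next")
        raise RuntimeError(f"no intact replica of {key} reachable")


def demo():
    """Constructed scenario: one backend down, one altered; the consumer is unaffected."""
    local, s3, nirvanix = (InMemoryBackend(n) for n in ("local", "s3", "nirvanix"))
    store = AbstractedStore([local, s3, nirvanix], min_replicas=2)
    store.put("report.txt", b"quarterly figures")
    local.available = False                   # internal storage goes away
    s3.objects["report.txt"] = b"tampered"    # S3 copy silently altered
    return store.get("report.txt"), len(store.events)
```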

Friday, October 31, 2008

From Enterprise Architecture, through Collaboration Oriented Architectures, to Customer Centric Architecture!

Many IT Enterprise Architects are still struggling to achieve their ultimate peak, which they have determined to be the optimisation and complete integration of the Enterprise. Historically they have determined that their primary focus is optimising the benefit of using IT for their total Enterprise (represented by the Green shape), with the integration and productivity benefits accruing from connecting a few organisations within an Enterprise as the second priority (the orange colour), leaving the optimisation of single organisations as the third priority (Light Blue). This is often hard, as each internal organisation sets more store by the value that IT can bring to its own organisation than by the optimal usage of IT across the Enterprise. This results in a large amount of wasted effort as each internal function battles for the resources to maximise the benefits of IT for itself.

Even more unfortunate is the fact that this internally focussed and selfish optimisation approach results in barriers to collaboration between Enterprises. The recently published Collaboration Oriented Architecture framework from the Open Group highlights key steps to take to reduce the friction between Enterprises, while minimising the risks to the Enterprises and their Customers.

However, even this refined collaboration oriented approach still does not resolve the key issues and opportunities for the most important constituents of all Enterprises: their Customers! Customers are impacted most badly by architectural approaches that do not hold them at the centre.



The new Yellow layer in the diagram above signifies a new Customer Centric layer. Architects who understand the importance of this new layer will be scrambling to drop their Enterprise or Collaboration titles and adopt the attitudes and title of a Customer Centric Architect. Now we have to start thinking about what exactly that means; we could do well by starting to think about how Identity and Access Management systems optimised to meet the needs of individual Enterprises might be architected with the Customer in the forefront of all our minds.

There is a lot to do to change our architecture mindsets. We need to stop thinking internally of our own Enterprises and change to think FIRST of our Customers. It was hard enough trying to achieve Enterprise Architecture, one can only imagine the difficulties that will be encountered on this journey. However the benefits are even more legion than those which drove us to strive for Enterprise Architecture. Now all we have to do is to persuade the internal functions why this makes more sense than focussing on their special needs. Perhaps it will be easier to persuade them to give up their own gains, if it is the Customer that wins rather than a colleague in another department/organisation!?

However it won't be that easy to accomplish, as the legacy systems are all facing the wrong way, akin to each organisation or function in an Enterprise having its clothes on inside out! Perhaps the challenge of changing this state of affairs should not be imagined, as the resulting vision of Enterprises in varying states of undress will not be pretty. But imagine it we must; happily we have pointers and emerging tools and services. The tenets are similar to those espoused in the Jericho Forum COA; the benefits will however be more profound. Additionally, SOA, the Cloud, Mobilisation, Web 2.0 (The Social Web) and in the future Web 3.0 (The Semantic Web) are all emerging at the right time. With these tools Enterprises will at least be able to consider the transformation, assuming of course they have Customer Centric Architects that get it, and internal functions that are willing to take their "clothes" off! Perhaps that is the real result of Consumerisation, not just of the devices and services, but of whole Enterprises! Now that is a nice thing to imagine!

Sunday, October 26, 2008

Aha Number 1: On the relationship between my Personas and my "Me" Tags

I created this Blog Space out of some weird sense that I didn't want to be blogging on this subject to my usual reader! Something about wanting to reach/please a different audience. This week while on the Leading Edge Forum Cloud Study Tour, I watched as @mastermark decided to reduce his tweets under the #lef tag, because he felt he was overwhelming his audience. This must have got my subconscious thinking, as I woke this Sunday morning knowing that Personas and Personal Tagging were very closely related.

So for some definitions:
A Persona is a public facing identity that normally has a name like Adrius42.
Personal Tagging will come in three basic forms. The lowest level is self asserted. Next comes the aggregation of third party tags (viz. by public acclamation Adrius42 is a Geek, and those of you who know me will know that I would be mighty proud of such an acclamation!); this second form of tagging is what others tag me as. The final form of tagging is a claim that can be authenticated via a third party, e.g. I am a Doctor (I am not, so I would have a hard time having the BMA authenticate that claim, whereas my son would not).

So onto my Aha! This e-trust blog space is simply a poor attempt of mine to tag my Web2.0 persona.

What would be better is if the Social Media Tools (starting with my friends at FaceBook, who really didn't get what I was talking about when I raised the topic!) were to implement Personal Tagging; it would be the early beginning of Identity and Access Management in the Social Space.

Instead of "following" all of Adrius42 you could "follow" my Web2.0 persona, articulated at the application level by Adrius42#Web2.0. I would be more comfortable letting some of you into that than the whole me! So when you accessed Adrius42, you would get to see those persona#tags that you have chosen to follow and that I have let you see. You can also choose to unfollow one of my persona#tags if I start to get too nerdy in it, as you might my upcoming Adrius42#greencomposting persona#tag!

I would also be able to define the folks who could see my persona#tags. For example my Adrius42#web2.0 tag I might make public, whereas Adrius42#holidays I might make visible to friends so that they could choose to follow it and I could choose to let them.
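As an added example (not code from the original post or from any of the social networks it mentions), the persona#tag model above as a small access-control layer: the owner sets who may see each tag, readers choose which tags to follow, and a reader's view is the intersection of the two, re-checked on every read so that revoking a friendship takes effect immediately. Names, tags and posts are constructed for illustration.

```python
PUBLIC = "public"
FRIENDS = "friends"


class PersonaTags:
    """One owner's persona#tags, the owner-side visibility policy for each, and
    the reader-side follow choices. Every read re-checks the policy (default deny)."""

    def __init__(self, owner, friends=()):
        self.owner = owner
        self.friends = set(friends)
        self.policy = {}     # tag -> PUBLIC, FRIENDS, or frozenset of named readers
        self.posts = []      # (tag, text) in publication order
        self.following = {}  # reader -> set of tags that reader chose to follow

    def set_visibility(self, tag, who):
        """Owner decides who may see a tag: PUBLIC, FRIENDS, or specific readers."""
        self.policy[tag] = who if who in (PUBLIC, FRIENDS) else frozenset(who)

    def may_see(self, reader, tag):
        who = self.policy.get(tag)
        if who is None:
            return False                      # unknown tag: default deny
        if who == PUBLIC:
            return True
        if who == FRIENDS:
            return reader in self.friends     # evaluated now, not when followed
        return reader in who

    def follow(self, reader, tag):
        """Reader's choice; following a tag you may not see is refused."""
        if not self.may_see(reader, tag):
            return False
        self.following.setdefault(reader, set()).add(tag)
        return True

    def unfollow(self, reader, tag):
        self.following.get(reader, set()).discard(tag)

    def post(self, tag, text):
        if tag not in self.policy:
            raise ValueError(f"no visibility set for {self.owner}#{tag}")
        self.posts.append((tag, text))

    def visible_tags(self, reader):
        """What a reader sees on accessing the owner: followed AND permitted."""
        return sorted(t for t in self.following.get(reader, ()) if self.may_see(reader, t))

    def timeline(self, reader):
        wanted = set(self.visible_tags(reader))
        return [(f"{self.owner}#{t}", text) for t, text in self.posts if t in wanted]


def demo():
    """Constructed scenario following the post: public web2.0, friends-only holidays."""
    me = PersonaTags("Adrius42", friends={"mark"})
    me.set_visibility("web2.0", PUBLIC)
    me.set_visibility("holidays", FRIENDS)
    me.set_visibility("greencomposting", PUBLIC)
    me.post("web2.0", "Personas and tags are closely related")
    me.post("holidays", "Off to the coast")
    me.post("greencomposting", "Turned the heap today")
    for tag in ("web2.0", "holidays", "greencomposting"):
        me.follow("mark", tag)
        me.follow("stranger", tag)            # holidays is refused for a non-friend
    me.unfollow("mark", "greencomposting")    # too nerdy
    mark_before = me.timeline("mark")
    me.friends.discard("mark")                # friendship revoked: holidays drop out
    return mark_before, me.timeline("mark"), me.timeline("stranger")
```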


So here's to Persona#tags

Now all I need is for this post to go Viral and for my FaceBook friends to get what I was jabbering on about.... then my Twitter friends then my Del.icio.us friends... and then my whole Social Media Universe. And then Mark and I would be able to stop feeling guilty about what we were blabbing on about!!!

Wednesday, August 20, 2008

Latest Version of IAM Module

Latest Version based on all your kind feedback...

Module Overview
In a world where collaboration is increasingly the norm, information is an increasingly valuable asset. High profile attacks on organisations from foreign states, credit card information being stolen from unprotected wireless networks, or simply the loss of personal data sent through the post on CD-ROMs, all demonstrate the changing shape of the risks to that value. Information Systems are used to store and disseminate these information assets within and between organisations. Organisations therefore need to ensure they protect the communication and storage of this information in these systems by understanding the risks they face and putting in place appropriate measures to prevent their information assets from being compromised. This module will explore this Information Asset Management (IAM), and the role that information professionals take in IAM. Opening with the framing and history of IAM, the module will use key industry resources and knowledge of business information systems to approach the analysis of business risk and planning of information risk management, realised through real-life case studies and guest lectures.

Learning Outcomes
By the end of the module the student will be expected to be able to:
• Understand the different types of information threats and vulnerabilities that an information system may experience, and how they may impact businesses.
• Evaluate the information risks an information system may bring to a business and communicate the potential business impact of those risks.
• Analyse the security elements of information technology services, systems and assets within an organisation. This will include the competencies required to manage the confidentiality, integrity, and availability of data and information.
• Develop appropriate controls and/or mitigations to maximise the business value of an information asset, while ensuring the risk is kept to an appropriate level.
• Show understanding of the various aspects of information asset governance, including policy development and related regulations, compliance practices and issues.
• Demonstrate understanding of the techniques used to manage data and information within an organisation and as it crosses into and out of an organisation. This includes the IT and information management processes involved in the acquisition, creation, categorisation, storage, transfer and disposal of data and information.


Initial Plans for the Assessment

2 hour unseen examination

Initial Group development and implementation of an Audit Plan:
Based on a case study of Company X, which holds a number of information risks of various degrees of complexity and transparency. In groups, students will produce an audit plan, and implement the information risk assessment. The case study is based upon real-life situations.
Groups will have the opportunity to interview a guest IT professional and the lecturer who will both role-play Business and IT Leaders in the Case.

To address the following learning outcomes:
- Evaluate the information risks information systems may bring to a business and communicate the potential business impact of those risks.
- Analyse the security elements of information technology services, systems and assets within an organisation. This also covers the competencies required to manage the confidentiality, integrity and availability of data and information.
- Show their understanding of the various aspects of information asset governance, including policy development and related regulations, compliance practices and issues.
The development and implementation of the audit plan allows discovery of the risks. Feedback will be given on the approaches the groups have taken.

Group Information Risk Assessment and Control Plan Presentation:
Subsequently the groups should analyse their assessment and develop their proposals for the final phase. In this phase the groups will present their assessment and proposals, as if to Company X's Audit Committee. They will produce a written audit document, to include: an executive summary, a detailed information risk assessment, an outline of the potential impacts, and any proposed policies, controls and/or mitigations.

To address the following learning outcomes:
- Evaluate the information risks an information system may bring to a business and communicate the potential business impact of those risks.
- Analyse the security elements of information technology services, systems and assets within an organisation. This also covers the competencies required to manage the confidentiality, integrity and availability of data and information.
- Develop appropriate controls and/or mitigations to maximise the business value of an information asset, while ensuring the risk is kept to an appropriate level.
- Show their understanding of the various aspects of information asset governance, including policy development and related regulations, compliance practices and issues.
The Information Risk Assessment and Control Plan will be marked per group, but an individual portion of the marks will be assigned based on how well each student worked within the group.

Monday, August 18, 2008

Information Asset Management: Draft Learning Objectives

I am starting on the journey of module development... lecturing on Information Asset Management to third year computing students at a UK University.

I have the passion for the subject, I know that they really need to know this stuff, especially in the collaborative "cloud" world we have racing at us fast! My challenge is that there are apparently few courses out there for me to build upon, and even less reading material written on the subject. I am excited at the opportunity to help prepare information professionals in this way. So given the nudge I had this morning on Twitter from @gblnetwkr, I decided to start to call upon the wisdom of the crowds!!!

Draft Module Aims
This module will focus on the importance of managing information assets to maximise value and manage risk to an appropriate level. It will explore the various agencies, roles, policies, processes and technologies involved, while highlighting the importance of the role Information Professionals, and others, need to play in managing information assets.

I am using the e-skills PROCOM work as a guide, though that is still in draft, and is not too strong in the area of Information Security. I will also be using PROCOM, COBIT and ITIL more formally when I figure out the appropriate approvals and copyright implications.

My first ever "initial" draft set of Learning Outcomes !!!

By the end of the module the student will be expected to be able to:
• Understand the different types of information threats and vulnerabilities that an information system may experience, and how they may impact businesses.
• Evaluate the information risks an information system may bring to a business and communicate the potential business impact of those risks.
• Develop appropriate controls and/or mitigations to maximise the business value of an information asset, while ensuring the risk is kept to an appropriate level.
• Ensure the security of information technology services, systems and assets within an organisation. This also covers the competencies required to manage the confidentiality, integrity, and availability of data and information.
• Show their understanding of the various aspects of information asset governance, including policy development and related regulations, compliance practices and issues.
• Demonstrate their understanding of the techniques used to manage data and information within an organisation and as it crosses into and out of an organisation. This includes the IT and information management processes involved in the acquisition, creation, categorisation, storage, transfer and disposal of data and information.

All that draft language should give you the clue, feedback welcome.

...on three counts
1) If you were a student would you want to come to the lectures?
2) Is the content right?
3) Any other perspective you might have....?

Sunday, August 10, 2008

How to Trust Apple's Time Machine and Time Capsule

For reasons I am still not totally clear on, but that I suspect could be down to poor coding, my Apple Time Capsule and Apple Time Machine became unworthy of e-trust.

The dreaded words "Preparing Backup" are the harbinger of doom for many, and for those who enjoy console logs the still scarier words "Node requires deep traversal" tended to signify a VERY long wait for the backup to prepare, my record stint of patience being over two weeks! This is not just one user's experience, according to various forums. However those same forums hold some gems that helped me regain control of my errant backup processes, while I wait impatiently for Apple to figure out that they really do have a problem with their Time Machine and Time Capsule.

So for those who have the same problem I will be placing in this blog a few of the gems I have gleaned from the various fora.

I will also be attributing the finds, but for now some quick pointers:

1) Use the Console (iashton in Apple Support Forum)
Try starting Console - it's in Applications/Utilities
Click on system.log in the left hand pane and then type backupd into the filter box in the top right of the window
Click the Time Machine icon on the top menu bar and select Back Up Now.
A backup should start and you can check its progress in the Console window.

2) A Fix (Patty Patty in Apple Support Forum)
1) Turn Time Machine off
2) Trash the com.apple.TimeMachine.plist in /Library/Preferences
3) Restart
4) Full Spotlight reindex of the Macintosh HD
5) Add a bunch of folders to the "Do Not Backup" list in Time Machine
6) Turn Time Machine on

3) A Great Tool The Time Machine Editor
I used this to reduce the number of backups