Friday, March 18, 2011

Is 1984 a step closer?

A debate this week in the House of Lords does not appear to have hit the UK broadsheets. Some may think that it was of little consequence, as it was simply the UK choosing to sign up for the idea that Passenger Name Records should be kept for ALL Pan-European flights in a massive European Travel Register. Lord Hannay, in his own opening speech promoting the motion, stated that it was a "considerable invasion of privacy".
The declared goal is the standard "protect us from terrorists" mantra; the negative or unexpected consequences of such a large database being available to all European Governments are apparently not being included in the decision. This is especially concerning as it is also likely that the US Government and other Foreign States may gain access to the database by fair means or foul.

Let's consider a few "Abuse Cases":
Simply by tracking the flights of the CEOs of all the major European companies, a Foreign State could glean significant information about potential mergers and acquisitions.

As The Earl of Erroll pointed out in the debate, a Foreign State could acquire information about the travel companions of key leaders of Industry, or other Foreign States, that could in turn be used to blackmail or pressure said leaders.

Given that the attributes to be stored will include passenger financial data, the database could be the cause of a massive exposure of Credit Card details.

As The Earl of Erroll also points out, if we were concerned about the dangers of a National Identity Register, why would we not be concerned about the dangers of a European Travel Register that arguably will hold even more detailed information?

The record of large government organisations when it comes to protecting the private records of their citizens has not been shown to be the highest. Just how access to such sensitive data would be limited to those exploring Terrorism or Organised Crime is not clear.

What's next? The recording of all train journeys across borders, and then car journeys, and then...?

Should we not all be as concerned as the Earl of Erroll?

Sunday, February 27, 2011

I was in a EURIM meeting last week discussing the importance of establishing an Identity Governance Framework that would help set the direction of regulations and other key components that would enable the development of an e-Identity Infrastructure. All those present believed in the importance and value of such an Infrastructure; there was, however, one aspect that did not seem to have universal agreement.

Basically it came down to the need for a Universal Identifier that would be owned by Governments.

In this case we were talking primarily of the identity of Citizens. I responded very clumsily to what seemed to be a proposal to tie such an Identifier to the Identity used for voting; it turned out to have been tied through the Registration process, but my visceral reaction remained. I mumbled my concern without clarity.

Today I was reminded of the Lord of the Rings and its relationship to this problem. I declare myself to be a Hobbit who sees the creation of the Rings (of Identity?) as something to be feared, especially the One Ring, the one that binds all the others together.

The forces that would have us believe that a Universal Identifier should be created by governments in order to protect us from thieves and terrorists are not being fully transparent about the potential negative impacts, partly because the law of unintended consequences is so relevant in this space, but also because they don't want to declare their own intents.

Let's remember what was inscribed inside the "One Ring":

One Ring to rule them all,
One Ring to find them,
One Ring to bring them all,
And in the darkness bind them.

A chilling reminder, for those that understand the message that Tolkien was sharing with us.

Basically it is a question of Primacy: who owns the Identity of an Individual?
Some would say the State; I would say the mature and sane Individual.
I was sure this right would be enshrined in "The Universal Declaration of Human Rights", but despite reading and re-reading the articles I found no clear declaration. While Articles Three and Six touch on the concept, the right to own one's Identity is not explicitly stated.

The first Jericho Forum Identity Principle (under development) addresses this topic; it currently reads:
PRIMACY: Invisible Root Identity – The privacy and integrity of a core “Identity” is ALWAYS safe. A Root Identity must be uniquely and permanently connected with an Entity/Principal and must NEVER need to be disclosed.

Rewritten as a new Article 31 of The Universal Declaration of Independence it would read:
Everyone has the right of primacy over their Identity; no State, group or person may usurp that right.

Tuesday, January 11, 2011

From Silo to .....

The shift from being a silo-focussed Enterprise to a Deperimeterised one is NOT a simple task. The primary reason for this is that it involves a tectonic shift in all the key components of an organisation, including all those that relate to each of the major domains of People, Process and Technology; in short, everything must change.
The Culture of the organisation must change from top to bottom; this shift involves moving from a "Do It Ourselves" to a "Do It Collaboratively" approach. In Information terms this means moving from keeping Information to ourselves to sharing information with others. This leads to the need for a fundamental shift in governance systems, meaning that the systems that govern the direction of, and behaviours in, an organisation often need to be reversed, and certainly re-designed. The implications of the importance of this part of the "shift" can be seen in the failure of many organisations trying to make the shift. Business Leaders making this change understandably feel nervous and as a result resort to taking up the governance reins, hoping that they will be able to effectively steer their organisation throughout the change. Empowerment is the first thing to suffer with this approach, as this behaviour is observed and replicated down through the leadership ranks, and yet Empowerment is one of the most important success factors in making this change. This results in a failure to appreciate which of the many unknown processes in an organisation are key and which can be eliminated. My own view of the failure of Michael Hammer's Re-Engineering of Enterprises in the 1980s stemmed from the basic fact that the Leaders of an organisation of any reasonable size have no way of being able to understand all of its processes, especially as so many of those processes are "unknown" and certainly undocumented. (The most successful re-engineering exercise I was ever involved in occurred in France, where an enlightened leader, whilst using an external consultant, insisted that all of his staff were involved in the re-engineering exercise; unfortunately the effort was supplanted by a "Top Down" change that was Global, resulting in a 400% loss of productivity.)
Changing the business processes of a silo-based organisation to deliver the needs of a Deperimeterised one is not a trivial exercise, and certainly not one that can be achieved incrementally, for few organisations understand all the processes that they operate, let alone the Information Assets that are key to these processes. Our inability to manage the vast amounts of information that modern Enterprises produce inevitably leads to the use of Information Technology, and herein lies the tail that wags the Corporate Dog. Advances in Information Technology have led to an amazingly powerful tension driving organisations towards Deperimeterisation. Cloud based services are simply the latest of these advances. Consumerisation is another of these technology mediated tensions.

I am reminded of a challenge in one of the many corporate team building exercises that I have had the pleasure of engaging in. This one had me dressed up in massive amounts of padding, connected to bungy cord and then told to run up a padded aisle to see how far I could get. The weird experience of having the bungy cord decide that I had come far enough and drag me flailing back to the start must have been designed to teach me something, though I can't remember what.
In the case of the Silo based Enterprise, the bungy cord is Deperimeterisation, and no, it is not connected to the other side of the Grand Canyon but to the Moon. In the words of Eric and Ernie, "Get out of THAT without moving!"

The good news is that Mankind has demonstrated our ability to get to the Moon and back. Is your organisation ready to demonstrate the capabilities needed to achieve this shift? If it is small and agile, then likely yes; if you are in a large organisation, here's hoping you have a charismatic leadership team with Vision, who believe in Empowerment.

To those expecting the word security to appear in the body of this article: on September 12th 1962, did Kennedy use the word Security in announcing the endeavour that relied upon Security at every step?

"We choose to go to the moon. We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one which we intend to win, and the others, too."

Will your organisation choose to go to the Moon or will it be dragged there flailing? One thing I will say is: your ability to treat Information as a valuable asset is going to be fundamental to your success, with a rethink of "Identity, Entitlement and Access Management" being a crucial early step, but that's another blog!

Sunday, January 09, 2011

Mac App Store introduces the opposite of Shop Lifting

The opposite of Shop Lifting would be called something like Wallet Snatching.

With the new functionality introduced by the 10.6.6 upgrade, the Mac App Store introduces the unwary to a new means of losing their money. The App Store used by iPhone, iPod, and iPad owners has a two click to purchase interface. With Mac App Store, Apple have introduced an arguably devious means of increasing sales by eliminating the "Are you sure?" click.

This seems like a minor deal, but you must remember that the Terms and Conditions of App Store basically say that when you have bought it, it's yours, and there is NO means of getting your money back apart from going to the developer of the software.

I am not a lawyer but I believe that Apple have successfully driven a coach and horses through the Sale and Purchase of Goods Act, which clearly states that it is the seller, not the manufacturer, who is responsible if goods do not conform to contract.

This, coupled with the fact that the App Store was not built to be secure from the developer's perspective, is a reason for developers who value their brand and their profit to steer clear of the App Store.

A recent incident I experienced with the SlingBox App has damaged Sling Media's brand in my eyes and certainly means I will be doing no more business with them. I also aim to stop as many of my friends as possible from buying Slingboxes. This arguably all stemmed from Sling Media's use of App Store, and hiding behind Apple's decision to ignore the Sale and Purchase of Goods Act.

CAVEAT EMPTOR is even more important when it comes to doing business with Apple.
I think they may be assuming that they are above the law!

Yippee! End to End Secure FaceBook

"A step towards being my Identity Service Provider"

In the wake of FireSheep and the ability of coffee shop squatters to harvest authentication cookies from insecure WiFi Networks and gain "one click" access to FaceBook accounts, FaceBook have started up a new way of accessing FaceBook. With the launch of one can now have their authentication cookie, and all other data, securely transferred to and from FaceBook. While this does not solve all of FaceBook's security issues (after all, they still use Username and Password for account access!), it is a very important step. All FaceBook users should shift to this means of accessing FaceBook. Currently it is still in a testing phase; the service will be more broadly promoted in coming months.

So, to benefit from "end to end secure FaceBook", change your FaceBook bookmarks now. I have!
Now all I have to do is figure out which of the many applications I use to access FaceBook use this secure protocol.
Anyone have a list?
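
To make the cookie exposure described above concrete, here is an added example (not part of the original post, and not FaceBook's code) that audits a response for session cookies a browser would still send over plain HTTP. The header sets, the `session_id` cookie name and the `example.test` host are constructed for illustration.

```javascript
// Added example. Headers below are constructed; cookie names are hypothetical.
const WEAK = {
  'Set-Cookie': ['session_id=abc123; Path=/; HttpOnly', 'lang=en; Path=/'],
};
const HARDENED = {
  'Set-Cookie': ['session_id=abc123; Path=/; Secure; HttpOnly'],
  'Strict-Transport-Security': 'max-age=31536000',
};

// Parse one Set-Cookie line into its name and the attribute checked here.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const flags = attrs.map((a) => a.split('=')[0].trim().toLowerCase());
  return { name: eq < 0 ? pair : pair.slice(0, eq), secure: flags.includes('secure') };
}

// A browser attaches a cookie to a plain http:// request unless the cookie
// carries Secure, so anyone on the same open WiFi can read it off the air.
// Assumes requestUrl targets the site that set the cookie.
function sentInCleartext(cookie, requestUrl) {
  return new URL(requestUrl).protocol === 'http:' && !cookie.secure;
}

// Return findings for the named session cookies in one HTTPS response.
function auditResponse(headers, sessionCookieNames) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];
  if (!h['strict-transport-security']) {
    findings.push('no Strict-Transport-Security: browser may still make http:// requests to this host');
  }
  for (const line of [].concat(h['set-cookie'] || [])) {
    const c = parseSetCookie(line);
    if (sessionCookieNames.includes(c.name) && !c.secure) {
      findings.push(`${c.name}: no Secure attribute, sent on any http:// request to the site`);
    }
  }
  return findings;
}

console.log(auditResponse(WEAK, ['session_id']));
console.log(auditResponse(HARDENED, ['session_id']));
```

Logging in over HTTPS is not enough on its own: a session cookie without `Secure` still leaks on the first plain-HTTP request an application makes to the same site.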

This is a welcome step, and if FaceBook continues in this vein, I will be happy to expand my use of them as my Identity Service Provider. Recently they have been more open about positioning themselves as an Identity Service Provider; they are choosing to gain the position slowly, one FaceBook App at a time. More importantly they have the potential to gain the trust of Enterprises as an Identity Services Provider. They are more likely to achieve this status if they comply with all the Jericho Forum Commandments.

There are some additional services and capabilities that would help me make this step. What am I missing?

1) A revised authentication infrastructure that eliminates the use of Username and Password as the prime method of Authentication to FaceBook

2) An easy to manage Security Dashboard that allows me simple oversight and control over my web based Identities

3) A Security Monitoring Service that has the capacity to alert me when my data is being harvested, or misused

4) A means of more finely selecting which of my data I want to share with specific services that use FaceBook Connect
(Currently it is a binary decision, often "All or Nothing", with little ability to negotiate)

5) Methods of enhanced authentication, which I can choose to use for specific services that I may choose to use FaceBook Connect with.

6) Various Methods of warning when specific events of my choosing occur. I would see three levels of "Alert Ferocity":
a) Poodle: Just giving you the heads up
b) Jack Russell: Seriously annoying until you accept the alert
c) Pit Bull: Will fight to the death to get the alert through to you, no matter the cost

7) An ability to apply varied levels of friction to information flows that I can select for different types of data, or specific data elements.
a) Open = No friction, Anyone has access
b) Closed = Limited Friction, Many have access, though it is easy to share with others
c) Combination Locked = Serious Friction, fewer have access, but it is difficult to share with others
d) Key Locked = Ultimate Friction, few have access, and I am informed when they access

8) A Transaction Dashboard that allows me oversight and control of ALL my web transactions. This service will only be possible after FaceBook has really proven their ability to look after my interests.

Clearly, I expect others, not just FaceBook, to be aiming to provide these identity services and this list equally applies to them. Some providers will have more complete and robust services, others will not provide the complete range of robust and trustworthy
