You are here: The Open Group > The Open Group Conference, London 2011 > Proceedings
       

The Open Group Conference London
Highlights of Day 2

Overview

The Open Group Conference, London 2011 continued on Tuesday, May 10 at the Methodist Central Hall, Westminster. The Conference was organized to discuss themes along three primary tracks:

  • Evolving EA to architect the business
  • The critical role of a digital identity ecosystem to improve cybersecurity
  • The business and financial impact of Cloud Computing

Morning Plenary

Day 2 (The Open Group Jericho Forum® Conference) was centered around the need for a digital identity ecosystem. There was a lively discussion on the effective management of identity at a global level. Plenary session presentations in the morning brought together thought leaders from the Jericho Forum, where key questions were asked, such as: Why do we care about identity? What are the drivers for an identity management ecosystem? Why now? And, what is the role of government?

Why the Need for an Effective Digital Ecosystem for Cyberspace/Cloud/Critical Infrastructures – Why should we care?
James Whyte, Head of IT Service Delivery, UK Foreign & Commonwealth Office

Following a brief introduction from CEO Allen Brown and Adrian Seccombe of The Open Group Jericho Forum, James Whyte began his plenary speech by looking at his own career in IT, during which he has seen and implemented a huge amount of change. He described change and IT as synonymous. Mr. Whyte went on to give the audience an overview of F&C and explained the importance of the financial services sector to the economy. The huge sums of money involved make these organizations juicy targets for attack. At F&C, Mr. Whyte has the same concerns as other information security professionals: insider dealing, breaches, and attacks.

Mr. White continued by considering the changed drivers of identity, which include increased flexibility with remote access to systems anywhere, anytime, anyhow; reduced cost and footprint; and a shift from identity to user resource access management. The most important driver identified by Mr. Whyte was the demand for ‘i’ devices such as iPads and iPhones.

So can we jump into the Cloud and roll out these ‘i’ devices? Is the technology secure enough to take the risk? Suffice it to say that, according to Mr. Whyte, F&C has not widely deployed them.

In order to meet these drivers, he explained that the role of CIO needs to change from protector to enabler, and the CIO needs to become ambivalent about how systems are accessed, where people are accessing data from, when people are accessing data, what device people are accessing from; and the CIO even needs to be ambivalent about the data itself. As Mr. Whyte posited, if data is really securely encrypted, why do I care where it’s stored?

However, the CIO cannot be ambivalent about identity. Mr. Whyte suggested that limiting devices, remote systems, and remote access as well as overburdening staff with tech (fobs, biometrics, GPS, etc.) are common ways for CIOs to compensate for the lack of good identity management.

What do I need to achieve good identity management? According to Mr. Whyte:

  • Reliable and user friendly identity authentication
  • Reliable and user friendly DLP
  • Reliable impact mitigation
  • Users to be educated and to take responsibility

Mr. Whyte concluded that the drivers for change and de-perimeterizing are huge and there has been no silver bullet yet. He is not sure a silver bullet will ever exist, but nevertheless we need the industry to give better tools to prevent incidents and just as importantly the industry must give tools to minimize the impact of incidents if they occur.

How is the Jericho Forum® addressing them? (Identity Commandments, Identity Management, Entitlement Management, Access Management) and what to expect from the rest of the Conference
Paul Simmonds, The Open Group Jericho Forum®

Paul Simmonds kicked off his session by looking at the collaboration driver. Businesses want to communicate with both customers and colleagues via the web. The consumerization of IT has led to a shift of power where businesses must support certain platforms in order to satisfy the consumer. Collaboration adds business value, but security professionals find it difficult to mitigate the risk.

Mr. Simmonds went on to pose the questions: Why identity; why now? Passwords are broken – Mr. Simmonds noted that organizations have been trying to sell single sign-on for 30 years and he is yet to see one that works properly. In addition, the majority of (government and private) directories will not scale, there is little, if any, trust on the Internet outside of your locus of direct control, and spam is still rife (the ability to spoof an email address is a lack of strong identity issue). Humans are not hard-wired for security. ‘Joe Public uses the same user name and password for every site they visit and my mother does not, cannot, will not ever have a good head for security!’

Security is increased by designing for the way humans actually behave. Mr. Simmonds identified the fact that current authentication systems are designed to suit computers, not humans as the root of the problem. It is insanity that security professionals understand that identity management gets worse as you scale it, he said, and yet still think that making it larger will fix it.

We need to return to first principles and look at how people use identity and how this mirrors in the digital realm, Mr. Simmonds said. This is what The Open Group Jericho Forum has done with its Identity Commandments. Key considerations included:

  • Identity must be separated from access management.
  • Identity is not just about people (devices).
  • Federation of existing IAM system will not scale.
  • Strong identity is key to trust and collaboration on the Internet.

The Open Group Jericho Forum is a global consortium and feels strongly that solutions must work globally and across organizations.

The UK Government's Aspirations for Managing Identity
The Earl of Erroll

After providing some background on himself and the various Parliamentary ICT groups in which he is active, the Earl of Erroll opened his session by examining the balance between the citizen and the state. The citizen expects to be protected, with the attitude ‘I have done nothing wrong, I have nothing to fear’. But what if ‘they’ get your data mixed up? The Earl described a permanent state of dynamic tension between privacy and freedom of information.

He then moved on to discuss the illusion of security. We will never have absolute security, he said; the government has to be able to issue fake identities (witness protection or agents in the field being two examples), so trusting the system is impossible. Total information access allows the good guys to identify the bad guys, but there is always the threat of ‘Big Brother’ – what would happen if the world changed? Lord Erroll explained that the impact on the citizen is far greater if the executive misuses personal information, than if another type of organization – for example, a supermarket – does.

The Earl looked at three measures that already exist in this space:

  • NSTIC – A new US government identity management program that places the emphasis firmly on the private sector. The danger is that a large corporation could ‘grab’ it.
  • EURIM
  • The Open Group Jericho Forum®. Its Identity Commandments are a big step in the right direction but they need to be translated into plain English to achieve real success.

The major driver, according to Lord Erroll, is the ability to do business electronically and globally. He took leave with some final thoughts, including that we are who we are, so we don’t want our identity managed by anyone else; and the Internet can be very useful so it is imperative that we find a way to certify attributes about ourselves so we can do business electronically.

Parallel Tracks

Following the plenary sessions, attendees had the opportunity to attend track sessions. Tracks focused on:

  • EA in Government
  • EA in Banking and Finance
  • Trusted Technology
  • Service-Oriented Architecture
  • Business Architecture
  • Interoperability

The Consumerization Industry View from PayPal
Andrew Nash, Senior Director of Identity Services, PayPal

Andrew Nash introduced himself as senior director of identity services at PayPal and a board member of the OpenID and Open Identity Exchange Foundations. He continued by giving the audience an idea of what his talk would cover: Identity, how consumers view their identity, and which engagements make sense?

The challenge is that identity professionals know identity is important. What’s needed is to communicate identity – with a small ‘i’ – that consumers can engage with on a daily basis. At present, the enterprise and the consumer have very different ideas about identity.

Mr. Nash then went over some of the trends he is seeing at the moment, including:

  • Mobile devices, set-top boxes, etc. are creating an environment where users and devices are becoming the same thing.
  • Connecting identities and linking claims are accelerating.
  • Identity is moving from security to enablement, which means that traditional ID and security arms dealers are no longer leaders.
  • Consumer ID protocols – OpenID/OAuth. For example, Google is using OpenID because it saves them money when their email addresses are being subverted.
  • Privacy and user control issues are constantly in the news (FTC and privacy groups are also more active). This prompts the question, how much control should users have and what does it look like from a privacy perspective?

He then went on to ask: What does the identity ecosystem look like today? What motivation is there for consumers to share their details? Mr. Nash used the example of delivery of goods. There is an obvious benefit to the consumer to share their address, so it is likely that will provide accurate information.

Mr. Nash used PayPal as a further example to support his argument. Registration on the site is just a couple of questions. A customer is then added to a loop where they are asked for more information slowly, over time. Together, Ebay and PayPal look after 800 million consumer identities, so they know how to attract new customers. They care most about fresh meat so they make it easy to sign up by keeping down the level of engagement necessary to allow the consumer to do something useful.

He concluded by reiterating the difference in opinion between the consumer and the enterprise on the subject of identity.

The Jericho Forum® Identity Commandments – a deeper dive into how they advance the Identity Ecosystem debate
The Open Group Jericho Forum members Adrian Seccombe and Steve Whitlock

Steve Whitlock started off the session on The Open Group Jericho Forum Identity Commandments with a high-level introduction to identity using The Open Group as an example. He discussed the various pieces of information you need to create an account on the website (in order to register for the Conference) and then compared this with collecting your badge on the day, where all you needed was your name.

He then returned to the topic touched on earlier in the day, that humans are not naturally good at security. Secure questions, even if you don’t lie, can be hard to remember the answers to, and users don’t generally do well with passwords.

Mr. Whitlock finished his part of the talk with an overview of the history of digital identities. It’s expensive to create and manage identities, so the first organizations in the space were governments, then large corporations, then third parties. Over time, as large companies and governments started doing electronic business, standards had to be produced. Further change came as individuals started doing things like online banking or using PayPal, and creating digital identities not tied to any company. This was consolidated by the growth in social media that has led people to create an additional identity. Mr. Whitlock referred to his wife, who put down January 1st for every question when she registered for Facebook and now gets birthday cards on the wrong date each year.

The floor was then given to Adrian Seccombe, who explained the key shift in the Identity Commandments: the separation of identity and access management. He added that the Jericho Forum had also recognized the importance of challenging what was meant by identity. The Forum is focused on direction and the future, not on ‘how’ today. Mr. Seccombe said that it works on the edge of what’s possible and doesn’t expect to achieve instant answers today. One of the key ‘hows’ the Jericho Forum is considering at the moment is how to give users control in a way that is natural and matches their normal behaviours.

Mr. Seccombe highlighted entitlement management as an important step. A resource owner must define Entitlement (Resource Access Rules) and access decisions must be relevant, valid, and bi-directional. He laid out resource access rules, which included that entitlement rules should be simple and minimal, thus ensuring attribute requests are minimized, and avoiding the over-exposure of attributes from different persona. By granting access based on attributes (for example, proof that someone is over 18) there is no need for the actual information (date of birth in this instance) to be shared.

He laid out the steps needed to achieve this:

  • Step One: Inventory information assets
  • Step Two: Classify information asset sensitivity
  • Step Three: Define resource access rules: claims based, do not simply populate an access control list (ACLs will not scale in the cloud)
  • Step Four: Define claim (for example over 18) and define attributes required (date of birth)

Mr. Whitlock drew the session to a close by reflecting that attributes are the most sensitive part of identities.

Organizational Intelligence
Richard Veryard, Director, Next Practice Research Initiative, UK

Organization intelligence is not just technology. With this statement, Richard Veryard kicked off his session, part of the EA as a Business Discipline track. Instead, it is simultaneously a question of how the organization is configured, and how the technology is configured to support the organization.

He went on to supply a definition: organizational intelligence is a critical measure of the management capacity of an organization in a demanding competitive environment. It depends on many things including:

  • Appropriate organization structure and culture
  • Appropriate management practices
  • Good use of appropriate technologies
  • Coordinated action and innovation

The success of a technology depends on how it is used. Mr. Veryard illustrated this by looking at knowledge management – an area where lots of implementations fail because they are not synchronized with the corporate culture.

Enterprise architecture is about people, business, and technology. This includes management practices, organization structures, platform architectures, knowledge base, and technology adoption and use. Mr. Veryard then discussed two trends:

  • Trend 1: Organizations are looking for new ways to operate (edge-driven organizations).
  • Trend 2: There is a plethora of technologies aimed at making the enterprise smarter; for example, real-time business intelligence, social networking, network-centric systems.

Organizations need to implement both trends together.

Mr. Veryard compared the attributes of a stupid organization with an intelligent one. Stupid organizations ignore the environment around them, cannot discriminate between the important and the trivial, respond incoherently to crisis, and fail to learn from mistakes. Stupid organizations may contain very clever people (but who don’t talk to each other) and very sophisticated technology (but poorly wired together). Intelligent organizations, on the other hand, detect and interpret weak signals of significance, mobilize coherent response to complex opportunity, take a rational approach to risk and uncertainty, and encourage high-quality decision-making throughout the organization, collective learning, and innovation.

All these capabilities are both technical and social and must be looked at together to achieve organizational intelligence.

Enron and the myth of talent: Mr. Veryard explained that the culture of Enron was to hire talented people and tell them to think of clever things to do with the money they were given. There were critical loops missing from this process and critical blind spots in the way Enron was managed. The business managed to lose vast sums of money without even knowing it was happening. How, he asked, can an organization be so stupid?

In comparison, Mr. Veryard referenced an incident that happened at Microsoft in 1995. Bill Gates sent a memo to the whole of Microsoft about the importance of the Internet. This was a key moment in the history of the software industry. He had taken time to increase his view of its importance: “Now I assign the Internet the highest level of importance”. This is an example of a gradual shift in opinion leading to a pivotal shift in direction and the memo to the whole company is evidence of collective responsibility.

As the amount of data increases (Mr. Veryard used a retail example, looking at customer data, store data, and product data), the system only works if there’s enough coordination and integration across the organization to allow it to function intelligently as a whole. Mr. Veryard wrapped up by focusing on enterprise architecture strategy and looking at the two contrasting agendas. We are moving from simplify and unify to differentiate and integrate.

Jericho Forum® Panel Session
Moderator: Stuart Okin, CEO, Comsec Consulting
Panelists included John Arnold, Guy Bunker, Andrew Yeomans, Steve Whitlock

This session was an informal discussion of the topics covered by the security track/Jericho Forum® Conference throughout the day. Moderator Stuart Okin started out with some introductions. Participants included a selection of The Open Group and Jericho Forum members – for example, Thomson Reuters, Barclays, Boeing, Capgemini, Nokia and NASA – as well as some members of the press.

To begin with, there was a focus on why there is currently a need for the Identity Commandments and why identity is such a big issue now. Today’s identity systems are built by single enterprises exclusively to meet their own needs. Companies are trying to do it in what they believe is the cheapest way possible: user name and password. The discussion then moved on to password failure and password fatigue. The biggest problem, panellists said, is that they’re shared so information leaks out and they are also restricted to only 26 characters (or six on a mainframe). Returning to a popular topic of the day, it was remarked that the qualities that make passwords strong are the same ones that make them difficult for humans to use. It is incredibly difficult to educate users to choose something strong and memorable.

The push to a new identity management ecosystem is likely to come from consumers. The Zeus Trojan attacking banks is an example of an issue that will encourage consumers to pressure their banks to find a new way. Identity must be linked to the core ID of the person but single factors are just too weak. Proliferation of the user ID is the issue. The key shift is from the enterprise-centric ‘We’ll cause you to have an identity’ to the user-centric model. At this point, Mr. Seccombe stressed that he is not opposed to an authenticator; he is opposed to a plethora of authenticators.

The discussion concluded with an examination of the practical steps needed to achieve a new identity management ecosystem:

  • Cultural change within organizations
  • A standardized way to move forward
  • Intelligent devices that can identify you by sight and sound

Social Networking

Join The Open Group on social media to get the inside scoop on milestones related to various standards and certification initiatives, thought leadership webinars, conferences, and regional networking events.

Coming together with fellow members of The Open Group not only provides opportunities to exchange information but also to have a voice in shaping the future of IT.


   
   |   Legal Notices & Terms of Use   |   Privacy Statement   |   Top of Page   Return to Top of Page