By Patty Donovan, The Open Group
Over 300 tweets were posted during The Open Group’s initial tweet jam, which took place this week on Tuesday morning! The hour of spirited conversation included our expert panel, as well as other participants who joined in the discussion, including:
- Bob Blakley (@bobblakley)
- Geoff Brunkhorst (@gbrunkhorst)
- Allen Brown, The Open Group (@allenbrownopen)
- Ericka Chickowski, Dark Reading (@ErickaChick)
- Andy Ellis, Akamai (@csoandy)
- John Fontana, ZDNet – Identity Matters (@johnfontana)
- Dana Gardner, ZDNet – BriefingsDirect (@dana_gardner)
- Dazza Greenwood, MIT (@dazzagreenwood)
- Jim Hietala, The Open Group (@jim_hietala)
- Dave Lounsbury, The Open Group (@technodad)
- E. G. Nadhan, HP (@NadhanAtHP)
- Wendy Nather, The 451 Group (@451wendy)
- Paul Simmonds, Jericho Forum (@simmonds_paul)
- Mike Simons, Computerworld UK/Techworld.com (@ITjournalist)
- Gene Spafford, Purdue University/CERIAS/CSSCS/USACM (@TheRealSpaf)
- Eric A. Stephens, Oracle (@EricStephens)
- Nick Owen, WiKID Systems (@wikidsystems)
If you missed the event this time, here’s a snapshot of how the discussion went:
Q1: What are the biggest challenges of #idM today? #ogChat
Many agreed that regulations at the federal and business levels are inadequate today. Other big challenges include the lack of funding, managing people not affiliated with an organization and the various contexts surrounding the issue. Here’s a sampling of some of the tweets that drove the discussion:
- @jim_hietala: For users, managing multiple identities with strong auth credentials across myriad systems #ogChat
- @ErickaChick: Q1 Even when someone writes a check, no one usually measures effectiveness of the spend #ogChat
- @dazzagreenwood: #ogchat biggest challenges of #IdM are complexity of SSO, and especially legal and business aspects. #NSTIC approach can help.
- @EricStephens: @theopengroup q1: it can be challenging for orgs to get the funding to fully blueprint and impl their #idm architectures. #ogchat
- @Dana_Gardner: Biggest challenges of ID mgmt today are same ones as 10 years ago, that’s the problem. #ogchat #IdM
Although our participants agreed that governments should have a central role in creating standards, questions about boundaries, members and willingness to adopt emerged. Dana Gardner pointed out the need for a neutral hub, but will competitors be willing to share identities with rival providers?
- @JohnFontana: Q2 NSTIC is 1 example of how it might work. They intend to facilitate, then give way to private sector. Will it work? #ogchat
- @Dana_Gardner: This is clearly a government role, but they dropped the ball. And now the climate is anti-regulation. So too late? #ogChat #IdM
- @simmonds_paul: @Dana_Gardner Ever tried entering country with your corp. ID? (other than Canada) – Standards (such as your Passport) need to exist #ogchat
- @Technodad: @simmonds_paul @dana_gardner Agree. Evidence that problem isn’t tech, but regulatory and business. #ogChat #idm
- @gbrunkhorst: Corps have the ability to span geopolitical boundaries. any solution has to both allow this, and ‘respect borders’ (mutually Excl?)
The panelists opposed the idea of creating a single identity ecosystem, and noted that the key issues in developing one rest on trust and assurance between provider and user. Paul Simmonds from the Jericho Forum noted that there are no intersections between the providers of identity management (providers, governments and vendors).
- @ErickaChick: Q3 So many IT pros forget that #IdM isn’t a tech prob, it’s a biz process prob #ogChat
- @wikidsystems: @NadhanAtHP I have more than one personality online. #ogChat #idM
- Response from @NadhanAtHP: @wikidsystems Just curious why you “want” multiple ecosystems? What is wrong if we have one even though it may be idealist? #ogChat #idM
- Response from @wikidsystems: Q3 to be clear, I don’t want one identity eco system, I want many, at least some of which I control (consumer). #ogChat
- @EricStephens: @theopengroup Q3 time, time. #idm experts within companies are consumed with operational concerns. Need time to architect it #ogchat
- @451wendy: Q3 Context validation for identity attributes. We all use the Internet as citizens, customers, employees, parents, students etc. #ogChat
- @451wendy: “@TheRealSpaf: regulation of minimal standards for interoperability and (sometimes) safety are reasonable. Think NIST vs Congress.” #ogChat
- Response from @csoandy: “@451wendy @TheRealSpaf have you read some of the requirements in NIST 800-53? They’re not really “reasonable” #ogChat
Q4: Identity attributes may be valuable and subject to monetization. How will this play out? #ogChat
The issue of trust continued in the discussion, along with the idea that many consumers are unaware that the monetization of identity attributes occurs.
- @ErickaChick: @theopengroup Q4 This seems like a privacy nightmare to me #ogChat
- Response from @JohnFontana: Q4 @ErickaChick depends on who you trust with your attributes #ogchat #exostar #covisint
- @Technodad: Q4: How about portability? Should I be able to pick up my identity and move to another #idm provider, like I can move my phone num? #ogchat
- @NadhanAtHP: Q4 Identity attributes along with information analytics & context will allow for prediction and handling of security violations #idM #ogChat
- @JohnFontana: Q4. @Dana_Gardner the password is a dead man walking. #ogchat
Q5: How secure are single sign-on (#SSO) schemes through Web service providers such as #Google and #Facebook? #ogChat
There was almost unanimous agreement on the insecurity of these providers, but other questions were also raised.
- @simmonds_paul: Q5. Wrong question, instead ask why you should trust a self-asserted identity? #ogchat
- @dazzagreenwood: Q5 #ogchat The real question is not about FB and Google, but how mass-market sso could work with OpenID Connect with *any* provider
- @Dana_Gardner: Q5. Issue isn’t security, it’s being locked in, and then them using your meta data against you…and no alternatives. #SSO #ogChat #IdM
- @JohnFontana: Q5. @simmonds_paul agreed. But prob. now is in some contexts right now I can also prove I am you. #ogchat
- Response from @allenbrownopen: @JohnFontana wouldn’t suggest you try that at immigration
- @NadhanAtHP: Q5 Tracking liability for security violations is a challenge with #SSO schemes across Web Service Providers #idM #ogChat
Q6: Is #idM more or less secure on #mobile devices (for users, businesses and identity providers)? #ogChat
Even though time was running short and we could not devote the same amount of attention to the final question, our participants offered interesting perspectives on how we actually feel about mobile security.
- @jim_hietala: Q6. Mobile device (in)security is scary, period, add in identity credentials buried in phones, bad news indeed #ogChat
- @simmonds_paul: Q6. I lose my SecureID card I worry in a week, I lose Cell Phone I may worry in an hour (mins if under 25) – which is more secure? #ogchat
- @dazzagreenwood: Q6 #ogchat Mobile can be more OR less secure for #ID – depends on 1) implementation, 2) applicable trust framework(s).
- @Technodad: @jim_hietala Q6: Mobile might make it better through physical control – similar to passport. #ogChat
Thank you to all the participants who made this possible, and please stay tuned for our next tweet jam!
Patricia Donovan is Vice President, Membership & Events, at The Open Group and a member of its executive management team. In this role she is involved in determining the company’s strategic direction and policy as well as the overall management of that business area. Patricia joined The Open Group in 1988 and has played a key role in the organization’s evolution, development and growth since then. She also oversees the company’s marketing, conferences and member meetings. She is based in the U.S.