Gaining Trust

As a follow-up to my look at digital identity yesterday, Tom from HR for the leader in you wrote about gaining trust. In his post he talks about how hierarchies end up lying (at some point) and how, due to their small size, teams cannot lie.

In thinking about this, does that mean that this metadirectory idea will become corrupted? Or, based on the openness of the solution, will small communities be established (essentially identity teams) that comply with the five C’s? The five C’s are:-

  • Competence
  • Community
  • Commitment
  • Communication
  • Cupidity

Something to ponder on my flight to Sydney this morning.

Digital identity a perspective

George Siemens of elearnspace pointed to a couple of papers written last week by Stephen Downes on digital identity (part 1, part 2) which were very interesting. A disclaimer: not being an academic, I personally find Stephen’s work difficult to read, so I might have misunderstood the intent; if so, let me know.

Stephen’s first paper provides the context of the problem he is trying to resolve, while part 2 provides us an answer. Part one covers Identification, Authentication, Privacy, and finally self-identification, and within the paper touches on several of The Laws of Identity from both a positive and a negative perspective. In fact many of his ideas and concepts directly relate to a recent White Paper released by Kim Cameron. So what are the 7 laws of identity? You can either read the white paper or have a look at this old post.

The second part of Stephen’s paper actually provides a set of Perl scripts that implement a digital identity system called “mIDm”. The system looks nice and simple; to quote Stephen:-

* A user declares the name of his or her private website – the location of an mIDm script on their own server (or a server provided by a host, such as an online community of their choosing)
* When the user attempts to access a remote website, the remote website redirects their browser to that mIDm server with an access key (sometimes called a ‘handle’, though I don’t like that name).
* The mIDm server accepts and stores the key. The idea here is that only a person with access to the mIDm server can store that particular key.
* The mIDm server redirects the user back to the remote website.
* Upon the user’s return, the remote website independently requests the key from the mIDm server.
* If the key is returned, then the server accepts that the mIDm address provided by the user is valid, and hence, may request additional information (such as, say, FOAF data) from the mIDm server.

While not a perfect solution, it is a good starting point.

I have been reading some of the posts that have come out of Digital Identity World over the last few days and am finding some interesting (there’s that word again) comparisons with Stephen’s work, such as this post from Kim Cameron where he is quoting an idea from Scott Mace on the concept of an ID-Legal web site:-

“…what we need is a Web site that determines which Web sites and services comply with (the) 7 laws of identity. Maybe it could be modelled on this, and let the visitors vote on the compliance of each particular Web site with the 7 laws.”

Stephen’s system is working along these lines, not 100% but close enough for me. He has defined a nice solution that works on a one to one basis.

If we pick up on Eric Nolan’s post on Law 7 we start to see that what Stephen is proposing is something very much like the “Secure Token Service” or STS. But to do this we will need some standards to ensure communication across the metadirectory is seamless; maybe that is what they are talking about and I am missing the point. Stephen did not seem too impressed with the whole metadirectory idea, but his solution does seem to go down the path of the laws. I wonder whether he intended this or it is a coincidence? What I like about Stephen’s solution is that he has touched on many of the aspects being discussed as part of the broader debate around digital identity, but in a simplified format that non-experts can relate to, which is always a good thing.

Leaving Stephen’s work for a minute, I am all jazzed up about the deeper meaning of the 7th Law, specifically the bit about “consistent experience while enabling separation of contexts”. I have ranted over and over again about the whole user experience, and it seems embedded in these laws that if systems complied with all 7 they would begin to improve the user experience.

This poses some interesting challenges for system designers. How does one build a system that allows the portability, as discussed, but is still simple enough to be used by Joe Average and does not require 100 consultants from a large consulting firm to implement? At the core we need to be able to understand the identity of a person using a workplace tool so that their user experience can be personalised to their specific needs based on their role in the organisation, aka the employee portal. My definition of an “Employee Portal” is a solution that provides a secure, single point of interaction with the organisation, covering information, business processes, and people, personalised to the employee’s role, needs and responsibilities.

Personally I am not able to dig deep enough (if you are, check out these links) into the complexity posed by all of this work within the digital identity space. I am more just a keen observer who really wants to simplify how we provide secure access to systems for employees to use on a day to day basis, and make it easy enough that all systems will implement it. Complexity in the management of identity within enterprises is one of the leading causes of poor people data management; begin to solve identity management and the rest becomes simpler.

Australian Census online

An interesting story was in the Australian IT today on how the 2006 Australian Census will have an option to be completed online. I am not really sure what to make of it. While I think it is a great step forward, I have a healthy scepticism about the security of the system. I know that once I fill in my form the data is entered into a computer, but this is different.

Coupled with that, it also seems I will need to get used to voting online in the upcoming 2006 Victorian elections.

Still, I wonder how the government will ensure my identity online is secure and 100% accurately authenticated. Also, what would happen if a DoS attack or a specifically written worm/virus was to hit the sites?

Background checking service

From blog*on*nymity I found an interview with ZabaSearch’s President & General Counsel Robert Zakari and Chairman Nicholas Matzorkis.

ZabaSearch is yet another personal search/background checking service to enter the now very crowded market. The interview is very interesting, highlighting flaws in the system and process, and should scare the living daylights out of anyone in the US.

What is interesting is that the obvious was not discussed: linkages with ATS vendors.

Blog anonymously

(Via blog*on*nymity)

The EFF have published an interesting item on how to blog anonymously. The post has some good tips and some not so good ones; many are also only relevant if you live in the US, which, while it might be good for a lot of bloggers, does not cut it for the rest of us.

Again, not being an IR/ER expert, I do wonder about these sorts of things: does actively trying to hide your blog when you know the content might get you fired actually make things worse if you do get caught? I guess it would depend on your local legal environment.

A final thought: it is very hard (if not impossible) to really be anonymous on the internet. So it is easier to just “Be Smart”!

Digital IDs at Cebit

Computerworld has an item today talking about digital identity and how some of the work from organisations like Liberty Alliance was starting to make progress on enhancing security online.

While an interesting read, the article really says nothing; I found it filled with PR-type comments and meaningless announcements from big companies. It is sad to see this when so much good work is going on, and a lot is available already in the public domain.

Laws of identity and workplace tools

Kim Cameron has recently published his 7th law of identity management; the laws are:-

  1. The Law of Control
  2. The Law of Minimal Disclosure
  3. The Law of Fewest Parties
  4. The Law of Directed Identity
  5. The Law of Pluralism
  6. The Law of Human Integration
  7. The Law of Contexts

Kim provides a good summary page if you want to get started on understanding the laws in more detail.

Now, reflecting on the 7 laws and where they place us for identity management for workplace technologies:

HRIS systems should be the master source/trigger of an identity for an employee; logically they are the first system to hold information about a new employee, from the recruitment process. From here we need to build a framework to enable the rest of the organisation and the employee to understand and use this “professional identity”. By the very nature of things the HRIS should now hand off control of the identity to an LDAP environment. However, the HRIS still retains control of the people data associated with that employee, not the LDAP environment.

Why is this so? If the employee moves positions in the organisation, this should be facilitated by an online self-service solution in which the HRIS is the first system to know about the change, and as such the information can then be transferred to LDAP. However, this now begins to move out of the identity management area and into data management.

Personally the laws make sense to me and I will be interested to see how/if the laws impact the market and how long it takes for solutions to appear.

Managing digital identity & trust

Just listened to Phil Becker being interviewed by Doug Kaye over at IT Conversation. Phil is one of (maybe the) organisers of the Digital ID World conference that was recently held in Denver this year.

I am finding myself more and more interested in the whole area of digital identity. I have mentioned single sign on (SSO) several times here as I thought it was important, and the HRIS industry has been talking about it for a LONG time, same with the regular IT industry. I am only now beginning to understand what is really required.

Phil spoke about a presentation from Tony Scott, CTO of General Motors, and GM’s experiences in developing a global phone book for their employees. The project took 1 year to complete; the technological portion took about 2-3 months, while the cultural, political and legislative portion took 1 year. GM learnt how they had to deal with the incompatibility between the different privacy attitudes/legislation environments around the globe. Having been through this in the late 90’s at Nortel Networks, working on a single-instance (physically in the US) global SAP HR roll out, I can fully appreciate the issues they had to face. These issues of privacy and cultural differences are going to be some of the biggest issues faced by digital identity.

Phil also spoke about trust and how critical this is for digital identity to succeed, but also recognises that technology cannot generate trust. Trust is probably the biggest change issue faced when deploying workforce applications. When you start placing employee payslips online, processing performance reviews, salary changes, IR action, etc., the employee’s trust in the integrity of the system is paramount. So often I have seen very successful (up until deployment) projects damaged by a poor roll out and change program.

So how do you create trust? Personally I feel you create trust over a period of meeting (or exceeding) the expectations of your customers. Phil confirmed this during the interview.