Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Friday, August 31, 2007

New “Identity & Access Management Services” Report

I’ve just come across this site providing an overview of a new report (to be released in September 2007), titled “Identity & Access Management Services”, by Research&Market:

“The ‘Identity & Access Management Services’ report provides extensive research and rational analysis on the Identity Management industry at a global level. This report has been made to help clients in analyzing the opportunities, challenges and drivers critical to the growth of the identity management service industry. The forecast given in this report is not based on a complex economic model, but is intended as a rough guide to the direction in which the market is likely to move. It is based on a correlation between the past market growth and growth of base drivers….”

Here are some of the key findings of this work, including a list of the issues, facts and players that have been analysed:

Key Findings
  • Identity management services industry is expected to grow at a CAGR of 7.28% over the period 2007 to 2011.
  • It is forecasted that hardware token authentication market will grow at a rate of 10.72% from 2003 to 2009.
  • Increasing investment in identity management-related technologies will further drive the identity management services industry in future.
  • Use of identity management services will curtail administrative time by up to 50%.
  • Identity management services can be applied to different industry verticals like banking, defense, and automotive manufacturing.


Key Issues and Facts Analyzed

  • The market size of the global identity management services industry.
  • Analysis of various challenges and opportunities for the industry.
  • The factors driving growth in this sector.
  • SWOT analysis of key players operating in the industry.

Key Players Analyzed

This section covers the key players operating in the global identity management service industry including BMC Software, Inc., Computer Associates, Novell Inc., Cisco Systems Inc., Accenture, IBM Corporation, Hewlett Packard Co. etc.

Further information is available here, including a “Table of Content”.

The “Industry Analysis” (and related SWOT analysis) and “Future Outlook (2007-2011)” sections might provide some interesting insights into the current status of Identity Management technologies/services and where this area is heading; however, it must be said that this report is not free (and is actually quite expensive …).

--- NOTE: my original HP blog can be found here ---

Thursday, August 30, 2007

Top Challenges and Opportunities in the Identity Management Space

I’ve been invited to be part of a panel at the 4th International Conference TrustBus 2007 (chair: Prof. Gunther Pernul), to discuss “Managing Digital Identities – Challenges and Opportunities”.

In my opinion the top challenges that Identity Management is going to face in the next 5 years are the following:

  • Improve Users’ Control on Their Personal Data (within Devices and Orgs)
  • Enterprise Privacy Management: Automation of Privacy Management and Regulatory Compliance in Enterprises
  • Alignment of Enterprise IdM Practices and Solutions to Business-driven IT Management (ITIL, etc.): Identity Governance, Risk and Assurance Mgmt
  • Secure, Privacy-aware and Trustworthy Federated IdM/SSO
  • Interoperability between various Federated IdM/SSO initiatives
  • Standards to enable Data Exchange between Enterprises/Orgs driven by Security and Privacy Policies and Users’ Preferences
  • Exploitation of Web 2.0 + Identity 2.0 in Enterprises/Organisations …

On the other hand, I believe that the top opportunities are:

  • Improve overall Enterprise IdM Practice and User Experience/Control …
  • New Research & Development Opportunities in the Identity Management Area both at the User and Enterprise sides
  • New Business Opportunities in the Identity Management space in terms of IdM Services, Solutions, Products, …

What is your opinion? Do you have any different view and/or suggestion on challenges and opportunities?

Tuesday, August 28, 2007

UK Public Spending on Identity Management set to Surge to £5.2 billion by 2011

A recent article by Kable, called “Whitehall to boost identity spend by £5.2 billion” reports that:

“Spending on IdM is ready to leap by almost 50% next year from £825m to £1.23bn, propelled by major programmes such as the National Identity Card Scheme, e-Borders, the Police National Database and the National Offenders Management Systems. Total IdM spend in the period 2008-2011 will amount to £5.2bn. This follows a prolonged period of strong growth since 2000 when total IdM spend was just £135m, and maintains the trend of central government being the biggest spender

Behind the growth is the government's well publicised desire to deal with identity fraud, illegal immigration and the threat of terrorism, along with the drive for government bodies to share more information in integrating services. The latter has to include a strong element of IdM to ensure that officials only have access to the information appropriate to their roles. It could, however, run into problems deriving from fears over the development of a "surveillance society", worries over the reliability of databases and biometric technology, the attractions that new systems could provide for fraudsters, and implementation delays.”.

This article says that to obtain a copy of the related Kable report, called “Identity management in the UK public sector until 2011”, it is necessary to contact Matt Phelan on +44 20 7061 3235 or matthew.phelan@kable.co.uk.

Friday, August 24, 2007

OpenId and its Security, Privacy and Trust Issues: Next Steps to Address Them?

I agree with the comments made by Jeff (in a recent post called “Compendium of OpenId Issues”) about current OpenId limitations. I’ve also found the analysis made by Stefan Brands in his post about current OpenId issues very educational and comprehensive.

Of course, I believe that OpenId provides value, but I also see some key limitations and related threats (in terms of privacy, security and trust) when considering it from (1) an end-user perspective and (2) the perspective of potential future adoption of OpenId in enterprise contexts, where “valuable” transactions and/or assets are involved.

Kim Cameron’s post, called “Integrating OpenId with InfoCard”, suggests an interesting approach to mitigate some of these issues (in particular identity phishing) by leveraging InfoCard/CardSpace. I’ve also found on the web other people’s suggestions and ideas on how to solve other specific issues.

However, in general, what is the OpenId community’s reaction to these issues and criticisms? Is there any site or document tracking these issues and describing how the OpenId community plans to address them, along with plans/roadmaps?

Thursday, August 23, 2007

Public Webcast - Identity Enables Mobility with Security: Identity Centric Architecture aligning SOA with Next Generation Networking …

I’d like to create awareness about a potentially interesting webcast, on August 29 (“Identity Enables Mobility with Security: ICA aligning SOA with NGN”), by Rakesh Radhakrishnan (Sun Microsystems):

“Rakesh Radhakrishnan (http://www.identity.futuretext.com/), an IT architect with Sun, joins us to present the second in a series of webcasts exploring the intersection of Identity Management with SOA. Based on experiences Rakesh has had working in the telco sector, Rakesh will explore the strategic significance, market requirements and all the potential possibilities of leveraging Standards based Identity Systems for an Enterprise IT environment (& Enterprise Architecture) and Telecommunication environment to provide a pragmatic view for the future in network convergence and converged services based on Service Oriented Architecture. Specific topics included will be:
  • Overview (Identity for SOA and NGN)
  • Identity for Sensor Networks
  • Identity for Programmable Networks
  • Identity for IMS
  • Identity for OAM
  • Identity for NGN IN
  • Identity for Web Services/ESB
  • Identity for Content/DRM
  • Identity for Devices
  • Identity for Enterprise Networks
  • Identity for Storage and ILM”

More information about this webcast, along with details about (free) registration can be found here.

Tuesday, August 21, 2007

Digital Identity Survey: Identity Authentication …

The identity management community might be interested in taking this survey - “Digital Identity Survey: Identity Authentication”:

“This survey is intended to evaluate individuals' views and opinions on digital identities, specifically in terms of methods of authenticating one's identity. It should take approximately 15-20 minutes. The results will allow us to guide researchers as they design and implement digital identity management technologies. All information collected in this study will be completely anonymous and kept strictly confidential. Data will be stored securely and made available only to the research team, managed by Dr. Annie Antón and Dr. Julie Earp from North Carolina State University. This research is funded by NSF ITR grant #0428554 jointly with Purdue CERIAS.”

Monday, August 20, 2007

“Content-Aware Access Control” and Enterprise Web 2.0…

Web 2.0 is eventually going to have an impact on Enterprises, at least in terms of collaborative tools. Employees, familiar with Web 2.0 mash-up tools, social network tools, etc., (because they use them in their “private lives” …) will gradually find these tools (and related approaches) more and more relevant and useful also in their day-to-day work, in organising their information, generating content and sharing it with other colleagues. This will have an impact on enterprise collaborative solutions. It is already happening …

However, collecting and organising information within enterprises is subject to business rules and to security and privacy constraints. Depending on the level of confidentiality, people’s roles and the current stage of business activities (e.g. a Mergers & Acquisitions process, a security/audit review, a product development, etc.), different “views” and “perspectives” on information need to be provided to different employees for specific reasons. Generated and collected information can be unstructured or only partially structured.

Whilst collaborative and mash-up tools on the web might only need simple access control (or no security at all), a quite different story applies to enterprises. These tools and solutions need to be “adapted” and re-thought in an enterprise context.

I am still looking for additional use cases and business cases for Identity 2.0 in enterprises (see here and here …): however I think that there is an opportunity and a role for “Content-Aware Access Policies” and “Content-Aware Access Control” for Web 2.0 collaborative solutions in enterprises.

Content-Aware Access Policies define fine-grained access control constraints on information (for example, information collected in enterprise collaborative/mash-up tools), by taking into account the type of content, its actual content and contextual parameters (users, their roles, system information, etc.). They reflect business, security and privacy constraints directly on valuable information and content. Part of these policies can be defined directly by the people (employees) generating the “content” and coupled to this content. In this scenario, the definition of access policies itself becomes the result of social/collaborative networks (in enterprise contexts).

Content-Aware Access Control is driven by these policies: it is not only about allowing (or denying) access to a piece of information (as a whole entity), but can provide fine-grained views and perspectives on this information by processing and manipulating the content.

I think there is an opportunity in exploring models and criteria to express these policies and enforce them with “appropriate” access control systems – by leveraging and extending existing Web 2.0 collaborative solutions. I am very interested in knowing your views and comments on this.
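As an added illustration (not code from the original post, and not an existing product), the following Python sketch shows the difference between a plain allow/deny decision and a content-aware view: segment labels attached by the author, the reader’s roles and the current business activity decide whether a segment is shown at all, and inspection of the actual content decides what inside it is masked. The labels, roles, activity names, the account-number pattern and the rules themselves are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One unit of user-generated content plus the labels its author attached to it."""
    text: str
    labels: frozenset


@dataclass(frozen=True)
class Context:
    """Who is asking, with which roles, during which stage of business activity."""
    user: str
    roles: frozenset
    activity: str


@dataclass(frozen=True)
class LabelRule:
    """Which roles may see a label, optionally only during given activities (empty = any)."""
    label: str
    roles: frozenset
    activities: frozenset


@dataclass(frozen=True)
class PatternRule:
    """A pattern found in the actual content is masked unless the reader holds an allowed role."""
    name: str
    pattern: re.Pattern
    roles: frozenset
    mask: str


# Constructed policy set: labels, roles and activity names are hypothetical.
LABEL_RULES = [
    LabelRule("public", frozenset({"employee"}), frozenset()),
    LabelRule("internal", frozenset({"employee"}), frozenset()),
    # M&A material is visible to executives and legal, and only while due diligence is running.
    LabelRule("m&a", frozenset({"exec", "legal"}), frozenset({"ma-due-diligence"})),
    LabelRule("finance", frozenset({"exec", "finance"}), frozenset()),
]
PATTERN_RULES = [
    # Hypothetical 8-digit account numbers are masked for everyone outside finance.
    PatternRule("account-number", re.compile(r"\b\d{8}\b"), frozenset({"finance"}), "[account]"),
]

# Constructed sample page from a collaborative tool; the second segment carries two labels.
DOC = [
    Segment("Project Falcon status: integration workshop scheduled for Q4.", frozenset({"internal"})),
    Segment("Target valuation 42M; escrow account 12345678 at ACME Bank.", frozenset({"m&a", "finance"})),
    Segment("Public FAQ: no changes to customer contracts.", frozenset({"public"})),
]


def segment_visible(seg, ctx, rules=LABEL_RULES):
    """Deny by default: every label on the segment must be permitted for this context."""
    labels = seg.labels or frozenset({"internal"})  # unlabelled content is treated as internal
    for label in labels:
        permitted = any(
            r.label == label
            and r.roles & ctx.roles
            and (not r.activities or ctx.activity in r.activities)
            for r in rules
        )
        if not permitted:
            return False
    return True


def transform_text(text, ctx, rules=PATTERN_RULES):
    """Inspect the content itself and mask patterns the reader's roles may not see."""
    for r in rules:
        if not (r.roles & ctx.roles):
            text = r.pattern.sub(r.mask, text)
    return text


def render_view(doc, ctx):
    """Return the reader's view of the page: visible segments are transformed, others redacted."""
    return [transform_text(s.text, ctx) if segment_visible(s, ctx) else "[redacted]" for s in doc]


if __name__ == "__main__":
    for who in (
        Context("alice", frozenset({"employee"}), "product-dev"),
        Context("bob", frozenset({"exec", "employee"}), "ma-due-diligence"),
        Context("carol", frozenset({"exec", "finance", "employee"}), "ma-due-diligence"),
    ):
        print(who.user, who.activity, render_view(DOC, who))
```

The same page yields three different views: an engineer sees only the internal and public segments, an executive sees the M&A segment only while due diligence is the current activity and with the account number masked, and someone holding the finance role sees it unmasked. The deny-by-default loop in segment_visible is the part worth keeping: a segment carrying two labels is shown only if every label is permitted for that reader in that context.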

Friday, August 17, 2007

An Identity Management Survey for the Financial Sector …

I came across this article by ITWeb (South Africa), called “ID Management Survey call for entries”, highlighting the fact that “The Tshwane University of Technology has constructed an identity management survey, and is inviting public participation to aid with its research”.

The identity management community might be interested in contributing to this survey. NOTE: I didn’t find any link from this University to the survey web site, but the survey site provides some contacts to ask questions to.

The article says that “The faculty of ICT aims to use the results of the survey to develop a generic implementation model for identity management in the financial sector.” The survey web site also says that “This will help identify to what extent different organisations agree on what identity management entails, as well as what the requirements are for implementing an identity management solution”.

Wednesday, August 15, 2007

On Privacy Enhancing Technologies (PETs) …

I would recommend reading a recent post published in “Blog*on*nymity: blogging on the Identity Trail”, titled “PETs are Dead: Long live to PETs”.

The author provides an interesting analysis of Privacy Enhancing Technologies (PETs) from different perspectives:
  • PET as a personal tool/application
  • PET as a security technology
  • PET as a data minimisation tool
  • PET as expressing the Fair Information Principles
The author also discusses some of the current reasons that have slowed the adoption of PET technologies, in particular within enterprises, and the importance of not just focusing on applications but also having a more “holistic” approach, and suggests reasoning in terms of the underlying technologies that enable PETs.

Having worked for a while in the privacy management space (e.g. on privacy-aware access control and privacy-aware information lifecycle management) I tend to agree there are adoption barriers (in enterprises and organisations) when talking about PET technologies/approaches/architectures/solutions. Enterprises and organisations tend to make privacy-related decisions based not necessarily on technologies/solutions but primarily on risk management and cost/benefit analysis.

Most current enterprise privacy management approaches focus on “human processes” and “compliance checking” aspects – i.e. identifying if and when privacy policies/laws have been violated and reporting/reacting to violations. Obviously this approach is showing its limits, considering the increasing number of identity thefts and privacy violations.

In the medium/long-term the attention might indeed turn to PET technologies but I think that to make this happen there should be stronger “financial+accountability” consequences to privacy violations: this might happen if privacy laws/legislation are “shaped” in the same way SOX legislation is, for corporate governance …

--- NOTE: use this mirror blog to post anonymous (un-authenticated) comments ---

Tuesday, August 14, 2007

On Federated Policy Management in Enterprises: Episode II …

In June I published a post about “Federated Policy Management”:

“Policies are used to drive access control decisions and enforce accesses to resources. How to “synchronise” policies that are used at different levels of abstraction – in complex telecom or enterprise environments?
Ideally an organisation might want to define high-level policies, check for their compliance and manage them in a centralised way. However, the idea of having a general purpose policy language is unfeasible, given the current legacy systems and the complexity of the real world.
In practice, different policies are defined and enforced at each different IT layers (e.g. network, system, OSs, middleware, application/services, etc.). Keeping these policies aligned with (high-level) business and security objectives and fully understanding the impact of local changes to the global context is often a challenging experience.”

In other words, the problem is how to “align” and keep consistent high-level policies with a multitude of lower-level policies, each of them potentially having their own operational context, their policy-decision-points (PDPs) and policy-enforcement-points (PEPs).

The idea of having a “Federation of Policies” would imply:
  • Having a model of these multiple policies (syntax, semantics, ontology, etc.);
  • Mapping dependencies between policies (that apply at the same IT layer and/or across IT layers);
  • Having mechanisms to propagate changes top-down and bottom-up, depending on needs;
  • Having “federated” mechanisms to translate these changes into policy modifications, at the right policy levels …
  • Having a model of involved IT infrastructure (PEPs, PDPs, etc.) and associated requirements;
  • Having (centralised?) supervision of all these policies, security, their auditing and compliance checking.

Has anybody in this community come across solutions or approaches to this problem?
Any other alternative approach to be aware of?
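One way to make the “federation of policies” idea concrete, as an added Python example (not from the original post, and not an existing product): high-level policies are mapped top-down into the grants each IT layer should enforce, the grants actually deployed are reconciled against them, and a single low-level grant can be traced bottom-up to the business policy that justifies it. The roles, resource classes, layers and mapping tables are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HighLevelPolicy:
    """Business-level statement: a role may perform an action on a class of resources."""
    role: str
    resource: str
    action: str


@dataclass(frozen=True)
class Grant:
    """Concrete rule enforced by one IT layer's PEP (a DB grant, a filesystem ACL entry, ...)."""
    layer: str
    principal: str
    target: str
    privilege: str


# Constructed mapping model: how roles, resource classes and actions are realised per layer.
# Every role/resource/action used in a policy must be mapped for each layer it touches.
ROLE_MAP = {
    "database": {"hr-analyst": "HR_ANALYSTS", "payroll-admin": "PAYROLL_ADMINS"},
    "filesystem": {"hr-analyst": "hr-analysts", "payroll-admin": "payroll-admins"},
}
RESOURCE_MAP = {
    "payroll": {"database": ["hr.payroll"], "filesystem": ["/srv/hr/payroll-exports"]},
    "staff-directory": {"database": ["hr.employees"]},
}
ACTION_MAP = {
    "database": {"read": ["SELECT"], "write": ["INSERT", "UPDATE"]},
    "filesystem": {"read": ["r"], "write": ["w"]},
}

POLICIES = frozenset({
    HighLevelPolicy("hr-analyst", "payroll", "read"),
    HighLevelPolicy("payroll-admin", "payroll", "write"),
    HighLevelPolicy("hr-analyst", "staff-directory", "read"),
})

# Constructed snapshot of what the layers currently enforce: one grant is missing
# and one (UPDATE for analysts) was added locally without any business-level policy.
DEPLOYED = frozenset({
    Grant("database", "HR_ANALYSTS", "hr.payroll", "SELECT"),
    Grant("database", "HR_ANALYSTS", "hr.payroll", "UPDATE"),
    Grant("database", "HR_ANALYSTS", "hr.employees", "SELECT"),
    Grant("database", "PAYROLL_ADMINS", "hr.payroll", "INSERT"),
    Grant("database", "PAYROLL_ADMINS", "hr.payroll", "UPDATE"),
    Grant("filesystem", "payroll-admins", "/srv/hr/payroll-exports", "w"),
})


def derive_grants(policies):
    """Top-down: translate high-level policies into the grants each layer must hold."""
    grants = set()
    for p in policies:
        for layer, targets in RESOURCE_MAP[p.resource].items():
            principal = ROLE_MAP[layer][p.role]  # KeyError here means the mapping model is incomplete
            for target in targets:
                for privilege in ACTION_MAP[layer][p.action]:
                    grants.add(Grant(layer, principal, target, privilege))
    return grants


def reconcile(policies, deployed):
    """Compare what the business policies require with what the layers actually enforce."""
    expected = derive_grants(policies)
    return {"missing": expected - set(deployed), "unjustified": set(deployed) - expected}


def justify(grant, policies):
    """Bottom-up: the high-level policies that explain a concrete grant (empty set = drift)."""
    return {p for p in policies if grant in derive_grants({p})}


def plan_change(old_policies, new_policies):
    """Propagate a high-level policy change into per-layer grant and revoke lists."""
    before, after = derive_grants(old_policies), derive_grants(new_policies)
    return {"grant": after - before, "revoke": before - after}


if __name__ == "__main__":
    print(reconcile(POLICIES, DEPLOYED))
    print(justify(Grant("database", "HR_ANALYSTS", "hr.payroll", "UPDATE"), POLICIES))
    print(plan_change(POLICIES, POLICIES - {HighLevelPolicy("hr-analyst", "staff-directory", "read")}))
```

The mapping tables are the “model” of the policies and of the involved infrastructure; reconcile reports both directions of drift (a grant missing at a layer, and a grant added locally with no business-level justification), and plan_change turns a change to the high-level policies into concrete grant/revoke lists for each layer.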

Monday, August 13, 2007

On Company Policies and Impact on Identity Theft …

Ian Williams’ article, titled “Poor company policy aids identity thefts”, provides an overview of a recent report by Experian:

“Many businesses are still in the dark ages when it comes to making sure customers are who they say they are, reveals a new report by risk management experts Experian.
The report shows that 70 per cent of financial services companies still rely on fraud-friendly paper documents to authenticate a person's identity, and 36 per cent of retailers and 40 per cent of telecommunications companies are still doing it.
According to the survey too many industries are left hamstrung by their reliance on the use of passports, utility bills and driving licences for authentication, despite the fact that electronic systems are generally considered to be safer and faster for all concerned. The report is based on interviews with 1,500 consumers and anti-fraud, risk and compliance experts from 70 businesses in the UK.”

It would be interesting to have a comparative analysis across different countries (e.g. in EU, US, etc.) showing the impact that different companies’ policies have on identity theft.

Saturday, August 11, 2007

Digital Identities, Infrastructures and Government-related Initiatives…

Two interesting articles have been recently published on topics related to digital identities, infrastructures and government-related initiatives:

1) An article by Maggie Biggs, titled “National Id? What about a Global ID?” reports about FIXs, the Federation for Identity and Cross-Credentialing Systems:

“FIXs, a little-known group of non-profits, government contractors, commercial entities, and government agencies -- has just unveiled a first-of-its-kind global infrastructure to support distributed, integrated identity management and cross-credentialing across organizations. The implementation combines several existing security technologies along with a set of trusted models, policies, and operating rules to insure the accurate identity of personnel accessing physical sites or logical systems. Already in a pilot mode at a handful of government agencies and defense contractors, the FiXs identity management initiative does not have a hard date for broad deployment, although the impediments do not appear to be technical. …”

2) An article by Michael Holden, titled “Britain begins ID card procurement process” reports about the launch, on Thursday, of the ID Card procurement process:

“LONDON (Reuters) - Britain launched on Thursday the selection process to choose companies to run its multi-billion pound national identity card scheme, the world's most ambitious biometric project. Prime Minister Gordon Brown's government described the move as "another milestone" towards the controversial compulsory scheme, which is expected to cost more than 5 billion pounds over the next decade.”

Friday, August 10, 2007

Part II: Enterprise Use Case for OpenId and/or InfoCard …

Thanks to James McGovern for his input and his articulated reply to my comments. James, I see we have some different views in terms of B2B and outsourcing, at least concerning potential deployments of OpenID or InfoCard. I see your points and I found them useful to better understand your perspective.

The key reason, at this stage, for asking for enterprise use cases for OpenId and InfoCard in enterprise is primarily curiosity and interest in better understanding this space. Most of my IdM R&D work is actually “enterprise-centric”: I am keen to explore how recent “user-centric” trends might impact the enterprise.

Going back to this initial question, any additional input or view from the Community would be welcome.

Thursday, August 9, 2007

Report - “Audit & Compliance Professionals: Survey on Identity Compliance”

A new report has been released by Ponemon Institute, called “Audit & Compliance Professionals: Survey on Identity Compliance”.

Based on an overview document provided by Ponemon, this survey reveals that “despite the importance internal auditors and corporate compliance professionals place on ensuring proper access to systems and data, .., the majority report inadequacies in current practice. 82% say a risk-based approach would be more effective. … Audit and compliance professionals are clearly struggling to gain control over issues at the heart of IT compliance, knowing who has access to what in your organisation”

In a nutshell, “this survey confirms poor communication, inefficiencies cripple IT compliance efforts”. The views of auditors and corporate compliance staff are examined. Findings from analysis of 845 responses indicate a set of inadequacies, including:

  • Reliance on Manual Processes;
  • Lack of Centralised Control;
  • Poor Collaboration and Communication;
  • Inattention to Business Risks.

More details about findings and instructions about how to download this report can be found here.

Wednesday, August 8, 2007

ISTPA - Analysis of Privacy Principles: Making Privacy Operational

A report has been recently released by the International Security Trust & Privacy Alliance (ISTPA) that might be of interest to this community. It is called “Analysis of Privacy Principles: Making Privacy Operational” (and is available online for download):

“This recently completed study looks in depth at 12 major global privacy instruments, and derives a set of core privacy 'requirements' which can be useful for governments and businesses evaluating options for designing and implementing operational privacy controls.”

More on the “Enterprise IdM Risk Management” Service …

Yesterday I provided more details about my view of the “Enterprise Identity Registry” Service (a.k.a. “Enterprise Identity Census” Service, a.k.a. “Enterprise Identity Tracing” Service, …). As discussed, this service (leveraging a mixture of manual and automated processes) stores and manages a rich (hopefully up-to-date …) set of metadata about data repositories (of various types) that contain identity and personal information.

As anticipated, this service provides the foundation for the “Enterprise IdM Risk Management” Service. More generally, the “Enterprise IdM Risk Management” Service is fed with the following information:

  • Metadata about identity information stored in various data repositories;
  • Other events/logs of relevance, collected directly from controlled data repositories and/or other solutions already dealing with this aggregation of information;
  • Knowledge base consisting of policies (rules) on how data should be used/processed/managed, dictated by security, privacy and business constraints;
  • Representation of Risks for identity information (based on known contexts and processes), related Threats and mitigation information: this information is linked to the policy-driven knowledge base mentioned above;
  • Exceptional cases/situations to be handled in specific ways.

In my view, the “IdM Risk Management” Service should provide (at least) two basic types of functionalities:

  • Risk Detection and Management: identity metadata and collected events are periodically checked against the knowledge base, to identify potential risks and threats, send alerts and propose mitigation steps. For example, this functionality should be able to detect that a “copy” of a set of identity data has been made in a location where this data cannot be stored (let’s say due to privacy policies), or that some content of a data repository should be deleted because its retention period has expired, identify the related risks and alert administrators/responsible people;
  • What-if Risk Analysis/Decision Support: this service can provide decision support (based on what-if analysis) using contextual information provided by the user, the existing knowledge base and risk/threat models. For example, a user/administrator might ask what happens if they make a copy of a data repository from one location to another, or if they store personal data on their laptop, etc. This service should highlight potential risks/threats and suggest mitigations.

This service is quite interesting from an R&D perspective and in terms of the potential (business) value it can provide. Of course much work has already been done (and technologies developed) in the areas of Risk Management, Decision Support Systems and What-if Analysis.

However, I believe there is an opportunity (and R&D challenge) in applying these techniques (and potentially related technologies) in the specific context of Enterprise Identity Management and providing simple-to-use services, accessible to employees and eventually to business partners and end-users.

Tuesday, August 7, 2007

More on the “Enterprise Identity Census” Service …

In a previous post I discussed the importance for enterprises of keeping track of their “digital identity assets” and some related issues. I shared some thoughts about two “next-generation identity services” that could help improve the current situation: the “Enterprise Identity Registry” Service and the “IdM Risk Management” Service.

Here are some additional thoughts about the “Enterprise Identity Registry” Service: actually, a better name for this service could be “Enterprise Identity Census” Service or “Enterprise Identity Tracing” Service …

As anticipated, this service aims at being a secure, comprehensive “registry” of all enterprise data repositories containing digital identity information, within an enterprise. The goal of this service is to improve “identity data governance” by ensuring that the enterprise, in a centralised way, knows where collected “identity data” is stored and can reason on top of it, in terms of risks and potential threats. Registered data repositories could potentially be of any type, including RDBMS databases, LDAP directories, meta/virtual directories, files, etc.

Whilst this service does not aim at storing any personal data, it nevertheless provides “meta-information” about related data repositories and their content. For each “registered” data repository, associated metadata includes information about the types of identity data stored, reasons/purposes for collecting this data, owner(s) of the data repository, people that are accountable and responsible and any related policy (e.g. deletion policies, privacy obligations, etc.).

How to make this “Identity Service” relevant in an enterprise? How to ensure that it is going to be populated and kept up-to-date? I envisage a hybrid approach involving:
  • Definition of enterprise policies and guidelines asking employees that manage/copy/deal with identity information to register information about related “data repositories”, for example via a web portal. Doing this might be part of “good ethical” behaviour each employee has to comply with – to deal with enterprise security and privacy guidelines;
  • Deployment of an automated discovery solution to search the enterprise intranet for (various types) of “data repositories”, check against (already) registered locations and potentially trigger alerts. This area is particularly interesting from an R&D perspective because of the hard problems to be solved, such as how to “characterise” potential “targets” during the search, how to minimise “false positives” and the set of missed targets.

I keep researching on this. Your comments and thoughts are welcome …

Monday, August 6, 2007

ID Cards: Business vs Government priorities …

I’ve just read an interesting article, called “Firms call for Clarity on ID Cards”, by James Murray, IT Week, describing the complexity of rolling out ID Cards (in this case in UK) and different priorities between businesses and government …

Saturday, August 4, 2007

Any Enterprise Use-Case for OpenId and/or InfoCard?

I am looking for OpenId and/or InfoCard use-cases in an Enterprise context.

About OpenId, I’ve found some related material in the OpenIdBook, a collection of OpenId questions from Enterprises (in Johannes Ernst’s blog). About InfoCard, so far I’ve found an interesting transcript of a discussion involving Kim Cameron, Craig Burton and Aldo Castaneda and a post on Kim’s blog.

Any additional reference to material (documents, papers, web-sites, etc.) discussing enterprise use-cases for OpenId and/or InfoCard, would be welcome. Thanks.

Friday, August 3, 2007

Next-Generation Identity Services: “Enterprise Identity Registry” and “IdM Risk Management” Services

Medium-large enterprises face the problem of how to track their “digital identity assets”. It is easy to lose track of this data: identity information (about employees, customers, business partners, contacts, etc.) is often collected by different groups and organisations within an enterprise, to satisfy business objectives. Copies of (part of this) personal data can be made by employees, salesmen, etc. on their personal systems to simplify their work and avoid connectivity issues whilst travelling. Quite often, these teams and people operate in isolation. There is usually “local knowledge” of what happens but little awareness and coordination at a centralised enterprise level. This can create inconsistencies, data redundancies and uncontrolled data proliferation – without meeting security and privacy policy requirements: this has serious implications in terms of lack of data control and governance, identity thefts, etc.

I see the opportunity for researching and developing new Enterprise Identity Services that could help address some of these issues. In particular:

1) Enterprise Identity Registry Service: this service, available within the enterprise (and, with some degrees, to business partners and customers), provides a centralised, enterprise-based “registry” keeping track of:

  • Where identity information is stored (i.e. data repository locations, their properties, etc.);
  • Which type of information is stored (*not* the actual information, just the kind of data);
  • Purposes and reasons for storing data, along with related policies;
  • Type of security and privacy capabilities of the data repository;
  • Who is responsible and accountable; etc.

It is important to notice that this service *does not* store any personal data or information, just knowledge about its existence across the enterprise. Advanced versions of this service will have “event monitoring” functionalities on registered data repositories (to identify potential anomalies or suspicious activities) and “alerting” capabilities;

2) IdM Risk Management Service: this service, to be used by CIOs, privacy/security officers, business people, employees - involved in the management/access/usage of personal data - leverages “decision support” capabilities to assess risks of dealing with identity information (for example when creating new identity repositories, copying information, developing applications/services accessing data, etc.) and suggest “risk mitigation” steps. This service would be based (among others) on metrics and information gathered from the “Enterprise Identity Registry”, a model of data, related policies and a knowledge-base of risks and suggested mitigation steps.

To become a valuable service for the enterprise, the “Enterprise Identity Registry” has to be populated, kept up-to-date and properly secured (otherwise, it could itself become the target of attacks …). Part of this can be achieved by educating employees (and enforcing responsibilities and accountability); part of it could potentially be automated. Similarly, the “IdM Risk Management Service” needs to be kept updated in terms of knowledge base, metrics and policies to make it useful and valuable.

Some of the emerging enterprise ITIL initiatives, Web 2.0, social network and collective knowledge trends can be used to achieve some of these goals and develop related solutions. I will expand on these concepts and my thoughts in future posts – as I keep researching and exploring this space, collecting requirements and assessing the actual business value and related interest.

What do you think about these types of Identity Services? Would they be of real value to your organisations and work environments? Any comment?
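An added Python sketch of the two services (not code from the original posts, and not an existing product; it also serves the Risk Detection and What-if functions described in the August 8 post above): the registry holds only metadata about each repository, and one check function drives both the periodic sweep and the what-if question “what if I copy this repository to that location?”. The data types, zones, retention limits, repository names, owners and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Repository:
    """Registry entry: metadata about a store of identity data, never the data itself."""
    repo_id: str
    location: str          # zone the store lives in, e.g. "eu-dc", "us-dc", "laptop"
    data_types: frozenset  # kinds of identity data held
    purpose: str
    owner: str             # accountable person or team
    collected: date        # when the data was collected (retention clock starts here)
    retention_days: int


@dataclass(frozen=True)
class Finding:
    repo_id: str
    rule: str
    severity: str
    mitigation: str


# Constructed knowledge base: where each kind of data may live and the longest allowed retention.
ALLOWED_ZONES = {
    "name": {"eu-dc", "us-dc", "laptop"},
    "email": {"eu-dc", "us-dc", "laptop"},
    "ssn": {"eu-dc", "us-dc"},
    "health": {"eu-dc"},
}
MAX_RETENTION_DAYS = {"ssn": 365, "health": 180}

TODAY = date(2007, 8, 3)

# Constructed registry: repository names, zones, owners and dates are hypothetical.
REGISTRY = [
    Repository("crm-main", "eu-dc", frozenset({"name", "email"}), "customer support", "crm-team", date(2006, 1, 10), 730),
    Repository("hr-health", "eu-dc", frozenset({"name", "health"}), "occupational health", "hr", date(2007, 5, 1), 180),
    Repository("sales-laptop-7", "laptop", frozenset({"name", "email", "ssn"}), "travel copy of crm-main", "sales", date(2007, 7, 20), 30),
    Repository("marketing-archive", "us-dc", frozenset({"name", "email"}), "campaign 2005", "marketing", date(2005, 3, 1), 365),
]


def check_repository(repo, today):
    """Evaluate one registry entry against the knowledge base and return findings with mitigations."""
    findings = []
    for dt in sorted(repo.data_types):
        zones = ALLOWED_ZONES.get(dt)
        if zones is None:
            findings.append(Finding(repo.repo_id, "unclassified-data", "medium",
                                    f"classify data type {dt!r} before it is stored"))
        elif repo.location not in zones:
            findings.append(Finding(repo.repo_id, "location", "high",
                                    f"remove {dt} data from {repo.location}; allowed zones: {sorted(zones)}"))
        cap = MAX_RETENTION_DAYS.get(dt)
        if cap is not None and repo.retention_days > cap:
            findings.append(Finding(repo.repo_id, "retention-policy", "medium",
                                    f"reduce retention for {dt} data to at most {cap} days"))
    if today - repo.collected > timedelta(days=repo.retention_days):
        findings.append(Finding(repo.repo_id, "expired", "high",
                                "delete the data or re-justify keeping it; retention period has elapsed"))
    return findings


def scan_registry(registry, today):
    """Risk detection: periodic sweep of every registered repository."""
    return [f for repo in registry for f in check_repository(repo, today)]


def describe_copy(registry, source_id, new_id, location, owner):
    """A copy inherits data types, purpose, collection date and retention; only location and owner change."""
    src = next(r for r in registry if r.repo_id == source_id)
    return Repository(new_id, location, src.data_types, src.purpose, owner, src.collected, src.retention_days)


def what_if_copy(registry, source_id, location, today):
    """Decision support: findings a proposed copy would raise, without registering it."""
    return check_repository(describe_copy(registry, source_id, "proposed-copy", location, "?"), today)


if __name__ == "__main__":
    for f in scan_registry(REGISTRY, TODAY):
        print(f)
    print(what_if_copy(REGISTRY, "hr-health", "us-dc", TODAY))
```

The registry entry deliberately carries no personal data, only the kinds of data, purpose, owner, collection date and retention period. A copy inherits the source’s collection date, so copying an already-expired repository is flagged as expired in the proposed location as well, and a laptop copy of a repository containing SSNs is flagged before the copy is made rather than discovered afterwards.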

Wednesday, August 1, 2007

WebCast - An Overview of the Identity Governance Framework (IGF): Putting Privacy and Regulatory Compliance First (August 15, 2007 8:00-9:00AM PT)

A webcast is going to take place on August 15, 2007 8:00-9:00AM (Pacific Time) on the following topic: “An Overview of the Identity Governance Framework (IGF): Putting Privacy and Regulatory Compliance First”.

I’ve been involved in the IGF initiative and I believe it has good potential, considering that it is also moving in an open source direction: getting feedback and input from the audience would really be valuable.

Please register at https://ieee-istolargeroom.webex.com/ieee-istolargeroom/k2/j.php?ED=91218422&UID=14126787

More details about this webcast, including contacts, are available online:

“The secure and appropriate exchange of identity-related information between users and applications and service providers (both internal and external) is the basis of providing deeper and richer functionality for service oriented architecture. Sensitive identity-related data such as addresses, social security numbers, bank account numbers and employment details are increasingly the target of legal, regulatory and enterprise policy, such as the European Data Protection Initiative, Sarbanes-Oxley, PCI Security standard and Gramm-Leach-Bliley. The Id Governance initiative assists entities managing identity data with increased transparency and demonstrable compliance with respect to policies for identity-related data. It would allow corporations to answer questions such as: Under what conditions may user social security numbers be accessed by applications? Which applications had access to customer account numbers on January 27, 2007? The market requirements document (MRD) for Identity Governance, defining these needs as well as other use cases, has been recently completed by the Liberty Alliance and development of code is underway in two places: openLiberty.org and in the Technology Expert Group (TEG) within Liberty. In this webcast, the two project leads, Prateek Mishra and Phil Hunt, and Liberty's Executive Director, Brett McDowell, will discuss what Identity Governance is, the use cases it addresses and how it applies to you as an individual as well as enterprises working to protect your privacy.”