We must understand the past to not repeat it.

Please see the prior post and the post before about how we got to discussing this.

We can not forget that the Holocaust was enabled by the IBM corporation and its Hollerith machine.  How did this happen? What were these systems? How did they work? and particularly how did the private sector corporation IBM end up working a democratically elected government to do very horrible things to vast portions of its citizenry? These are questions we can not ignore.

In 2006 Stefan Brands gave a talk that made a huge impression on me he warned us and audience of very well meaning technologists that we had to be very careful because we could incrementally create a system that could lead to enabling a police state. It was shocking at the time but after a while the point he was making sunk in and stuck with me. He shared this quote (this slide is from a presentation he gave around the same time)

Stefan

It is the likability that is the challenge.

We have to have the right and freedom NOT to be required to use our “real name” and birthdate for everything.

This is the defacto linkable identifier that the government is trying to push out over everything so they can link everything they do together.

Stephan proposes another Fair Information Principle.

Stefan6

I will share more of Stephan’s slides because I think they are prescient for today.

Stephan’s slides talk about User-Centrism technology and ideas in digital identity – ideas that have virtually no space or “air time” in the NSTIC discussions because everything has been broken down (and I believe intentionally so) into “security” “standards” “privacy” “trust frameworks” silos that divide up the topic/subject in ways that inhibit really tackling user-centrism or how to build a working system that lives up to the IDEALS that were outlined in the NSTIC document.

I have tried and tried and tried again to speak up in the year and a half before the IDESG and the 2 years since its existence to make space for considering how we actually live up to ideals in the document.  Instead we are stuck in a looping process of non-consensus process (if we had consensus I wouldn’t be UN-consensusing on the issues I continue to raise).  The IDESG are not taking user-centrism seriously, we are not looking at how people are really going to have their rights protected – how people will use and experience these large enterprise federations.

Yes everyone that is what we are really talking about…Trust Framework is just a code word for Enterprise Federation.

I went to the TSCP conference a big defence/aerospace federation (who was given NSTIC grants to work on Trust Framework Development Guidance) where this lovely lady Iana from Deloitte who worked on the early versions of NSTIC and potential governance outlines for IDESG – she said very very clearly “Trust Frameworks ARE Enterprise Federations” and it was like – ahhh a breath of fresh clear honest air – talking about what we are really talking about.

So back to the Stephan Brands re-fresher slides on user-centric ID so we don’t forget what it is.

 

Stefan5

 

Stefan4

 

Stefan2

 

 

 

 

 

Stefan3

 

 

Stefan2

Look at these, take them seriously.

 

Dear IDESG, I’m sorry. I didn’t call you Nazi’s.

The complaint  by Mr. Ian Glazer was that I called my fellow IDESG colleagues Nazi’s. He was unsatisfied with my original statement about the tweet on our public management council mailing list.  Some how this led to the Ombudsman taking on the issue and after I spoke with him in Tampa it was followed by a drawn out 5 week “investigation” by the Ombudsman before he issued a recommendation.  During this time I experienced intensive trolling about the matter on twitter itself.

Here is the tweet that I authored while pondering theories of organizational dynamics in Tampa and without any intent to cause an association in the mind of a reader with IDESG, NSTIC, nor any person or persons in particular note that I did not reference anyone with a @____ or add any signifying hashtags e.g., #idesg or #nstic in this tweeted comment.

Tampa11

I own that the tweet was provocative but it was It was not my intent to cause harm to anybody or to the IDESG organization and wider identity community.

I in no way intended to imply that any member of the IDESG has any intention remotely similar to those of the NAZI party of Germany.

I in no way intended to imply that the content of the meeting of the IDESG related to the content of the meeting I referenced in the tweet.

I am very sorry if the tweet had an emotionally negative impact on people on the management council and particularly those of with Jewish Heritage.

I fully acknowledge that referencing anything relative to the Nazi era is triggering. It touches on our collective shame and surfaces vulnerability it is very hard to look at.

I also believe that we have to actually be prepared to do so. If we don’t examine the past we can’t be sure we will not repeat it. [Please click to see my my next post for this to be further expounded upon]

I’m sorry I didn’t say something along these lines sooner.

One should not feed the internet trolls and I didn’t.

I was in a process were I felt it was inappropriate to speak about this more until the Ombudsman’s process had run its course.

I think that we all need to keep in mind our roles as Directors of the IDESG when we interact with the public and with each other.

The whole process left my and my attorney puzzled. My attorney wrote a letter to the Management Council/Board of Directors with a whole bunch of questions and now that this is posted we look forward to their answers to those questions.

 

 

 

Missing: Privileged Account Management for the Social Web.

This year at SXSW I moderated a panel about OpenID, OAuth and data portability in the Enterprise. We had a community lunch after the panel, and walking back to the convention center, I had an insight about a key missing piece of software – Privileged Account Management (PAM) for the Social Web – how are companies managing multiple employees logging in to their official Twitter, Facebook and YouTube accounts?

I thought I should also explain some key things to help understand conventional PAM then get to social web PAM in this post covering:

  1. regular identity management in the enterprise,
  2. regular Privileged Account Management in the enterprise
  3. Privileged Account Management for the Social Web.


1) IdM (Identity Management) in the Enterprise

There are two words you need to know to get IdM and the enterprise: “provisioning” and “termination“.

a) An employee is hired by a company. In order to login to the company’s computer systems to do their work (assuming they are a knowledge worker), they need to be provisioned with an “identity” that they can use to log in to the company systems.

b) When an employee leaves (retires, quits, laid off, fired), the company must terminate this identity in the computer systems so that the employee no longer has access to these systems.

The next thing to understand is logs.

So, an employee uses the company identity to do their work and the company keeps logs of what they do on company systems. This kind of logging is particularly important for things like accounting systems – it is used to audit and check that things are being accurately recorded, and who did what in these systems is monitored, thus addressing fraud with strong accountability.

I will write more about other key words to understand about IdM in the enterprise (authentication, authorization, roles, directories) but I will save these for another post.

2) Ok, so what is Privileged Account Management in the Enterprise?

A privileged account is an “über”-account that has special privileges. It is the root account on a UNIX system, a Windows Administrator account, the owner of a database or router access. These kinds of accounts are required for the systems to function, are used for day-to-day maintenance of systems and can be vital in emergency access scenarios.

They are not “owned” by one person, but are instead co-managed by several administrators. Failure to control access to privileged accounts, knowing who is using the account and when, has led to some of the massive frauds that have occurred in financial systems. Because of this, the auditing of logs of these accounts are now part of compliance mandates in

  • Sarbanes-Oxley
  • the Payment Card Industry Data Security Standard (PCI DSS),
  • the Federal Energy Regulatory Commission (FERC),
  • HIPAA.

Privileged Account Management (PAM) tools help enterprises keep track of who is logged into a privileged account at any given time and produce access logs. One way this software works is: an administrator logs in to the PAM software, and it then logs in to the privileged account they want access to. The privileged account management product grants privileged user access to privileged accounts [1].

Links to articles on PAM, [1] Burton Group Identity and Privacy Blog, KuppingerCole, Information Security Magazine.

3) Privileged Account Management on the Social Web.

Increasingly companies have privileged accounts on the social web. Dell computers has several for different purposes. Virgin America, (they link to the account from their website – thus “validating” that this is their real account), JetBlue, Southwest Airlines, Zappos CEO, (employees who twitter), Comcast Cares (Frank Eliason) (interestingly comcast on twitter is blank).

Twitter is just the tip of the iceberg – there are also “fan pages” on Facebook for brands. Coca-Cola, Zappos, NYTimes, Redbull, Southwest, YouTube Channels, Dunkin’ Donuts, etc, etc. on thousands of other platforms and yet-to-be-invented services.

These are very powerful accounts – they are managed and maintained by many employees around the clock and are the public voices of companies.

I have yet to see or hear of any software tools to enable enterprises to manage Social Web privileged accounts. How are companies managing access by multiple employees to these accounts?

Is there software that does this yet?

Is anyone working on these kinds of tools?

Leave your comments here or tweet with me @identitywoman