[KI-LC] FW: Media query from SC Magazine - deadline 2/26/2016 17:30:00

Ken Dagg kendaggtbs at gmail.com
Fri Feb 26 10:22:19 CST 2016


Sal,

Sounds great to me.  One small suggestion: remove the "I" part so that the
start of the second paragraph becomes, "The Kantara Identity Relationship
Management workgroup was formed in many ways ..."

I'd also suggest you provide a short, couple of sentences, that he could
use to attribute you.

Ken



On Friday, 26 February 2016, Salvatore D'Agostino <sal at idmachines.com>
wrote:

> Took a run at this.
>
>
>
> A number of the latest advances in identity management stem from the fact
> that there is a growing understanding that the nature of the requirements
> and issues to be in order to perform identity management has changed.  And
> the understanding that this impacts the business, legal and technical
> constructs and therefore the nature of the solutions brought to the fore.
>
>
>
> Inside Kantara I chair a workgroup called identity relationship
> management.  It was formed in many ways as a result of the fact that the
> paradigm has shifted from simply managing access with a narrow concept of
> identity to one in which solutions need to be highly contextual and to take
> into account the particular identity relationships as opposed to managing a
> single identity and related resource with a specific method of
> authentication.  In doing so we defined a range of principles that we
> believe help define the characteristics of the current paradigm.  (you can
> see the principles and an exercise we are conducting to see how they apply
> here http://kantarainitiative.org/confluence/display/irm/IRM+in+the+Wild
> ).
>
>
>
> Mobility and the internet of things are really helpful in examining this
> shift.  The authentication and authorization decisions that identity
> systems manage are no longer that of a single identity tied to the static
> relationship that can be established before the fact and then related to a
> particular transaction.  In the mobility + IoT cases an individual, the
> phone and the things and their many interrelated attributes are extremely
> dynamic and wide ranging.  These bring into play the challenges of scale,
> performance and indirect control (the phone and devices are not wholly part
> of the identity management solution as they are typically 3rd party
> components that need to be integrated and vary significantly).  As a result
> identity relationship management needs to be in place in order to deliver
> what has traditionally been identity and access management.  These
> solutions need to evolve to bring into play things like much larger data
> sets, complex and dynamic database relationships among the attributes and
> information contained (which in combination is big data), situational
> (people, places, things, time, user control and consent) awareness, tenancy
> (as part of a cloud based solution), multi-factor authentication (to help
> confirm exactly the relationship of use to authentication device) and a new
> generation of digital credentials (OAuth, JSON Web Tokens, distributed
> ledgers-block chain), consent receipts as a new token category and user
> managed access (UMA)  besides the identity relationship manager to
> implement solutions that leverage all of these.
>
>
>
> *From:* lc-bounces at kantarainitiative.org
> [mailto:lc-bounces at kantarainitiative.org] *On Behalf Of* Salvatore D'Agostino
> *Sent:* Monday, February 22, 2016 6:41 PM
> *To:* 'Colin Wallis'; 'Mike Schwartz'
> *Cc:* 'Kantara Leadership Council Kantara'
> *Subject:* Re: [KI-LC] Media query from SC Magazine - deadline 2/26/2016
> 17:30:00
>
>
>
> Colin, I can pitch in on some of these:
>
>
>
> What are the latest advances in ID Management technology?
>
> How has it evolved over the years?
>
> ID management has been largely about people in the past. How will  the
> Internet of Things change that, if at all?
>
>
>
> I can use UMA and IRM as examples and also bring in some of the things
> we have been talking about in the IDoT DG.
>
>
>
> *From:* lc-bounces at kantarainitiative.org
> [mailto:lc-bounces at kantarainitiative.org] *On Behalf Of* Colin Wallis
> *Sent:* Monday, February 22, 2016 5:50 PM
> *To:* Mike Schwartz
> *Cc:* Kantara Leadership Council Kantara
> *Subject:* Re: [KI-LC] Media query from SC Magazine - deadline 2/26/2016
> 17:30:00
>
>
>
> OK, thanks for that offer Mike.
>
> But the thing is, the guy asked Kantara, so he is expecting a response
> from experts on behalf of Kantara.
>
> Taking him to Gluu is kind of one step removed.
>
> I'm happy for responses to contain links to Gluu and elsewhere, but I
> think we are setting ourselves up for some copyright concerns if we point
> folks away, straight out of the gate.
>
> Cheers
>
> Colin
>
> > Date: Mon, 22 Feb 2016 15:11:16 -0600
> > From: mike at gluu.org
> > To: colin_wallis at hotmail.com
> > CC: lc at kantarainitiative.org
> > Subject: Re: [KI-LC] Media query from SC Magazine - deadline 2/26/2016
> > 17:30:00
> >
> >
> > Colin,
> >
> > I can offer to take a stab at responding to these questions by the
> > date requested on a Gluu blog.
> >
> > thx,
> >
> > Mike
> >
> > On 2016-02-22 11:13, Colin Wallis wrote:
> > > Thanks Ken
> > > We'll consider this question dealt to.
> > > Anyone else want to take on one of the others?
> > > Cheers
> > > Colin
> > > .....................................
> > >> At airports around the world, travelers' identities are routinely
> > > verified using biometric identification. Recently in India, a new
> > > facility for pension distribution adapted an iris authentication
> > > scanner to validate citizens. New generations of fully integrated,
> > > end-to-end cloud identity management platforms offer clients secure
> > > and flexible means to pick and choose which services they need. For
> > > this latest ebook from SC Magazine, we speak to a number of experts
> > > with hands-on experience about how these advances in technologies are
> > > changing the face of identity management and opening up new
> > > opportunities for the enterprise to become more secure—and we’ll
> > > throw in a few caveats (for one, what happens to privacy when
> > > biometrics are added to the mix?) that any organization should heed
> > > when revamping its identity management strategy.
> > >>
> > >> Here are the questions he's exploring:
> > >>
> > >> What are the latest advances in ID Management technology?
> > >>
> > >> How has it evolved over the years?
> > >>
> > >> What happens to privacy when biometrics are thrown into the mix?
> > > GONE GONE....
> > >>
> > >> How are ID management systems and access management/roles-based
> > > management converging?
> > >>
> > >> ID management has been largely about people in the past. How will
> > > the Internet of Things change that, if at all?
> > >>
> > >> Is authentication keeping up with trends in ID management?
> > >>
> > >> My identity as my wife sees it may be different to my identity as my
> > > bank sees it, which may be different again to my identity as my
> > > employer sees it. How do we cope with multiple attributes in ID
> > > management?
> > >>
> > >> How do we maintain and preserve identity in the long term, as a
> > > person's life and circumstances change?
> > >>
> > >> Are there standards for ID management?
> > >>
> > >> What are the biggest challenges facing companies that want to design
> > > and deploy their own ID management systems?
> > >
> > > -------------------------
> > > Date: Mon, 22 Feb 2016 06:58:22 -0500
> > > Subject: Re: [KI-LC] FW: Media query from SC Magazine - deadline
> > > 2/26/2016 17:30:00
> > > From: kendaggtbs at gmail.com
> > > To: colin_wallis at hotmail.com
> > > CC: lc at kantarainitiative.org
> > >
> > > Colin,
> > >
> > > I agree fully that the first two paragraphs address the scope of his
> > > question regarding biometrics and privacy.
> > >
> > > However, your comment, "sense of direction of travel for SC Magazine
> > > being towards Data Protection" prompts me to include the rest of the
> > > material regarding Privacy. In my opinion, a focus solely on data
> > > protection misses the boat on respecting privacy and probably does it
> > > a disservice. As you are aware, having the best data protection
> > > practices in the world while using an individual's PII for unstated
> > > purposes or disclosing it inappropriately, still means the
> > > organization is not respecting an individual's privacy.
> > >
> > > I agree with your concern regarding "a compromise in the sample or the
> > > templates database" being a major issue with respect to an individual
> > > having to re-establish and re-bind their identity. However, I would
> > > argue that the same holds true for any piece of an individual's PII
> > > that is used by an organization. Biometric data, because it is viewed
> > > as unique to an individual, is, in some organizations' minds, viewed as
> > > a silver bullet with respect to Identification. However, in my opinion,
> > > it is just another piece of data that can be used to mitigate the risk
> > > of misidentification. If the consequences of misidentification are
> > > severe it should still be corroborated with other PII. In other words,
> > > it is not a silver bullet.
> > >
> > > This being said, I restructured the answer to address the "silver
> > > bullet" concept as well as the out-of-scope text. I would recommend
> > > including the background in the response as I believe that it is
> > > important to raise the "technology neutral" idea with respect to
> > > privacy policy/legislation. I would like to start the process of
> > > changing the perception held by many people that current policy is
> > > outdated or has been overtaken by advances in technology. (My soapbox
> > > rant for the day)
> > >
> > > While we probably aren't going to be killed for not answering all the
> > > questions I hope that others can address some of them.
> > >
> > > Ken
> > >
> > > ==============
> > >
> > > The perception that something should happen to privacy because
> > > biometrics enter the mix is erroneous.
> > >
> > > Privacy is a state that is respected when an individual understands
> > > and consents to how their personally identifiable information (PII) is
> > > collected, maintained, used, disclosed and disposed. Biometric
> > > information, given its uniqueness to each individual, should be
> > > considered to be PII.
> > >
> > > Regardless of its apparent uniqueness, an organization that wishes to
> > > mitigate the risk of misidentification of an individual should not
> > > look at biometric data as a "silver bullet". If the consequences of
> > > misidentification are high they should still corroborate the biometric
> > > data with other PII during their authentication. The process, whether
> > > in the digital or real world, still requires an organization to
> > > identify the consequences of misidentification before it puts in place
> > > procedures and techniques (such as the use of biometric data) to
> > > mitigate that risk.
> > >
> > > Background on Privacy
> > >
> > > It should be noted that jurisdictions around the world have identified
> > > that respect of an individual's privacy is technology neutral.
> > >
> > > For the US Government NIST Special Publication 800-122 defines PII as
> > > "any information about an individual maintained by an agency,
> > > including (1) any information that can be used to distinguish or trace
> > > an individual's identity, such as name, social security number, date
> > > and place of birth, mother's maiden name, or biometric records; and
> > > (2) any other information that is linked or linkable to an individual,
> > > such as medical, educational, financial, and employment information."
> > >
> > > In other countries with privacy protection laws derived from the OECD
> > > privacy principles, the term used is more often "personal
> > > information". This term, in general, is broader than PII. For example,
> > > there are two pieces of legislation that cover privacy at the federal
> > > level in Canada: the Privacy Act and the Personal Information
> > > Protection and Electronic Documents Act (PIPEDA). The Privacy Act
> > > relates to an individual’s right to access and correct personal
> > > information the Government of Canada holds about them or the
> > > Government’s collection, use and disclosure of their personal
> > > information in the course of providing services (e.g., old age
> > > pensions or employment insurance). PIPEDA sets out the ground rules
> > > for how private-sector organizations collect, use or disclose personal
> > > information in the course of commercial activities across Canada.
> > >
> > > Both acts in essence define personal information to be any factual or
> > > subjective information, recorded or not, about an identifiable
> > > individual. This includes information in any form, such as:
> > > * age, name, ID numbers, income, ethnic origin, or blood type;
> > > * opinions, evaluations, comments, social status, or disciplinary
> > > actions; and
> > > * employee files, credit records, loan records, medical records,
> > > existence of a dispute between a consumer and a merchant, intentions
> > > (for example, to acquire goods or services, or change jobs).
> > >
> > > Excluded is information concerning the name, title, business address
> > > or telephone number of an employee of an organization.
> > >
> > > Both acts identify how personal information should be collected,
> > > maintained, used, disclosed and disposed. Of interest is the
> > > requirement to identify a retention period for the personal
> > > information that is collected about an individual and how that
> > > information is expunged from an organization's records.
> > >
> > > Also of interest is how the power and versatility of re-identification
> > > algorithms have significantly increased the ability of identifying an
> > > individual without the use of PII. As such, Big Data is becoming an
> > > issue in privacy circles.
> > >
> > > <snip>
> > >
> > >
> >
> > --
> > -------------------------------------
> > Michael Schwartz
> > Gluu
> > Founder / CEO
> > mike at gluu.org
>


-- 
Kenneth Dagg
Independent Consultant
Identification and Authentication
613-825-2091
kendaggtbs at gmail.com