Tuesday, October 21, 2003, 8:52 AM

Identity and Innovation in Computing

From: P.T. Ong
To: Brian B.
Subject: Re: Innovation Conference
Date: Tue, 21 Oct 2003 08:52:05 +0800

Hi Brian,

Here are a few thoughts on identity and its impact on computing...

1. Lego-brick server architecture ... (a bit futuristic) plug-and-play clustering and failover. (If you're out of disk space, plug in another box; not enough CPU, plug in another box.) This assumes strong digital identity between servers (and users/admins).

2. Strong Digital Identity as a foundation of future secured apps. The next generation of applications will have to be secured in such a way that they comply with EAs (Evidence Acts) and ETAs (Electronic Transaction Acts) across multiple legal jurisdictions. That paves the way for the truly paperless office. BUT, the driver is not "paperless" -- it is speed of business. Legally binding digital documents *and* transactions. This needs strong digital identity.

3. Federated identity will hit a roadblock -- legal liability. Why would company A want to take on the legal liability of a contract between company B and party C, just because company A vouches for the identity of party C? There needs to be deeper thinking into federated identities and their practical applications. My belief is that we're going to end up with lots of direct strong authentication of entities by companies... and less federation than we originally thought. The federation could make it easier to bootstrap identities, but companies might not continue to rely on others to tell them who their customers, partners, and vendors are.

4. Here are a few more regulations to worry about:

o The Gramm-Leach-Bliley Act (GLB)
o Health Insurance Portability and Accountability Act (HIPAA)
o SEC Rule 17-CFR 270.17a-4 (SEC 17a-4)
o NASD 3010(d)
o European Union Directive on the Protection of Personal Data (EU Directive)
o The US Patriot Act
o The Sarbanes-Oxley Act (Sarbox or SOx)
o The New Basel Accords (Basel II)
o California SB 1386

What is your (a company's) strategy in going about addressing regulations? A basic system that needs to be deployed is strong digital identity. Otherwise, why bother implementing digital compliance systems if you can't even tell if the person on the system is who they say they are?

5. Moving forward with security:
  1. Begin with the end in mind - What is the digital identity "end" you have in mind?
  2. Avoid expensive "Big Bang" projects
  3. Show benefits to end-users early and often - Convenience, business continuity (non-intrusive)
  4. Question the need for compromises - Not always trade off: security vs. convenience
  5. Construct systems based on strong principles - When you throw very large numbers on only slightly weak systems, they will break.
  6. Start now! ... Build incrementally.
The item I would highlight is "construct systems based on strong principles". We've seen the law of large numbers wreak havoc on Microsoft Windows.

6. I like to challenge CIOs: What is your roadmap to strong digital identity? Do you need one? How does that drive your business? (Yes it can -- it's not just a cost center -- Justin Taylor of Novell agrees in The Business Case for Identity Driven Computing.) Hope these perspectives help.

Please feel free to adapt them to your needs for the conference.