Executive summary
Business imperative of Identity 2.0
Voice and data revenues of Telcos seem to follow the opposite of Moore’s
Law: network revenues halve while bandwidth and capacity double.
It is a business imperative for Telcos to be increasingly innovative and to move
up the value chain by expanding accessibility, improving online safety,
and providing new business opportunities for our customers. Identity
Services feature prominently in this.
First steps to capitalize on the IP-enabled Extended Enterprise will be in
the areas of mobility, collaboration and unified communication. These all
recognize the coming wave of further device proliferation in an ‘always on’
network of communication. These changes, and the associated delayering of
legacy systems, will drive closer architectural attention to the shift from
subscriber centricity to user centricity and user profiling.
Web 2.0 is the term sometimes used to denote the business revolution in
the computer industry caused by the move to the Internet as a pervasive
platform, and the joined-up attempt to understand the rules for success on
that new web-services-based platform.
Identity 2.0 stems from this same theory of World Wide Web transition
and prerequisites for success. Its emphasis is a simple and open,
standards-based method of identity transactions using emerging user-centric
technologies such as Information Cards and OpenID. Public Key
Infrastructures (PKI) are relegated to the plumbing.
The on-line world needs an identity meta system with trust anchors in the
real world. Telcos are in a perfect position to help build this system and
reap the benefits of being an ‘early mover’ and positioning themselves as
one of the de facto Identity Service Providers on the World Wide Web.
Multiple business models on how to derive value from being in this
position exist, but the most common assumption is that each identity
transaction facilitated by Telcos as an Identity Provider will carry with it a
micro payment. Because the number of such transactions is expected to
increase exponentially, while the transaction costs will remain relatively
flat, the potential rewards are extremely scalable and represent
shareholder value.
Market Size
IDC predicts that the market for IAM products will grow to nearly $4 billion
by 2009.
Forrester Research, Inc. predicted in February 2008 that “the identity
management – or identity and access management (IAM) – market will
grow from nearly $2.6 billion in 2006 to more than $12.3 billion in 2014
(including revenues from both products and implementation services)…
Moreover, during the next seven years, we will also see buying behavior
migrating from… products to managed services.”
The market size expectations warrant the release of immediate R&D
funding.
Business Case
The underlying premise of user-centric Identity management is that, from a
macroeconomic perspective, organizations are wasting many resources in
maintaining customer information. A smarter way would be to put users in
charge of updating their own information. They have the most to gain from
keeping identity information accurate, complete and up to date. The money
saved using user-centric identity management methods can be shared
between the user, the relying party and the Identity Service Provider. Overall,
an economy that uses such methods and technology to good effect is more
productive. How to derive actual bottom-line profits for Telcos is becoming
more and more evident.
Business Models
Consumer space
The most obvious business model here is where the Identity Service
Provider receives micro payments from the relying party every time
identity information is consumed. The micro payments are in
recognition of costs saved and risks avoided. The consumer in the first
instance will expect a ‘free’ service.
This model is well understood and utilized by the credit card
companies and the on-line payment industry. Later ‘Gold’ and
‘Platinum’ versions may well attract a yearly consumer fee. The good
news is that the model scales up very well.
Professional services arena
The Business Model is much simpler here, as the liability and payback
mechanisms are our customers’ problems. Because this is
leading-edge technology, premium rates can be negotiated.
Introduction to Digital Identity
Quick context:
Why Identity matters
Why User Centric
Why CardSpace and possibly OpenID but not PKI
What is the relation to PKI?
This introduction is an attempt to make the central issue of User-Centric
Identity accessible to anyone who is not an "Identity Savant", thereby
opening an important debate to a wider audience within Telcos. This
section is based to some extent on a paper written by John Madelin [1].
Why Identity matters
More and more CIOs, CSOs, CTOs, Analysts and IdM bloggers are
reflecting on Identity as a central organizing principle in an increasingly
complex digital world.
Examples include de-perimeterization, device proliferation and network
convergence. To cut a long story short, they predict we're on the edge of
a social, cultural and economic step-change to rival the scientific and
Industrial revolutions in the scale of its impact on all of us. This is a
provocative and accelerated introduction to convince Telcos’ board
members to make haste and invest in this. Some Telcos seem to be
gradually realizing how important it is to own a piece of the Identity
provider real estate being developed in the cloud at this very moment.
One only has to have a close look at the make-up of the board members
of two think tanks on digital identity:
Information Card Foundation:
Deutsche Telekom – Jorg Heuer
Microsoft – Kim Cameron
Ping Identity – Patrick Harding
Google – Ben Laurie
PayPal – Andrew Nash
The Burton Group – Craig Burton
Oracle – Uppilli Srinivasan
Novell – Dale Olds
OpenID:
France Telekom – Orange
Facebook – Luke Shepard
Google – DeWitt Clinton
IBM – Tony Nadalin
Microsoft – Michael B. Jones
PayPal – Andrew Nash
VeriSign – Gary Krall
Yahoo! – Raj Mata
[1] Towards the Identity Society. John Madelin and Luke Razzell, 2006, The Identity Society.
http://www.identitysociety.org/files/identitysociety.pdf
Why User Centric
Enterprise organizations and governments view customer relationship
information as a key asset and are fiercely protective of this asset.
Fortunes are spent on maintaining customers’ personal information and
protecting this information from prying eyes as mandated by data
protection legislation.
CIOs are relying on meta directory technology to solve one of the
industry’s thorniest problems: how to keep information about the same
individual, scattered over different databases and directories,
perfectly synchronized. Corporate-managed updates are effectively
replicated using standards-based connectors and schema mapping
between systems.
However, what this technology cannot solve is capturing updates we
don’t know about. In the real world, our customers’ circumstances are
constantly changing, yet businesses and (most) government agencies are
not automatically alerted. This is an ongoing problem, because no matter
how good we are at synchronizing data across platforms and applications,
it doesn’t help when the data rapidly becomes obsolete.
No call center can solve this problem. As an industry, we need to find a
more logical way to manage this, namely through user-centric computing,
which puts individuals back in charge of their own identities. After all, it is
in the user’s own interest to keep his/her main identity attributes complete
and up to date. If organizations could somehow subscribe to change
events in their customers’ lives and automatically process these, the
thorny problem of labor intensity is solved, but not that of trustworthiness.
Who will verify and back up new identity-related claims of our customers?
This is where a new trusted third party, the Identity Service Provider, can
add value.
Today, CIOs are watching two different user-centric solutions rise in
popularity: CardSpace from Microsoft and OpenID from the open source
community.
Conventional wisdom indicates that, with the advent of Vista and
Windows 7 on countless PC desktops, Information Cards will become the
de facto way users manage their identity information. CIOs need to
take note: on a global scale, employers are expected to issue Information
Cards to their employees, governments to their citizens, etc. A plurality of
operators using ‘open’ standards is the key here.
Why CardSpace before OpenID and Certificates?
Greater acceptance of Information Cards is due, in part, to Information
Cards being based on a ratified internet standard called ‘WS-Trust’, and
thus providing a much more "open" solution than Microsoft’s previous,
suspiciously received Passport offering. Information Cards are not
designed to run exclusively on Microsoft servers or Microsoft-owned
networks, which means that, in principle, every home PC connected to the
Internet can become an identity provider.
Well-known Internet-based companies like Google, eBay and Amazon are
most likely to be early adopters of user-centric computing, and other
e-commerce sites will soon follow suit or be left behind. Cost savings
combined with better security should follow naturally.
As we saw in the membership list above, some organizations play it safe
by, for the moment at least, keeping a foot in both camps: Information
Cards and OpenID. Microsoft is not aiming to trash the competition; rather
they are steering towards some form of convergence [2].
For the moment we have seen more OpenID support announcements in
the press than public support for Information Cards. This is about to
change driven by the great marketing machine from Redmond. We have
seen this before in the browser space.
Most analysts predict a future in which a typical user will have between
three and six Information Cards in their CardSpace virtual wallet that are
regularly used for different types of public or private transactions. The
chore of maintaining personal information relating to those cards now
resides with the individual, making it easier for organizations and
consumers both. The user interface is there to be exploited.
With the user’s consent, and by subscribing to change alerts from trusted
identity service providers, companies don’t have to waste tremendous
financial and human resources managing data with a rapidly deteriorating
life span. Individuals don’t have to worry about maintaining endless silos
of personal data scattered all over the net.
When consumers can assign preferred identities to trusted eCommerce
sites and more anonymous self-issued identities to things like social
networking sites, we will eliminate the need to enter reams of personal
information on web pages we don’t necessarily trust, and organizations will
reap the financial rewards through cost savings and better-quality
information on which to base their service delivery.
Forget liability. Liability can be excluded. If we as Telcos do this right,
Relying Parties will still flock to use our identities. This is because we can
verify our users’ identities better than each relying party could possibly do
on their own. It could also be said Telcos have a fixed line wired to the
identity user’s wallet.
In conclusion, this paper maintains there is some really big money to be
made by a few select organizations with the financial clout and publicly
trusted brand names to become the default public identity providers in ‘the
cloud’. Telcos are prime among them. Remember that an Information Card
does not store the actual information, just the meta links to it. The
information itself has to be stored, secured and backed up somewhere
safe. This is part of most Telcos’ core competencies. The attributes
Telcos have for success in this area are not shared by many other types of
company.
[2] Why OpenID leads to Information Cards. Kim Cameron, Microsoft. http://www.identityblog.com/
(video clip).
What is the relation to PKI?
Today the Public Key Infrastructures (PKI) sold and implemented 5-7
years ago are coming to the end of their useful technical life. With
hindsight, many systems may have been a little over-engineered and
perhaps not used to generate as many certificates as they were
originally designed for. When only a few thousand certificates were generated
on a platform designed for hundreds of thousands of users, it’s frankly a
bit embarrassing. No wonder CTOs do not want to hear the word!
With hindsight, this level of certificate generation should have been
outsourced.
This is why Telcos are seeing a lot of interest in the market for completely
outsourced/managed solutions for PKI as well as other aspects of Identity
and Access management. A managed service allows customers of Telcos
to focus on just the security benefits of using certificates. The same holds
true for Managed Information Cards and OpenIDs and other form factors
of electronic Identity.
Usage of Managed Information Cards by relying parties is heavily based
on trust. It is as crucial today as it ever was that the chain of trust cannot
be broken by an unsecured piece of technology, by insecure networks or a
lack of procedures and policies, by insecure physical data centers, etc.
This is why, in the Telcos’ Managed Information Cards proposition, PKI
solutions will continue to play a crucial role in uniquely tying the user to their
Managed Information Cards during the Information Card verification and
issuing process. OpenID in comparison is much more lightweight and
vulnerable.
Waves of Identity
Those of us that have been in the Identity and Access Management
industry for a number of years have seen several hype cycles around
Identity.
Identity 0.1 (LDAP Directories and Meta Directory)
The first identity wave was all about directory enablement and leveraging
the X.500 set of computer networking standards developed by the
International Telecommunication Union (ITU), formerly known as the
International Telegraph and Telephone Consultative Committee (CCITT).
While technically the dream of creating a supranational ‘Directory of
Directories’, all federated and networked, was a success, commercially the
initiative flopped. No organization felt safe putting its privacy-sensitive
data outside a firewall to share with other organizations. The lasting
legacy of this era, however, was the Lightweight Directory Access Protocol
(LDAP), supporting directory technologies from different vendors like SUN
and Novell and Microsoft’s Active Directory, of which hundreds of
thousands are deployed by organizations the world over. Typically such
directories are created to provide a single repository of truth for all users and
their access rights within the organization. The information attributes
contained in these directories are kept up to date with connector
technology to back-end systems from meta-directory vendors.
The key here is that Identity Management during this wave was internally
focused towards the organization and its employees and neatly firewalled,
safe from the outside world. This model became useless in a
de-perimeterized environment.
Identity 1.5 (Identity Federation)
With the disappearing network perimeter the need arose to give partners
and suppliers access to network resources. The federated model arose
and the supporting standard for this was Security Assertion Markup
Language (SAML), an
XML-based standard for exchanging authentication and authorization data
between different security domains. SAML is a product of the OASIS
Security Services Technical Committee.
The single most important problem that SAML tried to solve is the
inter-company Web Browser Single Sign-On (SSO) problem. However, it did
this without addressing the underlying Identity trust issues in a scalable
way. That is why with SAML we are only halfway to solving the underlying
problem, but as with PKI we can re-use some of the technology.
Identity 2.0 (Identity Meta System)
Web 2.0 is the term sometimes used to denote the business revolution in
the computer industry caused by the move to the Internet as a pervasive
platform, and the joined-up attempt to understand the rules for success on
that new web-services-based platform.
Identity 2.0 stems from this same theory of World Wide Web transition and
prerequisites for success. Its emphasis is a simple and open, standards-based
method of identity transactions using emerging user-centric
technologies such as Information Cards or OpenID.
The current internet model makes it difficult to take one's identification from
site to site. This was described in a Burton Group report as: "today's
identity systems—which represent a “1.0” architecture, feature strong
support for domain management but exhibit scalability and flexibility
limitations when faced with the broader identity requirements of Internet
scenarios." In that light, user-centric proponents believe "federation
protocols (from Liberty Alliance, the Organization for the Advancement of
Structured Information Standards [OASIS], and the Web Services working
group) are bastions of a domain-centric model but do little to recast the
architectural foundations of identity systems to support grander
structures" [3].
A major road block to creating Identity 2.0 is the strength of the existing
infrastructure. Industry analysts Gartner Research reflect this perspective
in their August 2006 report, stating:
"Identity 2.0 will be relevant to online companies — and particularly
consumer-focused companies — but not before 2008. There are various
Identity 2.0 initiatives — including Microsoft's CardSpace (formerly
3
Mike Neuenschwander The Burton Group 2005. "User-Centric Identity Management and the
Enterprise: Why Empowering Users is Good Business".
http://www.burtongroup.com/Research/PublicDocument.aspx?cid=736.
Information Cards), Sxip and Higgins. While all the initiatives leverage
Internet and Web protocols, there are different approaches for storing
identity attributes and in securing the interactions; these different
approaches are not clearly interoperable and lack a unifying standardsbased framework. Success for Identity 2.0 approaches will also require
service providers to modify their Web sites and services to request,
accept and authenticate identity data from clients and identity providers.
This presents a potential "chicken and egg" problem whereby consumers
don’t perceive the need to create digital personas until services are
available to use them."4
Components of the Identity Meta System
There will be three key players in the Identity Meta System:
1. The user or subject.
2. The relying party.
3. An Identity Service Provider.
Whether you are creating serious Internet banking systems, hip new
social networking applications, multi-player games or business
applications for enterprise and government, you need to know something
about the person using your application. This can be as simple as
knowing for sure they are over 18 years of age.
We call this the identity of the user, expressed in a number of attribute
claims.
Claims Based Access model for the user
The model starts from the needs of the hosted application: the idea is
that developers of such applications write their software on the
assumption that they can get whatever claims they need from an identity
service provider in the cloud. They no longer need to write the management
and verification routines around verifying claims, any more than they need
to write the I/O routines for disk access.
It is this standards-based architecture for getting those claims that we call the
Identity Metasystem, meaning a system of identity systems. This is a
shared architecture with support across the industry using the standards
WS-Trust and WS-Federation.
[4] Gregg Kreizman, Ray Wagner, et al. (2006-08-09). "Findings: Identity 2.0 Is Too Ill-Defined for
Imminent Deployment". Gartner Research.
Relying Party
A simple definition of a Relying Party is any Web site or hosted
application on the Internet that uses a trusted third party identity provider
to authenticate a user who wants to log in and use that application.
Identity Service Provider (IDP)
This is the party we will have to rely upon to enable us to go about our
business and get things done for anything of any value in an Identity-centric
and web-enabled world. An Identity Service Provider is a body
with the brand and commercial weight to stand as your guarantor in web
exchanges. The IDP would effectively back you up with trust (and in real
terms, liability). The old term for this, back in the turbulent early days of
PKI, was a TTP, or Trusted Third Party. Early TTPs blasted their server
and certificate management facilities into the sides of mountains, and
spent millions physically and logically safeguarding them: an early
reflection of the value incumbent in "Identity" information.
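The three-party claims exchange described in this section, as an added example that is not part of the original paper: a hypothetical Identity Service Provider issues a token carrying only the claims the Relying Party requested (here the over-18 claim from the "Components" section), and the Relying Party checks signature, issuer, audience and lifetime before trusting any claim. The token format, the party names and the shared-key HMAC signature are assumptions made for brevity; real Information Card tokens (WS-Trust/SAML) carry public-key signatures.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not from the paper): one IdP, one RP and
# a shared HMAC key standing in for the public-key signature a real token carries.
IDP_NAME = "idp.example-telco.test"
RP_NAME = "shop.example-rp.test"
SHARED_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(subject_record, requested_claims, audience, key=SHARED_KEY, now=None, ttl=300):
    """IdP side: release only the claims the RP asked for, derived from the verified
    subject record the IdP holds, bound to one audience and a short lifetime."""
    now = int(time.time()) if now is None else now
    claims = {}
    if "over18" in requested_claims:
        # Minimal disclosure: the RP learns a yes/no, not the age or birth date.
        claims["over18"] = subject_record["age"] >= 18
    if "email" in requested_claims:
        claims["email"] = subject_record["email"]
    payload = {"iss": IDP_NAME, "aud": audience, "iat": now, "exp": now + ttl, "claims": claims}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def rp_verify_token(token, required_claims, key=SHARED_KEY, now=None):
    """RP side: accept the claims only if signature, issuer, audience and lifetime
    all check out. Raises ValueError otherwise, before any claim is used."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    payload = json.loads(_unb64(body))
    if payload.get("iss") != IDP_NAME:
        raise ValueError("untrusted issuer")
    if payload.get("aud") != RP_NAME:
        raise ValueError("token was issued for a different relying party")
    if not payload["iat"] <= now < payload["exp"]:
        raise ValueError("token expired or not yet valid")
    claims = payload["claims"]
    missing = [c for c in required_claims if c not in claims]
    if missing:
        raise ValueError("missing claims: " + ", ".join(missing))
    return claims


def demo_flow(now=1_700_000_000):
    """Subject -> IdP -> RP round trip on a constructed subject record."""
    subject = {"name": "Example User", "age": 34, "email": "user@example.test"}
    token = idp_issue_token(subject, ["over18"], RP_NAME, now=now)
    return rp_verify_token(token, ["over18"], now=now)


if __name__ == "__main__":
    print(demo_flow())  # {'over18': True}
```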
Innovation Black Swan events
A black swan (in Nassim Nicholas Taleb's version [5]) is a highly improbable
event with three principal characteristics: It is unpredictable; it carries a
massive impact; and, after the fact, we concoct an explanation that makes
it appear less random, and more predictable, than it was. According to
Taleb, the astonishing success of Google was a black swan. Why do I
think the same will become true for the Managed Information Card identity
service offering this paper proposes Telcos should build?
Why do we not acknowledge the phenomenon of black swans until after
they occur? Part of the answer, according to Taleb, is that humans are
hardwired to ask and learn specifics (what’s the bottom line?) when they
should be focused on generalities. We concentrate on things we already
know and time and time again fail to take into consideration what we don’t
know and can’t yet know. We are, therefore, unable to truly estimate
opportunities, too vulnerable to the impulse to simplify, narrate, and
categorize, and not open enough to rewarding those who can imagine the
“impossible.” This thing will be big, but don’t ask me how big in year
1,2,3…n.
Identity Google
When co-founders Larry Page and Sergey Brin devised the PageRank
algorithm that put the relevancy in Google search, they were both PhD
students at Stanford University. They had more interest in student life
than in becoming internet millionaires.
At the time there were already many search-related businesses thriving on
the web: Yahoo, Alta Vista, Excite, HotBot, Infoseek, etc. Because Larry
and Sergey realized their formula’s potential, they improved their search
algorithm so that it could be sold to these existing companies. Had Excite
or any of the other companies shown any interest in the PageRank
technology, neither co-founder would have felt it necessary to leave their
PhDs behind to start Google, a company that today is valued at over US$
100 billion. Some say Google benefited from an extraordinary sequence
of lucky events. It is also true that remarkable companies create their own
luck! Google happens to be a remarkable company.
In the Identity space, like the search landscape, we can also see a
number of more or less successful start-ups already. We have Naimz,
LinkedIn and Plaxo, to name a few. They are however, like the early
search engines, missing two vital ingredients. Additionally they were
launched slightly ahead of the predicted wave of Identity awareness which
will be generated by the so-called CardSpace ‘Tipping point’, which is
explained in a later chapter. It is not known if these companies are
looking into the opportunity of becoming an IDP based on Managed
Information Cards. If they did, they would be at best reputation-based,
rather than based on solid identity verification and trust-building methods,
the method advocated in this paper and explained later.
[5] Taleb, Nassim Nicholas (2007), The Black Swan: The Impact of the Highly Improbable.
Why Telcos’ unique opportunity?
Skeptics may argue that if going into the ‘Managed Information Cards
business’ was such a ‘predictable’ opportunity, some talented students or
young entrepreneurs would already be out there with a booming service.
In my ITSM article of July 14, 2006 entitled E-commerce and User-Centric
Identity Management I already hinted at the fact that the successful
Identity Service Provider would have to have some pretty special
attributes such as having financial clout and a public-trusted brand name
in order to become the default public identity provider.
Telcos also have an ability to execute that no small start-up will ever have:
- IP Leadership. This enables their business customers to reach more
destinations directly through their global IP backbones.
- Data Centers. Telcos support hundreds of data centers, including managed
hosting and co-location centers, around the world.
- Security Specialists and Security Operations Centers. Telcos usually offer
continuous security monitoring and management.
- A presence in most high streets, where if required the actual act of
securely binding the user Subject to his/her digital representation
can take place.
A successful company seeks out opportunities. Taking advantage of an
opportunity means recognizing that there is an opportunity to take
advantage of in the first place.
This is not a ‘winner takes all’ opportunity. The identity meta system
needs a plurality of operators from across the globe. If Telcos can work
together and build a trusted network of identities, the Identity Meta system
will be all the better for it and flourish.
Market Size
IDC predicts that the market for IAM products will grow to nearly $4 billion
by 2009.
Forrester Research, Inc. predicted in February 2008 that “the identity
management – or identity and access management (IAM) – market will
grow from nearly $2.6 billion in 2006 to more than $12.3 billion in 2014
(including revenues from both products and implementation services)…
Moreover, during the next seven years, we will also see buying behavior
migrating from… products to managed services.”
Note that neither IDC nor Forrester differentiates between Identity 1.0,
Identity 1.5 and Identity 2.0 technologies. In fact it is likely that neither firm
of analysts has factored in the amount of autonomous growth brought
about by a huge uptake of user-centric Identity Management services,
just like no analyst could have predicted that at IPO Google would raise
$1.67 billion, implying a value for the entire corporation of $23 billion.
The on-line world needs an identity meta system with trust anchors in the
real world. Telcos are in a perfect position to help build this system, whose
absence Gartner and others lament. In seizing this opportunity as this
paper proposes, fast and without delay, Telcos can reap the benefits of
being early movers and positioning themselves as one of the de facto
Identity Service Providers on the World Wide Web.
The author Marcus Lasance is Principal Consultant at Verizon Business in Amsterdam. Prior
to working for Verizon, Marcus Lasance was Managing Director of MaXware UK, an Identity
1.0 ISV which was acquired by SAP in 2007 and now forms part of SAP NetWeaver Identity
Management.