Executive summary

Business imperative of Identity 2.0

Voice and data revenues of Telcos seem to follow the opposite of Moore’s Law, with network revenues halving at the same time as bandwidth and capacity double. It is a business imperative for Telcos to be increasingly innovative and move up the value chain by expanding accessibility, improving online safety, and providing new business opportunities for our customers. Identity Services feature large in this.

First steps to capitalize on the IP-enabled Extended Enterprise will be in the areas of mobility, collaboration and unified communication. These all recognize the coming wave of further device proliferation in an ‘always on’ network of communication. These changes, and the associated delayering of legacy systems, will drive closer architectural attention from subscriber centricity to user centricity and user profiling.

Web 2.0 is the term sometimes used to denote the business revolution in the computer industry caused by the move to the Internet as a pervasive platform, and the joined-up attempt to understand the rules for success on that new web-services-based platform. Identity 2.0 stems from this same theory of World Wide Web transition and prerequisites for success. Its emphasis is a simple, open-standards-based method of identity transactions using emerging user-centric technologies such as Information Cards and OpenID. Public Key Infrastructures (PKI) are relegated to the plumbing.

The online world needs an identity metasystem with trust anchors in the real world. Telcos are in a perfect position to help build this system and reap the benefits of being an ‘early mover’, positioning themselves as one of the de facto Identity Service Providers on the World Wide Web. Multiple business models for deriving value from this position exist, but the most common assumption is that each identity transaction facilitated by Telcos as an Identity Provider will carry with it a micro payment.
Because the number of such transactions is expected to increase exponentially, while the transaction costs will remain relatively flat, the potential rewards are extremely scalable and represent shareholder value.

Market Size

IDC predicts that the market for IAM products will grow to nearly $4 billion by 2009. Forrester Research, Inc. predicted in February 2008 that "the identity management – or identity and access management (IAM) – market will grow from nearly $2.6 billion in 2006 to more than $12.3 billion in 2014 (including revenues from both products and implementation services)… Moreover, during the next seven years, we will also see buying behavior migrating from… products to managed services." The market size expectations warrant the release of immediate R&D funding.

Business Case

The underlying premise of user-centric identity management is that, from a macroeconomic perspective, organizations are wasting many resources in maintaining customer information. A smarter way would be to put users in charge of updating their own information: they have the most to gain from keeping identity information accurate, complete and up to date. The money saved using user-centric identity management methods can be shared between the user, the relying party and the Identity Service Provider. Overall, an economy that uses such methods and technology to good effect is more productive. How to derive actual bottom-line profits for Telcos is becoming more and more evident.

Business Models

Consumer space

The most obvious business model here is one where the Identity Service Provider receives micro payments from the relying party every time identity information is consumed. The micro payments are in recognition of costs saved and risks avoided. The consumer will, in the first instance, expect a ‘free’ service. This model is well understood and utilized by the credit card companies and the online payment industry. Later ‘Gold’ and ‘Platinum’ versions may well attract a yearly consumer fee.
The good news is that the model scales up very well.

Professional services arena

The business model is much simpler here, as the liability and payback mechanisms are our customers’ problems. Because this is leading-edge technology, premium rates can be negotiated.

Introduction to Digital Identity

Quick context: why identity matters; why user-centric; why CardSpace and possibly OpenID but not PKI; what is the relation to PKI?

This introduction is an attempt to make the central issue of user-centric identity accessible to anyone who is not an "Identity Savant", thereby opening an important debate to a wider audience within Telcos. This section is based to some extent on a paper written by John Madelin.1

Why Identity matters

More and more CIOs, CSOs, CTOs, analysts and IdM bloggers are reflecting on identity as a central organizing principle in an increasingly complex digital world. Examples include de-perimeterization, device proliferation and network convergence. To cut a long story short, they predict we're on the edge of a social, cultural and economic step-change to rival the scientific and industrial revolutions in the scale of its impact on all of us. This is a provocative and accelerated introduction to convince Telcos’ board members to make haste and invest in this.

Some Telcos seem to be gradually realizing how important it is to own a piece of the identity provider real estate being developed in the cloud at this very moment. One only has to have a close look at the makeup of the board members of two think tanks on digital identity:

Information Card Foundation:
Deutsche Telekom – Jorg Heuer
Microsoft – Kim Cameron
Ping Identity – Patrick Harding
Google – Ben Laurie
PayPal – Andrew Nash
The Burton Group – Craig Burton
Oracle – Uppilli Srinivasan
Novell – Dale Olds

OpenID:
France Telekom – Orange
Facebook – Luke Shepard
Google – DeWitt Clinton
IBM – Tony Nadalin
Microsoft – Michael B. Jones
PayPal – Andrew Nash
VeriSign – Gary Krall
Yahoo! – Raj Mata

1 Towards the Identity Society. John Madelin and Luke Razzell, 2006, The Identity Society. http://www.identitysociety.org/files/identitysociety.pdf

Why User Centric

Enterprise organizations and governments view customer relationship information as a key asset and are fiercely protective of it. Fortunes are spent on maintaining customers’ personal information and protecting this information from prying eyes, as mandated by data protection legislation. CIOs are relying on meta-directory technology to solve one of the industry’s thorniest problems: how to keep information about the same individual, scattered over different databases and directories, perfectly synchronized. Corporate-managed updates are effectively replicated using standards-based connectors and schema mapping between systems.

However, what this technology cannot solve is the ability to provide updates we don’t know about. In the real world, our customers’ circumstances are constantly changing, yet businesses and (most) government agencies are not automatically alerted. This is an ongoing problem, because no matter how good we are at synchronizing data across platforms and applications, it counts for little when the data itself rapidly becomes obsolete. No call center can solve this problem.

As an industry, we need to find a more logical way to manage this; namely through user-centric computing, which puts individuals back in charge of their own identities. After all, it is in the user’s own interest to keep his/her main identity attributes complete and up to date. If organizations could somehow subscribe to change events in their customers’ lives and automatically process these, the thorny problem of labor intensity is solved, but not that of trustworthiness. Who will verify and back up new identity-related claims of our customers? This is where a new trusted third party, the Identity Service Provider, can add value.
Today, CIOs are watching two different user-centric solutions rise in popularity: CardSpace from Microsoft and OpenID from the open source community. Conventional wisdom indicates that, with the advent of Vista and Windows 7 on countless PC desktops, Information Cards will become the de facto way users manage their identity information. CIOs need to take note: on a global scale, employers are expected to issue Information Cards to their employees, governments to their citizens, etc. A plurality of operators using ‘open’ standards is the key here.

Why CardSpace before OpenID and Certificates?

Greater acceptance of Information Cards is due, in part, to Information Cards being based on a ratified Internet standard called ‘WS-Trust’, and thus providing a much more "open" solution than Microsoft’s previous and suspiciously received Passport offering. Information Cards are not designed to run exclusively on Microsoft servers or Microsoft-owned networks, which means that, in principle, every home PC connected to the Internet can become an identity provider. Well-known Internet-based companies like Google, eBay and Amazon are most likely to be early adopters of user-centric computing, and other e-commerce sites will soon follow suit or be left behind. Cost savings combined with better security should follow naturally.

As we saw in the membership list above, some organizations play it safe by, for the moment at least, keeping a foot in both camps: Information Cards and OpenID. Microsoft is not aiming to trash the competition; rather, they are steering towards some form of convergence.2 For the moment we have seen more OpenID support announcements in the press than public support for Information Cards. This is about to change, driven by the great marketing machine from Redmond. We have seen this before in the browser space.
Most analysts predict a future in which a typical user will have between three and six Information Cards in their CardSpace virtual wallet, regularly used for different types of public or private transactions. The chore of maintaining personal information relating to those cards now resides with the individual, making it easier for organizations and consumers alike. The user interface is there to be exploited. With the user’s consent, and by subscribing to change alerts from trusted identity service providers, companies don’t have to waste tremendous financial and human resources managing data with a rapidly deteriorating life span. Individuals don’t have to worry about maintaining endless silos of personal data scattered all over the net.

When consumers can assign preferred identities to trusted e-commerce sites and more anonymous self-issued identities to things like social networking sites, we will eliminate the need to enter reams of personal information on web pages we don’t necessarily trust; organizations will reap the financial rewards through cost savings and better-quality information on which to base their service delivery.

Forget liability. Liability can be excluded. If we as Telcos do this right, Relying Parties will still flock to use our identities. This is because we can verify our users’ identities better than each relying party could possibly do on their own. It could also be said that Telcos have a fixed line wired to the identity user’s wallet.

In conclusion, this paper maintains there is some really big money to be made by a few select organizations with the financial clout and publicly trusted brand names to become the default public identity providers in ‘the cloud’. Telcos are prime among them. Remember that an Information Card does not store the actual information, just the meta links to it. The information itself has to be stored, secured and backed up somewhere safe. This is part of most Telcos’ core competencies.
The attributes Telcos have for success in this area are not shared by many other types of companies.

2 Why OpenID leads to Information Cards. Kim Cameron, Microsoft. http://www.identityblog.com/ (video clip).

What is the relation to PKI?

Today the Public Key Infrastructures (PKI) sold and implemented 5-7 years ago are coming to the end of their useful technical life. With hindsight, many systems may have been a little over-engineered and perhaps not used to generate as many certificates as they were originally designed for. When only a few thousand certificates were generated on a platform designed for hundreds of thousands of users, it’s frankly a bit embarrassing. No wonder CTOs do not want to hear the word! With hindsight, this level of certificate generation should have been outsourced. This is why Telcos are seeing a lot of interest in the market for completely outsourced/managed solutions for PKI as well as other aspects of Identity and Access Management. A managed service allows customers of Telcos to focus on just the security benefits of using certificates. The same holds true for Managed Information Cards, OpenIDs and other form factors of electronic identity.

Usage of Managed Information Cards by relying parties is heavily based on trust. It is as crucial today as it ever was that the chain of trust cannot be broken by an unsecured piece of technology, by insecure networks, by a lack of procedures and policies, by insecure physical data centers, etc. This is why, in the Telcos’ Managed Information Cards proposition, PKI solutions will continue to play a crucial role in uniquely tying the user to their Managed Information Cards during the Information Card verification and issuing process. OpenID, in comparison, is much more lightweight and vulnerable.

Waves of Identity

Those of us who have been in the Identity and Access Management industry for a number of years have seen several hype cycles around identity.
Identity 0.1 (LDAP Directories and Meta Directory)

The first identity wave was all about directory enablement and leveraging the X.500 set of computer networking standards developed by the International Telecommunication Union (ITU), formerly known as the International Telegraph and Telephone Consultative Committee (CCITT). While technically the dream of creating a supranational ‘Directory of Directories’, all federated and networked, was a success, commercially the initiative flopped. No organization felt safe putting its privacy-sensitive data outside a firewall to share with other organizations. The lasting legacy of this era, however, was the Lightweight Directory Access Protocol (LDAP), supporting directory technologies from different vendors like Sun, Novell and Microsoft’s Active Directory, of which hundreds of thousands are deployed by organizations the world over. Typically such directories are created as a single repository of truth for all users and their access rights within the organization. The information attributes contained in these directories are kept up to date with connector technology to back-end systems from meta-directory vendors. The key here is that identity management during this wave was internally focused towards the organization and its employees, and neatly firewalled, safe from the outside world. This model became useless in a de-perimeterized environment.

Identity 1.5 (Identity Federation)

With the disappearing network perimeter, the need arose to give partners and suppliers access to network resources. The federated model arose, and the supporting standard for this was Security Assertion Markup Language (SAML), an XML-based standard for exchanging authentication and authorization data between different security domains. SAML is a product of the OASIS Security Services Technical Committee. The single most important problem that SAML tried to solve is the inter-company Web Browser Single Sign-On (SSO) problem.
However, it did this without addressing the underlying identity trust issues in a scalable way. That is why with SAML we are only halfway to solving the underlying problem, but as with PKI we can re-use some of the technology.

Identity 2.0 (Identity Meta System)

Web 2.0 is the term sometimes used to denote the business revolution in the computer industry caused by the move to the Internet as a pervasive platform, and the joined-up attempt to understand the rules for success on that new web-services-based platform. Identity 2.0 stems from this same theory of World Wide Web transition and prerequisites for success. Its emphasis is a simple, open-standards-based method of identity transactions using emerging user-centric technologies such as Information Cards or OpenID.

The current Internet model makes taking one's identification from site to site difficult. This was described in a Burton Group report as, "today's identity systems—which represent a “1.0” architecture, feature strong support for domain management but exhibit scalability and flexibility limitations when faced with the broader identity requirements of Internet scenarios." In that light, user-centric proponents believe "federation protocols (from Liberty Alliance, the Organization for the Advancement of Structured Information Standards [OASIS], and the Web Services working group) are bastions of a domain-centric model but do little to recast the architectural foundations of identity systems to support grander structures."3

A major roadblock to creating Identity 2.0 is the strength of the existing infrastructure. Industry analysts Gartner Research reflect this perspective in their August 2006 report, stating: "Identity 2.0 will be relevant to online companies — and particularly consumer-focused companies — but not before 2008. There are various Identity 2.0 initiatives — including Microsoft's CardSpace (formerly Information Cards), Sxip and Higgins. While all the initiatives leverage Internet and Web protocols, there are different approaches for storing identity attributes and in securing the interactions; these different approaches are not clearly interoperable and lack a unifying standards-based framework. Success for Identity 2.0 approaches will also require service providers to modify their Web sites and services to request, accept and authenticate identity data from clients and identity providers. This presents a potential "chicken and egg" problem whereby consumers don’t perceive the need to create digital personas until services are available to use them."4

3 Mike Neuenschwander, The Burton Group, 2005. "User-Centric Identity Management and the Enterprise: Why Empowering Users is Good Business". http://www.burtongroup.com/Research/PublicDocument.aspx?cid=736

Components of the Identity Meta System

There will be three key players in the Identity Meta System:
1. The user or subject.
2. The relying party.
3. An Identity Service Provider.

Whether you are creating serious Internet banking systems, hip new social networking applications, multi-player games or business applications for enterprise and government, you need to know something about the person using your application. This can be as simple as knowing for sure they are over 18 years of age. We call this the identity of the user, expressed in a number of attribute claims.

Claims Based Access model for the user

The model starts from the needs of the hosted application: developers of such applications write their software on the assumption that they can get whatever claims they need from an identity service provider in the cloud. They do not need to write the management and verification routines around claims any more than they need to write the I/O routines for disk access. It is this standards-based architecture for obtaining those claims that we call the Identity Metasystem, meaning a system of identity systems.
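The claims-based model described above, worked through as an added example; this is not code from the paper, nor from CardSpace, WS-Trust or any other product it mentions. A hypothetical identity provider signs the claims the user has consented to release (here only an "over18" claim, not a date of birth), and a hypothetical relying party checks the issuer, the audience and the validity window before acting on the claim, so the application contains only its access decision and no identity-verification routines of its own. The shared key, the party names and the token layout are constructed stand-ins for the signed security tokens an Identity Metasystem would carry.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo values: a key the hypothetical IDP and relying party share
# (a stand-in for the IDP's signing key) and hypothetical party names.
IDP_KEY = b"constructed-demo-key-not-for-real-use"
IDP_NAME = "idp.telco.example"   # hypothetical Identity Service Provider
RP_NAME = "shop.example"         # hypothetical Relying Party


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, claims: dict, audience: str, ttl: int = 300, now: float = None) -> str:
    """IDP side: package the claims the user consented to release, bound to one
    relying party (aud) and a short validity window, and sign them."""
    now = time.time() if now is None else now
    payload = {"iss": IDP_NAME, "aud": audience, "iat": now, "exp": now + ttl, "claims": claims}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(key: bytes, token: str, expected_audience: str, now: float = None):
    """Relying-party side: return the claims only if the token is intact, comes
    from the trusted IDP, was issued for this relying party and is inside its
    validity window; otherwise return None."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected_sig = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):   # constant-time comparison
        return None
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    if not isinstance(payload, dict):
        return None
    if payload.get("iss") != IDP_NAME or payload.get("aud") != expected_audience:
        return None
    if not (payload.get("iat", float("inf")) <= now < payload.get("exp", 0)):
        return None
    return payload.get("claims")


def may_buy_age_restricted(key: bytes, token: str, now: float = None) -> bool:
    """The application's access decision: it needs only the over18 claim and
    never sees (or has to store) a date of birth."""
    claims = verify_token(key, token, RP_NAME, now)
    return isinstance(claims, dict) and claims.get("over18") is True


if __name__ == "__main__":
    t = issue_token(IDP_KEY, {"over18": True}, RP_NAME)
    print("accepted:", may_buy_age_restricted(IDP_KEY, t))
    print("wrong audience:", verify_token(IDP_KEY, t, "other.example"))
```

The audience check is what stops a token minted for one relying party from being replayed at another, and the short validity window limits how long a captured token stays useful; an HMAC with a shared key is used here only to keep the example self-contained, where a real IDP would sign with a key the relying party can verify without being able to forge.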
The Identity Metasystem is a shared architecture with support across the industry, using the standards WS-Trust and WS-Federation.

4 Gregg Kreizman, Ray Wagner, et al. (2006-08-09). "Findings: Identity 2.0 Is Too Ill-Defined for Imminent Deployment".

Relying Party

A simple definition of a Relying Party is any web site or hosted application on the Internet that uses a trusted third-party identity provider to authenticate a user who wants to log in and use that application.

Identity Service Provider (IDP)

This is the party we will have to rely upon to enable us to go about our business and get things done for anything of any value in an identity-centric and web-enabled world. An Identity Service Provider is a body with the brand and commercial weight to stand as your guarantor in web exchanges. The IDP would effectively back you up with trust (and, in real terms, liability). The old term for this, back in the turbulent early days of PKI, was a TTP, or Trusted Third Party. Early TTPs blasted their server and certificate management facilities into the sides of mountains, and spent millions physically and logically safeguarding them -- an early reflection of the value incumbent in "Identity" information.

Innovation

Black Swan events

A black swan (in Nassim Nicholas Taleb's version5) is a highly improbable event with three principal characteristics: it is unpredictable; it carries a massive impact; and, after the fact, we concoct an explanation that makes it appear less random, and more predictable, than it was. According to Taleb, the astonishing success of Google was a black swan. Why do I think the same will become true for the Managed Information Card identity service offering this paper proposes Telcos should build? Why do we not acknowledge the phenomenon of black swans until after they occur? Part of the answer, according to Taleb, is that humans are hardwired to ask and learn specifics (what’s the bottom line?) when they should be focused on generalities.
We concentrate on things we already know and time and time again fail to take into consideration what we don’t know and can’t yet know. We are, therefore, unable to truly estimate opportunities, too vulnerable to the impulse to simplify, narrate and categorize, and not open enough to rewarding those who can imagine the “impossible.” This thing will be big, but don’t ask me how big in year 1, 2, 3… n.

Identity Google

When co-founders Larry Page and Sergey Brin devised the PageRank algorithm that put the relevancy in Google search, they were both PhD students at Stanford University. They had more interest in student life than in becoming Internet millionaires. At the time there were already many search-related businesses thriving on the web: Yahoo, AltaVista, Excite, HotBot, Infoseek, etc. Because Larry and Sergey realized their formula’s potential, they improved their search algorithm so that it could be sold to these existing companies. Had Excite or any of the other companies shown any interest in the PageRank technology, neither co-founder would have felt it necessary to leave their PhDs behind to start Google, a company that today is valued at over US$100 billion. Some say Google benefited from an extraordinary sequence of lucky events. It is also true that remarkable companies create their own luck! Google happens to be a remarkable company.

In the identity space, as in the search landscape, we can already see a number of more or less successful start-ups. We have Naimz, LinkedIn and Plaxo, to name a few. They are, however, like the early search engines, missing two vital ingredients. Additionally, they were launched slightly ahead of the predicted wave of identity awareness which will be generated by the so-called CardSpace ‘tipping point’, which is explained in a later chapter. It is not known if these companies are looking into the opportunity of becoming an IDP based on Managed Information Cards.
If they did, they would at best be reputation-based, rather than based on the solid identity verification and trust-building methods advocated in this paper and explained later.

5 Taleb, Nassim Nicholas (2007), The Black Swan: The Impact of the Highly Improbable.

Why Telcos? A unique opportunity

Skeptics may argue that if going into the ‘Managed Information Cards business’ was such a ‘predictable’ opportunity, some talented students or young entrepreneurs would already be out there with a booming service. In my ITSM article of July 14, 2006, entitled "E-commerce and User-Centric Identity Management", I already hinted at the fact that the successful Identity Service Provider would have to have some pretty special attributes, such as financial clout and a publicly trusted brand name, in order to become the default public identity provider. Telcos also have an ability to execute that no small start-up will ever have:

- IP Leadership. This enables their business customers to reach more destinations directly through their global IP backbones.
- Data Centers. Telcos support hundreds of data centers, including managed hosting and co-location centers, around the world.
- Security Specialists and Security Operations Centers. Telcos usually offer continuous security monitoring and management.
- A presence in most high streets, where, if required, the actual act of securely binding the user subject to his/her digital representation can take place.

A successful company seeks out opportunities. Taking advantage of an opportunity means recognizing that there is an opportunity to take advantage of in the first place. This is not a ‘winner takes all’ opportunity. The identity metasystem needs a plurality of operators from across the globe. If Telcos can work together and build a trusted network of identities, the Identity Meta System will be all the better for it and flourish.
Market Size

IDC predicts that the market for IAM products will grow to nearly $4 billion by 2009. Forrester Research, Inc. predicted in February 2008 that "the identity management – or identity and access management (IAM) – market will grow from nearly $2.6 billion in 2006 to more than $12.3 billion in 2014 (including revenues from both products and implementation services)… Moreover, during the next seven years, we will also see buying behavior migrating from… products to managed services." Note that neither IDC nor Forrester differentiates between Identity 1.0, Identity 1.5 and Identity 2.0 technologies. In fact, it is likely that neither firm of analysts has factored in the amount of autonomous growth brought about by a huge uptake of user-centric identity management services, just as no analyst could have predicted that at its IPO Google would raise $1.67 billion, implying a value for the entire corporation of $23 billion.

The online world needs an identity metasystem with trust anchors in the real world. Telcos are in a perfect position to help build this system, the lack of which Gartner and others lament. In seizing this opportunity as this paper proposes, fast and without delay, Telcos can reap the benefits of being early movers and position themselves as one of the de facto Identity Service Providers on the World Wide Web.

The author

Marcus Lasance is Principal Consultant at Verizon Business in Amsterdam. Prior to working for Verizon, Marcus Lasance was Managing Director of MaXware UK, an Identity 1.0 ISV which was acquired by SAP in 2007 and now forms part of SAP NetWeaver Identity Management.