The Cloud is (not) what I say it is (not)

The simplest way to appear “on top of your subject” is to avoid contradictions when you speak. It does not matter if you know your subject, for in a generalised Services Economy there are hardly any standards. When presenting something, just be consistent and utter tautological implications. For example: “We need a consistent plan to deliver the solution to satisfy client expectations”, or “Everything in Security is about risk, for that reason we should focus on technologies that help our clients mitigate risk and manage security potential or real security threats”.

In the past week I heard twice –from seasoned Security specialists– interesting statements of that order: “Yes we know that Security includes trust management, but we have decided to focus on everything else, because we are specialists after all”; and “There is no established way, no clear-cut method to address issues of risk management in the corporation, it is an art, not a science”.

Something must be happening! Is there a reversal of fortunes that is making the risk-orientated security disciplines retreat from the apex of the profession? Up to now I thought that Risk was the only thing measurable about security. After all we did have ALE, and ROISI and ROI and the Gordon & Loeb investment function. And we had “accepted” practices around threat and risk probabilities. Didn’t we?

Weren’t all the other security specialties mired in some sort of dazzle and confusion due to the fact that we are not “objective” and “quantitative”? For example, all those folks of the Identity Management camp: weren’t they all the time trying to recommend investments just because all those workflow engines are so “useful”?

That was not supposed to be the case of the Risk disciplines, at least not in the fables of the profession. We actually learned that Risk is the only objective measure in security.

What is subjective and what is objective? The terms are critical here, because too easily we take things for granted, and assume that it is evident what we mean when we use those words. Let’s be more precise and adopt a very simple distinction: what is quantitative and what is not?

This comfortably matches the intent of the objective/subjective terminology. If a statement is quantitative, then it is communicable, and consequently it can be corroborated by evidence. If a statement is not quantitative, then it remains in the realm of pragmatics, i.e. the sphere of the Person. Hence it is essentially incommunicable and remains beyond verification. Only the Number manages to cross the gap between Persons, Subjects and Agents.

I should be explaining all those big words but for now it should suffice to ask: in the sphere of Security, what is quantifiable and what is not?

We all know the sorry state of our disciplines when it comes to assessing the value of our proposals, plans and solutions. By reading academic and industry literature you will find that not only is there no consensus about the return on investment in Security, but –more importantly– there is also no consensus, no single measure and no stable theory about even the value and return of IT investment in general.

What has not penetrated our little IT world is that –to date– the function and value of IT are not settled matters. This is even more the case in the face of accelerating global changes. Furthermore, what is not understood is the function and value of Information itself, even if some of us like to take this for granted and keep talking about the “value of information”. I don’t think that has been settled either: in fact, it could be easily demonstrated that the concept of information has at least four different meanings in the literature: an object, an intangible value, a relationship and a process.

But then, if the function and value of information are not settled, this automatically affects the understanding of Security: after all we should be speaking about “Information Security” and about the “Identities” that access that “Information”.

The Risk-focused sub-disciplines like to fashion themselves as the most quantitative of the pack, by using security breach and attack “statistics” and “threat modelling”, as well as “probability calculus”. Sadly, in the end it all boils down to some experts choosing the weights of the factors and advising what threats are meaningful and which ones are not. Instead of probability calculus we actually have some medieval theory based on “authorised opinions”.

While it continues to be notoriously difficult to demonstrate the rate of return of IT investment, it is *more* difficult to show the value of Security investment per se, and even more difficult to produce any quantitative argument to support investment in Identity and Access Management.

It could be argued that decision making about I&AM is difficult because of factors that are not intrinsic to the discipline, for example, related to the maturity of the business. I think that this approach evades the problem. After all, it should always be possible to present a good investment proposition even if the organisation does not have a good grasp of the complexities of user management.

The truth is that of all the segments in Security, Identity Management appears to be the least quantifiable (to stick with the distinction that I proposed above). Now that Risk experts dare to recognise that they are practitioners of some non-quantifiable art, I feel more reassured of my choice of specialty though. And actually this has motivated me to reason as follows.

Identity becomes relevant when information becomes indirect

This is the key to understanding not only why I&AM appears the least quantifiable of the Security disciplines, but also how in the near future I&AM will be the *only* quantifiable one, while the other areas will still need a longer journey through the Purgatory of “knowledge by experts” and “art practitioners”.

How come? It is actually very simple, and here I will give an advance of my current research on Quantitative Identity Management.

Identity data is notoriously mismanaged everywhere. There are fundamental problems of governance, of standards, of architecture, of validation, authorisation and provisioning processes. Let’s be clear: these problems are not getting easier or smaller. Actually they are exploding and deepening as organisations of all sizes enter the third or fourth waves of globalisation.

In the past, while client data was treasured and reasonably governed (either for reasons of commercial interest or via regulatory pressure), identity data was not only mismanaged, but also not measured. It was never considered an “asset”, giving rise to a situation where Identity Data was the only major category of business-related data that was *not* managed, as if it had no value at all. Looking from the micro-economic angle, though, identity data has not been measured while it was primarily “internal”, i.e. staff or contractor identity data. Although contractor identity data is “external”, there is a common aspect with staff data: these chunks of non-asset, “worthless” information originate in entities (persons) that are cost factors and not sources of revenue. In other words, even in the post-industrial enterprise, at the start of the current globalisation wave, identity data that originates in cost factors is *still* by default “not an asset”.

It will take more work and research to cover all the related issues, but here we have an interesting thesis that not only explains the current state of mismanagement, but also the future of identity data in the new stage of organisational and corporate transformation.

This works in the following way: data that remains rooted in cost factors will not be managed as an asset (by default), except in those cases where enlightened management recognises the intangible benefits of I&AM in the core enterprise and its immediate areas. Contrariwise, other types of identities, originating from partners, collaborators, suppliers, distributors, and public and private consumers, will increasingly be treated as a series of complex “assets” deserving better/more Identity Management. Now, because the core enterprise is diminishing anyway, and because the external users are many more than the internal ones, once better/more I&AM becomes the standard for the externals, then, and only then, will we see a rational cost-based solution for corporate staff.

While this transition is still pending, the actual costs and negative impacts of defective user management processes and technologies are ignored by private and public organisations alike. User management costs are not even an item in IT cost schedules.

In other words, business change drives organisational change, and organisational change drives the utility of identity data management. This is precisely the context where I like to say that I&AM is also transitioning from a sub-discipline focused inside of the Enterprise (looking from the inside-out so to say), to a transformed praxis coming from outside of the enterprise.

In this sense, to the extent that other Security disciplines remain anchored behind the firewalls and rotating doors of the corporate buildings, I&AM will detach itself from Security in a very interesting way.

From being something that the IT department doesn’t want to do or was not ready to do, it will become something that the IT department will *never* do. Now there is perhaps something that will soften this moment of revelation, as one day the IT departments wake up to discover that they have actually ceased to exist altogether, thereby ending the long and fruitless attempt to “align with the business”.

That era will put an end to a perpetual tendency towards fragmentation of the identity solutions, of point solutions as we say in the trade. Why was user management always suboptimal? Simple: this type of data was never an asset. Why was SOA never applied to identity data flows? Elementary: the IT department was always catching up with “the business” project pipeline. No time for planning, you know?

More questions: Why was it an illusion to expect that some day architectural patterns would seep into the unglamorous world of user administration in the same way as they did in application development? Why was Access Management adopted as a “process” by ITIL only in 2007? Why, even now, does Security Management appear as a process in Service Design but not in Service Operations?

These are too many questions to address here, but let’s round up this first take:

Everyone in the Profession sees user management as part of security, the same as everyone sees Security as part of IT. This is a wrong perspective. By doing this, we are actually distancing ourselves from business dynamics, even if we promise “alignment”. This is so because current conceptions of secure user management are not where the reality is going, because security theories are incomplete in this space, and –note this– because Security is essentially non-quantifiable (or “subjective”).

Against this, an objective (quantifiable) approach is not only necessary but perfectly feasible for Identity Data Management once we address the transformation of user types and user access routes described earlier in this text. By looking into these data flows as business data, we will not only articulate a discourse of value, but can also easily quantify the complexity, the change, the cost and ultimately the exchange value of this type of information. The enterprise will discover the full value of identity once it ceases to own it.

On this material basis, we will see I&AM as a question of performance, flow, network reachability and workflow efficiency.

Identity Data will be a product, at a price, but no longer a product of the transformed enterprise.