This is a draft of the book with the same title now available through Amazon:
Security Arguments are Philosophical
How moral is a technical dilemma? How technical can a moral argument be? Philosophical questions are rare in Security-focused debates unless people are trying to make a “political” point, i.e. a critical point about technical choices. Usually in these cases the choices are about what is deemed “better” or “more advanced” in technological terms, and not about truth or ethical questions. The root of this problem is that Security lacks a theory, as I wrote in a previous chapter. We have principles and “best practices” but we do not have a theory explaining our actions “from first principles.”
Would such a theory be possible? In this book I have shown some examples of how the current Security approaches rely on ideas and presuppositions that can be identified as a form of mechanistic ideology. I pointed to the problems arising from Information thought of as an object and from Security centred on the protection and defence of “information assets.” A philosophy, though, would take this trend as part of reality, as a “perspective,” and correlate it to other lines of action and thought.
From protection-centric Security we would be moving logically to user-centric and data-centric alternatives, not to discard the dominant ideology altogether, but to put it in context and help free our thinking and our actions. For Identity management, we would see for example that we need to offer a new vision by joining “analytical” and “synthetic” approaches instead of following the latest marketing trends.
How moral is a technological question? In the current era, technological discussions are essentially philosophical ones, even if we don’t see that. Or, better said, current technological issues are our modern philosophical debates, disguised as empirical choices. This view has multiple results for the present and the future, and I will explore some of these in this last chapter.
Cloud Computing and the Problems of Information Technology
Cloud computing is a new step in organisational and social history. It is rooted in the changes driven by profit maximisation, global leverage of salary differentials, new levels of division of labour between countries and within these. Organisations adapt to these global changes, rapidly losing any national or local character and adopting technologies that speed up this post-cultural transformation.
If at first organisations adopted Information Technology as a differentiator, seeking the commercial advantages promised by the new technologies, further adoption has been hampered by problems. Information Technologies transformed rapidly into commodities and the assumed advantages disappeared. Frequent and severe IT project failures are only the backdrop to a deeper problem, which was the opaque relationship between technology adoption and corporate productivity. Nevertheless, despite the obstacles and problems, IT adoption continues at a fast pace. This helps us see that at the core of its social and economic role the driving factor is not the technology itself, but the work and the workers that act with it and through it. The generic “information worker” is the real force behind the mysterious “success” of Information Technology in the face of unlikely and elusive benefits derived from its adoption. Value, when it comes, is generated by the new universal, transnational work (essentially services) and not by any particular technology. This is why positive correlations between IT investment and enterprise productivity appear only when the organisation has other programmes in place: hiring, enabling, educating, freeing and leading the new working classes of professionals. When this is not the case, IT investment by itself fails to produce any value for the organisation, and the same is true of Information Security and Identity Management investments.
These underlying causes also explain why Information Technology and Security professionals are confused by, and sometimes resistant to, the global adoption of Cloud services. Businesses enter the “Cloud Transition” phase when investments in IT can be conveniently replaced at a fraction of the cost by external capabilities. At the same time, the only differentiating factor that remains is the ability of organisations to leverage the skills, creativity, education, mobility, dynamism and ambition of their people.
Business continues to evolve
Business organisations are increasingly adopting outsourced IT services and the use of externally hosted infrastructures. For those organisations that didn’t make the change consciously or still move through a hybrid phase, a new problem appears as the variety and complexity of user administration and user access rights becomes very difficult to manage.
What are the differences? What can help organisations draft suitable Security policies? While there are still differences related to business models, we can see the same groups of users across many private and public sectors, all showing similar needs. The signature of these changes is that users previously considered “external” have equal or greater access needs and rights than “internal” users. Complementing this, “internal” users also interact with the organisation as “external” customers and citizens. This leads to a new panorama where traditional “enterprise” approaches and IT “solutions” cannot and should not be devised separately from all other forms of “identity management.” In writing this I am consciously adopting the view that there is no Security strategy that is not, in essence, an Identity management strategy.
Amid this change, technologists and managers have to recognise that their way of acting has to adapt. Sometimes, terms that appeared in other contexts are used for Security practices. This is the case with Service Orientation, born in the period when the emphasis was on enterprise-level software and database development. Now this terminology is used, properly in my view, for the Security and Identity specialities. For about 10 years now some experts have been writing about Security and Identity “as a Service.” The move into the Cloud has given more energy to these calls for transformation, but the results have so far been incomplete.
The Cloud has many aspects, but it tends to appear as one thing in particular for those who approach it within the traditions of the computer revolution of the 20th Century: the Cloud phenomenon appears as an incarnation of the out-sized computer, sitting somewhere remote and isolated, capable of everything, ever-present. Cloud computing is thus understood as a return to the mainframe era, a fact not ignored by hardware vendors who are continuously trying to “run the Internet” on some collection of multiprocessor “boxes.”
To the hammer, everything looks like a nail, as the saying goes, and that is how people see the tools and technologies around the Cloud. By doing this, the conventional observer misses the fact that the Cloud is not (and cannot be) a technological compound, but essentially reflects historical and sociological changes, a different context from the one in which some of us learned to use the Personal Computer.
This is the case with disciplines like Identity and Access Management, which are tightly related to organisational, non-technical causes. To the techno-centric practitioner, Identity management, even when based in the Cloud, is frozen in time at the moment somebody thought about the possibility of centralising user control across many separate machines and operating systems. Currently the Identity management experts are still fixated on the technologies of “user provisioning” and “role management” as these were elaborated during the Mainframe and later Client-Server periods.
Supported by this fixation, the most notable change in the technology market has been the reduction in the number of technology suppliers, ending in a small core of large, monolithic offerings which compete more on size and difficulty of implementation than on effectiveness and business value.
Under the spell of these technologies, Security and Identity specialists think more of complex platforms and extensive software development tools, this time offered “in the Cloud,” or as “Software as a Service” (SaaS). The change ends there, because these conceptions are an obstacle for the Security disciplines and for Identity management in particular, as professionals limit their work to models that have little to do with Identity and the possibilities of the Cloud. Not only is the social and economic nature of the Cloud lost, but the wrong tools are also adopted for a reality that no longer lends itself to the traditions of “enterprise architecture.”
As this model fails and the number of abandoned “provisioning” projects grows across the world, surprisingly the technology market starts to fragment again, moving away from the previous concentration in the hands of a few sellers. Some new entrants follow the SaaS model to offer parts of the Identity technologies, while others remain “in the enterprise” and focus on the areas of “risk-based reporting” and “compliance.” On the whole, this fragmentation is positive for business leaders and consumers in general, and it is safe to predict the rapid loss of relevance of the “end-to-end” Security portfolios. As part of this development, I predict an increased focus on the core of Access control, i.e. the disciplines of Authentication and Authorisation, and a move away from the focus on “provisioning” and “role management.”
Traditional thinking focuses on Unique User IDs, password management, well-defined roles and “user provisioning,” and more recently on risk-based reporting and application-by-application access control, but all of this will give way to new forms of Identity management that will challenge at the same time the monolithic “platform” approach and the “niche vendor” approach.
These will not be vanquished by a new technology, or the “next big thing,” but fundamentally by a new way of doing things across computing networks. The new technologies will be the product of this new period, not the cause of it, and the inventors of these new technologies will be the interpreters of the economic and social change that is driving all of this. As I have been describing in this book, what is new in Identity stems from post-industrial, post-cultural, capitalist, globalised commercial exchanges and human movements. The forces that cross and surpass national boundaries and transform the family and local life also change business and organisational structures.
The global, transnational enterprise is also global in the sense that it represents the existence and reproduction of identities that are mobile and rootless, lacking firm context and defined loyalties. These “identities” are abstractions of biological individuals, “equal individualities” and entities with little history and references to begin with. No individual appears certified, but only as a fragment of a legally existing person, and only as a function or a partial activity in the economy or as part of an organisation. In the global network, the activities of the individual are indirect and partial, or better said, a shadow of a real individual.
For this fundamental, non-technological reason the monolithic individual does not exist, and therefore in dealing with Identity we are not facing a definable object, but an activity. Professor Chadwick[i], a prominent British scholar in the speciality of Identity management, has captured this synthetically with the formula: “It does not matter who you are but what you can do.”
Global and national organisations cannot rely, and should not rely, on unique identity instruments (credentials) or stable identities. They should aim instead at defining, enabling, protecting and verifying stable modes of informational exchange and access routes. The key to Cloud value is a “variety of identities.” Unique, flat, general and shared network spaces with stable identities are things of the past.
Now, in this context, something is still missing, and it is still difficult to grasp if we stay with the techno-centric perspective. For the individual as a natural person, his or her “identity” continues to be unique and coherent, even if it is partial and unstable for the multiple organisations, contexts and realms he or she moves in. For the organisation, Identity is fragmented and scattered, but still falsely understood as unique and defined.
This is the contradiction that we live in, the ideological framework that makes us think of Security as a profession bound to protect and defend; while it should be clear to all that with such an attitude we are missing the point and not responding to a historic challenge. In fact, understanding that it is sociology and history which drive change, and not technology, would lead us to see that the whole promise of the new era is rooted in widespread individual use of computers, a new form of generalised work. The machine is the instrument and the mediator, but the machine is only responding to expanding human action. It is this mediation that allows for anonymity and hence creates the context of fraud and crime (because it underpins the context of freedom).
In seeing this, the controlling “protecting” technocratic spirit tries to turn against the basis of the historical period and tries to cancel anonymity as if it were some accidental unwanted feature in the current situation. This ignores that computing power in the hands of individuals and indirection of personal activity are the foundations of the digital global market. This market is indeed the product of uprooted, universalised, generic, global indirect activity that is not materially linked to the biological person (to the taxpayer, the homeowner, the corporate worker), but only indirectly and voluntarily so.
Is it not the case then that linking back all activities in the network to the “real biological person” is not only impossible but also counterproductive? Besides, is it not the case that successful business models always arise without such linking? Here is my thesis: fragmentation of the identity is not a problem if a) the person has the power to decide to act through the network; b) if multiple identities, i.e. levels of action are acceptable for the business models; and c) if various identities (and channels) are acceptable for commercial exchanges and human interaction in general.
False perspectives disappear once we understand that technologies create their own justification and present themselves as “causes” when they are not. Technologists and conventional Security experts cannot see that the indirection and abstraction implicit in the computer create indirect mediated action and abstract, uprooted shadows of the individual, and not the other way around. Is it a serious stance to detest the unnamed anonymous “hacker” who is enabled precisely by the techniques of remote computing? Is it a rational stance to warn of the risks of “attacks” on data just when we expose data to the global networks?
If we think about these problems for a minute, we will immediately see that the risk of fraud and impersonation, as well as all other Security “problems,” are derivatives of multiple layers of indirection in commercial and social transactions through the computer networks. Shouldn’t it be obvious that the way “forward” should not be to plan the rest of our lives as a war against masked aggressors, “exotic” hackers and “anonymous” enemies, but to adapt to this new context? Our commitment should be instead to develop new protocols, new assurance levels, new business plans, new strategies and various identities on all sides, across all boundaries.
Specifically: a variety of identities means parallel or shared identities and concurrent flows of collaboration managed by the individuals. The new model is one where Identity management is not and cannot be a gubernatorial discipline to bring order where there is chaos, to simplify where there is complexity or to reduce choices where there is freedom. I also imagine the moment where Identity management will stop being seen as part of Security and become just one more art of business risk-taking.
Eclosion of Security Concepts
When I meet with senior Security experts, especially those in upper management positions in public and private organisations, the conversation often focuses on the future of Identity and Security management. I confess that this is a subject of constant reflection for me and I eagerly take part in such exchanges when the opportunity arises. In these discussions I see that Security and Identity management leaders face complex decisions every day about their organisations, as these evolve and address new problems in the global network.
The consensus usually is that Security and Identity management cannot be delivered any longer purely within the boundaries of the organisation or enterprise, and that new ideas are necessary to face the challenges that come with de-perimetrisation and Cloud Computing.
In considering the subject, it is essential to leave behind both the pessimistic and the naively optimistic stance: believing that the future will be either “more of the same” or “completely new.” These are false assumptions. What we see, both in technology and in business practices, is that the new coexists with the old, and the old gives birth to the new. The combined result of these movements is what I call “eclosion” (from the French éclosion, meaning “to hatch” or “be hatched”), an image borrowed from the biological sciences.
In a more descriptive way I like to think of change not as evolution or displacing one class of systems by another, but as the constant unfolding and opening of reality. Here, to avoid an excessively wide discussion of these matters I want to focus on the plane of conceptual transformation and for example on the changes driving Security and Identity. In the realm of ideas, we should speak of “differentiation.” The following trends were presented in chapter 6 and are repeated here for convenience:
- The protection and compliance focus which Identity management inherits from the Security Domain will not disappear, but it will have a lesser role in the IT landscape than it has now.
- Centralised control models over identities will be reserved for restricted areas of the IT infrastructures, while organisations implement federated and decentralised assurance services.
- Privacy and Data Protection concerns will be seen as essential, but increasingly not as a central management task, and instead as rooted in individual choices and different varieties of identity.
- Identity management as a Service will experience rapid adoption but a single model will not exist, and corporations will sometimes have partly hosted and partly on-premises solutions.
- The intellectual structure of Security and Identity management will change, moving from a focus on Risk Management, to a balance of Risk and Trust Management.
- Given the perceived and real risks of network crime and disruption, security will rely even more on defence in depth and on a variety of identities and identity assurance levels, while using more refined risk-based and attribute-based access controls (all of this enabled by Identity management solutions).
Each of these trends has in itself a counter-balancing element which on the one hand represents a continuation of the past, but also is a reformulation of it. Change by differentiation leads to increased complexity.
Cloud Computing is not itself caused by changes in the Security or Identity disciplines, but is, as I explained, the latest stage of a trend that has always been present in computing: towards virtualisation, shared capabilities, resilient remote resources and networking. The Cloud is at the same time a continuation of the old and the appearance of new and different models of infrastructure and application services. This has an important effect on the future of Security and Identity management.
In developing Cloud computing, we see two major trends arising: Identity management “for” the Cloud, and Identity management “in” the Cloud. The first represents Security services to protect the Cloud environments themselves; and the second is the Identity services offered from Cloud or hosted platforms. The two types of service are inseparable but need to be distinguished in our study.
Security and Identity “in” and “for” the Cloud reflect two “views” among the users of these services and IT specialists: Security for the Cloud means securing the broader IT application and data workloads as they migrate from corporate data centres into Cloud services. Security in the Cloud means developing a new delivery model for IT solutions – for example, Identity management as a service.
The core of the conceptual differentiation taking place at this level is between Trust and Risk Management. On the one hand, Security in the Cloud is a view that reflects the ideas of Trust Definition and Trust Establishment, leading to a stance centred on Trust Management. In this “world” Identity is seen as Distinction and Membership. On the other hand, Security for the Cloud is a view that reflects the ideas of Trust Enforcement and Trust Validation, leading to a stance centred on Risk management. In this “world” Identity is seen as Object and Context.
These views represent different action perspectives and different participants: For Security in the Cloud, we have the Subjective position, the position of the business owner and leader, the strategist, but also that of the group, the organisation, and Society in general. In Security for the Cloud we have the Objective position, the position of the implementer, the controller, the auditor, but also that of the engineer, the technologist, the IT organisations in general.
Trust Definition and Trust Establishment are crystallised in a view of Security “in” the Cloud, and answer the question: How do we benefit from operating in the Cloud; how do we manage trust with our clients, colleagues, staff, partners, etc.? Trust Enforcement and Trust Validation are at the root of a view of Security “for” the Cloud, seeking assurances for Data Control, Compliance, Protection and Privacy. It is obvious that these views are complementary. It is also clear that the two major groupings described here can be analysed further into the four perspectives that I have presented in previous chapters:
- Trust Definition: Security seen from the perspective of Direction and Identity seen as Distinction.
- Trust Establishment: Security seen from the perspective of Selection and Identity seen as Membership.
- Trust Enforcement: Security seen from the perspective of Protection and Identity seen as Object.
- Trust Verification: Security seen from the perspective of Detection and Identity seen as Process.
The delivery of Security “in” the Cloud is a precondition for realising Security “for” the Cloud. An excessive focus on security “for” the Cloud assumes the organisation is not yet benefitting from these capabilities and needs assurances to adopt Cloud-based solutions; while the view focused on security “in” the Cloud seems to reflect the target state of any Cloud initiative: security as a service “in” the Cloud.
While the two views remain linked and dependent on each other, the Risk-centred “view” will predominate in the context of deciding how to adopt Cloud-based strategies; contrariwise, the Trust-centred “view” will predominate in the context of delivering or exploiting Cloud-based services. The two views are part of the same panorama and have to be mastered in the Cloud Security strategy. Because of this, it is advisable to keep in mind that the disciplines of Trust Definition and Allocation are still not well developed and stay in the background among Security professionals. In the new world of Cloud computing, nevertheless, it is essential to develop a balance between these disciplines and the dominant perspectives of Trust Enforcement and Verification.
Setting up and governing Identity data ownership should be the basis of Defining Trust between the participants in the market. Developing new protocols for the establishment of collaborations and partnerships, and defining employee, consumer, citizen and third-party access levels, are the basis of the Establishment of Trust between users and organisations.
It will be necessary to adopt a wider combination of policies, roles, groups, capabilities, attributes and credentials for such a variety of users. This will enable them to access multiple channels within a number of levels of assurance around the enterprise and its partners. In the same way, standardising data, identity propagation and assurance processes will support the Verification of Trust.
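The combination described above (roles, groups, attributes and credential-based assurance levels, applied per channel) can be made concrete in a small access-decision routine. The following is an added illustration, not code from the book or from any product it discusses; the three assurance levels, the channel names and the sample identities are constructed for the example, and the policy model (deny by default, every condition must pass) is one common way to express attribute-based control, not the author's own design.

```python
"""Added example (not from the book): an attribute-based access decision that
combines roles, groups, attributes and the assurance level of the credential
used, evaluated per channel so one person can act through several identities."""
from dataclasses import dataclass, field

# Hypothetical assurance levels, ordered from weakest to strongest credential.
# Real deployments map these to a published framework; the values here are constructed.
ASSURANCE = {"password": 1, "otp": 2, "hardware_token": 3}


@dataclass
class Subject:
    identity: str                      # which of the person's identities is acting
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)
    credential: str = "password"       # how this identity authenticated


@dataclass
class Policy:
    channel: str                       # the service or channel being accessed
    min_assurance: int                 # weakest acceptable credential level
    any_roles: set = field(default_factory=set)      # at least one must match
    any_groups: set = field(default_factory=set)     # at least one must match
    required_attributes: dict = field(default_factory=dict)  # all must match


def decide(subject: Subject, policy: Policy) -> tuple[bool, str]:
    """Deny by default: return (allowed, reason) only after every condition passes."""
    level = ASSURANCE.get(subject.credential, 0)   # unknown credential -> level 0
    if level < policy.min_assurance:
        return False, f"assurance {level} below required {policy.min_assurance}"
    if policy.any_roles and not (policy.any_roles & subject.roles):
        return False, "no qualifying role"
    if policy.any_groups and not (policy.any_groups & subject.groups):
        return False, "no qualifying group"
    for key, value in policy.required_attributes.items():
        if subject.attributes.get(key) != value:
            return False, f"attribute {key!r} does not match"
    return True, "permitted"


# Constructed policies: a low-sensitivity partner channel and a sensitive internal API.
PARTNER_PORTAL = Policy(channel="partner_portal", min_assurance=1,
                        any_groups={"partners"},
                        required_attributes={"contract_active": True})
PAYROLL_API = Policy(channel="payroll_api", min_assurance=3,
                     any_roles={"payroll_admin"},
                     required_attributes={"employment_status": "employee"})

# Constructed identities belonging to the same natural person, acting in two contexts.
AS_PARTNER = Subject(identity="j.doe@partner.example", groups={"partners"},
                     attributes={"contract_active": True}, credential="password")
AS_EMPLOYEE_OTP = Subject(identity="jdoe", roles={"payroll_admin"},
                          attributes={"employment_status": "employee"}, credential="otp")
AS_EMPLOYEE_TOKEN = Subject(identity="jdoe", roles={"payroll_admin"},
                            attributes={"employment_status": "employee"},
                            credential="hardware_token")


def sample_decisions() -> dict:
    """Evaluate the constructed identities against the constructed channels."""
    return {
        "partner->portal": decide(AS_PARTNER, PARTNER_PORTAL),
        "partner->payroll": decide(AS_PARTNER, PAYROLL_API),
        "employee(otp)->payroll": decide(AS_EMPLOYEE_OTP, PAYROLL_API),
        "employee(token)->payroll": decide(AS_EMPLOYEE_TOKEN, PAYROLL_API),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in sample_decisions().items():
        print(f"{name:28} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The point the example makes is that the same person is accepted on the partner channel with a weak credential and rejected on the payroll channel until both the role and a stronger credential are present; the denial reason is returned rather than printed so an authorisation service can log it for later verification of trust.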
Risk Focus and the Cloud
In day-to-day corporate management the easiest way to appear “on top of your subject” is to avoid contradictions when you speak. It does not matter whether you know your subject, for in a generalised Services Economy and in Information Technology there are hardly any standards. When presenting something, the IT manager can survive by being consistent and conservative. For example, in speaking about security it is “safer” and simpler to think and act following the usual ideology that “everything in Security is about risk.” Your task is automatically cut out for you, as you can now focus on “risk mitigation” and “managing security threats.” Security specialists will not challenge you, because we also move within an ideology that says: “Yes, we know that Security includes trust management, but we have decided to focus on Risk management and risk avoidance only, because … we are specialists after all.”
These positions are protected by the assumption that to be objective, Security practitioners and experts have to be essentially Risk managers. Underpinning this self-perception, the Security profession thinks of itself not only as objective, but also as scientific and quantitative. When challenged, the Security expert will doubt that Trust can be measured, for example, and will try to prove that Risk is the only measurable “quantity” in Security. After all we have plenty of measurements and assessment methods, like the now-abandoned ALE[ii], ROISI[iii] and the Gordon & Loeb investment functions[iv]. And don’t we have “accepted” practices around threat and risk probabilities?[v]
The Security expert convinces him or herself that those sub-disciplines not centred on Risk management are somehow less objective or less “quantitative” than the one they practise. It is usual to see the Identity management people as lacking in business insight because they recommend investments based only on organisational transformation and overall efficiencies. Have we not all learned in our training and certifications that Risk is the only objective measure?
In the same vein that I asked at the beginning of this chapter what the moral bearing of a technological argument is, or the technological value of a moral choice, I have to ask now, philosophically speaking: “What is subjective and what is objective?” It is critical to clarify the use of terms here, because we take things for granted too easily, and assume that some terms have evident or definitive meanings. We need to make a distinction to fully grasp what we mean by these terms and determine how they can be applied to our profession.
To promote this discussion, I often suggest that we agree on a distinction between what is quantitative and what is not. In this way, we can arrive at a wider distinction, between the objective and the subjective. The intent of the objective/subjective distinction is comfortably matched by the quantitative/non-quantitative pair because, if a statement is quantitative, then it is communicable, and thus it can be corroborated by evidence. If a statement is not quantitative, then it remains in the realm of pragmatics, i.e. the Person. Therefore it is essentially incommunicable and remains beyond verification. In other words, the non-quantitative is necessarily subjective, while the quantitative has at least the chance of verification. Only the Number (quantity) manages to cross the gaps between Persons, Subjects and Agents[vi].
In Security, what is quantifiable and what is not? We know the sorry state of our disciplines when it comes to assessing the value of our proposals, plans and solutions. Even when they insist on quantitative Risk assessments, our Risk managers are shy when it comes to showing any success of security investments. Not only the industry but also academia and the literature fail to show consensus about the value of Security and IT investment in general. In fact, although the IT world prefers to ignore this, to date the function and value of IT are not settled matters. This is even more the case in the face of quickening global changes. And the problem is wider: few experts would dare to explain the nature of Information itself, while so many of us still keep talking about the “value of information.” That has not been settled either: the concept of information has at least four different meanings in the literature: as an object, as an intangible value, as a relationship and as a process.
How is it then, given these flaws, that we do not see their effects in understanding Security? How are we still comfortable speaking about “Information Security” and about the “Identities” that access “Information”?
In the midst of the Cloud Transition, the Risk-focused managers like to fashion themselves as the most quantitatively oriented experts, by using security breach and attack “statistics” and “threat modelling,” as well as “probability calculus.” Sadly, as we have seen in a previous chapter, all of this boils down to some experts choosing the weights of the factors and advising which threats are meaningful and which ones are not. Instead of probability calculus we have some medieval theory based on “authorised opinions”[vii].
Further, especially because the whole world of Security is changing, we need to accept that it is even more difficult to show the value of IT investments themselves, and not only in Security or Identity management. We should face the realities described by Nicholas Carr in his 2003 article “IT Doesn’t Matter”[viii].
Quantitative Identity Management
It could be argued that decision-making about Identity management is difficult because of factors that are not intrinsic to the discipline, for example those related to the maturity of the business. I think that this approach evades the problem. After all, it should always be possible to present a good investment proposition even if the organisation does not have a grasp of the complexities of user management.
Of all the areas in Security, Identity management seems to be the least quantifiable (keeping the distinction that I proposed above). Now that some Risk experts dare to recognise the difficulties they have in showing the results of investment, there is perhaps some chance that the Identity specialty becomes more normal after all, but I do not think that we need to rely on a change in views at this point. The Cloud is bringing a different context. A formula may capture what is happening: Identity becomes more relevant, more material, when information becomes indirect. In a somewhat more detailed expression, I like to say that Identity becomes more objective (quantifiable) when the users exchange information more indirectly. This is easy to understand if we think that human exchanges evolved incrementally towards more indirection and abstraction, while in the past even “information exchanges” were only done between natural, physical, present individuals. As the separation evolves, Identity becomes less personal and more symbolic, mediated and numeric. In this sense, it becomes more quantitative.
This is the key to understanding not only why Identity management appears at first as the least quantifiable of the Security disciplines, but also how, in the near future, this specialty will be the only quantifiable one, while the other areas will still need a longer journey through the Purgatory of “knowledge by experts” and “art practitioners.”
In a previous chapter (“Quantitative Identity Management”) I described how identity data flows can be isolated and assessed, and how these become symbols and agents of organisational work. Identity data is notoriously mismanaged everywhere. There are fundamental problems of governance, of standards, of architecture, of validation, authorisation and provisioning processes. Let’s be clear: these problems are not getting easier or smaller. Actually they are exploding and deepening as organisations of all sizes enter the third or fourth waves of globalisation. On this ground we should not only be thinking about the Cloud, but also “after the Cloud,” towards the next wave of indirection and human work abstraction.
In the recent past, even while client and user data was treasured and reasonably governed (either by reasons of commercial interest or via regulatory pressure), identity data was not only mismanaged, but also not measured. It was never considered an “asset,” resulting in a situation where Identity data was the only major category of business-related data that was not managed, as if it had no value at all. From the micro-economic angle, though, it is clear that Identity data was not measured while it was chiefly “internal,” i.e. employee or direct contractor Identity data. These blocks of data were rationalised as non-asset, “worthless” informational entities about “cost factors” and not sources of revenue. In other words, even in the post-industrial enterprise, at the start of the current globalisation wave, Identity data that originates in “cost factors” was and still is considered as not being “an asset.”
It will take more work and research to discover all the related issues, but this already explains the current state of mismanagement of Identity, and the future of Identity in the period of Cloud transition. Data that remains rooted in “cost factors” will not be managed as an asset (by default), except in those cases where enlightened management recognises the intangible benefits of Identity data management in the core enterprise and its immediate periphery. Contrariwise, other types of identities, originating from partners, collaborators, suppliers, distributors, and public and private consumers, will increasingly be treated as a series of complex “assets” deserving better or more effort in Identity management. Now, because the core enterprise is decreasing in absolute and relative terms anyway, and because the “external” users are many more than the “internal” ones, once better Identity processes become the standard, we will see a rational cost-based solution for corporate staff. While the Cloud transition is unfolding, the real costs and negative impacts of defective user management processes and technologies are ignored by private and public organisations alike. User management costs are not even an item in IT cost schedules.
In other words, business change drives organisational change, and organisational change drives the utility of Identity data management. This is precisely the meaning of the Cloud Transition. Identity management is also transitioning from a sub-discipline focused inside the Enterprise (looking from the inside-out so to say), to a transformed praxis coming from outside of the Enterprise.
In this sense, to the extent that other Security disciplines remain anchored behind the firewalls and rotating doors of the corporate buildings, Identity management shall detach itself from Security in a very interesting way. From being something the IT department doesn’t want to do or was not ready to do, it will become something the IT department will never do. Around the same time, though, in a moment of revelation, IT experts will wake up to discover they themselves have ceased to have or to be a Corporate Department altogether, thereby ending the long and fruitless attempt to “align with the business” as well as their tortured experience with Identity.
That will stop a constant tendency towards fragmentation of the Identity solutions, or “point solutions,” as we say in the trade[ix]. Everyone in the Profession sees user management as part of security, the same as everyone sees Security as part of IT. This is a wrong perspective. By doing this, we are taking distance from business, even if we promise “alignment.” This is so because current conceptions of secure user management are not where the reality is going, because security theories are incomplete in this space, and —note this—because Risk-based Security is essentially non-quantifiable and “subjective.”
Against the backdrop of the Cloud Transition, an objective (quantifiable) approach is not only necessary but feasible for Identity Data Management once we address the transforming user types and user access routes described earlier in this book. By looking into these data flows as business data, we will not only articulate a discourse of value, but can also quantify the complexity, the change, the cost and finally the exchange value of this information. The enterprise will discover the full value of identity once it stops owning it. On this basis, we will see Security and Identity management as a question of performance, flow, network reachability and workflow efficiency, and Identity Data will be a product, at a price, but no longer a product of the transformed enterprise.
Addressing the Cloud Transition means adopting quantitative Identity management in the global stage. While in the past good Identity management—always an unreachable goal—was predicated on internal business processes, in the new period a completely new rationale is coming to the fore whereby “good management” is not and cannot be internalised management of external identities.
Let us summarise the obstacles that existed even before the Cloud became an economic and social imperative. Most of these factors are either ignored or “hidden” from view within the dominant techno-centric paradigm:
- Hidden costs of IT Operations and project delivery (project mobilisation, project delays and failures, IT inefficiencies)
- Undue and unexpected, un-evaluated effects of outsourcing arrangements (internalised management of external identities, inadequacy of traditional technologies in the deperimetrised enterprise)
- Continued divide between IT and business departments (persistent lack of alignment and absence of common objectives)
- Persistence of risk-based security and risk-focused investment decisions (under- and over–investment in technologies)
- Limits induced by a problematic theory and understanding of “information” (excessive costs and deficiencies managing information as an “object” and not as a process)
- False definition of future stages as “simpler” or “less complex” (wrong expectations of business and IT teams assuming complexity can be “reduced” with more technologies)
- Investment and commitment tied into monolithic Identity technologies and network operating systems (technologies designed for enterprise, closed environments slow down organisational transformation)
More specifically, in the Security and Identity areas, conventional approaches lead the business teams and technologies to focus on:
- Centralisation of access control
- Automation of identity life-cycle (push model)
- Educational activities focused on “compliance”
- Compliance focused on vulnerability patching
- Access control taken as access remediation (account cleaning)
- Risk-based reporting defined as “detection of misbehaviour”
We have seen already the roots of this direction. It suits a vision where the essentials are:
- Operational costs
- Financial losses
- Perception of exposure to “Security risks”
- Regulatory Compliance
- Number of breaches, incidents
In this context, inevitably, all Security becomes equal to “protection[x]”. And, as a result, all our activities are articulated around the “pressures” that IT managers experience in their jobs. All solutions become technological choices between “tools” and the primary selection criteria are savings, reduction of service desk calls, decrease of effort in account management, “simplification of processes,” savings in compliance cost and related measures. In other words, Security becomes an IT matter, to be owned and resolved by IT managers and experts. Just considering this end scenario leads us to see how absurd the starting point is.
After The Clouds
To continue in this fruitless state of mind, it is necessary to “transition to the Cloud,” but with clear vision. It is essential to avoid adopting the Cloud as another technology in the hands of the old IT department. An example of continuing old prejudices can be seen in the polemic exchanges taking place between Larry Ellison and Marc Benioff, respectively CEOs of Oracle Corporation and Salesforce.com, in the past few years. This debate was summarised by Bob Evans writing in Forbes Magazine[xi]. Computerworld and InformationWeek carried at the time good descriptions of the discussion[xii].
The Web is full of exchanges like these, where marketing strategies are confused with analysis, and the discussion becomes a distraction, if not even the cause of more confusion, for the business and technical leaders considering Cloud adoption. In this debate, for example, the terms “false cloud” and “real cloud” were used liberally.
Terms like “false cloud” and “real cloud” mobilise underlying subjectivities and commitments but are not rational arguments. To begin with, there is nothing like a “false cloud” or a “real cloud.” The Cloud is not coherent, finished or complete; it cannot be defined once and for all. It is not only still in the making, but also it is essentially not of a technical nature.
We can see that many discussions about the Cloud (and the Ellison-Benioff debate was no exception) set comparisons around technical capabilities like “virtualization,” “efficiency” or “Java-enablement.” That is precisely the discourse of the old IT department. To be fair, in this debate Benioff did make very good points, addressing non-technological qualities of the Cloud — for example that it has to be “democratic” and “economic.”
Technical differentiators are fine, and each technology house will have some technical solutions, hopefully well-integrated into their offerings, but Cloud consumers (either companies or individuals) should not get distracted by these functionalities or impressive hardware specifications, because the Cloud is above all a social and historical phenomenon. The roots of this phenomenon are economic in nature, and they are global, but the technologies and principles are not new. These existed since the start of the electronic computing era and were not invented recently as many experts believe!
It is the global extension, the variety of user types, the diversity of applications and services, and exploding business models that makes the Cloud. Benioff’s Salesforce is not less “true” than Ellison’s database in the Cloud. These are only two models, perhaps one more innovative than the other, matching two modes of use of computing resources. While the Ellison model may be “good” for some organisations, the Benioff model is valuable for others, and we can see companies using both in different combinations. Who can be confused about the coexisting modalities of Cloud solutions?
The Benioff-Ellison debate tends to reappear when we discuss Security requirements and Identity management projects in the Cloud. Questions arise about the use of Software as a Service or application platform (SaaS and Infrastructure). Which is more secure and which is more efficient?
The conventional IT approach tends to see the Cloud as another new technology and ignore the fact that neither the application nor the platform should be chosen in and by themselves. It is high time that IT professions abandon techno-centric criteria, especially because new technology is not always good. Technology adoption in the usual manner will be especially counterproductive if we do not start from a clear understanding of the role of the users of technology. The needs of these users are the engine of the Internet and the Cloud expansion period. What technologies we use to serve those needs comes second.
To do this we have to study the “access route matrix,” i.e. the combination of user types, device types, credentials, assurance levels, locations and application types that are or will be in play. From the access route matrix we can derive the type of Cloud that will be necessary: Private, Hybrid or Public, and the many combinations of these modalities.
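As an added illustration of what “studying the access route matrix” can mean in practice (this is example code written for this edition, not a tool from the book), the block below enumerates every combination of user type, device, credential and location, scores each route by its weakest factor, checks it against the assurance level each application requires, and suggests a deployment modality from the locations the allowed routes come from. The factor scores, the 1–3 scale, the “weakest factor wins” rule and the Private/Hybrid/Public heuristic are all assumptions chosen for the example; a real matrix would carry the organisation’s own values.

```python
"""Toy "access route matrix" evaluator (constructed example, not the book's own method).

An access route is one combination of user type, device type, credential and
location used to reach an application. The numeric assurance levels below are
illustrative assumptions (loosely in the spirit of the 1..3 levels used by
NIST SP 800-63), not figures taken from the book.
"""
from dataclasses import dataclass
from itertools import product

# Assumed assurance contributed by each factor (1 = lowest, 3 = highest).
CREDENTIAL_LEVEL = {"password": 1, "otp": 2, "hardware-token": 3}
DEVICE_LEVEL = {"unmanaged": 1, "managed": 3}
LOCATION_LEVEL = {"internet": 1, "partner-network": 2, "corporate-lan": 3}


@dataclass(frozen=True)
class Route:
    user_type: str
    device: str
    credential: str
    location: str


def route_assurance(route: Route) -> int:
    """Achieved assurance is bounded by the weakest factor (an assumption of
    this example). A factor absent from the matrix scores 0, so an unknown
    combination is never silently accepted."""
    return min(
        CREDENTIAL_LEVEL.get(route.credential, 0),
        DEVICE_LEVEL.get(route.device, 0),
        LOCATION_LEVEL.get(route.location, 0),
    )


def build_matrix(user_types, devices, credentials, locations):
    """Enumerate every combination so that no route is left unexamined."""
    return [Route(*combo) for combo in product(user_types, devices, credentials, locations)]


def uncovered_routes(matrix):
    """Routes containing a factor the matrix does not know about: these are
    gaps in the matrix itself, to be fixed before any policy decision."""
    return [r for r in matrix if route_assurance(r) == 0]


def evaluate(matrix, applications):
    """For each application (name -> required assurance level) split the
    routes into allowed and denied, and suggest a deployment modality from
    the locations of the allowed routes (constructed heuristic: reachable
    from the internet -> Public; only from the corporate LAN -> Private;
    anything in between -> Hybrid)."""
    report = {}
    for app, required in applications.items():
        allowed = [r for r in matrix if route_assurance(r) >= required]
        denied = [r for r in matrix if route_assurance(r) < required]
        locations = {r.location for r in allowed}
        if not allowed:
            modality = "unreachable"      # no route meets the requirement
        elif "internet" in locations:
            modality = "Public"
        elif locations == {"corporate-lan"}:
            modality = "Private"
        else:
            modality = "Hybrid"
        report[app] = {"allowed": allowed, "denied": denied, "modality": modality}
    return report


if __name__ == "__main__":
    # Constructed sample matrix: 2 user types x 2 devices x 3 credentials x 3 locations.
    matrix = build_matrix(
        ["employee", "partner"],
        ["managed", "unmanaged"],
        ["password", "otp", "hardware-token"],
        ["corporate-lan", "partner-network", "internet"],
    )
    apps = {"hr-system": 3, "partner-portal": 2, "public-catalogue": 1}
    for name, entry in evaluate(matrix, apps).items():
        print(f"{name}: {len(entry['allowed'])} routes allowed, "
              f"{len(entry['denied'])} denied, modality {entry['modality']}")
```

The useful output is not the modality label but the list of denied routes per application: each one is a user population that will need either a stronger credential, a managed device or a different service design, which is the kind of question the paragraph above says should be settled before a platform is chosen.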
We need to accept the Cloud for what it is: a diverse environment with a multitude of offerings. This environment will not become less complex in the future, but larger and more complex. It is counterproductive to assume that a particular marketing strategy represents the “true cloud” versus all the rest, or that some clever combination of infrastructure and software will rule over all the others. That thinking is anchored in the past, when IT departments were given the responsibility to “choose” one technology over another and having “one provider” for all needs seemed to be a good idea.
The Cloud transition changes this because in the same way there is no single type of user (e.g. the “enterprise user”); there is also no single “optimal” type of application or infrastructure/platform. It is also the case that different applications can be ideal even if they run on different platforms. Isn’t it the beauty of the Cloud that market forces will decide adoption, technology mix and mobility? Why should a software capability be linked forever to a specific platform or infrastructure?
From a technical point of view it is logical to expect that a particular offering will have enough efficiency, virtualisation, security, redundancy and all the other desirable capabilities, but if you do not face the new landscape of users, partners, third parties, trusted and not-trusted environments at a global scale, how “economic” will your Cloud be?
This is relevant for Identity management solutions, considering that Identity data is not concentrated around any particular point of the network-of-networks that is the Cloud. Identity data performance becomes more critical than old-style security focused on multiple layers of protection around the applications. How you manage identity data contributes more to security than how deep you bury your application. So if the data is not concentrated in any one point and if the enterprise does not own most of the data anymore, where are we going to build our new Chinese wall?
The conventional IT department perspective thinks of the Cloud as an extension of the enterprise realm, and some platform sellers contribute to this mirage by “extending” proprietary platforms as Cloud platforms. This is entirely justified as business strategy from their point of view. During the Cloud transition period, companies and cloud consumers in general will have various combinations of traditional enterprise, private and public Cloud adoption levels; but we must look beyond this towards a period “after the Cloud”, i.e. a period when the Cloud has stopped being a novelty, a marketing term or a “challenge.” An era when the Cloud will be our normal space of action, and there will be no more reason for “false” or “true” doctrines.
Breaking the Ceiling for Cloud Adoption
When discussing the Cloud Transition, we find persistent doubts and demands for increased assurances for data protection, cross-border operations, data ownership and processing, out-sourced operations and service provisioning. As covered in previous chapters, all these aspects can and should be covered in our Security strategy, but the techno-centric views pass over the real limits to Cloud computing, as if only Risk issues were important, and, more precisely, only Risk for the enterprise and enterprise “assets.” Risk for the citizen, consumer and employee is addressed, but only as far as they form “informational assets” (which is not always the case), and only to respond to legal duties (data protection and privacy).
This fails to see the real ceiling, for Cloud adoption is limited not by enterprise trust but by individual trust, individual (citizen and consumer) confidence in electronic commerce and exchanges. Roughly speaking, “half” of Cloud adoption depends on organisations adopting hosted services to do their business and reduce their IT footprint and costs, but the other “half” (in fact a bigger part of the picture) depends on the users and consumers buying and transacting through the Internet in greater numbers. As Mike Neuenschwander[xiii] suggested some years ago, the “ceiling” for mass adoption lies in the lack of user-centric and privacy-centric identity solutions in the hands of the individual and the citizen, and not on the side of the enterprise. In fact, organisations persist in managing users through administrative, centralised, over-engineered and in reality insecure technologies, and the only reason they do not have more users is that this would be absurdly complex.
This remains, though, an open challenge: developing a socio-economic approach (with only a hint of technology) that will shift our understanding of the Cloud and electronic commerce in general towards new protocols and new possibilities. Neuenschwander calls for a “trust protocol” based on social structures to override the Cloud adoption ceiling[xiv].
I want to close this chapter by describing how I think this conundrum will be resolved. While I agree with M. Neuenschwander in saying the Cloud needs a “trust protocol” and a “user-centric approach” I am convinced that this is not achievable through a new (or old) “identity platform.” Neuenschwander himself has made suggestive contributions to this matter with his idea of the private “persona” and the “trust protocol,” but this work does not logically lead only or even primarily to a technology or a technological solution that would support these social changes. Above all we need an intellectual revolution bringing us away from the belief that new technologies are necessary for progress. Instead, progress is needed first for new technologies to appear. We need to get the causal chain right. Either the new trust modalities, strategies and plans exist first at least in the mind of the public and organisational leaders, or no technology will ever support user-centric trust.
In fact, I believe that technologies for this change exist and have been available for over a decade. Is there something that Identity experts cannot do with our old and proven Internet protocols? It is not technology that is missing, and we are losing time by attaching our hopes to partial solutions and a multitude of “social media” which do not represent the general interest but just clever business plans.
The trust protocol and the user-centric solutions will appear as great ideas once we crack the Identity code from a different angle, that of membership. As the reader is aware by now, the Selection perspective, the one that represents most centrally the vision of Identity management, calls for an idea of identity as “membership,” based on “Trust allocation.” In this sense, a trust protocol is not a technology, but a series of concerted actions to effectively transfer risk and allocate classes of people into multiple assurance levels. So a trust protocol is a process to define, allocate, enforce and verify trust, and not only a mechanism to “score” trust in the Cloud or to enforce some set of rules. Those mechanisms will certainly be necessary, but first a radical evolution of the idea of trust and risk sharing needs to take place, repositioning the disciplines of Security. I hope that in closing this book I have given good arguments in favour of this transformation.
As we transition to the Cloud, the world after the Cloud will light up our steps.
[i] David Chadwick’s website: http://www.cs.kent.ac.uk/people/staff/dwc8/
[ii] Security practitioners continue to quote the NIST Risk Management Guide for Information Technology Systems, but this publication does not use the concept of “Annualized Loss Expectancy (ALE)” anymore! See: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
[iii] Return on Information Security Investment, see: Adrian Mizzi, “Return on Information Security Investment”, 2005, http://www.infosecwriters.com/text_resources/pdf/ROISI.pdf
[v] The ISC2 CISSP body of knowledge manual details: “Risk management minimizes loss to information assets through identification, measurement, and control, and minimizes loss due to events. It encompasses the overall security review, risk analysis, selection and evaluation of safeguards, cost–benefit analysis, management decision, safe-guard implementation, and on-going effectiveness review. Risk management provides the mechanism to the organization to ensure that executive management knows current risks, and decisions are made to accept the risks or implement safeguards to minimize the risks and accept the lower residual risks.” CISSP Guide, Auerbach Publications, 2007
[vi] An extraordinary explanation of these terms can be found in the work of the American mathematician Brian Rotman, especially in his book “Mathematics as a Sign”, Stanford University Press, 2000.
[vii] Ian Hacking, “The Emergence of Probability”, 2006
[viii] N. Carr, “IT Doesn’t Matter”, Harvard Business Review, May 2004. While Carr still follows a techno-centric model, where technologies are causes and social change is a consequence, he clearly recognises the inevitable fate of the Corporate IT Department.
[ix] Why was user management always sub-optimal? Simple: this type of data was never an asset. Service orientated architecture was never applied to identity data flows because the IT department was always catching up with “the business” project pipeline. There never was time for planning. IT practitioners know about this sad reality but most do not speak about it. Why was it an illusion that one day architectural patterns would be adopted in the unglamorous world of user administration, at least to the same degree as they exist in application development? Why is Access Management, adopted by ITIL as a “process” in 2007, considered only as part of Service Design but not of Service Operations? The questions are innumerable, but all point back to a refusal to see the fundamental role of the user in Information Technologies.
[x] Marco Casassa Mont, “Economics of Identity and Access Management: providing decision support for investments”, Hewlett Packard Laboratories, 2009. See also “Reducing the Costs of IT Security Management”, CA Technologies, 2006
[xii] http://www.computerworlduk.com/news/it-business/3308935/larry-ellison-trashes-salesforce-at-oracle-openworld/ and http://www.informationweek.com/cloud-computing/software/benioff-vs-ellison-this-round-goes-to-sa/228300205
[xiii] M. Neuenschwander, “Thinking outside the domain – The emergence of user centric identity and the trend toward pro-social management systems”, 2006, and “Scaling identity to internet proportions”, Oracle IDM, April 2012
[xiv] M. Neuenschwander, “America On The Couch: Analysis Of An Adolescent Society”, February 2009. In his blog, Neuenschwander writes: “The Internet enables us to form diverse communities rapidly, introduce environmental variables, monitor behaviours, and investigate community outcomes. Through this kind of research, it may be possible to develop a kind of “trust protocol” that is applicable to a wide range of interactions from financial transactions to social networking. By understanding elements of trust, we may be able to construct a new kind of capitalism, one that avoids the faults and tragedies of youth.”