This is a draft of the book with the same title now available through Amazon:
This work represents a systematic reflection on over 30 years of work in the IT industry and in particular in the Security profession. Many parts of the text were published in a fragmentary way since 2006 on my personal website, but the current re-worked text represents a coherent view and indeed a philosophy of Information Technology and Security which underlie all my previous publications.
The text is primarily addressed to Information Technology and Security specialists, but I hope that the general reader will still find an easy argument to follow. In fact, perhaps the core of my argumentation is that current Security and Identity problems cannot be solved and should not be addressed within the narrow and one-sided grounds of technology. I even think that most of these problems are caused by the unilateral view that technology is a cause, and not a consequence, of historical development. My thesis calls for a multi-ocular position, in the sense developed by the Japanese philosopher Magoroh Maruyama, where the techno-centric view is compensated and complemented by other perspectives.
I expect that a large part of the objections or misunderstandings that this text will provoke will come from my suggestion that there is a global economic and social process that is reducing the relevance of, and will finally cause the end of, the traditional IT Departments, both in the public and the private sectors. Challengers will focus on this more visible side of my assertions and perhaps ignore the basis of my work, which is a general theory and logic of organisation. Perhaps I should underscore here that, while I recognise the importance of Cloud Computing, I see it not as a technological phenomenon, but as one caused by business and social transformation. It would be wrong then to assume that I am some sort of “Cloud enthusiast” happily ignoring the practical constraints and realities of Corporate IT.
Confronted with predictions about the death of the IT department, and the scale of adoption of Cloud computing, people in the Computer Industry are sceptical. Things are not happening as the Cloud enthusiasts predict or want, they say, and the “defenders” of corporate IT may have a point indeed: the IT departments of the world are putting up a fight and are successfully delaying the next computing revolution. Nevertheless, this does not mean that traditional IT is being “successful” on the whole. Their resistance is only delaying, but not stopping, the eventual realisation that corporate and organisational IT is not an intrinsic or necessary part of business or organisational life, in any sector of activity. It became part of the common, standard organisation because of social and economic forces, and its fate is bound to the change of these circumstances.
I also would like to clarify what the next computing revolution consists of. Too often, Cloud enthusiasts (as well as their “enemies”) assume the new computing platforms are the result of “advanced” or so-called “new technologies” that are changing how IT is done. This is an error, and for that reason I do not classify myself as a naïve proponent of Cloud computing. What has changed is not the technology, but the way technology is used. The reader should keep this in mind when reading this book.
A key test to see through both blind enthusiasm and IT regression is to analyse how the subject of Security in the Cloud is covered. While the Cloud proponents will minimise the problems around Security, the IT Departments will exaggerate the issues. I explain in this book that while there are problems, specifically around managing user access, these issues are not as difficult and serious as the IT Departments would lead us to believe. Further, these Identity management issues cannot and will never be addressed with the conventional IT focus on technology. So it is a matter of seeing through these issues: those who never did Identity management well are speaking about an area which is foreign to their fundamental perspective!
By using fear and confusion, the IT vendors are not helping to clarify the situation and in fact actively support the delay in transformation. They provide new versions of old technologies which serve to conform to the traditional organisational boundaries and to keep the conventional models of the IT departments. The public and private business and organisational leaders need to be careful when buying technology so as to avoid a path that will delay their business progress for years.
So yes, change will occur, perhaps not in this decade, not as fast as predicted, but change will come nevertheless. An index of this change is that expert consultancy firms (some of which I have worked for or with in the past decades) are already adapting mentally to this change. As befits our work, they describe the “options” and “modalities” of technology adoption. This is necessary and adequate. Our clients need to understand the options they have and should not be “sold” on some starry-eyed solution, but it is also our duty to alert our clients to the prospects. The global consultancy organisation Gartner made one such advance in 2011 when it alerted the IT sector to another shift in the Identity management space.
In the cited event, Gartner’s Research Vice President Ant Allan predicted that by 2014 “notable project failures” will cause 50 Percent of Organisations to shift Identity management efforts “to intelligence rather than administration.” We didn’t have to wait until 2014 to see this happen. I know that organisations across all economic sectors are moving away from the 10-plus-year-long trend to “manage” identities by means of automation technologies. This change was not direct, as organisations first moved away from “automated provisioning” towards “compliance solutions,” wrongly called “access governance.” These in turn were able to address only part of the Identity problem, and now the trend is moving away from them too. The next orientation, which Allan calls “intelligence,” is not well defined yet, but will focus on identity data management (identity analytics and data aggregation).
The “notable project failures” Allan refers to are not advertised in the press, but are nevertheless known to Security and Identity practitioners: global corporations either never implemented Identity management solutions as expected, or years of effort have come to nothing in this area. In this book, I analyse why this happened and suggest that the whole Identity management technology trend flatly ignored the organisational past and future roots of the problem.
While Gartner recommends that businesses focus on “monitoring, log collection, correlation, analytics and reporting,” it also predicts that by the end of 2015 “more than 50 Percent of cloud-based IAM offerings will be hybrid solutions,” i.e. a combination of on-premises and off-premises/hosted technologies and services. This is in line with what I propose in this book.
To foster change, an intellectual revolution is necessary, and it is essential to find the structure, the logic of such a revolution of the mind. What people inside and outside of the IT world need to understand is that things are changing in this industry, and are changing for good. We have the choice of becoming an obstacle or of leading the change. By change I mean that a new cycle has already started, whereby individuals determine what happens to IT technology, as technology inventors, producers and consumers.
Perhaps it can be said that the individual never left the scene, but that large organisations were mostly “in the lead” during a long period. This was the period when organisations could “push” technology on the market, and decide what was in and what was out. It should not be forgotten, though, that the Computer revolution of the second half of the last century was a revolution of the individual and for the individual.
The future looks different from the traditional IT context, where solution design and adoption depended on the producer. Now adoption depends first on the user. So Identity management services in the Cloud are inevitable, as corporations and organisations move to a situation where the “external users” are much more important than in the past.
People have been talking for years about user-centric security, but always taking the user as an enemy. In the old model it is always the “end user” who is not trusted. I am sure that this model is not sustainable even in the short run. User-centric shall mean that the individual users and their teams, groups, affiliations, etc. will manage themselves and it will be up to the “enterprise” or the “organisation” to define the levels of trust and access that it will permit. There will be many levels of access. There will be more complexity, not less. Paradoxically, the “external user” will become more essential to enterprise collaboration and more “secure” than the internal ones.
The essence of this book is that it breaks with conventional thinking about the idea of information and information exchange. At the base of my thinking there is a notion of bi-directional information exchange, and therefore a concept of Security where there is a bi-directional correlation of risk and trust: risk and trust on the side of the organisation, and risk and trust on the side of the user. My work then examines the ways in which we can abandon the ideologies prevalent in large organisations and allow the individual to assert his or her autonomy. At the professional level, I recognise there is a great levelling of all the professions and all the work activities, so that we all appear now as individuals in front of the corporations and state organisations. Persons are the margin of organisations, as Luhmann explained, and individuals are the economic and social abstractions that act within the organisation and interact with each other.
In the same way as this levelling transforms our activities, it also transforms our identities for each other and towards the organisations. It gives us less power as persons, compared with the abstract mechanisms of the private or public corporation, but it also gives us more power as individuals, as abstract entities. So I welcome this change, instead of seeing it as some lamentable “proletarianisation” of the professionals and workers, but the condition is that we recognise this process for what it is, instead of remaining immersed in the ideologies and false views that it creates.
If professionals, in particular Security professionals, lose autonomy as “advisers” or consultants, as proud independent actors in the industry, and if our services become subservient in the present-day workplaces, we can on the other hand begin to understand that passive adaptation to this generic managerialism is not the only way forward. In fact, we have been there already, practising Security as one more managerial speciality, seeking standardisation and “rationalisation” as our only goals. We have also promoted “efficiency,” “normalisation,” and “universalisation,” while suppressing conflict and dissident opinion. Aside from purging our professional lives of any sort of meaning, and beyond fostering a narrow technical rationality, where did all of this lead us?
I think of this book also as a sort of call to Security and Identity professionals to deeply revise ideas and abandon prejudices. As modern capitalism develops (in the only way it can) towards greater and greater abstraction of the individual, as it leaves behind the person with all its diversity and peculiarity, we should see this also as a moment where we re-assert ideals of completion and purpose beyond and outside “business as usual.” Yes, we have survived the transition from the personal engagement of the professional, the “trusted adviser,” to a context where the rule is that “nothing is personal.” What remains of the person then? How do we express the ideas of person, individual, belief, intention, identity, responsibility in the current context? What is the purpose of organisational know-how and professional choices?
Computer Security, as I show in this book, is now universal but is also “hollow.” It is “valid” but also empty of particularity. This happens because Security is a dependent activity inside a much wider set of determinations. So, I address Security and Identity in a search for completeness that takes me outside of the conventional boundaries and technological thinking. I hope the reader also sees that it would be fruitless to discuss Identity and the related subjects in isolation. Because Identity management sits “at the bottom” of the symbolic chain that starts with history, sociology, economics, business, management, IT and Security, any valid assertion about these more general spaces will also be valid for Identity management. Contrariwise, a valid assertion for Identity management is not necessarily valid for the upper, more encompassing realms that surround it.
Therefore, it is not possible to address the issues of Identity and its management without transforming our thinking in all the other areas of organisational and business activity. This explains the large variety of subjects that I discuss in this book. Throughout the text, the reader will see there is a strong emphasis on systems theory, and the idea of organisations as “articulation of differences.” Equally strong is the notion that the fundamental logic of the organisation is a distinction between members and non-members of the same and that “communications” are driven by distinctions. Also, the evolution of such distinctions is the key mechanism of change in organisations of all classes. Following Luhmann, I think that an organisation does not exist as a metasystem of the individuals it encompasses, but as a system in its own right, a self-differentiating network of communication.
In this sense the maturity of an organisation is reflected in its internal division of work and strands of specialisation. This increase in differentiation does not need or imply a greater or better degree of inclusion of the person, or a more complete or “ethical” mode of action. In fact, the organisation becomes less humanistic but simultaneously more universalistic the more it develops and differentiates internally. This in turn means that the decision processes are less complete in the sense that these become more “managerial,” more one-sided and short-term orientated. This happens in paradoxical fashion against a backdrop of increasingly detailed and specified rules, policies and procedures, industrial standards and regulatory frameworks.
The key insight of Luhmannian sociology is that the organisation is not a thing, a continuous entity, an addressable unit of nature which owns its information processes and hence may decide how to use or manage these resources. The question is whether a communication exists that will result in a differentiation of practice (a “new” practice). Even with a conscious decision towards new standards or solutions, we need to remain aware that there is neither a guarantee nor a causal relation that decisions are either rational or sustainable. Decisions, as taught by Luhmann, are communicative acts within a network of informational exchanges; therefore, decisions are always contingent.
This theory allows us to see Security as a communicative act whereby assertions of risk and trust are made because these become operationally necessary in organisational life. An additional slant is that risk is contrasted to trust, as if it were a separate idea, only because of ideological constraints. The Security professions “differentiate” themselves in the network by stressing the discourse of risk and this is what explains the predominance of this thinking, not the other way around.
Against this trend, I show how the discourses of Risk and Trust are co-dependent and correlated, and how the conscious professional can step back from the easy “differentiations” that lead our professions down the barren path of Risk Assessments. In the context of organisational discourses, because the organisation excludes the person, we cannot speak of a “bounded rationality” or certain “limits” of human thinking. This would assume that a full or complete rationality is possible for the capitalist organisation or the modern corporation. In reality, without the Person, in a network of abstract individuals we can only have partial discourses based on the fragmentation of activities, the “specialisations” and the constraints imposed on the individuals. “Error theories” arise from these sub-rational (not “irrational”!) discourses, not from the choice process or the psychology of the people involved, but from the inevitable constraints of individuals acting in an organisation.
In chapter one, “Security as a Problem,” I show how Security is not the obscure and boring area it seems from the outside, but a practical discipline fraught with issues and challenges. While it occupies a seemingly well-established space in the IT world, it lacks a theory of its own and is dependent on decisions and ideas that come from outside of it. Security professionals have to see our area as a problem first, if there is any hope for change.
In chapter two, “Freeing Security from Risk Avoidance,” I address the dominant ideologies of Security and Risk Management, explaining how these form a one-sided view of reality. I also show there is a fundamental flaw in this approach, by which the Security practitioners have confused objective with subjective risk and misinterpret standard probability theory.
In chapter three, “Security and Information: Access Management,” I revise the basic concepts of Identity Management and Security. Elementary definitions of “access control” are developed first, in order then to understand what access control means in the context of business and public organisations. In this chapter I also redefine Information, explaining the current preference to see Security as an object.
In chapter four, “Identity becomes Data,” I show how social and economic transformations are homogenising identity exchanges. This in turn moves the task of controlling identity and access to a form of data integration and management. This global transformation is the ground on which we have to rethink all the areas of Information Security.
In chapter five, “Identity Services and Programme Delivery,” I detail the current problems faced by IT and Security projects and how these reveal one-sided definitions and wrong expectations. Identity management is part of a general trend marked by failure and frustration in IT management.
In chapter six, “The Cloud Transforms the Network,” I offer a wider perspective of the more recent changes in Corporate IT and the next Computing revolution. I show how “old” and well-known technologies are used in a new way by a rapidly growing user population and new models of organisation. Social and economic transformation changes the space where Security professionals have to define their purpose.
In chapter seven, “Quantitative Identity Management,” I introduce new criteria to understand information as data exchanges within the organisation. The crucial concept of interaction of identity and business data is explained, to show how we can begin to develop a Quantitative approach for Identity management, moving away from the previous focus on Risk.
In chapter eight, “When is a System Secure?,” I review the current status of data protection and the failures of Security management. I demonstrate that a change of direction is necessary to centre Security strategies on the exchanges, the processes of communication where value is created.
In chapter nine, “Persistence of Techno-centrism,” I explain that the views focused on Risk, Protection and Technology are not transient and will always be part of the organisational discourse. While this remains true, I call on Security professionals to adopt a wider, complete view of the organisation and to recognise the various logical perspectives that are at play.
In chapter ten, “The Cloud Transition,” I return to the analysis of the current period of history, and describe the potentials and pitfalls of the adoption of Cloud solutions. In particular for Identity management, the Cloud Transition offers the possibility of finally setting up this speciality in its own rightful place.
“Gartner Predicts By 2014, Notable Project Failures Will Cause 50 Percent of Organizations to Shift their IAM Efforts to Intelligence, Rather than Administration”, Gartner Identity & Access Management Summit, London, March 2011, http://www.gartner.com/it/page.jsp?id=1540014
See also my 2006 article where I propose an integrated Security Information model: Carlos Trigoso, “The Path to Assured Solutions”, http://carlos-trigoso.com/public/the-path-to-assured-solutions-original/