
January 1, 2012

The Four Horsemen of Cloud Brokering


The concept of cloud brokering has been drawing more attention lately. In particular, Gartner has developed quite a bit of market analysis on the topic. Most of these analyses tend to focus on the business of cloud brokering. However, I find it insightful to consider the potential technology platforms associated with cloud brokering. Very often, the largest and most durable technology businesses are strongly intertwined with differentiated, scalable, hard-to-replicate technology platforms (i.e. databases, operating systems, search engines). By nature, these platforms provide a long-term, sustainable competitive advantage. Furthermore, when it comes to corporate strategic investment or VC funding, the ability to articulate breakout platform opportunities can prove invaluable. Platform envy can significantly increase investors' belief in a new and unproven business model such as the one we will be discussing here.


So, let us try to identify the four most compelling cloud brokering platforms, capable of fueling and sustaining large revenues within the emerging market of enterprise cloud services.


Security Brokers - The Cloud Firewall

The first platform candidate is the security broker. Security is certainly a key concern of enterprises contemplating the adoption of cloud services and infrastructures. CIOs and CSOs need a coherent security strategy to manage risk and compliance across cloud providers and architectures (private, public, semi-private clouds). Because of the heterogeneous nature of clouds, the proposed solution is to unify external security under a single security control point, the cloud security broker. Security cloud brokers become the security hub across multiple enterprises (tenants) and cloud services, allowing enterprises to harmonize security despite differences in cloud providers' security frameworks, capabilities and APIs. The strategic technology underpinning the platform is the cloud security gateway [link to previous blog]. This cloud firewall becomes the security control point for the cloud. Security brokers operate or manage them. Initially, security brokers may get pinned down as identity and access brokers, but as SSO and access management quickly commoditize, information security and information management become the predominant value of cloud security brokering (e.g. encryption, data loss protection, rights management, backup, archiving, eDiscovery). For cloud security brokering, large security companies such as Symantec [Link to O3] should play an important role, since the platform becomes an essential delivery mechanism for security across mobile devices and cloud services. In addition to the emergence of cloud security brokers implemented as web security gateways, one should anticipate security to be increasingly delivered at the edge of the network by specialized cloud providers, a little bit like content is increasingly delivered through CDNs. This means that large network infrastructure providers such as telcos and Internet infrastructure companies such as Akamai should also play an important role, especially in the SMB segment, which already prefers a "no software" delivery model.


User Management Brokers - The Cloud Identity Hub

The second large cloud brokering opportunity is the "identity hub". The identity hub is identity management as a service. In the long run, the identity broker replaces traditional enterprise IDM. In the short run, the cloud identity broker supplements existing IDM systems by enabling the provisioning and life-cycle management (profile management, credential reset, etc.) of users across external cloud services. In that sense, the identity hub is a virtual directory in the cloud. It brokers identity from the enterprise to external cloud providers. In today's early days of cloud, legacy user repositories such as Active Directory or LDAP stores remain the enterprise's authoritative identity stores. Over time, as the center of gravity of IT shifts from on-premise to cloud, the identity hub becomes authoritative and starts governing identities across both internal and external applications. On top of these multi-tenant cloud directories, user management self-services, workflow and governance services emerge, making the cloud identity broker the natural heir of today's identity management platforms. One should expect IDM companies to eventually dominate the space. However, many of these companies will be slow to embrace the cloud due to lack of cloud DNA or fear of cannibalizing their legacy business. Hesitations may leave the barn door wide open for large SaaS vendors that already think of themselves as platforms and already host important elements of enterprise identities. CRM, collaboration services and HR SaaS such as Salesforce, Google, Box.net, Workday or SuccessFactors (now SAP) come to mind as legitimate candidates to occupy the enviable position of identity broker within the cloud ecosystem.


Service Management Brokers - The Cloud & SaaS Marketplace

The third obvious cloud brokering platform opportunity is the cloud and SaaS marketplace. This cloud exchange is to the enterprise and cloud services what the Apple store is to consumers and their beloved device: the mission-critical broker service that integrates, manages, fulfills and bills cloud services. This cloud broker is essential to the transformation of IT into a business enablement function (i.e. IT as a Service). As IT transforms into a service organization focused on agile business enablement, some primitive capabilities become foundational: automated procurement of cloud services, on-demand provisioning of users and elastic deployment of applications. The enterprise SaaS marketplace becomes the metaphor for business functions and employees to access the new IT capabilities in self-service. IT itself becomes the ultimate broker, but it needs a specialized technology platform. The broker makes IT truly capable of enabling heterogeneous services while ensuring capacity, monitoring SLAs, and usage-based billing across the different groups and functions that comprise a large enterprise. Integration is another critical value-add of the SaaS service broker. SaaS marketplaces therefore must be more than simple SaaS stores; they must be thought of as end-to-end platforms that can support the dynamic meshing and flexible workflow composition of external cloud services across multiple providers. They need to be tightly integrated with corporate identities and corporate information as well. These are the characteristics of a true cloud platform and potentially a very large enterprise business. Cloud and SaaS marketplaces should be the promised land of the traditional middleware vendors and system integrators such as Oracle, HP, IBM, Microsoft or Dell; unless the dominant SaaS platforms manage to "force" their way into the new market to beat the incumbents.


Data Integration and Intelligence - The Cloud Datamart

The last and maybe the largest cloud brokering platform may turn out to be the cloud data mart. Son of Hadoop and Cassandra, this cloud broker rules the cloud data integration and intelligence markets. The business problem it will solve is the age-old IT challenge of business data integration and business intelligence. When corporate data actually resides across distributed cloud services and databases (HR, CRM, finance...), this old problem becomes a whole new ball game. The technology cornerstone is a cloud database: multi-tenant, distributed, yet capable of integrity. Think of it as an intelligent data warehouse infrastructure at the edge of the network, capable of logging, aggregating, and intelligently analyzing corporate information stored across multiple enterprise SaaS services. It is both a big data challenge and a cloud integration challenge. The cloud data mart needs to integrate with the CRM, HR and ERP systems of tomorrow. We already know that these systems and their data stores will no longer stand on-premise. A cloud database is a fairly thorny technical problem in itself. Cloud data integration is its business killer app. The technical and business requirements are extremely ambitious but rewarding. Can you imagine the next-generation Oracle, Splunk and Business Objects as a single cloud offering?!


Business and technology predictions are in good form at the beginning of a new year. Of course, these predictions will often be defeated by the devils of execution. Most are soon forgotten. Yet, there should be little doubt that the heterogeneous and distributed nature of the cloud creates large business opportunities for cloud brokers. The shift to the cloud screams for changes in technology platforms. With changes come land-grab opportunities. As product people and architects, it is thought-provoking to imagine the lands we should lay course to in order to find the new gold. Eldorado or fool's gold, that is the only question.

October 4, 2011

The Perimeter is Dead, Long Live the Cloud Firewall.

Today, we are announcing the Symantec O3 early access program, a new approach to securing enterprise clouds. But what is Symantec O3 really about? No doubt, cloud is an inexorable IT trend. However, CIOs and CISOs often cite security as a major concern. That is not to say that the new cloud platforms are fundamentally more insecure than the computing platforms that preceded them. Quite the opposite: cloud-oriented architectures have the potential to provide stronger security than most IT organizations can achieve today.


Nevertheless, SaaS applications and cloud infrastructures challenge, in their own way, IT's fundamental function of defining and enforcing consistent security policies across devices, users, and information. The new cloud platforms directly conflict with the need for enterprises to establish consistent risk profiles and compliance postures. The shift to the cloud is eroding our traditional controls. Network-based security is no longer as effective, since the network is no longer ours. The network and its controls now belong to Salesforce, Amazon or Google.


The shift to the cloud raises a fundamental question regarding the role of tomorrow's IT. If IT can outsource desktops, applications and infrastructure operations, can IT also outsource the governance of corporate digital policies? The answer is simple. IT should not have to embrace the cloud at the cost of renouncing its "raison d'être"! We ought to be able to embrace the clouds without relinquishing control of our own security policies.


This need to layer IT-driven security independently of cloud providers drives the emergence of a new security control point. The new control point must act as a "cloud firewall." Unlike its sibling, the cloud firewall inspects outbound traffic. It is not network-centric but web-centric, since Web protocols are the cloud's lingua franca. The security gateway leverages identity and access control to interpose itself between all user devices (fixed or mobile) and cloud infrastructures (private or public). It creates a new layer of IT security and governance. By virtue of being inline with cloud traffic, the cloud firewall is context-aware (identity, device type, location, time, etc.). It is also content-aware, providing information security through the deep inspection of HTTP streams and the application of DLP, encryption and tokenization technologies. Indeed, the cloud firewall has complete visibility. It feeds cloud access and information events into log management systems that can now correlate security information across internal and external systems and across managed and unmanaged devices.


At a time when pundits are proclaiming the deperimeterization of the network, it is time to reinvent a new form of perimeter for the cloud. Delivering on such a vision will take no less than the leading security company. The cloud firewall is the cornerstone of tomorrow's IT security. So, long live Symantec O3, the catalyst for a new form of perimeter security, a perimeter for the cloud.

April 20, 2011

Trusted Identities in Cyberspace

Last week, the White House announced its official National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC is the largest-ever effort by the federal government and private sector partners (including Symantec) to develop a secure, standards-based and interoperable online identity system. The goal: Improve the security and privacy of online interactions and more effectively fight cybercrime. Today's announcement marks the culmination of two years of effort by VeriSign (first as an independent company and later as part of Symantec) to help bring this important initiative to life.


At the heart of NSTIC is the concept of an Identity Ecosystem based on trusted identity frameworks. Trusted identity frameworks are the lynchpin to trusted interactions online, for everything from e-commerce to electronic health records to online voting. These frameworks will require all participating service providers to ensure the credentials they offer adhere to the same standards for identification, authentication, security and privacy. This wouldn't be a "national online identity" setup, but rather interoperability among many market offerings.


The initiative recognizes that public-private partnerships are essential for success. Symantec and other private sector companies have already created the technology for strengthening and sharing high-assurance identities. Government leadership will promote, facilitate and coordinate industry to further NSTIC goals. The government can also help overcome the three big impediments this kind of initiative faces:


1. Privacy concerns: The government can define and deploy standardized trust frameworks that help ensure citizens' privacy (e.g. by working through the private sector, leveraging organizations such as the Open Identity Exchange).

2. Liability concerns: Data breaches involving personally identifiable information (PII) can easily run into the tens or hundreds of millions of dollars, depending on the number and kind of records affected. Once trust frameworks are in place, Congress can pass legislation to cap liability for organizations certified under those frameworks.

3. Business concerns: The federal government can create a business incentive for trusted identity providers to join the ecosystem by becoming the initial customer. That would basically prime the pump for a trusted identity service business model.


NSTIC's goals for FY11 include:


• Convene the private sector by hosting workshops on governance, privacy and technology
• Establish a governance model, standards and models for addressing liability
• Develop criteria, assess potential programs and prepare for formal funded pilot launches in FY12


These plans are ambitious, certainly, but are necessary given the escalating data breach and cybercrime threats people face every day. NSTIC will provide the means to dramatically improve online authentication and the security, privacy and business benefits it provides.

September 6, 2010

Identity Proofing - the Next Mobile Business Opportunity?


It is clear that high-assurance identity on the Internet is going to require identity proofing. With more than 1 billion Web users, and 3 billion mobile users increasingly connected to the Internet, scalability is going to be essential. If high-assurance identities become the norm, digital identity verification services that do not require in-person proofing could therefore turn into a significant market opportunity.


Most folks in the industry would tell you that credit bureaus and financial institutions ought to be the primary beneficiaries as the new business emerges. However, the convergence of Internet, mobile and telecommunications driven by iPhone and Android could attract new market players. Mobile network operators (MNOs) have a wealth of identifiable data about us. They are also uniquely positioned to bring multi-channel solutions to market. In fact, an MNO-operated ID proofing service could easily support voice and web, for brick-and-mortar as well as online service providers.


Then comes the unfair advantage: the mobile handset. Obviously, the biggest challenge of "person not present" identity proofing lies in the processor's ability to match the person on the other side of the communication channel to the identity data. A personal mobile device provides a unique link between my digital and physical me (there is a long history that links my mobile device to my identity). For the web, it supports an out-of-band channel that considerably adds to the security of the verification process. From a privacy and control standpoint, the mobile phone enables a user-centric approach where the user can approve the transfer of her personal information (a sort of out-of-band OAuth dance). Last but not least, location (somewhere I am) may prove of strategic importance, since an embedded GPS can correlate the proofing event to a verifiable personal location (e.g. my home). Location verification for proofing could happen "just in time" or as a post-processing step. In any case, it would greatly strengthen the overall process.


There is little doubt that the combination of wireless data and handset constitutes a unique recipe for enabling high-assurance identity proofing systems. The OIX will soon get to the bottom of this theory, since it has recently announced the formation of a working group for telecom data. Early next month, OIX members will explore the development of a trust framework that would support the secure exchange of identity data between MNOs and relying parties while ensuring the privacy and trust of consumers. This could well be a significant step towards high-scale, high-assurance identity systems. So, good luck to the new working group; we will be watching closely.

June 2, 2010

Cloud Identity, Trust and the Liability Elephant.

I have been involved with a couple of similar initiatives around certification for identity and thought it would be interesting to explain the logic behind these efforts. The first initiative is led by the Open Identity Exchange and is based on the Open Identity stack. The second is more enterprise-cloud focused; it is driven by the Cloud Security Alliance (CSA). The CSA is developing a more SAML-oriented technology blueprint within OASIS. The technology protocols are different, but the risk controls are similar. Therefore, I am hopeful that both trust frameworks will converge (I will certainly try to help them converge).


But let us rehash the motivation of the industry that sponsors these efforts. A trust framework is necessary to enable policy makers across vertical markets (healthcare, enterprise SaaS, mobile payment, digital content) to set the security and privacy bar for identity providers, identity brokers and relying parties. For sure, across all vertical markets, the sharing of identity requires a baseline of best practices for security and privacy, as it facilitates customer adoption of cloud identity services by providing a foundation for trust.


However, there is another motivation to develop certification programs for identity services. The true 'raison d'être' for identity trust certification is that it will allow private consortia or legislators to govern liability in a multi-party transaction. In particular, one can shift the liability away from accredited identity providers on the basis that they have demonstrated the proper privacy and security controls through certification. In other words, trust certification can be used to kill the liability elephant that has been haunting the federated identity rooms for so many years.


By capping liability risk through certification, an identity trust framework would make it commercially easier for large consumer Internet companies, commercial banks and online payment systems to participate as identity providers in high-assurance transactions such as health care, eGov services and all new breeds of cloud services. In essence, this is not too different from the VISA model, where a consortium of financial institutions establishes the network blueprint for online payment, defines the necessary security controls and is then able to shift the liability (in this case, away from the card-issuing banks, the IDPs, to the merchants, the RPs, who are generally responsible for chargeback expenses).


Of course, certification does not happen in a vacuum. Certification is about risk management. It needs to define privacy and security controls appropriate to the transaction and information risk levels. This means that identity certification will have to discriminate among different levels of assurance (most likely, the four NIST levels of authentication) in order to adapt across multiple verticals. Howard Schmidt seems to agree with the need for identity trust frameworks and even points to a concrete market: "The president is 'concerned and very committed' to making sure that as healthcare goes electronic that 'we also have the right controls for security and privacy,'" Schmidt said at a May 11 conference on privacy and security sponsored by the Health and Human Services Department. "The plan to develop a strategy will focus on ways to improve identity management. As part of that effort, the administration will roll out a 'trust framework' incorporating authentication technologies, standards, services and policies that government, industry and consumers could adopt. The key issue is that we have to instill trust in the system. If we don't trust the system, we won't use it and if we don't use it, we lose its [potential] benefits."


For all of us in the digital identity world, it is certainly encouraging to see that the federal administration is recognizing the importance of identity management and its acute need for trust policy. It is certainly not an easy issue, but it is now getting the visibility that it deserves. There is also plenty of good will in the industry to collaborate and make a trust framework for eHealth a reality. The elephant may not have quite left the building, but at least we can now all see it, and it is a good thing.

May 10, 2010

Greek Heroes, Facebook and Trust

When Achilles was a baby, the oracle predicted that he would die in battle from an arrow. Thetis, Achilles' mother, who did not want her son to die, decided to dip Achilles' body into the water of a river that would make him immortal. Unfortunately, Thetis had held Achilles by the heel, which was not washed over by the magic water. Achilles grew up to be a great war hero, whose apparent invincibility turned him into a legend. But one day, an arrow shot at him lodged in his heel, killing him instantly.


When it comes to consumer identity, Facebook looks more and more like the Achilles of identity. Every day, it is growing more powerful and invincible. Yet, a growing stream of concerns is gradually exposing the social warrior's vulnerability on security and privacy. Nevertheless, as a website, Facebook's core usage metrics are mind-boggling:


• More than 400 million active users
• 50% of our active users log on to Facebook in any given day
• Average user has 130 friends
• People spend over 500 billion minutes per month on Facebook


However, Facebook's true ambition may well reside beyond the confines of its own Web site. If one combines Facebook Connect (authentication++), OAuth (authorization) and the Social Graph API, it is crystal clear that Facebook's strategy is to become the identity fabric for the Internet. By turning the social network into an identity infrastructure, the Facebook APIs could enable an even larger business opportunity. By extending the Facebook business over external websites, the Social Graph APIs open the door to transactional business models such as cost-per-action advertising, eCommerce and payment. There again, when it comes to numbers, the social network hero is showing Homeric promise:


• More than 80,000 websites and devices (including iPhone and Xbox) have implemented Facebook Connect since it launched in December 2008
• More than 60 million Facebook users use Facebook Connect each month.
• Two-thirds of ComScore's US Top 100 websites and half of ComScore's Global Top 100 websites have implemented Facebook Connect.
• Sites like the Huffington Post have seen a 500% increase in Facebook referrals after implementing Facebook Connect.
• 500,000 applications have been built on Facebook and the growth of social gaming (Playdom, Zynga, Playfish, etc.) is still in its infancy.


So, what could go wrong? Where could the enemy arrow strike its fatal blow to our hero? Could it be over this security glitch that exposes our chat messages to friends? Perhaps these controversial default privacy settings that leave our identity increasingly public? Will the threat arise from a growing reputation as a corporation trying to take advantage of our personal data to 'help itself -- and its advertising and business partners'? If there is something that could stand in the way of Facebook, it is probably Facebook itself. Indeed, the growing controversy and erosion of consumer trust surrounding Facebook's privacy and security nonchalance may eventually become the Achilles' heel of the young identity giant.


Facebook is clearly an extremely innovative company and a successful platform. Of course, it must keep on running fast against the agile Twitters and the powerful Googles of the world, who are certainly eyeing with envy its privileged position as the leading Internet social platform. No doubt the investors are placing tremendous pressure on management to drive revenue growth. Nevertheless, Facebook needs to slow down and consider the long-term implications of being the de facto custodian of our digital lives. It must start fulfilling the responsibility that comes with millions of digital identities under management. If it is true that today's Internet generation may have fewer privacy concerns than their elders, in the long run, consumers will not allow Facebook to manage and control their identities unless they can trust the platform.


Eventually, Facebook will have to "do the right thing" for consumers, sometimes in spite of their ignorance of digital risks, and surely despite a business model that encourages Facebook to look the other way when it comes to privacy and security. Yes, the Achilles' heel is very real, it is being exposed every week in the press, and the temptation is growing for privacy zealots and regulators who are assiduously watching the missteps. Good common business sense aside, it is time for Facebook to take responsibility and leadership for the immense security, privacy and trust challenges that our digital identities require. Maybe it is even time for the social network to start promoting elements of security, privacy and trust within its core platform.

March 3, 2010

Open Identity Exchange: enabling all the VISAs of identity

The Open Identity Exchange was launched this morning at the RSA conference in San Francisco. It is a significant step for federated identity, as it will enable US government web sites such as the NIH to embrace open identity standards and roll out open identity services to US citizens. For example, the National Institutes of Health can now move out of the pilot phase and support accredited OpenID providers.


So, what is the Open Identity Exchange (OIX)? The OIX aims at enabling specialized trust frameworks or certification programs within a vertical community (e.g. US government, health care, financial services). Certification requirements for shared identity can be diverse and complex depending on the level of assurance required. Simply said, when it comes to trust, one size does not fit all.


You can think of a trust framework as the policy sibling of technical standards for identity. Identity policies must be set to deal with privacy, security, and liability. Once policies have been defined, certification can emerge as the foundation for trust between all parties exchanging information. However, the type of policy needed greatly depends on the sensitivity of this information, the security risks, and many other factors, including geo-political sensitivities. Indeed, the level of trust assurance required to protect access to the energy grid, electronic health care records or social web pages is clearly not the same.


The open approach that the OIX takes is attractive. The OIX does not try to set the policy rules. Instead, it creates a common framework, a shared approach that will enable different communities to create their own certification rules. It is not an easy problem. But because cyber security and key governmental initiatives depend on high-assurance identity management, OIX is an important first step to get there.

November 3, 2009

Trust assurance in open identity networks


One of the key challenges in federated authentication networks is the establishment of trust between an identity provider (IDP or OP) and relying party websites (RP). In the real world, contractual agreements provide a simple out-of-band mechanism to effectively bind two parties into a trust relationship. When it comes to federated identity networks, peer-to-peer contracts between many identity providers and a myriad of relying party websites do not provide a scalable process. Therefore, open federated networks need a trust assurance framework to bootstrap trust between the three parties (the user, the OP and the RP).


The basic idea is that if an OP can be certified to comply with a set of industry best practices, the RP should be able to enter into an open identity exchange where both the websites and the consumers are reasonably protected. Of course, a pragmatic trust assurance framework should be flexible enough to support different levels of assurance based on the transaction risk and value. For low-assurance Web federation, where large brands such as email providers and major social networks dominate as OPs, certification may seem overkill, unless of course the federation is built on open principles stating that any OP meeting the standard should be able to participate. For high-assurance identity, such as payment networks, financial networks or eHealth record exchanges, certification is essential. In fact, in such environments, both the OP(s) and the RPs need to be certified.


The NIST guideline for electronic authentication is often referenced in the community as a good model for any identity trust framework. The NIST guideline defines four levels of assurance for e-authentication. Each level is deemed appropriate depending on transactional risks. Tiered levels of identity assurance are essential to any pragmatic trust framework. Set the bar too high and deployment becomes impractical. Set the bar too low, and the bad guys will have a ball. Justifiably, the NIST guideline provides a solid starting point. Nevertheless, one needs to observe that the framework may be too narrowly focused on user credentialing and credential strength to provide a complete answer. Open identity systems cannot ignore the reality of today's Web vulnerabilities, threats and exploits that feed identity theft around the globe, such as man-in-the-browser exploits, session hijacking or Web-vulnerability-driven exploits like mass SQL injection. A trust standard also needs to go beyond security and address the major consumer concerns and political challenges of privacy. When it comes to trusting identities, security, privacy and anonymity are intricately intertwined. Trust in a federated identity Web mandates a holistic approach that looks not only at user authentication but also takes into account the current state of desktop exploits and Web site compromises and, most importantly, establishes clear and enforceable privacy protection guidelines.


Trusting the OP/RP Websites: web security & business authentication


For low- and medium-assurance identity transactions, it seems that both the OP and RP website security would need to be asserted. There, I think, one can learn from Internet security standards such as PCI. Even though the standard is far from being perfect (a euphemism, perhaps), it provides a shared base of security requirements for all websites that engage in ecommerce and securely handle credit card information. If one believes that consumers will require for their personal identity the same level of security as for their credit card, the parallel can be useful. The OP website should then be scanned for network security vulnerabilities; unused ports should be closed. Network services should not run outdated or unpatched software; the OP should not be vulnerable to common Web exploits such as SQL injection, cross-site scripting (XSS), or cross-site request forgery (CSRF). For web application vulnerabilities, the OWASP standard that identifies the top 10 Web vulnerabilities provides a useful reference. In addition to security assessment, a set of security best practices should be required. For example, the OpenID profile retained by the federal pilot already specifies that SSL should be part of the deployment profile. Verifying the authenticity and legitimacy of the organization behind the OP is as important as verifying the security of its website. There, a proven model that the industry could reuse is the EV business authentication standard. EV certification already defines a strong process for vetting organizations and it is already widely used across the industry.


Trusting the user: beyond identity verification and credentials


As mentioned, NIST will provide the foundation for user trust assurance (both for runtime and initial authentication of end users). Equally important, however, is to consider that Internet threats have significantly evolved since the NIST framework was initially published. In particular, we need to recognize that one of the main threat vectors for identity theft is now malware. An identity trust framework can no longer ignore the potential of man-in-the-browser attacks (Trojans, keyloggers, worms, etc.). Knowing whether the end user has any end-point protection (and perhaps encouraging websites to introduce out-of-band messages into high assurance identity transactions when such protection is lacking) is worth considering.


Trusting the transaction: from activity to security streams


Believing that the OP can provide strong identity assurance by simply checking credentials and abandoning the user at the RP front door is a dangerous over-simplification. Because modern exploits often let the legitimate user authenticate and then commit fraud further down the session, it is important to enable OPs to leverage their knowledge of the end user and her transaction patterns to identify high-risk conditions. Since we cannot assume the existence of adequate desktop protection (Internet security that exclusively relies on the presence of a client on the user desktop is no more than an academic exercise), high assurance federation models need to enable the use of fraud-engine techniques across RPs (most logically run at the OP, although it could be a separate service). The ability to create an effective user risk profile across transactions is what has made the credit card networks work. High assurance identity networks are going to need an equivalent (think of a Visa for identity). An interesting idea could be to leverage the concept of the activity stream as a real-time fraud detection primitive. A security stream back to the OP (under complete user consent and strict privacy protection) would allow RPs to feed transactional information back to the OP, allowing it to build a complete risk profile of the user across her Internet activities (fraud detection is often based on clustering techniques that measure abnormal deviation from normal behavior). Even without a risk engine running at the OP, a security activity stream could have tremendous security value if used as a simple identity alert system to notify the user of all ongoing transactions.
In high risk cases, the activity stream could trigger an out-of-band consent for the transaction (think of Visa calling you to confirm and authorize a suspicious transaction); it is interesting to think that the social concept of the activity stream that is today missing from OpenID (but not from Facebook Connect) could actually be used to drive better identity theft protection. With such a transactional feedback loop, a security-minded OP would be able to return a transaction score and possibly a liability guarantee based on the user risk and behavioral profile built over time. Incidentally, interesting new OP business models could emerge (Visa-like: "I will take a cut of the transaction", credit-bureau-like: "I will charge you for the score", insurance-like: "I will take the liability risk").
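The security activity stream sketched above, as an added illustration that is not code from the original post: RPs report consented transaction events to the OP, which scores each new event by its deviation from the user's own baseline and maps the score to "allow", "notify the user" or "require out-of-band consent". All event data, weights and thresholds are constructed for the example.

```python
"""Added example (not from the original post): a security activity stream at the
OP. Relying parties feed consented transaction events back to the OP, which
scores each new event against the user's own baseline and decides whether to
allow it, push an identity alert, or require out-of-band consent."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev

# Actions for which even a small deviation warrants attention (constructed list).
SENSITIVE_ACTIONS = {"change_address", "change_password", "add_payee"}


@dataclass(frozen=True)
class Event:
    """One transaction reported by an RP into the user's security stream."""
    user: str
    rp: str        # relying party reporting the event
    action: str    # e.g. "login", "purchase", "add_payee"
    country: str   # client geolocation as seen by the RP
    hour: int      # local hour of day, 0-23
    device: str    # device identifier supplied by the RP (hypothetical field)
    amount: float = 0.0


class UserProfile:
    """Baseline derived from the user's past stream; deviation from it is the risk signal."""

    def __init__(self, history):
        self.n = len(history)
        self.rps = Counter(e.rp for e in history)
        self.countries = Counter(e.country for e in history)
        self.devices = Counter(e.device for e in history)
        self.hours = Counter(e.hour for e in history)
        amounts = [e.amount for e in history if e.amount > 0]
        self.mean_amount = mean(amounts) if amounts else 0.0
        self.std_amount = pstdev(amounts) if len(amounts) > 1 else 0.0

    def score(self, e):
        """Return (risk score, reasons); each rule adds weight when the event departs from the baseline."""
        score, reasons = 0.0, []
        if e.country not in self.countries:
            score += 3.0; reasons.append("new country")
        if e.device not in self.devices:
            score += 2.0; reasons.append("new device")
        if e.rp not in self.rps:
            score += 1.0; reasons.append("new relying party")
        # Hour-of-day check: share of history within one hour of this event.
        seen = sum(self.hours[(e.hour + d) % 24] for d in (-1, 0, 1))
        if self.n and seen / self.n < 0.05:
            score += 1.0; reasons.append("unusual hour")
        if e.amount > 0 and self.std_amount > 0:
            z = (e.amount - self.mean_amount) / self.std_amount
            if z > 3.0:
                score += 2.0; reasons.append("amount outlier")
        if e.action in SENSITIVE_ACTIONS:
            score += 1.0; reasons.append("sensitive action")
        return score, reasons


def decide(profile, event):
    """Map the score to the three outcomes described in the post."""
    score, reasons = profile.score(event)
    if score >= 5.0:
        return "out_of_band_consent", score, reasons   # e.g. phone call or push confirmation
    if score >= 2.0:
        return "notify_user", score, reasons           # identity alert in the user's stream
    return "allow", score, reasons


def constructed_history(user="alice"):
    """Constructed sample stream: 20 daytime US events on one device across two RPs."""
    events = []
    for i in range(20):
        purchase = i % 2 == 1
        events.append(Event(user, "shop-rp" if purchase else "bank-rp",
                            "purchase" if purchase else "login",
                            "US", 8 + (i % 12), "dev-1",
                            40.0 + (i % 5) * 5.0 if purchase else 0.0))
    return events


def demo():
    profile = UserProfile(constructed_history())
    samples = [
        Event("alice", "shop-rp", "purchase", "US", 12, "dev-1", 55.0),   # routine
        Event("alice", "shop-rp", "purchase", "US", 12, "dev-2", 60.0),   # new device only
        Event("alice", "bank-rp", "add_payee", "UA", 3, "dev-9"),         # several deviations at once
    ]
    return [decide(profile, e) for e in samples]


if __name__ == "__main__":
    for outcome, score, reasons in demo():
        print(f"{outcome:20s} score={score:.1f} reasons={reasons}")
```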


Ensuring trust across these three dimensions (the organization, the website and the user) is non-trivial. Yet, it is critical to enable consumers worldwide to engage in shared identity interactions with peace of mind across the Internet. Very much like PCI vendors emerged from the existence of a commercial PCI standard, one would hope that identity trust assurance services could emerge as well, since security companies need economic drivers to build great services. One of the key challenges of the standard will be to strike a balance on where to set the security bar so as to permit a high level of automation for accreditation. Such a balance is always hard to strike, but it is also what makes the challenge worthwhile.

September 22, 2009

OpenID goes to the White House

Two weeks ago, I had the privilege to join the OpenID Foundation and Information Card Foundation boards for a meeting with CIO Vivek Kundra and his staff at the White House. The goal was to discuss the forthcoming OpenID pilot and better understand the government's commitment to enabling distributed identity on the Web. Undeniably, this was a very interesting and spirited discussion.


A key take home for me was the recognition of identity as the lynchpin to new citizen-centric services, governmental IT cost reduction, and stronger cyber security. For key Obama initiatives such as citizen participation or electronic health records, identity management was described as foundational. Equally impressive was the sense of a holistic and consensual approach towards the broad deployment of trusted digital services across federal, state and local Web sites.


In particular, there is a clear view that the deployment of low-assurance-level identities is only a critical first step, not an end in itself. With the initial OpenID pilot, the administration is seeking to teach Internet users how to conveniently and confidently re-use their identities across multiple sites. Federation is a new behavior and as such, it requires training. Federal and state web sites will provide an important training ground of relying parties. The government endorsement of OpenID is likely to prove significant. After all, if OpenID is good and secure enough for the government, it should be good and secure enough for most Web sites. Besides, once consumers are comfortable using distributed identities, it becomes possible to alter the login experience by introducing stronger security and identity assurance. This is the ultimate end game, since high assurance identity services are preconditions to new strategic initiatives.


Consider health care reform, for example. To counterbalance the $900B expense that the new Obama plan calls for, electronic health records must become reality. However, eHealth requires access control across a large and complex ecosystem. Users must be able to register, log in and access private data across physician, hospital, pharmacy, lab, insurance, and employer Web sites. Privacy and security concerns are high on the list. Without high assurance, clear liability models and robust shared identity services, eHealth is a non-starter.


The crawl, walk, run approach to identity services that our federal government is taking may prove insightful. By restricting initial interaction to pseudonymous and low assurance level identities, federal web sites instantly provide the industry with a simple test bed to iron out the trust and privacy frameworks necessary for the deployment of large federated identity networks. The user experience, privacy policy and security approach that can work for millions of consumers will have to be standardized. The liability elephant that has been haunting the identity discussion rooms will have to be tamed. No doubt the OpenID Foundation, the Information Card Foundation and many others have their work cut out for the next few months.


So, keep an eye on the pilot. If all the planets keep aligning, and federated identity can prove to significantly increase user registration, an important chapter in the book of distributed identity systems may be just about to open in front of us.

September 8, 2009

Open identities for open civic action? Yes, we can!

Today, Federal CIO Vivek Kundra is announcing the first pilot for the Open Identity initiative. The pilot will support both OpenID and Information Card technologies. Initially, it will be conducted by the Center for Information Technology (CIT), National Institutes of Health (NIH), U.S. Department of Health and Human Services (HHS) and other agencies. Over time, over 500 governmental web sites may become OpenID relying parties, potentially creating one of the largest federated identity networks.


Of course, VeriSign and the PIP will participate in the pilot as OpenID authentication services. This means that your VeriSign PIP ID will be accepted across participating federal Web sites. Saying that we are proud of being a part of this important announcement would be an understatement. The open identity initiative is a crucial step in President Obama's mandate for open citizen participation on key society issues such as health care, ecology and energy.


The goal is as bold as it is audacious. By embracing open and distributed identity systems, the US government is taking a resolute step towards turning the Web into an organizing engine for participative civic action. Identity is foundational. Making it easy for users to register and participate in government Web sites is smart. Removing obstacles to participation by allowing citizens to manage their digital identity through independent service providers of their choice is inspired. Yes, the tone is definitely right. Civic participation should be based on principles as open as the Internet that enables it.


User centric identities for a citizen centric Internet? It certainly feels very right to me.

Read our Press Release.

February 22, 2009

OpenID and the User-Centric Time Machine

There have been a few very insightful discussions from Chris Messina and others regarding the PIP as a secure file vault, so I thought I would share some of our longer-term product goals.


Today, the PIP file vault is a personal digital locker for our users to manually upload their most personal files. That by itself is not an innovation. In fact, the Web is full of personal storage services like Gmail. Online storage provides immediate and useful value, yet its usefulness is limited by the amount of work an end-user is willing to commit (uploading takes work!).


Now it is interesting to consider how this simple Web 1.0 model of personal digital storage evolves when combined with an OpenID provider. Together, can these technologies allow us to transfer and store in one single place under our control the personal files, private data and rich media content that is today spread throughout the Internet? In short, can a simple file vault become the in-cloud "time machine" of our distributed digital lifestyle?


A SAAS and device-centric view of cloud storage:

A lot has happened with network storage in the last few years. One of the most notable disruptions is Amazon S3. I would characterize Amazon S3 as a SAAS-centric view of storage. Web applications can outsource the storage function to a highly cost-effective network that has already reached economy of scale. Obviously, it fits the Amazon economic model perfectly. Closer to the end user, we find Microsoft and Apple storage services. Their approach is similar in concept. To them, cloud storage is merely a device enhancement and synchronization is their lingua franca (iSync for Apple, Live Mesh for Microsoft). The concept certainly has merit for users with data spread across multiple devices. However, this is a very device-centric view of the world. It fails to realize that increasingly, our critical data resides across many Internet Web sites with no ability to sync.


A user-centric viewpoint: centralized storage for distributed private data

So, what happens now when one looks at storage with a Web 2.0 user-centric view instead of the cloud-centric view of Amazon and the device-centric view of Microsoft and Apple? One sees independent, distributed and sometimes competing Web services. Through these services, users store personal information, create new data, and acquire digital content. Some of that content is low value and can be left behind. Some of this data is social in nature and is probably best shared with our Facebook friends. However, some of this data is also highly confidential and personal in nature. In that case, we, the end users, should be able to request its safe transfer and backup to a digital locker that we fully control (the OP).


Towards a "Locker Connect" mechanism

Using the OpenID and OAuth models, such a private data transfer can be authenticated and authorized by the end user (although the data flows from the RP to the OP). The locker network endpoint address can be discovered as any identity attribute would be. Finally, a user interface à la Facebook Connect can provide a friendly user experience while ensuring a user-centric control point (the user controls what, where, when and if the data is being sent).


The "wow" effect

The use cases certainly sound unlimited. Think digital health care and the $20B stimulus package: whether I am accessing my doctor, hospital, lab or pharmacy Web sites, I can now authenticate across all health service providers and authorize the audited transfer of personal health records back to my locker. Think rich media content: I can now purchase digital music, movies, or books across multiple e-tailers and have the bits (or maybe just the digital rights) sent back to my locker. Think payment and billing: please, send all my purchase and online statements back to my digital locker.


Yes, we can! With data portability and OpenID, a simple file vault can grow into a much more compelling personal identity service. And who knows. With security and private storage, we may even have a real business model!

February 17, 2009

PIP Update: a free secure digital lock box

The PIP team just released a new feature on Friday: a secure digital vault to store your most personal documents online. Think of it as a digital lock box in the cloud to store copies of your most important documents online (deed of trust, will, passport, property pictures for insurance, etc).


Since these documents are your secrets, all files are encrypted using key management best practices. To increase security, access to the vault requires two-factor authentication. If you already have a VIP token, simply link it to your PIP account. For our most cost-conscious PIP users, we offer a free mobile version of the VIP OTP token. It can be downloaded to your phone here (I use the iPhone beta version that will be available soon). Once strongly authenticated, the vault opens (Flash is your friend) and you can begin to upload files.


The activation process is really straightforward, and our usability team has done a lot of work on the user interface. Moreover, it is free to all PIP users. So, try the new features and tell us what you think. By combining OpenID, strong authentication, password vault and secure storage, the PIP is getting one step closer to realizing VeriSign's long term vision of a user-centric identity service that will enable and protect our digital self.


February 12, 2009

Facebook Joins OpenID: Goodbye OpenID, Bonjour Open Connect?

Great news for OpenID aficionados: the largest identity social network is embracing OpenID. With 221M users, one could easily conclude that OpenID has just received the stimulus package that it needed to finally achieve critical mass. But what does it really mean for OpenID? While we are all looking forward to the day Facebook becomes both an OpenID provider and relying party, the initial impact is more likely to be a significant change in the OpenID user interface. As shown here and there, it is clear that from a UI standpoint, Google and Facebook are converging in terms of how to achieve login and exchange of personal data across relying parties and social networks.


While Facebook will likely integrate OpenID as the "alternate" login method for Facebook Connect, Google and its followers will do the same with OpenSocial and Google Friend Connect (in the case of Google, you may also get the friendly Yahoo!, MySpace and AOL followers). By becoming the alternate login method (but a more obscure one), the risk for OpenID is to be relegated to the level of OAuth and SAML: authentication protocols without any consumer brand recognition. Alternatively, OpenID may rise above the "open stack" plumbing to become the network mark that ensures interoperability across the Facebook and Google networks. That, my friend, is of course politics, but with Facebook on board, it would appear that this week, this old chimera of federated Internet identity may have made a significant leap forward.

January 11, 2009

New PIP Feature: Add any Site to your 1-Click Sign-in List

This week, the PIP team is releasing an improved version of the 1-click sign-in. The great news is that PIP users are no longer restricted to our small initial list of supported sites. Indeed, you can now add any of your favorite sites to your 1-click list (with a few caveats, such as pure Flash sites). Over time, we will monitor the most popular sites being added and include them in the default 1-click list.


This is great news for PIP users, especially for the non-US community, which is no longer limited to our choice of sites (I must confess that our initial list was very US-centric). By the way, kudos to the PIP engineering team: doing all this in JavaScript without any browser plug-in is a real engineering "tour de force". The team also improved the UI and performance of the bookmarklet window. Note that you will be prompted to re-install the 1-click bookmarklet.


The Internet is getting easier. Happy 1-click navigation!



January 3, 2009

My OpenID New Year's Wish List

2009 promises to be a pivotal year for OpenID. So far, industry adoption has been strong, with consumer powerhouses such as Google, Yahoo!, Microsoft and MySpace backing the technology. At the same time, consumer adoption remains limited to early adopters. Meanwhile, Facebook, the identity provider of choice for 160M consumers, is promoting its own alternative in the form of Friend Connect, creating the risk of balkanization. With a new year beginning, a recently augmented leadership, and high competitive stakes, the moment felt opportune to put together my 2009 wish list for OpenID.


Execution: The Separation of Concerns

My first wish is organizational. The OpenID Foundation board hosts really bright and passionate people. Folks are committed to the success of OpenID. Across the board, there is also a strong willingness to do what is right. Nevertheless, execution on key priorities appears to remain sluggish at times. Perhaps the foundation needs a more effective way to drive execution. There, it could borrow a page from what larger corporations do extremely well: they separate governance from execution. The OpenID board is governance. It needs to articulate priorities, but create focused committees around these priorities. Then, it needs to empower the best elements in the board and the community to drive the outcome. Sounds obvious, but by enforcing that separation of concerns and empowering people to work in parallel, I think the OpenID Foundation could gain tremendous effectiveness in 2009.


Identifier: Email Address as OpenID, at Last!

In the last two years, I have regularly been in a position to explain and pitch OpenID to financial institutions, mobile network operators and MSOs. From experience, I have learned that OpenID detractors and alternate technology providers will always bring two detrimental arguments against OpenID: user experience and security. The usability argument can be summarized as follows: "How many marketing dollars do you plan on spending to teach consumers to type a URL instead of a user name?" The answer is simple and usually reminiscent of Homer Simpson's catch phrase. So, in 2009, let us do ourselves a favor. Let us remove the leading argument against OpenID. Let us make email addresses first-class OpenID identifiers. It is not about abandoning URLs as identifiers, it is about enabling email addresses alongside URLs, because millions of consumers already regard email as their primary online identity and an email address is already their user name across so many sites.


Security: OpenID Security Analysis and Best Practices

The second argument that OpenID detractors will always bring up is security. In fact, there is a lot of confusion around the security of OpenID as a protocol and its propensity to phishing as a user experience. There again, detractors and naysayers are having a ball. What we need there is a neutral third-party study that explains why OpenID is a sound protocol and describes the best security practices to deploy the technology. None of the companies involved in the foundation should be responsible for such a study. Instead, the board should sponsor an independent and reputable third-party security lab to lead the security review. Once it is complete, the foundation should publish the results of the security analysis, alongside the recommended deployment best practices.


Branding: Establishing the "OpenID Network Mark"

Everyone agrees that OpenID needs to emerge as a brand that consumers can recognize. Similar to Visa for payment, Dolby for music and Gore-Tex for rainwear, OpenID ought to become the "ingredient brand" for identity. The reason the OpenID brand needs to emerge is that we need a "network mark" that transcends all the identity silos. Very much like consumers know that their bank card will work when they see the Cirrus network logo on an ATM, consumers need to know that their identity will work on a Web site that carries the OpenID network logo. A network mark has a simple yet powerful meaning. It does not matter whether the card is from Bank of America, Wells Fargo or WAMU, it just works with this ATM. It does not matter whether the identity is from Google, Yahoo! or MySpace, it just works with this Web site.


In the OpenID brand lies the one big problem. Although a strong OpenID brand will prove to be good for everyone in the long run (by creating ubiquitous interoperability, Visa helped card-issuing banks make more money than they would have made on their own), at this time, none of the large consumer companies involved in the OpenID Foundation have any incentive to promote a brand other than their own. Therefore, the foundation needs to create a forcing function. My recommendation would be to leverage its ownership of the OpenID intellectual property to enforce the network mark. Let us keep OpenID free to all, but let us require everyone who uses the technology and benefits from the free IP to display the OpenID logo.


Avoiding the balkanization of identity to achieve the broadest possible user-centric federation network is what is at stake in 2009. Undeniably, this is the year when OpenID can go from good to great. The OpenID network will rise, or OpenID will become another commodity protocol encapsulated in the stacks of more fragmented identity networks (such as Google Open Connect or Facebook Connect). It is up to us, the OpenID community, to make things right by seizing the opportunity. As we say in the valley, it is all about mere and simple execution. Yes, indeed, this coming year ought to be a critical and exciting year for Internet identity and OpenID.


December 13, 2008

Identity and Security in a World of SAAS: the Case for Federation

As you probably heard, a significant network security incident happened last week. A large phishing attack was perpetrated against CheckFree.com. Millions of consumer identities have presumably been stolen. Consumer impact aside, the attack warrants our attention because it shows the new challenge that identity and access management faces in a world of outsourced network services. For businesses, the lesson is as clear as it is scary. In a world of SAAS, you no longer control your security. Your home-grown access policies have become irrelevant. As an enterprise, you have lost control of your network protection. Unfortunately, CheckFree and millions of their consumers learned this lesson the hard way last Friday.


So what happened? In a nutshell (you will find a very good explanation here), the bad guys first used a spear phishing attack to capture the credentials that would allow access to CheckFree's account at Network Solutions. Once the first phase was successfully completed, the attackers logged into the Network Solutions account to map CheckFree's name servers to their own servers, located in Ukraine. Following the DNS compromise, the bad guys eventually launched a large-scale phishing attack against CheckFree's customers, potentially allowing the compromise of millions of consumer identities.


Because the DNS servers were hosted at Network Solutions, CheckFree's security was totally bypassed. As a matter of fact, it did not matter what level of security checkfree.com implemented. Their policies had become irrelevant. Had CheckFree deployed risk-based authentication, two-factor authentication, smart cards with biometrics or anything else to their millions of consumers, it would not have mattered. CheckFree's consumer identity protection had become as vulnerable as Network Solutions' usernames and passwords.


The lesson is brutally clear. In a world of SAAS, a world in which most enterprises increasingly live, corporate access policies are no longer enforceable. As an enterprise, you can raise your identity game, but your game is now only as good as your weakest SAAS vendor (granted that in this case, Network Solutions provided a mission-critical Internet service by managing the IP addresses of CheckFree's name servers). When it comes to security, if you do not control access policies (authentication and authorization), the truth is that you do not control anything. Furthermore, you may no longer be in compliance, since most regulations like Sarbanes-Oxley require an enterprise to implement stringent policy, processes and audit to regulate employee and non-employee access to critical business information.


The DNS Cathedral and the Identity Bazaar

While the pundits scream for DNSSEC deployment, the bad guys have already found a chink in our future Internet armor. Their message to us is simple: there is no point in securing the front door if the back door is to remain open. DNSSEC is important, but not a panacea. Phishing will not go away unless we also work on strengthening identity and access management on the Internet. Last week's attack makes this conclusion inescapable. Today, the Internet counts about 100 million domain names. There are also hundreds of ICANN-accredited registrars. Some are small companies, some are very large businesses. The world now understands that millions of businesses worldwide rely on these registrars for protecting their most precious digital asset: their Internet name. Does it mean that all the registrars of the world, large or small, need to change the way they authenticate users all at once?


Maybe, but a coordinated and more effective approach should also be considered. The time may be ripe for federated identity services, a new breed of cloud services that would make it easier for registrars (and SAAS vendors) to deploy stronger authentication; a federated identity service that provides a choice of authentication and allows registrants to define authorization policies based on their own internal requirements and business needs. Instead of each individual registrar, whose business expertise has little to do with identity management, a shared identity service trusted by the whole ecosystem could increase security at much lower cost and complexity than point-solution deployment. A cloud identity broker that provides additional authentication factors such as device ID, certificates, one-time passwords or smart cards would have allowed CheckFree to enforce two-factor authentication without Network Solutions having to know or do anything.



Identity Brokers - Local Bootstrap Credentials - Locally Defined Policies

Software aficionados will always question the security of a centralized cloud identity service. Centralized identities present a risk. However, the risk of a centralized IDP can also be reduced by allowing domain name holders (the enterprise) to provide their own bootstrap credentials to the IDP. After all, small and large enterprises like CheckFree already issue trusted credentials to their employees. A cloud identity service that can also integrate with the enterprise would provide optimal security, accountability and flexibility. Simple yet effective security policies could now be implemented; for example, requiring that every employee access to Network Solutions originates from CheckFree's internal IT network (think Kerberos to SAML). Such a simple access policy alone would have defeated the Ukrainian attack from last week. Finally, had CheckFree already issued tokens or smart cards for remote access to its employees, a federated identity cloud service would have enabled their re-use to protect employee access to Network Solutions.
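The locally defined policy described above, as an added example that is not code from the post or from any vendor: a cloud identity broker evaluates the domain holder's own access policy (source network plus an acceptable second factor) before issuing a SAML-style assertion to a SaaS provider such as a registrar. The enterprise name, broker issuer URL, network ranges and factor sets are constructed for the example.

```python
"""Added example (not the post's or any vendor's code): a cloud identity broker
enforcing the domain holder's locally defined access policy before issuing a
SAML-style assertion to a SaaS provider such as a registrar. Deny by default."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class AuthContext:
    """What the broker knows about one login attempt. The principal was bootstrapped
    from the enterprise's own credentials (e.g. a Kerberos logon), not a SaaS password."""
    principal: str
    enterprise: str
    source_ip: str
    factors: frozenset      # e.g. {"password"}, {"password", "otp"}, {"smartcard"}
    target_service: str     # SaaS audience, e.g. "registrar"


@dataclass
class EnterprisePolicy:
    """Policy registered at the broker by the domain holder (the enterprise)."""
    enterprise: str
    internal_networks: tuple
    required_factors: dict  # service -> tuple of acceptable factor sets; unlisted services are denied
    network_bound_services: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    assertion: Optional[dict] = None


def _from_internal_network(policy, source_ip):
    addr = ip_address(source_ip)
    return any(addr in ip_network(net) for net in policy.internal_networks)


def evaluate(policy, ctx):
    """Evaluate the enterprise policy; on success return the assertion the SaaS would consume."""
    if ctx.enterprise != policy.enterprise:
        return Decision(False, "principal does not belong to this enterprise")
    if ctx.target_service not in policy.required_factors:
        return Decision(False, f"no policy registered for service {ctx.target_service!r}")
    if (ctx.target_service in policy.network_bound_services
            and not _from_internal_network(policy, ctx.source_ip)):
        # This check alone stops a phished password replayed from an outside network.
        return Decision(False, "source address outside the enterprise network")
    acceptable = policy.required_factors[ctx.target_service]
    if not any(combo <= ctx.factors for combo in acceptable):
        return Decision(False, "presented factors do not satisfy policy")
    strong = len(ctx.factors) > 1 or "smartcard" in ctx.factors
    assertion = {
        "issuer": "https://broker.example/idp",   # hypothetical broker issuer
        "subject": ctx.principal,
        "audience": ctx.target_service,
        "authn_context": "multi-factor" if strong else "password",
        "source_ip": ctx.source_ip,
    }
    return Decision(True, "policy satisfied", assertion)


# Constructed policy for a hypothetical enterprise; 203.0.113.0/24 is a documentation range.
EXAMPLE_POLICY = EnterprisePolicy(
    enterprise="example-enterprise",
    internal_networks=("203.0.113.0/24", "10.0.0.0/8"),
    required_factors={
        "registrar": ({"password", "otp"}, {"smartcard"}),
        "crm": ({"password"},),
    },
    network_bound_services=frozenset({"registrar"}),
)


def demo():
    """Three attempts against the registrar: phished password from outside, inside without
    a second factor, and inside with a re-used OTP token."""
    ent, who = "example-enterprise", "alice@example-enterprise"
    attempts = [
        AuthContext(who, ent, "198.51.100.7", frozenset({"password"}), "registrar"),
        AuthContext(who, ent, "203.0.113.20", frozenset({"password"}), "registrar"),
        AuthContext(who, ent, "203.0.113.20", frozenset({"password", "otp"}), "registrar"),
    ]
    return [evaluate(EXAMPLE_POLICY, a) for a in attempts]


if __name__ == "__main__":
    for d in demo():
        print(d.allowed, d.reason, d.assertion)
```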


Interestingly, the same week Google, Facebook and MySpace launched their own competing solutions for consumer federation, the CheckFree incident reminds us that the most urgent need for federated identity may not lie in the land of consumers but in the world of enterprise and B2B security. Undisputedly, the growth of cloud computing and SAAS exacerbates the need for secure identity providers. In that world, less OpenID, no FB Connect or MySpaceID; SAML tends to be the lingua franca. As the CheckFree incident demonstrates, the benefits of SAML federation are significant for enterprises. Compliance, security, and data safety are at stake. Who knows? As smarter attacks keep on emerging, SAAS federation and SAML identity providers may be the next big thing when it comes to securing cloud computing and digital identities on an increasingly wilder Internet.


November 3, 2008

Google's Smart OpenID Move

There has been a lot of buzz around Google's OpenID announcement last week. First, because Google awkwardly decided to change the service endpoint discovery part of the protocol. The good news is that Google fixed their faux pas fairly quickly. In fact, they had no reason not to follow the spec and alienate the OpenID community.


More significant and more interesting, however, was Google's OpenID departure from requiring users to use URLs as OpenID identifiers. Instead, Google wants to let users use their Gmail address as an OpenID identifier. Using Gmail addresses as OpenIDs is not only a justifiable way to improve the OpenID user experience; it is also a very smart move by Google in their quest to become the dominant Internet identity provider (IDP).


As a consumer, there is no doubt that using an email address is the obvious identifier. Email is to consumers what domain names and URLs are to businesses: a natural identifier. After all, email is already my Amazon, Apple and many other sites' login. It is the intuitive OpenID that any consumer will expect to type in any relying party login box. In the long run, not having to teach millions of consumers that they should type a URL instead of an email address will prove a huge win for OpenID. Too bad, though, that it took the weight of one company to move an entire community forward.


But the consumer is not the only winner here. I think Google will prove to be the other beneficiary. By making email addresses the de facto OpenID identifier, guess who is now more likely to become the identity provider of choice for millions of consumers? I would venture that those IDPs who are already providing millions of Web mailboxes to consumers have just gained a position of strength. Coincidentally, Google, Yahoo! and Microsoft have quite a few of those under management! Of course, Yahoo! and MSN are fairly tame rivals as far as Google is concerned. No, to appreciate this chess move, we ought to look at the other guardians of our Web identity: the social networks.


So, by changing the OpenID user interface, Google is now in a position of strength vis-à-vis OpenID, forcing Facebook further into a dead-end proprietary identity API strategy. The beauty is that Google did not even have to force a button or any branding on relying party web sites. The choice of identifier alone will make it easier for consumers to choose Google over Facebook. I would now expect to see Google drive OpenID integration across all APIs related to social networks and mobile (we already know that OAuth/OpenID integration is next) at full speed.


So, for sure, with Google and email, OpenID has gained a lot this week. At the same time, the idea of a federated Web identity network dominated by the three large Web mail providers is becoming more real. Nevertheless, consumers should rejoice. This week was a big step towards fewer names and passwords, and in the end, more convenience is certainly no evil.

May 19, 2008

Friend Connect or the Deportalization of Social Networks

The issue of personal data portability is rapidly moving center stage. So, what is the big fuss about and what is really at stake here?


For us, as consumers, it is an important issue because eventually it will determine how much ownership we will be able to enforce upon our personal data and content, including our social graph, which today is dispersed across competing social networks and Web portals.


For Google and FaceBook (FB), the stakes are equally high. Ultimately, the winner could take it all and be the one who really drives revenue from social networking. But to understand why, we need to review the controversy first.


It really all started with OpenSocial. OpenSocial was Google's response to the rapid rise towards hegemony of the FB APIs. To counter FB, Google created an alternative that it proclaimed an open standard, rallying a large number of FB competitors behind it.


Competitive response aside, OpenSocial also arises from our industry's realization that a social network is much more than a destination. Social networking is really a new application dimension. It is a new form of interaction that can augment almost any application, or any web site. To add social networking capabilities to an application, you need APIs. OpenSocial fills that gap.


With OpenSocial, Google is also reducing social networks to mere "containers". Google is turning the social networking portals into a set of interoperable data sources that it can dip into. In fact, with the consent of the end-user, these social databases become instantly accessible to a whole new layer of identity services. The first generation of these new services now has a name: Google Friend Connect.


It is clear that FB understands the threat of a layer above social networks dominated by Google. Its decision to block Friend Connect under the excuse of privacy control does not fool anyone. It is also likely that OpenSocial may have forced FB into exposing its own APIs to third party Web sites. Friend Connect, on the other hand, is consistent with Google's "social cloud" strategy. It simply extends OpenSocial by alleviating the need for site owners to write code. Although it remains to be seen whether an embedded widget can provide the right user interface, by putting itself between Web sites and social networks, Google is moving fast to disintermediate the leading social network. If Google were to succeed, it would surely make a significant dent in FB's $15B valuation.


But what is the real prize here? What is really at stake? Let me venture an explanation. How do you discover sites, products, music, videos on the Internet? You Google it, of course. Now, in the real world, how do you discover products, movies, or books? Very often, you discover them through your social connections. Social events are always full of "I love this new product, you should really buy it too", "you must see that movie", "I highly recommend reading that book", "this restaurant is unbelievable". So maybe social discovery is the perfect complement to search when it comes to generating and monetizing traffic to other sites.


So here may lie Google's bet on OpenSocial. The bet is that social networking capabilities integrated into a Web site can drive viral traffic (because your social feed will notify your friends of a site visit or of a transaction, because you will recommend a merchant by becoming a 'member of the site' or writing a review, because you will trust a site by finding people you know who have already experienced this site). Notwithstanding the data mining and advertising intelligence opportunity that sitting between sites and social networks can present in the long run, the bet is that social interactions will drive more site visitors. Of course, for an ad network like Google that thrives on monetizing new customer acquisition and traffic, it is a very rational bet.


So while FB seems initially more concerned about keeping interactions within the walled garden, Google is forcing all the social networks to embrace a deportalization strategy. Of course, it is a smart move for Google who, unlike social networks, already has strong customer relationships with most Web sites through its AdWords and AdSense programs. Without access to a direct channel to online merchants and .COM sites, FB is in a relatively weaker position, but it had to respond, and Facebook Connect is its current answer to Google. Will FB be more effective in driving revenue by deportalizing its APIs and driving traffic outside FB instead of raising the walls of the garden day by day? That remains to be seen.


At the end of the day, social traffic is still a theory in search of validation. For these merchants and Web site owners, that traffic may never materialize. To the non-believers, I can only oppose the success of Yelp, whose community's sole purpose is to drive traffic to local businesses. Considering the energy that Google is deploying around OpenSocial and Friend Connect, we should have our final answer soon. One thing is almost certain: for the near future, the social cloud is likely to be the strongest market force driving internet-scale identity services, and that is very good news for OpenID.


March 17, 2008

The Business of Identity

With the increasing visibility of OpenID, VeriSign often gets invited to conferences to discuss the implications of this new technology. One of the questions that I often get from the audience borrows a line from Jerry Maguire: "When technology is based on IP-free open standards, how do identity vendors and service providers make ends meet?" In other words: "Show me the money!" Broad question, so I thought I would get on the record to describe a few of the popular business theories around OpenID and discuss their respective merits.


The IDM Software Business Model:

The first answer is to observe that OpenID is a federation protocol and as such, it fits well within an identity management suite (very much like SAML, or WS-*). Vendors in that space are well known: CA, HP, IBM, Microsoft, Oracle, Sun, etc. IDM vendors derive revenue by licensing their identity management software to large enterprises. Single-Sign-On across enterprise applications still remains an unsolved problem within many enterprises. Because of its lightweight nature, OpenID carries the promise of simpler integration across many internal Web applications (enterprise portal, SAP, Oracle Web apps, etc.), making it an attractive IDM solution component and a must-have for most IDM software vendors.


The Service Aggregator Business Model:

OpenID is especially well suited for managing identities across consumer services. So, the natural early adopters will be consumer service aggregators, such as Mobile Network Operators and MSOs. Indeed, these companies view their millions of subscribers as an untapped strategic asset. The ability to leverage OpenID to more easily up-sell and cross-sell subscribers across a growing portfolio of services and channels (wireless, broadband and TV) has strong business appeal. In other words, federating within the walled garden makes good business sense: one unified identity, one converged brand experience, one view of the customer and the ability to subscribe existing customers to new services in one single click, whilst charging them on one single bill.


The Security Business Model:

As a consumer, if you have one consolidated identity for use across many Web services, you are more likely to want to protect that unique identity. It is also easier to do so, since only the identity provider needs to deal with the complexity of any additional security technology. In a shared identity eco-system, security solutions such as strong authentication become more cost-effective since the price of securing identities can now be shared across all the relying parties. In other words, economies of scale can be realized. This is exactly the VeriSign Identity Protection (VIP) model that we introduced in early 2006. At that time, OpenID did not exist, so the chances of sharing a complete identity were pretty slim. Therefore, we decided to adopt a simpler sharing model where only the security (the second authentication factor) is shared across sites. Authentication services such as VIP are a good fit for OpenID as they make it relatively easy to turn any IDP into a strong IDP. Besides, while accepting a name and a password from a third party may not provide much additional value over a self-issued name and password, the idea that an identity provider will provide a more secure and stronger identity could well be a compelling value proposition for sites to start accepting OpenID as relying parties.


The Insurance Policy Model:

Building on the idea that what makes accepting a third party as an identity provider worthwhile is a stronger identity, the identity assurance model arises. In that model, the identity provider becomes a risk underwriter. Basically, the IDP "insures" the relying party on the validity of, and the knowledge that it has about, a given identity. The identity risk profile allows the IDP to make some explicit guarantees (e.g. "no charge back") and be compensated for it. For example, a bank that knows a lot about a consumer's identity and purchase behavior could vouch for a consumer transaction to be trustworthy and underwrite the risk based on the consumer risk-profile that it has accumulated over time.


The Lead Generation and Advertising Model:

In OpenID everyone is focused on Single-Sign-On. The truth is that the real money-maker may be more about attribute exchange than simple login. By attribute exchange, I mean the ability to seamlessly transmit a subscriber's registration profile and payment information in real-time. In that context, I can see OpenID becoming an enabler for CPA-based advertising. In the CPA model, the publisher and the ad network (IDP) get paid when the user registers with the advertiser (lead acquisition) or purchases from the advertiser (impulse buy). By removing the typing, OpenID can enable a much more effective CPA model where the user only needs to log in to their identity provider to authorize a registration or a purchase. The ability to register a new customer and allow them to pay from any device in one click could prove a significant enabler for direct response advertising.


Of course, all these business models remain somewhat theoretical and unproven. However, the intuition is that there are many angles to consider when approaching OpenID from a business perspective. Interestingly, the breadth of opportunities should make the emerging standard more relevant to many leading Internet companies. This may explain the broad and growing attraction for federated identity, and OpenID in particular. That is all good news for the technology, as without business drivers, it will remain a technology construct that makes conference headlines but is ignored by business-minded leaders. That would be a shame of course, as the best ideas are the ones that can seduce consumers, technologists and those who follow the same three directives day after day: "Show me the money, show me the money, show me the money!"

February 7, 2008

Open ID Foundation: Does the world really need yet another identity organization?

Today, Google, Microsoft, Yahoo!, IBM and VeriSign are joining the OpenID Foundation board. After the OpenID deployments from Yahoo! and Google earlier this year, this is one more piece of good news for the OpenID aficionados. I know that all of us involved with OpenID at VeriSign are really excited about the latest developments. Since OpenID is a key element of VeriSign's identity strategy, I thought I would take a minute to discuss the role and the importance of the Foundation moving forward.


IP Free Open Technology:


If we have learned one thing from the success of DNS and SSL, it is the importance of Intellectual Property (IP) free open standards to the success of any new Internet technology. Without them, the chances of broad adoption for any new Internet technology are as good as the odds of a wild card team winning the Super Bowl: extremely slim. Identity services are no exception to the rule. So, the Foundation's primary goal will be to ensure that OpenID always remains open and free to the Internet community. Concretely, this means that the Foundation will work with identity vendors and the community to protect OpenID Intellectual Property Rights and its free usage policy. Technologies always evolve and improve; we needed a body to exercise ongoing vigilance. There cannot be any compromise on this point. The good news is that everyone on the board has already embraced this idea as a fundamental principle.


Where the Yin and the Yang Meet:


OpenID is essentially a grassroots technology. So far, the specification and the implementation have been mostly driven by the technical community. I would argue that it is a good thing. Had the vendors been involved too early, the technology may not have ended up as brilliantly simple and as easy to deploy, and OpenID may not have enjoyed the initial community enthusiasm and rapid deployment (remember Liberty Alliance?). This grassroots model has proven to work, so we must keep it moving forward. At the same time, as large identity service providers and software vendors join the OpenID bandwagon, we needed an entity to facilitate the exchange of ideas and product requirements between the grassroots and business communities. A Yahoo! or a Google may need specific product enhancements. A VeriSign may ask for some additional security elements. At the same time, the OpenID technical community needs to be able to keep on innovating and take the technology into new directions. The Foundation will be the place to facilitate the debate and prioritize the efforts.


Creating a Second to None OpenID Experience:


With the Google, AOL and Yahoo! deployments, OpenID is off to a great start. 350M users now have access to the technology. One challenge remains: very few of these 350M consumers are using OpenID or are even aware that the technology exists. This leads to one of the important roles for the Foundation: to drive consumer adoption. The Foundation will own the OpenID brand and logo. It will define and protect its proper context of use. More importantly, the Foundation will need to make these assets synonymous with "insanely great user experience" in the minds of consumers. There is little doubt that the success of OpenID will be tied to the quality of the user experience it brings to millions of consumers. Yahoo! already improved that user experience. The Foundation will take it further and enable a true "one-click" or even "zero-click" user experience for login, registration, payment and all other forms of Internet activities that require identity information exchange. The Foundation will be the place to funnel the best ideas from the community and set the best deployment practices.

At VeriSign, we are truly excited to be board members of the Foundation and support its mission. Bill Washburn, a former colleague and a friend, is heading the Foundation, and I cannot think of a better person to help drive consensus across so many distinct personalities. That is certainly one more reason to be excited. Let us get to work!


October 29, 2007

From AdSense to IDSense or why Facebook may well be worth $15B.

We have all heard about it. On Wednesday, Microsoft invested $240M into Facebook, beating Google to the punch, and giving the folks on University Avenue a $15B valuation ("yes, mini-me, $15B dollars...") and a war chest large enough to start buying a few buildings even in Palo Alto.


Of course, everybody is wondering why pay so much for so little ($240M for 1.6% of the company). With revenues around $150M and 50M registered users, elementary school maths already tells a lot about Microsoft's fascination for Facebook. According to Microsoft, Facebook is worth 100 times current revenue or $300 per registered user. Such multiples would make any VC sell their mother and first born. So, let us try to understand this Ballmerian burst of generosity (or desperation, depending on how you look at it).


The OS theory.


The first theory is the Operating System theory. In the last year, Facebook has been very successful attracting developers to build applications using its APIs. Facebook must therefore be the new operating system. Microsoft being the incumbent OS dominatrix, it must pay to control the new Web OS. Hum... The theory is daring but not quite convincing. Although Facebook as a widget platform is definitely powerful, it is not the entire Web OS. Social networking is an important primitive but it is only one facet of the Web. Facebook applications are great but none of them truly measures up to Microsoft Office. So, Facebook as a programming platform is certainly part of the attraction but there has got to be more to the story.


The International theory.


The second theory is International growth. 60% of Facebook users are non-US. Since Internet growth is faster outside the US, the deal gives Microsoft a stronger position in the race for global domination over the fast-growing advertising market. No doubt that the foreign dimension of Facebook is strategically valuable to Redmond. Nevertheless, despite the fast growth and a 30M foreign user base, this alone cannot justify the numbers either.


The conspiracy theory.


The third theory is a conspiracy theory. Throughout the negotiations, Google raised the stakes to drive the price higher. Then at the last minute, they withdrew, leaving Microsoft all alone at the bidding table with an insanely high bid. I know that the guys at Google are smart, but this sounds more like a James Bond movie than corporate development to me. It is clear Google was at the bargaining table. It is likely that they bargained hard, forcing Microsoft to move aggressively. However, I have to believe that it takes more than such a simple trap for Mr Ballmer to sign such a large check.


Ok, so what is it? Clearly, it must be about advertising. Advertising is a soon-to-be $80B market. It is one of the few markets large enough to move the Microsoft needle. This is also the oxygen tank of Microsoft's #1 rival, Google. In plain English, advertising is a highly strategic market to Microsoft. You don't win strategically by being cheap, especially when you are the underdog.


Think AdSense 2.0 and Facebook deportalization.


Microsoft views Facebook as an advertising platform, the asset that can help Redmond make up for lost time against Google in search. An interesting fact about Facebook is that they know a lot about their users. With Facebook, folks like you and me expose their complete profile well beyond ZAG (Zip code, Age and Gender). Many reveal their personal interests by joining specific groups and registering for special events. So, Facebook has deep segmentation and behavioral information about consumers. Such consumer intelligence should allow them to do more precise ad targeting. In turn, relevant targeting should allow them to command a premium in advertising rates.


How does it compare to Google? Google draws advertising relevance from queries and hyperlink rank. In fact, Google is the undisputed king of the hill when it comes to contextual advertising. However, outside of search, contextual match may not always provide the most effective targeting. In many ways, demographic and behavioral targeting may prove more effective when it comes to videos and the long tail of content available on the internet. Behavioral targeting is where the advertising balance of power could eventually shift, creating a chink in the Google armor. That chink alone may well be worth $15 billion to Microsoft.


Interestingly, social networking sites such as Facebook may not be the best place to advertise. The rumor is that Google AdSense has led to abysmal click-through on MySpace. After all, when interacting with friends, one has little attention span for ads. So, maybe, the true leverage of Facebook may be to evolve it into an advertising network for relying party sites such as MSN. After the Facebook application platform would come the Facebook advertising platform: a behavioral and social ad network to drive improved monetization outside of Facebook.


Today, AdSense is the only real game in town and a significant driver of revenue growth for Google. With 245M of new R&D dollars, fueled by identity intelligence but respectful of user privacy and trust, Facebook may well hold enough assets in hand to become the alternative ad platform. IDSense anyone? Easier said than done of course, but at least this perspective sounds like a worthwhile $15 billion bet to me.

August 27, 2007

Towards user-centric advertising?

Last week, the Wall Street Journal posted an interesting article. According to WSJ, Facebook is working on an advertising system that leverages the massive amount of information that people reveal about themselves on the site. The intent is clear: drive higher monetization of Facebook advertising real-estate. But could there be a bigger idea there? Can identity and real-time consumer intelligence do for social networks and identity providers what search and page ranks did for Google: drive ad relevance and become a formidable monetization engine for identity platforms?

Of course, this is not quite a new idea. Targeting ads based on location and demography has always been part of the ad networks' bag of tricks. Today, behavioral ad networks use cookies to track our navigation events and derive a consumer profile that can be used to target ads across sites and web sessions. Google is also doing some of that with GMail, although many folks are worried that reading their email to target advertising is as close to doing evil as California sparkling white wine is to French champagne.

Nevertheless, it is clear that none of the guessing can be as accurate as what consumers are genuinely willing to reveal about themselves. Of course, this is precisely what most of us do on Facebook: publicly share personal information and interests. So, yes! Social communities are different animals in the sense that users are predisposed to talk about themselves and reveal a lot. But, no! That does not mean that these users consent to let that information be used to drive more targeted advertising.

As a matter of fact, a study from Forrester indicates that only a third of us would welcome personalized ads. The probable truth is that many consumers may find the approach way too spooky and a dangerous intrusion on their privacy. Eh! I sure would. So, this means that Facebook and others need to be extra careful before crossing the Rubicon of personalized advertising. Of course, if you are a marketer, 30% is not a rounding error. Consumer intelligence can be a significant business asset. Therefore, the evil temptation will be there.

So, can it work? I think so, but only under one fundamental and very strict principle: let the user decide, let the user opt in, let the user be in control. That is where Facebook and everyone else need to borrow a page from "user-centric" identity management and OpenID. The user needs to be making the decision. In other words, the trick is to motivate consumers to opt into personalized ads. Transparency is key. Service providers should explain that only non-identifiable information is being used. Then, they should pause and take a hard look at answering the mother of all questions: what is in it for the user?

If users are in control, then identity intelligence sharing can become a monetization engine. On the Internet, the exchange of name and password has very little business value, which is why we still live in a world of identity silos despite the technological coolness of OpenID and the like. Finally, a business model to share identities. Yet, this is a double-edged sword. There is a long divide between consumer trust and ad personalization. In the end, consumers will have to decide whether any profile information is worth sharing with marketers. Facebook and the future identity providers cannot be self-serving. Their community must agree to it and it must benefit the community. Otherwise, that same community is likely to revolt. Once again, the answer is simple: make it worth the user's while. Welcome to the user-centric Internet!

August 2, 2007

Identity: It is the Network

The idea of identity as a service and identity federation is almost 10 years old. Happy birthday, identity people. If the protocols have changed a bit from SAML to WS-Federation, CardSpace and OpenID, the vision of identity as a service has predominantly stayed the same. That is a good thing. Vision alignment inexorably drives technology convergence in the end. On the application side, single sign-on and attribute exchange across identity providers and relying parties still dominate the use cases. Yes, after all this time, our show-off moment is still a login demo! In the meantime, my content friends are wooing customers and analysts with HD quality movie streaming to the desktop. What is wrong with that picture?

What we need is a new demo. Jokes aside, there may lie a critical observation. Although an interesting feature, the brutal truth is that SSO is no killer app. Of course, the implications of a shared login are not to be underestimated. User convenience, increased trust and stronger security are important. Of course, reducing all these cool new technologies to access control is an unfair characterization. OpenID's user-centric paradigm that puts consumers in charge of their identity may well be the foundation to a massive rethink of today's Internet services. As big as these ideas may be, however, no one in the industry has really been able to translate them into killer consumer services. Rarely does new technology succeed unless the experience and benefits it enables outweigh the status quo by an order of magnitude. So, if we truly aspire to mass deployment, we need to provide more value to consumers. We definitely need to go much farther than access control and attribute exchange.




Disclaimer: Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of VeriSign.
