Tuesday, July 15, 2014

Health data deluge requires secure information flow via standards, says The Open Group’s new healthcare director

An expected deluge of data and information about patients, providers, outcomes, and needed efficiencies is pushing the healthcare industry to rapid change. But more than dealing with just the volume of data is required. Interoperability, security and the ability to adapt rapidly to the lessons in the data are all essential.

The means of enabling Boundaryless Information Flow, Open Platform 3.0 adaptation, and security for the healthcare industry are then, not surprisingly, headline topics for The Open Group’s upcoming event, Enabling Boundaryless Information Flow on July 21 and 22 in Boston.

And Boston is a hotbed of innovation and adaption for how technology, enterprise architecture, and open standards can improve the communication and collaboration among healthcare ecosystem players.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.

In preparation for the conference, BriefingsDirect had the opportunity to interview Jason Lee, the new Healthcare and Security Forums Director at The Open Group. The discussion is moderated by me, Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: I'm looking forward to the Boston conference next week and want to remind our listeners and readers that it's not too late to sign up to attend. You can learn more at www.opengroup.org.

Let’s start by talking about the relationship between Boundaryless Information Flow, which is a major theme of the conference, and healthcare. Healthcare perhaps is the killer application for Boundaryless Information Flow.

Lee: Interesting, I haven’t heard it referred to that way, but healthcare is 17 percent of the US economy. It's upwards of $3 trillion. The costs of healthcare are a problem, not just in the United States, but all over the world, and there are a great number of inefficiencies in the way we practice healthcare.

Lee
We don’t necessarily intend to be inefficient, but there are so many places and people involved in healthcare, it's very difficult to get them to speak the same language. It's almost as if you're in a large house with lots of different rooms, and  every room you walk into they speak a different language. To get information to flow from one room to the other requires some active efforts, and that’s what we're undertaking here at The Open Group.

Gardner: What is it about the current collaboration approaches that don’t work? Obviously, healthcare has been around for a long time and there have been different players involved. What are the hurdles? What prevents a nice, seamless, easy flow and collaboration in information that creates better outcomes? What’s the holdup?

Many barriers

Lee: There are many ways to answer that question, because there are many barriers. Perhaps the simplest is the transformation of healthcare from a paper-based industry to a digital industry. Everyone has walked into a medical office, looked behind the people at the front desk, and seen file upon file and row upon row of folders, information that’s kept in a written format.

When there's been movement toward digitizing that information, not everyone has used the same system. It's almost like trains running on different gauge track. Obviously if the track going east to west is a different gauge than going north to south, then trains aren’t going to be able to travel on those same tracks. In the same way, healthcare information does not flow easily from one office to another or from one provider to another.

Gardner: So not only do we have disparate strategies for collecting and communicating health data, but we're also seeing much larger amounts of data coming from a variety of new and different places. Some of them now even involve sensors inside of patients themselves or devices that people will wear. So is the data deluge, the volume, also an issue here?

Lee: Certainly. I heard recently that an integrated health plan, which has multiple hospitals involved, contains more elements of data than the Library of Congress. As information is collected at multiple points in time, over a relatively short period of time, you really do have a data deluge. Figuring out how to find your way through all the data and look at the most relevant [information] for the patient is a great challenge.

Gardner: I suppose the bad news is that there is this deluge of data, but it’s also good news, because more data means more opportunity for analysis, a better ability to predict and determine best practices, and also provide overall lower costs with better patient care.
We, like others, put a great deal of effort into describing the problems, but figuring out how to bring IT technologies to bear on business problems.

So it seems like the stakes are rather high here to get this right, to not just crumble under a volume or an avalanche of data, but to master it, because it's perhaps the future. The solution is somewhere in there, too.

Lee: No question about it. At The Open Group, our focus is on solutions. We, like others, put a great deal of effort into describing the problems, but figuring out how to bring IT technologies to bear on business problems, how to encourage different parts of organizations to speak to one another and across organizations to speak the same language, and to operate using common standards and language. That’s really what we're all about.

And it is, in a large sense, part of the process of helping to bring healthcare into the 21st Century. A number of industries are a couple of decades ahead of healthcare in the way they use large datasets -- big data, some people refer to it as. I'm talking about companies like big department stores and large online retailers. They really have stepped up to the plate and are using that deluge of data in ways that are very beneficial to them -- and healthcare can do the same. We're just not quite at the same level of evolution.

Gardner: And to your point, the stakes are so much higher. Retail is, of course, a big deal in the economy, but as you pointed out, healthcare is such a much larger segment. So just making modest improvements in communication, collaboration, or data analysis can reap huge rewards.

Quality side

Lee: Absolutely true. There is the cost side of things, but there is also the quality side. So there are many ways in which healthcare can improve through standardization and coordinated development, using modern technology that cannot just reduce cost, but improve quality at the same time.

Gardner: I'd like to get into a few of the hotter trends. But before we do, it seems that The Open Group has recognized the importance here by devoting the entire second day of their conference in Boston, that will be on July 22, to healthcare.

Maybe you could provide us a brief overview of what participants, and even those who come in online and view recorded sessions of the conference at http://new.livestream.com/opengroup should expect? What’s going to go on July 22?

Lee: We have a packed day. We're very excited to have Dr. Joe Kvedar, a physician at Partners HealthCare and Founding Director of the Center for Connected Health, as our first plenary speaker. The title of his presentation is “Making Health Additive.”
It will become an area where standards development and The Open Group can be very helpful.

Dr. Kvedar is a widely respected expert on mobile health, which is currently the Healthcare Forum’s top work priority.  As mobile medical devices become ever more available and diversified, they will enable consumers to know more about their own health and wellness. 

A great deal of data of potentially useful health data will be generated.  How this information can be used -- not just by consumers but also by the healthcare establishment that takes care of them as patients -- will become a question of increasing importance. It will become an area where standards development and The Open Group can be very helpful.

Our second plenary speaker, Proteus Duxbury, Chief Technology Officer at Connect for Health Colorado, will discuss a major feature of the Affordable Care Act — the health insurance exchanges -- which are designed to bring health insurance to tens of millions of people who previous did not have access to it. 

He is going to talk about how enterprise architecture -- which is really about getting to solutions by helping the IT folks talk to the business folks and vice versa -- has helped the State of Colorado develop their health insurance exchange.

After the plenaries, we will break up into three tracks, one of which is healthcare-focused. In this track there will be three presentations, all of which discuss how enterprise architecture and the approach to Boundaryless Information Flow can help healthcare and healthcare decision-makers become more effective and efficient.

Care delivery

One presentation will focus on the transformation of care delivery at the Visiting Nurse Service of New York. Another will address stewarding healthcare transformation using enterprise architecture, focusing on one of our platinum members, Oracle, and a company called Intelligent Medical Objects, and how they're working together in a productive way, bringing IT and healthcare decision-making together.

Then, the final presentation in this track will focus on the development of an enterprise architecture-based solution at an insurance company. The payers, or the insurers -- the big companies that are responsible for paying bills and collecting premiums -- have a very important role in the healthcare system that extends beyond administration of benefits. Yet, payers are not always recognized for their key responsibilities and capabilities in the area of clinical improvements and cost improvements.

With the increase in payer data brought on in large part by the adoption of a new coding system -- the ICD-10 -- which will come online this year, there will be a huge amount of additional data, including clinical data, that become available. At The Open Group, we consider payers -- health insurance companies (some of which are integrated with providers) -- as very important stakeholders in the big picture.

In the afternoon, we're going to switch gears a bit and have a speaker talk about the challenges, the barriers, the “pain points” in introducing new technology into the healthcare systems. The focus will return to remote or mobile medical devices and the predictable but challenging barriers to getting newly generated health information to flow to doctors’ offices and into patients records, electronic health records, and hospitals' data-keeping and data-sharing systems.
Payers are not always  recognized for their key responsibilities and capabilities in the area of clinical improvements and cost improvements.

We'll have a panel of experts that responds to these pain points, these challenges, and then we'll draw heavily from the audience, who we believe will be very, very helpful, because they bring a great deal of expertise in guiding us in our work. So we're very much looking forward to the afternoon as well.

Gardner: I'd also like to remind our readers and listeners that they can take part in this by attending the conference, and there is information about that at the opengroup.org website.

It's really interesting. A couple of these different plenaries and discussions in the afternoon come back to this user-generated data. Jason, we really seem to be on the cusp of a whole new level of information that people will be able to develop from themselves through their lifestyle, new devices that are connected.

We hear from folks like Apple, Samsung, Google, and Microsoft. They're all pulling together information and making it easier for people to not only monitor their exercise, but their diet, and maybe even start to use sensors to keep track of blood sugar levels, for example.

In fact, a new Flurry Analytics survey showed 62 percent increase in the use of health and fitness application over the last six months on the popular mobile devices. This compares to a 33 percent increase in other applications in general. So there's an 87 percent faster uptick in the use of health and fitness applications.

Tell me a little bit how you see this factoring in. Is this a mixed blessing? Will so much data generated from people in addition to the electronic medical records, for example, be a bad thing? Is this going to be a garbage in, garbage out, or is this something that could potentially be a game changer in terms of how people react to their own data -- and then bring more data into the interactions they have with healthcare providers?

Challenge to predict

Lee: It's always a challenge to predict what the market is going to do, but I think that’s a remarkable statistic that you cited. My prediction is that the increased volume of person-generated data from mobile health devices is going to be a game changer. This view also reflects how the Healthcare Forum members (which includes members from Capgemini, Philips, IBM, Oracle and HP) view the future.

The commercial demand for mobile medical devices, things that can be worn, embedded, or swallowed, as in pills, as you mentioned, is growing ever more. The software and the applications that will be developed to be used with the devices is going to grow by leaps and bounds.

As you say, there are big players getting involved. Already some of the pedometer-type devices that measure the number of steps taken in a day have captured the interest of many, many people. Even David Sedaris, serious guy that he is, was writing about it recently in The New Yorker.

What we will find is that many of the health indicators that we used to have to go to the doctor or nurse or lab to get information on will become available to us through these remote devices.
There are already problems around interoperability and connectivity of information in the healthcare establishment as it is now.

There will be a question of course as to reliability and validity of the information, to your point about garbage in, garbage out, but I think standards development will help here This, again, is where The Open Group comes in. We might also see the FDA exercising its role in ensuring safety here, as well as other organizations, in determining which devices are reliable.

The Open Group is working in the area of mobile data and information systems that are developed around them, and their ability to (a) talk to one another, and (b) talk to the data devices/infrastructure used in doctors’ offices and in hospitals. This is called interoperability and it's certainly lacking in the country.

There are already problems around interoperability and connectivity of information in the healthcare establishment as it is now. When patients and consumers start collecting their own data, and the patient is put at the center of the nexus of healthcare, then the question becomes how does that information that patients collect get back to the doctor/clinician in ways in which the data can be trusted and where the data are helpful?

After all, if a patient is wearing a medical device, there is the opportunity to collect data, about blood-sugar level let's say, throughout the day. And this is really taking healthcare outside of the four walls of the clinic and bringing information to bear that can be very, very useful to clinicians and beneficial to patients.

In short, the rapid market dynamic in mobile medical devices and in the software and hardware that facilitates interoperability begs for standards-based solutions that reduce costs and improve quality, and all of which puts the patient at the center. This is The Open Group’s Healthcare Forum’s sweet spot.

Game changer

Gardner: It seems to me a real potential game changer as well, and that something like Boundaryless Information Flow and standards will play an essential role in. Because one of the big question marks with many of the ailments in a modern society has to do with lifestyle and behavior.

So often, the providers of the care only really have the patient’s responses to questions, but imagine having a trove of data at their disposal, a 360-degree view of the patient to then further the cause of understanding what's really going on, on a day-to-day basis.

But then, it's also having a two-way street, being able to deliver perhaps in an automated fashion reinforcements and incentives, information back to the patient in real-time about behavior and lifestyles. So it strikes me as something quite promising, and I look forward to hearing more about it at the Boston conference.

Any other thoughts on this issue about patient flow of data, not just among and between providers and payers, for example, or providers in an ecosystem of care, but with the patient as the center of it all, as you said?

Lee: As more mobile medical devices come to the market, we'll find that consumers own multiple types of devices at least some of which collect multiple types of data. So even for the patient, being at the center of their own healthcare information collection, there can be barriers to having one device talk to the other. If a patient wants to keep their own personal health record, there may be difficulties in bringing all that information into one place.
There are issues, around security in particular, where healthcare will be at the leading edge.

So the interoperability issue, the need for standards, guidelines, and voluntary consensus among stakeholders about how information is represented becomes an issue, not just between patients and their providers, but for individual consumers as well.

Gardner: And also the cloud providers. There will be a variety of large organizations with cloud-modeled services, and they are going to need to be, in some fashion, brought together, so that a complete 360-degree view of the patient is available when needed. It's going to be an interesting time.

Of course, we've also looked at many other industries and tried to have a cloud synergy, a cloud-of-clouds approach to data and also the transaction. So it’s interesting how what's going on in multiple industries is common, but it strikes me that, again, the scale and the impact of the healthcare industry makes it a leader now, and perhaps a driver for some of these long overdue structured and standardized activities.

Lee: It could become a leader. There is no question about it. Moreover, there is a lot healthcare can learn from other companies, from mistakes that other companies have made, from lessons they have learned, from best practices they have developed (both on the content and process side). And there are issues, around security in particular, where healthcare will be at the leading edge in trying to figure out how much is enough, how much is too much, and what kinds of solutions work.

There's a great future ahead here. It's not going to be without bumps in the road, but organizations like The Open Group are designed and experienced to help multiple stakeholders come together and have the conversations that they need to have in order to push forward and solve some of these problems.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: The Open Group.

You may also be interested in:

Monday, July 14, 2014

HP network management heightens performance while reducing total costs for Nordic telco TDC

When Swedish communications services provider TDC needed network infrastructure improvements from their disparate networks across several Nordic countries, they needed both simplicity in execution and agility in performance.

Our next innovation case study interview therefore highlights how TDC in Stockholm found ways to better determine root causes to any network disruption, and conduct deep inspection of the traffic to best manage their service-level agreements (SLAs).

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.

BriefingsDirect had an opportunity to learn first-hand how over 50,000 devices can be monitored and managed across a state-of-the-art network when we interviewed Lars Niklasson, the Senior Consultant at TDC. The discussion, at the HP Discover conference in Barcelona, is moderated by me, Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: You have a number of main businesses in your organization. There’s TDC Solutions and mobile. There’s even television and some other hosting. Explain for us how large your organization is.

Niklasson: TDC is an operator in the Nordic region, where we have a network covering Norway, Sweden, Finland, and Denmark. In Sweden, we’re also an integrator and have a quite big consultant role in Sweden. In Sweden we’re around 800 people, and the whole TDC group is almost 10,000 people.

Niklasson
Gardner: So it’s obviously a very significant network to support this business and deliver the telecommunication services. Maybe you could define your network for us.

Niklasson: It's quite big, over 50,000 devices, and everything is monitored of course. It’s a state-of-the-art network.

Gardner: When you have so many devices to track, so many types of layers of activity and levels of network operations, how do you approach keeping track of that and making sure that you’re not only performing well, but performing efficiently?

Niklasson: Many years ago, we implemented HP Network Node Manager (NNM) and we have several network operating centers in all countries using NNM. When HP released different smart plug-ins, we started to implement those too for the different areas that they support, such as quality assurance, traffic, and so on.

Gardner: So you’ve been using HP for your network management and HP Network Management Center for some time, and it has of course evolved over the years. What are some of the chief attributes that you like or requirements that you have for network operations, and why has the HP product been so strong for you?

Quick and easy

Niklasson: One thing is that it has to be quick and easy to manage. We have lots of changes all the time, especially in Sweden, when a customer comes. And in Sweden, we’re monitoring end customers’ networks.

It's also very important to be able to integrate it with the other systems that we have. So we can, for example, tell which service-level agreement (SLA) a particular device has and things like that. NNM makes this quite efficient.

Gardner: One of the things that I’ve heard people struggle with is the amount of data that’s generated from networks that then they need to be able to sift through and discover anomalies. Is there something about visualization or other ways of digesting so much data that appeals to you?

Niklasson: NNM is quite good at finding the root cause. You don’t get very many incidents when something happens. If I look back at other products and older versions, there were lots and lots of incidents and alarms. Now, I find it quite easy to manage and configure NNM so it's monitoring the correct things and listening to the correct traps and so on.

Gardner: TDC uses network management capabilities and also sells it. They also provide it with their telecom services. How have you experienced the use in the field? Do any of your customers also manage their own networks and how has this been for your consumers of network services?

Niklasson: We’re also an HP partner in selling NNM to end customers. Part of my work is helping customers implement this in their own environment. Sometimes a customer doesn’t want to do that. They buy the service from us, and we monitor the network. It’s for different reasons. One could be security, and they don’t allow us to access the network remotely. They prefer to have it in-house, and I help them with these projects.
Now, I find it quite easy to manage and configure NNM so it's monitoring the correct things and listening to the correct traps.

Gardner: Lars, looking to the future, are there any particular types of technology improvements that you would like to see or have you heard about some of the roadmaps that HP has for the whole Network Management Center Suite? What interests you in terms of what's next?

Niklasson: I would say two things. One is the application visibility in the network, where we can have some of that with traffic that’s cleaner, but it's still NetFlow-based. So I’m interested in seeing more deep inspection of the traffic and also more virtualization of the virtual environments that we have.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: HP.

You may also be interested in:

Wednesday, July 9, 2014

Panel tackles how to make mobile devices as secure as they are indispensable

As smartphones have become de rigueur in the global digital economy, users want them to do more work, and businesses want them to be more productive for their employees -- as well as powerful added channels to consumers.

But neither businesses nor mobile-service providers have a cross-domain architecture that supports all the new requirements for a secure digital economy, one that allows safe commerce, data sharing and user privacy.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: Ping Identity.

So how do we blaze a better path to a secure mobile future? How do we make today’s ubiquitous mobile devices as low risk as they are indispensable?

BriefingsDirect recently posed these and other questions to a panel of experts on mobile security: Paul Madsen, Principal Technical Architect in the Office of the CTO at Ping Identity; Michael Barrett, President of the FIDO (Fast Identity Online) Alliance, and Mark Diodati, a Technical Director in the Office of the CTO at Ping Identity. The sponsored panel discussion is moderated by me, Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: We're approaching this Cloud Identity Summit 2014 (CIS) in Monterey, Calif. on July 19 and we still find that the digital economy is not really reaching its full potential. We're still dealing with ongoing challenges for trust, security, and governance across mobile devices and network.

Even though people have been using mobile devices for decades—and in some markets around the world they're the primary tool for accessing the Internet—why are we still having problems? Why is this so difficult to solve?

Diodati: There are so many puzzle pieces to make the digital economy fully efficient. A couple of challenges come to mind. One is the distribution of identity. In prior years, the enterprise did a decent job -- not an amazing job, but a decent job -- of identifying users, authenticating them, and figuring out what they have access to.

Once you move out into a broader digital economy, you start talking about off-premises architectures and the expansion of user constituencies. There is a close relationship with your partners, employees, and your contractors. But relationships can be more distant, like with your customers.

Emerging threats

Additionally, there are issues with emerging security threats. In many cases, there are fraudsters with malware being very successful at taking people’s identities and stealing money from them.

Diodati
Mobility can do a couple of things for us. In the old days, if you want more identity assurance to access important applications, you pay more in cost and usability problems. Specialized hardware was used to raise assurance. Now, the smartphone is really just a portable biometric device that users carry without us asking them to do so. We can raise assurance levels without the draconian increase in cost and usability problems.

We’re not out of the woods yet. One of the challenges is nailing down the basic administrative processes to bind user identities to mobile devices. That challenge is part cultural and part technology. [See more on a new vision for identity.]

Gardner: So it seems that we have a larger set of variables, end users, are not captive on network, who we authenticate. As you mentioned, the mobile device, the smartphone, can be biometric and can be an even better authenticator than we've had in the past. We might actually be in a better position in a couple of years. Is there a transition that’s now afoot that we might actually come out better on the other end?

Madsen: The opportunities are clear. As Mark indicated, the phones, not just because of its technical features, but because of the relatively tight binding that users feel for them, make a really strong authentication factor.

Madsen
It's the old trope of something you have, something you know, and something you are. Phones are something you already have, from the user’s point of view. It’s not an additional hard token or hard USB token that we're asking employees to carry with them. It's something they want to carry, particularly if it's a BYOD phone.

So phones, because they're connected mobile computers, make a really strong second-factor authentication, and we're seeing that more and more. As I said, it’s one that users are happy using because of the relationship they already have with their phones, for all the other reasons. [See more on identity standards and APIs.]

Gardner: It certainly seems to make sense that you would authenticate into your work environment through your phone. You might authenticate in the airport to check in with your phone and you might use it for other sorts of commerce. It seems that we have the idea, but we need to get there somehow.

What’s architecturally missing for us to make this transition of the phone as the primary way in which people are identified session by session, place by place? Michael, any thoughts about that?

User experience

Barrett: There are a couple of things. One, in today’s world, we don’t yet have open standards that help to drive cross-platform authentication, and we don’t have the right architecture for that. In today’s world still, if you are using a phone with a virtual keyboard, you're forced to type this dreadful, unreadable tiny password on the keyboard, and by the way, you can’t actually read what you just typed. That’s a pretty miserable user experience, which we alluded to earlier.

Barrett
But also, it’s a very ugly. It’s a mainframe-centric architecture. The notion that the authentication credentials are shared secrets that you know and that are stored on some central server is a very, very 1960s approach to the world. My own belief is that, in fact, we have to move towards a much more device-centric authentication model, where the remote server actually doesn’t know your authentication credentials. Again, that comes back to both architecture and standards.

My own view is that if we put those in place, the world will change. Many of us remember the happy days of the late '80s and early '90s when offices were getting wired up, and we had client-server applications everywhere. Then, HTML and HTTP came along, and the world changed. We're looking at the same kind of change, driven by the right set of appropriately designed open standards.

Gardner: So standards, behavior, and technology make for an interesting adoption path, sometimes a chicken and the egg relationship. Tell me about FIDO and perhaps any thoughts about how we make this transition and adoption happen sooner rather than later?

Barrett: I gave a little hint. FIDO is an open-standards organization really aiming to develop a set of technical standards to enable device-centric authentication that is easier for end users to use. As an ex-CTO, I can tell you the experience when you try to give them stronger authenticators that are harder for them to use. They won’t voluntarily use them.
FIDO is an open-standards organization really aiming to develop a set of technical standards to enable device-centric authentication that is easier for end users to use.

We have to do better than we're doing today in terms of ease of use of authentication. We also have to come up with authentication that is stronger for the relying parties, because that’s the other face of this particular coin. In today’s world, passwords and pins work very badly for end users. They actually work brilliantly for the criminals. 

So I'm kind of old school on this. I tend to think that security controls should be there to make life better for relying parties and users and not for criminals. Unfortunately, in today’s world, they're kind of inverted.

So FIDO is simply an open-standards organization that is building and defining those classes of standards and, through our member companies, is promulgating deployment of those standards.

Madsen: I think FIDO is important. Beyond the fact that it’s a standard is the pattern that it’s normalizing. The pattern is one where the user logically authenticates to their phone, whether it be with a fingerprint or a pin, but the authentication is local. Then, leveraging the phone’s capabilities -- storage, crypto, connectivity. etc. -- the phone authenticates to the server. It’s that pattern of a local authentication followed by a server authentication that I think we are going to see over and over.

Gardner: Thank you, Paul. It seems to me that most people are onboard with this. I know that, as a user, I'm happy to have the device authenticate. I think developers would love to have this authentication move to a context on a network or with other variables brought to bear. They can create whole new richer services when they have a context for participation. It seems to me the enterprises are onboard too. So there's a lot of potential momentum around this. What does it take now to move the needle forward? What should we expect to hear at CIS?

Moving forward

Diodati: There are two dimensions to moving the needle forward: avoiding the failures of prior mobile authentication systems, and ensuring that modern authentication systems support critical applications. Both are crucial to the success of any authentication system, including FIDO.

At CIS, we have an in-depth, three-hour FIDO workshop and many mobile authentication sessions. 

There are a couple of things that I like about FIDO. First, it can use the biometric capabilities of the device. Many smart phones have an accelerometer, a camera, and a microphone. We can get a really good initial authentication. Also, FIDO leverages public-key technology, which overcomes some of the concerns we have around other kinds of technologies, particularly one-time passwords. 

Madsen: To that last point Mark, I think FIDO and SAML, or more recent federation protocols, complement each other wonderfully. FIDO is a great authentication technology, and federation historically has not resolved that. Federation didn't claim to answer that issue, but if you put the two together, you get a very strong initial authentication. Then, you're able to broadcast that out to the applications that you want to access. And that’s a strong combination.

Barrett: One of the things that we haven't really mentioned here -- and Paul just hinted at it -- is the relationship between single sign-on and authentication. When you talk to many organizations, they look at that as two different sides of the same coin. So the better application or ubiquity you can get, and the more applications you can sign the user on with less interaction, is a good thing.

Gardner: Before we go a little bit deeper into what’s coming up, let’s take another pause and look back. There have been some attempts to solve these problems. Many, I suppose, have been from a perspective of a particular vendor or a type of device or platform or, in an enterprise sense, using what they already know or have.
Proprietary technology is really great for many things, but there are certain domains that simply need a strong standards-based backplane.

We've had containerization and virtualization on the mobile tier. It is, in a sense, going back to the past where you go right to the server and very little is done on the device other than the connection. App wrapping would fall under that as well, I suppose. What have been the pros and cons and why isn’t containerization enough to solve this problem? Let’s start with Michael.

Barrett: If you look back historically, what we've tended to see are lot of attempts that are truly proprietary in nature. Again, my own philosophy on this is that proprietary technology is really great for many things, but there are certain domains that simply need a strong standards-based backplane.

There really hasn't been an attempt at this for some years. Pretty much, we have to go back to X.509 to see the last major standards-based push at solving authentication. But X.509 came with a whole bunch of baggage, as well as architectural assumptions around a very disconnected world view that is kind of antithetical to where we are today, where we have a very largely connected world view.

I tend to think of it through that particular set of lenses, which is that the standards attempts in this area are old, and many of the approaches that have been tried over the last decade have been proprietary.

For example, on my old team at PayPal, I had a small group of folks who surveyed security vendors. I remember asking them to tell me how many authentication vendors there were and to plot that for me by year?

Growing number of vendors

They sighed heavily, because their database wasn’t organized that way, but then came back a couple of weeks later. Essentially they said that in 2007, it was 30-odd vendors, and it has been going up by about a dozen a year, plus or minus some, ever since, and we're now comfortably at more than 100.

Any market that has 100 vendors, none of whose products interoperate with each other, is a failing market, because none of those vendors, bar only a couple, can claim very large market share. This is just a market where we haven’t seen the right kind of approaches deployed, and as a result, we're struck where we are today without doing something different.

Gardner: Paul, any thoughts on containerization, pros and cons?

Madsen: I think of phones as almost two completely orthogonal aspects. First is how you can leverage the phone to authenticate the user. Whether it’s FIDO or something proprietary, there's value in that.

Secondly is the phone as an application platform, a means to access potentially sensitive applications. What mobile applications introduce that’s somewhat novel is the idea of pulling down that sensitive business data to the device, where it can be more easily lost or stolen, given the mobility and the size of those devices.
IT, arguably and justifiably, wants to protect the business data on it, but the employee, particularly in a BYOD case, wants to keep their use of the phone isolated and private.

The challenge for the enterprise is, if you want to enable your employees with devices, or enable them to bring their own in, how do you protect that data. It seems more and more important, or recognized as the challenge, that you can’t.

The challenge is not only protecting the data, but keeping the usage of the phone separate. IT, arguably and justifiably, wants to protect the business data on it, but the employee, particularly in a BYOD case, wants to keep their use of the phone isolated and private.

So containerization or dual-persona systems attempt to slice and dice the phone up into two or more pieces. What is missing from those models, and it’s changing, is a recognition that, by definition, that’s an identity problem. You have two identities—the business user and the personal user—who want to use the same device, and you want to compartmentalize those two identities, for both security and privacy reasons.

Identity standards and technologies could play a real role in keeping those pieces separate.The employee might use Box for the business usage, but might also use it for personal usage. That’s an identity problem, and identity will keep those two applications and their usages separate.

Diodati: To build on that a little bit, if you take a look at the history of containerization, there were some technical problems and some usability problems. There was a lack of usability that drove an acceptance problem within a lot of enterprises. That’s changing over time.

To talk about what Michael was talking about in terms of the failure of other standardized approaches to authentication, you could look back at OATH, which is maybe the last big industry push, 2004-2005, to try to come up with a standard approach, and it failed on interoperability. OATH was a one-time password, multi-vendor  capability. But in the end, you really couldn’t mix and match devices. Interoperability is going to be a big, big criteria for acceptance of FIDO. [See more on identity standards and APIs.]

Mobile device management

Gardner: Another thing out there in the market now, and it has gotten quite a bit of attention from enterprises as they are trying to work through this, is mobile device management (MDM).  Do you have any thoughts, Mark, on why that has not necessarily worked out or won’t work out? What are the pros and cons of MDM?

Diodati: Most organizations of a certain size are going to need an enterprise mobility management solution. There is a whole lot that happens behind the scenes in terms of binding the user's identity, perhaps putting a certificate on the phone.

Michael talked about X.509. That appears to be the lowest common denominator for authentication from a mobile device today, but that can change over time. We need ways to be able to authenticate users, perhaps issue them certificates on the phone, so that we can do things like IPSec.

Also, we may be required to give some users access to offline secured data. That’s a combination of apps and enterprise mobility management (EMM) technology. In a lot of cases, there's an EMM gateway that can really help with giving offline secure access to things that might be stored on network file shares or in SharePoint, for example.

If there's been a stumbling block with EMM, it's just been that the heterogeneity of the devices, making it a challenge to implement a common set of policies.
The fundamental issue with MDM is, as the name suggests, that you're trying to manage the device, as opposed to applications or data on the device.

But also the technology of EMM had to mature. We went from BlackBerry Enterprise Server, which did a pretty good job in a homogeneous world, but maybe didn't address everybody’s needs. The AirWatchs and the Mobile Irons of the world, they've had to deal with heterogeneity and increased functionality.

Madsen: The fundamental issue with MDM is, as the name suggests, that you're trying to manage the device, as opposed to applications or data on the device. That worked okay when the enterprise was providing employees with their BlackBerry, but it's hard to reconcile in the BYOD world, where users are bringing in their own iPhones or Androids. In their mind, they have a completely justified right to use that phone for personal applications and usage.

So some of the mechanisms of MDM remain relevant, being able to wipe data off the phone, for example, but the device is no longer the appropriate granularity. It's some portion of the device that the enterprise is authoritative over.

Gardner: It seems to me, though, that we keep coming back to several key concepts: authentication and identity, and then, of course, a standardization approach that ameliorates those interoperability and heterogeneity issues. [See more on a new vision for identity.]

So let’s look at identity and authentication. Some people make them interchangeable. How should we best understand them as being distinct? What’s the relationship between them and why are they so essential for us to move to a new architecture for solving these issues? Let’s start with you, Michael.

Identity is center

Barrett: I was thinking about this earlier. I remember having some arguments with Phil Becker back in the early 2000s when I was running the Liberty Alliance, which was the standards organization that came up with SAML 2.0. Phil coined that phrase, "Identity is center," and he used to argue that essentially everything fell under identity.

What I thought back then, and still largely do, is that identity is a broad and complex domain. In a sense, as we've let it grow today, they're not the same thing. Authentication is definitely a sub-domain of security, along with a whole number of others. We talked about containerization earlier, which is a kind of security-isolation technique in many regards. But I am not sure that identity and authentication are exactly in the same dimension.

In fact, the way I would describe it is that if we talk about something like the levels-of-assurance model, we're all fairly familiar with in the identity sense. Today, if you look at that, that’s got authentication and identity verification concepts bound together.
Today, we've collapsed them together, and I am not sure we have actually done anybody any favors by doing that.

In fact, I suspect that in the coming year or two, we're probably going to have to decouple those and say that it’s not really a linear one-dimensonal thing, with level one, level two, level three, and level four. Rather it's a kind of two-dimensional metric, where we have identity verification concepts on one side and then authentication comes from the other. Today, we've collapsed them together, and I am not sure we have actually done anybody any favors by doing that.

Definitely, they're closely related. You can look at some of the difficulties that we've had with identity over the last decade and say that it’s because we actually ignored the authentication aspect. But I'm not sure they're the same thing intrinsically. 

Gardner: Interesting. I've heard people say that any high-level security mobile device has to be about identity. How else could it possibly work? Authentication has to be part of that, but identity seems to be getting more traction in terms of a way to solve these issues across all other variables and to be able to adjust accordingly over time and even automate by a policy.

Mark, how do you see identity and authentication? How important is identity as a new vision for solving these problems?

Diodati: You would have to put security at the top, and identity would be a subset of things that happen within security. Identity includes authorization -- determining if the user is authorized to access the data. It also includes provisioning. How do we manipulate user identities within critical systems -- there is never one big identity in the sky. Identity includes authentication and a couple of other things.

To answer the second part of your question, Dana, in the role of identity and trying to solve these problems, we in the identity community have missed some opportunities in the past to talk about identity as the great enabler.

With mobile devices, we want to have the ability to enforce basic security controls , but it’s really about identity. Identity can enable so many great things to happen, not only just for enterprises, but within the digital economy at large. There's a lot of opportunity if we can orient identity as an enabler.

Authentication and identity

Madsen: I just think authentication is something we have to do to get to identity. If there were no bad people in the world and if people didn’t lie, we wouldn’t need authentication.

We would all have a single identifier, we would present ourselves, and nobody else would lay claim to that identifier. There would be no need for strong authentication. But we don’t live there. Identity is fundamental, and authentication is how we lay claim to a particular identity.

Diodati: You can build the world's best authorization policies. But they are completely worthless, unless you've done the authentication right, because you have zero confidence that the users are who they say there are.

Gardner: So, I assume that multifactor authentication also is in the subset. It’s just a way  of doing it better or more broadly, and more variables and devices that can be brought to bear. Is that correct?

Madsen: Indeed.
We have to apply a set of adaptive techniques to get better identity assurance about the user.

Diodati: The definition of multifactor has evolved over time too. In the past, we talked about “strong authentication”. What we mean was “two-factor authentication,” and that is really changing, particularly when you look at some of the emerging technologies like FIDO.

If you have to look at the broader trends around adaptive authentication, the relationship to the user or the consumer is more distant. We have to apply a set of adaptive techniques to get better identity assurance about the user.

Gardner: I'm just going to make a broad assumption here that the authentication part of this does get solved, that multifactor authentication, adaptive, using devices that people are familiar with, that they are comfortable doing, even continuing to use many of the passwords, single sign-on, all that gets somehow rationalized.

Then, we're elevated to this notion of identity. How do we then manage that identity across these domains? Is there a central repository? Is there a federation? How would a standard come to bear on that major problem of the federation issue, control, and management and updating and so forth? Let’s go back to Michael on that.

Barrett: I tend to start from a couple of different perspectives on this. One is that we do have to fix the authentication standards problem, and that's essentially what FIDO is trying to do.

So, if you accept that FIDO solves authentication, what you are left with is an evolution of a set of standards that, over the last dozen years or so, starting with SAML 2.0, but then going on up through the more recent things like OpenID Connect and OAuth 2.0, and so on, gives you a robust backplane for building whatever business arrangement is appropriate, given the problem you are trying to solve.

Liability

I chose the word "business" quite consciously in there, because it’s fair to say that there are certain classes of models that have stalled out commercially for a whole bunch of reasons, particularly around the dreaded L-word, i.e, liability.

We tried to build things that were too complicated. We could just describe this grand long-term vision of what the universe looked like. Andrew Nash is very fond of saying that we can describe this rich ecosystem as identity-enabled services and so on, but you can’t get there from here, which is the punch line of a rather old joke.

Gardner: Mark, we understand that identity is taking on a whole new level of importance. Are there some examples that we can look to that illustrate how an identity-centric approach to security, governance, manageability for mobile tier activities, even ways it can help developers bring new application programming interfaces (APIs) into play and context for commerce and location, are things we haven’t even scratched the surface of yet really?
Identity is pretty broad when you take a look at the different disciplines that might be at play.

Help me understand, through an example rather than telling, how identity fits into this and what we might expect identity to do if all these things can be managed, standards, and so forth.

Diodati: Identity is pretty broad when you take a look at the different disciplines that might be at play. Let’s see if we can pick out a few.

We have spoken about authentication a lot. Emerging standards like FIDO are important, so that we can support applications that require higher assurance levels with less cost and usability problems.

A difficult trend to ignore is the API-first development modality. We're talking about things like OAuth and OpenID Connect. Both of those are very important, critical standards when we start talking about the use of API- and even non-API HTTP based stuff.

OpenID Connect, in particular, gives us some abilities for users to find where they want to authenticate and give them access to the data they need. The challenge is that the mobile app is interacting on behalf of a user. How do you actually apply things like adaptive techniques to an API session to raise identity assurance levels? Given that OpenID Connect was just ratified earlier this year, we're still in early stages of how that’s going to play out.

Gardner: Michael, any thoughts on examples, use cases, a vision for how this should work in the not too distant future?

Barrett: I'm a great believer in open standards, as I think I have shown throughout the course of this discussion. I think that OpenID Connect, in particular, and the fact that we now have that standard ratified, [is useful]. I do believe that the standards, to a very large extent, allow the creation of deployments that will address those use-cases that have been really quite difficult [without these standards in place].

Ahead of demand

The problem that you want to avoid, of course, is that you don’t want a standard to show up too far ahead of the demand. Otherwise, what you wind up with is just some interesting specification that never gets implemented, and nobody ever bothers deploying any of the implementations of it.

So, I believe in just-in-time standards development. As an industry, identity has matured a lot over the last dozen years. When SAML 2.0 came along in Shibboleth, it was a very federation-centric world, addressing a very small class of use cases. Now, we have a more robust sets of standards. What’s going to be really interesting is to see, how those new standards get used to address use cases that the previous standards really couldn’t?

I'm a bit of a believer in sort of Darwinian evolution on this stuff and that, in fact, it’s hard to predict the future now. Niels Bohr famously said, "Prediction is hard, especially when it involves the future.” There is a great deal of truth to that.
Prediction is hard, especially when it involves the future.

Gardner: Hopefully we will get some clear insights at the Cloud Identity Summit this month, July 19, and there will be more information to be had there.

I also wonder whether we're almost past the point now when we talk about mobile security, cloud security, data-center security. Are we going to get past that, or is this going to become more of a fabric of security that the standards help to define and then the implementations make concrete? Before we sign off, Mark, any last thoughts about moving beyond segments of security into a more pervasive concept of security?

Diodati: We're already starting to see that, where people are moving towards software as a service (SaaS) and moving away from on-premises applications. Why? A couple of reasons. The revenue and expense model lines up really well with what they are doing, they pay as they grow. There's not a big bang of initial investment. Also, SaaS is turnkey, which means that much of the security lifting is done by the vendor.

That's also certainly true with infrastructure as a service (IaaS). If you look at things like Amazon Web Services (AWS). It is more complicated than SaaS, it is a way to converge security functions within the cloud.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: Ping Identity.

You may also be interested in:

Monday, July 7, 2014

As the digital economy ramps up, expect a new identity management vision to leapfrog passwords

A stubborn speed bump continues to hobble the digital economy. We're referring to the outdated use of passwords and limited identity-management solutions that hamper getting all of our devices, cloud services, enterprise applications, and needed data to work together in anything approaching harmony. 

The past three years have seen a huge uptick in the number and types of mobile devices, online services, and media. Yet, we're seemingly stuck with 20-year-old authentication and identity-management mechanisms -- mostly based on passwords.

The resulting chasm between what we have and what we need for access control and governance spells ongoing security lapses, privacy worries, and a detrimental lack of interoperability among cross-domain cloud services. So, while a new generation of standards and technologies has emerged, a new vision is also required to move beyond the precarious passel of passwords that each of us seems to use all the time.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.

The fast approaching Cloud Identity Summit 2014 this July gives us a chance to recheck some identity-management premises -- and perhaps step beyond the conventional to a more functional mobile future. To help us define these new best ways to manage identities and access control in the cloud and mobile era, please join me in welcoming our guest, Andre Durand, CEO of Ping Identity. The discussion is moderated by me, Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: The Cloud Identity Summit is coming up, and at the same time, we're finding that this digital economy is not really reaching its potential. There seems to be this ongoing challenge, as we have more devices, varieties of service and this need for this cross-domain interaction capability. It’s almost as if we're stymied. So why is this problem so intractable? Why are we still dealing with passwords and outdated authentication?

Durand: Believe it or not, you have to go back 30 years to when the problem originated, when the Internet was actually born. Vint Cerf, one of the founders and creators of the Internet, was interviewed by a reporter two or three years back. He was asked if he could go back 30 years, when he was creating the Internet, what would he do differently? And he thought about it for a minute and said, "I would have tackled the identity problem."

Durand
He continued, "We never expected the Internet to become the Internet. We were simply trying to route packets between two trusted computers through a standardized networking protocol. We knew that the second we started networking computers, you needed to know who the user was that was making the request, but we also knew that it was a complicated problem." So, in essence, they punted.

Roll forward 30 years, and the bulk of the security industry and the challenges we now face in identity management at scale, Internet or cloud scale, all result from not having tackled identity 30 years ago. Every application, every device, every network that touches the Internet has to ask you who you are. The easiest way to do that is via user name and password, because there was no concept of who the user was on the network at a more fundamental universal layer.

So all this password proliferation comes as a result of the fact that identity is not infrastructure today in the Internet, and it's a hard problem to retrofit the Internet for a more universal notion of who you are, after 30 years of proliferating these identity silos. 

Internet of things

Gardner: It certainly seems like it’s time, because we're not only dealing with people and devices. We're now going into the Internet of Things, including sensors. We have multiple networks and more and more application programming interfaces (APIs) and software-as-a-service (SaaS) applications and services coming online. It seems like we have to move pretty quickly. [See more on identity standards and APIs.]

Durand: We do. The shift that began to exacerbate, or at least highlight, the underlying problem of identity started with cloud and SaaS adoption, somewhere around 2007-2008 time frame. With that, it moved some of the applications outside of the data center. Then, starting around 2010 or 2011, when we started to really get into the smartphone era, the user followed the smartphone off the corporate network and the corporate-issued computer and onto AT and T’s network.

So you have the application outside of the data center. You have the user off the network. The entire notion of how to protect users and data broke. It used to be that you put your user on your network with a company-issued computer accessing software in the data center. It was all behind the firewall.

Those two shifts changed where the assets were, the applications, data, and the user. The paradigm of security and how to manage the user and what they have access to also had to shift and it just brought to light the larger problem in identity.
What we need is the ability for your identity to follow your browser session, as you're moving between all these security domains.

Gardner: And the stakes here are fairly high. We're looking at a tremendously inefficient healthcare system here in the United States, for example. One of the ways that could be ameliorated and productivity could be increased is for more interactions across boundaries, more standards applied to how very sensitive data can be shared. If we can solve this problem, it seems to me there is really a flood of improvement in productivity to come behind it.

Durand: It's enormous and fundamental. Someone shared with me several years ago a simple concept that captures the essence of how much friction we have in the system today in and around identity and users in their browsers going places. The comment was simply this: In your browser you're no longer limited to one domain. You're moving between different applications, different websites, different companies, and different partners with every single click.

What we need is the ability for your identity to follow your browser session, as you're moving between all these security domains, and not have to re-authenticate yourself every single time you click and are off to a new part of the Internet.

We need that whether that means employees sitting at their desktop on a corporate network, opening their browser and going to Salesforce.com, Office 365, Gmail, or Box, or whether it means a partner going into another partner’s application, say to manage inventory as part of their supply chain.

We have to have an ability for the identity to follow the user, and fundamentally that represents this next-gen notion of identity.

Gardner: I want to go back to that next-gen identity definition in a moment, but I notice you didn't mention authenticate through biometrics to a phone or to a PC. You're talking, I think, at a higher abstraction, aren’t you? At software or even the services level for this identity. Or did I read it wrong?

Stronger authentication

Durand: No, you read it absolutely correctly. I was definitely speaking at 100,000 feet there. Part of the solution that I play out is what's coming in the future will be stronger authentication to fewer places, say stronger authentication to your corporate network or to your corporate identity. Then, it's a seamless ability to access all the corporate resources, no matter if they're business applications that are proprietary in the data center or whether or not the applications are in the cloud or even in the private cloud.

So, stronger user authentication is likely through the mobile phone, since the phones have become such a phenomenal platform for authentication. Then, once you authenticate to that phone, there will be a seamless ability to access everything, irrespective of where it resides.

Gardner: Then, when you elevate to that degree, it allows for more policy-driven and intelligence-driven automated and standardized approaches that more and more participants and processes can then adopt and implement. Is that correct?

Durand: That’s exactly correct. We had a notion of who was accessing what, the policy, governance, and the audit trail inside of the enterprise, and that was through the '80s, '90s, and the early 2000s. There was a lot of identity management infrastructure that was built to do exactly that within the enterprise.
We now live in this much more federated scenario, and there is a new generation of identity management that we have to install.

Gardner: With directories.

Durand: Right, directories and all the identity management, Web access management, identity-management provisioning software, and all the governance software that came after that. I refer to all of those systems as Identity and Access Management 1.0.

It was all designed to manage this, as long as all the applications, user, and data were behind the firewall on the company network. Then, the data and the users moved, and now even the business applications are moving outside the data center to the public and private cloud.

We now live in this much more federated scenario, and there is a new generation of identity management that we have to install to enable the security, auditability, and governance of that new highly distributed or federated scenario.

Gardner: Andre, let’s go back to that "next-generation level" of identity management. What did you mean by that? 

Durand:  There are few tenets that fall into the next-generation category. For me, businesses are no longer a silo. Businesses are today fundamentally federated. They're integrating with their supply chain. They're engaging with social identities, hitting their consumer and customer portals. They're integrating with their clients and allowing their clients to gain easier access to their systems. Their employees are going out to the cloud.

Fundamentally integrated

All of these are scenarios where the IT infrastructure in the business itself is fundamentally integrated with its customers, partners, and clients. So that would be the first tenet. They're no longer a silo.

The second thing is that in order to achieve the scale of security around identity management in this new world, we can no longer install proprietary identity and access management software. Every interface for how security and identity is managed in this federated world needs to be standardized.

So we need open identity standards such as SAML, OAuth, and OpenID Connect, in order to scale these use cases between companies. It’s not dissimilar to an era of email, before we had Internet e-mail and the SMTP standard.

Companies had email, but it was enterprise email. It wouldn’t communicate with other companies' proprietary email. Then, we standardized email through SMTP and instantly we had Internet-scaled email.

I predict that the same thing is occurring, and will occur, with identity. We'll standardize all of these cases to open identity standards and that will allow us to scale the identity use cases into this federated world.
So whatever infrastructure we develop needs to normalize the API and mobile access the same way that it does the web access.

The third tenet is that, for many years, we really focused on the browser and web infrastructure. But now, you have users on mobile devices and applications accessing APIs. You have as many, if not most, transactions occurring through the API mobile channel than you do through the web.

So whatever infrastructure we develop needs to normalize the API and mobile access the same way that it does the web access. You don’t want two infrastructures for those two different channels of communication. Those are some of the big tenets of this new world that define an architecture for next-gen identity that’s very different from everything that came before it.

Gardner: To your last tenet, how do we start to combine without gaps and without security issues the ability to exercise a federated authentication and identity management capability for the web activities, as well as for those specific APIs and specific mobile apps and platforms?

Durand: I’ll give you a Ping product specific example, but it’s for exactly that reason that we kind of chose the path that we did for this new product. We have a product called PingAccess, which is a next-gen access control product that provides both web access management for the web browsers and users using web application. It provides API access management when companies want to expose their APIs to developers for mobile applications and to other web services.

Prior to PingAccess in a single product, allowing you to enable policy for both the API channel and the web channel, those two realms typically were served by independent products. You'd buy one product to protect your APIs and you’d buy another product to do your web-access management.

Same product

Now with this next-gen product, PingAccess, you can do both with the same product. It’s based upon OAuth, an emerging standard for identity security for web services, and it’s based upon OpenID Connect, which is a new standard for single sign-on and authentication and authorization in the web tier. [See more on identity standards and APIs.]

We built the product to cross the chasm, between API and web, and also built it based upon open standards, so we could really scale the use cases.

Gardner: Whenever you bring out the words "new" and "standard," you'll get folks who might say, "Well, I'm going to stick with the tried and true." Is there any sense of the level of security, privacy control management, and governance control with these new approaches, as you describe them, that would rebut that instinct to stick with what you have?

Durand: As far as the instinct to stick with what you have, keep in mind that the alternative is proprietary, and there is nothing about proprietary that necessarily means you have better control or more privacy.
There's a tremendous amount of the work that goes into it by the entire industry to make sure that those standards are secure and privacy enabling.

The standards are really defining secure mechanisms to pursue a use case between two different entities. You want a common interface, a common language to communicate. There's a tremendous amount of the work that goes into it by the entire industry to make sure that those standards are secure and privacy enabling.

I'd argue that it's more secure and privacy enabling than the one-off proprietary systems and/or the homegrown systems that many companies developed in the absence of these open standards.

Gardner: Of course, with standards, it's often a larger community, where people can have feedback and inputs to have those standards evolve. That can be a very powerful force when it comes to making sure that things remain stable and safe. Any thoughts about the community approach to this and where these standards are being managed?

Durand: A number of the standards are being managed now by the Internet Engineering Task Force (IETF), and as you know, they're well-regarded, well-known, and certainly well-recognized for their community involvement and having a cycle of improvement that deals with threats, as they emerge, as the community sees them, as a mechanism to improve the standards over time to close those security issues.

Gardner: Going back to the Cloud Identity Summit 2014, is this a coming-out party of sorts for this vision of yours? How do you view the timing right now? Are we at a tipping point, and how important is it to get the word out properly and effectively?

Durand: This is our fifth annual Cloud Identity Summit. We've been working toward this combination of where identity and the cloud and mobile ultimately intersect. All of the trends that I described earlier today -- cloud adoption, mobile adoption, moving the application and the user and the device off the network -- is driving more and more awareness towards a new approach to identity management that is disruptive and fundamentally different than the traditional way of managing identity.

On the cusp

We're right on the cusp where the adoption across both cloud and mobile is irrefutable. Many companies now are moving all in in their strategies to make adoption by their enterprises across those two dimensions a cloud-first and mobile-first posture.

So it is at a tipping point. It's the last nail in the coffin for enterprises to get them to realize that they're now in a new landscape and need to reassess their strategies for identity, when the business applications, the ones that did not convert to SaaS, move to Amazon Web Services, Equinix, or to Rackspace and the private-cloud providers.

That, all of a sudden, would be the last shift where applications have left the data center and all of the old paradigms for managing identity will now need to be re-evaluated from the ground up. That’s just about to happen.

Gardner: Another part of this, of course, is the user themselves. If we can bring to the table doing away with passwords, that itself might encourage a lot of organic adoption and calls for this sort of a capability. Any sense of what we can do in terms of behavior at the user level and what would incentivize them to knock on the door of their developers or IT organization and ask for this sort of capability and vision that we described.
When you experience an ability to get to the cloud, authenticating to the corporation first, and simply swipe with your mobile phone, it just changes how we think about authentication and how we think about the utility of having a smartphone with us all the time.

Durand: Now you're highlighting my kick-off speech at PingCon, which is Ping’s Customer and Partner Conference the day after the Cloud Identity Summit. We acquired a company and a technology last year in mobile authentication to make your mobile phone the second factor, strong authentication for corporations, effectively replacing the one-time tokens that have been issued by traditional vendors for strong authentication.

It’s an application you load on your smartphone and it enables you an ability to simply swipe across the screen to authenticate when requested. We'll be demonstrating the mobile phone as a second-factor authentication. What I mean there is that you would type in your username and password and then be asked to swipe the phone, just to verify your identity before getting into the company.

We'll also demonstrate how you can use the phone as a single-factor authentication. As an example, let’s say I want to go to some cloud service, Dropbox, Box, or Salesforce. Before that, I'm asked to authenticate to the company. I'd get a notification on my phone that simply says, "Swipe." I do the swipe, it already knows who I am, and it just takes me directly to the cloud. That user experience is phenomenal.

When you experience an ability to get to the cloud, authenticating to the corporation first, and simply swipe with your mobile phone, it just changes how we think about authentication and how we think about the utility of having a smartphone with us all the time.

Gardner: This aligns really well, and the timing is awesome for what both Google with Android and Apple with iOS are doing in terms of being able to move from screen to screen seamlessly. Is that something that’s built in this as well?

If I authenticate through my mobile phone, but then I end up working through a PC, a laptop, or any other number of interfaces, is this is something that carries through, so that I'm authenticated throughout my activity?

Entire vision

Durand: That's the entire vision of identity federation. Authenticate once, strongly to the network, and have an ability to go everywhere you want -- data center, private cloud, public SaaS applications, native mobile applications -- and never have to re-authenticate.

Gardner: Sounds good to me, Andre. I'm all for it.  Before we sign off, do we have an example? It's been an interesting vision and we've talked about the what and how, but is there a way to illustrate to show that when this works well perhaps in an enterprise, perhaps across boundaries, what do you get and how does it work in practice?

Durand: There are three primary use cases in our business for next-generation identity, and we break them up into workforce, partner, and customer identity use cases. I'll give you quick examples of all three.

In the workforce use case, what we see most is a desire for enterprises to enable single sign-on to the corporation, to the corporate network, or the corporate active directory, and then single-click access to all the applications, whether they're in the cloud or in the data center. It presents employees in the workforce with a nice menu of all their application options. They authenticate once to see that menu and then, when they click, they can go anywhere without having to re-authenticate.
That's the entire vision of identity federation. Authenticate once, strongly to the network.

That's primarily the workforce use case. It's an ability for IT to control what applications, where they're going in the cloud, what they can do in the cloud to have an audit trail of that, or have full control over the use of the employee accessing cloud applications. The next-gen solutions that we provide accommodate that use case.

The second use case is what we call a customer portal or a customer experience use case. This is a scenario where customers are hitting a customer portal. Many of the major banks in the US and even around the world use Ping to secure their customer website. When you log into your bank to do online banking, you're logging into the bank, but then, when you click on any number of the links, whether to order checks, to get check fulfillment, that goes out to Harland Clarke or to Wealth Management.

That goes to a separate application. That banking application is actually a collection of many applications, some run by partners, some by run by different divisions of the bank. The seamless customer experience, where the user never sees another login or registration screen, is all secured through Ping infrastructure. That’s the second use case.

The third use case is what we call a traditional supply chain or partner use case. The world's largest retailer is our customer. They have some 100,000 suppliers that access inventory applications to manage inventory at all the warehouses and distribution centers.

Prior to having Ping technology, they would have to maintain the username and password of the employees of all those 100,000 suppliers. With our technology they allow single sign-on to that application, so they no longer have to manage who is an employee of all of those suppliers. They've off-loaded the identity management back to the partner by enabling single sign-on.

About 50 of the Fortune 100 are all Ping customers. They include Best Buy, where you don’t have to login to go to the reward zone. You're actually going through Ping.

If you're a Comcast customer and you log into comcast.net and click on any one of the content links or email, that customer experience is secured though Ping. If you log into Marriott, you're going through Ping. The list goes on and on.

In the future

Gardner: This all comes to a head as we're approaching the July Cloud Identity Summit 2014 in Monterey, Calif., which should provide an excellent forum for keeping the transition from passwords to a federated, network-based intelligent capability on track.

Before we sign-off, any idea of where we would be in a year from now? Is this a stake in the ground for the future or something that we could extend our vision toward in terms of what might come next, if we make some strides and a lot of what we have been talking about today gets into a significant uptake and use.

Durand: We're right on the cusp of the smartphone becoming a platform for strong, multi-factor authentication. That adoption is going to be fairly quick. I expect that, and you're going to see enterprises adopting en masse stronger authentication using the smartphone.

Gardner: I suppose that is an accelerant to the bring-your-own-device (BYOD) trend. Is that how you see it as well?
We're right on the cusp of the smartphone becoming a platform for strong, multi-factor authentication.

Durand: It’s a little bit orthogonal to BYOD. The fact that corporations have to deal with that phenomenon brings its own IT headaches, but also its own opportunities in terms of the reality of where people want to get work done.

But the fact that we can assume that all of the devices out there now are essentially smartphone platforms, very powerful computers with lots of capabilities, is going to allow the enterprises now to leverage that device for really strong multi-factor authentication to know who the user is that’s making that request, irrespective of where they are -- if they're on the network, off the network, on a company-issued computer or on their BYOD.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: Ping Identity.

You may also be interested in: