advising on IT-business alignment
Friday, September 29, 2006

Finally, another podcast episode - more on Web 2.0

It's been a while since our last 'cast, and for that we apologise. We blame too much paid consulting work, combined with holiday...

This podcast episode attempts to pick up where we left off in our last episode, and talk more about our ongoing research programme looking at the evolution of the Web and how this ties into the ways that business is changing.

In this 37'30" episode Neil Macehiter and Neil Ward-Dutton talk about our idea of the "uncompany", and show how emerging web-related technologies and techniques tie into this idea.

It's interesting stuff (though of course we would say that).

We recorded more conversation today, but for the sake of listeners' sanity decided to split it into chunks. We'll post the second chunk (which focuses on SOA governance, and some related news) early next week.

As usual you can download the audio, or subscribe to the feed. Enjoy!

Sun acquires close to home to increase the velocity of identity management deployments

Earlier this week Sun announced the acquisition of Neogent, an Austin, Texas-based services company which specialises in the implementation of identity management and enterprise content management solutions. Neogent does not just provide implementation experts. The company exploits that expertise, together with the experience gleaned from deployments, to put together implementation packages in its Velocity Lab, which combine pre-installed/configured hardware and software and professional services to accelerate deployments. The company currently offers three such packages: for identity management implementation (Velocity Identity Package) and installation (Velocity Identity Installer) as well as a package which adds Day's Enterprise Content Management product (Velocity Enterprise Package). It also provides a managed services offering (with the non-intuitive name of Constituent Automation Suite) for identity and content management and a solution for role-based access control (RBAC). Neogent's customers include the likes of AMD, Cisco and the US government.

Neogent, as any good services company should, mentions a range of partners whose technology it works with. But in the case of identity management it's pretty clear that its focus is Sun - its Velocity identity offerings and the RBAC solution are based on Sun's Java System Identity Manager and it is a reseller of Sun's identity management suite. The reason for this focus becomes clear from a quick look at the company's executive team: the VPs of consulting and product development plus the marketing director hail from Waveset (which was acquired by Sun in November 2003 and whose personnel continue to drive the identity management business).

These very close links to Sun's identity management business are not enough to justify the acquisition and Neogent has neither the size nor the reach to provide Sun with a significant identity management consulting capability. So why did Sun loosen the purse strings? It's primarily about Velocity. Sun has acquired packaged intellectual property which can be added to the kit bag of its implementation consultants, together with productised services that its sales people will be more comfortable selling. I say primarily because Neogent's Constituent Automation Suite is a nice complement to Sun's Managed Services offering. The future for Neogent's content management business, however, is not so clear: it's not a focus for Sun and Neogent works with FileNET which is of course now part of IBM.

Our discussions with organisations embarking on identity management initiatives indicate that they are crying out for the best practice advice and guidance, as well as implementation capability, to help them get to grips with the complex array of drivers and technologies. The acquisition of Neogent should help Sun respond more rapidly to those cries for help.
Monday, September 18, 2006

Identity management collaboration is more than talk

I've mentioned on numerous occasions the significant amount of very important collaboration that is going on in the world of identity management (here's just one example), exemplified most recently with the announcement of Microsoft's open specifications promise, driven in no small part by Microsoft's chief identity architect Kim Cameron. Whilst this collaboration is obviously essential if the promise of interoperable identity solutions - within and across organisational boundaries - is to be realised, it can all seem somewhat intangible (particularly if you're not party to the discussions). Similarly, although technology demonstrations such as this from Ping Identity showing interoperable federation help to make things a little more real, there's nothing like trying it out yourself.

Today, I managed to set aside a few minutes (and that's all it took) to experience some of the fruits of all this valuable discussion. In this case the fruit in question concerned Microsoft's CardSpace and more specifically extensions/plug-ins for Firefox/Safari web browsers which perform some of CardSpace's identity selector functions: detecting whether a site is CardSpace enabled and allowing you to create a self-asserted identity and use it to authenticate to the site. Much of this is down to the sterling work of Chuck Mortimore, who built a Java-based Firefox extension (and has also built a Java-based relying party capable of requesting and accepting cards from CardSpace). All you need to know about installing and using the Firefox extension is here. Ian Brown has taken Chuck's Java implementation and wrapped it as a plug-in for the Safari browser for Apple Macs. The plug-in performs the same functions as the Firefox extension with the addition of populating the self-asserted card from Apple's AddressBook application. See here for the installation details.

If you haven't looked at CardSpace at all, then it is worth investing the small amount of time required to get a feel for the identity selector experience. Even if you have, it's worth the time anyway to show that all this collaboration is more than just talk.

Identity management is making its mark

Jon Oltsik from CNET was out at the Digital ID World conference and has posted a summary of his thoughts here: organisations are serious about deployment; projects are moving from tactical to strategic; SOA approaches apply to identity too; standards are starting to help; and identity is an infrastructure issue. In fact, a pretty good summary of the key drivers, enablers and implications we call out in our identity management report. As the primary author of that report, it's comforting to receive such validation from Digital ID World because its primary focus is those adopting identity management solutions, rather than those selling them, or as Jon puts it:

To be honest, I expected a Vendorthon featuring business card exchanges, partnering discussions, and cocktail parties. Instead I heard real business discussions, user requirements, and bright technologists discussing solutions. This was not only refreshing but it also reflects the improving state of identity technology.

Indeed it does!
Thursday, September 14, 2006

IBM's response to Microsoft's promise

Bob Sutor has responded to the question (indirectly anyway - he was responding to the same question raised by David Berlind at ZDNet) I raised in my post about Microsoft's open specification promise. It's certainly succinct:

nice start, but there is such a long, long way for them to go after being such active opponents to open collaboration and innovation. The first step was perhaps hard, but they now need to start running fast to catch up to where the industry has been around open operating environments, open middleware, open development environments, and so forth.

and not quite as positive as the response from Simon Phipps, his equivalent at Sun, who welcomes the news, with some caveats related to the specifics of the promise.

I was hoping that Bob would put competition to one side and outline IBM's stance regarding the WS-* specifications which the company has co-authored with Microsoft (and others). Does IBM promise the same? As James Governor at Redmonk put it:

My question is: what does IBM do to up the ante? If there is one war I will sign up to enthusiastically it's the war for open standards, unencumbered by potential chilling effects. So come on IBM let's see you really nail it. The 500 OSS patent pledge was just a tester. Let's see more irrevocable stuff.

You could argue IBM covenants are not a bluff, but I have yet to see anything as clear and domain-specific as Microsoft's new policy.

So, over to you Bob.

Reasons to be cheerful in IT service management

It’s always dangerous to be too optimistic in this industry, but there appear to be signs of progress in IT service management, specifically with the adoption of best practice in IT operations. About a year ago, when vendors started jumping on the service management bandwagon, there didn’t appear to be much interest from potential adopters, that is, enterprise organisations with sizeable IT departments. As a self-confessed evangelist of best practice, this was depressing to say the least. More recently however, conversations have been turning from the “what”, or indeed the “why bother”, to the “how do we do it.” The signs of this are rife, including from the end-user community, both in personal discussions and more general research (I’ll point to some soon, when it is released), but also in how this is translating into sales activity from vendors. A briefing call with IT management vendor Numara yesterday confirmed this; we are hearing similar things from the larger vendors such as CA.

When it comes to the how, in our report “IT service management: jumping on a moving train” we’ve been advocating an evolutionary approach, based on a 5-stage maturity model. There is no mega-suite of products that can transform a chaotic IT department into a well-oiled machine; however, tools can help support best practice adoption and the automation of key tasks. One such area would be the use of workflow (or business process management, depending on your taste and background) tools to control the operational processes of IT management, which is why we welcome in principle the announcement by Lombardi and Covestic to release a set of process templates based around the IT Infrastructure Library (ITIL) best practice framework.

As well as being further indication that there is a growing market for such tools, the Lombardi/Covestic ITIL Change Management BPM product (snappy title, I know) offers a first step towards the “how do we do it.” Implementation of IT best practice is a change management programme in its own right, and using such a tool enables companies to compare their current approaches with the ITIL standard, deploying specific processes incrementally and using the reporting capabilities of the tool to gauge progress and, more importantly, whether the planned benefits are being achieved. If organisations want to get “there”, it’s a good place to start, better perhaps than the read-only equivalents from the major vendors (such as IBM’s Tivoli Unified Process, ITUP).

Of course any such product is not going to be a silver bullet. We would recommend deployment alongside training in ITIL and more general notions of IT best practice; equally, we would recommend that organisations ensure such solutions can be integrated into the existing environment. The real value from these tools in the longer term will come when operational processes can link to automation of systems tasks – for example to trigger a password reset, a patch deployment or a restore from backup. Organisations should look carefully at Lombardi/Covestic’s long-term plans, for example - and we don’t know the answer to this yet - does the product offer suitable interfaces to enable integration with management tools from other vendors, for example to support the recently announced standards for Configuration Management Database (CMDB) integration?

Yes, it is dangerous to be too optimistic in this industry, but keep in mind that it is all about supply and demand. IT vendors have catalysed best practice adoption through their own acceptance of ITIL-based standards; now it is time for enterprise customers to respond: by being more demanding, the supply side will be encouraged to grow and improve, and we should see more offerings such as this. We shall shortly be releasing our requirements on IT service management offerings: if any readers would like to share any insights, please do let us know.
Wednesday, September 13, 2006

Brocade buys McData in summer sale

Happening as it did just as I was going on holiday this one nearly passed me by, but it still deserves a post - at the beginning of August Brocade announced its intentions to spend $713M on acquiring the only acquirable competition in the storage switch space (the other guy's Cisco), namely McData. Interesting times indeed, not least as Brocade, once one of the darlings of the storage networking revolution, is giving indications that it's getting back in the driving seat. Brocade’s star fell as fast as its share price at the start of the downturn; more recently it has had difficulties in growing its business beyond storage networking; while it has had its own internal problems it is currently showing there's still money to be made out of switching. McData brings a heritage in mainframe-class switching, and has long since given up on the notion that man can live on switches alone, as illustrated by last year's acquisition of CNT on the hardware side and in 2003, Nishan and Sanera on the software side. Put it all together and you start to get a pretty comprehensive storage portfolio.

The acquisition won't complete until next year, which gives us plenty of time to think about the consequences. Meanwhile, here's some food for thought. There must be a reason why there are so few vendors of storage switches, and why the largest companies in the storage space - think IBM, EMC and HP - choose to partner with companies like Brocade rather than building their own switches. The answer, I believe, is that it is very hard to build a storage switch - far easier to partner than to attempt to compete and fail. So – by taking out the competition, Brocade is strengthening its position and broadening its offering as a good partner should. However, it is now starting to talk in more general terms of "data centre optimisation", as if storage networking is a done deal and Brocade’s sights are turning to data networking. While this might be just the rhetoric of acquisition, if I were Brocade I’d be careful not to target the bigger guys too directly. Perhaps they won't feel too threatened, but equally, Brocade should perhaps stick to its knitting (one is reminded of VMware's focus, and its resulting success, as a comparison).

It may not make much difference anyway. By buying McData, Brocade has turned itself into quite an attractive acquisition target. The major storage vendors may not want to upset the careful equilibrium that exists between them, but by Juniper (or indeed, by Cisco), there are sure to be others that would see an investment in Brocade as further advancing their own data centre strategies.

Microsoft's open specification promise

Yesterday, Microsoft announced an "irrevocable promise not to assert" for 35 web services-related specifications (as far as I can tell all of the WS-* specifications that the company has contributed to), ranging from SOAP, WSDL, WS-Security through to WS-Management, WS-Trust and the web SSO specifications developed with Sun. What this basically means is that Microsoft will not enforce its rights to any of the patents associated with the specifications. The commitment extends beyond technology developers and vendors through to the ultimate users of the technology.

I first came across the news on the Identity Gang mailing list, where the response has been universally positive. I have previously highlighted the significant amount of open source activity in the world of identity, including a possible implementation of Microsoft's CardSpace - via the OSIS project. I said when OSIS and the related Heraldry project first reared their heads

Obviously, it is still very early stages for both Heraldry and OSIS (not least because the intellectual property issues need to be ironed out!) but this is a good start

Yesterday's announcement from Microsoft gets the ironing board out and begins the pressing, which explains the positive response. It seems pretty clear that Microsoft's identity architect Kim Cameron, who has been working so closely with the identity community, has played a significant role in this. Kim is an engaging and persuasive orator and these skills have undoubtedly been put to effective use in persuading the (multiple) powers that be in Microsoft to get to this point. (As an aside, take a look at this post from Doc Searls - another driving force behind the open, collaborative work going on in the identity space which has been acknowledged with his fellowship at the Berkman Center for Internet and Society - for this great description of Microsoft: a legal department traveling as a software company).

I am not qualified to comment on the detailed legal aspects of Microsoft's promise. But that's the beauty of the blogosphere: there are others out there who are. I often find myself turning to Andy Updegrove, over at the ConsortiumInfo.org blog, on occasions such as this. Once again, Andy has a digestible and comprehensive analysis, which concludes:

I think that this move should be greeted with approval, and that Microsoft deserves to be congratulated for this action. I hope that the standards affected will only be the first of many that Microsoft, and hopefully other patent owners as well, benefit with similar pledges.

Andy also points out that IBM (and BEA) have proposed many if not all of these specifications and so I am looking forward to seeing what Bob Sutor, IBM's VP of Standards and Open Source, has to say.

The specifications have far broader applicability than just identity - SOA, IT service management etc etc. The promise is thus good news for organisations embarking on a wide variety of IT initiatives. It should allow for greater open source innovation and also help to allay some of the concerns about the adoption of open source so allowing organisations to actually benefit from that innovation.
Monday, September 11, 2006

Sun Identity Manager: compliance is about more than saying what you should be doing to comply

At the Digital ID World conference taking place in California (Eric/Phil - how about extending the world of digital ID to Europe and hosting something here), Sun Microsystems announced Identity Manager 7.0, the next iteration of its identity lifecycle management (aka user provisioning) solution due for release next quarter. The key new feature of this release is what Sun refers to as identity auditing: extending compliance auditing beyond provisioning processes to the applications and systems which actually use the provisioned identity data.

Regulatory compliance has undoubtedly boosted organisations' interest in identity management solutions and the vendors have been quick to respond. However, that response has largely focussed on ensuring that policies are enforced, and can be demonstrated to have been enforced, when identity data is provisioned e.g. to ensure that users in a particular role are only provided with read-only access to a particular application. As I have discussed in our identity management report, effective compliance requires a more comprehensive response: organisations need to be able to ensure that the application actually enforces that read-only access, that any deviations are logged and so forth. Identity auditing is Sun's response to address that need and a welcome response at that. This is something I also highlighted in my discussion of Novell's integration of the Sentinel assets it acquired with e-Security.

Whilst I am positive about this new set of capabilities, I think Sun is slightly over-egging the press release pudding with the following:

enhancements to its market-leading identity management software suite that are the first to combine the capability to prevent inappropriate user access to systems and applications while detecting violations in the company's user access policies

Reading on, Sun is quite careful to point out that it is the first to combine user provisioning with identity auditing but I think IBM, with Tivoli Access Manager's Common Auditing and Reporting Services could justifiably claim to deliver the same business outcome (and that after all is what the business is concerned about), albeit not tied directly into its user provisioning solution. That gripe aside, this is a good move by Sun and extends the company's already strong identity management proposition.

Organisations who are turning to identity management as part of their compliance initiatives need to carefully scrutinise potential solutions. If the vendor is focussing exclusively on the provisioning process then it's time to ask some tough questions.

Well that answers that then: webMethods to acquire Infravio

BEA's acquisition of Flashline a few weeks ago caused the other Neil to ponder:

But when I look a bit deeper, I do wonder why BEA didn't end up chomping Infravio instead. (They might well have tried and failed for some reason, of course - if anyone knows anything about that, let me know!)

Today, we have a possible answer: Infravio is to be acquired by webMethods.

The fact that Infravio is being acquired does not come as a great surprise! There is broad agreement that SOA registry/repository technology is one of the key capabilities of the service infrastructure required for effective SOA initiatives and Infravio is one of the comparatively few pure-play providers of that technology. The likes of BEA, HP, IBM and Oracle have all invested heavily in a combination of in-house development, OEM relationships and acquisition to bolster the registry/repository capabilities of their offerings and it was only a matter of time before Infravio went the way of Flashline and Systinet and became an acquisition target.

I must admit that webMethods would not have been top of my list of potential acquirers though. With Systinet now out of play, I could have seen the likes of Oracle or SAP (and BEA pre-Flashline) opening their wallets. So this is a bit of a coup for webMethods.

This certainly makes sense for webMethods. In our assessment of webMethods service infrastructure offerings, we discuss the fact that webMethods' Fabric, and more specifically its Servicenet product, provides surprisingly strong support for service lifecycle management but that:

webMethods plans to enhance these capabilities - adding service dependency checking and impact analysis

and

there are areas where the two technology environments [Enterprise Service Platform and Servicenet] could be better integrated - for example in the specification, storage and publication of information about service policies, service interfaces, and integration orchestrations

The Infravio acquisition should enable webMethods to both provide the lifecycle management enhancements and improve the integration of the Enterprise Service Platform and Servicenet.

webMethods has done a good job of exploiting its heritage in application integration and combining it with facilities for implementing and managing a SOA initiative to offer a comprehensive set of service infrastructure capabilities. The Infravio acquisition certainly adds to what is already a strong offering and webMethods is striving to shift to more of a business-focussed proposition based around business process improvement and vertical industry solutions built on top of Fabric.

Despite these strengths, the challenge for the company is to exploit its current advantage and remain relevant in the face of competitors with far greater resources at their disposal. With SOA governance and registry/repository so hot at the moment, the acquisition should certainly increase awareness of webMethods amongst organisations embarking on SOA initiatives. Whether webMethods can maintain the momentum once the buzz has died down is less certain.


Wednesday, September 06, 2006

More positive interoperability news from Liberty

About a year ago, the Liberty Alliance announced the successful completion of SAML 2.0 interoperability testing by 8 organisations. I commented at the time that this was "encouraging news". I was remiss in my blogging and didn't pick up on the addition of 4 more to the list in November - IBM, NEC, NTT and RSA Security (now EMC of course!). I am trying to make amends now: yesterday Liberty announced another 4 (well sort of) - Entrust, HP, Oracle and Ping Identity. Why only sort of? Oracle was in the original 8, so this appears to be a recertification of the latest release of Oracle Identity Management 10g, and HP is presumably there as a result of the November acquisition of Trustgenix, which also featured in last year's press release.

Don't get me wrong. The double counting shouldn't detract from the fact that this is good news. The assurance that is provided by this testing - federation is about interoperability after all - is very important for potential adopters. It would be good to see the other leading enterprise identity management players (BMC and CA where are you?) joining the party. And there is, as I said last year, still the small matter of providing similar levels of assurance when it comes to the other major federation standard:

More importantly - and more challenging - is providing similar levels of assurance in the case of interoperability with the WS-Federation, co-authored by IBM, Microsoft and VeriSign. The Burton Group's July Catalyst Conference included such demonstrations, for example from Trustgenix, but demonstrations are not enough.

plus, of course, all the work going on in the world of user-centric identity (some of which is discussed here).

Assurance will certainly help with adoption but I think Roger Sullivan, Vice President of Business Development for Oracle Identity Management and Vice President of the Liberty Alliance, put it rather well here:

“We do need enterprise Service Providers to begin to deploy these Identity Provider services more rapidly.” I mean that the financial institutions, government agencies, etc. should be doing the deploying of the 75 solutions that the vendors have created.

So, the technology exists to solve this business problem. The question remains: Who will take my money to manage this for me securely?

The promise of increased convenience, security, privacy etc for individuals will only materialise if these interoperable solutions, be they of the Liberty, WS-*, Yadis, DIX variety, are actually implemented. Without that, interoperability testing means very little!
Monday, September 04, 2006

Complex event processing and the predictive business

I just came across this podcast from Information Age featuring Vivek Ranadive, the CEO of Tibco, discussing The Power to Predict, his follow-on to The Power of Now. The premise of his second book is the evolution of the real-time but reactive organisation of the first to one which is still real-time (I guess it would have to be!) but now proactive, enabled by Complex Event Processing (CEP).

It's worth listening to for some persuasive examples of CEP in action (particularly how to deal with disenchanted gamblers losing money in the casino!). However I recommend that you take a look at my previous post on CEP to put this in context. It's also worth reading this from the other Neil, which explains why Tibco shouldn't need to succumb to the pressure to attach the fictional ESB product category to its offerings.
Friday, September 01, 2006

Sun puts its money where its mouth is with OpenDS and OpenSSO

It was over a year ago when I commented on Sun's initial foray into open source identity management with the Open Web Single Sign-On (OpenSSO) project. Now more than a year later, whilst I was braving the British summer under canvas on the south coast, the project has been formally launched. Sun has been true to its word with OpenSSO and is releasing the source code for significant chunks of its Java System Access Manager required for web-based single sign-on, including session management, policy and federation as well as administration capabilities. I have seen nothing at the OpenSSO project site to change my original analysis:

This is a smart move by Sun. First, it continues the ‘participation age’ theme promoted by COO Jonathan Schwartz and manifested in its recent rebranding. Second, whilst web single sign-on is valuable both in terms of simplifying the user experience and easing user administration, the real opportunity lies in user provisioning, federated identity management, auditing for compliance etc. Eric Leach, a Sun product manager, is quoted as saying “The idea is that we're going to give developers the tools they need to build basic security into their internal Web infrastructures without additional cost”. In other words, OpenSSO provides customers with a free platform for Intranet-based single sign-on from which Sun can then build with its suite of identity management products offering higher value identity management capabilities.

Irrespective of Sun's motivations, organisations with any reasonably significant identity management initiative should dedicate at least a small amount of resource to investigate the project. Whether or not that investigation leads to deployment (and who knows, even contribution!), organisations that make that small investment should enhance their understanding based on exposure to what is a comprehensive and well-proven product in Access Manager.

But Sun didn't stop there. The company has also announced the OpenDS directory service project. Following the same logic as with OpenSSO and Access Manager, I assumed that OpenDS is the open sourcing of Sun's Java System Directory Server. My assumption was wrong! Whilst OpenDS sets out to deliver a similar set of capabilities:

The directory service includes not only the Directory Server, but also other essential directory-related services like directory proxy, virtual directory, namespace distribution and data synchronization. The Directory Server is a network-accessible database that is able to store information in a hierarchical form. Clients may communicate with it using standard network protocols (at present LDAP and DSML are supported) to retrieve and update information in a variety of ways.

the project is starting from scratch. It is not exploiting its own Directory Server code base or other open source directory server initiatives, such as OpenLDAP, ApacheDS and Red Hat Fedora Directory Server. The project FAQ provides some justification for these decisions, which can be boiled down to a combination of scope, licensing and implementation language.

OpenDS is a very ambitious undertaking, extending as it does beyond the core identity data repository to provide capabilities, such as virtual directory and data synchronisation, required for the identity data management layer I discuss in our identity management report. It's going to be years, rather than months, before the project is completed, so it comes as no surprise that Sun will continue to develop Directory Server and does not anticipate releasing any products based on OpenDS for at least 18 months (and even then they won't be part of the Java Enterprise System).

My thoughts on OpenDS mirror those for OpenSSO. It furthers the company's open source commitments whilst providing a foundation for its higher value identity management suite and is something which organisations should at least investigate.

As I have previously discussed here, here and here, there's an awful lot of open source activity in the world of identity management, what with Higgins, Bandit, Heraldry and OSIS. It will be interesting to see where these projects from Sun fit. The fact that Higgins (elements of which are part of Bandit) is an Eclipse project certainly won't make things easy with Sun dogmatically pursuing its NetBeans alternative.

Getting started with biometrics

The ever-growing need to mitigate the risks of identity theft, coupled with regulatory compliance and general concerns about the reliability of passwords, is such that multi-factor authentication is a hot issue in identity management circles. The factors in question are well understood: something you know; something you have; or something you are, in various combinations.

The "something you are" factor - biometrics - has long been discussed as a means of addressing the limitations of the other factors. But it has largely remained just that - discussion. However, government identity cards, passports etc are increasing the volume and widespread implementation is becoming a serious (in more ways than one!) possibility.

With that in mind, I recommend you take a look at this recent post from Jerry Fishenden, Microsoft's National Technology Officer for the UK. Whilst Jerry discusses broader societal issues, there is some sage advice for organisations evaluating biometrics as part of a multi-factor authentication strategy, not least:

I use fingerprint readers at home both for access to my office and on one of my PCs - where they are a great convenience and work reasonably well (if occasionally taking a few times to succeed). However, I don't like the way in which they merge authentication and identification into a single process, unlocking the PC for example just with a fingerprint without any other form of credential. This would certainly not be a sustainable model in an environment where proper security was required.

and

One of the core principles of computer-based security is the separation of identification from authentication. After all, if you merge the two, what happens when your biometrics are compromised? By keeping these aspects separate, it remains possible to issue different credentials to be used alongside our biometrics. Stronger systems ideally adhere to the established 3 factor principle: something you know (such as a PIN), something you have (such as a smart card) and something you are (which is, of course, where biometrics typically come in).
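To make the distinction in those two quotes concrete, here is a small sketch added for this write-up (it is not from Jerry's post or from any product). The names `Enrolments`, `bio_match` and `demo`, the Hamming-distance matcher and the sample templates are all constructed assumptions, and only two of the three factors (biometric and PIN) are modelled.

```python
import hashlib, hmac, os

def pin_hash(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def bio_match(sample, template, max_bits=6):
    # Readings never repeat exactly, so match on Hamming distance (toy matcher).
    diff = sum(bin(a ^ b).count("1") for a, b in zip(sample, template))
    return len(sample) == len(template) and diff <= max_bits

class Enrolments:
    def __init__(self):
        self.users = {}

    def enrol(self, user, template, pin):
        self.users[user] = {"template": template}
        self.reissue_pin(user, pin)

    def reissue_pin(self, user, new_pin):
        # A PIN or card can be replaced after a compromise; a fingerprint cannot.
        salt = os.urandom(16)
        self.users[user].update(salt=salt, pin=pin_hash(new_pin, salt))

    def merged_unlock(self, sample):
        # Merged model: the reading alone identifies AND authenticates (1:N search).
        for user, rec in self.users.items():
            if bio_match(sample, rec["template"]):
                return user
        return None

    def separated_login(self, claimed_user, sample, pin):
        rec = self.users.get(claimed_user)           # identification: a stated claim
        if rec is None:
            return False
        bio_ok = bio_match(sample, rec["template"])  # authentication factor 1 (1:1)
        pin_ok = hmac.compare_digest(pin_hash(pin, rec["salt"]), rec["pin"])  # factor 2
        return bio_ok and pin_ok

def demo():
    db = Enrolments()
    template = bytes.fromhex("a5" * 16)              # constructed sample template
    db.enrol("alice", template, "4821")
    leaked = bytes.fromhex("a5" * 15 + "a4")         # constructed copy, one bit off
    out = {"merged": db.merged_unlock(leaked),
           "copy_no_pin": db.separated_login("alice", leaked, "0000"),
           "genuine": db.separated_login("alice", template, "4821")}
    db.reissue_pin("alice", "9377")                  # respond to a suspected PIN leak
    out["old_pin"] = db.separated_login("alice", leaked, "4821")
    out["new_pin"] = db.separated_login("alice", template, "9377")
    return out
```

In the merged model a copied reading is enough on its own; in the separated model the same copy fails without the PIN, and the PIN can be reissued while the enrolled biometric stays as it is.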

