{"id":1045,"date":"2009-06-02T01:28:00","date_gmt":"2009-06-02T09:28:00","guid":{"rendered":"\/?p=1045"},"modified":"2009-06-03T14:14:06","modified_gmt":"2009-06-03T22:14:06","slug":"information-cards-in-industry-verticals","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=1045","title":{"rendered":"Information Cards in Industry Verticals"},"content":{"rendered":"<p>The\u00a0recent <a href=\"http:\/\/www.id-conf.com\/\">European Identity Conference<\/a>, hosted in Munich by the analyst firm <a href=\"http:\/\/www.kuppingercole.com\/\" class=\"broken_link\">Kuppinger Cole<\/a>,\u00a0had great content\u00a0inspiring an ongoing stream\u00a0of interesting conversations.\u00a0\u00a0\u00a0Importantly, attendance was up despite the economic climate, an outcome <a href=\"http:\/\/blogs.kuppingercole.com\/cole\/\" class=\"broken_link\">Tim Cole<\/a>\u00a0pointed out was predictable since identity technology is so key to efficiency in IT.<\/p>\n<p>One of the people I met in person was James McGovern, well known for his <a href=\"http:\/\/duckdown.blogspot.com\">Enterprise Architecture<\/a> blog.\u00a0\u00a0He is on a roll\u00a0writing about ideas he\u00a0discussed with a number of us at the conference, starting with\u00a0<a href=\"http:\/\/duckdown.blogspot.com\/2009\/05\/user-centric-identity-within-industry.html\">this piece<\/a> on use of Information Cards in <strong>industry verticals.\u00a0 <\/strong>James knows a lot about both verticals and identity.\u00a0\u00a0He has started a critical conversation, replete with the liminal questions he is known for:<\/p>\n<p style=\"PADDING-LEFT: 30px\">&#8216;Consider a scenario where you are an insurance carrier and you would like to have independent insurance agents leverage CardSpace for SSO. 
The rationale says that insurance agents have more personally identifiable information on consumers ranging from their financial information such as where they work, how much they earn, where they live, what they own to information about their medical history, etc. When they sell an insurance policy they will even take payment via credit cards. In other words, if there were a scenario where username\/passwords should be demolished first, insurance should be at the top of the list.&#8217;<\/p>\n<p>A great perception.\u00a0 Scary, even.<\/p>\n<p style=\"PADDING-LEFT: 30px\">&#8216;Now, an independent insurance agent can do business with a plethora of carriers who all are competitors. The ideal scenario says that all of the carriers would agree to a common set of claims so as to insure card portability. The first challenge is that the insurance vertical hasn&#39;t been truly successful in forming useful standards that are pervasive (NOTE: There is ACORD but it isn&#39;t widely implemented) and therefore relying on a particular vertical to self-organize is problematic.<\/p>\n<p style=\"PADDING-LEFT: 30px\">&#8216;The business value &#8211; while not currently on the tongues of enterprise architects who work in the insurance vertical &#8211; says that by embracing information cards, they could minimally save money. By not having to manage so many disparate password reset approaches (each carrier has their own policies for password history, complexity and expiry) they can improve the user experience&#8230;<\/p>\n<p style=\"PADDING-LEFT: 30px\">&#8216;If I wanted to be a really good relying party, I think there are other challenges that would emerge. Today, I have no automated way of validating the quality of an identity provider and would have to do this as a bunch of one offs. So, within our vertical, we may have say 80,000 different insurance agencies who could have their own identity provider. 
With such a large number, I couldn&#39;t rely on white listing and there has to be a better way. We should of course attempt to define what information would need to be exposed at runtime in order for trust to be consumed.&#8217;<\/p>\n<p>This raises the matter of how trust would be concretized within the various verticals.\u00a0 White listing is obviously too cumbersome given the numbers.\u00a0 James proposes\u00a0an idea that I will paraphrase as follows:\u00a0 use claims transformers run by\u00a0trusted entities\u00a0(like state departments of insurance) to vet incoming claims.\u00a0\u00a0The idea would be to reuse\u00a0the authorities already involved in making this kind of decision.<\/p>\n<p>He goes on to examine the challenge of figuring out what identity proofing process has actually been used by an identity provider.\u00a0 In a paper I collaborated on recently (I&#39;ll be publishing it here soon) we included\u00a0the proofing and registration processes\u00a0as one element in a chain of factors we called the &#8220;security presentation&#8221;.\u00a0 One of the points James makes is that\u00a0it should be\u00a0easy to include\u00a0an explicit statement about the &#8220;security presentation&#8221; as one element of any claim-set being submitted (see\u00a0James&#39; post for\u00a0some good examples).\u00a0 Another is that the relying party should be able to include a statement of its security presentation requirements in its policy.<\/p>\n<p>James concludes with a set of action items that need to be addressed for Information Cards to be widely used in industry verticals:<\/p>\n<p style=\"PADDING-LEFT: 30px\">&#8216;1. Microsoft needs to redouble its efforts to sell information cards as a business value proposition where the current pitch is towards a technical audience. 
It is nice that it will be part of Geneva but this means that its capabilities would be fully leveraged unless it is understood by more than folks who do just infrastructure work.<\/p>\n<p style=\"PADDING-LEFT: 30px\">&#8216;2. Oasis is a wonderful standards organization and can add value as a forum to organize common claims at an industry vertical level. Since identity is not insurance specific, we have to acknowledge that using insurance specific bodies such as ACORD may not be appropriate. I would be game to participate on a working group to generate common claims for the insurance vertical.<\/p>\n<p style=\"PADDING-LEFT: 30px\">&#8216;3. When it comes to developing enterprise applications using the notion of claims, &#8230;developers need to do a quick paradigm shift. I can envision a few of us individuals who are also book authors coming up with a book entitled: Thinking in Claims and XACML as there is no guide to help developers understand proper architecture going forward. If such a guide existed, we&#8230; (could avoid repeating) &#8230;the same mistakes of the past.<\/p>\n<p style=\"PADDING-LEFT: 30px\">&#8216;4. I am wildly convinced that industry analysts are having the wrong conversations around identity. Ask yourself, how many ECM systems have on their 2009 roadmap, the ability to consume a claim? How many BPM systems? In case you haven&#39;t figured it out, the answer is a big fat zero. This says that the identity crowd is evangelizing to the wrong demographic. Industry analysts are measuring identity products what consumers really need which is to measure how many existing products can consume new approaches to identity. Does anyone have a clue as to how to get analysts such as Nick Malik, Gerry Gebel, Bob Blakely and others to change the conversation.<\/p>\n<p style=\"PADDING-LEFT: 30px\">&#8216;5. 
We need to figure out some additional identity standards that an IDP could expose to an RP to assert vetting, attestation, indemnification and other constructs to relying parties. This will require a small change in the way that identity selectors work but B2B user-centric approaches won&#39;t scale without these approaches&#8230;&#8217;<\/p>\n<p>I know some good work to formalize various aspects of the &#8220;security presentation&#8221; has been\u00a0going on in\u00a0one of the Liberty Alliance working groups &#8211; perhaps someone involved could post about the progress that has been made and how it ties in to\u00a0some of James&#8217; action items.\u00a0<\/p>\n<p>James&#8217; action items are all good.\u00a0 I\u00a0buy his point that Microsoft needs to\u00a0take claims beyond the current &#8220;infrastructure&#8221; community &#8211; though I still see the participation of this community as absolutely key.\u00a0\u00a0But we need &#8211; as an industry and as individual companies\u00a0&#8211; to widen the discussion and start\u00a0figuring out how claims can\u00a0be used in concrete verticals.\u00a0 As we do this, I expect to see many players,\u00a0with very strong participation from\u00a0Microsoft,\u00a0\u00a0taking the new paradigm to the &#8220;business people&#8221; who will really benefit from the technology.<\/p>\n<p>When Geneva is released to manufacturing later this year, it will be seen as a fundamental part of Active Directory and the Windows platform.\u00a0 I expect that many\u00a0programs will then start to kick in that turn up the temperature along the lines James proposes.<\/p>\n<p>My only caution with respect to James&#8217;\u00a0argument is that I hope we can\u00a0keep requirements simple in the first go-around.\u00a0 I don&#39;t think\u00a0ALL the\u00a0capabilities of claims have to be\u00a0delivered &#8220;simultaneously&#8221;, though I think it is essential for architects like James to understand them and build our current deliverables in 
light of them.\u00a0<\/p>\n<p>So I would add a sixth bullet to the five proposed by James, about beginning with extremely simplified profiles and getting them to work perfectly and interoperably before moving on to more advanced scenarios.\u00a0 Of course, that means more work in nailing the most germane scenarios and determining their concrete requirements.\u00a0 I expect James would agree with me\u00a0on this (I guess I&#39;ll find out, eh?&#8230;)<\/p>\n<p>[By the way, James also has an <a href=\"http:\/\/siglesideline.files.wordpress.com\/2008\/09\/200809080917.jpg\">intriguing graphic <\/a>that appears with the piece, but doesn&#39;t discuss it explicitly. I hope that is a treat that is coming&#8230;]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>James McGovern presents a set of action items that need to occur for Information Cards to become widely used in &#8220;industry verticals&#8221; like insurance. <\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[52,37,2,8,42],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1045"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1045"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1045\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1045"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com
\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1045"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1045"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}