DigitalID article...........
By: Phil Becker
Topic: General
Posted: Sunday, July 27, 2003 (12:00 AM MDT)
DIDW: How do you see the trends in and awareness of identity changing over the last year, given your experiences at General Motors and in the various forums you visit?
Scott: I end up participating in a lot of external events, forums, discussions, etc. and what's been interesting to me over the last year is the rising barometer around awareness of, and also concern about digital identity. There's hardly a session I go to these days where it doesn't come up in some form - whether you're talking about intrusion detection, who's on our network, who should be on our network, or application strategy. I was with a group yesterday that were talking about "compute on demand" and how you would enable that infrastructure. Not surprisingly the conversation wound around to identity management. It seems to be a very pertinent and rising issue, particularly in corporations. Especially as you go collaborative as GM has, where we do a lot of work with outside partner vendors and suppliers. That is heartening, because without some fundamental understanding of the issue and potential solutions, you can't get very far.
DIDW: So you would say that the awareness in the enterprise of the interwoven nature of identity, and the fact that all of these apparently separate things end up leading to identity has risen dramatically in the past 8 to 12 months?
Scott: Yes. Everything goes through the hype cycle. I think [identity] is something that has gone through the initial "ok, this is interesting" phase, and now people are discovering the real down to earth nitty-gritty issues associated with digital identity in corporations.
DIDW: At GM, you saw a lot of this well in advance of most companies. You wear a lot of hats with GM's involvement in things like Liberty Alliance, etc. Do you feel like things that you learned a while back are coming into other people's view finders? What tells you that awareness is growing?
Scott: The way [growing awareness] has manifested itself is a lot of questions about "what are you doing?" "What have you learned?" and "What would you do differently?" And the good news in these forums is there seems to be a lot more information to share than there was a year ago. Things they have done, problems they've run into, different views on the problem, more breadth than you would have seen a year ago. A year ago people were strictly thinking "how do I get Single Sign-On." And while that's a huge issue, it's not the only issue that people are running into at this point.
DIDW: Is there an increased awareness that SSO isn't a target by itself but rather a group of things that lead there?
Scott: Yes. In fact there is the admission in some places that in the whole scheme of things as I put digital identity in place, one of the last or near the end things I might be able to accomplish is Single Sign-On. But there are a whole bunch of other benefits along the path.
DIDW: You talked about the fact that many people are starting to see the thread of identity in even places like intrusion detection and the management of on demand computing. A year ago that was a relationship it was difficult for many to see. What is causing them to see it now?
Scott: [A year ago] it wasn't real for a lot of people, but now it's becoming apparent or rising to the surface.
DIDW: Is this a reflection that for many of your corporate peers, we have reached a point where they are getting closer to having to take action on some of these things rather than just talk about them? Maybe to the point of running a test project or two that has grounded their outlook in a way it wasn't a year ago?
Scott: I think that's fair. I see two things in particular that have acted as catalysts [to increasing awareness.] One was SQL Slammer, where if you were a typical corporation (and I think we were fairly typical) this thing hit very quickly. It forced us to go around and very quickly identify where we had instances of the Microsoft SQL database running. This thing had a doubling time measured in seconds or minutes and within a couple of hours it was everywhere in the corporation. We had to put filters in our routers and firewalls; this was quarantine big-time. We found stuff under people's desks and everywhere.
The natural discussion that took place after SQL Slammer was "How can we figure out who's attaching things to our network and what are they attaching?" It turns out there are a lot of good solutions out there for the "what" - inventory applications, asset management applications, etc. I'm not saying all solutions are equal, but there's a lot of stuff out there. But for the "who" part, guess what? It's a lot more difficult. It turns out that at most corporations you don't need any credentials of any kind to attach anything to the network. Anybody can walk in, plug in, hook up and within some very broad guidelines be on the network with whatever they want. People worry about wireless networks, because wireless makes this just a tad easier, but it really was always easy. So SQL Slammer was huge just in terms of creating that awareness.
The second thing - and this is a subtle one - is spam. All of a sudden, everyone I talk to says spam is out of control. They've all reached their breaking point. They could tolerate a certain level of it, but it's gone beyond that threshold. I haven't met anybody in the last couple of months that when asked hasn't said "Yup, I'm there and I'm willing to do something about it."
When you start peeling away the onion on how you are ever going to actually [address spam], identity is key. Every conversation I have had in the past couple of months around spam, it is widely accepted that a major part of the solution is some form of reliable digital identity.
DIDW: Isn't that a shift in understanding of spam from a few months earlier? Didn't they use to think that with enough filters it could be solved?
Scott: Yes. If you talked to people six months ago, they would say "we can develop filters", "I've got this really smart algorithm", or "I've got this other technology answer to the problem." We've now proven it just doesn't work.
DIDW: GM has been involved with Liberty, and was talking about bringing it into GM for some pilot projects. What is the status of those efforts?
Scott: Our objective was to make sure that Liberty advanced to the point that companies were producing products that we could then use. With the release of the Version 1.1 spec, that occurred - products hit the market. So this year, 2003 portfolio year, we launched the first projects in GM to use Liberty compliant software for digital identity management. Those projects were funded and initiated. We use a fairly typical project life cycle here. We go through Plan, Define, Build, Deploy stages. Those projects are now in the Plan and Define stages and one of them is in the Build phase. So we don't have any "implemented production results" yet, but I would say the projects are moving along nicely and build on top of our directory strategy that we had made quite a bit of progress on even before this year.
DIDW: What is your time frame to see field results from these projects that you can evaluate?
Scott: End of this year. We launched the projects in April and May, and they are moving smartly through their project phases. The one area that will be interesting as we get into it is the volume testing. We have a reputation for finding out if things scale. We're not in that stage yet, but we're looking forward to seeing how broadly we can make this scale within GM.
DIDW: What will be the first of these Liberty-enabled projects to come online?
Scott: We have already established a corporate-wide people LDAP directory and we have an employee portal that's wide spread. So now we are integrating the identity management software in with that directory and portal architecture. We have rules about changing passwords. The plan is to put in stronger password aging rules and single sign-on enable a set of applications with [Liberty] company wide for 100,000 employees.
DIDW: You are using it initially to link the internal use applications, what about things that are common in employee portals such as 401k providers that are external to GM?
Scott: Stay Tuned. We have strong interest from a major 401k provider in doing the external link using federated digital identity.
DIDW: To summarize then, you see that in the enterprise awareness is rapidly growing that identity is a theme in many problems as opposed to one or two. You also see us leaving some of the earlier, primitive, "build it yourself" arenas and starting to get more settled on what the approaches should be. As a result, people are gaining awareness of the place of identity in corporate infrastructure and many are starting pilot projects.
Scott: Yes. Also, I think there is a greater understanding of where this fits architecturally in the whole scheme of things, how central identity is to enabling the infrastructure and applications of a company to really work.
