[Dave Birch] At the Management World event in Nice earlier this year ("Navigating the Digital Storm") I was flattered to be asked to chair the discussion session on Delivering Enterprise Cloud Services. I was keen to get a general perspective on the telecommunication sector's approach to this growing market. Naturally, I also thought I might be able to steal one or two decent ideas to pass on to our telecommunications clients who are looking to find a niche around enterprise cloud. I don't know very much about enterprise services as it's not really my day-to-day focus so I think I was asked to chair because some of the telcos felt that the "identity issue" was key to unlocking this market and, since I'd been droning on incessantly about identity for as long as any of them could remember, they thought I might be able to help direct some of the questioning.
It turned out to be a really interesting session. Before we talk about identity I just want to pull out a few things from my notes which I think might be relevant to the discussion. One of the discussions was around UBS. In round terms, UBS spends around $4 billion every year on IT. Of this, somewhere round about $1 billion per year is to deliver net new functionality to the business. That sounds pretty cool and it sounds like UBS must be delivering some incredible new services. Until, that is, you discover that almost all of the net new functionality is to do with regulatory requirements and changes in compliance. There is actually precious little resource going into delivering new products and services because the regulatory burden is so overwhelming. The smallest changes require colossal expenditure. Just switching from Windows XP to Windows 7 cost something like $300 million. Imagine the pressure on the bank IT department trying to support managers who want to use smart phones and iPads, desktop traders, homeworkers, contractors using goodness knows what and all of the other components of the modern enterprise. It is literally a nightmare.
Even in a small company such as Consult Hyperion you see a microcosm of these issues on a daily basis. It's no surprise that in many companies, people who are used to their Samsung S4, iPad Mini and smart TV at home get fed up with their enterprise IT infrastructure and, irrespective of company policies, start using Gmail and Dropbox, Yammer and a variety of other services.
Facebook has started to roll out a new file-sharing capability — and Dropbox shouldn't be the only worried party. The addition of a low-security file-sharing tool to the world's most popular social networking site could open a world of security pain on businesses and home users alike.
[From Facebook file-sharing could be security, piracy nightmare | Social networking – InfoWorld]
But back to the discussion. There is obviously an intimate relationship between enterprise use of (secure) cloud and enterprise identity infrastructure. Right now, most enterprises use proprietary identity management software that was never designed for cloud use and restricts not only the ability to take advantage of cloud services but also forms a barrier to organisational interworking that could be facilitated by the cloud.
Here's an example. A few weeks ago one of our retail banking clients asked me to prepare some material for them. The material included PowerPoint slides and notes and an audio file. When I tried to send it to the client, it was too big for their email system, so I put it on Dropbox and sent them the link instead, but they couldn't access it because Dropbox is blocked by their IT department. In order to get the file, they had to get me added as an authorised user to their "internal cloud", which took the best part of a day, and then I used a special username and password to log in and upload the file. Incidentally, a couple of days later, when the client asked me to make a few small changes and upload a new version of the slides, I had been deleted from the system and so had to go through the whole process again.
With an infrastructural, federated solution, it should have been entirely possible for the bank to accept Consult Hyperion credentials and provision limited access (in practice by issuing a certificate that I could then use to log in on any device). It is easy to say, very difficult to implement. This is where, I thought, the telcos might have something to offer. But they'll have to move quickly, because the enterprise cloud players already have a strategy toward identity (they see it as strategically important) whereas the telcos (and the banks?) don't.
I expect Oracle customers using Oracle applications via SaaS will increasingly use their Oracle Cloud identity as the identity for a chunk of their user populations, rather than trying to maintain multiple identities in their on-premises system. Since Oracle is already maintaining a cloud identity for every Oracle Cloud user, that identity is portable as far as the user is concerned.
[From Trend Watch: Identity Management Top 5 « Discovering Identity]
Quite. And Oracle are not the only serious player to have realised the power of transforming identity management from something to do with single sign-on to a strategic element of their proposition.
At his company's first YamJam conference in San Francisco, Sacks just revealed plans to move beyond the surface resemblance to take on Facebook's core function of identity, and apply it to the workplace.
[From Yammer's Facebook-Like Strategy – Business Insider]
For LinkedIn and the like, this is an important step. It is easy to see how it might work in practice: I want access to an enterprise cloud, so I log in using my LinkedIn identity and, since the bank has access via that identity to my professional social graph, it can make some pretty good decisions about whether to let me in and what I might be allowed to look at.
Cloud growth has also led to APIs playing a more critical role in the connected business. Companies such as Salesforce.com encourage business users to create their own apps by providing access to enterprise-grade services such as workflow, approvals and even data models.
[From APIs: Driving the connected apps revolution | VentureBeat]
Where could the mobile operators, for example, play in this space? If they had a standard API for identity services they could offer it to Oracle, Salesforce, Yammer and everyone else to provide a global recognition service that brings together hardware-based two-factor authentication (using the SIM) with federated identity and value-added services around location, roaming and so forth. I can see that it would be rather convenient to log in to a client's cloud using my phone and my LinkedIn identity, and surely it would be more secure than the sort of simple password-based non-security we deal with at the moment. Tom Noyes, who I always take seriously, calls this a "breakout business" for mobile operators and I'm sure he's right. Whether they can develop a co-ordinated strategy to exploit this opportunity is, naturally, another matter.
There are, of course, significant business implications, which is why guys like Salesforce take it so seriously. If I used my LinkedIn identity, say, to log in to various clients and online resources during the day, then LinkedIn would know what I was up to. If they see me log in to my good friends at Indeed.com, they might reasonably deduce that I am looking at the job market and send an alert to the numberless hordes of recruitment consultants who are constantly trying to link to me. I'm puzzled by the number of organisations that look at this with equanimity. It is huge.
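To make the federated login described above concrete, here is an added example (not from the original post, and not code from LinkedIn, Oracle or any other company named) of a relying party accepting a signed assertion from an outside identity provider and mapping the asserted organisation and role to limited, time-boxed rights, while the identity provider's own record shows what it learns about where the user logs in. The issuer name, the bank's service name, the organisation and role attributes and the shared HMAC key are all constructed for the example; real federation protocols (SAML, OpenID Connect) sign assertions with the identity provider's private key rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared key between the hypothetical identity provider and the bank's
# service. Real federation signs assertions with the IdP's private key; an HMAC
# stands in here so the example runs with the standard library only.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"
NOW = 1_700_000_000  # fixed clock so the example is deterministic


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Issues signed assertions; as a side effect it sees every service a user visits."""

    def __init__(self, issuer: str, key: bytes):
        self.issuer = issuer
        self.key = key
        self.observed = []  # (subject, audience) pairs learned simply by issuing tokens

    def issue(self, subject: str, audience: str, attributes: dict, now: int, ttl: int = 300) -> str:
        claims = {"iss": self.issuer, "sub": subject, "aud": audience,
                  "iat": now, "exp": now + ttl, **attributes}
        body = b64(json.dumps(claims, sort_keys=True).encode())
        sig = b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        self.observed.append((subject, audience))
        return f"{body}.{sig}"


# Relying-party policy: what each asserted (organisation, role) may do. The outside
# consultant gets upload rights only; the token's expiry time-boxes that access.
POLICY = {
    ("bank.example", "staff"): {"read", "upload", "delete"},
    ("consulthyperion.example", "consultant"): {"upload"},
}


class RelyingParty:
    """The bank's 'internal cloud', trusting one outside issuer instead of minting local accounts."""

    def __init__(self, name: str, trusted_issuer: str, key: bytes):
        self.name = name
        self.trusted_issuer = trusted_issuer
        self.key = key

    def verify(self, token: str, now: int) -> dict:
        body, _, sig = token.partition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(unb64(sig), expected):
            raise PermissionError("signature does not verify")
        claims = json.loads(unb64(body))
        if claims.get("iss") != self.trusted_issuer:
            raise PermissionError("untrusted issuer")
        if claims.get("aud") != self.name:
            raise PermissionError("token was minted for a different service")
        if now >= claims.get("exp", 0):
            raise PermissionError("token expired")
        return claims

    def authorize(self, token: str, action: str, now: int) -> bool:
        try:
            claims = self.verify(token, now)
        except (PermissionError, ValueError):
            return False
        allowed = POLICY.get((claims.get("org"), claims.get("role")), set())
        return action in allowed


def demo() -> dict:
    idp = IdentityProvider("idp.consulthyperion.example", SHARED_KEY)
    bank = RelyingParty("cloud.bank.example", "idp.consulthyperion.example", SHARED_KEY)
    attrs = {"org": "consulthyperion.example", "role": "consultant"}
    token = idp.issue("dave", "cloud.bank.example", attrs, now=NOW)
    # Same user, token issued for an unrelated service: the bank must refuse it.
    other = idp.issue("dave", "jobs.example", attrs, now=NOW)
    # Tampered token: claims edited to assert a staff role, signature left unchanged.
    body, _, sig = token.partition(".")
    claims = json.loads(unb64(body))
    claims["role"] = "staff"
    forged = b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig
    return {
        "consultant_can_upload": bank.authorize(token, "upload", NOW),
        "consultant_can_delete": bank.authorize(token, "delete", NOW),
        "wrong_audience_rejected": not bank.authorize(other, "upload", NOW),
        "expired_rejected": not bank.authorize(token, "upload", NOW + 600),
        "forged_role_rejected": not bank.authorize(forged, "delete", NOW),
        "idp_sees": idp.observed,  # the IdP knows the user visited both services
    }
```

The `idp_sees` entry is the point of the paragraph above: the identity provider never talks to the bank, yet by issuing a token bound to an audience it learns exactly which services its user is logging in to and when.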
You could have written this post five years ago, couldn't you? In fact, you probably did.
Neither the banks nor the telcos would grasp the opportunity then and they still won’t.
That must tell us something.
The benefits aren’t as great as everyone else (apart from the banks and the telcos) imagines? Mistakes could have existential consequences for the company concerned.
The costs are a lot higher than everyone else imagines? Running a national identity management scheme doesn’t come cheap.
As you said yourself, Dave, who is the trusted party? LinkedIn and your profile? What if I obtained your LI login credentials?
IMHO, it should be out-of-band 2FA, involving a smartphone (yes, I know that it's not socially inclusive, and that's a good point in some cases…) – the only form factor which we are likely to guard closely (and even then not immune to hacking).
A more cumbersome option is a cloud-connected OTP token (to prevent RSA-style seed cracking disasters) coupled with, again, out-of-band login. Easily deployable (sort of), and a major step forward compared to the current status quo.