Presenting on Governance in Virtual Worlds February 29, 2008
Posted by joncollins in Governance, NFIT, Risk Management, Virtual Worlds. 1 comment so far
For anyone who’s interested in either topic, I’m going to be presenting on the role and impact of business governance in relation to virtual worlds, in a few weeks at the ISGIG conference in Pisa. What an irresistible topic - here’s my outline so far:
There is (currently anecdotal) evidence that immersive environments such as Second Life are losing their mainstream popularity, as potentially are such social networking sites as Facebook. All the same, together with such technologies as telepresence, the potential for such collaborative technologies is great, in terms of how it enables stronger relationships to develop, with the subsequent impact on productivity; virtual worlds also offer the opportunity to interact physically and collaboratively, for example to demonstrate a product prototype. But there are plenty of downsides – not least the potential for abuse, which is leading many corporations to ignore, if not avoid, such technologies. This presentation considers the benefits and challenges of socially enabled virtual worlds, and gives examples of where organizations are using them for corporate benefit while minimizing the governance risks and operational challenges they cause. Where are the boundaries between real and virtual worlds, and how do they interface with social technologies? What are the problems of doing business in a virtual world, and how is that affected by real world business and regulations? Also, if Second Life is indeed losing its sheen, what’s Third Life going to be like?
Unfortunately Second Life doesn’t run on the OQO 01+, but if anyone’s interested, you can contact Nathan Neumann; I’ll be in there sporadically.
Why 2008 for enterprise identity management? January 4, 2008
Posted by joncollins in Identity Management, Risk Management, Security. 1 comment so far
Identity is a hot topic these days of course, what with incidents like the loss of all those records from the HMRC punting identity fraud into the public eye. Examples are legion of identities being stolen, misused or otherwise abused – it’s perhaps surprising that incidents such as Goo-do-no-evil-gle and the Scoble Facebook hack have taken so long to materialise. While none of these examples are particularly relevant to the concepts being espoused by corporate identity management, one nonetheless stimulates interest in the other. There are overlaps of course – the hapless employee who lost the HMRC disks could have been deemed too dim to warrant access to the disks in the first place, but this thought process is in a different compartment to thinking about the risks caused by offering up our kids and (indeed) our bank details to all and sundry.
The issue for corporate technology sellers and buyers alike, is that while the subject of identity may no longer leave people glazing over at the slightest mention, conversations can munge all of the above issues into a convoluted glob, incorporating on one hand worries about the protection of personal information, and on the other practicalities around ensuring corporate information and systems are only accessed by those who have been granted access. Given that this industry thrives on three letter acronyms, perhaps we need a couple of new ones - “Personal Information Protection” for the former and “Enterprise Identity Management” for the latter. Thus, EIM could have been used to support PIP, in the HMCE case.
Taking just the corporate, “EIM” side of things, this looks to be an interesting year. The last couple of years have seen a number of acquisitions and product announcements in this space from the larger management vendors, notably CA and Oracle, IBM, BMC, Sun and Novell: the most recent step has been to bring in roles-based management and directory integration. There have been a number of challenges along the way, some of which remain – for example the architectural decision of whether a database or a directory is sufficiently scalable to serve up identity-related information at the required level of granularity; meanwhile a variety of standards are being put in place. Catalysed by the more general, populist buzz, all of these things put together should yield more general acceptance, and resulting deployment, of identity management solutions.
I should admit to a level of personal interest here, in what amounts to “the greater good”. While I view the HMCE incident with disappointment, I don’t subscribe to the headline-grabbing faux-abhorrence that some press have expressed, and I certainly don’t believe any one person should carry the can. Given the problem is indeed systemic (I believe so too), and if we can also agree that such a thing could have happened in most organisations, then we require a systemic approach to solving it. Taken in the round, identity management can offer such an approach, underpinned by the appropriate use of technology – this is most definitely a place where technology alone cannot provide the answer, but neither can the problem be solved without it. Indeed, if the HMCE incident serves to raise awareness and adoption to the extent that other organisations do not suffer the same fate, then it will not have been without value.
The bigger picture of behavioral analysis - a conversation with Tier-3 October 26, 2007
Posted by joncollins in Risk Management, Security. 1 comment so far
In a break with tradition, I’m going to write about a specific company in this one, or at least a specific series of conversations. I’ve been talking quite a lot to the guys at Tier-3, a company specialising in software that can look for anomalies in how IT is being used. While there are many potential applications of such a capability, the company has focused its efforts on IT security: sucking in events from computer logs and looking out for things that don’t fit with the norm. Think intrusion prevention, unauthorised access and the like.
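To make “looking out for things that don’t fit with the norm” concrete, here is an added example of the simplest form of that idea, written for this page and not taken from Tier-3 or its HUNTSMAN product. It builds a per-account baseline (which source addresses and which hours an account normally logs in from) out of a run of constructed login events, then scores new events against it and also watches for bursts of failed logins. The log line format, the account names, the addresses and the thresholds are all invented for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events (not from the page): one line per login attempt,
# giving timestamp, account, source address and outcome.
BASELINE_LOGS = [
    "2007-10-15T08:55:02 user=alice src=10.1.1.20 result=ok",
    "2007-10-15T09:12:40 user=bob src=10.1.2.31 result=ok",
    "2007-10-16T08:47:19 user=alice src=10.1.1.20 result=ok",
    "2007-10-16T09:05:03 user=bob src=10.1.2.31 result=ok",
    "2007-10-16T17:30:11 user=bob src=10.1.2.31 result=ok",
    "2007-10-17T08:58:44 user=alice src=10.1.1.21 result=ok",
    "2007-10-17T09:20:07 user=bob src=10.1.2.31 result=fail",
    "2007-10-17T09:20:25 user=bob src=10.1.2.31 result=ok",
    "2007-10-18T08:50:30 user=alice src=10.1.1.20 result=ok",
    "2007-10-18T18:02:15 user=alice src=10.1.1.20 result=ok",
]

# Constructed events to score against the baseline built from the lines above.
NEW_LOGS = [
    "2007-10-22T08:52:10 user=alice src=10.1.1.20 result=ok",    # routine
    "2007-10-22T03:14:55 user=alice src=10.1.1.20 result=ok",    # odd hour
    "2007-10-22T09:10:02 user=bob src=198.51.100.7 result=ok",   # new source
    "2007-10-22T09:11:00 user=mallory src=10.1.9.9 result=ok",   # never seen
    "2007-10-22T09:12:00 user=bob src=10.1.2.31 result=fail",
    "2007-10-22T09:12:03 user=bob src=10.1.2.31 result=fail",
    "2007-10-22T09:12:05 user=bob src=10.1.2.31 result=fail",
    "2007-10-22T09:12:08 user=bob src=10.1.2.31 result=fail",
]

# Hypothetical line format used only by this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\w+) src=(?P<src>[\d.]+) result=(?P<result>ok|fail)$"
)


def parse(line):
    """Turn one log line into a dict; returns None for lines that don't fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def build_profile(lines):
    """Per-account baseline: source addresses seen and hours of successful logins."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "ok":
            continue
        p = profile[ev["user"]]
        p["hosts"].add(ev["src"])
        p["hours"].add(ev["ts"].hour)
    return dict(profile)


def score_event(profile, ev):
    """Reasons an event departs from the account's baseline (empty list = routine)."""
    p = profile.get(ev["user"])
    if p is None:
        return ["unknown account"]
    reasons = []
    if ev["src"] not in p["hosts"]:
        reasons.append("new source address")
    # Allow an hour either side of the observed login window before flagging.
    lo, hi = min(p["hours"]) - 1, max(p["hours"]) + 1
    if not lo <= ev["ts"].hour <= hi:
        reasons.append("unusual hour")
    return reasons


def detect(profile, lines, burst_threshold=3, burst_window_s=60):
    """Score each line against the baseline and flag bursts of failed logins.

    Returns a list of (line, reasons) for events that deviate from the norm.
    """
    flagged = []
    recent_fails = defaultdict(deque)  # account -> timestamps of recent failures
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        reasons = score_event(profile, ev)
        if ev["result"] == "fail":
            q = recent_fails[ev["user"]]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > burst_window_s:
                q.popleft()
            if len(q) >= burst_threshold:
                reasons.append("failed-login burst")
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in detect(build_profile(BASELINE_LOGS), NEW_LOGS):
        print(f"{line}  <- {', '.join(reasons)}")
```

Two things this toy makes visible that the prose only hints at: the baseline is only as good as the inventory behind it (an account or host the profile has never seen is simply “unknown”, which is the asset-knowledge problem discussed later in the post), and every threshold is a judgement about what the business considers normal rather than a fact the logs supply on their own.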
It sounds so great in theory - and indeed, the company has recently announced wins for its HUNTSMAN product with some quite sizeable players such as Toshiba, so it must have something going for it. I still find myself feeling dubious however, not least (indeed, mostly) because whenever we do research into who’s buying what in IT security, behavioral analysis software seems to come out near the bottom of the pile.
So, there appears to be a bit of a behavioral anomaly about the whole thing. If such products are recognised to be so blooming useful, why is nobody buying them? My conclusion has been that, while such security products as antivirus, firewalls and VPN are quite simple to explain and therefore cost-justify, it was always going to be harder to assemble a business case for such tools as behavioral analysis.
When I spoke to Tier-3 I put this position to them, and asked (on the back of such deals as Tosh) whether it was changing. What Peter Woollacott, CEO, told me was that it was true, but he shed a bit more light onto what made it so hard. “Anomaly detection investments are currently being driven by the value ascribed to IT/IP assets relative to cost,” he said, “yet many organisations still fail to understand the value of their IP assets.” In other words – if you don’t know what you’ve got, it’s difficult to work out its value, or indeed (as Peter explained), how vulnerable it is against the legions of potential threats.
It’s an interesting one, not least because (according to my illustrious colleague Martin’s report) the lack of asset knowledge is such an age-old problem in IT, leading to that other age-old chestnut: how can you secure your IT environment if you don’t know what you’ve got?
Funnily enough however, the answer to the asset management issue may well come from considering some of the desired outcomes of security – not least that mother of all reasons, the reduction of business risk. Peter used the term “return on security investment”, the ramifications of which can be seen quite clearly in more regulated environments, and are starting to be visible in other verticals. “Just as Basel II rewards better operational risk managers with lower costs of capital,” commented Peter, “risk adjusted decision making is already featuring in corporate investment cases.”
Understanding of IT risk requires (and therefore drives the need for) understanding of IT assets and their vulnerabilities. Ultimately this also drives the need for products such as those from Tier-3, but it’s unlikely that the company can currently use this as a product pitch. Rather, organisations that are already educated on the need to manage risk for business reasons, and are acting upon it, will also want to get on top of their IT assets and what they are up to.
To take this one step further, perhaps there is no business case for behavioral analysis per se. That is, if such analysis is seen purely as a security measure, i.e. a way of working out what went wrong after the event so the hole can be plugged, it will always be difficult to justify. Alternatively, organisations that “get” such topics as risk management will be able to see behavioral analysis as a way of achieving some of the higher level goals that ensue, such as ongoing monitoring of risk levels in an already well-managed environment. In this context, anomaly spotting becomes a feature, and not an outcome.
Which is perhaps as things should be. Companies such as Tier-3 had better be in it for the long haul however, as there is still plenty of educating to be done just to get some organisations off the starting blocks.