I recently attended the above conference (http://www.revolutionevents.plus.com/eema/index.htm) at the impressive Microsoft’s London offices in Victoria. Described as “Europe’s leading forum for this critical security application - tackling the key issues surrounding e-identity as a core enabler of today’s personal, business and government processes”, it was organised by eema (the European association for e-identity and security). Judging by the dominance of men in suits, the conference is aimed towards the business community where identity management is perceived to be an important issue. The following blog entry summarises some of the presentations from this event.

The morning session kicked off with some keynote presentations. One of these was from Kim Cameron (“eIdentity comes of age”), who believes we are at a tipping point where we have moved beyond the phase of initial adoption and now need to build on our initial successes. Identity management in the Cloud drew a lot of interest over the two days and Kim mentioned how cloud providers are adopting the same technologies (SAML, WS-Federation, WS-Trust) as a way of exchanging information. He believes that the real barriers are legal and governance not technological. There are also a number of “self-evident fallacies” that need to be corrected:

• Privacy is not opposed to security it’s a precondition of multilateral security.
• Identifying the masses is not likely to identify professional criminals
• We can prove we are not on a list without revealing who we are
• We can audit without creating a privacy and security vulnerability

Howard Schmidt’s keynote was an eID State of the Nation address. He looked at how eID is defined in different countries across Europe. Although some of these definitions might make uncomfortable reading to UK residents, as they involve a lot of government control over a citizen’s identity, he stated that in the UK who can argue with “an easy and secure way for legal UK residents to prove who they are?” I’m sure when put that simply people will tend to agree, but it’s more about how this information might be used and who controls it that is the issue. He talked about a “cradle to grave digital identity” but a digital identity will exist beyond a citizen’s life and needs to be preserved.

This was a truly European event with speakers from across Europe dealing with eID authentication, cross border eSignatures, the STORK project looking at providing online access to public services across EU borders, ID cards in the UK, etc. From further afield Bill Young from New Zealand gave an interesting presentation on the lessons they had learned implementing a shared government authentication service.

Day 2 started with a presentation on how IAM (Identity and Access Management) projects can be delivered on time and to budget despite a feeling that they are hard and complex. With the usual PowerPoint bullet point summary he listed four reasons as to why IAM projects fail to deliver:

• projects are often too big and take too long to deliver
• business speed and flexibility are sacrificed whilst pursuing improved security
• products are acquired rather than solutions
• lack of consultation with line of business

A roadmap to success should follow these rules:

• select a solution not a product
• consult with the business at all stages
• prioritise activities based on your strategic needs
• deliver quickly and develop incrementally over time

These rules could equally be applied to any IT project and not just one focussed on Identity and Access Management.

The importance of using Privacy Impact Assessments (PIA) to manage risk and reputation was the theme of Aaron Martin’s (LSE) talk. He believes that this isn’t done enough in IAM projects and because of this causes privacy problems. The assessment needs to be done early on and it’s well timed sound PIAs that result in privacy-friendly systems. The lessons learned from his research are that:

• Privacy by design is not something to fear
• PIAs when done properly can help manage risk and reputation
• Can be used to communicate the importance of privacy both internally and externally
• Build organisational trust
• There is a business case for privacy
• When in doubt, seek external advice to facilitate the process

Securing identity was the theme of the first session of the afternoon and the final presentation in this session was entitled “European Large Scale Action (ELSA) on future eID infrastructure – a new EU initiative”. When a presentation starts with the speaker telling us that ELSA will be dealing with things that are going to change the world we live in, it does grab your attention whether you believe it or not. The Commission is exploring ways to consider the demand and implementation of an eID infrastructure, which could be the basis for trustworthy services in e-government and e-commerce. It will take the digital identity beyond the STORK programme and address the needs of citizens, business and government. With digital identity at the focus of the EU commission ELSA will be a large programme (with an equally large budget) looking at a common trust policy and digital ID.

What struck me by the identity in the cloud session was that there is no unique definition or general consensus of Cloud Computing. It means different things to different people. What is clear though is that identity and identity management has a key role to play in the cloud.

The final session of the conference was the 2nd STORK Industry Group Meeting. “STORK is a large scale pilot in the ICT-PSP (ICT Policy Support Programme), under the CIP (Competitiveness and Innovation Programme), and co-funded by the EU. It aims at implementing an EU wide interoperable system for recognition of eID and authentication that will enable businesses, citizens and government employees to use their national electronic identities in any Member State. It will also pilot trans-border eGovernment identity services and learn from practice on how to roll out such services, and to experience what benefits and challenges an EU wide interoperability system for recognition of eID will bring.” - http://www.eid-stork.eu/ A lot of challenging questions were put to the presenters during this session. The minutes of this meeting will be available soon and will be worth reading for anyone interested in this programme.

I was asked to sit on the Panel Session at the recent JISC Leaping Hurdles: Planning IT Provision for Researchers event in London on 18 June 2009 (http://www.jisc.ac.uk/events/2009/06/leapinghurdleslondon.aspx). This event gave the opportunity for the JISC-sponsored Community Engagement projects to feed back some of their findings and to stimulate debate. The day started with presentations from the three Community Engagement projects eIUS, e-Uptake and ENGAGE and was followed by VRE projects, myExperiment, VERA, SDM VRE and CREW. There was a lot of useful discussion in the breakout sessions where barriers, and how these barriers might be solved, were discussed and then reported back to delegates.

The final part of the event consisted of the Panel Session where each member of the panel was asked the following question, “Who plans IT provision for researchers?”. The following is an extended version to the answer I gave during the session:

“One must remember that providing an e-infrastructure provides tangible benefits to the researcher – it speeds up their research, results are produced quicker, faster time to publication, an enabler for collaboration. The researchers benefits, the department benefits and the institution benefits. By funding researchers and giving them the e-infrastructure they need the institution benefits indirectly and this is something that needs to be realised so that it influences institutional planning.”

“The planning should be done at a national, institutional and research team level but they need to work together with an overall direction led at a national level.”

“Planning at the Institutional level must ensure researchers are served by the latest technology, realise the importance of research data and its value and ensure it is archived and accessible, ensure they are served adequately by their network and HPC clusters. They must give their researchers the support they need.”

“The funding bodies (research councils and the JISC) need to provide the required e-infrastructure but they also need to provide the help and support to use this e-infrastructure efficiently, to help join up communities and encourage collaboration, provide examples of best practice, identify successful projects and show how to overcome barriers.”

“Funding projects like the Community Engagement projects must influence institutional planning and not just national planning. There is no point having a national plan if there is no institutional plan, otherwise it’ll just cause barriers at an institutional level.”

Sponsored by the Oxford Internet Institute (OII - http://www.oii.ox.ac.uk/) this 2-day event (2/3 April 2009) combined presentations and group sessions to discuss a legal and policy framework for Identity Management.

Thanks to the wonders of Twitter I was also able to follow the Tweets for the Libraries of the Future Debate (http://www.jisc.ac.uk/whatwedo/campaigns/librariesofthefuture.aspx) on the first day by following the tag #lotf09, whilst also contributing to the IDM event (#oii-idm).

As the title suggests this was not a technical conference but one that wanted to look at the drivers for creating a legal and policy framework when dealing with identity management. It would seem that this is something that is not thought about before technical solutions are created and because of this it is preventing the uptake of these technologies.

The morning of the first day comprised of various presentations. The first talk dealt with managing risks and how organisations can act as digital Gods issuing an ID, understanding what you are doing with it and cancelling it when they choose. The point was also made that regulators are spending too much time helping the bad guys when they should be helping the good guys first. An interesting point from the second talk was that trust is related to culture and where you live in the world. Our digital life is moving to globalisation (aren’t we there already?) and we have fragmented authorisation and authentication systems. We used to know where jurisdiction was and the culture when things were kept local. This has become extremely complex as we have become more global. The idea that we all live peacefully in a global village is just not going to happen.

The idea of globalisation occurred in other talks as well. We need international policies and not just national ones. However, we need to start small and build outwards rather than trying to conquer the world in one go. Establishing a convention that other nations could sign up to should mirror the way passports became worldwide. Passports never existed until someone decided they were a good idea. They were introduced, other nations adopted them and they became global.

Some of the later talks dealt with issues like whether we can have separate public and private identities. Do we just have one identity but many personas? Should we even use the term “identity”? I wanted to know who had the most to gain from having a legal and policy framework. Is it the individual or the organisation/institution? Who benefits the most? Is it required so that organisations can manage risk? To get it to work it needs to benefit both sides. It even comes down to culture again. For example, if you trust your government (Sweden was used as an example) you are more likely to trust them to set basic rules regarding identity. How many other governments can be trusted in the same way?

Another presentation mentioned that it’s mainly the legal types that worry about legal frameworks and privacy issues. More people are moving towards a user-centric view and looking at what they can do now with their identity credentials.

After group sessions and discussions the workshop wrapped up with the conclusion that there is a need for a policy and legal framework that should support an infrastructure. It’s in an organisation’s interests to have some form of control but we need a means of redress if things go wrong. It was suggested that there should be a follow on workshop to discuss these issues further.

Last week I attended the successful and hugely popular JISC Conference (http://www.jisc.ac.uk/events/2009/03/jiscconference09.aspx). Yes I know I work for JISC so I would say that, but even before I joined JISC I was always impressed by the quality of their conferences, stands and their whole approach to marketing and communications. What I particular like about the JISC conference is the way the live feed opens up the event to everyone. Wouldn’t it be great if more conferences could do this? I am all for enablers and open access and this event was a perfect example. The JISC Events Blog (http://events.jiscinvolve.org/category/jisc09/) also allowed people to participate and give feedback to each part of the event.

The thing that struck me most about this year was how Twitter can be used as an efficient communication tool. This was particularly evident in James Farnhill and Lawrie Phipps’ “As You Like Identity” session (http://events.jiscinvolve.org/session-as-you-like-identity/) where not only were the audience Tweeting during the session but people who weren’t there were answering these Tweets. This session broke from the traditional format of having a number of presenters and was more of an interactive session which encouraged audience participation. With the live feed of keynotes and some sessions anyone tagging their Tweets with the tag JISC09 could get involved interactively even if they weren’t physically at the event. It didn’t just end when the event closed as people are still Tweeting and even if you don’t use Twitter you can read these on the main conference page (http://www.jisc.ac.uk/events/2009/03/jiscconference09.aspx).

As well as the sessions, the exhibition and the opportunity to network both the opening and closing sessions were excellent and thought provoking. I would recommend listening (or watching once the videos are online) to both of these if you get the chance. And to continue my Twitter theme, as Ewan McIntosh said in his closing keynote to the audience, if you’re not Twittering you are just watching, you are not involved. That might have alienated 95% of the audience but hopefully it has encouraged more people to get involved. A comment made to me at the end of the event was that the conference was great for coming up with ideas, but what happens after the event to move these forward. I would suggest that the Blog and the Twittering are key enablers in making this happen.

You can find my contact details on the JISC website.