Social Web TV Archives - Identity Woman

This year at SXSW I moderated a panel about OpenID, OAuth and data portability in the Enterprise. We had a community lunch after the panel, and walking back to the convention center, I had an insight about a key missing piece of software – Privileged Account Management (PAM) for the Social Web – how are companies managing multiple employees logging in to their official Twitter, Facebook and YouTube accounts?

I thought I should also explain some key things to help understand conventional PAM then get to social web PAM in this post covering:

regular identity management in the enterprise,
regular Privileged Account Management in the enterprise
Privileged Account Management for the Social Web.

1) IdM (Identity Management) in the Enterprise

There are two words you need to know to get IdM and the enterprise: “provisioning” and “termination“.

a) An employee is hired by a company. In order to login to the company’s computer systems to do their work (assuming they are a knowledge worker), they need to be provisioned with an “identity” that they can use to log in to the company systems.

b) When an employee leaves (retires, quits, laid off, fired), the company must terminate this identity in the computer systems so that the employee no longer has access to these systems.

The next thing to understand is logs.

So, an employee uses the company identity to do their work and the company keeps logs of what they do on company systems. This kind of logging is particularly important for things like accounting systems – it is used to audit and check that things are being accurately recorded, and who did what in these systems is monitored, thus addressing fraud with strong accountability.

I will write more about other key words to understand about IdM in the enterprise (authentication, authorization, roles, directories) but I will save these for another post.

2) Ok, so what is Privileged Account Management in the Enterprise?

A privileged account is an “über”-account that has special privileges. It is the root account on a UNIX system, a Windows Administrator account, the owner of a database or router access. These kinds of accounts are required for the systems to function, are used for day-to-day maintenance of systems and can be vital in emergency access scenarios.

They are not “owned” by one person, but are instead co-managed by several administrators. Failure to control access to privileged accounts, knowing who is using the account and when, has led to some of the massive frauds that have occurred in financial systems. Because of this, the auditing of logs of these accounts are now part of compliance mandates in

Sarbanes-Oxley
the Payment Card Industry Data Security Standard (PCI DSS),
the Federal Energy Regulatory Commission (FERC),
HIPAA.

Privileged Account Management (PAM) tools help enterprises keep track of who is logged into a privileged account at any given time and produce access logs. One way this software works is: an administrator logs in to the PAM software, and it then logs in to the privileged account they want access to. The privileged account management product grants privileged user access to privileged accounts [1].

Links to articles on PAM, [1] Burton Group Identity and Privacy Blog, KuppingerCole, Information Security Magazine.

3) Privileged Account Management on the Social Web.

Increasingly companies have privileged accounts on the social web. Dell computers has several for different purposes. Virgin America, (they link to the account from their website – thus “validating” that this is their real account), JetBlue, Southwest Airlines, Zappos CEO, (employees who twitter), Comcast Cares (Frank Eliason) (interestingly comcast on twitter is blank).

Twitter is just the tip of the iceberg – there are also “fan pages” on Facebook for brands. Coca-Cola, Zappos, NYTimes, Redbull, Southwest, YouTube Channels, Dunkin’ Donuts, etc, etc. on thousands of other platforms and yet-to-be-invented services.

These are very powerful accounts – they are managed and maintained by many employees around the clock and are the public voices of companies.

I have yet to see or hear of any software tools to enable enterprises to manage Social Web privileged accounts. How are companies managing access by multiple employees to these accounts?

Is there software that does this yet?

Is anyone working on these kinds of tools?

Leave your comments here or tweet with me @identitywoman

Last week it was announced that on on Friday Night at 9pm Pacific Facebook had a name space land rush. Everyone was free to pick for themselves their username that would appear in their URL. facebook.com/username

I actually found this a bit surprising – remember the big debate on the Social Web TV I had with Josh Elman about “real names.” He was against handles completely and felt that the big value facebook brought was “real names”. I argued for handles and the freedom to choose one’s “identity” on the web. I made the point that free society – having the ability freedom to have the option to have and use handles on the web NOT linked to our given/ in real life names. Another thing is that handles help us navigate namespace clash from regular names. Max from MySpace is 8bitkid not some other Max in a sea of Max’s.

I ran into Josh Elman at the Building43 party and we agreed I kinda won the debate with this latest development. It seems that having peoples pages rank higher in google is helped by having readable URL’s.

They of course “strongly encouraged” people to just pick a URL with one’s real name and did so by “suggesting” names that were derivatives of one’s name. You could override this and type in your own name choice (however defaults matter so most people will end up with names similar to their real name – rather then being asked to think up one). They give users an addressable identity.

Max Engel of MySpace became /8BitKid – his handle “everywhere”

David Recordon surprisingly didn’t go with DaveMan692 – his handle most places – he is /DavidRecordon

My friend Jennifer became /dangerangel as she had originally signed up for in Facebook but they disallowed her to have it.

I just became /Kaliya (I am hoping I can get enough fans to claim /identitywoman for that persona)

What is particularly interesting is the layers of identity in Facebook.

With a Facebook URLFacebook has the one’s username is not one’s e-mail address as it is with Google profiles and one also has a common name (or as they say “real name”) that is presented to throughout the system.

Google ironically enough they ask if you want a “contact” me button on your page that does not give away your e-mail address when the profile URL gives away your e-mail address.

Twitter has /usernames AND another display name of your choosing that is changeable (the /usernames are not). However most twitter clients display one or the other. If you are used to seeing the display name and then are on your phone that is only showing @handle /username then you don’t know who is talking.

Facebook usernames is another example Twitter feature adoption by Facebook others being activity streams becoming much more like twitter streams.

I said when I first “got” twitter about 18 months ago – a big part of the value it provided was its namespace. It gave me a cool anchor on the web that allowed communication between me and others via the web.

So how is it going so far? Inside facebook reports that over the weekend 6 million folks – 3% of their userbase gut URLs. 500,000 in the first 15 min, 1,000,000 in the first hour and 3 million in the first 14 hours.

There were several examples of FaceSquating. Mike Pence took Obiefernadez’s name.

Anil Dash has the funniest post ever about the whole thing. Highlight the point that users don’t need facebook URL’s they can just get their own domain name. He repeats this throughout the post about what these services are not telling you:

None of these posts mention that you can also register a real domain name that you can own, instead of just having another URL on Facebook.

I completely agree with him – he also misses a key point the usability of facebook is vastly higher then the usability of domain name registration, cpanel management and other things involved in getting ones own personal web presence going. DiSo isn’t hear yet so we can’t link to our friends without linking capability that a facebook provides. I suppose Chi.mp was trying to

He links to a post of his from December 2002 called privacy and identity control.

I own my name. I am the first, and definitive, source of information on me.

One of the biggest benefits of that reality is that I now have control. The information I choose to reveal on my site sets the biggest boundaries for my privacy on the web. Granted, I’ll never have total control. But look at most people, especially novice Internet users, who are concerned with privacy. They’re fighting a losing battle, trying to prevent their personal information from being available on the web at all. If you recognize that it’s going to happen, your best bet is to choose how, when, and where it shows up.

That’s the future. Own your name. Buy the domain name, get yourself linked to, and put up a page. Make it a blank page, if you want. Fill it with disinformation or gibberish. Plug in other random people’s names into Googlism and paste their realities into your own. Or, just reveal the parts of your life that you feel represent you most effectively on the web. Publish things that advance your career or your love life or that document your travels around the world. But if you care about your privacy, and you care about your identity, take the steps to control it now.

In a few years, it won’t be as critical. There will be a reasonably trustworthy system of identity and authorship verification. Finding a person’s words and thoughts across different media and time periods will be relatively easy.

What people don’t quite get is that if they anchor their whole online life around someone else’s domain they are locked in. When I first started paying attention to user-centric identity online this was one of the meta-long term issues that the first identity commons folks (Drummond Reed, Fen Lebalm, Owen Davis, Andrew Nelson, Eugene Kim, Jim Fournier, Marc Le Maitre, Bill Barnhill, Nikolaj Nyholm, etc).

A few of them wrote a paper about it all – THE SOCIAL WEB – Creating an Open Social Network with XDI.

They liked the XRI/i-names architecture because it addressed the URL recycling problem with a layer of abstraction. All i-names also have linked to them a conical identifier – an i-number. This number is never reassigned in the global registry. However one could “sell” one’s i-name (mine is =kaliya) and that new person could use it but it would have a different i-number assigned to it for that person.

This past week at the Online Community Unconference we were talking about the issue of conversation tracking around blog conversations. How an one watch/track the conversation about one’s work if it is cross posted on 10 different sites OR if it is just posted in one place and one is distributing a link through 10 different channels? We never did get to an answer – I chimed in that the web was missing an abstraction layer – that if one could have a canonical identifier for a post that was up in 10 different places this would make it easier to track/see conversations about that post. What we do have now that we didn’t have 3 years ago for helping track conversations across multiple contexts is OpenID at least so you can see if someone commenting in one place is the same as someone commenting in another.

There is an additional layer of abstraction in the XRI architecture that supports several things are key to helping people integrate themselves and information about themselves on thew web.

One is cross referencing – so I could have have two different (URI) addresses for the same information (in the identifier – not just mapped over one another leaving me with one address OR the other) and also have one version of my profile be the one I controlled and a different be a version that appeared in a certain social context.

There is also a concept of much finer grained data addressability and control – so I could have my home address in one place and instead of entering this into each website/services/company portal that I want to have this information – just hand them a link to the canonical copy I manage and then I don’t have to change it everywhere. This is of course where the VRM folks are going with their architectures and services.

We shall see how it all evolves. That is what we do at the Internet Identity Workshop is keeping on working on figuring this all out.