Identity Crisis

March 12, 2009
72 Views

If you haven’t been seeing it already, now is a good time to start watching what is happening in the identity management space.  This technology area is not one I have spent a lot of time in, but several things I’ve noticed recently led me to think we may be approaching the tipping point on this technology. In the face of horizontal identity management standards with multi-market appeal, it will be interesting to see whether any of the vertically-specific standards efforts will survive and thrive. And regardless of who wins, adoption will open some doors for analytics.

Let’s start with the obvious. In the life sciences market, there has been growing interest in the SAFE-BioPharma Digital Identity and Signature Standard. This standard continues to make progress, and has some sizeable sponsors behind it. Unfortunately, there is one problem with the Signatures and Authentication For Everyone standard: it’s not actually for everyone. The standard is really designed for authentication and verification of signatures and identities associated with regulatory submissions and their respective data and systems. Due to the regulatory requirements associated with establishing and managing..


If you haven’t been seeing it already, now is a good time to start watching what is happening in the identity management space.  This technology area is not one I have spent a lot of time in, but several things I’ve noticed recently led me to think we may be approaching the tipping point on this technology. In the face of horizontal identity management standards with multi-market appeal, it will be interesting to see whether any of the vertically-specific standards efforts will survive and thrive. And regardless of who wins, adoption will open some doors for analytics.

Let’s start with the obvious. In the life sciences market, there has been growing interest in the SAFE-BioPharma Digital Identity and Signature Standard. This standard continues to make progress, and has some sizeable sponsors behind it. Unfortunately, there is one problem with the Signatures and Authentication For Everyone standard: it’s not actually for everyone. The standard is really designed for authentication and verification of signatures and identities associated with regulatory submissions and their respective data and systems. Due to the regulatory requirements associated with establishing and managing those types of credentials, the standard does not really provide the type of flexibility typically associated with Identity 2.0 techniques. It also requires a licensing fee for each credential.

The Liberty Alliance is a project looking across vertical markets to drive support for open standards in identity management. They have a veritable who’s who of member companies across many markets, including AOL, Intel, Oracle, Sun, HIMSS, American Express, Paypal, The Open Group, US Department of Defense, BT, Ericsson, Nokia, Sprint, and Vodafone. They have both a strategic initiative as well as a special interest group focused specifically on the application of these standards in healthcare. There is a relatively recent Aetna case study on their site that gives a little more insight into how these standards are implemented if you are interested.

Beyond these industry initiatives, there seems to be some convergence around one of the horizontal identity approaches, a standard called OpenID. If you are not familiar with it, OpenID is an open, decentralized standard for user authentication and access control. As opposed to your typical userid/password model, an OpenID is in the form of a unique URL which is authenticated by the URL provider. As such, you do not need a central authority for authentication — any OpenID provider can authenticate a user to any OpenID-enabled application. By the end of 2008, we saw some pretty heavy hitters on board with OpenID: Yahoo, Google, Microsoft, IBM, Orange, Paypal, VeriSign, WordPress, Flickr, MySpace, Sun, and AOL just to name a few.

Of course, authentication and access control is only one dimension of an individual’s identity and credentials. If I use my OpenID on System A to log on to System B, today all that System B really knows is that I have a System A account. Most of the largest OpenID deployments only use login — the accounts themselves are not transferable across OpenID providers, so you are still maintaining different accounts (and therefore identities). Similarly, OpenID does not fix the fact that I can have an endless number of OpenIDs. For example, I have a Google account, a Microsoft Windows Live account, and a Yahoo account. Which account represents my consistent, trusted identity?

Accepting those current limitations, though, OpenID does seem like a good idea. One company that is adding some cool functionality around their implementation of OpenID is chi.mp. Though still in Beta, chi.mp gives you the ability to create and manage a more comprehensive identity, and control who is able to see what aspects of that identity. For an example, see my id, and notice that my id is actually a domain. Chi.mp can import feeds and contacts from your accounts on other services like Twitter, and — here’s the cool part — allows you to aggregate your contacts’ identities. So, if my friend Jane has an account on Twitter, an account on Facebook, and an account on Flickr, I can not only import her contact information from all 3 accounts into chi.mp, but I can tell chi.mp that these 3 contacts are actually the same person. From that point forward, information about Jane’s identity is all tied to a common contact. If anyone out there wants to give chi.mp a try, I’ve got a few private invitations to the beta program that I’ll give out to the first 5 people who twitter me their name and email address.

So why do I think identity management is a good thing for analytics? Well, for one thing, we are increasingly being asked to perform analytics around social networks. For example, data and text mining algorithms can be applied to better understand patient disease communities, physician influence networks, and healthcare fraud patterns. If I am able to associate a common identity across different networks, the power of my analytics increases. Also, the nature of research is such that we are increasingly relying on information outside our corporate firewalls. If a researcher is able to “take their identity with them” as they move from institution to institution and project to project, my ability to collaborate with that individual around the analysis of their data also improves. The same holds true for programmers and their code, data managers and their reviews, etc.

Have you tried any of these identity management areas? Any impressions to share?

Link to original post