Identity Crisis in the Land of Social Networks and Platforms

The Facebook platform debate continues to evolve with Dan Farber's recent piece on Facebook, social capitalists and open networks and Wired's very well thought out article Slap in the Facebook. The key question from my perspective is whether we consider the Internet as the platform or does Facebook or some other single entity come to dominate and become a platform. The history, and even the brief history of the internet, has examples of both - a platform owned by a single entity, and the internet itself as the platform with various platform players as parts of the whole:

• EBay: Ebay is a platform and is a pretty closed one. They recently had the chutzpah to even take on Google by banning Google Checkout. The APIs and other interfaces to Ebay allow you to enhance the functionality but does not offer any interoperability - you cannot cross list items on Ebay and some other auction site, etc.
  
• B2B: B2B Exchanges were an attempt to create a platform (remember Covisint) but eventually lost out to the Internet as the platform. Companies transact billions of dollars of business today on the B2B platform but they rely on protocols like RosettaNet and there is no single hub or platform that dominates.
• Instant Messaging: IM is an interesting case study as it started out as platform islands (Yahoo!, MSN, AOL) but over time and sometimes grudgingly they have learned to play well with each other. IM is still not an open network in the sense that I cannot create a new IM service and seamlessly connect to these proprietary IM networks.
• Email: Email is the ultimate open network. It has mostly worked great except the openness allows for spam and viruses to be spread using this platform. This security issue is a (valid?) excuse many platform players are using to keep their platforms closed.
  

What model is Facebook following?

So is Social Networking going the way of the EBay model, IM model or the Email model? Facebook today sits somewhere between the Ebaymodel and IM model. Under the Ebay model, Facebook does not enable to send messages back and forth to say MySpace - in fact, the messaging system could have been associated with an email address (@facebook.com) but is not. At the same time, unlike Ebay which blocked out Google Checkout, Facebook is allowing third-party applications to be shared and used in conjunction with its service - somewhat akin to the IM model. You still can't use your Facebook id to interact with someone that does not have a Facebook account.

The Identity Problem

Its been suggested several times that the lock in and lack of interoperability comes from the fact that the identity systems of Facebook and other services are not open and standards-based. If Facebook and others like Myspace all adopted the OpenID or equivalent identity system, it would be so much easier for users to leverage multiple services without worrying about whether they are built by Facebook, LinkedIn or MySpace. Irregular friend Dennis Howlett describes the conversation on Facebook use within the enterprise on his ZDNet blog post.

Dan Farber comments on this lack of interoperability:

Today, people are mostly content, experimenting with the more civilized walled gardens that aggregate information and friends and bank all the personal data and social capital. The revolution won’t happen until social capitalists realize that the capitalists–Facebook, Google, MySpace (News Corp.), etc.– shouldn’t have too much control over their digital lives.

Who will bell the cat?

I feel that the masses will not be the one's that change the status quo. It will be a game changer - a new Facebook or Google that will challenge the closed networks by offering a good enough service that is as good as MySpace or Facebook but is entirely open. In fact, Google could do this, and it would be much easier than you think. Here is what I would do if I were running Google social networks group (no, they haven't asked me):

• Google has the email accounts of several million users.
• Google could analyze my email messages to all users - this is where having stored all my emails helps - to determine my top 100 contacts. Repeat this for every user and you have created a social networking graph for all Google users and many non-Google users too.
• Google could then instantiate GoogleBook (I own the copyright!) accounts for every Google user ready to be activated. All a user would have to do is select and unselect the suggested links and the account would be all ready to go. For non-Google users, a 'claim this' GoogleBook account would be created which they can claim by requesting an email be sent to their email address.
• Google Groups - like functionality would be available for each user i.e., I can send messages to all my contacts, share calendar, files etc.
• And since you are NOT required to ever create a gmail (Google) account with a new id, the users wouldn't be forced to create yet another dan.farber@gmail/cnet/yahoo/etc.

Whether Google or some other new player does this anytime soon is anybody's guess but many of us are getting sick and tired of creating multiple user id's, checking messages on multiple inboxes and accepting the same 75 friends on 10 different social networks. For now here is my personal solution to the social networking problem - if you have my gmail address and my blog address, that is all that you need to reach me, read about me, see my pictures, date me, send me fan letters and/or harass me.

Update: Dan Farber has posted a response to this post on ZDNet and the conversation continues.

Update: Dan Farber reports that Google is planning a foray into social networking. I expect them to mine my email etc. for helping create my network - as I mention above - let's see what comes out.

Holistic is not just for Yoga anymore: Identity & Security

There has been a lot of interest in security and identity management in light of regulatory pressures and in response to incidents of theft and loss. I recently wrote the following article for Security Magazine- an excerpt follows.

A Holistic Approach to Physical and IT Security
When a famous bank loses thousands of credit card numbers or a hospital loses medical records, the customers and patients do not ask whether the theft happened over the wire or because of a break-in. There is loss of trust and damage to the value of the brand regardless of the method of breach. But many businesses continue to treat physical and IT security as unrelated silos. This approach is no longer acceptable against the changing realities, and many companies are beginning to realize the value of an integrated approach to security.

Identity Management Maturity Model

The Sarbanes-Oxley Compliance Journal published my piece on a maturity mdoel for identity management. You can read the full article here.

Achieving Compliance Through Identity Maturity
2006-10-27 12:00:00.0 CDT

Where do you want to be and how do you get there?

By Anshu Sharma

Security and identity management have become an important issue on the radar of CFO’s and CIO’s as wave after wave of regulations in the areas of financial controls, privacy protection, and identity theft prevention are adopted in various countries. US companies will spend upwards of $15 billion on technology products and professional services this year alone in order to adhere to new compliance regulations, according to AMR Research, Boston.

The initial response by organizations to these regulations has been to adopt a piecemeal approach but a duct-tape approach to fixing every possible identity and security loophole results in high expenditure without a sense of how close the business is getting to its end goal. The end goal is to be a secure, well-managed organization with optimized processes for employee on-boarding and off-boarding, and efficient controls that prevent fraud and detect problems in a timely manner. The path to this goal traverses through various levels of maturity.

...read full article

Oracle OpenWorld by kumasawa (Creative Commons license)

Nishan Kaushik who is an identity management guru and architect for the Oracle Identity Management products has written some excellent pieces on provisioning and role management at Talking Identity Blog.

Oracle OpenWorld is here to dominate San Francisco

Did I say dominate San Francisco? I meant Software!


Yes, Oracle is taking over San Francisco for the next week with its annual gala that has grown to over 40,000 attendees this year. I will be attending as a member of the Oracle Identity Management team- we have a signficant presence with demo booths and over 10 sessions. I will be presenting on "Managing Security in the World of Web2.0 and SOA". The aim of my presentation is to bring out the key common themes between Web2.0 and SOA, and at then address some of the common security concerns around web services. Another key enabling technology for Web2.0 and SOA is Federation that allows businesses and consumers to collaborate across organizational and network boundaries. I will also touch upon what is Enterprise2.0 and how do you apply mashups to enterprise services.

The event this year will include a much larger audience interested in applications with Siebel (Oracle|Siebel) and Peoplesoft (Oracle|Peoplesoft) having joined the ranks over the last 2 years. Fusion Middleware and Fusion Applications with emphasis on standards-based open architecture of SOA will be one of the key focus areas.

And yes, Sir Elton John will be performing. This should be fun. If you are attending, you should visit our Identity Management booth and say hello. And if you are not, visit the website to read material and watch the webcasts. And yes, Larry Ellison will be giving a keynote in addition to technology development leaders Chuck Rozwat and Thomas Kurian (his debut keynote at OpenWorld), and applications head John Wookey.

CNET's News.com has some nice pictures.