Personal data and a new business model

May 8, 2012

Interesting:

Instead of thinking of the digital data as something collected by others and somehow used against you, it becomes a mechanism for you to get companies to send you information about things you actually want to buy.


Personal.com, located in the Washington, DC area, have built a personal data service that encourages users to enter personal information into Personal’s cloud-based vault.  The service allows people to organize their data into ‘gems’, then send this information to family, friends and business associates.  Here are some quick-hit videos that explain the company and the concept.

I have direct experience with personal data vaults and, frankly, the uptake on this type of service is currently poor.  It may well be a generational thing, and perhaps time has to pass before enough people will trust a cloud service with their secrets.

But I think that the real obstacle for existing personal vaults may well be the current ‘user pay’ business model.  People don’t see the value in a paid-for personal data service — but could they use a service that allows them to control and sell their own personal data?

Personal’s model anticipates a future where advertisers will seek out personal data from prospects and pay for the information.  Personal is hoping to capitalize on this by becoming the broker for millions of personal data transactions, and taking a percentage of the transaction fees as commissions.  We — as rightful owners of the data — get the rest!

Is this the future of personal data? Are we seeing a move away from intrusive data collection for the service operator’s profit alone (the Google and Facebook models) to a world where we own, control and reap the benefits of our own information?

Mike


IAM for the smaller enterprise

May 3, 2012

My clients find identity solutions to be complex and costly to implement.  For mature and/or large enterprises, these issues are simply a cost of doing business — and compliance or online strategic drivers are usually sufficient to fund and launch an IAM initiative.

For the smaller enterprise there appear to be two paths followed: do nothing or do it poorly.  When done poorly, shoddy IAM implementations can result in poor credential management, lousy availability and inappropriate access controls.

So how does a smaller company or organization deal with identity properly? How can users be efficiently identified online without building expensive, custom solutions? What service levels and supports are possible for a login service when staff go home at 5pm? How can niche needs like strong authentication be met without excessive server license costs and complex implementations?

Enter the cloud.  Cloud-based IAM service providers are maturing and there are a number of offerings suited to the smaller organization.  For example:

  • Symplified offers a full IAM service that promises plug-and-play integration with surprising depth, including support for mobile devices and apps.
  • PhoneFactor has a slick and secure solution for two-factor authentication that can be licensed on a per-use basis.
  • TransUnion have a robust identity proofing service for the critical process of confirming the identity of an online visitor.

Using one or more of these solutions allows for rapid deployment of IAM for smaller organizations.  The cost savings are considerable and service levels are beyond what most companies could hope to provide on their own.  There still remains integration work — applications need to be ‘plumbed’ to inter-operate with the cloud solutions — but all the heavy lifting of designing and configuring a solution is eliminated.

The maturation of cloud IAM solutions means an increased number of companies can implement secure and compliant solutions without the long lead-times and high cost of traditional product-based offerings.  In this age of rampant data breaches and increased focus on compliance, this is a welcome development.

Mike


Cloud Computing: Schneier and Ranum weigh in

May 23, 2009

Unless you’ve been living in a cave over the past six months, you are probably aware that Cloud Computing is the Next Big Thing.  Of course, it isn’t new or unique — it is a form of centralized computing and application delivery that has existed since the first time-sharing systems emerged in the 60s.

But the big vendors need a story to push their products and services, and Cloud Computing is it for 2009. It isn’t surprising that the information security and privacy protection aspects of cloud computing are starting to get a lot of attention as well.

What are the risks? How secure is my data in the Cloud? What privacy protections can I rely on? Do you really trust your service provider?

Bruce Schneier and Marcus Ranum have a video from their Face-Off series that is well worth viewing for anyone looking to take advantage of Cloud Computing services.

I like Ranum’s emphasis on limited data access and lack of portability. Locking clients into a hosted application and database is going to be a problem when the client wants to use another provider. Just how do you move five years of email from Gmail to your own mail server? Can you quickly extract and replatform your critical sales data from Salesforce.com if Salesforce gets bought out by one of your competitors?

Mike


PS2009 — Epilogue

February 7, 2009

The 2009 Privacy and Security Conference is over for another year. As usual I was treated to some interesting new ideas, issues and solutions.

But this year I’m conscious of the number of times that I left the session with a feeling that the speaker had been cut off or missed delivering their conclusion. It wasn’t that the presenters were weak (they weren’t) but rather that many sessions ended with unanswered questions.  Such is the state of privacy and security in 2009 I suppose…

A random sampling includes:

  • How will IdM and access be effectively implemented in our hospitals and clinics? The physicians see authentication as an obstacle to delivering health services, yet health delivery organizations must have appropriate controls in place.  The CIO for Vancouver Island Health Authority had the problem well defined but didn’t give us insight as to what solutions she saw as promising.
  • When, if ever, will the US introduce effective Federal privacy legislation?  This conference has a fair number of US-based speakers and each one tells an American story prefaced by ‘up here in Canada, this is less a concern because of your privacy laws’.
  • Can government ever leverage Cloud Computing, or will data control always limit its ability to leverage the Cloud?  Nicholas Carr didn’t answer this question for us, and — given this was a public sector conference — I think most of us are skeptical that the Cloud will ever meet government needs.
  • What is the ‘killer use case’ for user-centric IdM?  Stefan Brands was technically very good in his presentation, but too often user-centric IdM is focused on the model and technology.  We get the technology now — but what are we going to use it for beyond low-value SSO?  (This topic is certainly fodder for future posts on this blog.)

Despite these loose ends, I enjoyed this conference again this year — it was good to meet new people, kibitz with a few clients and enjoy the spring-like maritime weather.  I’m sure to be back in 2010.

Mike


PS2009 — Winn Schwartau

February 7, 2009

Feb 4th, 9:40am
Live blog post…

Winn Schwartau is the President of Interpact Inc. He explains how easy it is to gather information on an individual; medical, financial and legal information are all available using a range of free and paid Internet services.

Key concerns:
- On the Internet today, there are approx. 500,000 databases containing personal information.
- Virtually no regulation exists to protect privacy, especially in the US.
- No-one reads usage agreements that outline what a company can do with our data.
- Privacy rules/laws difficult to set because technology changes so rapidly.
- 75 percent of US residents have had data on them lost or stolen.

He makes a number of interesting points:
- Why can’t we treat our personal details as copyrighted information? Why can’t we own our own names?
- The questions are ethical not legal.
- We need to redefine ‘public domain’ to mean ‘for the public good’.
- We should be able to tell companies that they can only use our information for one transaction (unless we order otherwise).
- We must be able to request and receive all information held on us by companies.
- We must have data error repair rights and, if possible, some recourse for abuse.
- Need leadership and global cooperation to bring about change.

Interesting and thought-provoking; more info at www.thesecurityawarenesscompany.com.

Mike

