Kantara ID Pro BoK meeting TODAY 11am EDT
Greetings,
Please join us today for our BoK / Taxonomy meeting at 11am EDT. Dial-in details are listed below; you may view the complete list of call details for each meeting by accessing the Kantara calendar https://kantarainitiative.org/calendars/.
All the best,
Megan
###
*BoK/Taxonomy WG* Monday, April 24, 2017
11:00am to 12:00pm Eastern Daylight Time
Link to workspace: https://kantarainitiative.org/confluence/pages/viewpage.action?pageId=85492303
Please join my meeting from your computer, tablet or smartphone. https://global.gotomeeting.com/join/135593357
You can also dial in using your phone. United States: +1 (571) 317-3116
Access Code: 135-593-357
More phone numbers
Australia: +61 2 8355 1034
Austria: +43 1 2060 92964
Belgium: +32 28 08 4372
Canada: +1 (647) 497-9372
Denmark: +45 69 91 84 58
Finland: +358 923 17 0556
France: +33 170 950 590
Germany: +49 692 5736 7206
Ireland: +353 19 030 053
Italy: +39 0 699 26 68 65
Netherlands: +31 208 080 759
New Zealand: +64 9 974 9579
Norway: +47 21 04 30 59
Spain: +34 931 76 1534
Sweden: +46 775 757 471
Switzerland: +41 435 0026 89
United Kingdom: +44 20 3713 5011
First GoToMeeting? Try a test session: http://help.citrix.com/getready
--
Megan Cannon
Kantara Initiative, Inc.
An interesting question is whether the BoK is to document the digital
identity status quo, or to also move our shared understanding into
relatively less-charted levels. For example, Ian Glazer proposed an
innovative threat model, and a maturity model, that I haven't seen
elsewhere.
I summarize and link to the Changing Face/Fate of Identity talk from Ian in
this post
http://security-architect.com/ciam-changing-fate-identity-part-2/. You'll
note reference to Ian's thinking that transparency and accountability
controls must be added to preventative IAM controls. Note my thoughts there
that applying these and other advanced controls will be challenging in the
post-GDPR era - but perhaps essential for businesses to retain the ability
to go-to-market with customers in digital.
In short I believe that we may be earlier in the evolution of digital
identity architecture than most think, and would be an advocate for a
forward-looking BoK...
Looking forward to today's discussion!
Dan Blum
Security Architects Partners / KuppingerCole
Check out the blog at http://security-architect.com
----------------------
We are a highly-experienced group of consultants dedicated to helping
clients plan, specify and develop security programs, policies and
technology solutions.
On Mon, Apr 24, 2017 at 7:46 AM, Megan Cannon
_______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idpro
My view is that once a sub-domain can be accurately described in a
reasonably stable way then it qualifies for inclusion in the BoK. We can
have unfilled categories in the Taxonomy - no issue there with creating
forward-looking branches because it's easy to adjust as needed, up until
the point we fill in the BoK content (after that it's hard to change the
taxonomy).
So: if you are the type to hang out at "Identity on the blockchain" kinds
of events you might see taxonomy branches about those topics but no actual
BoK content.
Check back in a few years, once things have been tried out more and there's
a growing consensus (get it? ha!) on a few potentially viable paths forward
and the writers can start finding and curating the content for the BoK.
The BoK is the stuff an ID Pro should know (loosely body of knowledge) and
also the stuff an ID Pro should know about (loosely taxonomy).
Finding the balance will be an ongoing challenge - but if content writers
struggle to compose a reasonably sane description for a BoK section then we
can suspect that it's still too early.
andrew.
*Andrew Hughes* CISM CISSP
Independent Consultant
*In Turn Information Management Consulting*
o +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road,
Victoria, BC V8P 2H8
AndrewHughes3000@gmail.com
ca.linkedin.com/pub/andrew-hughes/a/58/682/
*Identity Management | IT Governance | Information Security*
On Mon, Apr 24, 2017 at 5:41 AM, Dan Blum
Hi All,
first, a quick recap from today's meeting:
* we talked about the idea to 'engage' and get some expertise from Knowledge Management Experts and the mentioned approaches (see my mail from yesterday regarding RoadMaps and vehicles). We haven't concluded or decided on that yet. Let's wait if we get more replies to the mail and on that idea. Nevertheless I will personally reach out to the guys from ontotext, as I have other topics to discuss with them anyway.
* We then discussed the draft for the presentation at EIC; I hope I can send a draft at least tomorrow.
* finally, a discussion arose about topics that might be missed in the taxonomy (example: Risk Management).
My personal take on the latter one: I don't think we should now specifically think about one missing topic in particular, but about the question in which dimension the taxonomy can/should be extended if required, without the need to rewrite the whole BoK. Should we add another Category? Another slice? Or another ring around the cake as a whole? Or maybe another 'deck'?
I would prefer either a new ring around the cake, or another deck. But not another category or slice, as I do not think we have anything that is NOT either related to Identities, Authentication, Authorization and Management. And each of those can fully be described with Standards/Good Practice/Concepts/Regulations. In a worst case scenario, there is always the 'Management/Concept' combination, where everything can be sorted in, without shamefully getting red in the face.
T.
On 24.04.2017 20:27, Andrew Hughes wrote:
On the call today with Torsten and the others we seemed to be in general
agreement that the BoK could be made more extensible by adding a few more
(or different) cross-cutting considerations. For example:
- Concepts
- Best practices
- Regulations
- Standards and Protocols
Could become
- Governance and Management
- Use cases
- Risks, vulnerabilities, and threats
- Regulations
- Standards and Protocols
- Future considerations
Rationale
- Cognitively it is good to have between 4 and 7 items on a graphical
list like that
- Best practices (aka good practices) could be added as a 7th or just
assumed to be included pervasively in the 4 major functions and the
cross-cutting considerations alike
- Use cases (aka user stories) can capture a lot of things from the
mainstream use cases to industry sector, geographic differences, edge
cases. We could also include the critical topic of business enablers (or
business opportunities) in use cases.
- Governance and Management are crucial and should not be omitted; they
can also capture many models, methodologies and concepts, including how
you measure ROI on identity
- Future considerations is a handy category for all the things you want
to keep track of that could become important, like Blockchain identity,
etc. We had that as part of the Burton/ Gartner reference architecture.
Having it as a well-maintained category would help the BoK be future-proof
and evolve.
For me, this now would approach "comprehensive".
Dan Blum
Security Architects Partners
Check out the blog at http://security-architect.com
----------------------
We are a highly-experienced group of consultants dedicated to helping
clients plan, specify and develop security programs, policies and
technology solutions.
On Mon, Apr 24, 2017 at 2:27 PM, Andrew Hughes
Thanks Dan - as long as we can balance the amount of material against the
maintenance & upkeep load and also the sparse nature of the early BoK, I'm
OK with more categories. (can you tell that I'm mildly skeptical?)
I'd like to hear from others who are not deep into the infosec or systems
worlds to see how this fits the group.
I actually do like the suggestion of the finer structure - but that happens
to be a worrying sign :)
I think it is essential to retain the idea of 'Concepts' and 'Good
practice' - because those are the hardest things for practitioners on the
edges of the profession to figure out. Yes, 'use cases' and 'security' (r,
v, t) are good ones - but do they presuppose a particular conceptual
framework? Imagine you are the business manager for an online service where
mis-identification is a critical risk - you need to understand if your
teams have the skills and knowledge to effectively deal with it.
I don't know - need more input from the crowd
andrew.
*Andrew Hughes* CISM CISSP
Independent Consultant
*In Turn Information Management Consulting*
o +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road,
Victoria, BC V8P 2H8
AndrewHughes3000@gmail.com
ca.linkedin.com/pub/andrew-hughes/a/58/682/
*Identity Management | IT Governance | Information Security*
On Mon, Apr 24, 2017 at 12:49 PM, Dan Blum
Hi Dan,
I think we have a massive misunderstanding here, or at least I understand 'general agreement' differently!
Let me once again explain the goal of the taxonomy (from the google working doc we are working on, pdf attached):
*"Taxonomy, in this context, refers to the overall scheme of classification used to describe the Digital Identity practices body of knowledge."*
The Taxonomy is NOT a kind of 'Table of content'! Changing it as you propose would mean questioning everything we have done (and agreed on a group level) during the past month. I am sorry, but it simply does not fit, and your section 'rationale' is covered in the taxonomy already; please check the attached doc.
What we (from my understanding) agreed on today, and what I have expressed in my meeting minutes mail, was that the taxonomy should be open/prepared to (some time in the future) be extended, as there might be totally new areas of knowledge that no one has thought of. But for now, I highly encourage to leave the taxonomy as it is, at least for this version 1.0.
If the majority of the group decides differently, then I am fine to re-open that discussion. But I think we should continue to get a grip on the Body of Knowledge.
my 4 cent
Thx,
Thorsten
On 24.04.2017 21:49, Dan Blum wrote:
On the call today with Torsten and the others we seemed to be in general agreement that the BoK could be made more extensible by adding a few more (or different) cross-cutting considerations. For example:
* Concepts * Best practices * Regulations * Standards and Protocols
Could become
* Governance and Management * Use cases * Risks, vulnerabilities, and threats * Regulations * Standards and Protocols * Future considerations
Rationale
* Cognitively it is good to have between 4 and 7 items on a graphical list like that * Best practices (aka good practices) could be added as a 7th or just assumed to be included pervasively in the 4 major functions and the cross-cutting considerations alike * Use cases (aka user stories) can capture a lot of things from the mainstream use cases to industry sector, geographic differences, edge cases. We could also include the critical topic of business enablers (or business opportunities) in use cases. * Governance and Management are crucial and should not be omitted, they can also capture many models, methodologies and concepts including how do you measure ROI on identity * Future considerations is a handy category for all the things you want to keep track of that could become important, like Blockchain identity, etc. We had that as part of the Burton/ Gartner reference architecture. Having it as a well-maintained category would help the BoK be future-proof and evolve.
For me, this now would approach "comprehensive".
Dan Blum, Security Architects Partners. Check out the blog at http://security-architect.com/
----------------------
We are a highly-experienced group of consultants dedicated to helping clients plan, specify and develop security programs, policies and technology solutions.
On Mon, Apr 24, 2017 at 2:27 PM, Andrew Hughes <andrewhughes3000@gmail.com> wrote:

My view is that once a sub-domain can be accurately described in a reasonably stable way, then it qualifies for inclusion in the BoK. We can have unfilled categories in the Taxonomy; no issue there with creating forward-looking branches, because it's easy to adjust as needed up until the point we fill in the BoK content (after that it's hard to change the taxonomy).
So: if you are the type to hang out at "Identity on the blockchain" kinds of events you might see taxonomy branches about those topics but no actual BoK content.
Check back in a few years, once things have been tried out more and there's a growing consensus (get it? ha!) on a few potentially viable paths forward and the writers can start finding and curating the content for the BoK.
The BoK is the stuff an ID Pro should know (loosely body of knowledge) and also the stuff an ID Pro should know about (loosely taxonomy).
Finding the balance will be an ongoing challenge, but if content writers struggle to compose a reasonably sane description for a BoK section, then we can suspect that it's still too early.
andrew.
*Andrew Hughes *CISM CISSP Independent Consultant *In Turn Information Management Consulting*
o +1 650.209.7542 m +1 250.888.9474 1249 Palmer Road, Victoria, BC V8P 2H8 AndrewHughes3000@gmail.com ca.linkedin.com/pub/andrew-hughes/a/58/682/ *Identity Management | IT Governance | Information Security *
On Mon, Apr 24, 2017 at 5:41 AM, Dan Blum <dan.blum@security-architect.com> wrote:

An interesting question is whether the BoK is to document the digital identity status quo, or to also move our shared understanding into relatively less-charted levels. For example, Ian Glazer proposed an innovative threat model, and a maturity model, that I haven't seen elsewhere.
I summarize and link to the Changing Face/Fate of Identity talk from Ian in this post: http://security-architect.com/ciam-changing-fate-identity-part-2/. You'll note the reference to Ian's thinking that transparency and accountability controls must be added to preventative IAM controls. Note my thoughts there that applying these and other advanced controls will be challenging in the post-GDPR era, but perhaps essential for businesses to retain the ability to go to market with customers in digital.
In short I believe that we may be earlier in the evolution of digital identity architecture than most think, and would be an advocate for a forward-looking BoK...
Looking forward to today's discussion!
Dan Blum, Security Architects Partners / KuppingerCole. Check out the blog at http://security-architect.com/
----------------------
We are a highly-experienced group of consultants dedicated to helping clients plan, specify and develop security programs, policies and technology solutions.
On Mon, Apr 24, 2017 at 7:46 AM, Megan Cannon <megan@kantarainitiative.org> wrote:

Greetings,
Please join us today for our BoK / Taxonomy meeting at 11am EDT. Dial-in details are listed below; you may view the complete list of call details for each meeting by accessing the Kantara calendar: https://kantarainitiative.org/calendars/.
All the best,
Megan
_______________________________________________
DG-IDPro mailing list
DG-IDPro@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-idpro
Sorry about using the words "general agreement". Didn't mean to hoist a red flag. I was just suggesting ideas I hoped would be helpful.

Kind regards,
Dan

On Mon, Apr 24, 2017 at 4:49 PM, Thorsten H. Niebuhr [WedaCon GmbH] <tniebuhr@wedacon.net> wrote:
Hi Dan,
I think we have a massive misunderstanding here, or at least I understand 'general agreement' differently!

Let me once again explain the goal of the taxonomy (from the Google working doc we are working on, PDF attached):

*"Taxonomy, in this context, refers to the overall scheme of classification used to describe the Digital Identity practices body of knowledge."*

The Taxonomy is NOT a kind of 'Table of content'! Changing it as you propose would mean questioning everything we have done (and agreed on a group level) during the past month. I am sorry, but it simply does not fit, and your section 'rationale' is covered in the taxonomy already; please check the attached doc.

What we (from my understanding) agreed on today, and what I have expressed in my meeting minutes mail, was that the taxonomy should be open/prepared to be extended (some time in the future), as there might be totally new areas of knowledge that no one has thought of. But for now, I highly encourage leaving the taxonomy as it is, at least for this version 1.0.

If the majority of the group decides differently, then I am fine to re-open that discussion. But I think we should continue to get a grip on the Body of Knowledge.
my 4 cent
Thx,
Thorsten
participants (4)
- Andrew Hughes
- Dan Blum
- Megan Cannon
- Thorsten H. Niebuhr [WedaCon GmbH]