Thursday, February 01, 2007

Symantec's version of Microsoft Passport?

I talked about Symantec's pending announcement of their "Security 2.0" initiative earlier today. Well, they're calling it their "Identity Initiative", but it's essentially Symantec's statement that they've arrived in the world of Identity...and Identity 2.0 at that.

For them to announce it at an event like Demo (traditionally a showcase for Startups) implies they want to be seen as innovators in this space. They've long been in the world of Antivirus and when they realised this was becoming commoditised, they started to diversify and move into managed services and more recently into Security Management software (see earlier post). CEO John Thompson is an ex-IBMer so he clearly understands all about expanding/diversifying a portfolio and moving away from commoditised, low profit margin markets (Note: A slightly IBM-biased view, but my excuse is that I've been force-fed IBM propaganda for the past 6 years).

Symantec understand they have the consumer market with their Antivirus products. So instead of going up against the likes of IBM, CA, Oracle, Sun, Novell, BMC et al in the space we know as Enterprise Identity Management, they've decided to play to their strengths and start their foray into Identity by going where there are far fewer competitors and where the market is far less mature (not that one could call Enterprise Identity and Access Management a mature market, but I'm speaking relatively here). Work in the User Centric Identity space is still very new and their entry allows them to cultivate their image as innovators.

As I've said before, Microsoft's CardSpace, OpenID and i-names are various popular technologies that attempt to tackle the User Centric Identity issues prevalent within the Internet. They are, however, just a bunch of standards, protocols and specifications around how this can be done. Sure, Microsoft has a CardSpace client to enable this to happen, and Sxip has a few technologies like Sxipper and Whobar that do similar things in terms of providing some of the infrastructure required. There's just one problem...most of the world doesn't know about Identity 2.0. They need to be educated...and this will take a while, even in light of all the security threats out there in the big bad Internet.

In this respect, Microsoft has a "leg up" on the competition. Eventually, all Windows users will have CardSpace capabilities built into Explorer and there may even be non-web clients that are CardSpace-enabled. If Microsoft's evil plan comes together, we'll all be using CardSpace eventually to do certain things (probably not everything though). It may not be so bad however, because Microsoft learned from their mistakes with their dismal attempts at CardSpace's predecessor, Passport. The biggest problem with Passport was that you had to trust Microsoft with ALL your information. They would store it on their servers and the plan was for them to be your central point of reference for your online identity. CardSpace has no such requirements. Your personal information is stored on your machine as Information Cards. The CardSpace client allows you to select the relevant Information Card required for the purpose of your identity transaction. This way, you don't give up all the keys to your kingdom, and the information exchanges are done securely via encryption mechanisms and set protocols.

Symantec seems to have realised that the key to User Centric Identity is to make it all invisible for the end user/consumer. In fact, it should be seamless, painless, secure and require little impact. What better way to do this than by leveraging existing infrastructure? Enrique Salem, group president of Symantec's consumer business unit, is quoted here as stating the following:
"We have a strong base to build from, with almost half of our active Norton user base already enrolled in a basic Norton Account. We’ll enable our millions of customers to extend the functionality of their Norton Account to manage all their information, all in one place."

Did I read that right? All their information in one place? I hope they don't mean to store everyone's details in one single place and leverage this the same way Microsoft tried to with Passport.

If they DO indeed decide to do that, hopefully they at least have the good sense to practice responsible disclosure of information, or even adopt the concepts offered as part of the Higgins project's Identity Mixer (yes, it was donated by IBM, but my point here is not to promote it but rather to highlight a feature), which essentially subscribes to the concept of using something akin to "vouch for" tokens: for example, instead of saying someone is 35, the token states that they are over 21, because the consuming party often just needs to know that fact rather than their actual age.
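To make the "vouch for" idea concrete, here is an added Python sketch (my own illustration, not code from Symantec, Higgins or Identity Mixer, which uses zero-knowledge credentials rather than a plain signed claim): the issuer derives and signs only the predicate "age>=21", and the relying party checks the signature and the predicate without ever seeing the birthdate. The issuer key, the HMAC stand-in for a real signature, the sample dates and the claim format are all assumptions.

```python
"""Minimal-disclosure ("vouch for") token: issue and verify a predicate, not the attribute."""
import hashlib
import hmac
import json
from datetime import date

# Constructed issuer secret; a real issuer would sign with an asymmetric key so
# relying parties can verify without holding the issuer's secret.
ISSUER_KEY = b"example-issuer-key-not-for-real-use"


def _sign(claims: dict) -> str:
    """Canonicalise the claims and MAC them (stand-in for a digital signature)."""
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()


def issue_predicate_token(birthdate: date, min_age: int, today: date) -> dict:
    """Issuer side: compute the yes/no answer from the full attribute.
    The birthdate and exact age never leave the issuer; only the predicate does."""
    age = today.year - birthdate.year - (
        (today.month, today.day) < (birthdate.month, birthdate.day))
    claims = {"predicate": f"age>={min_age}", "value": age >= min_age,
              "issued": today.isoformat()}
    return {"claims": claims, "sig": _sign(claims)}


def verify_predicate_token(token: dict, required_predicate: str) -> bool:
    """Relying-party side: check the signature and that the token answers the
    predicate this party actually needs. It learns a boolean, nothing more."""
    claims = token.get("claims", {})
    if not hmac.compare_digest(_sign(claims), token.get("sig", "")):
        return False  # forged or tampered claims
    return claims.get("predicate") == required_predicate and claims.get("value") is True


def demo():
    """Constructed scenario: a 35-year-old proves 'over 21'; a tampered token fails."""
    today = date(2007, 2, 1)  # the post's date, used as a fixed "now"
    tok = issue_predicate_token(date(1971, 6, 15), 21, today)  # age 35
    assert "birthdate" not in tok["claims"] and "age" not in tok["claims"]
    genuine = verify_predicate_token(tok, "age>=21")
    # An attacker rewriting the predicate to claim more than the issuer vouched for
    tampered = {"claims": dict(tok["claims"], predicate="age>=65"), "sig": tok["sig"]}
    return genuine, verify_predicate_token(tampered, "age>=65")


if __name__ == "__main__":
    print(demo())
```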

I wonder if Symantec are looking at the long-term big picture here and positioning themselves to be the "Identity Oracle" that Bob Blakley talks about here (at the time of posting, Bob's blog seems to be down)? If they are, then it's a very brave move. It may come to be a brilliant move. Only time will tell, but you've got to give them credit for having the guts to think big if this is indeed where they're heading. It may work, as long as they don't make the same mistakes Microsoft did with Passport. If they keep privacy at the top of their list of considerations with this initiative, they may get somewhere.

Symantec have also stated that the initiative will work with CardSpace and OpenID. That's a good start I suppose. Watch this space.

