Fischer Identity, Baylor University, and IAM

Fischer Identity recently shared a link to a Chronicle of Higher Education article about campus digital identities. It specifically discusses how Baylor University worked with Fischer Identity and Amazon Web Services (AWS) to create an identity and access management (IAM) solution.

I won’t give away all the information about the Fischer Identity-AWS effort at Baylor—you have to opt in to access a gated case study to obtain that—but I will say that the case study claims a 12-week implementation of an IAM system that stores “several hundred thousand identities.”

I assume the alumni at Baylor are a generous segment of the university community.

A Few Thoughts on FedRAMP

The 438 U.S. federal agencies (as of today) probably have over 439 different security requirements. When you add state and local agencies to the list, security compliance becomes a mind-numbing exercise.

  • For example, the U.S. Federal Bureau of Investigation has its Criminal Justice Information Systems Security Policy (version 5.9 is here). This not only applies to the FBI, but to any government agency or private organization that interfaces to the relevant FBI systems.
  • Similarly, the U.S. Department of Health and Human Services has its Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Again, this also applies to private organizations.

But I don’t care about those. (Actually I do, but for the next few minutes I don’t.) Instead, let’s talk FedRAMP.

Why do we have FedRAMP?

The two standards that I mentioned above apply to particular government agencies. Sometimes, however, the federal government attempts to create a standard that applies to ALL federal agencies (and other relevant bodies). You can say that Login.gov is an example of this, although a certain company (I won’t name the company, but it likes to ID me) repeatedly emphasizes that Login.gov is not IAL2 compliant.

But forget about that. Let’s concentrate on FedRAMP.

Why do we have FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP®) was established in 2011 to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information. In December 2022, the FedRAMP Authorization Act was signed as part of the FY23 National Defense Authorization Act (NDAA). The Act codifies the FedRAMP program as the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information.

From https://www.fedramp.gov/program-basics/.

Note the critical word “unclassified.” So FedRAMP doesn’t cover EVERYTHING. But it does cover enough to allow federal agencies to move away from huge on-premises server rooms and enjoy the same SaaS advantages that private entities enjoy.

Today, government agencies can consult a FedRAMP Marketplace that lists FedRAMP offerings the agencies can use for their cloud implementations.

A FedRAMP authorized product example

When I helped MorphoTrak propose its first cloud-based automated biometric identification solutions, our first customers were state and local agencies. To propose those first solutions, MorphoTrak partnered with Microsoft and used its Azure Government cloud. While those first implementations were not federal and did not require FedRAMP authorization, MorphoTrak’s successor IDEMIA clearly has an interest in providing federal non-classified cloud solutions.

When IDEMIA proposes federal solutions that require cloud storage, it can choose to use Microsoft Azure Government, which is now FedRAMP authorized.

It turns out that a number of other FedRAMP-authorized products are partially dependent upon Microsoft Azure Government’s FedRAMP authorization, so continued maintenance of this authorization is essential to Microsoft, a number of other vendors, and all the agencies that require secure cloud solutions.

They can only hope that the GSA Inspector General doesn’t find fault with THEM.

Is FedRAMP compliance worth it?

But assuming that doesn’t happen, is it worthwhile for vendors to pursue FedRAMP compliance?

If you are a company with a cloud service, there are likely quite a few questions you are asking yourself about your pursuits in the Federal market. When will the upward trajectory of cloud adoption begin? What agency will be the next to migrate to the cloud? What technologies will be migrated? As you move forward with your business development strategy you will also question whether FedRAMP compliance is something you should pursue?

The answer to the last question is simple: Yes. If you want the Federal Government to purchase your cloud service offering you will, sooner or later, have to successfully navigate the FedRAMP process.

From https://www.mindpointgroup.com/blog/fedramp-compliance-is-it-worth-it.

And a lot of companies are doing just that. But with fewer than 400 FedRAMP authorized services, there’s obviously room for growth.

Worldcoin Publicly Exposes Its Security

One advantage of an open source project is that there are far fewer secrets to hide. If a commercial firm develops biometric products, it has a responsibility to its investors to not release sensitive information.

Worldcoin has few limitations on sharing information because it is an open source project, so when governments in Argentina, Kenya, and elsewhere raised questions about what Worldcoin does with its citizens’ biometric data, Worldcoin could afford to conduct a security assessment…and publicly share the results.

Although findings…describe potential attack surfaces and are of high or medium severity, (Trail of Bits’) analysis did not uncover vulnerabilities in the Orb’s code…

From https://github.com/trailofbits/publications/blob/master/reviews/2023-08-worldcoin-orb-securityreview.pdf

Read Trail of Bits’ full report at https://github.com/trailofbits/publications/blob/master/reviews/2023-08-worldcoin-orb-securityreview.pdf. Note that Trail of Bits ONLY analyzed the software running on the Orb, NOT the back-end software.

Also see Biometric Update’s coverage. It notes that Trail of Bits also analyzed the security of Voatz’s voting software.

What is B2B Writing?

Business-to-business (B2B) writing isn’t as complex as some people say it is. It may be hard, but it’s not complex.

Why do I care about what B2B writing is?

Neil Patel (or, more accurately, his Ubersuggest service) um, suggested that I say something about B2B writing.

And then he (or it) suggested that I use generative artificial intelligence (AI) to write the piece.

I had a feeling the result was going to suck, but I clicked the “Write For Me” button anyway.

Um, thanks but no thanks. When the first sentence doesn’t even bother to define the acronym “B2B,” you know the content isn’t useful to explain the topic “what is B2B writing.”

And this, my friends, is why I never let generative AI write the first draft of a piece.

So, what IS B2B writing?

Before I explain what B2B writing is, maybe I’d better explain what “B2B” is. And two related acronyms.

  • B2B stands for business to business. Bredemarket, for example, is a business that sells to other businesses. In my case, marketing and writing services.
  • B2G stands for business to government. Kinda sorta like B2B, but government folks are a little different. For example, these folks mourned the death of Mike Causey. (I lived outside of Washington DC early in Causey’s career. He was a big deal.) A B2G company, for example, could sell driver’s license products and services to state motor vehicle agencies.
  • B2C stands for business to consumer. Many businesses create products and services that are intended for consumers and marketed directly to them, not to intermediate businesses. Promotion of a fast food sandwich is an example of a B2C marketing effort.

I included the “B2G” acronym because most of my years in identity and biometrics were devoted to local, state, federal, and international government sales. My B2G experience is much deeper than my B2B experience, and way deeper than my B2C expertise.

Let’s NOT make this complicated

I’m sure that Ubersuggest could spin out a whole bunch of long-winded paragraphs that explain the critical differences between the three marketing efforts above. But let’s keep it simple and limit ourselves to two truths and no lies.

TRUTH ONE: When you market B2B or B2G products or services, you have FEWER customers than when you market B2C products or services.

That’s pretty much it in terms of differences. I’ll give you an example.

  • If Bredemarket promoted its marketing and writing services to all of the identity verification companies, I would target fewer than 200 customers.
  • If IDEMIA or Thales or GET Group or CBN promoted their driver’s license products and services to all of the state, provincial, and territorial motor vehicle agencies in the United States and Canada, they would target fewer than 100 customers.
  • If McDonald’s resurrects and promotes its McRib sandwich, it would target hundreds of millions of customers in the United States alone.

The sheer scale of B2C marketing vs. B2B/B2G marketing is tremendous and affects how the company markets its products and services.

But one thing is similar among all three types of writing.

TRUTH TWO: B2B writing, B2G writing, and B2C writing are all addressed to PEOPLE.

Well, until we program the bots to read stuff for us.

This is something we often forget. We think that we are addressing a blog post or a proposal to an impersonal “company.” Um, who works in companies? People.

(Again, until we program the bots.)

Whether you’re marketing a business blog post writing service, a government software system, or a pseudo rib sandwich, you’re pitching it to a person. A person with problems and needs that you can potentially solve.

So solve their needs.

Don’t make it complex.

But what IS B2B writing?

Let’s return to the original question. Sorry, I got off on a bit of a tangent. (But at least I didn’t trail off into musings about “the dynamic and competitive world.”)

When I write something for a business:

  • I must focus on that business and not myself (customer focus). The business doesn’t want to hear my talk about myself. The business wants to hear what I can do for it.
  • I must acknowledge the business’ needs and explain the benefits of my solution to meet the business needs. A feature list without any benefits is just a list of cool things; you still have to explain how the cool things will benefit the business by solving its problem.
  • My writing must address one, or more, different types of people who are hungry for my solution to their problem. (This is what Ubersuggest and others call a “target audience,” because I guess Ubersuggest aims lasers at the assembled anonymous crowd.)

Again, this is hard, but not complex.

It’s possible to make this MUCH MORE complex and create a 96 step plan to author B2B content.

But why?

So now I’ve answered the question “What is B2B writing?”

Can Bredemarket write for your business? If so, contact me.

Today’s Acronym is RAG (Retrieval-Augmented Generation)

Today’s acronym comes from Maira Ladeira Tanke of Amazon Web Services, who focuses her work on generative AI.

She delivered a Thursday presentation entitled “Customizing generative AI applications for your business using your data.” The tool that Tanke uses for customization is Amazon Bedrock, which supports Retrieval-Augmented Generation, or RAG.

Retrieval-Augmented Generation (RAG) is the process of optimizing the output of a large language model, so it references an authoritative knowledge base outside of its training data sources before generating a response. Large Language Models (LLMs) are trained on vast volumes of data and use billions of parameters to generate original output for tasks like answering questions, translating languages, and completing sentences. RAG extends the already powerful capabilities of LLMs to specific domains or an organization’s internal knowledge base, all without the need to retrain the model. It is a cost-effective approach to improving LLM output so it remains relevant, accurate, and useful in various contexts.

From https://aws.amazon.com/what-is/retrieval-augmented-generation/.

Because Amazon has obviously referred to my seven questions—OK, maybe they didn’t—the RAG page devotes time to the “why” question and the “benefits” question.

Amazon identified two problems with large language models, or LLMs (not to be confused with LMMs):

  • LLM responses are unpredictable.
  • LLM data is static.

So what happens when you use LLMs WITHOUT retrieval-augmented generation?

You can think of the Large Language Model as an over-enthusiastic new employee who refuses to stay informed with current events but will always answer every question with absolute confidence.

From https://aws.amazon.com/what-is/retrieval-augmented-generation/.

Ouch.

How does RAG solve these problems? It “redirects the LLM to retrieve relevant information from authoritative, pre-determined knowledge sources.” RAG allows you to introduce more current information to the LLM which reduces cost, increases accuracy (and attributes sources), and supports better testing and improvements.
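The retrieval step described above, as an added example that is not Amazon’s code or Bedrock’s API: a constructed in-memory knowledge base (hypothetical policy snippets with source ids) is searched with a simple bag-of-words cosine score, and the prompt handed to the model carries only retrieved, attributed sources. When nothing authoritative matches, the prompt says so instead of letting the “over-enthusiastic new employee” guess, and adding a newer entry to the knowledge base changes the answer without retraining anything.

```python
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed knowledge base standing in for an agency's "authoritative,
# pre-determined knowledge source". Keys are source ids used for attribution.
KNOWLEDGE_BASE: Dict[str, str] = {
    "policy-2024-03": "Remote employees must renew their VPN certificate every 90 days.",
    "faq-travel": "Travel reimbursement requests are due within 30 days of the trip.",
    "hr-holidays": "The office is closed on the Friday after Thanksgiving.",
}

TOKEN = re.compile(r"[a-z0-9]+")
# Tiny stop-word list so that shared filler words do not count as relevance.
STOPWORDS = {"a", "an", "and", "are", "do", "how", "i", "is", "my", "of",
             "on", "the", "their", "to", "what", "when"}


def tokenize(text: str) -> Counter:
    """Lower-case bag of words with stop words removed."""
    return Counter(t for t in TOKEN.findall(text.lower()) if t not in STOPWORDS)


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity between two bag-of-words vectors (0.0 when either is empty)."""
    dot = sum(a[t] * b[t] for t in a)
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def retrieve(question: str, kb: Dict[str, str], k: int = 2,
             min_score: float = 0.1) -> List[Tuple[str, float]]:
    """Return up to k (source_id, score) pairs ranked by relevance to the question.
    Entries scoring below min_score are dropped so weak matches never reach the model."""
    q = tokenize(question)
    ranked = sorted(((sid, cosine(q, tokenize(text))) for sid, text in kb.items()),
                    key=lambda pair: pair[1], reverse=True)
    return [(sid, score) for sid, score in ranked[:k] if score >= min_score]


def build_prompt(question: str, kb: Dict[str, str]) -> str:
    """Augment the question with retrieved sources; refuse to guess when there are none."""
    hits = retrieve(question, kb)
    if not hits:
        return f"No authoritative source covers this question: {question}\nAnswer: I don't know."
    context = "\n".join(f"[{sid}] {kb[sid]}" for sid, _ in hits)
    return ("Answer using only the sources below and cite the source id in brackets.\n"
            f"Sources:\n{context}\nQuestion: {question}\nAnswer:")


if __name__ == "__main__":
    question = "How often do I renew my VPN certificate?"
    print(build_prompt(question, KNOWLEDGE_BASE))
    print(build_prompt("What is the capital of France?", KNOWLEDGE_BASE))
    # "LLM data is static" is solved at the knowledge-base layer: add a newer
    # policy and the next retrieval sees it, with no model retraining.
    newer = {**KNOWLEDGE_BASE, "policy-2024-06": "VPN certificate renewal is now every 60 days."}
    print(retrieve(question, newer))
```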

For more technical information, see “What is RAG?” and “Knowledge Bases for Amazon Bedrock.”

(Image sources: Amazon, SourcesOfInsight.com)

Ofcom and the Digital Trust & Safety Partnership

The Digital Trust & Safety Partnership (DTSP) consists of “leading technology companies,” including Apple, Google, Meta (parent of Facebook, Instagram, and WhatsApp), Microsoft (and its LinkedIn subsidiary), TikTok, and others.

The DTSP obviously has its views on Ofcom’s enforcement of the UK Online Safety Act.

Which, as Biometric Update notes, boils down to “the industry can regulate itself.”

Here’s how the DTSP stated this in its submission to Ofcom:

DTSP appreciates and shares Ofcom’s view that there is no one-size-fits-all approach to trust and safety and to protecting people online. We agree that size is not the only factor that should be considered, and our assessment methodology, the Safe Framework, uses a tailoring framework that combines objective measures of organizational size and scale for the product or service in scope of assessment, as well as risk factors.

From https://dtspartnership.org/press-releases/dtsp-submission-to-the-uk-ofcom-consultation-on-illegal-harms-online/.

We’ll get to the “Safe Framework” later. DTSP continues:

Overly prescriptive codes may have unintended effects: Although there is significant overlap between the content of the DTSP Best Practices Framework and the proposed Illegal Content Codes of Practice, the level of prescription in the codes, their status as a safe harbor, and the burden of documenting alternative approaches will discourage services from using other measures that might be more effective. Our framework allows companies to use whatever combination of practices most effectively fulfills their overarching commitments to product development, governance, enforcement, improvement, and transparency. This helps ensure that our practices can evolve in the face of new risks and new technologies.

From https://dtspartnership.org/press-releases/dtsp-submission-to-the-uk-ofcom-consultation-on-illegal-harms-online/.

But remember that the UK’s neighbors in the EU recently prescribed that USB-3 cables are the way to go. This not only forced DTSP member Apple to abandon the Lightning cable worldwide, but it affects Google and others because there will be no efforts to come up with better cables. Who wants to fight the bureaucratic battle with Brussels? Or alternatively we will have the advanced “world” versions of cables and the deprecated “EU” standards-compliant cables.

So forget Ofcom’s so-called overbearing approach and just adopt the Safe Framework. Big tech will take care of everything, including all those age assurance issues.

DTSP’s September 2023 paper on age assurance documents a “not overly prescriptive” approach, with a lot of “it depends” discussion.

Incorporating each characteristic comes with trade-offs, and there is no one-size-fits-all solution. Highly accurate age assurance methods may depend on collection of new personal data such as facial imagery or government-issued ID. Some methods that may be economical may have the consequence of creating inequities among the user base. And each service and even feature may present a different risk profile for younger users; for example, features that are designed to facilitate users meeting in real life pose a very different set of risks than services that provide access to different types of content….

Instead of a single approach, we acknowledge that appropriate age assurance will vary among services, based on an assessment of the risks and benefits of a given context. A single service may also use different approaches for different aspects or features of the service, taking a multi-layered approach.

From https://dtspartnership.org/wp-content/uploads/2023/09/DTSP_Age-Assurance-Best-Practices.pdf.

So will Ofcom heed the DTSP’s advice and say “Never mind. You figure it out”?

Um, maybe not.

The Wildebeest Speaks! (Am I insane?)

I really don’t need yet ANOTHER content distribution avenue.

From https://www.linkedin.com/pulse/why-non-authority-linkedin-newsletters-writing-newsletter-guj0c/.

But I created one anyway, just so I can understand how LinkedIn newsletters work.

Bredemarket’s new LinkedIn newsletter is called “The Wildebeest Speaks.” I plan to publish once a month, more or less.

LinkedIn users can subscribe to the newsletter at https://www.linkedin.com/newsletters/the-wildebeest-speaks-7172984705846243328/.

The 21st Century’s Four Revolutionary Biometric Events

I define a revolutionary biometric event as something that COMPLETELY TRANSFORMS the biometric industry.

For me, the four events that have revolutionized biometrics in this century (so far) include:

  • The September 2001 use of commercial planes in a terrorist attack.
  • The April 2013 Boston Marathon bombings.
  • The September 2013 introduction of Touch ID on the Apple iPhone.
  • The 2020 (and beyond) COVID-19 pandemic.

If you want to learn WHY I regard these four events as revolutionary, and why I DON’T regard the introduction of the Apple Vision Pro as revolutionary, see my June 2023 post.

Mass Casualties at Arrowhead Regional Medical Center…But Only a Drill

On Monday, March 4, Arrowhead Regional Medical Center (ARMC) in San Bernardino, California was one of two local medical centers to participate in a mass casualty drill.

The objective of the drill for ARMC was to test the hospital’s ability to respond effectively to a surge of patients resulting from a mass casualty incident. Throughout the exercise, ARMC staff demonstrated their proficiency in triage, patient care, communication and coordination of resources. The drill also provided an opportunity for staff to practice protocols for receiving patients, managing supplies and implementing surge capacity plans.

From https://main.sbcounty.gov/2024/03/07/arrowhead-regional-medical-center-participates-in-mass-casualty-incident-drill/.

It’s always good to conduct mass shooting drills in case they are needed in the future.

Or, in the case of Arrowhead Regional Medical Center, in the past.

By San Bernardino County Sheriff’s Department – Public Domain, https://commons.wikimedia.org/w/index.php?curid=45514432

Remember December 2, 2015?

At least 14 people were dead and another 17 injured in a shooting Wednesday in San Bernardino, California, when gunmen who were heavily armed and “on a mission” opened fire during a function at a center for people with developmental disabilities, police said.

Police believe two alleged shooters — a county employee and a woman with whom he was in a relationship opened fire around 11 a.m. at the Inland Regional Center. They were armed with assault weapons and “prepared to do what they did as if they were on a mission,” San Bernardino Police Chief Jarrod Burguan said….

Five people were taken to the nearby Loma Linda University Medical Center, two of which were critical but stable, two of which were fair and the one who was still being assessed, according to a hospital spokeswoman. Six other people are being treated at Arrowhead Regional Medical Center, though their conditions are unknown.

From https://abcnews.go.com/US/police-respond-reports-active-shooter-san-bernardino/story?id=35535995.

Although it wasn’t mentioned in San Bernardino County’s 2024 description of the drill, I’m sure some participants remembered what happened nine years ago.

In fingerprint capture, 14 is better than 20

In many instances of fingerprint capture, whether obtaining prints through ink or through livescan, the operator taking the tenprint captures 14 images. Not 10, not 20, but 14.

Why?

Quality control.

Because the 14 images contain two impressions of every print, you can compare the top set of prints (the rolled prints) against the bottom set (the slap prints).

Locations of finger 2 (green) and finger 3 (blue) for rolled and slap prints.

In the example above, if the green rolled print is NOT the same as the green slap print, or if the blue rolled print is NOT the same as the blue slap print, then you captured the fingerprints in the wrong order.
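The rolled-versus-slap comparison above, written out as an added example (not code from the original post or from any livescan vendor). A real system would run a fingerprint matcher on the 14 images; here a constructed score table stands in for the matcher, and the check flags any rolled print that matches a different slap finger than its own, collapsing the two-finger swap shown in the figure into a single message. The finger position numbering (1 to 5 right hand, 6 to 10 left hand, thumb first) and the 0.6 match threshold are assumptions.

```python
from typing import Dict, List, Optional

# Finger position codes as printed on tenprint cards: 1-5 right hand, 6-10 left
# hand, thumb first. The card holds a rolled impression of each finger plus the
# slap (plain) impressions of the same fingers, hence 14 images for 10 fingers.
FINGER_NAMES = {
    1: "right thumb", 2: "right index", 3: "right middle", 4: "right ring", 5: "right little",
    6: "left thumb", 7: "left index", 8: "left middle", 9: "left ring", 10: "left little",
}
MATCH_THRESHOLD = 0.6  # hypothetical matcher score above which two prints count as the same finger
Scores = Dict[int, Dict[int, float]]  # scores[rolled_pos][slap_pos] -> similarity in 0..1


def constructed_scores(rolled_actual: Dict[int, Optional[int]]) -> Scores:
    """Stand-in for a fingerprint matcher (constructed, not a real algorithm).

    rolled_actual[p] is the finger that was really rolled into position p
    (None means nothing usable was captured there). The slap impressions are
    assumed to be in the right place, so a rolled print scores high only
    against the slap finger it really belongs to.
    """
    scores: Scores = {}
    for rolled_pos in range(1, 11):
        actual = rolled_actual[rolled_pos]
        scores[rolled_pos] = {slap_pos: (0.92 if slap_pos == actual else 0.08)
                              for slap_pos in range(1, 11)}
    return scores


def sequence_check(scores: Scores, threshold: float = MATCH_THRESHOLD) -> Dict[int, Optional[int]]:
    """Compare each rolled print with the slap prints.

    Returns {rolled_pos: slap_pos_it_really_matches} for every rolled print
    that does NOT match its own slap finger; None means it matched nothing.
    An empty dict means the capture order is consistent.
    """
    problems: Dict[int, Optional[int]] = {}
    for rolled_pos in range(1, 11):
        row = scores[rolled_pos]
        if row[rolled_pos] >= threshold:
            continue  # rolled and slap agree: this finger was captured in the right place
        best_slap = max(row, key=row.get)
        problems[rolled_pos] = best_slap if row[best_slap] >= threshold else None
    return problems


def describe(problems: Dict[int, Optional[int]]) -> List[str]:
    """Turn findings into operator-facing messages; a two-finger swap (the case
    in the post's figure) becomes one message rather than two."""
    messages: List[str] = []
    reported = set()
    for rolled_pos, slap_pos in sorted(problems.items()):
        if rolled_pos in reported:
            continue
        if slap_pos is None:
            messages.append(f"rolled {FINGER_NAMES[rolled_pos]} matches no slap finger: recapture it")
        elif problems.get(slap_pos) == rolled_pos:
            messages.append(f"{FINGER_NAMES[rolled_pos]} and {FINGER_NAMES[slap_pos]} rolled in swapped order")
            reported.add(slap_pos)
        else:
            messages.append(f"rolled {FINGER_NAMES[rolled_pos]} is really the {FINGER_NAMES[slap_pos]}: wrong order")
        reported.add(rolled_pos)
    return messages


if __name__ == "__main__":
    correct = {p: p for p in range(1, 11)}
    swapped = {**correct, 2: 3, 3: 2}  # index and middle finger rolled in the wrong order
    print(describe(sequence_check(constructed_scores(correct))))
    print(describe(sequence_check(constructed_scores(swapped))))
```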

I discussed this in more detail in an earlier post.

If you need Bredemarket’s marketing and writing services to explain the benefits of your technology to your prospects and customers, contact me.