Access and “Somewhat You Why”

In case you missed it, I’ve been pushing a sixth factor of authentication called “Somewhat You Why.”

“As I refined my thinking, I came to the conclusion that “why” is a reasonable factor of authentication, and that this was separate from the other authentication factors (such as “something you do”).”

And now Identity Jedi Harvey Lee is also asking the “why” question, but specifically in terms of access control.

“[B]ecause we couldn’t determine why someone needed access, we built systems that tried to guess the answer for us….

“Roles were never about “least privilege.” Roles were our attempt to predict intent at scale. And like most predictions, especially in complex systems, they were right until they weren’t….

“Instead of front-loading permissions for every possible future scenario, we authorize the current scenario. Identity might still be the new perimeter — but intent is the new access key.”

Read “Intent Is the New Access Key.”

For example, if a dehydrated man wants to unlock a water tank, I have a pretty good idea of his intent.

Who or What is Evaluating Your Proposal?

As I’ve said before, you should write a proposal that resonates with the people who read it. In marketing terms, you write for the key personas in your target audience.

But what if your target audience never reads your proposal?

Diella, Albanian Minister of Procurement

In Albania, it’s possible that no person will read it.

“A new minister in Albania charged to handle public procurement will be impervious to bribes, threats, or attempts to curry favour. That is because Diella, as she is called, is an AI-generated bot.

“Prime Minister Edi Rama, who is about to begin his fourth term, said on Thursday that Diella, which means “sun” in Albanian, will manage and award all public tenders in which the government contracts private companies for various projects.”

The intent is to stop corruption from “gangs seeking to launder their money from trafficking drugs and weapons.”

When people evaluate proposals

But how savvy is Diella?

Let me provide a proposal evaluation example that has nothing to do with corruption, but illustrates why AI must be robust.

A couple of years before I became a proposal writer, I was a Request for Proposals (RFP) writer…sort of. A Moss Adams consultant and I assembled an RFP that required respondents to answer Yes or No to a checklist of questions.

When the consultant and I received the proposals, we selected two finalists…neither of whom responded “Yes” to every question, as some submissions did.

We figured that the ones who said “Yes” were just trying to get the maximum points, whether they could do the work or not. 

The two finalists gave some thought to the requirements and raised legitimate concerns.

Can Diella detect corruption?

Hopefully Diella is too smart to be fooled by such shenanigans. But how can she keep the gangs out of Albania’s government procurements?

Certainly on one level Diella can conduct a Know Your Business check to ensure a bidder isn’t owned by a gang leader. But as we’ve seen before in Hungary, the beneficial owner may not be the legal owner. Can Diella detect that?

Add to this the need to detect whether the entity can actually do what it says it will do. While I appreciate that the removal of humans prevents a shady procurement official from favoring an unqualified bidder, at the same time you end up relying on a bot to evaluate the bidders’ claims to competency.

Of course this could all be a gimmick, and Diella will do nothing more than give the government the aura of scientific selection, while in reality the same procurement officers will do the same things, with the same results.

Let’s see what happens with the next few bids.

(She’s Tidied Up and) I Can’t Find Anything

Are you having trouble finding an asset such as a digital identity or a commercial asset? If you are, there are ways to make things easier to find.

An example from the identity world

Identity Jedi David Lee recently shared his thoughts on “The Hidden Cost of Bad Identity Data (and How to Fix It).” Lee didn’t focus on the biometric data, but instead on the textual data that is associated with a digital identity.

“Let’s say you’re kicking off a new identity program. You know you need user location to drive access policies, governance rules, or onboarding flows. But your authoritative source has location data in five different formats—some say “NY,” others say “New York,” and some list office addresses with zip codes and floor numbers.

“You tell yourself: “We’ll clean it up later.”

“What you’ve really done is commit your future self to a much more expensive project.”

Garbage in, garbage out.

An example from the commerce world

Krassimir Boyanov of KBWEB Consult provides another example of a problem in his post “Why AEM Assets Smart Tagging Makes Your Marketing Work Easier.” Let’s say that you’re managing the images (the “assets”) that display on a company’s online website. You have thousands if not millions of images to manage. How do you find a particular image?

One way to do this is to “tag” each image with descriptive information.

But if you do it wrong, there will be problems.

“Tagging is inconsistent. If 10 people are tagging the items, the tags will probably be inconsistent. While one person tags an item as a “car,” another may tag a similar item as an “automobile.” Although the two assets are similar, this is hidden because of inconsistent tag use.”

Again, garbage in, garbage out.

An organizational solution from the identity world

Lee and Boyanov approach these similar problems from two perspectives.

Lee, as an Identity and Access Management (IAM) expert, approaches this as a business problem and offers the following recommendations (among others):

“Clean early, not late: Push for authoritative sources to normalize and codify the data before it hits the IAM system….

“Push accountability upstream: Don’t accept ownership of fixing problems you don’t control. Instead, elevate the data issue to the right stakeholder (hint: HR, IT, or Legal).”

While Lee can certainly speak to the technologies that can normalize and codify the data, he prefers in this post to concentrate on the organizational issues that cause dirty data, and on how to prevent these issues from reoccurring in the future.

A technological solution from the commerce world

Boyanov can also speak to business and organizational issues as an Adobe Experience Manager consultant who has helped multiple organizations implement the Adobe product. But in this case he concentrates on a technological approach offered by Adobe:

A Taxonomy is a system of organizing tags based on shared characteristics, which are usually hierarchical structured per organizational need. The structure can help finding a tag faster or impose a generalization.
Example: There is a need to subcategorize stock imagery of cars. The taxonomy could look like:

/subject/car/
/subject/car/sportscar
/subject/car/sportscar/porsche
/subject/car/sportscar/ferrari

/subject/car/minivan
/subject/car/minivan/mercedes
/subject/car/minivan/volkswagen

/subject/car/limousine

Once the taxonomy is defined, assets can be tagged (preferably automatically) in accordance with the hierarchy.

Presumably David Lee’s identity world can similarly come up with a method to standardize addresses BEFORE they are added to an IAM system.
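One way such a pre-ingest check could look, combining the “clean early” advice with a hierarchical taxonomy. This is an added example, not code from Lee, Boyanov or Adobe; the /location/... paths, the alias and ZIP-prefix tables, and the sample records are all constructed assumptions.

```python
import re

# Constructed canonical taxonomy (assumption), written in the same path style
# as the tag taxonomy quoted above.
CANONICAL = {
    "/location/us/ny": {"ny", "new york"},
    "/location/us/ca": {"ca", "california"},
}
# Constructed ZIP-prefix table (assumption) for office-address values.
ZIP_PREFIX = {"100": "/location/us/ny", "941": "/location/us/ca"}
ALIASES = {alias: path for path, names in CANONICAL.items() for alias in names}


def normalize_location(raw):
    """Return a canonical path, or None when the value cannot be mapped with certainty."""
    text = re.sub(r"\s+", " ", raw or "").strip().lower()
    if text in ALIASES:
        return ALIASES[text]
    # Office address: rely on a single 5-digit ZIP code; floor and suite numbers are ignored.
    zips = re.findall(r"\b(\d{5})(?:-\d{4})?\b", text)
    if len(zips) == 1:
        return ZIP_PREFIX.get(zips[0][:3])
    return None  # zero or several ZIP codes: ambiguous, do not guess


def gate(records):
    """Split source records into (accepted, rejected) before they reach the IAM system."""
    accepted, rejected = [], []
    for rec in records:
        path = normalize_location(rec.get("location"))
        if path is None:
            # Fail closed: an unmapped value must never drive an access policy.
            # The record goes back to the owner of the authoritative source.
            rejected.append({**rec, "reason": "unmapped location"})
        else:
            accepted.append({**rec, "location": path})
    return accepted, rejected


# Constructed sample records imitating the formats described in Lee's quote.
SAMPLE = [
    {"user": "a.ng", "location": "NY"},
    {"user": "b.ito", "location": "New York"},
    {"user": "c.roy", "location": "1 Example Plaza, Floor 21, New York, NY 10001"},
    {"user": "d.kim", "location": "Remote"},
    {"user": "e.paz", "location": None},
]

if __name__ == "__main__":
    ok, bad = gate(SAMPLE)
    print("accepted:", ok)
    print("returned to source owner:", bad)
```

The rejected list is the part that pushes accountability upstream: records that cannot be mapped are handed back to the data owner instead of being patched inside the IAM system.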

As deep as any ocean

Whether you’re dealing with a digital identity or a commercial asset, you need to ensure that you can find this asset in the future. This requires planning beforehand.

And a content creation project also requires planning beforehand, such as asking questions before beginning the project.

If you are an identity/biometric or technology firm that requires content creation, or perhaps proposal or analysis services, Bredemarket can help. After all, content creation is science…and art.

Talk to me: https://bredemarket.com/cpa/
