CSC - Ron Knode Keynote on Digital Trust from LEF '07 - 1 Translation(s)

Don't want to see Ads? Register for your free dotSUB account here!

CSC - Ron Knode Keynote on Digital Trust from LEF '07

Duration: 1 hour, 4 minutes and 42 seconds

Country: United States

Language: English

License: dotSUB Participatory-Commercial

Genre: Instructional

Views: 842 (83 embedded)

Posted by: thor on Aug 9, 2007

Report this video as offensive

Translate and Transcribe

Embed Video
Embed normal player
Embed a smaller player
Advanced Embedding Options
Embedding Options

Size:

Language:

Embed Code
Embed transcript
Embed transcript in:
Invite a user to dotSUB

Your invitation to join dotSUB was successful

There was an error inviting that user to dotSUB

Video Transcription

Show in new window

[Applause]
Thank you.
[♫ Soft piano music ♫]
Good morning.
[Laughter]
We wanted to bring you around a little more slowly.
I thought perhaps we were a little abrupt in trying—
I know it's early.
I need you fully alive and alert and well lubricated this morning.
So I thought this is a wonderful way to wake up so early.
[Laughter]
Good morning and wakey wakey.
[Laughter]
That music is very pretty, isn't it?
Don't you like that?
Isn't that a wonderful way to wake up?
That's claimed to be the most beautiful music ever written.
Those of you who have ever seen the play or the movie "Frankie and Johnny"
will recall that that was the music that was played by the all-night deejay
when Johnny, in a fit of passion for his beloved Frankie, and in a panicked attempt to woo her quickly
asked the deejay to play the most beautiful music ever written,
and that's the music that was played.
It's the "Clair de Lune" by Debussy, and I've always wanted to use the word 'woo' in a briefing.
So big day today.
[Laughter]
Well you and I are are going to make some beautiful music together this morning.
I don't know if it'll be as pretty as the Clair de Lune, but we're going to take a little look
and a little listen forward at the upcoming report on digital trust.
Digital trust.
Now to do this and to get ourselves fully alert, we're going to start with some mental calisthenics.
No jumping jacks this morning, but what I do want you to do is to pull out
the old nTAG gizmo.
Pull out your nTAG gizmo and scroll down for me to Live Voting.
Always better than dead voting.
Live voting.
We're going to do four questions here this morning.
Jefferson, if you could give me the four questions please.
Now do you know how to use this?
Go to Live Voting, you hit the checkmark button and you'll see answers 1-6.
When we show you a question like this one, all you need to do is scroll down
to your selected answer.
There's the question.
I'm going to let you read it.
You scroll down to the selected answer.
You can either use your little pick thing here or you can scroll.
You pick an answer, go follow along with me, and then you hit the Okay button.
Do it now.
Do it now.
[♫ Jeapordy theme song ♫]
Quickly, quickly, quickly. And as soon as you've done that.
Okay, okay, okay.
Jefferson is going to give us the tally.
There it is.
So, okay well you can see that racehorse.
Remember those.
We're going to use those a little bit later on.
Somebody here remember that.
Got it.
Okay, let's go to the second question there, Jefferson.
We'll do the same thing.
Do it again.
Okay, number one reason bumpty bump.
You've got six choices on there.
I'm going to pick an answer myself. Let me see here.
Hmm, hmm.
[♫ Jeapordy theme song ♫]
Do it, do it, do it.
Hit Okay.
[♫ Jeapordy theme song ♫]
Are you coming along?
Are you with me here?
You know, is this part working here?
Not just the chewing part.
Okay, good.
Look at that, and what have we got here?
And then—access control—oh it's a racehorse.
Okay.
Not bad, not bad, not bad.
Remember that.
We might use that a little bit later on.
Let's go to the next one, Jefferson.
Here we go.
How many in just two years?
Okay, pick a number.
Pick an answer.
I'm going to pick an answer.
[♫ Jeapordy theme song ♫]
Do it, do it, do it.
[♫ Jeapordy theme song ♫]
Oh wow.
Oh hey, oh— all right.
Isn't this exciting?
[Laughter]
This is just daggone exciting isn't it?
How did we ever do it without these?
Okay, let's go on to the fourth and final observation.
Okay, scroll down.
Live Voting.
[Laughter]
Pick one of those.
I know what I have to pick.
You just have to make your own choice.
Okay, do it, do it, do it.
Remember that one.
[♫ Jeapordy theme song ♫]
[Laughter]
All right, are you with me now?
Are you with me now?
Okay, let's go back to where we were when we left.
Fully lubricated.
This is all in gear.
I need your help.
So, we're back to digital trust, and perhaps the best thing we could do to get started
would be to talk just a little bit about what we mean by digital trust
and why the LEF decided to turn its lens of exploration on this particular circumstance.
So I'm going to ask you to do one more thing.
Find somebody very close to you, reach out and shake their hand.
Reach out, shake their hand.
Give it a good shake.
Let's go.
Shake that hand.
Okay, how did that feel?
Did that feel good?
Did that feel good?
Handshakes feel kind of good.
You know, there are studies that show in the process of doing a handshake,
there's actually a chemical transfer that occurs.
So that on some primitive basis, we learn something about each other and
that helps us make decisions at some level.
So what started out in the Middle Ages as a technique for safe greeting,
no weapons, has come to represent ever so much more.
In fact, it's representing all of the cues that we use to make decisions, good or bad.
Decisions about whether we should buy something or not buy it.
Whether we should participate further in a transaction.
Let it go or abort.
Whether we should sign a contract or not.
Whether we should enter into a partnership or not.
It's all about decisions, and the handshake has come to represent those confidence cues.
So what if handshakes, what if they disappeared, and not only did the handshake
itself disappear but all of the confidence cues that we've come to
depend on to help us make decisions.
What would we do?
Would we just like roll the dice and hope for a good result?
Would we cross our fingers and just wish for a good result?
Maybe what we could do is just spend our way into a good result.
Perhaps what we ought to do is open the Good Book and seek help from
a higher authority to help us make those decisions.
Well, we all know what it is we are looking for.
Even though we are rarely very explicit in what we mean.
And certainly, the piano man knows what the key issue is here.
[♫ And I don't want it to happen to us because it's always been a matter of trust ♫]
Yes indeed.
Billy Joel does know it is a matter of trust.
You know, we use a lot of words to try and explain what we mean by trust.
Words like assurance, belief, faith, confidence, security, reliance, reliability.
We use all of these words, and measures of trust have included for a long time
important sociological and psychological constituents dealing with degrees of
expectancy about the promises of another.
And in fact, I read one study recently that defined trust this way.
It said trust was the willingness to accept vulnerability based on the positive expectation
of another's behavior.
Some people say that trust really only can go between people and that certainly
you should trust no institution.
Certainly no political institutions and maybe nobody over 30.
Well those soft contributions to trust stay.
They're still important.
They matter.
What our report concentrates on are the technology contributions to trust.
Those things which are the sources of digital trust.
In other words, we're asking the question: how do I or can I shake hands with a digital enterprise?
Well, whatever your level of uneasiness about your understanding of trust,
we have in fact plowed ahead into the digital enterprise,
and we have not heeded the advice of those who say "we're just not ready.
We have—those handshakes have seemed to fade.
We're just not ready."
We've plowed ahead anyhow.
[♫ Stop the world, the grass isn't greener. ♫]
[♫ Stop the world, is it really getting better? ♫ ]
[♫ Stop the world. ♫]
No, no we didn't stop the world despite the pleadings of Leslie Clemmons.
Even though traditional handshakes have seemed to fade,
and this is a pretty impressive example of the degree to which we have plunged ahead
into the digital enterprise, some impressive numbers here.
In fact, you don't have to be too very old to remember when Ajax was
just a household cleaner.
When blogs were things you cleaned up off the kitchen floor right after they spilled.
When podcasts were ways of preparing vegetables for dinner.
When web 2.0 was Charlotte's latest work.
[Laughter]
When google was a sound your little granddaughter made and not a verb.
When wiki's were associations of witches.
I might be wrong on that one, but you get the idea.
And so anytime a new service, feature, function, activity, cool thing shows up,
man we grab that and we go for it because we think there's value there.
Look, some of these are pretty impressive numbers.
How many of you picked 80%? Look at the second bullet.
Raise your hand, give yourself a pat on the back.
I don't believe you.
[Laughter]
80% and by the way, that's a 180 degree shift in just the last 3 decades.
2 billion songs downloaded from iTunes.
We're making online identities left and right.
No problem here.
Large federations of companies --
I personally have 147 billion e-mail messages in my inbox today.
So the rest of you have the other 13 billion.
I don't know how I missed them.
And we are conducting elections in this country and other countries with electronic voting stations.
So we've plunged ahead.
We've moved forward.
Ready or not, digital trust or no digital trust, here we come.
But this plunge has not come without some problems.
Problems that lose money.
Problems that subrtract value.
Problems that send people to jail.
Problems that steal capacity for no productive reason.
Problems that generate entire business models based on digital theft and fraud.
So something is missing, and that something that is missing becomes
a little more clear when we start to ask the "why is it" questions.
Why is it that some voting machines are okay for electronic voting and others are not?
Why is it that some software is okay for use in national security and intelligence
but others is not?
Some INA, identification authentication soft—is okay for financial transactions, and some isn't.
That a digital tune downloaded without rights management costs 30 cents more
than the same digital tune downloaded with rights management.
That fingerprint authentication at Disney World is more valuable than a photo ID.
That you can buy your way through the TSA sometimes.
That losing some laptops with personal data is forgettable,
and losing other laptops with personal data is nearly fatal.
And that even perfect websites, even perfect websites can be subject to victims of threat and misuse.
So our report attempts to answer some of these "why is it" questions,
and see if there isn't some way of bringing greater value to the enterprise through security.
Now I don't want you to think that Ron Knode or the LEF or even CSC invented the phrase "digital trust."
Oh no no. Au contraire.
In fact, I Googled this phrase recently.
Oh look at me, how modern.
I Googled this phrase recently, and I got back 50,700 hits on the phrase "digital trust."
And due to my superb analytic capabilities, in a very short time,
I was able to catalog those 50,000 plus hits into 3 categories of use, and there you see them.
There you see them right there.
Well, we're not using it for that.
We're not using it for that.
In fact, we're not really interested in being just the 50,701st hit on digital trust.
We want to answer some of the "why is its" and again see about bringing--
if there is not a way of bringing greater value to the enterprise through security.
We want to answer the question, how do we shake hands with the digital enterprise?
So let's look at it this way.
Since the Renaissance, when in fact the mathematical notions of risk and risk management
Risk management and even information risk management has particularly been done this way.
Basically, a defensive strategy that says let's defend what we've got.
Whatever we've got, let's hold on to it, and let's reduce the chance of bad stuff happening.
So even when we do a perfect job at this, the best thing we can end up with
is that the total value of the enterprise remains exactly the same.
So we stared at this, and we said, gee, is there another way to look at this?
Because today, that just doesn't seem to be enough.
And so we started at it and we wondered if there was another side to this same issue.
And with the help of a loving spoonful, we were able to twirl this coin a little bit
and spin it around to look at the other side.
[♫ And there is another side to this life I've been living. And there's another side to this ride ♫]
And there it is, and this is digital trust.
It says, well wait a minute, maybe we can increase the value of what we have
if we approach it that way and improve the chance of good stuff happening.
Wouldn't that be wonderful?
Now if you're like me, you can't remember both sides of the coin at one time.
So let me give you a little help here.
So what we're going to show you is what was on the left side of the coin
and what's on the other side of the coin.
So we've got the bright shiny -- and I was sitting with a friend recently,
and we were looking at this picture, and we were both sort of biguiled and entranced
by the bright shiny side of the coin and marveling at the potential that
it suggested to us and congratulating ourselves on having seen
this other side of the coin thanks to a loving spoonful.
And then my friend said, well you know what Ron? Even though we're just so excited
is really serious business.
Still needs to be done.
Still needs to be done. And so we can't forget about that and then we thought
a little bit further and said, you know what? The metaphor still works.
You can't spend just one side of a coin.
So, this is the way it ends up.
So we have these model equations and those of you in the business
of information security, you recognize the one on the top.
It's in every textbook.
It's in every professionalization exam.
It's fundamentally an expression of the defensive strategy of information risk management
and risk exposure, and it's holding what you've got.
So there is really no way to account for a good idea of value expansion.
Let's say I had a good idea about rights management,
and if I apply this rights management idea, I could monotize our intellectual property
more completely and more quickly than otherwise without increasing its exposure to loss.
Well how would I possibly account for it in that equation?
Couldn't do it. And you know, this probably explains in great measure why
we often express our IT security budgets as merely a percentage of our overall IT budget,
and why for the last 20 years we've tried to figure out just how small
that percentage can be before risk exposure goes up.
Well then, on the other side, we look at this other model equation that says
let's focus on the business benefits.
Let's give ourselves credit for that first, and oh, by the way,
let's account for any changes in risk exposure.
That, in fact, is the digital trust strategy.
So here's what we end up with.
We end up with digital trusts being defined as you see here.
Evidence-based confidence.
That's real important that stuff is working the way it claims it's working.
There's nothing else going on.
So it's more than a risk of loss.
Now the good news for you and me is that it is in fact announced
with features and functions -- the things we see, the things we feel, and we say,
oh that's pretty cool.
That's working nice.
But it is completed. It's grown.
It adds value and it is used competitively to advantage with certain lifecycle
characteristics of design, development, deployment.
That's real important.
Now, believing that that's true, why would you not use that perhaps as a technology strategy.
As a security planning and implementation strategy focusing first by real
business pay offs of security and that which we call digital trust.
But also delivering risk reduction as a beneficial side effect.
Oh I know.
There are skeptics.
There are always skeptics.
In fact, one of the most prevalant skeptics I certainly know of is Perry Como
who often can be heard to say--
[♫ It's just impossible, impossible, oh impossible. ♫]
Well we'll see.
So what we decided to do, we picked six key issue areas as important contributers to digital trust.
And we picked them for three different reasons.
Here you see.
The first three--identity, intellectual property and compliance management--
we picked because we just couldn't imagine a transaction in digital enterprise
that didn't involve subjects of some kind.
Not always the wet-wear kinds.
There are subjects without a pulse.
In fact, there may be a few out there.
Intellectual property, there is always something of value involved in this,
and there are always a set of rules and so compliance and manage—
that takes care of the first three.
The next two are facts of life.
We control what we do.
We can't control that threat environment.
So digital trust, if it's to be real, has to be able to respond to e-threats and countermeasures.
Another fact of life is liquid security.
If you read the Connected World, the last LEF report, then you are familiar
with the notions of liquid, time and place.
Well, if digital trust is to work in the new digital enterprise, it must be equally liquid.
More about that later. And then finally, we like to measure things.
We want to measure digital trust if we can.
That gets us to transparency and assurance.
Now each of these key issue areas delivers a clear tone of contribution
to digital trust in and of itself.
[♫ ♫]
And also they can sound real sour notes of penalty when deficits to digital trust occur.
But they are most effective when they work in harmony of digital trust actions
and they amplify the digital trust result.
[♫ Crescendo in triumphant music ♫]
[Applause]
That might be a little over the top, but you get the idea.
It's not very far over the top.
This is real.
In addition to those six areas, we've put together some foundation questions
to help us check on the reality of digital trust in each of those key issue areas.
To see about the pay offs, the value enhancements that could in fact occur
and to look at the potential for penalties if there is a digital trust deficit.
Kind of important learnings right here.
The pay offs are real, but you have to target them.
They're not automatic with digital trust.
You have to intend for those pay offs to occur.
Unfortunately, the penalties seem to be automatic.
If you do have or suffer a digital trust deficit, the penalties come.
One more note.
Steven Covey, noted author and motivational speaker, published a book late last year,
and it was called "The Speed of Trust."
Now it wasn't written specifically to address digital trust, but many of the observations
and conclusions that he reached around trust are equally true for digital trust.
So we had to keep our head on a swivel looking both forward and backward.
Because yesterday—by the way, one of the most important truths he discovered
was that nothing moves as fast as the speed of trust. And now I can add:
nothing moves as fast as the speed of digital trust.
So we have to look forward and backward at the same time.
Even as we're working on the research because yesterday's future,
due to the speed of digital trust -- oh my goodness -- becomes tomorrow's past,
and there's a new tomorrow's future and then digital trust zooms right along.
So we're reminded that there's something we must always keep in mind
and certainly Fleetwood Mac helps us.
[♫ Don't stop thinking about tomorrow. ♫]
[♫ Don't stop, it'll soon be here. ♫]
Okay, so we have to keep our eye in both directions at the same time.
Now we're not done with this report.
But we do have some things we want to talk about with you.
We have—let's treat this as the beginning of the conversation.
It's not the whole conversation.
I'm going to leave a lot of stuff out because we don't have time.
So I invite you to come to the Innovation Lounge.
I have room for 13 billion more e-mail messages.
Please—you know—call me, and we'll continue that conversation.
It is the job of the LEF and these research projects to provoke a conversation in the marketplace.
And for right now right at this moment, you are the market, and this is the marketplace.
So we want to provoke a conversation.
But it's important that you get the full story of digital trust, and this is how you'll get it.
Come out in eight volumes, and you can see.
There will be one volume for each of the key issue areas that we've selected,
and so there will be a lot to learn and say and think about in each of those volumes.
Well, we do have a little bit of time this morning.
So let's take a little peak and a little listen forward at this upcoming report on digital trust.
And we're going to start by going around those six key issue areas
and spend just a few minutes on each of them.
Because we want to concentrate on the harmony of digital trust.
If we sing one note for too very long, we kind of forget what that harmony is.
So let's begin with identity management, and in our social enterprise
we're very comfortable with this.
We're very comfortable with this, and we often start our conversations around
identity management with a simple shout.
[♫ Who are you? ♫]
[♫ Who who, who who? ♫]
[♫ Who are you? ♫]
[♫ Who who, who who? ♫]
So The Who say it: "Who are you?"
And in a social enterprise, we're very comfortable with that,
and we know how to answer that, but when we push that into the digital enterprise
there's a couple of changes that are important and a couple of
value propositions that can be realized through digital trust.
First thing we have to realize that it's not just wet wear who are subjects.
In the digital enterprise, we have things without a pulse.
Other stuff that are subjects too, and they are becoming increasingly important,
and they are increasing opportunities for value.
Well wait a minute, wait a minute, wait a minute.
Oh I'm reminded, I'm reminded.
I'm about to lose my license to brief on identity management.
There's an obligatory slide that everybody who briefs on identity managment must show.
It's part of Union rules.
So if you'll just excuse me.
Here it comes.
There it is, there it is.
Now I'm sure you've seen it before.
Since 1993, this is a 15-year slide, and we all like to use it,
and it was true in 1993 and through security technologies and digital trust approaches,
it's becoming less true, but it's still true.
So I have to show this one.
And every time I show it -- you know, I've seen it hundreds of times,
but I'm really, really impressed by the earnestness of that dog on the floor.
And the ton of attention that the dog in the chair is getting.
And I hope that you're taking a lesson from that.
Okay, I'm fully certified to continue, so let's go back where we were.
So when we hear this shout of Who are you? from The Who in our social enterprise,
we're very comfortable answering. And in fact, Neil Diamond tells us how to answer.
[♫ "I am," I cried. "I am," said I. ♫]
So the shout of Who are you? is often answered back by the shout of I am.
In the digital enterprise, shouting is not quite so easy.
It doesn't really work that way.
We like identity so much because we all have one.
It turns out we all have many!
Consider when you go to a sporting event. You sit down next to somebody. You shake their hand.
You are whoever you say you are.
When you buy something in a store with a credit card, you are whoever that credit card says you are.
Mainly, you're a legitimate credit card holder. You pay the bill.
When you answer the phone for a political survey, for example Pollster,
you are WHATever you say you like or don't like.
When you're involved in an unfortunate traffic mishap, you are whoever your driver's license says you are.
And when you try to return to country after a visit abroad, you are whoever your legitimate passport says you are.
And our Italian friends can tell you a lot about that.
So our pseudonymous behaviour, in real life, we're quite comfortable,
but that has to happen in the digital enterprise, too.
And so that leaves us with a context-sensitive identity.
And so things, even before we get to worry about, oh, clever authentication--
more about that later--
and ways that the set of claims gets populated -- a little more about that later--
Digital trust brings value and identity management by shaping and contouring the set of claims
that is delivered for a specific purpose based on the context based on the purpose.
And delivers them in the most efficient way possible.
So if you answered the question--your mother, your brother, a biometric--eh.
You're all right.
And you know that digital trust shows up in all popular ways, all the popular identity models we use today.
And here's the first one. This is the one we're all comfortable with or familiar with.
It's what we call the walled garden of the enterprise.
And here are all of the subjects we need to communicate with, mostly,
and all of the applications we need to use, mostly--
are in one place, and we put a wall around it, and that's our enterprise, and that's where we sit and live.
And the most important thing there, and the way we get value out of that through digital trust technology
is in convergence. Convergence happens at two levels, though.
The one we're most familiar with is to say, Well, rather than have an identity stored for each of those applications,
let's put it all in one.
We've got some wonderful technology that helps us do that--
technology from Sun, and IBM, and CA, and BMC, and Oracle.
And we use them all. And what they do is attempt to converge
all of those identities into one identity store.
And the more we can do that, the better off we are.
The value proposition here is huge -- 78% savings in administrative costs.
Additional savings come from automated compliance reporting.
So convergence is -- every big company and big government organization is somewhere in the middle of this.
Well, how does it show up? Well, most of the time it shows up in things like single sign on.
And so we can get a big pay off with digital trust just in the logical convergent.
But wait.
There's another layer of convergence that is just starting to happen.
And the pay offs are almost off the chart for this one.
We saw it a little bit in the US in the Department of Defense with a common access card,
but now there's clever technology from companies like Improvada and Quantum Secure
that allow me to converge my logical identities with my physical identity,
so getting in a building and in a room and getting access to a particular cabinet.
All of that now is converged with logical identity.
And it almost looks free.
So the important thing -- the digital trust here emanates from a converged enterprise directory,
and the most important thing is not necessarily exactly what the identity claims are,
but just that you are a row in that directory.
That's what gets you paid.
Well, when we find that we can't live with just the subjects in our walled garden,
and just the applications in our walled garden, we evolve and associate ourselves with other walled gardens.
We often call this identity federation. It's really a federation of walled gardens.
And once you have done the laborious out-of-band work in negotiating a trust agreement,
out of band,
you can use digital trust technology to great advantage to implement and deliver
the value of what I like to call That's Good Enough For Me identity.
you become a subject in another walled garden and another walled garden and another walled garden,
through the magic of digital trust technologies.
There are two technology foundations for that.
SAML - Security Assertion Markup Language,
and cross certifying of public key certificates. We call that Bridge CA in a lot of places.
Really good examples of how this has paid off.
Aramark. Food services company.
They allow 250 -- more than 250 other companies to involve themselves directly
in the Aramark value chain and supply chain to order food and food stuffs,
without having to log in again. Just come on in.
Boeing and Southwest Airlines are allied like this in the maintenance chain.
Southwest is an all-Boeing airline -- all Boeing 737s.
So there's no faster way. The value proposition here is great.
For Bridge CAs, there are a bunch of really big ones that we all know about--
financial industry has Identrus -- 160 different countries, 60 different organizations.
The federal government in the US has Federal Bridge CA.
The aerospace and defense industry has CertiPath,
and here's one I want to spend just a second on -- the global pharmaceutical industry has one called Safe.
And for the first time ever -- this year -- February of this year --
for a new drug approval to the US Food and Drug Administration,
replacing a million pages of paper and thousands of handwritten signatures.
Totally electronically.
Can you imagine -- that was AstraZeneca, by the way --
using the Safe Bridge CA.
Can you imagine the value proposition behind that?
Finally, when our need for applications expands beyond any walled garden,
we have the model of an open garden. Now, this is fairly new.
It was tried before, maybe 10 years ago, and it didn't really work too well.
Fairly new. And we've got lots of alphabet soup of new acronyms and standards going on,
but this is a case where the digital trust emanates because we've been able to separate
the acquisition of the identity credential from the presentation of identity.
And so we have digital trust value because new industries are being created,
those digital identity service providers -- new businesses
Now, salesforce.com -- you might be familiar with them -- is probably one of the best enterprise examples
of somebody using the open garden in the enterprise.
This is really intended for the methods and applications that are identified in the laws of identity
written by Kim Cameron of Microsoft.
Now, I've retitled the Laws of Identity as the Laws of Consumer-Based Web Services Identity,
because that's really what they are.
And those seven laws point me to uses of this open garden where
the user actually filters and contours all identity credential providings.
Now you'll notice that none of these three really handle non-wet-wear identities very well.
as things like the global carbon market start to explode where people simply can't do the trading.
A word about identity.
Now, does identity -- some people say identity equals reputation.
And I've put myself in some really, really, really good company here.
I'm now hooked up with Shakespeare, Ben Franklin, and Warren Buffett.
That's not bad, huh? I'm doing pretty good.
And you can see that reputation for wet-wear subjects is worth money,
if you can capture it with digital trust technologies and expose it and leverage it,
it's worth 8.1% on eBay.
Now, reputation turns out to be one of the few ways we have to deal with non-wet-wear subjects.
There are companies like Iovation who first fingerprint a device and then track its behaviour
in certain transactions to amplify the identity, to decide whether it's a good identity
that we want to include in transactions, or a bad identity. Looking at the hardware.
And this is used in great measure by the online gaming industry.
Don't ask me how I know.
Why? What's the value?
The value is it gives their consumers a sense of fair play and more people come to play poker online.
More people come to play blackjack online.
Because they think it's a fair game because we're using this digital trust technology.
Oh, I've got to say a word about authentication.
I'm not going to say much. You'll have to read the report.
It turns out it is one of the fastest ways to gain digital trust
if you can add some sort of clever authentication, and everybody reads books about that.
There's also a big intersection -- ooh, Bill, Intersection -- title of the whole conference.
There's a big intersection between identity and authentication and compliance management.
We'll see that happen a lot with compliance.
I want to point out one, though, this knowledge-based authentication,
a real triple-play of digital trust value generation.
Mellon Investor Services, they want to get their investors online faster.
So, like so many people, they had this process of double mailings,
and I won't go through the whole thing,
but they wanted to use a hint-based system, but they didn't want the problems, Mike,
So they used public records data to generate the questions that you're supposed to answer.
So they get a triple-play. They get their investors online faster,
they have fewer calls to the help desk, and they have no privacy store to worry about because it's all public records data.
Ooh. Digital trust works for them.
Now, I've got to talk about biometrics.
You've heard me mention the USTSA frequent traveller program.
But at Disney World, you don't use picture IDs. You get your ticket, you go through this thing called Ticket Tag.
And it uses a fingerprint. And there you can see, there's a -- even little kids can use it.
That's a little girl's arm. She's reaching up, putting her finger in there,
because as soon as she does that, guess what?
[Sound of kids yelling "Yay!"]
They're off! They're off ... to Space Mountain.
Now, that really wasn't a tune, but that was music to my ears.
Well, those of you who answered the question about digital identities--
what's the best one, and authentication, and everything--
that's representative of our quest to see if we could, please, digitize our DNA.
Is there a Holy Grail?
One digital identity that works for all subjects in all contexts?
Wouldn't that be wonderful? If we could just find that.
Well, stop looking. [Laughs]
Because the Internet didn't come with any identity layer or consequently,
And so no single identity satisfies our pseudonymous behaviour,
and plus, there's no value proposition to really push us that way.
And we have these problems with subjects without a pulse.
And I can see the angst on your faces already,
saying, Oh my gosh, you know, I've heard so much about identity theft,
and Ron's talked about a bunch of places they could use my identity
and different claims of identity, and oh my goodness! Oh my goodness! What about me?
Well, I want to put your mind at rest.
Because no matter what we do to your identity and how we change it around,
[♫ You're still you ♫]
[♫ After all, you're still you. ♫]
I'm going to need a moment.
[Laughter]
But what about intellectual property, then?
I mean, this is going around that circle.
If you've done the arithmetic on the 80% thing, and you know what the S and P 500 Index is,
you know we're talking about a trillion dollars of intellectual property value.
There are exchange traded funds -- happy ones -- working today totally based on intellectual property.
And by the way, that ratio is only going to grow,
because as Jay Leno once said about Doritos, We'll make more.
And we're making more digitally. Since 1999, just about everything is being made digitally.
So now, there are really two approaches to this.
We heard from Sun Microsystems yesterday one approach.
[♫ If you love something, give it away. ♫]
Okay. Well, you know, that might work for Sun.
He would agree, then, with Emmylou Harris and Conor Oberst.
Most people don't. And we have another way of dealing with intellectual property.
First off, intellectual property protection is more than confidentiality. Way more.
And there are five value characteristics, all of which are important.
Second observation is, they all have to be preserved with digital trust technologies
in order to gain value through the entire life cycle of information.
And a third one might not be quite so obvious to you,
but let me just say it here.
And that is, digital trust on IP -- on intellectual property protection --
actually has the possibility of creating new value over intellectual property you already have.
We've seen it in the iTunes market. We'll see it again in newspapers and journals.
And repackaging newspapers so I only need to subscribe to the funny pages and the sports.
I don't need that nasty front page. That would be wonderful.
Well, what's happened is that, against those IP value characteristics,
we've seen the emergence of some older technologies be used new ways,
and some brand-new technologies.
And I don't have time to go through all of these here today, but I want to point out a couple to you.
Every college and university in the UK -- University of Colorado system, University of Iowa system,
many high school systems in the US, including the one in Fairfax County, Virginia,
Lexus Nexus, and -- okay, hold your hearts now --
Oprah Winfrey -- use digital trust technology from an outfit called TurnItIn.com
in order to check on the authenticity of claimed intellectual property.
If you'll remember, Oprah had a little problem with a book some time ago.
And they said, well, wait a minute. This can't be right. I want to make sure that it's original.
So that usage has come along wonderfully.
Fingerprinting and watermarking are used primarily in a consumer industry
to make sure that when you buy a movie, you get the one you bought.
Not some knock-off movie.
We see a lot of content encryption in rights management.
Apple, Microsoft, Rhapsody -- they've all generated rights management based on content encryption
that allows them to own the whole value chain,
the beginning, content creation, to content rendering.
Remember those 2 billion tunes coming down on iTunes?
What did they get played on?
iPods. iPods carried Apple for a couple of years there,
and it was because they were able to parlay a clever idea
and a stylish design with some digital trust technology around rights management.
Now, in the enterprise, what we're seeing is an attempt to move content--
intellectual property -- to places where it can be monetized more completely.
And so new things called content monitoring and filtering technology,
sometimes called data loss prevention technology --
plus PortAuthority and Tablus -- I don't know why they didn't begin with a V.
We see that a lot. Companies like DuPont, WorldComm, Raymond James Financial,
Now, if you stare at that chart for a long time, you start to think:
Gee, if I just arrayed the technology right, there's kind of a digital trust zone against those value propositions.
And what we're really seeing is that digital trust and IP protection
move the focus from the platform to the data itself.
So you've heard me mention that some companies were very consumer-oritented companies,
and then I named some companies that were really enterprise-style, business-to-business companies.
What we've learned and what we've seen is that many of the technologies that started in the consumer industry,
because there were fewer formats of information that we needed to worry about
and we could, in fact, control the whole value chain.
And we had a sense of what was being lost.
So the degree to which we could prevent loss -- guess what that was.
Another dollar of revenue coming in.
So it's worth doing. We get digital trust working for us.
But as we've moved that -- by the way, a little political and legal brouhaha there, too --
you'll read in the newspapers, no doubt --
but as we move over to the B-to-B value chain, some of those other technologies translate,
although haltingly -- rights management has had a real problem for a decade now
trying to find a niche because of the wide variety of formats and because we really have no sense of what we're losing,
so the value propositions get harder to quantify.
and we'll -- more about that a little bit later on.
Compliance management! Holy cow! We thought when we picked six, we'd gotten six dots here.
It turns out we had five dots and a dash.
Compliance management is different. It is the business of keeping the business in business,
and it's often the first order of business.
I had a boss once, an admiral, who, whenever I did something right,
however infrequently that might be,
he told me, he said: Ron, your reward is no further punishment.
And that's kind of the way it feels with regard to compliance management.
And we're all familiar with the fact that there's lots and lots of compliance going on.
There's no shortage of compliance mandates.
And we do have to deal with them.
And so, in certain cases, compliance itself is the real return.
And we always focus on the holy trinity of compliance in this country.
You know, you can't give a briefing if you don't say, Gramm-Leach-Bliley,
HIPAA, and Sarbanes-Oxley. And now we've added the fourth to the holy trinity,
so I guess it's holy quaterninity or something.
We've added the PCI data security standard for the payment card industry.
And that's all around the world, too.
But I want to point out that there are many, many others, and there are some game-changers here
and real opportunities for digital trust, in particular in legal discovery.
Now the good news for all of us security people is that
we can still use compliance management as the justification, even for a digital trust strategy.
If we haven't been able to convince the boss otherwise, we can say:
Well, boss, you know, guess what? Compliance happens. And we have to have a strategy for this.
And if we don't have a strategy for this...
[♫ I fought the law, and the law won. I fought the law, and the law won ♫]
Bobby Fuller is right! That's the Bobby Fuller Quartet. If you fight compliance,
if you fight the law, more often than not, the law will win.
Now, many people beleive [ahem], Mike,
that the world revolves around compliance, that there's actually a compliance solar system,
and compliance management is the sun in the middle.
And we've learned in our research that, in fact, that is actually true as long as it operates this way--
that the operational information coming from other digital trust services
feeds compliance management, and compliance management delivery back -- guess what? -- evidence.
Remember our definition? Do y'all recall that?
Just go like this. That's good. Okay.
I know you're with me.You're that dog on the floor: I got it.
All right. And by the way, that happens for compliance itself,
and so what we get out of this -- the value we get out of this in digital trust sense,
is fundamentally, efficiency.
But there is a double play, because we can use identity stores twice.
We can use intellectual property information twice.
And the degree to which we can use it over and over again means we don't have to pay out again.
Most of the time, this value shows up in customized reporting, and when that reporting is completely at the end,
and there's a head count reduction or some other kind of efficiency.
If you look inside that compliance management sun,
you see a lot of moving parts, which means there's a lot of opportunity
to connect and make this stuff work.
Arrayed around the outside, we see three kinds of digital trust technology foundations that are used
most broadly to achieve that digital trust result.
And some of these are brand new, and some of these are not so new,
but they're being used in new quantities and in new ways in order to get value.
Much of this is brand, brand new, and so our skeptic, Perry Como,
is kind of moving to our side of the wall here.
[♫ We've only just begun. ♫]
Normally, that would be Karen Carpenter, but during that week, Perry was working cheap.
So we've only just begun. So the story is not in yet.
I want to point out just one or two things here, though.
Content monitoring analysis, and you see that third bullet down that says e-discovery.
Now this is a game changer, because the entire compliance framework changes on us.
Most of the time, we're used to dealing with regulators, auditors, and some crazy regulatory framework,
and we can argue with them. We can negotiate with them.
With regard to e-discovery, you're dealing with lawyers, judges, and a legal framework.
Morgan Stanley was assessed a $1.5 billion fine for not being able to do e-discovery,
But also, the power of e-discovery is that you can use compliance management digital trust offensively.
And there are studies where individuals have pursued intellectual property pursuits
using compliance management technology -- digital trust technology--
offensively to go through millions of court records and pleadings to find the information they need.
Something they could never have done before, and we've seen hundreds of millions of dollars
of award based on an offensive use of what is essentially seen as a defensive strategy.
We're also seeing digital trust as a service
show up in vulnerability management, and vulnerability management go through
the enterprise in ways that we haven't seen before.
And finally, we see lots of cases where -- son of a gun! If we could just handle
the paperwork faster around compliance, then we could get an efficiency pay off.
Liquid security. This is a fun one.
If you remember the connected world: liquid, time, and place,
and what we heard from Sun yesterday -- and I'll just paraphrase here--
We're untethered. We don't have wires anymore.
Now, they mentioned Sun's kind of seeing that. BP is doing it.
For certain users in certain locations and with certain capabilities,
They dissolve the intranet. Everything is an internet service. Not completely.
I want to mention one technology for you, you'll read about. It's one of my favorite words for technology.
It's called Mojo Pack.
I'll let you imagine what that is.
That could solve the problem here. That's real digital trust technology at work.
So we have -- now wait a minute, now. We had liquid, time, and place--
now we have liquid configuration as well.
Things that used to just be on computers and stuff, now we've got them on things called mobiles.
And I can tune my TV, buy a soda, and do online banking in Japan with the very same device.
Isn't that wonderful?
And so everything -- even though we've got no wires, everything is connected to everything.
There's smart homes, smart cars, smart highways, smart offices, smart alecs...
and smart -- I'll let you fill in the last three letters.
And so our digital trust security must be as fluid as liquid, time, place, and configuration.
And so it must almost work like rain.
[♫ Purple rain, purple rain ♫]
Now, if Prince is in, how can we be wrong?
And so it has to fall like rain: in, around, over, and through this liquid time, place, and configuration.
E-threats and countermeasures. Well, you've seen these stories before.
You've seen many, many, many charts. Oh my goodness. Oh my goodness.
There are tons of vulnerabilites. We spend tens of billions of dollars dealing with them.
We're spending bazillions of dollars on identity and authentication and compliance
and intellectual property, and you know all that.
But even when we do everything exactly right -- even when we do everything exactly right,
bad things can happen. We don't control the outside.
[♫ "Jaws" theme music playing ♫] And we are swimming in a sea of threat.
[♫ "Jaws" theme music playing ♫]
So nasty things can continue to happen to us. [♫ music stops ♫]
Yes, indeed, there are nasty things. And so digital trust has to be able to respond to those nasty things.
Now, I sought a song for nasty things, and I found one.
This is a song -- I have the words here for you, but there's no recorded version,
so here we go, ladies and gentlemen.
We're going to have the LEF American Idol.
You come to the Innovation Lounge. You bring a tune for this song,
and I have a prize for you. I have a wonderful lariat that blinks blue and got a dog tag on it.
I'm sure nobody has one.
[Laughter]
Now we've picked these four areas that are representative of a situation
when you do everything right, bad things can still happen.
And what we've seen is that as the e-threats move around,
your need for digital trust changes.
I often have -- and people say, Well, Ron, I see this fourth -- I know them.
They're digital. I've got it. What's this no-tech exposure thing?
I thought this was digital trust. How can that be right?
Well, what we've seen here is that no tech exposures are reflected back into the digital enterprise
and show up as a digital trust deficit, and so the penalties really come through
a digital trust deficit.
I also happen to think that perhaps my next career is here.
Those of you who do no tech can see that I've got some real talent.
Okay. At any rate [ahem], that brings us to transparency and assurance.
Wouldn't we like to measure digital trust? How much do we have? How much do we need?
Is it better to get it from one place or another place?
Can we get it with reputation? Can we get through trust brokers?
Having a staff with special credentials. Does that make it any better?
Here, architecture matters!
And so we deal with digital trust in service-oriented architectures and with virtualization.
After all, what we're trying to do -- what we're trying to do here is to get all the participants
in a transaction in a digital enterprise to agree and to say about that enterprise and that transaction.
[♫ I really love you, and I really do ♫]
Thank you Kylie Minogue.
You Australians in the crowd will love that one.
Okay. Listen, this brings us back to the whole notion of trust and the power of trust.
And you can see -- these phrases, you probably see them all the time in literature and online.
There are phrases because people love this word trust.
It brings something to the conversation. It makes us be more believable.
Trust watch, trust digital. e-trust, trustee, cybertrust, entrust, cybertrust, web trust,
public trust, drive trust, and beyond trust.
They all show up. And we use that word for so many reasons.
Now, come closer. Come closer. Listen carefully.
Listen carefully. I found a new one.
The International Congress of Neuroendocrinology has identified oxytocin--
not OxyContin--
oxytocin as the hormone of love. The hormone of trust.
And Dr. Joyce Brothers recently said about a company who had been able to liquify this:
They've made a trust potion.
And I think it's only fair to tell you now. Maybe I should have told you earlier,
this liquid trust is intended to engender trust--
that before I came down here, before I came on stage,
I sprayed and gargled with liquid trust. So right about now, you should be in the palm of my hand.
and you should have a real sense of affection for me.
Can I feel the love?
[audience: woo hoo!]
All right. Okay. All right. So liquid trust. If you want -- you know--
There's value in that, too. See me later.
Okay. Trust power. All right. So here we are.
Even today -- even today -- or especially today, we are seeing enterprises showing
symptoms of a digital trust strategy and gathering the benefit of digital trust strategy
no matter what they call it. No matter what they call it.
And so learning how to become a digital trust enterprise becomes possible.
We've got people who have paved the way, at least a little bit.
And so we would ask the question, Gee, could there be, even today,
a digital trust poster child?
Would it be, for example, Motorola, whose CISO and Vice-President Bill Boni
works on a traditional impact-based risk assessment, risk--
information risk management methodology, but he's arranged it for his team and his organization
to get credit for doing business enhancement.
He's generated a wireless security service out of his information risk management practice,
and that he gets credit for. He has expanded the value of services out of Motorola.
Well, if not him, maybe it would be the EPA.
Now, one of the federal government's service centers for FISMA compliance,
they went from a near failing grade to an A plus. By the way, CSC helped them do this.
And now they're one of the federal service centers for FISMA compliance.
But they didn't do it just to get a better grade. They targeted a value-enhancing proposition.
They reduced the security incidence by 55%. Maybe they're it. Well, maybe not.
Maybe it's Aramark. I told you about them, whose CISO, Steve Erickson--
I love this guy. Look at the quote. "We are in the business to make it as easy as possible
for people to spend money with us."
This is a security guy!
Woo hoo! I love him!
Okay. Maybe it's him. Maybe not.
Maybe it's the US Department of Justice, the other federal service center for FISMA compliance and security
whose deputy CIO and director of IT security, Dennis Heretick,
built an entirely new system, the cyber security assessment methodology,
to track the plan and capture the data and give the reporting for that annoying little FISMA thing,
I get a good grade.
They also went from a failing grade to an A plus.
But at the same time, he's getting business value out of FISMA because he can let his agents--
FBI agents, DEA agents -- spend more time doing their real jobs than this other thing.
He's looking to get business value out of FISMA. Well, maybe not them.
Maybe it's Mellon Investor Services with that famous triple play using knowledge-based authentication.
Perhaps it's Apple who resurrected an entire market of single tunes coming out,
2 billion of them, with a parlay of a clever idea around mobile audio entertainment,
some very stylish designs, and some digital trust technology
that allowed them to dominate the content creation and content rendering end
of that value chain.
Well, maybe it's somebody a little closer to us. Somebody who is already a winner.
Somebody who's shown how digital trust can bring value.
Maybe it would be ...
>> The challenge: Create the border control system to verify documents against
counterfeits accurately and quickly, identify people using biometrics,
and enable electronic document technology.
>> The most difficult requirement was the ability of the system to perform
the entire control process in a short period of time, not more than 10 seconds.
Did you see what just -- you recognize them, right?
That's our Italian team. Did you see what Guissespe said?
What was the hardest requirement? It wasn't about, Oh, let's reduce the risk of loss.
It was, Let's do it in a short amount of time so that we can have a convenient, pleasant experience
for those coming in legitimately
and for the officials and officers at border stations who have a job to do.
Let them spend their time on their real job.
So that might be -- they might be the poster child for digital trust.
And if they are, I can think of no better way to scream They're Winners! once again, than this:
[♫ Opera music playing ♫]
Well, we don't know yet. We're still working. That's pretty darn good, though!
That's pretty darn good.
All right. So there's a lot more to say, and there' s a lot more we encourage--
the story of digital trust is still being written,
and the song is just being sung.
And even though we've evolved to a different point of view than that famous skeptic, Perry Como,
we still like his music.
[♫ Music from a Perry Como song playing ♫]
[♫ It is possible to make security a PLUS! ♫]
[♫ Oh, yes, it's possible ♫]
[♫ It is possible to grow with digital trust. Oh my, it seems possible. ♫]
[♫ If I told you that the value of your business could be greater, ♫]
[♫ and your enterprise would still be even safer, ♫]
[♫ would you strategize for trust? 'Cause it is possible. ♫]
[♫ It seems possible. Hmmmm mmmmmm. It's very possible. ♫]
[applause]
So thank you in nine different languages!
Let's go learn some stuff now. Huh? Let's go see some wonderful stuff.
Digital trust is possible.

CSC - Ron Knode Keynote on Digital Trust from LEF '07

Translate and Transcribe

Share

Video Transcription

Other videos from thor