Social Networking and Identity: A Cautionary Tale. November 5, 2009. Alice Wang, Mike Gotta. All Contents © 2009 Burton Group. All rights reserved. mikeg.typepad.com

Social Networking and Identity - A Cautionary Tale

Presentation given by Alice Wang and Mike Gotta of Burton Group at Enterprise 2.0 San Francisco 2009.

Page 1: Social Networking and Identity - A Cautionary Tale

Social Networking and Identity – A Cautionary Tale

November 5, 2009

Alice Wang

Mike Gotta

All Contents © 2009 Burton Group. All rights reserved.

mikeg.typepad.com

Page 2: Social Networking and Identity - A Cautionary Tale

Two Sides Of The Social Networking Coin

Why are we here…

• Use of social networking tools and applications to improve information sharing and collaboration will transform how organizations think about, and manage, identities
• Profiles, social graphs, and activity streams enable employees to construct their own social identities across internal and external constituencies
• Participation in social networks and community contributions enable employees to establish their own social roles and reputations
• However, what are the benefits, risks, and implications of more open collaboration and transparent knowledge sharing on identity management strategies

Page 3: Social Networking and Identity - A Cautionary Tale

Two Sides Of The Social Networking Coin

[Figure. Source: Booz Allen Hamilton]

Page 4: Social Networking and Identity - A Cautionary Tale

Two Sides Of The Social Networking Coin

Benefits expected from social tools and applications

• Connect people internally and externally
• Break down organizational barriers and information silos
• Promote employee innovation
• Address generational shifts; meet technology expectations of younger workers
• Support strategic talent and learning initiatives

However – open and transparent environments can raise identity and security concerns

Page 5: Social Networking and Identity - A Cautionary Tale

Use Case #1: Social Network Site

[Figure. Labels: Trusted Identity Sources; Enterprise Identity; HRMS; Directory; Other Systems-of-Record]

Page 6: Social Networking and Identity - A Cautionary Tale

Use Case #1: Social Network Site

[Figure. Labels: Internal Social Identity; Personal Claims]

Page 7: Social Networking and Identity - A Cautionary Tale

Use Case #2: Profile Proliferation

A single profile? Multiple profiles? Federated profiles?

[Figure. Profile labels: Employee Profile; Employee Profile #2; Employee Profile #3; Employee Profile #4. Community labels: Women Returning To Work After Extended Leave; Support Group; Employee Outreach Network; Internal “Facebook Site”; Gay & Lesbian Community; Professional Community Of Practice; Exchange of Best Practices]

Page 8: Social Networking and Identity - A Cautionary Tale

Use Case #3: Activity Streams & Profiles

Over-sharing via social conversation and community actions

[Figure. Labels: Employee Profile; Automatic posting of community actions; Activity streams & “Enterprise Twitter” messages]

Jane Doe: Joined Community: “Women Supporting Women”

John Doe: “Working on a big M&A deal, need to work late tonight… stay tuned!”

Fred Smith: &#%^%$* we just lost the Company ABC account…

Jane Doe: Joined Community: “Gay & Lesbian Employees Outreach”

Betty Smith: @Bob Jones That patient ID number is 123456789

Bob Jones: @SamJ I’ve changed the access controls so you can get into the workspace

Page 9: Social Networking and Identity - A Cautionary Tale

Use Case #4: First Comes Aggregation

[Figure. Labels: External Social Identities; Personal Claims]

Page 10: Social Networking and Identity - A Cautionary Tale

Use Case #4: Followed By Correlation

Is it me? How much is being shared? Under what controls?

Unification of an employee’s social structures

[Figure. Labels: Profile, Status Message, Activities, Photos; Profile, Groups, Contacts; Following / Followers, “Tweets”; Enterprise Identity; Enterprise “Social Identity”; My politics, My groups, My music, My friends; “The Work Me”; “The Citizen Me”]

Page 11: Social Networking and Identity - A Cautionary Tale

Use Case #5: Leveraging Consumer Tools

Enterprise roles and identities can collide with personal use of social media

[Figure. Labels: “The Employee Me”; “The Citizen Me”]

Page 12: Social Networking and Identity - A Cautionary Tale

Use Case #6: Enterprise Roles

[Figure. Labels: Trusted Identity Sources (HRMS, Directory, Other Systems-of-Record); Role Sources (Role Management Applications, Business Process Management (BPM) Systems, Enterprise Portals); Authentication, Authorization, Provisioning, RBAC, etc.]

My Roles

• IT Architect
• SME on “ABC”

Enterprise Roles

• Approver for access to “XYZ”
• Certified on “123”

Page 13: Social Networking and Identity - A Cautionary Tale

Use Case #6: Emergence Of “Social Roles”

“Answer Person”, “Wiki Gardener”, “Idea Person”, “News Filter”

[Figure. Labels: Social Role Attributes; Social Data Aggregation & Correlation; Social Network Analysis; Social Roles]

Page 14: Social Networking and Identity - A Cautionary Tale

Use Case #6: Community Equity

From roles to reputation

• Reputation is an aspect of someone’s identity; need a social value system based on social activities
• Analyze social data to derive community equity
  • Aggregate social activities: edit, tag, bookmark, follow, comment, reply, post, attach, subscribe, join…
  • Correlate patterns: participation, contributions, skills, reputation, social graph

[Figure. Labels: Participation; Contributions; Skills; Reputation; Social Graph; Community Equity]

Page 15: Social Networking and Identity - A Cautionary Tale

Use Case #7: Analyzing Relationships

Social analytics

• Assess, correlate, and visualize relationship structures
• Discovery of latent connections most valuable

[Figure. Callouts: “Needs to figure out how to help a company deal with export / import regulations in country XYZ”; “Has dealt with import / export problems in country XYZ for years in past job role”. Node labels: Node 8; To Node 10; To Node 14; To Node 15. Source: Telligent]

Page 16: Social Networking and Identity - A Cautionary Tale

Use Case #7: Analyzing Relationships

Without proper controls, identity and security issues can arise

• Evolution of tool capabilities can discover too much information on organizational structures, activities, and relationships

[Figure. Labels: Product A; Product B; Product C; Person 2; Person 3; Person 4; Person 5; SCN Group1; Customer X; Business Process 2; Sale Process 1; Marketing Campaign 1; Purchased; Part of. Callout: “Key talent in organization developing new ideas and products”. Source: SAP]

Page 17: Social Networking and Identity - A Cautionary Tale

Awareness & Management Of Risks

General concerns relevant to identity and security teams

• Identity
  • Assuring profiles (identities) – internal and external
  • Populating profiles with trusted enterprise data
  • Assessing social identity attribute claims
  • Making sure that controls exist to satisfy privacy mandates
• Security
  • Applying policy-based management (including enforcement)
  • Inclusion of monitoring, discovery, and audit mechanisms
  • Validating “fine-grained” access controls and role modeling capabilities
  • Satisfying compliance, discovery and related data-retention controls
  • Ensuring data loss protection

Page 18: Social Networking and Identity - A Cautionary Tale

Awareness & Management Of Risks

Use Case concerns relevant to identity and security teams

• Profiles And Profiling
  • Credibility of profile and social claims
  • Possible bias against employees by co-workers based on race, diversity, affiliation information made open and transparent via social media tools
• Information Security
  • Intellectual property, compliance, e-Discovery, monitoring…
  • Aggregation / correlation capabilities
  • Data management and data integration (profiles, roles, etc)
• Privacy
  • Adherence to regulatory statutes, level of employee controls, possible stalking situations (hostile workplace)
• Social Network Analysis
  • Makes relationships visible that perhaps should not (“connecting the dots”)
  • May lead to “befriend / defraud” situations, social engineering

Page 19: Social Networking and Identity - A Cautionary Tale

Recommendations

Moving forward with social media and social networking efforts

• Social media and social networking are strategic initiatives that are here to stay – saying “no” is not the right approach
• A decision-making framework and governance model is an essential component of any strategy
• Policies and procedures need to focus on the human element and avoid technology as a panacea
• Identity and security objectives need to be viewed on the same level as desires for openness and transparency
• IT teams that should be viewed as key stakeholders in social media and social networking strategies include:
  • Groups responsible for collaboration and community efforts
  • Identity management and security groups
  • Information management and data analysis groups

Page 20: Social Networking and Identity - A Cautionary Tale

A Look Ahead

Do we someday reach a point where social networking, social roles, and community equity enable self-regulating systems?

[Figure: three Enterprise Role / Social Role pairings, each with an outcome]

• Social role not associated with enterprise role or entitlement: No change
• Social role indicates synergies with enterprise role and entitlements: Discovery of latent talent in the agency, perhaps a new subject matter expert
• Social role becomes synonymous with enterprise role and entitlement: Provisioning and access controls adapt based level of community equity performing social role

Page 21: Social Networking and Identity - A Cautionary Tale

Q&A