
Tuesday, September 15, 2015

How Content in Context Within Apps and Process Strengthens Marketing Muscle

Transcript of a BriefingsDirect discussion on the changing nature of content as people and companies move to a greater use of apps, big data and context-aware processes.

Listen to the podcast. Find it on iTunes. Get the mobile app for iOS. Download the transcript.

Dana Gardner: Welcome to the next BriefingsDirect podcast as we explore the changing role and impact of content marketing, using the IT industry as an example. Just as companies now communicate with their consumers and prospects in much different ways, with higher emphasis on social interactions, user feedback, big data analysis, and even more content to drive conversations, so too the IT industry has abruptly changed.

There's more movement to cloud models, to mobile applications, to leveraging data at every chance -- and they are also facing lower-margin subscription business models. The margin for error is shrinking in the IT industry. If any industry is the poster child for how to deal with rapid change on all fronts, it is surely the global information technology market.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this forward-looking discussion on how the nature of marketing is changing.

To explore how we can expect the IT industry to adjust and how the nature of marketing is impacting it, we're joined by Lora Kratchounova, the Founder and Principal at Scratch Marketing and Media in Cambridge, Mass.

Welcome, Lora.

Lora Kratchounova: Thanks for having me, Dana.
Gardner: Lora, you and I have been talking about marketing for years now. We're in an interesting field, and it’s been such a dynamic time. I have some interesting ideas about where technology is going and where marketing is intercepting, and how they are both changing.

So, let’s start at a high level. Content marketing has proven to be very successful, and you and I have had a hand in this. Creating compelling stories, narratives about what’s going on, and how people can learn from peers as they go through problems and solve them, has become a mainstay in marketing. From your perspective, why is content marketing so important? Why has it been so successful?

Kratchounova: There are a couple of reasons for that. The pace of change is tremendous now. People are trying to get their bearings on what’s going on in their markets, and a lot of times, they need to get educated. What has changed with social media now is that information is a lot more immediate and transparent, and you can get it from many more sources than just the online presence of a company, for example.

The top-down modeling in the marketing is changing. We used to rely on companies to tell us how to think about the world, and now we can form our own opinions. As we realize that the customer is in the driver’s seat, they educate themselves, and they make the right decisions about how to go about change, companies are realizing that they need to feed into that flow and be part of that discussion. So content marketing has been so successful, because you become an educator, not just selling to people, and especially in IT.

Gardner: And I think people have become much more accustomed to conversations, rather than just a one-direction information flow. "We're the seller and we're going to tell you what it is." Now, people want to relate. They want to hear what others have to think. It’s much more of an actual conversation.

Ongoing conversation

Kratchounova: Exactly. Look at any IT domain. It’s interesting when we look at who is influencing and who the main voices in it are, who the voices that people consider experts are. You pretty much consistently see reporters, journalists, and the analyst folks like you, but then we see that there are a lot of C-level executives from IT companies who are becoming that kind of a voice as well.

That just points to the need for that ongoing conversation, the need for sharing at all levels of the buyer funnel. Once people have bought into a selection, they need to make sure of adoption, and they are maximizing the investment.

So the conversation is very important, and the immediacy of having access to folks and having the ability to exchange a few thoughts on Twitter or LinkedIn has changed the dynamic completely. So it’s absolutely about conversations and storytelling, but it's still mapped to the buyer’s funnel.

People are still educating and still looking at options for a change or for replacement, one or the other, until they select the people they want to work with. And it’s usually people in brands. It's not just that they want to work with this company, but the people behind it. We're moving more to a people economy.

Gardner: As you point out, you can get to the real source of the knowledge nowadays. Publishing is available to anybody whether they're tweeting, blogging, posting on Facebook, or putting something up on their company website. Anybody who has something to say can say it. It can get indexed and it can be made available to anybody who wants to hear about that particular topic.

Most people now don’t just sit back and wait for information to reach them. They're proactive. They go out, they start to search, they do hashtag searches on Twitter, and they can do Google or Bing on the web.

It’s much more of, "I know something; I'm putting it out there." And there's another case of someone saying, "I need to know something; I am seeking it." They come together on their own. The content makes that possible. The better the content, the better the likelihood that those in a need to know and those in a need to tell come together.

Kratchounova: Exactly, but I think you hit on something very important. Everybody can publish, and a lot of people are publishing. Yet, we're interested in a love for your people, falling in love for your people, and what they have to say.

The ability to publish is great, and it democratizes the means of how we communicate with each other and educate each other, but yet you still have to earn it. This is very important. People who really are influential are usually domain experts and they're there to help other people. That’s the other aspect of it that both companies and their marketing teams and their executives need to think about. You have to actively participate and show your expertise; it doesn’t come for granted.

Importance of curation

Gardner: And there's another aspect to greasing the skids between the knowledge and the acquirer of the knowledge, and that is content curation. There are people who point at things, give it credence, and say that it's a good thing, you should read it; or that’s a bad thing, don’t waste your time -- and that helps refine this.

Kratchounova: It’s pretty exciting.

Gardner: There are machines doing the same thing. There are algorithms, there's indexing, there's both human and machine aspects of winnowing down the good stuff and providing it to people in a need to know, and that’s when we are going to get more powerful.

Kratchounova: Great. I'm sure you know about Narrative Science. I've had a professional crush on this company for a few years now. They take data, turn it into storytelling, and they think this is phenomenal. Obviously, that’s not going to replace some of the human storytelling that needs to happen, but some of the data storytelling will come from technology. This is one particular application where marketing and technology come together to bring something completely new into life.

Gardner: So we can get knowledge through expertise or we can get knowledge through experience, someone who has gone through it already and is willing to share that with you. If you're acquiring IT, it’s super important to avail yourself of everything, because it changes so rapidly and the costs are high.

If you make a big mistake in how you're designing a data center, you're out millions of dollars, your products don’t work, and your front office are going to come screaming down on you. You have to make the big decisions and you have to make them correctly in IT. It’s not just a service to the business; it is the business.

So, let’s think about the IT industry in particular, and then think about how content marketing as we’ve discussed is powerful. How do IT people acquire content marketing? Do they get it through websites, emails, or tweets? Is it delivered to them at a webinar that they opt into? How does content marketing reach somebody who's an IT buyer?

Kratchounova: It depends on the IT buyer, because we can’t necessarily lump them together and ask how the IT buyer goes about it. There are people with different needs, and it depends on their role. If you're a CIO or CTO, there is a different mix of channels and sources you use. If you're on the dev or on the ops side and looking for specific solutions, you're going into completely different channels.

For example, if you're a DevOps professional, you're maybe on Stack Overflow and you might be seeking advice from other folks. You might be on GitHub and sharing open-source code and getting feedback on that.

If you're a CIO or CTO, what we have found working with a number of different companies, be that global companies or maybe companies that are growing, is that they do seek their peers to validate what the peers are going through. One of the best things that companies can do, when they try to talk to the C-level, is expose some of those connections that they already have from their customers. Make sure that the customers are part of the discussion, and they can chime in.

Another important source of information for the C level in IT would be folks like you, analysts, and strategic system integrators like Accenture and Deloitte, because these folks are exposed to the kinds of challenges that a CIO or CTO would go through. So they have a lot to bring to the table in terms of risk mitigation, optimal deployment, and maximization of the investment in IT. Making those connections and sharing those experiences we have seen work really, really well.

Let me just throw this in as well. The other thing we have seen is that the C level is still going on Google. They're still doing the searches. We have compelling data, across the board, that in any B2B complex enterprise environment folks are self-educating as well. So it’s not a question of either/or; it’s what’s the right mix for each company depending on channels, depending on where people sit.

Spectrum of content

Gardner: So there is a spectrum of content, some highly technical and defined, on places like GitHub that are germane to a technologist. Then, there is that spectrum up from there to a higher level toward peer review of products and peer review of solutions. Then, there are more business topics about what is strategic, what’s the forward direction, how do I understand at an architectural-level decision processes, and where can I go for more information to find out what’s coming down the pike and then put it in place.

Kratchounova: Think about Spiceworks. They're probably at five million IT professionals at this point, and the community is there for a reason. So again, with each particular, there isn’t one size fits all. One thing that we always recommend to folks is that if you’re looking to develop an influential strategy and approach IT, it really depends on what domains you span.

You find that even if you're doing mobile application development, the folks who were really influential and set the standards of that stage are somewhat different from the folks who are concerned with security in mobile app development. So there isn’t necessarily one pool of influencers that you need to go then to develop a relationship and understand what’s in their mind. It really depends on your domain.

Gardner: So if you're a marketer and you recognize that quality content is super important, you need to have a spectrum of content. It needs to be some content that would be germane to a technologist that’s highly detailed, a how-to type. You need to have peer review and stories, case studies, testimonial type content where the customer is telling what they’ve done, why it benefited them, and what you can learn from that.

You also need to have higher-level discussions with experts to help people chart the next course, the strategic level. So content needs to come across a spectrum, and we recognize that the way in which people get that content might be through search. It might be through web, e-mail, webinars, webcasts, reading certain online sites, listening to certain Twitter feeds or groups, or having a select group of people that you follow. All of that happens.

But what’s interesting to me, Lora, is that all has to do with the web. But what we're seeing in IT is a rapid movement toward mobile apps, rather than just the web. And in many cases, they're starting to overtake the web as to where people spend their time. I'm sure you're using a smartphone and you have mobile apps. You're not going on the web to find a cab; you’re going to the Uber app to find a cab.

If you're looking for a restaurant review, you’re not necessarily going on the web and doing a search. You’re going into a specific app on Yelp, OpenTable, or somewhere else to find out where your restaurants are and you’re going into Google Maps to find out how to get there.
So more-and-more, we're seeing, on the consumer side, people using mobile apps for more of their processes, for their inquiry, for their actual productivity. Then, on the enterprise side, the business-to-employee (B2E) side, we're seeing people using cloud services.

We're moving more toward mobile applications, cloud services, an API-driven world that leverages big data and analytics in order to put context into process. It's all about user experiences, and mobile delivers the best. How then does content continue to reach people? Do we lose the ability to deliver content when they are in apps?

Different perspective

Kratchounova: I have a different perspective on what you're describing. I don’t know that we are moving to a mobile app experience necessarily. When we think about the apps and the examples you gave -- Yelp or Uber -- yes, they're best-of-breed applications that we use because these are the most frequently used applications.

But what you're seeing is actually a digital transformation. Digital no longer means the web, as we know it, going online through your computer. You're actually navigating on a mobile device. So it’s this digital transformation that’s happening, and the trend that we're seeing is aggregation.

It’s not about one individual app, but it’s more about what is the Flipboard within the enterprise. You're seeing that sort of aggregation bubbling up to the top because information overload is a huge problem. People can’t prioritize anymore. They can’t toggle among those different applications and companies.

For example, one of our clients, not to necessarily add a plug for them, actually is very germane to the discussion. Harmon.ie does exactly that.

In those kinds of environments, what we're finding and where I totally agree with you, is the ability to read and understand context, so that you can support the user, be that an employee with internal work experience, or external customers, to support them to get the job done.


The role of content is actually merging with big data, because big data is helping us to understand context and say, "What do we serve this person here?" On the marketing side, and the lingo side it’s more about ongoing customer journeys. Think about the same thing on the employee side, ongoing employee journeys or partner journeys.

Once you understand, then you understand what a partner is trying to do. Why are they here, what’s the context, what’s the most logical next step or the optimal next step? Now, content becomes both an ability for people to find something, but also for marketers or product development folks. I think those functions are emerging as well to deliver the right content in the right format so that the user can get the job done. That’s my perspective on that.

Gardner: There's no disagreement from me on this issue of context to process, context to location, context to need for knowledge all being much more granular and powerful going forward. What I am concerned about is that, when I talk to developers, the vast majority of them are much more interested in a mobile-first, cloud-first world.

They're not much interested in building what we used to think of as big honking applications in the enterprise. They're much more interested in how to bring services -- and microservices -- together in context to provide a better productive outcome and how to leverage low-cost services in APIs and from any cloud.

Discovering inference

So, to me, it becomes, on one hand, all the more important to have the ability to deliver content contextually into these processes, but at the same time these processes are becoming fragmented. They're going across hybrid-cloud environments, they include both what we call cloud and SaaS, and I'm not sure where the marketer now can get enough inference to support the injection of content appropriately.

The ways that it’s been done now is usually through the web where we have links, and we have code, and we can do cookies. It’s sort of like, it’s Web 1.0 mechanisms by which marketers are injecting content, but we are moving not only past Web 2.0, we're into Web 3.0 cloud platform. To me this is a big question mark.

Kratchounova: It is a question mark. I don’t know that there is going to be one mode of delivering what we're talking about or one approach or one framework. I'll give you one example. Look at how web content management has changed. It used to be about managing pages and updating content. Now, web content management is becoming the Marketing Command Center, if you look at a web content management system like Sitefinity, for example.

Now, marketers can deal with the customer through his own mobile and on the web, so they can inject the content that needs to happen there. The reason they can do this now is because there is this ability, the analytics that come from all of these customer interactions of you, actually creating cohorts of people as they're going through your web experience or online experience. You know why they're there and what’s the optimal path for them to get where they need to be.

So, you're seeing this ability to distribute content to post content to people, but in a much more contextual way. So, there is going to be a pull and push, but the push is getting a lot smarter and very contextual.

Gardner: So it’s incumbent upon us who are examining this marketing evolution in the context of the IT industry to create that spectrum of content to make it valuable, to make it appropriate and not too commercial or crass, but useful. And at the same time now, think about how to get this in front of the right people at the right time.

It seems to me that if I'm an IT company, and more and more of my services, whether it’s a B2B, B2C, B2E, or all of the above, I need to be thinking about ways that I'm going to communicate with my existing universe or market and move them toward new products and services as they need them in context of their process.

Think about this in a B2C environment in retail, where I am walking through Wal-Mart. I have my smartphone and, as I turn the corner, they know that now I am interested in home goods, and they are going to start to incentivize me to buy something. That’s kind of an understood mechanism by which my location and the fact that I turned a corner and made a decision provides an inference that then they can react to with content or information.

But take that now to the B2B environment where I'm in a business setting. I'm in procurement, I'm in product development, or I'm looking for a supply chain efficiency. I want to move into a new geographic location and I need to find the means to do that. All of those things are also like turning a corner in a Wal-Mart, except you're in a business application using cloud services, using a mobile device and apps.

If I'm an IT vendor, I'm going to want to have content or information that I can bring to that situation, perhaps even through an example of what other people have done when they face that same process crossroads. So the content can be more important and more germane. These are multi-million-dollar decisions in some cases.

Don’t you think that big companies should be starting to make content with the idea that it’s going to become part of their application services, part of their cloud delivery services, and that they need to use big data and analytics to know when to inject it?

Understanding context

Kratchounova: I absolutely agree. I think that difference between the example you just gave for Wal-Mart and a B2B environment is that, in Wal-Mart, you don’t need to understand so much about who the person is, what their role is, whether they work at an accounting firm or whether they are a physician, for example.

In a B2B environment you do need to understand context, and context is the location or the point where they are in their journey, whatever that journey may be, and their role as well, because different people do have different decisions to make.

It’s a little bit more complex to bring context in a B2B environment, but it’s absolutely essential. You used the word inference. We always get enamored by the concept of the big data and guess what, once the machines are there, they're going to analyze everything and it's going to be this perfect world of marketing where everyone is aligned. 

Just look at the history of marketing. We don’t know ourselves as people. We individually don’t know ourselves as well, let alone someone else getting to know us that well. Inference is very important, but it’s going to be a balance between inferring what the person needs and allowing the person to customize this experience as well. So it’s going to come both ways.

Some people are going to one extreme or the other. Some people still believe that it’s a relationship-based world and, therefore, there's no need for a digital experience for their customers or for their potential buyers, which is actually never the case. Other people believe that it’s all digital; therefore they don’t need to touch them in any other way, which is rarely the case, especially in IT.

Gardner: I also suggest to you that the data is more readily available, because I, as an employer, as a corporation, control what’s going on. I know what that employee is doing. I know what apps they're using. I know what data they're seeking. 

They're going to provide a feed of data back to you about what’s going on, on those apps from your very own employees.
What I'm suggesting then, as we begin to think about closing out this fascinating conversation, is that you need to have content, stories, and customers lined up, so that you can uncover their path to truth, their path to value, and have that content context-ready. Not only are you going to be using it in webinars, webcasts, podcasts, blogs, but pretty soon, if my hypothesis is correct, you're going to be using that content in the context of process and inside of applications in cloud services and on mobile devices.

Way of the future

Kratchounova: Maybe this is an opportunity, because it is the way of the future, and some people are more mature and others are less mature, but maybe we can bring other people into the discussion and see what other folks in the field think about where the content is going, how to contextualize and how to deliver it. One of the biggest questions is how do we scale this. You can still do a meaningful experience or create a meaningful experience one-on-one, but it’s hard to recreate that even if your customers are 200, 500, or even 5,000 within the IT space.

Gardner: You also have to remember that people's connections to apps, cloud services and context-aware processes are only going to increase. The Internet of Things and new classes of devices like the Apple Watch are expanding the end points and ways to connect to them. One of the things that’s important with the Apple Watch functionally is that it’s very good at alerts and notifications. It can also detect a lot of context of what you're doing physically and your location, and it can relate, because it integrates to your phone, with what you're doing with applications and cloud services.

Wouldn’t it be interesting if you're wearing an Apple Watch or equivalent, you're in a business setting, and you come up against a problem that you might not even know yet, but all of these services working together are going to say, "That person is going to be facing a problem; they are going to need to make a decision. Let’s put some information, content, and use cases together for them that will help them as they face that situation to make a better decision." That’s the kind of role I think we're heading toward. 

Before we sign off, Lora, tell me more about Scratch Marketing and Media, what you do and why that’s related to this discussion we have had today.
Kratchounova: Scratch Marketing and Media is an integrated marketing agency. We help B2B technology companies with market growth. Sometimes that means helping the sales folks within IT companies and sometimes it means working with the marketing folks on things like content marketing programs, PR, and all its relations, and influence their relations in social media.

Gardner: And how could they find out more information about Scratch Marketing Media?

Kratchounova: You can go online at www.scratchmm.com.

Gardner: I'm afraid we will have to leave it there. We've been discussing the change in role and impact of content marketing using the IT industry and the great changes happening there as an example. We've seen how the nature of marketing with customer sharing and big data and the rapidly evolving technology industry coming together, perhaps gives us a bellwether that it will happen among many other industries. So, with that I want to thank our guest, Lora Kratchounova, the Founder and Principal at Scratch Marketing and Media in Cambridge, Mass. Thanks so much, Lora. 

Kratchounova: You're welcome, Dana.

Gardner: And a big thank you to our audience for joining this special BriefingsDirect discussion on the changing impact of content marketing.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host. Don’t forget to come back next time to BriefingsDirect. We've certainly enjoyed having the time to be with you, and we hope that you found this valuable, too.


Transcript of a BriefingsDirect discussion on the changing nature of content as people and companies move to a greater use of apps, big data and context-aware processes. Copyright Interarbor Solutions, LLC, 2005-2015. All rights reserved.


Thursday, April 30, 2015

How Globe Testing Helps Startups Make Leap to Cloud- and Mobile-First Development

Transcript of a BriefingsDirect discussion on how Globe Testing pushes the envelope on Agile development and applications development management using HP tools and platforms.

Listen to the podcast. Find it on iTunes. Get the mobile app for iOS or Android. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing sponsored discussion on IT innovation and how it’s making an impact on people's lives.

Once again, we're focusing on how companies are adapting to the new style of IT to improve IT performance and deliver better user experiences, as well as better business results.

Our next innovation case study interview highlights how Globe Testing, based in Madrid, is helping startups make the leap to cloud-first and mobile-first software development. We'll hear how Globe Testing pushes the envelope on Agile development and applications development management using HP tools and platforms.

To learn more about modern software testing as a service we're joined by Jose Aracil, CEO of Globe Testing, based in the company's Berlin office. Welcome to BriefingsDirect, Jose.

Jose Aracil: Hi. How are you, Dana? Thank you.

Gardner: I'm great. First tell us a little bit about Globe Testing. Are you strictly a testing organization? Do you do anything else? And how long have you been in existence?

Aracil: We're a testing organization, and our services are around the Application Development Management (ADM) portfolio for HP Software. We work with tools such as HP LoadRunner, HP Quality Center, HP Diagnostics, and so on. We've been around for four years now, although most of our employees actually come from either HP Software or, back in the day, from Mercury Interactive. So, you could say that we're the real experts in this arena.

Gardner: Jose, what are the big issues facing software developers today? Obviously, speed has always been an issue and working quality into the process from start to finish has always been important, but is there anything particularly new or pressing about today's market when it comes to software development?

Scalability is key

Aracil: Scalability is a big issue. These days, most of the cloud providers would say that they can easily scale your instances, but for startups there are some hidden costs. If you're not coding properly, if your code is not properly optimized, the app might be able to scale -- but that’s going to have a huge impact on your books.

Therefore, the return on investment (ROI) when you're looking at HP Software is very clear. You work with the toolset. You have proper services, such as Globe Testing. You optimize your applications. And that’s going to make them cheaper to run in the long term.

There are also things such as response time. Customers are very impatient. The old rule was that websites shouldn't take more than three seconds to load, but these days it's one second. If it's not instant, you just go and look for a different website. So response time is also something that is very worrying for our customers.

Gardner: So it sounds like cloud-first. We're talking about high scale, availability, and performance, but not being able to anticipate what that high scale might be in any given time. Therefore, creating a test environment, where you can make the assumption that cloud performance is going to be required and test against it, becomes all the more important.

Aracil: Definitely. You need to look at performance in two ways. The first one is before the app goes into production in your environment. You need to be able to optimize the code there and make sure that your code is working properly and that the performance is up to your standard. Then, you need to run a number of simulations to see how the application is going to scale.

You might not reach the final numbers, and obviously it's very expensive to have those staging environments. You might not want to test with large numbers of users, but at least you need to know how the app behaves whenever you increase the load by 20 percent, 50 percent, and so on.

The second aspect that you need to be looking at is when the app is in production. You can't just go into production and forget about the app. You need to carry on monitoring that app, make sure that you anticipate problems, and know about those problems before your end users call to tell you that your app is not up and running.

For both situations HP Software has different tools. You can count on HP Performance Center and HP Diagnostics when you're in preproduction in your staging environment. Once you go live, you have different toolsets such as AppPulse, for example, which can monitor your application constantly. It's available as software as a service (SaaS). So it's very well-suited for new startups that are coming out every day with very interesting pricing models.

Gardner: You're based in Berlin, and that's a hotbed of startup activity in Europe. Tell us what else is important to startups. I have to imagine that mobile and being ready to produce an application that can run in a variety of mobile environments is important, too.

Mobile is hot

Aracil: Definitely. Mobile is very hot right now in Berlin. Most of the startups we talk to are facing the same issue, which is compatibility. They all want to support every single platform available. We're not only talking about mobile and tablet devices, but we're also talking about the smart TVs and the wide array of systems that now should support the different applications that they're developing.

So being able to test on multiple operating systems and platforms and being able to automate as much as possible is very important for them. They need the tools that are very flexible and that can handle any given protocol. Again, HP Software, with things such as Unified Functional Testing (UFT), can help them.

Mobile Center, which was just released from HP Software, is also very interesting for startups and large enterprise as well, because we're seeing the same need there. Banking, for example, an industry which is usually very stable and very slow paced is also adopting mobile very quickly. Everyone wants to check their bank accounts online using their iPad, iPhone, or Android tablets and phones, and it needs to work on all of those.

Gardner: Now going to those enterprise customers, they're concerned about mobile of course, but they're also now more-and-more concerned about DevOps and being able to tighten the relationship between their operating environment and their test and development organizations. How do some of these tools and approaches, particularly using testing as a service, come to bear on helping organizations become better at DevOps?

Aracil: DevOps is a very hot word these days. HP has come a long way. They're producing lots of innovation, especially with the latest releases. They not only need to take care of the testers like in the old days with manual testing, automation, and test management. Now, you need to make sure that whatever assets you're developing on pre-production can then be reused when you go in production.
Just to give you an example, with HP LoadRunner, the same scripts can be run in production to make sure that the system is still up and running. That also tightens the relationship between your Dev team and your Operations team. They work together much more than they used to.

Gardner: Okay, looking increasingly at performance and testing and development in general as a service, how are these organizations, both the startups and the enterprises, adapting to that? A lot of times cloud was attractive early to developers, they could fire up environments, virtualize environments, use them, shut them down, and be flexible. But what about the testing for your organization? Do you rely on the cloud entirely and how do you see that progressing?

Aracil: To give you an example, customers want their applications tested in the same way as real users would access them, which means they are accessing them from the Internet. So it's not valid to test their applications from inside the data center. You need to use the cloud. You need to access them from multiple locations. The old testing strategy isn't valid any more.

For us, Globe Testing as a Service is very important. Right now, we're providing customers with teams that are geographically distributed. They can do things such as test automation remotely, and that can then be sent to the customers so they are tested locally, and things such as performance testing, which is run directly from the cloud in the same way as users will do.

And you can choose multiple locations, even simulating the kind of connections that these users are using. So you can simulate a 3G connection, a Wi-Fi connection, and the like.

Other trends

Gardner: I suppose other trends we're seeing are rapid iterations and microservices. The use of application programming interfaces (APIs) is increasing. All of these, I think, are conducive to a cloud testing environment, so that you could be rapid and bring in services. How is that working? How do you see your customers, and maybe you can provide some examples to illustrate this, working toward cloud-first, mobile-first and these more rapid innovations; even microservices?

Aracil: In the old days, most of the testing was done from an end-to-end perspective. You would run a test case that was heavily focused on the front end, and that would run the end-to-end case. These days, for these kinds of customers that you mentioned we're focusing on these services. We need to be able to develop some of the scripts before the end services are up and running, in which case things such as Service Virtualization from HP Software are very useful as well.

For example, one of our customers is Ticketmaster, a large online retailer. They sell tickets for concerts. Whenever there's a big gig happening in town, whenever one of these large bands is showing up, tickets run out extremely quickly.

Their platform goes from an average of hundreds of users a day to all of a sudden thousands of users in a very short period of time. They need to be able to scale very quickly to cope with that load. For that, we need to test from the cloud and we need to test constantly on each one of those little microservices to make sure that everything is going to scale properly. For that, HP LoadRunner is the tool that we chose.

Gardner: Do you have any examples of companies that are doing Application Development Management (ADM), that is to say more of an inclusive complete application lifecycle approach? Are they thinking about this holistically, making it a core competency for them? How does that help them? Is there an economic benefit, in addition to some of these technical benefits, when you adopt a full lifecycle approach to development, test, and deployment?

Aracil: To give you an example of economic benefit, we did a project for a very large startup, where all their systems were cloud-based. We basically used HP LoadRunner and HP Diagnostics to look at the code and try to optimize it in conjunction with their development team. By optimizing that code, they reduced the amount of cloud instances required by one-third, which means a 33 percent savings on their monthly bill. That’s straight savings, very important.

Another example is a large telecommunication company in Switzerland. Sometimes we focus not only on the benefits for IT, but also the people that are actually using those services. For example, those guys that go to their retail shops to get a new iPhone or to activate a new contract.

If the systems are not fast enough, sometimes you will see queues of people, which turns into lower sales. If you optimize those systems, that means that the agents are going to be able to process contracts much quicker. This specific example will reduce to one-fifth of the time by using Performance Center. That means that the following Christmas, queues literally disappear from all those retail shops. That turns into higher sales for the customer.

Gardner: Jose, what about the future? What is of interest to you as a HP partner? You mentioned the mobile test products and services. Is there anything else particularly of interest, or anything on the big data side that you can bring to bear on development or help developers make better use of analytics?

Big data

Aracil: There are a number of innovations that are coming out this year that are extremely interesting to us. These are things such as HP AppPulse Mobile and StormRunner; both are new tools and they are very innovative.

When it comes to big data, I'm very excited to see the next releases in the ALM suite from HP, because I think they will make a very big use of big data, and obviously they will try to get all the information, all the data that testers are entering into the application from requirements. The predictive test and the traceability will be much better handled by this kind of big data system. I think we will need to wait a few more months, but there are some new innovations coming out in that area as well.

Gardner: Alright, nothing really stays the same for very long in test and development, does it?

Aracil: Definitely not.

Gardner: Okay, well thanks very much. We've been hearing about how Globe Testing is helping startups to make the leap to cloud-first and mobile-first software development. And we have heard also how Globe Testing has helped to push the envelope on Agile and development management for those organizations that it works for.
So I'd like to thank our guest, Jose Aracil, CEO of Globe Testing, based in Berlin. Thank you.

Aracil: Thank you very much, Dana.

Gardner: Thank you too to our audience, for joining this special new style of IT discussion. We've explored solid evidence from early enterprise adopters and startups on how big data and development efficiencies help change everything for IT, for businesses, for governments as well as for you and me.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing series of HP-sponsored discussions. Thanks again for listening, and come back next time.

Sponsor: HP.

Transcript of a BriefingsDirect discussion on how Globe Testing pushes the envelope on Agile development and applications development management using HP tools and platforms. Copyright Interarbor Solutions, LLC, 2005-2015. All rights reserved.


Wednesday, July 09, 2014

The State of Mobile Security and How Identity Advancement Plays an Essential New Role

Transcript of a BriefingsDirect podcast on establishing identity and authentication in the face of a growing reliance on mobile devices in the enterprise.

Sponsor: Ping Identity.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect. Today, we present a sponsored podcast panel discussion on blazing paths to a secure mobile future, how to make today’s ubiquitous mobile devices as low risk as they are indispensable.

As smartphones have become de rigueur in the global digital economy, users want them to do more work, and businesses want them to be more productive for their employees as well as a powerful added channel to their end users. But neither businesses nor mobile-service providers have a cross-domain architecture that supports all the new requirements for a secured, mobile, digital economy, and the legacy web technology has serious drawbacks.

The fast approaching Cloud Identity Summit 2014 (CIS) July 19 gives us a chance to examine the problems and solutions for attaining a more functional mobile future. To help us explore the path to new mobile security, we're joined by our panel, Paul Madsen, Principal Technical Architect in the Office of the CTO at Ping Identity. Welcome, Paul.

Paul Madsen: Hey, Dana.

Gardner: We are here also with Michael Barrett, President of the FIDO (Fast Identity Online) Alliance. Welcome, Michael.

Michael Barrett: Great to be here.

Gardner: And we're also here with Mark Diodati, a Technical Director in the Office of the CTO at Ping Identity. Welcome, Mark.

Mark Diodati: Thanks so much, Dana.

Gardner: Mark, let me start with you. We're approaching this Cloud Identity Summit 2014 in Monterey, Calif. on July 19 and we still find that the digital economy is not really reaching its full potential. We're still dealing with ongoing challenges for trust, security, and governance across mobile devices and network.

Even though people have been using mobile devices for decades—and in some markets around the world they're the primary tool for accessing the Internet—why are we still having problems? Why is this so difficult to solve?

Diodati: That’s a good question. There are so many puzzle pieces to make the digital economy fully efficient. A couple of challenges come to mind. One is the distribution of identity. In prior years, the enterprise did a decent job -- not an amazing job, but a decent job -- of identifying users, authenticating them, and figuring out what they have access to.

Once you move out into a broader digital economy, you start talking about off-premises architectures and the expansion of user constituencies. There is a close relationship with your partners, employees, and your contractors. But relationships can be more distant, like with your customers.

Emerging threats

Additionally, there are issues with emerging security threats. In many cases, there are fraudsters with malware being very successful at taking people’s identities and stealing money from them.

Mobility can do a couple of things for us. In the old days, if you want more identity assurance to access important applications, you pay more in cost and usability problems. Specialized hardware was used to raise assurance. Now, the smartphone is really just a portable biometric device that users carry without us asking them to do so. We can raise assurance levels without the draconian increase in cost and usability problems.

We’re not out of the woods yet. One of the challenges is nailing down the basic administrative processes to bind user identities to mobile devices. That challenge is part cultural and part technology.

Gardner: So it seems that we have a larger set of variables, end users, are not captive on network, who we authenticate. As you mentioned, the mobile device, the smartphone, can be biometric and can be an even better authenticator than we've had in the past. We might actually be in a better position in a couple of years. Is there a transition that’s now afoot that we might actually come out better on the other end? Paul, any thoughts about that?

Madsen: Perhaps we focus too much on the security challenges or issues of mobility and less so on the opportunities, but the opportunities are clear. As Mark indicated, phones, not just because of their technical features, but because of the relatively tight binding that users feel for them, make a really strong authentication factor.

It's the old trope of something you have, something you know, and something you are. Phones are something you already have, from the user’s point of view. It’s not an additional hard token or hard USB token that we're asking employees to carry with them. It's something they want to carry, particularly if it's a BYOD phone.

So phones, because they're connected mobile computers, make a really strong second-factor authentication, and we're seeing that more and more. As I said, it’s one that users are happy using because of the relationship they already have with their phones, for all the other reasons.

Gardner: It certainly seems to make sense that you would authenticate into your work environment through your phone. You might authenticate in the airport to check in with your phone and you might use it for other sorts of commerce. It seems that we have the idea, but we need to get there somehow.

What’s architecturally missing for us to make this transition of the phone as the primary way in which people are identified session by session, place by place? Michael, any thoughts about that?

User experience

Barrett: There are a couple of things. One, in today’s world, we don’t yet have open standards that help to drive cross-platform authentication, and we don’t have the right architecture for that. In today’s world still, if you are using a phone with a virtual keyboard, you're forced to type this dreadful, unreadable tiny password on the keyboard, and by the way, you can’t actually read what you just typed. That’s a pretty miserable user experience, which we alluded to earlier.

But also, it’s very ugly. It’s a mainframe-centric architecture. The notion that the authentication credentials are shared secrets that you know and that are stored on some central server is a very, very 1960s approach to the world. My own belief is that, in fact, we have to move towards a much more device-centric authentication model, where the remote server actually doesn’t know your authentication credentials. Again, that comes back to both architecture and standards.

My own view is that if we put those in place, the world will change. Many of us remember the happy days of the late '80s and early '90s when offices were getting wired up, and we had client-server applications everywhere. Then, HTML and HTTP came along, and the world changed. We're looking at the same kind of change, driven by the right set of appropriately designed open standards.

Gardner: So standards, behavior, and technology make for an interesting adoption path, sometimes a chicken and the egg relationship. Tell me about FIDO and perhaps any thoughts about how we make this transition and adoption happen sooner rather than later?

Barrett: I gave a little hint. FIDO is an open-standards organization really aiming to develop a set of technical standards to enable device-centric authentication that is easier for end users to use. As an ex-CTO, I can tell you the experience when you try to give them stronger authenticators that are harder for them to use. They won’t voluntarily use them.

We have to do better than we're doing today in terms of ease of use of authentication. We also have to come up with authentication that is stronger for the relying parties, because that’s the other face of this particular coin. In today’s world, passwords and pins work very badly for end users. They actually work brilliantly for the criminals. 

So I'm kind of old school on this. I tend to think that security controls should be there to make life better for relying parties and users and not for criminals. Unfortunately, in today’s world, they're kind of inverted.

So FIDO is simply an open-standards organization that is building and defining those classes of standards and, through our member companies, is promulgating deployment of those standards.

Madsen: I think FIDO is important. Beyond the fact that it’s a standard is the pattern that it’s normalizing. The pattern is one where the user logically authenticates to their phone, whether it be with a fingerprint or a pin, but the authentication is local. Then, leveraging the phone’s capabilities -- storage, crypto, connectivity, etc. -- the phone authenticates to the server. It’s that pattern of a local authentication followed by a server authentication that I think we are going to see over and over.

Gardner: Thank you, Paul. It seems to me that most people are onboard with this. I know that, as a user, I'm happy to have the device authenticate. I think developers would love to have this authentication move to a context on a network or with other variables brought to bear. They can create whole new richer services when they have a context for participation. It seems to me the enterprises are onboard too. So there's a lot of potential momentum around this. What does it take now to move the needle forward? What should we expect to hear at CIS? Let’s go to you, Mark.

Moving forward

Diodati: There are two dimensions to moving the needle forward: avoiding the failures of prior mobile authentication systems, and ensuring that modern authentication systems support critical applications. Both are crucial to the success of any authentication system, including FIDO.

At CIS, we have an in-depth, three-hour FIDO workshop and many mobile authentication sessions. 

There are a couple of things that I like about FIDO. First, it can use the biometric capabilities of the device. Many smart phones have an accelerometer, a camera, and a microphone. We can get a really good initial authentication. Also, FIDO leverages public-key technology, which overcomes some of the concerns we have around other kinds of technologies, particularly one-time passwords. 

Madsen: To that last point Mark, I think FIDO and SAML, or more recent federation protocols, complement each other wonderfully. FIDO is a great authentication technology, and federation historically has not resolved that. Federation didn't claim to answer that issue, but if you put the two together, you get a very strong initial authentication. Then, you're able to broadcast that out to the applications that you want to access. And that’s a strong combination.

Barrett: One of the things that we haven't really mentioned here -- and Paul just hinted at it -- is the relationship between single sign-on and authentication. When you talk to many organizations, they look at that as two different sides of the same coin. So the better application or ubiquity you can get, and the more applications you can sign the user on with less interaction, is a good thing.

Gardner: Before we go a little bit deeper into what’s coming up, let’s take another pause and look back. There have been some attempts to solve these problems. Many, I suppose, have been from a perspective of a particular vendor or a type of device or platform or, in an enterprise sense, using what they already know or have.

We've had containerization and virtualization on the mobile tier. It is, in a sense, going back to the past where you go right to the server and very little is done on the device other than the connection. App wrapping would fall under that as well, I suppose. What have been the pros and cons and why isn’t containerization enough to solve this problem? Let’s start with Michael.

Barrett: If you look back historically, what we've tended to see are a lot of attempts that are truly proprietary in nature. Again, my own philosophy on this is that proprietary technology is really great for many things, but there are certain domains that simply need a strong standards-based backplane.

There really hasn't been an attempt at this for some years. Pretty much, we have to go back to X.509 to see the last major standards-based push at solving authentication. But X.509 came with a whole bunch of baggage, as well as architectural assumptions around a very disconnected world view that is kind of antithetical to where we are today, where we have a very largely connected world view.

I tend to think of it through that particular set of lenses, which is that the standards attempts in this area are old, and many of the approaches that have been tried over the last decade have been proprietary.

For example, on my old team at PayPal, I had a small group of folks who surveyed security vendors. I remember asking them to tell me how many authentication vendors there were and to plot that for me by year?

Growing number of vendors

They sighed heavily, because their database wasn’t organized that way, but then came back a couple of weeks later. Essentially they said that in 2007, it was 30-odd vendors, and it has been going up by about a dozen a year, plus or minus some, ever since, and we're now comfortably at more than 100.

Any market that has 100 vendors, none of whose products interoperate with each other, is a failing market, because none of those vendors, bar only a couple, can claim very large market share. This is just a market where we haven’t seen the right kind of approaches deployed, and as a result, we're stuck where we are today without doing something different.

Gardner: Paul, any thoughts on containerization, pros and cons?

Madsen: I think of phones as almost two completely orthogonal aspects. First is how you can leverage the phone to authenticate the user. Whether it’s FIDO or something proprietary, there's value in that.

Secondly is the phone as an application platform, a means to access potentially sensitive applications. What mobile applications introduce that’s somewhat novel is the idea of pulling down that sensitive business data to the device, where it can be more easily lost or stolen, given the mobility and the size of those devices.

The challenge for the enterprise is, if you want to enable your employees with devices, or enable them to bring their own in, how do you protect that data? It seems more and more important, or recognized as the challenge, that you can’t.

The challenge is not only protecting the data, but keeping the usage of the phone separate. IT, arguably and justifiably, wants to protect the business data on it, but the employee, particularly in a BYOD case, wants to keep their use of the phone isolated and private.

So containerization or dual-persona systems attempt to slice and dice the phone up into two or more pieces. What is missing from those models, and it’s changing, is a recognition that, by definition, that’s an identity problem. You have two identities—the business user and the personal user—who want to use the same device, and you want to compartmentalize those two identities, for both security and privacy reasons.

Identity standards and technologies could play a real role in keeping those pieces separate. The employee might use Box for the business usage, but might also use it for personal usage. That’s an identity problem, and identity will keep those two applications and their usages separate.

Diodati: To build on that a little bit, if you take a look at the history of containerization, there were some technical problems and some usability problems. There was a lack of usability that drove an acceptance problem within a lot of enterprises. That’s changing over time.

To talk about what Michael was talking about in terms of the failure of other standardized approaches to authentication, you could look back at OATH, which is maybe the last big industry push, 2004-2005, to try to come up with a standard approach, and it failed on interoperability. OATH was a one-time password, multi-vendor capability. But in the end, you really couldn’t mix and match devices. Interoperability is going to be a big, big criteria for acceptance of FIDO.

Mobile device management

Gardner: Another thing out there in the market now, and it has gotten quite a bit of attention from enterprises as they are trying to work through this, is mobile device management (MDM).  Do you have any thoughts, Mark, on why that has not necessarily worked out or won’t work out? What are the pros and cons of MDM?

Diodati: Most organizations of a certain size are going to need an enterprise mobility management solution. There is a whole lot that happens behind the scenes in terms of binding the user's identity, perhaps putting a certificate on the phone.

Michael talked about X.509. That appears to be the lowest common denominator for authentication from a mobile device today, but that can change over time. We need ways to be able to authenticate users, perhaps issue them certificates on the phone, so that we can do things like IPSec.

Also, we may be required to give some users access to offline secured data. That’s a combination of apps and enterprise mobility management (EMM) technology. In a lot of cases, there's an EMM gateway that can really help with giving offline secure access to things that might be stored on network file shares or in SharePoint, for example.

If there's been a stumbling block with EMM, it's just been the heterogeneity of the devices, making it a challenge to implement a common set of policies.

But also the technology of EMM had to mature. We went from BlackBerry Enterprise Server, which did a pretty good job in a homogeneous world, but maybe didn't address everybody’s needs. The AirWatchs and the Mobile Irons of the world, they've had to deal with heterogeneity and increased functionality.

Madsen: The fundamental issue with MDM is, as the name suggests, that you're trying to manage the device, as opposed to applications or data on the device. That worked okay when the enterprise was providing employees with their BlackBerry, but it's hard to reconcile in the BYOD world, where users are bringing in their own iPhones or Androids. In their mind, they have a completely justified right to use that phone for personal applications and usage.

So some of the mechanisms of MDM remain relevant, being able to wipe data off the phone, for example, but the device is no longer the appropriate granularity. It's some portion of the device that the enterprise is authoritative over.

Gardner: It seems to me, though, that we keep coming back to several key concepts: authentication and identity, and then, of course, a standardization approach that ameliorates those interoperability and heterogeneity issues.

So let’s look at identity and authentication. Some people make them interchangeable. How should we best understand them as being distinct? What’s the relationship between them and why are they so essential for us to move to a new architecture for solving these issues? Let’s start with you, Michael.

Identity is center

Barrett: I was thinking about this earlier. I remember having some arguments with Phil Becker back in the early 2000s when I was running the Liberty Alliance, which was the standards organization that came up with SAML 2.0. Phil coined that phrase, "Identity is center," and he used to argue that essentially everything fell under identity.

What I thought back then, and still largely do, is that identity is a broad and complex domain. In a sense, as we've let it grow today, they're not the same thing. Authentication is definitely a sub-domain of security, along with a whole number of others. We talked about containerization earlier, which is a kind of security-isolation technique in many regards. But I am not sure that identity and authentication are exactly in the same dimension.

In fact, the way I would describe it is that if we talk about something like the levels-of-assurance model, we're all fairly familiar with in the identity sense. Today, if you look at that, that’s got authentication and identity verification concepts bound together.

In fact, I suspect that in the coming year or two, we're probably going to have to decouple those and say that it’s not really a linear one-dimensional thing, with level one, level two, level three, and level four. Rather it's a kind of two-dimensional metric, where we have identity verification concepts on one side and then authentication comes from the other. Today, we've collapsed them together, and I am not sure we have actually done anybody any favors by doing that.

Definitely, they're closely related. You can look at some of the difficulties that we've had with identity over the last decade and say that it’s because we actually ignored the authentication aspect. But I'm not sure they're the same thing intrinsically. 

Gardner: Interesting. I've heard people say that any high-level security mobile device has to be about identity. How else could it possibly work? Authentication has to be part of that, but identity seems to be getting more traction in terms of a way to solve these issues across all other variables and to be able to adjust accordingly over time and even automate by a policy.

Mark, how do you see identity and authentication? How important is identity as a new vision for solving these problems?

Diodati: You would have to put security at the top, and identity would be a subset of things that happen within security. Identity includes authorization -- determining if the user is authorized to access the data. It also includes provisioning. How do we manipulate user identities within critical systems -- there is never one big identity in the sky. Identity includes authentication and a couple of other things.

To answer the second part of your question, Dana, in the role of identity and trying to solve these problems, we in the identity community have missed some opportunities in the past to talk about identity as the great enabler.

With mobile devices, we want to have the ability to enforce basic security controls, but it’s really about identity. Identity can enable so many great things to happen, not only just for enterprises, but within the digital economy at large. There's a lot of opportunity if we can orient identity as an enabler.

Authentication and identity

Madsen: I just think authentication is something we have to do to get to identity. If there were no bad people in the world and if people didn’t lie, we wouldn’t need authentication.

We would all have a single identifier, we would present ourselves, and nobody else would lay claim to that identifier. There would be no need for strong authentication. But we don’t live there. Identity is fundamental, and authentication is how we lay claim to a particular identity.

Diodati: You can build the world's best authorization policies. But they are completely worthless, unless you've done the authentication right, because you have zero confidence that the users are who they say they are.

Gardner: So, I assume that multifactor authentication also is in the subset. It’s just a way of doing it better or more broadly, and more variables and devices that can be brought to bear. Is that correct?

Madsen: Indeed.

Diodati: The definition of multifactor has evolved over time too. In the past, we talked about “strong authentication.” What we meant was “two-factor authentication,” and that is really changing, particularly when you look at some of the emerging technologies like FIDO.

If you have to look at the broader trends around adaptive authentication, the relationship to the user or the consumer is more distant. We have to apply a set of adaptive techniques to get better identity assurance about the user.

Gardner: I'm just going to make a broad assumption here that the authentication part of this does get solved, that multifactor authentication, adaptive, using devices that people are familiar with, that they are comfortable doing, even continuing to use many of the passwords, single sign-on, all that gets somehow rationalized.

Then, we're elevated to this notion of identity. How do we then manage that identity across these domains? Is there a central repository? Is there a federation? How would a standard come to bear on that major problem of the federation issue, control, and management and updating and so forth? Let’s go back to Michael on that.

Barrett: I tend to start from a couple of different perspectives on this. One is that we do have to fix the authentication standards problem, and that's essentially what FIDO is trying to do.

So, if you accept that FIDO solves authentication, what you are left with is an evolution of a set of standards that, over the last dozen years or so, starting with SAML 2.0, but then going on up through the more recent things like OpenID Connect and OAuth 2.0, and so on, gives you a robust backplane for building whatever business arrangement is appropriate, given the problem you are trying to solve.

Liability

I chose the word "business" quite consciously in there, because it’s fair to say that there are certain classes of models that have stalled out commercially for a whole bunch of reasons, particularly around the dreaded L-word, i.e., liability.

We tried to build things that were too complicated. We could just describe this grand long-term vision of what the universe looked like. Andrew Nash is very fond of saying that we can describe this rich ecosystem as identity-enabled services and so on, but you can’t get there from here, which is the punch line of a rather old joke.

Gardner: Mark, we understand that identity is taking on a whole new level of importance. Are there some examples that we can look to that illustrate how an identity-centric approach to security, governance, manageability for mobile tier activities, even ways it can help developers bring new application programming interfaces (APIs) into play and context for commerce and location, are things we haven’t even scratched the surface of yet really?

Help me understand, through an example rather than telling, how identity fits into this and what we might expect identity to do if all these things can be managed, standards, and so forth.

Diodati: Identity is pretty broad when you take a look at the different disciplines that might be at play. Let’s see if we can pick out a few.

We have spoken about authentication a lot. Emerging standards like FIDO are important, so that we can support applications that require higher assurance levels with less cost and usability problems.

A difficult trend to ignore is the API-first development modality. We're talking about things like OAuth and OpenID Connect. Both of those are very important, critical standards when we start talking about the use of API- and even non-API HTTP-based stuff.

OpenID Connect, in particular, gives us some abilities for users to find where they want to authenticate and give them access to the data they need. The challenge is that the mobile app is interacting on behalf of a user. How do you actually apply things like adaptive techniques to an API session to raise identity assurance levels? Given that OpenID Connect was just ratified earlier this year, we're still in early stages of how that’s going to play out.

Gardner: Michael, any thoughts on examples, use cases, a vision for how this should work in the not too distant future?

Barrett: I'm a great believer in open standards, as I think I have shown throughout the course of this discussion. I think that OpenID Connect, in particular, and the fact that we now have that standard ratified, [is useful]. I do believe that the standards, to a very large extent, allow the creation of deployments that will address those use-cases that have been really quite difficult [without these standards in place].

Ahead of demand

The problem that you want to avoid, of course, is that you don’t want a standard to show up too far ahead of the demand. Otherwise, what you wind up with is just some interesting specification that never gets implemented, and nobody ever bothers deploying any of the implementations of it.

So, I believe in just-in-time standards development. As an industry, identity has matured a lot over the last dozen years. When SAML 2.0 came along in Shibboleth, it was a very federation-centric world, addressing a very small class of use cases. Now, we have a more robust set of standards. What’s going to be really interesting is to see how those new standards get used to address use cases that the previous standards really couldn’t.

I'm a bit of a believer in sort of Darwinian evolution on this stuff and that, in fact, it’s hard to predict the future now. Niels Bohr famously said, "Prediction is hard, especially when it involves the future." There is a great deal of truth to that.

Gardner: Hopefully we will get some clear insights at the Cloud Identity Summit this month, July 19, and there will be more information to be had there.

I also wonder whether we're almost past the point now when we talk about mobile security, cloud security, data-center security. Are we going to get past that, or is this going to become more of a fabric of security that the standards help to define and then the implementations make concrete? Before we sign off, Mark, any last thoughts about moving beyond segments of security into a more pervasive concept of security?

Diodati: We're already starting to see that, where people are moving towards software as a service (SaaS) and moving away from on-premises applications. Why? A couple of reasons. The revenue and expense model lines up really well with what they are doing, they pay as they grow. There's not a big bang of initial investment. Also, SaaS is turnkey, which means that much of the security lifting is done by the vendor.

That's also certainly true with infrastructure as a service (IaaS). If you look at things like Amazon Web Services (AWS), it is more complicated than SaaS; it is a way to converge security functions within the cloud.

Gardner: We're going to have to leave it there I'm afraid. You've been listening to a sponsored BriefingsDirect podcast panel discussion on blazing paths to a secure mobile future, how to make today’s ubiquitous mobile devices as low risk as they are indispensable.

While we have seen many new approaches for retaining a safe and protected era, I expect that we're going to be learning a lot more as this all comes to a head at the Cloud Identity Summit 2014 in Monterey, California beginning July 19.   

I want to thank our guests. We've been joined by Paul Madsen, a Principal Technical Architect in the Office of the CTO at Ping Identity. We've also been joined by Michael Barrett, President of the FIDO Alliance. And then lastly, Mark Diodati, a Technical Director in the Office of the CTO at Ping. Thanks to you all.

And so also a big thank you to our audience for joining this podcast. I appreciate your time and look for more information coming out of the CIS in just a few weeks.

This is Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator. Thanks for listening, and do come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Ping Identity.

Transcript of a BriefingsDirect podcast on establishing identity and authentication in the face of a growing reliance on mobile devices in the enterprise. Copyright Interarbor Solutions, LLC, 2005-2014. All rights reserved.

You may also be interested in: