Sun’s ID specialist: Don’t sweat PIPEDA

One of the hardest things Sun's identity management specialist had to figure out was who he wanted to be.

Bill Malik started writing COBOL for an insurance company in the 1970s, spent 12 years at IBM, joined Gartner as a research analyst for a while, then paused to figure out his next move.

"At the end of 2001, like a lot of people, I was thinking, 'What do I want to do with the rest of my life?'"

He worked in KPMG’s risk and advisory practice for a time, then the Enron scandal hit and the bloom was off the corporate accounting rose. Back in technology, Malik joined identity management specialist Waveset as its CTO in 2002 and had just over a year under his belt before Sun Microsystems came calling and bought the company. Now he’s one of Sun’s 28 CTOs — the one in charge of identity.

Malik spoke to ITBusiness.ca recently about the challenges of managing personal data in a corporate environment, how to make sense of privacy legislation, and some of the initial impact of Sun’s recent agreement with Microsoft.


ITBusiness.ca: How different is your role at Sun from what it was at Waveset?

Bill Malik: I was brought in with the acquisition of Waveset, back in December. I’d been the chief technology officer — and there’s only one of those at Waveset — and my responsibility was not, as with some CTOs, to manage the development shop. In a sense, my job was to be chief talking officer. It would be customer-facing, managing relationships externally and a heavy dose of strategic planning inside.

The core of the Waveset stuff was provisioning — making sure that an individual’s permissions and profile are appropriate across all the various silos of applications that an enterprise has.

As chief technology officer (at Sun), my role has evolved to being a strategist and evangelist. I just position myself as someone who can talk about the higher level issues associated with putting an identity management infrastructure in place within a company or across multiple companies.

It’s true that Sun acquired Waveset, but in addition the Waveset team became the core of Sun’s identity management team. The guys that founded Waveset three and a half years ago were among the original founders of Tivoli. The CEO of Waveset, Mike Turner, who’s now the chief of development for the identity management group, had been employee number 23 at Tivoli.


ITB: What are the difficulties of deploying technology so that it fits challenging new legislation like PIPEDA?

BM: It’s all about policy. Technology is not a solution. You can read human history and say there’s no incident where a management problem was solved by a technology fix. But one way to read human history is to say it’s the story of how we came up with processes to cope with the limitations of available technology. Companies that deploy technology to solve management problems have discovered that not only are computers intelligence amplifiers, they’re also stupidity amplifiers. You take a bad process and automate it, you get an automated bad process. The way Sun helps is by providing the subject matter expertise to help clients figure out what they need to do to adhere to the goal of the specific privacy legislation.

Privacy in this sense is primarily a governance issue. History doesn't repeat itself but it rhymes. The privacy legislation that came about in the 1890s in the United States was a reaction to the introduction of portable cameras. Up until then, if you wanted a photograph taken you had to make an appointment and go to a room. There was no concept of a right of privacy written down. So they had to create one. It was a paper in the Harvard Law Review in December of 1890 where they set up the definition of privacy as being three things: the right to determine what information of mine you get; the right that I have to govern and control how you use that information; and the right to be left alone.

The message for the chief privacy officer of a corporation is, be sensitive to your audience. Be careful where you put your foot when you walk into a different culture. Just as the message of privacy legislation like PIPEDA is to tell companies, be careful with what you do with the personal information of your employees and of your customers.


ITB: Companies may have all the best intentions of complying with privacy legislation, but they still aren’t always prepared to adhere to it.

BM: We’re in the real early days. We’re still rubbing the sticks together to see which ones make fire, with regard to IT. I would be hard pressed to believe that a company that tried to do all the right things and missed some relatively minor legalism, would be the test case for privacy legislation.

Where we’re moving is, it’s not really opt-in versus opt-out, it’s really informed consent. You’ve got to let people know what you’re going to do with information and it’s got to be a clear opportunity for them to correct or remove themselves from the environment when things change.


ITB: How does identity management fit into this?

BM: Now we're stepping past the security layer into the systems management issue, which says, "If I am no longer an employee of that firm, I shouldn't have access to that firm's computers." An identity management solution allows you to manage a distributed environment. So I can take Mr. Smith out of the system when Mr. Smith is no longer in my employ. But I can also take Ms. Jones' data from my CRM database if Ms. Jones calls in or writes in and says, "I don't want to be in your database anymore."


ITB: What has happened to the Liberty Alliance since Sun and Microsoft reached their agreement earlier this month? (The Liberty Alliance — a project set up by Sun, Bell Canada and others — was conceived as a way to create a standard to manage personal data in online transactions. It was set up partly as an alternative to Microsoft’s Passport initiative.)

BM: The Liberty Alliance project is vital and vigorous and will continue to be attended. And now we have the opportunity of coordinating Microsoft’s initiatives along the lines of Passport with the goals of Liberty.

If you’ve been following Liberty recently, what you’ve seen is they’ve started focusing an awful lot on the business processes associated with establishing trust across organizational boundaries. Why in the world would you want to do that if your goal is to try to sell hardware or install software? The answer is, you’re not going to deploy a federated identity scheme until you’ve figured out the contractual underpinnings.

What the Liberty Alliance is trying to do is set up a way to allow corporations to harmonize their security and identity management policies before they open the gates. You don’t want to do it piece by piece. You wouldn’t want Wal-Mart to have to send in the lawyers to deal with every supplier that Wal-Mart deals with. You would never complete that task. Let’s codify the legal agreements, the contractual underpinnings for secure electronic commerce, specifically allowing individuals to get access to different systems.
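The provisioning idea Malik describes earlier, keeping each person's accounts and permissions consistent across every application silo and pulling a departed employee or an unknown account out of all of them, comes down to a reconciliation loop: compare an authoritative roster against what each system actually holds and emit the corrective actions. The following is an added example written for this page, not code from the interview, from Waveset or from Sun. The roster, the role policy and the per-application account lists are all constructed for illustration, and the action names are hypothetical.

```python
"""Added example: a minimal provisioning reconciliation pass.

The HR roster is treated as the source of truth for who exists and whether
they are still employed; a role policy says which roles each job needs in
each application; each application ("silo") reports the accounts it holds.
All data here is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    app: str                 # which silo the account lives in
    username: str
    person_id: Optional[str] # link back to HR, None if the silo can't say
    roles: Set[str]


# Constructed HR roster: person_id -> employment status and job family.
HR: Dict[str, Dict[str, str]] = {
    "p100": {"status": "active", "job": "finance"},
    "p101": {"status": "terminated", "job": "sales"},
    "p102": {"status": "active", "job": "engineering"},
}

# Hypothetical role policy: job -> app -> roles that job is entitled to.
# Any app not listed for a job is one that job should not have an account in.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "finance": {"erp": {"ap_clerk"}, "mail": {"user"}},
    "sales": {"crm": {"rep"}, "mail": {"user"}},
    "engineering": {"git": {"developer"}, "mail": {"user"}},
}

# Constructed snapshot of what the silos currently hold.
SILOS: List[Account] = [
    Account("erp", "smith", "p100", {"ap_clerk"}),
    Account("mail", "smith", "p100", {"user"}),
    Account("crm", "jones", "p101", {"rep", "admin"}),  # left the company, still live
    Account("mail", "jones", "p101", {"user"}),
    Account("git", "lee", "p102", set()),               # employed, missing a role
    Account("git", "svc-build", None, {"developer"}),   # nobody in HR owns it
]

Action = Tuple[str, ...]


def reconcile(hr: Dict[str, Dict[str, str]],
              policy: Dict[str, Dict[str, Set[str]]],
              accounts: List[Account]) -> List[Action]:
    """Return the actions needed to bring the silos in line with HR + policy."""
    actions: List[Action] = []

    for acct in accounts:
        person = hr.get(acct.person_id) if acct.person_id else None
        if person is None:
            # No HR record behind it: flag for a human, don't guess an owner.
            actions.append(("orphan", acct.app, acct.username))
            continue
        if person["status"] != "active":
            # The "Mr. Smith is no longer in my employ" case: disable everywhere.
            actions.append(("disable", acct.app, acct.username))
            continue
        required = policy[person["job"]].get(acct.app, set())
        for extra in sorted(acct.roles - required):      # has more than entitled
            actions.append(("revoke", acct.app, acct.username, extra))
        for missing in sorted(required - acct.roles):    # has less than entitled
            actions.append(("grant", acct.app, acct.username, missing))

    # Accounts that policy says an active person should have but no silo reports.
    existing = {(a.app, a.person_id) for a in accounts}
    for pid, person in hr.items():
        if person["status"] != "active":
            continue
        for app in policy[person["job"]]:
            if (app, pid) not in existing:
                actions.append(("create", app, pid))
    return actions


if __name__ == "__main__":
    for action in reconcile(HR, POLICY, SILOS):
        print(*action)
```

Run against the constructed snapshot, the pass disables both of the terminated employee's accounts, grants the missing `developer` role, flags the ownerless `svc-build` account rather than silently deleting it, and notices that the engineer has no mail account at all. In a real deployment each action would be handed to the silo's own connector and logged, which is the audit trail a privacy officer needs when asked what happened to a given person's access.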
