I spent some time talking to Wes Kussmaul, CEO of The Village Group, about intellectual property and identity management. It's an area of business that is becoming increasingly important, and thus there is a lot of talk as to how best to secure and monitor access to collaboration systems.
We talked around a really interesting dilemma when it comes to securing intellectual property. How do you decide who is allowed inside the clubhouse? You not only have to decide which friends you're going to trust, but also which of their friends are allowed to tag along. Not easy, is it? When your clubhouse is your "circle of trust," it's more serious than just letting friends in. You have more at stake.
So, the key to controlling the flow of information (intellectual property) and to managing who gets access to what is enrollment. Your screening process must be controlled. You wouldn't give the keys to your office to just anyone, and the same goes with whom you choose to hire and to work with. These days, you don't just have employees. You have suppliers, contractors, advisors and more. Each of these people you work with need to be screened in the same way you do your employees. You don't want to invite your competitor into your clubhouse by mistake. Remember that not everyone who says they are "Fred from banking" will be telling the truth. You need to know, with some certainty, if Fred is being honest.
Wes points to three key ways to design an enrollment process that will reliably help me establish Fred's identity. The first two, auditing the enrollment systems of everyone in the circle of trust, and second channel verification (such as a phone call), are basic barriers from low-level threats. The third, however, poses much more potential - with much more debate. Universal ID.
Universal ID is a system that would establish Fred's ID, no matter where he was in the world. One such example of this is a PKI - Public Key Infrastructure. With the PKI, you can be assured that Fred is who he says he is. And, when it comes to managing intellectual property, you can see who has control over information. Whatever Fred had control of will be watermarked with a digital time/date-stamped signature. So, unless you have an enrollment issue of hiring people who are seriously out to steal your information, you can be reasonable assured that the PKI can manage the flow of information and restrict its access within your bounded space.
Sounds great, doesn't it? Problem is, it does not work in all situations. One important think about PKI is that, though it is secure, it is hard to deploy on a large scale. We've employed SSL, a PKI subset, on a large scale, but effective use of the PKI model for a Universal ID system would need to be deployed by the State, and managed therein. Face to face enrollment is almost a must, as well. You can see that the PKI system is a cumbersome one at the moment - one that it highly powered by initial person-to-person contact.
Another issue with PKI systems as we know them now comes in the area of privacy. Having a PKI, or any intellectual property infrastructure, means that it necessarily manages quite a lot. It controls all information access and keeps records of what you do. It also has a pretty nifty-sized record of who you are, as well. So, with all that against privacy, should we still push for large scale PKI or Universal ID systems?
Wes says yes, and I tend to agree. At first I was a little wary, but I think that it all comes down to information control. I would rather willingly hand over control of some of my information to a Universal ID system so that it can then protect not just corporate interests but my own privacy than have my information unwillingly gathered and used by others. One thing to note about Universal ID is that it is still a very open topic. There is a lot that can be done out there.
I think it will be a very interesting topic in coming years. Establishing if and how universal ID systems can protect that circle of trust. How to validate those in your circle. How to manage different layers of trust within that circle - your close friends or just associates. It's a complex net out there - convoluted with collaboration, security and intellectual property. Finding a way to manage, not hinder, collaboration while protecting both individual and corporate interests will be a challenge.
Wes Kussmaul comes to this field of development after a history in online services: founder of Delphi and now CEO of Global Village Group. Wes started dealing with intellectual property management with Delphi - it was built to have as many controls in the hands of managers as possible so they could manage access control and policy. Wes will be moderating a panel at CTC on Protecting Intellectual Property.
