Make Data Better: How Should We Respond to the Optus Data Breach?

Steve Wilson

Former Vice President and Principal Analyst
Constellation Research

Steve Wilson is former VP and Principal Analyst at Constellation Research, leading the business theme Digital Safety and Privacy. His coverage includes digital identity, data protection, data privacy, cryptography, and trust. His advisory services to CIOs, CISOs, CPOs and IT architects include identity product strategy, security practice benchmarking, Privacy by Design (PbD), privacy engineering and Privacy [or Data Protection] Impact Assessments (PIA, DPIA). Coverage Areas: -  Identity management, frameworks & governance-  Digital identity technologies-  Privacy by Design -  Big Data; “Big Privacy”-  Identity & privacy innovation Previous experience: Wilson has worked in ICT innovation, research, development and analysis for over 25 years. With double…...

Read more

One of Australia's worst ever data breaches occured in September 2022 when the telecommunication carrier Optus was attacked by cybercriminals and personal data on approximaley half the population was leaked. It triggered a mass response, knowing that so much personal data used to establish identity was coming onto the criminal black markets; many governments expedited the renewal processes for driver licences and the like. 

And there was sudden renewed interest in the various digital identity initiatives of Australian state & federal governments.  It just so happened that the federal myGov program was under review, andthe scope of that examination was broadened (at least unoffocially) to consider if the newish myGovID could be modified somehow to provide improved "digital identity resilience". 

But it's a mistake to think of these as identity problems. They are data problems.  To be precise, it’s the quality of the data that we use in identification that needs to be addressed.

Frankly, there is no such thing as "identity theft". What happens after a brach is that personal details used to establish identity fall into criminal hands and get reused behindour backs to impersonate us. That sounds like I’m splitting hairs, but the point is we can’t protect people by just updating their data. That’s no lasting fix. Changing driver licence data or passport data is not a sustainable response when another breach is inevitably around the corner. People deserve better safety in a modern digital economy. 

The root problem that makes people vulnerable after a breach today is that businesses can’t tell the difference between original data and copies. Websites can’t tell if a form is being filled in by a genuine customer or an imposter. So stolen data is traded on black markets and used by imposters behind our backs.

Data is the lifeblood of the digital world. Data sharing can only expand in coming years. Of course excessive, nefarious, covert and deceptive data collection must be fought, but well-intended data collection must continue. Instead of changing the way data is used, we must change the way data is presented.

We must make data better.

Instead of having people type raw numbers into forms to establish their bona fides, we should transition to digital presentation of cryptographically protected facts and figures. Digital credentials should be signed by their issuers when issued, to prove their origin, and must be signed again by their holders when presented, to prove the owner consented to each transaction, or was at least actively involved.

The signing is relatively easy. It’s built into mobile technologies and used seamlessly every time we bring up a virtual credit card from a mobile phone wallet.

We should be adding official digital copies of driver licences, Medicare cards, passports, and all official facts and figures into digital wallets — whether they be government mobile apps such as that of Service NSW, the Apple and Google wallets, or new versions of the future Open Wallet standard.

People should be able to move their important data around with exactly the same convenience, privacy and security as they move their digital money.

Stay tuned through 2023 as I publish more on Data Protection as a Service, andcheck out our Constellation Shortlist of Data Protection Infostructure solutions. 

Trust in the Post-Identity World

Steve Wilson

Former Vice President and Principal Analyst
Constellation Research

Steve Wilson is former VP and Principal Analyst at Constellation Research, leading the business theme Digital Safety and Privacy. His coverage includes digital identity, data protection, data privacy, cryptography, and trust. His advisory services to CIOs, CISOs, CPOs and IT architects include identity product strategy, security practice benchmarking, Privacy by Design (PbD), privacy engineering and Privacy [or Data Protection] Impact Assessments (PIA, DPIA). Coverage Areas: -  Identity management, frameworks & governance-  Digital identity technologies-  Privacy by Design -  Big Data; “Big Privacy”-  Identity & privacy innovation Previous experience: Wilson has worked in ICT innovation, research, development and analysis for over 25 years. With double…...

Read more

The Internet, e-commerce, and digital discourse are dominated by identity. Until recently, identity was all we had to go on when trying to trust other people online. We developed a terrible habit of over-identifying: Relying parties tend to collect circumstantial clues, like credit card verification codes and social security numbers, instead of properly verifying what really matters. People divulge excessive personal data (often unwittingly) which then leaks and gets abused by criminals. We have way too much identity, sloshing around.

Is there a paradigm shift coming? The most important developments in our industry — Self-Sovereign Identity, the FIDO Alliance, and verifiable credentials — are really not about identity at all, but authorship, provenance, integrity, and control. Let’s move beyond identity and imagine a world where cryptographic infostructure is as universal as electricity or clean water. All the data we need is hallmarked, traceable and trustworthy thanks to authentication technologies.

An Unhealthy Obsession

I make this call with great respect for my friends and colleagues in the industry: we must end our obsession with identity. For thirty years, identity has dominated digital practice and discourse. We overcook the Peter Steiner gag that “On the Internet, nobody knows you’re a dog”. That was just a wry joke about dogs getting up to mischief, not an editorial commentary on digital trust. Until recently, when trying to "trust" anyone online, identity was all we had to go on. When faced with higher risk, we would seek higher trust and ask for more identity. We put the quantity of identity ahead of quality. We put identity first.

Bad Habits

Obsessed with identity, we developed terrible habits. Instead of verifying the particulars that really matter about people we deal with, we drag in circumstantial evidence — almost always extra identifying data — from unrelated contexts, such as CVVs and SSNs, much of which is then stolen and bought and sold and replayed by fraudsters. Consider Knowledge Based Authentication (KBA), which places a premium on “out of wallet” details that ought to be less likely to be known to criminals. But personal information is everywhere on the Internet and KBA backfires by motivating a black market for personal data.

Identification for digital risk management is like putting out fire with gasoline. We should do more to secure the specific facts and figures that each transaction really depends on.

Data as a Utility

Meanwhile, data has become the lifeblood of modern society. The World Bank last year in its world development report Data for better lives called for a “new social contract for data” to protect citizens against harm arising from the information and power asymmetries created by big tech. Data is now a resource almost as important as clean drinking water. Yet we access, accept, and recommend data on an ad hoc basis; outside certain professions and intelligence circles, data is handled without any standards for quality or provenance.

Regulatory Pressure

And so regulatory pressure is building, quite properly, on data flows and processing, and also on what customers know about data. There is more onus on transparency and accountability. There should be no more digital Wild West!

Digital Truth

Cynics say we are “post-truth” but as cyberspace grows in importance, surely our biggest challenge really is digital truth. From payment card fraud and online scams through to misinformation and AI-driven Deep Fakes, every one of these problems is fundamentally about poor-quality data. We can’t trust the evidence of our own eyes anymore. Are we really contemplating digital twins in a synthetic metaverse without first taking better care of fidelity?

Concerted multidimensional responses to the data quality problem are underway (not to mention some narrow legislated bans on Deep Fakes). For one, several major mastheads have teamed with Microsoft Research in the Coalition for Content Provenance and Authenticity (C2PA). The group’s first draft standard draws heavily on technical measures familiar to the identerati, such as digital signatures and certificates.

And the new Verified Information Exchange (VIE) is an interdisciplinary research program hosted by UW with a work program focused on network or scheme-based business models for data supply. According to the VIA, “The global information environment is a form of 'market' that needs exchange protocols and local standards”

Another new effort, the Global Assured Interoperability Network (GAIN) was prominent at Identiverse 2022. It means different things to different stakeholders; even the ‘I’ in G.A.I.N. since the initial publication has been reframed to interoperability. One of the best features of the concept is the Service Provider: a fourth party in the data flow, intermediating the familiar End User, Issuer and Relying Party, to enhance scalability.

Infostructure

The payment card processing networks exist purely so that certain customer data — account numbers and some metadata — can be reliably presented to merchants and verified. GAIN represents an extension of the four-party model for presenting and verifying data more generally.

Card schemes are a paragon of infostructure: An organizational structure used for the collection and distribution of information (usually hardware, networks, applications, etc.) used by a society, business, or other group (Ref: Oxford English Dictionary). That is, verifiable data sharing will be underpinned by rules, technologies, and business models.

Data Means Business

We know data is big business — good and bad — and that information is being organized into value and supply chains. We are still in the very early stages of digital transformation. As cyberspace becomes civilized, we need data business to be more orderly and transparent.

If there is any truth in the comparison of data and crude oil, then let’s think in terms of assaying data. That is, let’s start to measure the properties of data that make it reliable, fit for purpose, and valuable. And then let’s bind the assays to the data records as they move through the information value chains. I envision a world with widespread cryptographic infostructure, so that verifiable data is available everywhere, just like stable electricity and clean drinking water. We have the tools to build such infostructure. We IDpros know we have these tools because we have already built them!

The Post-Identity World

So let’s shift focus from the abstract to the concrete. Notice that I haven’t used the word “identity” since the start of this piece. The idea of identity is simply not helping. I know that it strikes some as a sterile perspective but what we think in the digital identity echo chamber doesn’t matter because the tools developed by our industry have shown the rest of the world how to design for verifiable facts and protect them cryptographically. We can trust without identifying. We are familiar with “zero trust” - let’s try zero identity!

We can break old habits. Instead of starting with identity, let’s ask:

• What do you really need to know?
• Where will you get the data?
• How will you know if it’s true?  

It is perfect timing for a paradigm shift. We have intelligent devices at the edge, we have mobile digital wallets that make ideal verifiable containers for data, and we have clouds full of APIs for signing data. We can do better with digital identity; indeed, we can do something much bigger and better for all of cyberspace. Let’s apply our proven tools to build an infostructure that delivers data as a true utility.

News Analysis: IBM and AWS Crank Up Their Partnership Up A Notch With AWS Marketplace

R "Ray" Wang

Principal Analyst and Founder
Constellation Research

R “Ray” Wang is the CEO of Silicon Valley-based Constellation Research Inc. He co-hosts DisrupTV, a weekly enterprise tech and leadership webcast that averages 50,000 views per episode and blogs at www.raywang.org. His ground-breaking best-selling book on digital transformation, Disrupting Digital Business, was published by Harvard Business Review Press in 2015. Ray's new book about Digital Giants and the future of business, titled, Everybody Wants to Rule The World was released in July 2021. Wang is well-quoted and frequently interviewed by media outlets such as the Wall Street Journal, Fox Business, CNBC, Yahoo Finance, Cheddar, and Bloomberg. Short Bio R “Ray” Wang (pronounced WAHNG) is the Founder, Chairman, and Principal Analyst of Silicon Valley-based Constellation Research Inc. He…...

Read more

This year's Amazon Web Services reInvent brought over 55,000 attendees to one of the premier tech industry events.  The obvious and noticeable change in this year's event was an overemphasis on partnerships and alliances.  The AWS leadership team made it clear that partners were more than welcomed.  IBM's presence as the Global Partner of the year did not go unnoticed by the attendees and of course the other public cloud vendors who have not yet had the courage to host in-person events at scale.

reInventing Partnerships With Public Cloud Vendors

IBM’s transformative journey with AWS as a partner began earlier in 2022 when IBM Software became available as-a-Service on IBM Cloud.  The partnership gave customers the ability to access IBM software that runs cloud-native on AWS. The partnership has three key components:

1. Honoring customer cloud commitment spending. Resell partners can apply clients committed spend with AWS against IBM products from the AWS Markeplace.
2. Driving co-sell programs. Partners can sell offerings from IBM, Red Hat, and AWS solutions in the marketplace.  Since May, products such as IBM API Connect, IBM Db2, IBM Maximo Application Suite, IBM Security, Verify, and IBM Watson Orchestrate have been available on the AWS Marketplace.  At this year’s reinvent, IBM added Envizi ESG, IBM Planning Analytics with Watson, IBM Content Services and IBM App Connect Enterprise running as-a-service on AWS.
3. Leveraging the AWS’ ecosystem. In addition, ISVs can now purchase IBM software offerings from the AWS Marketplace with similar benefits as an IBM partner.

Meet Customers Where They Are At

IBMs revitalized strategy takes a customer-centric approach – “The client is at the center of everything IBM does,” noted IBM’s worldwide channel chief Kate Woolley in many keynotes and interviews.  This better together strategy enables clients to make the most out of the joint IBM – AWS relationship.  Further, as more IBM offerings are added to the AWS Marketplace customers can purchase and consume their offerings with more flexibility.  Both customers and partners can expect more offerings in the AI portfolio and the Embeddable AI portfolio to be added to the AWS Marketplace.

Modernize Compute Power With Cloud And Mainframe

IBM’s revamped public cloud strategy is a full 180 turn from former CEO and Chairman of IBM’s head on, belligerent approach to public cloud vendors such as Amazon.  This coincides with a strategic push to focus on high value workloads versus commoditized Infrastructure as a Service (IaaS) workloads.  The hybrid cloud and Multicloud models now form the heart of IBM’s strategy and the AWS partnerships is proof of this strategic shift that greatly benefits IBM, AWS, and customers.  

Starting with mainframe DevOps, IBM and AWS announced the IBM Z and Cloud Modernization Stack availability in the AWS Marketplace.  Developers will receive key tooling for public cloud platforms and support the modernization of applications. Astute clients may even take advantage of IBM Z’s confidential computing capabilities to encrypt data in and out for additional security.  Constellation believes this expanded pool of developers and tools, will enrich the overall ecosystem and enable customers to match the right work loads with the right compute power, with the right security model, at the right performance/value ratio.

Gain and Streamline Enterprise Class Security

Whether it be in AWS or hybrid cloud environments, IBM’s Security offering includes consulting, systems integration, technology, and managed security services on AWS. IBM has received a Level 1 MSSP Competency Partnership endorsement along with Premier Consulting Partner, Advanced Technology Competency Partner and ISV Accelerate Partner.
 

The Bottom Line: IBM's AWS Relationship Provides A Win-Win For Both Customers and Partners

Customers are already benefiting from the IBM relationship. In one case, FinnAir migrated 70 apps on 400 servers to AWS in partnership with IBM.  Many customers are moving on-premises applications such as SAP into AWS.  Moreover, customers and partners now have an access to IBM offerings on AWS via the AWS Marketplace. 

Having the IBM software and services portfolio accessible to the AWS ecosystem gives stakeholders access to IBM automation. IBM Data and AI, IBM Sustainability Software, IBM Security Software, IBM Security Services, and IBM Storage.  This shift in strategy provides both a customer and partner centric approach that will help accelerate cloud migration and acceleration.

Your POV

Are you both an IBM and AWS customer? Do you see this as a win-win? Will you be more likley to choose AWS because of the IBM relationship?

Add your comments to the blog or reach me via email: R (at) ConstellationR (dot) com or R (at) SoftwareInsider (dot) org. Please let us know if you need help with your strategy efforts. Here’s how we can assist:

• Developing your metaverse and digital business strategy
• Connecting with other pioneers
• Sharing best practices
• Vendor selection
• Implementation partner selection
• Providing contract negotiations and software licensing support
• Demystifying software licensing

Reprints can be purchased through Constellation Research, Inc. To request official reprints in PDF format, please contact Sales.

News Analysis: FTC's Lina Khan Blocks $69 Billion Microsoft - Activision Acquisition

R "Ray" Wang

Principal Analyst and Founder
Constellation Research

R “Ray” Wang is the CEO of Silicon Valley-based Constellation Research Inc. He co-hosts DisrupTV, a weekly enterprise tech and leadership webcast that averages 50,000 views per episode and blogs at www.raywang.org. His ground-breaking best-selling book on digital transformation, Disrupting Digital Business, was published by Harvard Business Review Press in 2015. Ray's new book about Digital Giants and the future of business, titled, Everybody Wants to Rule The World was released in July 2021. Wang is well-quoted and frequently interviewed by media outlets such as the Wall Street Journal, Fox Business, CNBC, Yahoo Finance, Cheddar, and Bloomberg. Short Bio R “Ray” Wang (pronounced WAHNG) is the Founder, Chairman, and Principal Analyst of Silicon Valley-based Constellation Research Inc. He…...

Read more

Microsoft Faces Its Biggest Challenge Despite Its "Social" Standing

Microsoft's CEO Satya Nadella’s and Vice Chair and President Brad Smith face their toughest challenge.  There was always the belief that so long Microsoft acted like a “good citizen” on social issues they would be immune to anti-trust.  That myth has been burst.  The FTC has filed a lawsuit and a judge must decide if the case is strong enough to block the $69 billion deal.  To be blunt, the FTC fears Microsoft will not provide titles for other platforms.  Other headwinds include 16 countries that will have to approve the mega deal.  China will probably block the deal to protect TenCent's position.  Tencent also owns 5% of Activision.

"This is a battle for the future delivery of gaming and gaming platforms," Ray Wang at @constellationr explains as the FTC puts the brakes on Microsoft’s $75bn deal to buy Activision Blizzard. #CallofDuty #MSFT pic.twitter.com/2gvYQHIG1X

— Dan Murphy (@dan_murphy) December 9, 2022

Digital Giants Operate On A Different Dimension And Playbook

Should the deal be completed, Microsoft will become the third largest gaming player by revenue as they reach 3 billion users behind Tencent (#1) and Sony (#2).  Activision brings 31 million monthly active users (MAUs).  Xbox gaming brings 20 million users to the mix.  At the surface, Microsoft's argument about industry competition makes sense for the $200 billion gaming market. However, digital giants are collapsing industries into value chains.  A software company, gaming company, telecom company, and entertainment have collapsed value chains along four common elements:

• Content - titles, movies, software
• Network - monthly active users and subscribers
• Distributions channels - stores, cloud (Azure), internet, consoles
• Tech platforms - gaming platforms, consoles, marketplaces

Moreover, a concentration of competitors who have integrated content, network, distribution channels, and technology platform could stifle competition. This argument should be the heart of the FTC's argument around digital giant dominance and future digital giant dominance. 

Perceived Past History Haunts Microsoft's Argument

Activision has blockbuster titles such as Overwatch, Call of Duty, Diablo, Warcraft, and Candy Crush Saga.  The FTC's argument primarily rests on how Microsoft allegedly failed to keep its word on more open distribution of its titles post acquisition when it acquired Zenimax. The FTC claimed that Bethesda titles Starfeld and Redfall were not available on other platforms. 

Microsoft disputes the terms of the agreement by stating that "“Future decisions on whether to distribute ZeniMax games for other consoles will be made on a case-by-case basis, taking into account player demand and sentiment. Factors that will inform Microsoft’s decision-making on future games include consumer demand and preference and the willingness of third parties to work with Microsoft to launch games for their devices.” 

Despite the apparent confusion and displeasure by the FTC, labor unions such as the Communication Workers of America (CWA) are in favor of the deal.   While Microsoft's gaming head Phil Spencer has offered Activision's blockbuster title Call of Duty, (a $1 billion dollar franchise) for 10 years to both Sony and Nintendo, this may not have been enough for the FTC to back off.

The Bottom Line - Microsoft - Activision Will Become A Landmark Case In Antitrust

Tech companies who thought they could be immune by taking positions on social issues have now realized they are not immune to government interference. At the heart of this case will be how to define the current markets versus the future markets in anti-competitive activity and anti-trust. Dominance in content, network, distribution channels, and tech platforms will eventually become the standard, once this has been identified by the FTC.  For now, this is really about the FTC and Lina Khan needing a win as time is ticking for the current administration to make their point.

In the larger picture, a key factor should be how the innovation lifecycle plays a role in innovation.  Startups and mid-size companies need exits to fund new innovation.  Large digital giants often can not innovate fast enough, attract enough talent, and reach new markets without mergers and acquisitions. Over regulation on M&A will stifle market innovation. Yet, not understanding the dynamics of how digital giants operate in dominating markets will harm consumers in the long run. These factors make this deal a landmark case for the future and may also pave the way for the Metaverse ambitions of Microsoft.