Holidays Ahead: All aboard the content marketing express

Gavin Heaton

Founder
Disruptors Co

Gavin is the Founder of Disruptors Co, one of Australia’s leading independent strategy and innovation companies. Gavin advises firms on strategy, marketing, product development and innovation. He is also a member of the Orbits program, the influencer network of award winning analyst and advisory firm, Constellation Research. Gavin advises boards and leadership on innovation strategy, marketing, data-driven product development and corporate venturing. Gavin is on the board of Vibewire, a youth-led social enterprise based in Sydney, Australia and on the Technology Advisory Group for Good2Give – the workplace giving platform. ...

Read more

1

At the beginning of the year, Oracle Eloqua released a State of Content Marketing Survey Report that revealed the trends that were impacting content marketing and approaches that would be taken through 2014. And now, as we are closing in on what is possibly the most explosive time of year for content marketing (yes, I mean the Christmas/Holiday period), I thought it worth running a fine toothed comb across the findings to consider what has changed and what hasn’t. In doing so, we may find a worthwhile insight to drive our holiday content marketing efforts.

Some of the things to consider in your own content marketing include:

• Grow your own content: With 93% of respondents creating their own content in-house, 2014 was set to be a strong year for client-side marketers. However, just a little over half are regularly creating content for sales enablement. This leads to a disconnect between marketing and sales which can cause internal challenges and misalignment between business and marketing objectives. Lesson: Work with external agencies to expand content creation capabilities
• Tool-up to measure effectiveness: Almost 50% of respondents expected to successfully align content with the buyer’s journey by mid-2014. However, only 22% have an effective measurement strategy, and 23% don’t have the tools they need for measurement. This further exacerbates the disconnect between marketing and sales. Lesson: There are increasingly powerful measurement tools available. Now is the time to invest, evaluate and refine your measurement approach ahead of the holiday period
• Feed your marketing automation machine with quality content: Just like data, you get out what you put into content marketing. It’s not just a matter of “pumping out” content – the challenge for marketers is creating a centre of gravity which attracts customers, leads and opportunities to engage. This is done with quality content, and with 24% of marketers indicating they struggle to engage their audiences, it’s clear there is work to be done here. Lesson: The dream of one-to-one conversations at scale is only possible with a deep understanding of your customer’s journey, marketing automation that has been tuned to that path, and quality content that nurtures leads and moves your audiences from anonymity visitors to known customers. 

Most marketers will have clear plans for the next two months, but it’s worth pausing and asking the question “Are we doing the right things and doing things right?”. In this digital age, strategy, execution and measurement are no longer time consuming – and marketers must learn to iterate their marketing at the speed of their customers’ lives. Find people who can help you experiment and climb aboard the content marketing express.

Marketing Transformation Next-Generation Customer Experience Innovation & Product-led Growth Tech Optimization Oracle Marketing B2B B2C CX Customer Experience EX Employee Experience AI ML Generative AI Analytics Automation Cloud Digital Transformation Disruptive Technology Growth eCommerce Enterprise Software Next Gen Apps Social Customer Service Content Management Collaboration Chief Customer Officer Chief Marketing Officer

Customer Case Study - Constellation SuperNova Award Winner - RMH Franchise Corporation

Holger Mueller

Vice President and Principal Analyst
Constellation Research

Holger Mueller is VP and Principal Analyst for Constellation Research for the fundamental enablers of the cloud, IaaS, PaaS and next generation Applications, with forays up the tech stack into BigData and Analytics, HR Tech, and sometimes SaaS. Holger provides strategy and counsel to key clients, including Chief Information Officers, Chief Technology Officers, Chief Product Officers, Chief HR Officers, investment analysts, venture capitalists, sell-side firms, and technology buyers.  Coverage Areas: Future of Work Tech Optimization & Innovation  Background: Before joining Constellation Research, Mueller was VP of Products for NorthgateArinso, a KKR company. There, he led the transformation of products to the cloud and laid the foundation for new Business Process as a…...

Read more

Once a year - at the yearly Constellation Connected Enterprise conference, we award innovative executives in each of our research areas. It was my honor this year to award the winner in our research area of 'Consumerization of IT / The new C-Suite'.
 

This year''s winner, Robin Jenkins (@RobinJenkins) of RMH Franchise Corp. balanced these two forces perfectly. 

I had the pleasure to do a short video interview with Jenkins, that you can watch here:
 

Highlights in the video are

• RMH Franchise operates over 130 Applebee's franchises in 15 states across the Midwest
• Faced with 120% employee attrition RMH decided to use the power of gamification to increase employee engagement and ultimately retention
• Previous system were back to managers abilities and not being successful. 
• Jenkins researched the topic and stumbled across a game called 'Dino Dash' - which created the idea to use gamification as an instrument to increase employee engagement
• RMH Franchise ultimately selected Bunchball as the vendor showed more commitment than its competitors. visiting locations, making best practice suggestions and helping the small RMH Franchise IT team.
• RMH Franchise went live in June 2014, it's too early to see formal results but overall employee engagement is already up 
• With the industry average being 92%, RMH Franchise will see significant savings reducing attrition. The company has calculated that a 10 percentage point reduction will equate to 1M US$ in savings, paying fully for the project.
• Jenkins recommends other practitioners to look into gamification as a tool to get employees more engaged. The value is not in the software, tools and leadership boards, but in the change of the thought process and shift in values of employees facing customers.
• The biggest challenge Jenkins sees is the change management to get executives, managers and employees on board to use the system.  

 

New C-Suite Chief People Officer

Five Content Strategies for Advocate Marketing

Partner, Sensei Marketing
Partner, Sensei Marketing

Sales & marketing veteran with almost 30 years’ experience and now 1800 digital projects to his credit for clients including Morgan Stanley, AOL, Hyatt Gaming Management, Snyder's of Hanover, Hitachi, the Home Depot, Kraft Foods, Drees Homes, American Idol, and hundreds more, including leading agencies around the North America.     ...

Read more

1

Marketers have long accepted the fact that successful content is that which is helpful to the business’s audience and not overt brand advertising. We know that if the content we produce is to be consumed and shared, it must entertain and inform our audience, instead of simply selling to them. As more and more businesses produce such useful content, however, making your content more relevant has become a new challenge.

Drew Bernard, the founder of Facebook app development firm Action Sprout, recently shared his “lessons learned” on content creation and how to make it more appealing (and thus viral) for advocate marketing. He says not only must content be relevant and informative to its audience, it must be “something that fans want to be personally connected with as it becomes part of their online personal narrative.”

Below are the five content strategies for advocate marketing he recommends to do just that.

1. Bring a smile

While we all love a post that makes us smile, marketers often feel pressure to stay on message. This often translates into being serious because organizations fear that making light of something could cheapen their brand. If you’re creating content for an organization with a serious mission, look for tasteful ways to inject humor into your Facebook posting regimen and you will find that overall reach and engagement will go up.

2. Be Inspiring

Look for content that will inspire hope or other positive emotions. Inspiring content consistently does well because Facebook users want inspiring content to be part of their personal narrative. One way to inspire people is to celebrate success.

The Sierra Club’s “Thank the California Fish and Game Commission Protecting the Gray Wolves” posts celebrate success and inspire hope while providing fans a way to inspire their own friends. As this post performed well organically, Sierra Club chose to promote it as well, which resulted in a very high return on investment: more than 1600 people signed up to receive email communication from Sierra Club from this post.

3. Help your fans become a trusted source of information

It’s long been known that one of the best ways to build a large and loyal network on Facebook is to be the trusted source of information on a topic which people care about. The real magic here is about fans wanting to be the trusted source of information to their friends, which leads them to share your content with their network. Infographics with interesting facts and figures are a good example of posts that typically outperform average content as they help fans show their friends they are a trusted source of information.

4. Empower people

Roughly 10% of people who engage with a given Facebook post that includes meaningful content are willing to do something beyond like, share or comment. Because fans almost certainly view your organization as working to bring about change they want to see in the world, they are willing to take an action that results in greater viral sharing and, in the process, sign up for email communication.

Posts that empower people to make a difference help them show others who they really are. Simultaneously, these posts work to deepen relationships as people sign up for future direct communication.

5. Run special offers that align with your mission

Contests and draws are proven strategies to boost engagement. To avoid engaging with people more interested in the value of the offer than your organization’s mission, I recommend offering the potential to win by taking an action (whether it’s simply clicking like or signing a petition) to tap into the power of offering something of small monetary value (e.g. your organization’s t-shirt) while still keeping it relevant. This keeps both engagement and quality high. The most effective of these campaigns make your fans feel like they are doing their friends a favor by inviting them to participate, too.

The practice of advocate marketing must become a more subtle science. Consumers have become less likely to share brand or product information – however useful it is or however much they love the product – if it does not align with their personal brand narrative. That’s the common thread in this list: Content marketing that goes viral isn’t just about good content but the audience’s perception of how sharing that content will influence their personal brand among THEIR audience.

We’ve all become conscious of the fact that our social media posts form the basis for the world’s perception about us as individuals – professionally or personally.  Your consumers will share more of your content if it elicits a more positive impression of them or if it more closely aligns with their personal values.

Sam Fiorella
Feed Your Community, Not Your Ego

The post Five Content Strategies for Advocate Marketing appeared first on Sensei Marketing.

Marketing Transformation Chief Marketing Officer

Event Report: The Storify #CCE2014 TweetStream On #DigitalTransformation #DigitalBiz

R "Ray" Wang

Principal Analyst and Founder
Constellation Research

R “Ray” Wang is the CEO of Silicon Valley-based Constellation Research Inc. He co-hosts DisrupTV, a weekly enterprise tech and leadership webcast that averages 50,000 views per episode and blogs at www.raywang.org. His ground-breaking best-selling book on digital transformation, Disrupting Digital Business, was published by Harvard Business Review Press in 2015. Ray's new book about Digital Giants and the future of business, titled, Everybody Wants to Rule The World was released in July 2021. Wang is well-quoted and frequently interviewed by media outlets such as the Wall Street Journal, Fox Business, CNBC, Yahoo Finance, Cheddar, and Bloomberg. Short Bio R “Ray” Wang (pronounced WAHNG) is the Founder, Chairman, and Principal Analyst of Silicon Valley-based Constellation Research Inc. He…...

Read more

Constellation’s Connected Enterprise Brings The World Of Digital Transformation To Life

• Consumerizaiton of IT
• Data to Decisions
• Digital Marketing Transformation
• Future of Work
• Matrix Commerce
• Next Generation Customer Experience
• Technology Optimization and Innovation

Figure 1. The Storify Tweet Stream from #CCE2014

 

 

Resources

The post Event Report: The Storify #CCE2014 TweetStream On #DigitalTransformation #DigitalBiz appeared first on A Software Insider's Point of View.

 

Data to Decisions Future of Work Marketing Transformation Matrix Commerce New C-Suite Next-Generation Customer Experience Tech Optimization Innovation & Product-led Growth Connected Enterprise Event Report AI ML Machine Learning LLMs Agentic AI Generative AI Analytics Automation B2B B2C CX EX Employee Experience HR HCM business Marketing Metaverse developer SaaS PaaS IaaS Supply Chain Quantum Computing Growth Cloud Digital Transformation Disruptive Technology eCommerce Enterprise IT Enterprise Acceleration Enterprise Software Next Gen Apps IoT Blockchain CRM ERP Leadership finance Social Healthcare VR CCaaS UCaaS Customer Service Content Management Collaboration M&A Enterprise Service Executive Events Chief Customer Officer Chief Digital Officer Chief Executive Officer Chief Financial Officer Chief Information Officer Chief Marketing Officer Chief People Officer Chief Procurement Officer Chief Supply Chain Officer Chief Technology Officer Chief Data Officer Chief Analytics Officer Chief Information Security Officer Chief Operating Officer Chief Experience Officer

2014 SuperNova Award Winners Announced!

Constellation announces the winners of the 2014 SuperNova Awards at Constellation's Connected Enterprise.

Last night at the SuperNova Award Gala Dinner, Constellation announced the winners of the 2014 SuperNova Awards. 

The Constellation SuperNova Awards are the first and only awards to celebrate the leaders and teams who have overcome the odds to successfully apply emerging and disruptive technologies for their organizations. The SuperNova Award winners demonstrated great leadership in selecting, implementing, and deriving business value from disruptive technologies. Please read about their projects below. 

All applications were evaluated by the SuperNova Award Judges, comprised of industry thought leaders, and then put to a public vote. 

And the winners are....

Consumerization of IT & The New C-Suite - Robin Jenkins, RMH Franchise Corporation

Data to Decisions - Steve Schnur, MGM Resorts

Digital Marketing Transformation - Janelle Donovan, ServiceMax

Future of Work - Jason Grady, Northeast Georgia Medical Center

Matrix Commerce - Sanjib Sahoo, tradeMONSTER Group, Inc.

Next Generation Customer Experience - Ian White, Rackspace

Technology Optimization & Innovation - William Cooper, University of California Office of the President

 

The Rewards

All SuperNova Award Winners win:

• One ticket to Constellation's Connected Enterprise 2015

• One one-year subscription to Constellation's research library

Congratulations to the winners! Continue to be brave, innovative, and disruptive!

Data to Decisions Future of Work Marketing Transformation Matrix Commerce New C-Suite Next-Generation Customer Experience Tech Optimization Chief Customer Officer Chief Digital Officer Chief Executive Officer Chief Financial Officer Chief Information Officer Chief Marketing Officer Chief People Officer Chief Procurement Officer Chief Supply Chain Officer

SuperNova Award Winners Announced Tomorrow

The winners of the SuperNova Awards will be announced tomorrow at the SuperNova Awards Gala Dinner on October 29, 2014 in Half Moon Bay, California. The gala dinner takes place on the first night of Constellation’s Connected Enterprise innovation summit.

Check back tomorrow to see who won! 

The Constellation SuperNova Awards are the first and only awards to celebrate the leaders and teams who have overcome the hurdles of technology adoption to successfully introduce emerging and disruptive technologies to their organizations.  

SuperNova Award Finalists

CoIT & The New C-Suite

Robin Jenkins, Regional Marketing Manager, RMH Franchise Corporation
Sanjib Sahoo, Chief Technology Officer, tradeMONSTER Group, Inc.
Gordon Smith, Supervisor, Client Hardware Engineering and Mobile, Intermountain Healthcare
Jason Grady, NGMC Regional STEMI Coordinator & Paramedic, Northeast Georgia Medical Center
Jeff Trom, Chief Technology Officer, Workiva

Data to Decisions

Chris Frye, Director of Innovation, Crate and Barrel
Dave Berman, President, RingCentral
Dr. Joel Dudley
Graeme Aitken, Vice President of Business Controlling, DHL Express
Steve Schnur, Director of Merchandise Planning & Analytics, MGM Resorts

Digital Marketing Transformation

Heather McBrien, Digital Marketing Manager, AAA Carolinas
Janelle Donovan, Sr. Director Of Marketing, Demand Generation, ServiceMax
Scott Loft, VP of Ticket Sales and Retentions, The Oklahoma City Thunder
Todd Wilms, Head of Social Business Strategy, SAP

Future of Work

Bob Hernon, Vice President of Finance & Treasury, Aéropostale, Inc.
Chris Salles, Director, eLearning, Guitar Center
Rob Wavra, President, Sentinel Applied Analytics
Gordon Smith, Supervisor, Client Hardware Engineering and Mobile, Intermountain Healthcare
Jason Grady, NGMC Regional STEMI Coordinator & Paramedic, Northeast Georgia Medical Center
Robin Jenkins, Regional Marketing Manager, RMH Franchise Corporation

Matrix Commerce

Darrell Haskin, Director of IT, Delta Air Lines
Larry Sibilia, Head of Merial’s Information Management Group, Merial 
Sanjib Sahoo, Chief Technology Officer, tradeMONSTER Group, Inc.
Travis Morrison, IT Director, New Belgium Brewing

Next Generation Customer Experience

Ian White, Manager of Support, Rackspace
Liz Pedro, Director Customer Success Marketing, Mitel
Darrell Haskin, Director of IT, Delta Air Lines
Michael Landauer, Digital Communities Manager, The Dallas Morning News
Steve Hilker, Dell Product Manager, Dell
Tom Wyland, Program Director, Paid Services Engineering, AOL

Technology Optimization & Innovation

Ed Martin, IT Director, UCSF
John West, Owner, Image Uniforms
Jonathan Feldman, CIO, City of Asheville IT Services
Kenneth Seeton, Central Plant Manager, California State University, Dominguez Hills
Marcel Chiriac, Group CIO, KMG International (Rompetrol)
Rick Taylor, Vice President of IT & Supply Chain, Youngevity
Wade Sendall, Vice President of IT, Boston Globe Media Partners, LLC
William Cooper, Associate Vice President and Chief Procurement Officer, University of California Office of the President (UCOP)

Data to Decisions Future of Work Marketing Transformation Matrix Commerce New C-Suite Next-Generation Customer Experience Tech Optimization Innovation & Product-led Growth AR Executive Events Chief Customer Officer Chief Digital Officer Chief Executive Officer Chief Financial Officer Chief Information Officer Chief Marketing Officer Chief People Officer Chief Procurement Officer Chief Supply Chain Officer

My Thoughts On Jive Software’s Jiveworld 2014

Alan Lepofsky

Vice President & Principal Analyst
Constellation Research

Alan Lepofsky - VP and Principal Analyst, Constellation Research. With almost two decades of experience in the collaboration software industry, Lepofsky helps organizations improve the way their employees work together to get their jobs done. Lepofsky’s primary research area The Future of Work, focuses on: integrating collaboration and business processes (Purposeful Collaboration), structuring work via Social Task Management, leveraging analytics and digital assistants to work more productively, the strategic impact of mobile computing on business transformation, and measuring workforce culture based on Digital Proficiency instead of age. Twitter: @alanlepoLinkedIn: https://ca.linkedin.com/in/alanlepo     , Title: Big IdeasIntelligent Collaboration: The Intersection of…...

Read more

Last week in Las Vegas Jive Software held their annual JiveWorld conference.  In front of around 1600 people Jive talked about how their products and services enable people to "Work Better Together".

Below is my analysis of some of the key announcements, including:
- Google Apps and Microsoft Office 365 integration
- A new view for "Top and Trending" in the newsfeed/activity stream
- The introduction of Jive's WorkTypes tool
- Analytics and insights, including a look at their future "Chord Diagram" feature

---

Future of Work Next-Generation Customer Experience Data to Decisions Innovation & Product-led Growth New C-Suite Tech Optimization Chief People Officer Chief Information Officer Chief Digital Officer Chief Experience Officer

First Take - IBM Insight Day 1 Keynote - BigData, Analytics, Content, Watson and… glue

Holger Mueller

Vice President and Principal Analyst
Constellation Research

Holger Mueller is VP and Principal Analyst for Constellation Research for the fundamental enablers of the cloud, IaaS, PaaS and next generation Applications, with forays up the tech stack into BigData and Analytics, HR Tech, and sometimes SaaS. Holger provides strategy and counsel to key clients, including Chief Information Officers, Chief Technology Officers, Chief Product Officers, Chief HR Officers, investment analysts, venture capitalists, sell-side firms, and technology buyers.  Coverage Areas: Future of Work Tech Optimization & Innovation  Background: Before joining Constellation Research, Mueller was VP of Products for NorthgateArinso, a KKR company. There, he led the transformation of products to the cloud and laid the foundation for new Business Process as a…...

Read more

We have the opportunity to attend IBM Insight currently happening in Las Vegas, with over 12k+ attendees, Insight is the largest IBM conference, centering on BigData, Analytics, Content and of course Watson.

 

Data to Decisions Tech Optimization IBM ML Machine Learning LLMs Agentic AI Generative AI AI Analytics Automation business Marketing SaaS PaaS IaaS Digital Transformation Disruptive Technology Enterprise IT Enterprise Acceleration Enterprise Software Next Gen Apps IoT Blockchain CRM ERP finance Healthcare Customer Service Content Management Collaboration Cloud CCaaS UCaaS Enterprise Service Chief Information Officer Chief Technology Officer Chief Information Security Officer Chief Data Officer Chief Executive Officer

The worst privacy misconception of all

Steve Wilson

Former Vice President and Principal Analyst
Constellation Research

Steve Wilson is former VP and Principal Analyst at Constellation Research, leading the business theme Digital Safety and Privacy. His coverage includes digital identity, data protection, data privacy, cryptography, and trust. His advisory services to CIOs, CISOs, CPOs and IT architects include identity product strategy, security practice benchmarking, Privacy by Design (PbD), privacy engineering and Privacy [or Data Protection] Impact Assessments (PIA, DPIA). Coverage Areas: -  Identity management, frameworks & governance-  Digital identity technologies-  Privacy by Design -  Big Data; “Big Privacy”-  Identity & privacy innovation Previous experience: Wilson has worked in ICT innovation, research, development and analysis for over 25 years. With double…...

Read more

I was discussing definitions of Personally Identifiable Information (PII) with some lawyers today, one of whom took exception to the US General Services Administration definition: information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual". This lawyer concluded rather hysterically that under such a definition, "nobody can use the internet without a violation".

Similarly, I've seen engineers in Australia recoil at the possibility that IP and MAC Addresses might be treated as PII because it is increasingly easy to link them to the names of device owners. I was recently asked "Why are they stopping me collecting IP addresses?". The answer is, they're not.

There are a great many misconceptions about privacy, but the idea that 'if it's personal you can't use it' is by far the worst.

Nothing in any broad-based data privacy law I know of says personal information cannot be collected or used.

Rather, what data privacy laws actually say is: if you're collecting and using PII, be careful.

Privacy is about restraint. The general privacy laws of Australia, Europe and 100-odd countries say things like don't collect PII without consent, don't collect PII beyond what you demonstrably need, don't use PII collected for one purpose for other unrelated purposes, tell individuals if you can what PII you hold about them, give people access to the PII you have, and do not retain PII for longer than necessary.

Such rules are entirely reasonable, and impose marginal restrictions on the legitimate conduct of business. And they align very nicely with standard security practice which promotes the Need To Know principle and the Principle of Least Privilege.

Compliance with Privacy Principles does add some overhead to data management compared with anonymous data. If re-identification techniques and ubiquitous inter-connectedness means that hardly any data is going to stay anonymous anymore, then yes, privacy laws mean that data should be treated more cautiously than was previously the case. And what exactly is wrong with that?

If data is the new gold then it's time data custodians took more care.

New C-Suite Digital Safety, Privacy & Cybersecurity Security Zero Trust Chief Information Officer Chief Information Security Officer Chief Privacy Officer

PKI as nature intended

Steve Wilson

Former Vice President and Principal Analyst
Constellation Research

Steve Wilson is former VP and Principal Analyst at Constellation Research, leading the business theme Digital Safety and Privacy. His coverage includes digital identity, data protection, data privacy, cryptography, and trust. His advisory services to CIOs, CISOs, CPOs and IT architects include identity product strategy, security practice benchmarking, Privacy by Design (PbD), privacy engineering and Privacy [or Data Protection] Impact Assessments (PIA, DPIA). Coverage Areas: -  Identity management, frameworks & governance-  Digital identity technologies-  Privacy by Design -  Big Data; “Big Privacy”-  Identity & privacy innovation Previous experience: Wilson has worked in ICT innovation, research, development and analysis for over 25 years. With double…...

Read more

Few technologies are so fundamental and yet so derided at the same time as public key infrastructure. PKI is widely thought of as obsolete or generically intrusive yet it is ubiquitous in SIM cards, SSL, chip and PIN cards, and cable TV. Technically, public key infrastructure Is a generic term for a management system for keys and certificates; there have always been endless ways to build PKIs (note the plural) for different communities, technologies, industries and outcomes. And yet "PKI" has all too often come to mean just one way of doing identity management. In fact, PKI doesn't necessarily have anything to do with identity at all.

This blog is an edited version of a feature I once wrote for SC Magazine. It is timely in the present day to re-visit the principles that make for good PKI implementations and contextualise them in one of the most contemporary instances of PKI: the FIDO Alliance protocols for secure attribute management. In my view, FIDO realises PKI 'as nature intended'.

"Re-thinking PKI"

In their earliest conceptions in the early-to-mid 1990s, digital certificates were proposed to authenticate nondescript transactions between parties who had never met. Certificates were construed as the sole means for people to authenticate one another. Most traditional PKI was formulated with no other context; the digital certificate was envisaged to be your all-purpose digital identity.
Orthodox PKI has come in for spirited criticism. From the early noughties, many commentators pointed to a stark paradox: online transaction volumes and values were increasing rapidly, in almost all cases without the help of overt PKI.

There were many practical problems in "big" centralised PKI models. The traditional proof of identity for general purpose certificates was intrusive; the legal agreements were complex and novel; and private key management was difficult for lay people. So the one-size-fits-all electronic passport failed to take off. But PKI's critics sometimes throw the baby out with the bathwater.
In the absence of any specific context for its application, "big" PKI emphasized proof of personal identity. Early certificate registration schemes co-opted identification benchmarks like that of the passport. Yet hardly any regular business transactions require parties to personally identify one another to passport standards.

"Electronic business cards"

Instead in business we deal with others routinely on the basis of their affiliations, agency relationships, professional credentials and so on. The requirement for orthodox PKI users to submit to strenuous personal identity checks over and above their established business credentials was a major obstacle in the adoption of digital certificates.

It turns out that the 'killer applications' for PKI overwhelmingly involve transactions with narrow contexts, predicated on specific credentials. The parties might not know each other personally, but invariably they recognize and anticipate each other's qualifications, as befitting their business relationship.

Successful PKI came to be characterized by closed communities of interest, prior out-of-band registration of members, and in many cases, special-purpose application software featuring additional layers of context, security and access controls.

So digital certificates are much more useful when implemented as application-specific 'electronic business cards,' than as one-size-fits-all electronic passports. And, by taking account of the special conditions that apply to different e-business processes, we have the opportunity to greatly simplify the registration processes, user experience and liability arrangements that go with PKI.

The real benefits of digital signatures

There is a range of potential advantages in using PKI, including its cryptographic strength and resistance to identity theft (when implemented with private keys in hardware). Many of its benefits are shared with other technologies, but at least two are unique to PKI.

First, digital signatures provide robust evidence of the origin and integrity of electronic transactions, persistent over time and over 'distance' (that is, the separation of sender and receiver). This greatly simplifies audit logging, evidence collection and dispute resolution, and cuts the future cost of investigation and fraud. If a digitally signed document is archived and checked at a later date, the quality of the signature remains undiminished over many years, even if the public key certificate has long since expired. And if a digitally signed message is passed from one relying party to another and on to many more, passing through all manner of intermediate systems, everyone still receives an identical, verifiable signature code authenticating the original message.

Electronic evidence of the origin and integrity of a message can, of course, be provided by means other than a digital signature. For example, the authenticity of typical e-business transactions can usually be demonstrated after the fact via audit logs, which indicate how a given message was created and how it moved from one machine to another. However, the quality of audit logs is highly variable and it is costly to produce legally robust evidence from them. Audit logs are not always properly archived from every machine, they do not always directly evince data integrity, and they are not always readily available months or years after the event. They are rarely secure in themselves, and they usually need specialists to interpret and verify them. Digital signatures on the other hand make it vastly simpler to rewind transactions when required.

Secondly, digital signatures and certificates are machine readable, allowing the credentials or affiliations of the sender to be bound to the message and verified automatically on receipt, enabling totally paperless transacting. This is an important but often overlooked benefit of digital signatures. When processing a digital certificate chain, relying party software can automatically tell that:

• the message has not been altered since it was originally created
• the sender was authorized to launch the transaction, by virtue of credentials or other properties endorsed by a recognized Certificate Authority
• the sender's credentials were valid at the time they sent the message; and
• the authority which signed the certificate was fit to do so.

One reason we can forget about the importance of machine readability is that we have probably come to expect person-to-person email to be the archetypal PKI application, thanks to email being the classic example to illustrate PKI in action. There is an implicit suggestion in most PKI marketing and training that, in regular use, we should manually click on a digital signature icon, examine the certificate, check which CA issued it, read the policy qualifier, and so on. Yet the overwhelming experience of PKI in practice is that it suits special purpose and highly automated applications, where the usual receiver of signed transactions is in fact a computer.

Characterising good applications

Reviewing the basic benefits of digital signatures allows us to characterize the types of e-business applications that merit investment in PKI.

Applications for which digital signatures are a good fit tend to have reasonably high transaction volumes, fully automatic or straight-through processing, and multiple recipients or multiple intermediaries between sender and receiver. In addition, there may be significant risk of dispute or legal ramifications, necessitating high quality evidence to be retained over long periods of time. These include:

• Tax returns
• Customs reporting
• E-health care
• Financial trading
• Insurance
• Electronic conveyancing
• Superannuation administration
• Patent applications.

This view of the technology helps to explain why many first-generation applications of PKI were problematic. Retail internet banking is a well-known example of e-business which flourished without the need for digital certificates. A few banks did try to implement certificates, but generally found them difficult to use. Most later reverted to more conventional access control and backend security mechanisms.Yet with hindsight, retail funds transfer transactions did not have an urgent need for PKI, since they could make use of existing backend payment systems. Funds transfer is characterized by tightly closed arrangements, a single relying party, built-in limits on the size of each transaction, and near real-time settlement. A threat and risk assessment would show that access to internet banking can rest on simple password authentication, in exactly the same way as antecedent phone banking schemes.

Trading complexity for applicability

As discussed, orthodox PKI was formulated with the tacit assumption that there is no specific context for the transaction, so the digital certificate is the sole means for authenticating the sender. Consequently, the traditional schemes emphasized high standards of personal identity, exhaustive contracts and unusual legal devices like Relying Party Agreements. They also often resorted to arbitrary 'reliance limits,' which have little meaning for most of the applications listed on the previous page. Notoriously, traditional PKI requires users to read and understand certification practice statements (CPS).

All that overhead stemmed from not knowing what the general-purpose digital certificate was going to be used for. On the other hand, if particular digital certificates are constrained to defined applications, then the complexity surrounding their specific usage can be radically reduced.

The role of PKI in all contemporary 'killer applications' is fundamentally to help automate the online processing of electronic transactions between parties with well-defined credentials. This is in stark contrast to the way PKI has historically been portrayed, where strangers Alice and Bob use their digital certificates to authenticate context-free general messages, often presumed to be sent by email. In reality, serious business messages are never sent stranger-to-stranger with no context or cues as to the parties' legitimacy.

Using generic email is like sending a fax on plain paper. Instead, business messaging is usually highly structured. Parties have an expectation that only certain types of transactions are going to occur between them and they equip themselves accordingly (for instance, a health insurance office is not set up to handle tax returns). The sender is authorized to act in defined types of transactions by virtue of professional credentials, a relevant license, an affiliation with some authority, endorsement by their employer, and so on. And the receiver recognizes the source of those credentials. The sender and receiver typically use prescribed forms and/or special purpose application software with associated user agreements and license conditions, adding context and additional layers of security around the transaction.

When PKI is used to help automate the online processing of transactions between parties in the context of an existing business relationship, we should expect the legal arrangements between the parties to still apply. For business applications where digital certificates are used to identify users in specific contexts, the question of legal liability should be vastly simpler than it is in the general purpose PKI scenario where the issuer does not know what the certificates might be used for.
The new vision for PKI means the technology and processes should be no more of a burden on the user than a bank card. Rather than imagine that all public key certificates are like general purpose electronic passports, we can deploy multiple, special purpose certificates, and treat them more like electronic business cards. A public key certificate issued on behalf of a community of business users and constrained to that community can thereby stand for any type of professional credential or affiliation.

We can now automate and embed the complex cryptography deeply into smart devices -- smartcards, smart phones, USB keys and so on -- so that all terms and conditions for use are application focused.
As far as users are concerned, a smartcard can be deployed in exactly the same way as any magnetic stripe card, without any need to refer to - or be limited by - the complex technology contained within (see also Simpler PKI is on the cards). Any application-specific smartcard can be issued under rules and controls that are fit for their purpose, as determined by the community of users or an appropriate recognized authority. There is no need for any user to read a CPS. Communities can determine their own evidence-of-identity requirements for issuing cards, instead of externally imposed personal identity checks. Deregulating membership rules dramatically cuts the overheads traditionally associated with certificate registration.

Finally, if we constrain the use of certificates to particular applications then we can factor the intended usage into PKI accreditation processes. Accreditation could then allow for particular PKI scheme rules to govern liability. By 'black-boxing' each community's rules and arrangements, and empowering the community to implement processes that are fit for its purpose, the legal aspects of accreditation can be simplified, reducing one of the more significant cost components of the whole PKI exercise.

Fast forward

The preceding piece is a lightly edited version of the article "Rethinking PKI" that first appeared in Secure Computing Magazine in 2003. Now, over a decade later, we're seeing the same principles realised by the FIDO Alliance. 

 

The FIDO protocols U2F and UAF enable specific attributes of a user and their smart devices to be transmitted to a server. Inherent to the FIDO methods are digital certificates that confer attributes and not identity, relatively large numbers of private keys stored locally in the users' devices (and without the users needing to be aware of them as such) and digital signatures automatically applied to protocol messages to bind the relevant attributes to the authentication exchanges.

Surely, this is how PKI should have been deployed all along.

New C-Suite Data to Decisions Next-Generation Customer Experience Digital Safety, Privacy & Cybersecurity FIDO Security Zero Trust Chief Information Officer Chief Information Security Officer Chief Privacy Officer