I was privileged to serve on a panel this weekend at SXSW with Bob Blakley from the Burton Group and Joseph Smarr from Plaxo. Moderating the panel was Kaliya Hamlin, Super Hero/Identity Woman.
Overall, I would say that there was a lot of enthusiasm and discussion from both our panel and the audience about enterprises adopting OpenID, OAuth, data portability and the like. I wanted to comment on a couple of things on my blog, from the perspective of a service provider for enterprises looking to distribute apps via the Web, as well as a distribution channel for existing Web apps through our syndication program.
It's hard for enterprises to adopt something like OpenID or OAuth. Now when I am talking about enterprises, I am not talking about AOL, Google or Yahoo; rather I am talking about an SMB with 50-200 employees and perhaps even a few thousand users of technology. It's hard for them to adopt a technology like OpenID and OAuth effectively. Why? Our panel talked about several issues. One that I would like to elaborate on a bit more is the conflict between corporate identity and user identity in enterprise versus consumer applications.
The company identity
The company is an identity and the employees of a company are subordinate identities. Each user's email address at the company is an asset of the company. The information stored and created at work is an asset of the company. In the consumer Web, the user is synonymous with an account for the most part. Your Gmail account is yours. In the corporate world, your email account is the company's. So the notion of another entity owning the identity of the employees is very different.
A user who goes to work for a company should not use a consumer Web site-provided OpenID as their company identity. Why? All the data imported from your consumer site into the work site would become property of the company -- probably not a good thing. The reverse is also true.
Taking work assets from a work identity to a personal site could also create problems. Not to mention that you can get in trouble for company assets ending up where they shouldn't be. Your company could get into trouble for improper use as well. This interaction is confusing for company executives and makes it difficult to understand how to use OpenID and OAuth.
So A Single Identity is Multiple Users
An additional problem for users in companies trying to adopt Web technologies is the need to have multiple Web identities to log on to different apps. Trying to deal with this on your own creates a virtual identity crisis for the individual. If there are five apps that the company is using, there are now at least five logons and it's confusing to track all that. The poor man's version of this is to synchronize or use the same username and password at all the sites. The bad deal is that one password leak is potentially damaging and irresponsible at the very least. So this confusion more often than not leads a company to do nothing on web identity -- potentially leaving valuable company assets at risk.
But isn't OpenID the solution?
Okay, now for advocates of OpenID it would seem that this is the solution to the identity crisis. I agree on that point. If a business can "provide" OpenID accounts for its users, then it can help manage the identity crisis. This is one of the main points we focused on as a panel.
The challenge comes when businesses look at OpenID as a consumer of it for their staff: accepting someone else's trust for the registration of employees is clearly a difficult pill to swallow, while accepting someone else's OpenID for customers is a much easier one.
However, I believe that businesses would benefit greatly by providing OpenID for their employees. Imagine, if you will, giving your employees an OpenID to use to register with all company-used applications. This would save tremendous time and create value in the use of technology.
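The policy argued for in the two paragraphs above, as an added example (not code from the original post): a relying-party gate that accepts only company-issued OpenIDs for employee accounts while taking any well-formed OpenID for customers. The host `id.example-corp.test`, the account types and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the company runs its own OpenID provider here.
COMPANY_OP_HOSTS = {"id.example-corp.test"}


def normalize_identifier(claimed_id):
    """Return (scheme, host) for a claimed OpenID URL, or None if unusable."""
    ident = claimed_id.strip()
    if "://" not in ident:
        ident = "http://" + ident  # OpenID 2.0 treats a bare host as http://
    try:
        parts = urlsplit(ident)
        host = (parts.hostname or "").rstrip(".").lower()
        has_userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host or has_userinfo:
        return None  # rejects e.g. https://id.example-corp.test@other.test/
    return parts.scheme, host


def accept_login(claimed_id, account_type):
    """Policy gate run before the OpenID library verifies the assertion."""
    norm = normalize_identifier(claimed_id)
    if norm is None:
        return False, "malformed identifier"
    scheme, host = norm
    if account_type == "employee":
        if scheme != "https":
            return False, "employee identifiers must use https"
        if host not in COMPANY_OP_HOSTS:  # exact match, never a suffix test
            return False, "employee identifier not issued by the company"
        return True, "company-issued identifier"
    if account_type == "customer":
        return True, "third-party identifier accepted for customers"
    return False, "unknown account type"


if __name__ == "__main__":
    # Constructed sample identifiers, not taken from the post.
    for ident, kind in [("https://id.example-corp.test/alice", "employee"),
                        ("https://openid.consumer.test/alice", "employee"),
                        ("openid.consumer.test/alice", "customer")]:
        print(kind, ident, accept_login(ident, kind))
```

The gate only decides which issuer is acceptable for which kind of account; the assertion itself still has to be verified by the OpenID library before the login is trusted.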
The naysayers will gladly remind me that there is more to the equation. OpenID and OAuth implementations can still be very clunky, and while the intent is promising, the industry as a whole still has a long way to go.
Meanwhile, here are some interesting things to check out:
