Oct 12, 2012

Need new paradigm for Authentication and Customer Master Data

Building platforms that enable the automation of processes throughout the ecosystem, requires a different way to authenticate users, manage their master data and access security.  Why is it that?  Why are most cloud service providers not addressing that need?

For that reason are multi-tenant cloud architectures unlikely to become the method of choice for transforming the ecosystem.

Let's take a look at Salesforce.com, as being the most successful cloud based business applications platform today.

Every company joining the platform is subscribing to one or more "orgs" or "tenants".  A tenant is like a virtual private environment.  This tenant is "perfectly separated" from the other companies on the platform.
Every company is then configuring the application to their own liking and loading it with their own master data   This is in fact the exact same process as a company would use with an on-premise application.  The multi-tenancy characteristic is to the benefit of the SaaS software provider as it is a means for them to optimize their infrastructure capacity and to maximize their margin or - at best - to offer competitive prices for their customers.
The result is a traditional application owned and managed within the enterprise, automating their internal business processes they way they want to run these processes.

This concept of a tenant for each company with its own master data is a significant barrier if we want to be able to run applications that support processes that go across the various companies creating a seamless collaboration across all parties in the ecosystem.  For that to be possible, we need a shared platform complete with a core of master data, business rules and configured processes.  Around that core may reside company specific additions if needed.

For this shared master data to be usable for the whole ecosystem, new paradigms will have to be brought to  work.  Let me list a few:
  1. Master data needs to be sourced in some way, either:
    1. Crowd sourcing : People need to provide their own customer record, including permissions or restrictions, e.g. regarding sharing or contacting.
    2. Data providers:  Companies like Cegedim, IMS or Doccheck could provide such data for the pharma ecosystem, but presumably will only do so if they can still see a revenue model in it, and they are unlikely to have all records for all actors in the ecosystem.
    3. Authentication services could also be provided by Governmental organizations.
  2. Validation: Business applications will require trustworthy data before business application processes or workflows can rely on this data.  Various methods can be used, depending on the criticality of the application, e.g.:
    1. Social peer validation : this can work for non-critical applications.  Each user owns his own record.  Unless they register themselves on the platform, they will not be able to participate on it.  Their peer contacts in the platform can perform peer validation and confirm the correctness of the person's master data.  The master data will have some kind of "trustworthy" indicator, depending on the number and type of validation confirmations that are received.
    2. Delegated administration by authorized representatives of companies to administer their own people.  This will significantly improve the trustworthiness of the data provided that the administrators themselves are well controlled.
    3. Make use of authentication services or methods.  E.g. The use of electronic ID cards, PKI certificates etc.. 
  3. Security management:  With all companies working in the same shared platform with the same set of master data, this doesn't take away the need to limit access to what people are authorized to.  It is becoming even a more important need.  An additional complexity is that every ticket or transaction that is processed through the system may have different involved partners, and therefore access control will need to take into account that the partners involved in the processing of tickets can be different for every ticket. 
I believe the above issues are among the main barriers in building critical business applications serving a complete ecosystem.
Existing crowd sourcing based databases still have too many limitations that will need to be addressed before they can be used.  E.g.
  1. LinkedIn: Probably the best crowd sourced database for business purposes, but even this database lacks a number of must haves.  E.g. User names and data are not validated in any way.  The data lacks working relationships, org chart structures, project structures etc. and there is no way to add characteristics that might be important to describe authorizations.  For now, this just remains a networking and job recruitment site.
  2. Facebook: While this is the largest user database on the planet today, nicknames are quite common and the trustworthiness of the data is not even good enough to trust it to order a pizza.
  3. Google+ : While it was the intention to have only real names, also Google has given in on the wish of people to use nick-names, undermining its value as a person master database.  Also, the account pages are too weak for now to have it evolve in a real database of people with roles and responsibilities in companies and in business processes.
This need to be able to identify and authenticate a user who is connecting to an application is a basic requirement, yet as of today, it doesn't seem to be easy to resolve.  Even governments seem to fail to facilitate this in their countries.  E.g. Even in Belgium, where we introduced electronic identity cards with chips many many years ago, there are no generally available authentication services that make use of these ID cards.  Actually, how many PCs come with a reader for electronic cards?
This weekend, in Belgium we have our city elections, and guess what, it is still not possible to vote via the internet.  Come-on, we are 2012! 

So, what is going to become the dominant method for reliable user authentication?  Will it be based on your mobile phone?  On your electronic ID card?  On your credit card?  On a wireless memory key?  On your fingerprints? 
And who is going to solve this?  Google, Facebook, LinkedIn...or our Governments?

What do you think?






No comments:

Post a Comment