To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://comment.silicon.com/0,39024711,10003726,00.htm

The Bloor Perspective: Nanotech, ID theft and whether to issue an RFP
Robin Bloor and his team this week look into the future of nanotechnology, protecting identities and how best to source IT...

By Bloor Research

Published: Monday 14 April 2003

Nanotechnology, they say, will be a $1tr market. They are probably right but it won't happen tomorrow. Right now we are in the early hype phase where there are more ideas than products. But still, there are a number of start-ups, and even one or two established products and companies. So what are they doing?

Well, the early applications of nanotechnology were a matter of 'improving" substances and surfaces. So there are body parts for vehicles and airplanes that are stronger and lighter because of nanotechnology. There are self-cleaning windows that use nano-engineering to keep dirt from sticking to glass and even materials from which clothes can be made that will repel stains. So in this stream of things, nanotechnology is really an extension of materials science.

The most startling 'idea' in this area of development followed on from the discovery of carbon nanotubes, which is attributed to Sumio Iijima (of NEC in Japan) and independently, Don Bethune (of IBM, Alamaden). The idea is to build an elevator into space which would be 100,000 kilometres long. (No, this is not a hoax.) The man behind the idea is Brad Edwards, CTO of High Lift Systems Inc. of Seattle. High Lift Systems, which counts NASA as one of its investors, is hoping to have the elevator built in about 10 years.

Nanotubes are "hexagonal lattices of carbon, wrapped in a tight cylinder". They are also very, very strong and although just a few nanometres wide, they can be up to a millimetre long. These tubes can be woven into strands and, in High Lift Systems' scheme of things, could be used to make a paper thin ribbon about one meter wide and 100,000 kilometres long. Such a huge ribbon would actually be stiff enough to stand up on its own.

The idea is to send up a spaceship with rolls of this ribbon and when it reaches a geostationary orbit (where gravitational force is exactly equal to centripetal force) start to unwind the ribbon in both directions, Going away from earth the centripetal force will keep it taught and, going down to earth, gravity will do the trick.

An elevator carriage can then be attached and move up and down the ribbon. High Lift Systems believes it can move the carriage at about 200kph. It estimates the construction cost at $10bn but says that such an elevator would reduce the cost of spaceflight by a factor of 400.

All of this may seem like a far cry from IT but much of the early work here was done in IT research labs and such work continues. Right now there seems to be a focus on building machines to build nanodevices. In other words 'nanofactories'. And many of the nano-devices will be IT products.

*A question of ID*

According to the Federal Trade Commission, online identity theft is the fastest growing crime, with internet-related incidents accounting for two-thirds of all complaints. The issue has such a high profile now that it is even covered in women's magazines. Don't ask, I just know.

What is an identity? This might seem obvious but is it? I would describe a digital identity as a set of attributes that describe an entity (be it person, process, system, server or thing) within the context of an event or request. Attributes are bound to a unique identifier, such as name, which is established through the process of authentication.

It follows that an identity management solution should provide highly granular rules and policy expression capability to enable administrators to easily define how identities are to be used within different contexts. By way of example, you might think of yourself in the capacity of citizen, employee, executive, contractor, supplier, buyer, partner, colleague and so on. What sort of identity attributes would you have? There can be quite a mix.

Security architectures and compliance methods need to be able to support a consistent means of determining how digital identities are formulated for and applied in business scenarios and to maintain the integrity of these by constant verification.

I came across a press release the other day of a fantastic example of how once again point technology is being offered as a solution that addresses only part of the problem. Wholesecurity claims to have developed a solution to solve the online ID theft problem by extending the SSL model - automatic, seamless protection, without downloads or upgrades - to the point of input. The company says Confidence Online will provide a secure, safe experience during any online transaction or data exchange to protect against criminals' new weapons - eavesdropping software and Trojan horse attacks.

Only that's not really the problem and, by the way, there is plenty of software out there that can more or less tell you if you have something unpleasant on your system.

From Wholesecurity's website it seems it is all about confidence. To my mind, the greatest risk is that back end systems holding more information about me than I care to think about get exposed because some admin person was in a hurry or just plain too busy.

As I look around the marketplace, there are a number of vendors along with Wholesecurity, such as Netegrity, Oblix, Quizid, RSA, VeriSign and Waveset who have parts of the identity management jigsaw but lack the whole solution. This means users have to take products from multiple vendors to build something that approaches a complete solution.

Fortunately, SAML and XACML are around as frameworks and many vendors are now supporting these, although we might question how well.

*To RFP or not to RFP?*

When an institution is looking to choose an IT solution to implement and it is a strategic choice important to the future of the business, finding the right technology vendor in a sea of offerings is not an easy task for the CIO.

One way they're narrowing down that selection process is by using a request for proposal (RFP). But RFPs aren't for the faint of heart. It's an extensive process that takes time and money.

You need to know who the players are, what questions you want to ask to actually have a useful RFP. While RFPs can help firms hone in on the right vendor, they are not always the best method for finding the right technological solution.

There is an alternative, if you do not know what options are out there but have a good idea of what you require. Adopt a less formal process. Canvass vendors and ask for a proof of concept - essentially a plan on how the vendor would tackle the problem.

An RFP is a very formal process and it generates a tremendous amount of work on both sides of the equation. You have to undertake business requirements analysis to determine the type of features you need to consider to solve your particular problem, to prepare an RFP that will provide comparable results and finally to conduct due diligence.

That means figuring out which vendor in the market has an appropriate solution. In some cases, vendors are readily identifiable. In others, you may have to start with an informal request for information (RFI) and visit vendors. That alone can be a laborious process. In addition to determining what it is the institution wants from the vendor, it needs to establish timelines and determine how it will judge the responses received to make sure that you compare apples to apples.

Experts say the key to a successful RFP lies in the issuer's ability to understand what it wants. It should not be a fishing exercise. You need a buying strategy from day one.

The success of an RFP depends on the ability to form a broad team from across the business involving the technology people, obviously, but also people from the business that have a good knowledge of the problem, some people that have responsibility for procurement and finally finance.

Also the institution should decide early if it wants to retain the services of a third-party consulting firm to help run the RFP and develop the evaluation process.

The RFP process is not one that is to be taken lightly. It is no walk in the park. I have been on both the sending and receiving end of this, so I know!

Bloor Research is a leading independent analyst organisation in Europe. You can find out more at www.bloor-research.com or by emailing mail@bloor-research.com.