This Blog
Syndication
Recent Posts
Tags
Calendar
Archives
Identity and Access Management (IAM)
July 2007 - Posts
-
The Significance of Identity 2.0
It’s a little hackneyed to talk about how the Internet is expanding and how the potential to live, work and play on the Internet grows proportionately to this expansion, but it’s still true. We are almost daily exposed to new, “up-and-coming” services and ways to interact with one another, the most recent of which is the loose grouping of “Web 2.0” connections. This includes not only the burgeoning of Wikis and blogging, but also social-networking structures like MySpace, Friendster, Facebook and Second Life. The online world is coming to resemble, more-and-more, the offline world with new ways of forming associations and new opportunities for self-expression; and it seems that, positive-or-negative, there is an analog online for everything offline. And so we come to the notion of who we are as a digital persona in this brave new Web.
The evolution of the Internet has led to an impasse around the management of our identities. As services have rolled out, the hosts for these services have created many disparate user stores.In effect, we have multiple identities among domains on the Web, from eBay or Amazon accounts to IM identities, from corporate identities within our company’s’ infrastructures to identities with your bank, all the way up to and including our MySpace account and second lives. The most egregious examples exist even within a particular “trust domain” when you have multiple identities within a unique infrastructure, as is often the case when you can’t remember your username and password at a site and have to go through the process of re-registering. The end result of this is that as you move around on the Web, you are forced to authenticate multiple times in multiple ways and errors and redundancies and lapses where we can’t remember our identities creep in. Worse, we potentially can suffer identity abuse, if not outright identity theft, since keeping track of and maintaining information associated with you in each of these Identity Islands is time consuming and can introduce inconsistencies.
Along comes Identity 2.0: the promise of user-centric and user-managed digital identities and identity verification. The case has been made in a few places for an evolution from the identity island “model” above to a model that is more reflective of human real world societies. The challenge before everyone is to unify and simplify the way in which identities are governed world-wide. No more the authoritarian, centralized domains with their independent identity stores. Instead,we users of the Internet will carry our credentials with us and will present them at our discretion when we interact with sites and services. The benefits to end users are numerable: a single identity, seamless single sign-on, and a common identity for moving among sites and domains and still being “you” in the eyes of all whom you deal with. Imagine if, as we move through the Internet, our behavior could be used to establish each of us and our “reputation” and trustworthy-ness could come with us. If you are a frequent shopper at Acme.com, wouldn’t it be nice to go to Widgets.com and be able to carry the reputation you’ve built with Acme with you?
Companies that interact with user-centric identities will initially face architectural challenges in separating the notion of identities within their domains from the entitlements that users should have. They will also face challenges in implementing authentication correctly, especially when their user populations will gradually adopt (and need to be educated on) the process of getting their unique “Internet Driver’s License.” Embracing Identity 2.0 will, however, have substantial long term benefits in terms of reduced cost of management, increased scalability, improvements in speed, better user satisfaction and richer services and affiliations via partnerships in the “entitlements management” rather than “identity management” game. Imagine if anyone who “walks” through the Web portal can be uniquely and rapidly identified and referred to when dealing with other companies—benefit programs, frequent flyer programs, “premium shopper” clubs will become the focus of Federation rather than the relatively simpler notions of single sign-on.
There are, however, substantial obstacles to implementation of a ubiquitous, reliable Identity 2.0-enabled infrastructure. First and foremost, the “architecture” of the Internet isn’t sufficiently sophisticated in a centralized, managed form for a user-centric infrastructure to emerge overnight or even in the space of the next year or so. It will have to be a gradual evolution that will have most of us getting our “internet driver’s licenses” while still having to prove to banks, companies, shopping sites and so on independently, which is why I prefer the term “evolution” to the more radical “revolution” frequently associated with Identity 2.0. Further, the requirement in some instances for varying levels of strength of authentication mean that either the bar for Identity 2.0 will be set too low for all to adopt immediately or that there will have to be progressive levels of digital identity as we move forward.
Last but not least, there are issues around what a user-centric model means for security and privacy of the individual. First and foremost among these are issues around identity theft and “phishing.” If you lose your identity once, it now would potentially affect you on a much wider scale. In effect, centralization of any form can create a single-point-of-failure. Also, the ability to control privacy and to know how your reputation works among sites is critical—although this last control issue will likely evolve to mirror (if not merge with) more traditional forms of reputation and “offline” identity management such as credit ratings. In the end, we have to make this about the individual Internet user and about empowering people to manage their own identities (I’ve advocated a basic Internet Bill of Rights and an Internet Declaration of Independence, perhaps there should be an Internet Congress* at some point – maybe in Second Life!).
The expansion of the Web that I started this post with continues; and I’ve no doubt that by the time I finish this post, I’ll find there’s a new Web 2.0 advance happening. But as we move ahead with our Brave New Worldwide Web (2.0), Identity 2.0 will happen. I firmly believe that it’s not a question of “if” but is rather one of “when.” Put another way, it’s a question of “how long will it take to get this right and for companies and users to learn about and embrace the technologies?” It’s compelling, but there’s still a long way to go.
Notes:
- Burton Group’s Mike Neuenschwander recently reviewed a book by John Clippinger (June 14) that’s made my “must read” list, and he discusses how the book relates “social theory to digital identity”: I’ll post more hear once I’ve had a solid few evenings to read and digest it.
- OpenID is a user-centric digital identity initiative that uses unique, personalized URLs instead of username/password combinations for authentication. Jeff Broberg has a great post on OID2.0.
- Microsoft’s CardSpace is at the heart of their “Identity Metasysten,” and there is good information available on wikipedia.
-
Identity Federation: Transitioning to Mainstream use but not the Solution to all IM Challenges
Being a contrarian by nature, I view the recent session at Burton Catalyst on Federation by Burton analyst Mike Neuenschwander, (Evaluating the Growth of Federation Deployments: Is There a Glass Ceiling?) and a companion research report by Mike (Federation’s Future in the Balance: Teetering Between Ubiquity and Mediocrity), as actually being more positive then the titles suggest. In general new technologies usually start to enter the mainstream only after exiting what another analyst firm calls the “Through of Disillusionment”. That is, after vendors, customers, journalists and analysts start to realize that the new thing—in this case federation in its traditional form—doesn’t solve all related problems that came before it. Or the total set of problems that people think it might be able to solve.
While I wasn’t in the room during the birth of standards-based federation, the SAML standard (which basically started off as the Netegrity-driven Security Services Markup Language (S2ML)—before it was contributed to OASIS), I arrived on the scene while the baby was still just flapping around post birth. I know one of the fathers of federation quite well and chatted with him after Mike’s Catalyst session. We agreed that federation at its inception with the SAML standard was really trying to solve a pretty narrow problem—single sign-on between security domains, both inside an enterprise and between enterprises. That pretty much was it.
Being very deep in the Web access management and SSO security world, we came across many customer requirements of separate but partnering organizations trying to provide more seamless joint application access for their users through SSO. From this, a form of proprietary federation was born which later morphed into SAML, thus giving birth to this whole discussion and continued federation-based creativity and invention—all good from my point of view as long as we keep hold of our historical perspectives.
Are federation trust relationships trivial to set up legally and technically? Does federation single handedly solve the credential explosion problem that is endemic on the Internet because its lack of inherent security? Do federation partnerships occur without meaningful IT collaboration? Does federation eliminate all remote identity provisioning? Does federation always give users direct control over the use of their identity? No - No - No - Generally No - No. Are organizations using federation today successfully for what it was initially intended, for what it was born to do? Yes—absolutely by the hundreds—probably even by the thousands of organizations worldwide. While there are certainly more problems to solve, I don’t think we relegate federation to mediocrity just because in its first form it didn’t win the war.
My personal bottom-line is that there is no one-size fits all in this world, security management and IAM very much included. Identity federation as currently constituted (think SAML-based SSO for simplicity) is widely available from more than a dozen vendors and elsewhere and successfully solves real problems, perhaps more narrow than some would hope or dream of today, at real organizations. While it is very healthy to kvetch about problems yet unsolved and get on with trying to solve them, I also think that it is important to keep some historical perspective here and recognize that we wouldn’t be complaining about a technology that had no utility. Technologies with no utility are relegated to the dustbin of history and are simply forgotten. Every technologist should have their favorite one of these. My personal favorite is the CueCat that I got by being a subscriber to Forbes Magazine.
Coming back from my digression—like all things in the IT world, often the hard part is knowing which tool to apply to which problem. And conversely, when not to apply the tool. Federation is just another tool. If you apply it well, you benefit. If you don’t, you don’t. I encourage you to seriously consider Mike’s point of view while keeping my perspective here in mind.
-
Identity Services Panel – SOA glue
I was on an Identity Services panel at the recent Burton Group’s Catalyst conference in San Francisco. Burton Analyst Mark Diodati summoned architects from several companies (Phil Hunt/Oracle, Nick Nikols/Novell, Bill Dettlebeck/BEA, Don Bowen/Sun as well as CA) to talk about Identity Services. Topics included: Why are identity services needed? Where is the state of the industry? Why should customers care? Are the standards ready? What standards? Again, why should anyone care?
First of all, fans of Jerry Springer were disappointed: There were no hurled insults or verbal wrestling. Instead, Web techies from five competitive companies were fairly aligned in our views on need and state of the identity standards and the need for identity service infrastructure.
My viewpoint is simple: ID services are the glue of SOAs—period. Regardless of which SOA metaphor you choose: mesh, grid or bus, it is the common ID services that bind the business services and allows them to interoperate. It’s impossible to have any type of cross-service security without common identity.
In fact, we identity security geeks see WWW not as World Wide Web, but Who, Who, Who, as in: Who are you? Who can and should do what? (and why?) and Who did what? i.e., ID mgmt, ID delivery/session control, access control, compliance and audit.
The crux of a real-world SOA is slipping these different facets of identity (management and flow) in between existing enterprise systems and the new tools and systems (compliance, cross-tier security audits, entitlement management, etc.). Identity services provide both a convenient abstraction and architectural place to provide this bridge.
So what identity standards will win? The beauty of small(er), composable standards is that the market decides which of the little standards survive. But my bet is that the likely winners are those which other standards use. Example: different parts of the SAML standard are being referenced by other standards. XACML is looking to WS-policy as a policy container, Liberty’s IDGov standard is looking to XACML’s privacy profiles. SAML, WS-policy, XACML—good bets.
So it was a fun panel with good industry colleagues. Maybe next time we can be more entertaining to Springer fans by stomping around and tipping over a few chairs.
-
The IAM Market - Random Thoughts from the Burton Catalyst Conference
Many CA-folks attended the Burton Group Catalyst conference a couple of weeks ago. Not to be a shill for Burton, but I have always found this conference to be one of the most informative of all the major industry events. The sessions typically have more depth than most conferences, and there are a number of specific customer case studies that help to show how IAM is being successfully deployed in real-life (and complex) environments. End of shameless plug for Catalyst.There are multiple “tracks” in the Burton Conference, including ones on threat management, application security, and identity management. There was also a conference welcome session, at which Jamie Lewis (President of Burton Group) summarized some of the key security trends that have been occurring over the past year. As he went through them, it was quite noticeable how central IAM was in virtually all of these trends. One could certainly argue that this is due in some respects to Burton’s emphasis and expertise in this area. Even while acknowledging this fact, it seems clear that many of the recent security trends can be associated with a strong movement towards management of user identities and access across large environments.
Let me highlight the major ones listed so we can see how these trends are impacted by IAM technologies.
- De-perimeterization—the boundary between internal and external users continues to blur. As this occurs and larger numbers of users need access to protected IT resources, the relatively static authorization models that have worked in the past may no longer be sufficient. Authorization models need to be able to effectively model the often complex and dynamic attributes that many users have. In particular, authorization based on a relatively static set of roles or attributes/claims is evolving to a much more flexible model based on a wider set of dynamic attributes.
- Data center consolidation—as mergers, acquisitions, and business unit consolidations occur, data centers (across different companies or business units) are often merged, creating unique challenges around different identity mechanisms, directories, and other infrastructure components. This represents both a significant challenge but also an opportunity for increased automation and cost reduction as these different IT processes are centralized and merged into a single, more efficient mechanism.
- Islands persist, despite evolving standard—this will probably always be true, insofar as the challenges of widespread IAM deployment remain too daunting for some organizations. Still, one would hope that the pain of existing “silos” will tend to reduce the creation of new ones over time.
- Regulatory compliance and governance—this is very important, but old news. We’ve all known for a couple of years now that compliance was likely the most important driver of identity management deployments. In fact, compliance has been a major factor in the maturation of IAM within many organizations. And, even as some companies view compliance in a wider scope as part of their corporate risk management or governance program, it remains true that IAM can be an important underpinning of these programs.
So, when we look at some of the key security trends over the past year or more, IAM technologies are extremely well-suited to meet the challenges created by these trends. And, conversely, these evolving customer demands have caused changes in the IAM product space also. Simple examples include the rise of GRC solutions and identity auditing as natural outgrowths of the success of the core IAM technologies.
Another insight from this session was how much change had occurred in the IAM market over the past year or so. This is true not only in terms of acquisitions as well as new entrants, but also in the breadth of scope that the identity management market includes. For those of us who have been in the IAM market for a number of years, this constant flux has become very familiar to us. In addition, this is very unlikely to change in the near term at all—identity management has become a constantly evolving market in which a high rate of change is now the norm. Continual change is one of the many reasons why many of us find this area to be so exciting.
Print
Email
Rate+-+CA&dcsref=-&WT.cg_nid=120298&WT.cai_l1=120399&WT.cai_l2=120298&WT.cai_l3=&WT.cai_cntry=us){kind=small}