
Identity and Access Management (IAM)

Focusing on our views about deployment challenges, and some of the important trends related to Identity and Access Management

Identity Services Panel – SOA glue

I was on an Identity Services panel at Burton Group’s recent Catalyst conference in San Francisco. Burton analyst Mark Diodati summoned architects from several companies (Phil Hunt/Oracle, Nick Nikols/Novell, Bill Dettlebeck/BEA, Don Bowen/Sun as well as CA) to talk about Identity Services. Topics included: Why are identity services needed? What is the state of the industry? Why should customers care? Are the standards ready? What standards? Again, why should anyone care?

First of all, fans of Jerry Springer were disappointed: there were no hurled insults or verbal wrestling. Instead, Web techies from five competitive companies were fairly aligned in our views on the need for and state of the identity standards, and on the need for identity service infrastructure.

My viewpoint is simple: ID services are the glue of SOAs—period. Regardless of which SOA metaphor you choose (mesh, grid or bus), it is the common ID services that bind the business services and allow them to interoperate. It’s impossible to have any type of cross-service security without common identity.

In fact, we identity security geeks see WWW not as World Wide Web, but Who, Who, Who, as in: Who are you? Who can and should do what (and why)? and Who did what? i.e., ID mgmt, ID delivery/session control, access control, compliance and audit.

The crux of a real-world SOA is slipping these different facets of identity (management and flow) in between existing enterprise systems and the new tools and systems (compliance, cross-tier security audits, entitlement management, etc.). Identity services provide both a convenient abstraction and an architectural place to provide this bridge.

So what identity standards will win? The beauty of small(er), composable standards is that the market decides which of the little standards survive. But my bet is that the likely winners are those which other standards use. Example: different parts of the SAML standard are being referenced by other standards. XACML is looking to WS-Policy as a policy container, and Liberty’s IDGov standard is looking to XACML’s privacy profiles. SAML, WS-Policy, XACML—good bets.

So it was a fun panel with good industry colleagues. Maybe next time we can be more entertaining to Springer fans by stomping around and tipping over a few chairs.
