
Identity and Access Management (IAM)

Focusing on our views about deployment challenges, and some of the important trends related to Identity and Access Management

Monday, July 23, 2007 - Posts

  • The Significance of Identity 2.0

    It’s a little hackneyed to talk about how the Internet is expanding and how the potential to live, work and play on the Internet grows proportionately to this expansion, but it’s still true. We are almost daily exposed to new, “up-and-coming” services and ways to interact with one another, the most recent of which is the loose grouping of “Web 2.0” connections. This includes not only the burgeoning of Wikis and blogging, but also social-networking structures like MySpace, Friendster, Facebook and Second Life. The online world is coming to resemble, more and more, the offline world, with new ways of forming associations and new opportunities for self-expression; and it seems that, positive or negative, there is an analog online for everything offline. And so we come to the notion of who we are as a digital persona in this brave new Web.

    The evolution of the Internet has led to an impasse around the management of our identities. As services have rolled out, the hosts for these services have created many disparate user stores. In effect, we have multiple identities among domains on the Web, from eBay or Amazon accounts to IM identities, from corporate identities within our company’s infrastructure to identities with our bank, all the way up to and including our MySpace account and second lives. The most egregious examples exist even within a particular “trust domain” when you have multiple identities within a single infrastructure, as is often the case when you can’t remember your username and password at a site and have to go through the process of re-registering. The end result is that as you move around on the Web, you are forced to authenticate multiple times in multiple ways, and errors, redundancies and lapses where we can’t remember our identities creep in. Worse, we can potentially suffer identity abuse, if not outright identity theft, since keeping track of and maintaining the information associated with you in each of these Identity Islands is time consuming and can introduce inconsistencies.

    Along comes Identity 2.0: the promise of user-centric and user-managed digital identities and identity verification. The case has been made in a few places for an evolution from the identity island “model” above to a model that is more reflective of real-world human societies. The challenge before everyone is to unify and simplify the way in which identities are governed world-wide. No more authoritarian, centralized domains with their independent identity stores. Instead, we users of the Internet will carry our credentials with us and will present them at our discretion when we interact with sites and services. The benefits to end users are numerous: a single identity, seamless single sign-on, and a common identity for moving among sites and domains while still being “you” in the eyes of all whom you deal with. Imagine if, as we move through the Internet, our behavior could be used to establish each of us, and our “reputation” and trustworthiness could come with us. If you are a frequent shopper at Acme.com, wouldn’t it be nice to go to Widgets.com and be able to carry the reputation you’ve built with Acme with you?

    Companies that interact with user-centric identities will initially face architectural challenges in separating the notion of identities within their domains from the entitlements that users should have. They will also face challenges in implementing authentication correctly, especially as their user populations gradually adopt (and need to be educated on) the process of getting their unique “Internet Driver’s License.” Embracing Identity 2.0 will, however, have substantial long-term benefits in terms of reduced cost of management, increased scalability, improvements in speed, better user satisfaction and richer services and affiliations via partnerships in the “entitlements management” rather than “identity management” game. Imagine if anyone who “walks” through the Web portal can be uniquely and rapidly identified and referred to when dealing with other companies—benefit programs, frequent flyer programs and “premium shopper” clubs will become the focus of Federation rather than the relatively simpler notions of single sign-on.

    There are, however, substantial obstacles to implementation of a ubiquitous, reliable Identity 2.0-enabled infrastructure. First and foremost, the “architecture” of the Internet isn’t sufficiently sophisticated in a centralized, managed form for a user-centric infrastructure to emerge overnight or even in the space of the next year or so. It will have to be a gradual evolution that will have most of us getting our “internet driver’s licenses” while still having to prove ourselves to banks, companies, shopping sites and so on independently, which is why I prefer the term “evolution” to the more radical “revolution” frequently associated with Identity 2.0. Further, the requirement in some instances for varying levels of strength of authentication means that either the bar for Identity 2.0 will be set too low for all to adopt immediately or there will have to be progressive levels of digital identity as we move forward.

    Last but not least, there are issues around what a user-centric model means for the security and privacy of the individual. First and foremost among these are issues around identity theft and “phishing.” If you lose your identity once, it would now potentially affect you on a much wider scale. In effect, centralization of any form can create a single point of failure. Also, the ability to control privacy and to know how your reputation works among sites is critical—although this last control issue will likely evolve to mirror (if not merge with) more traditional forms of reputation and “offline” identity management such as credit ratings. In the end, we have to make this about the individual Internet user and about empowering people to manage their own identities (I’ve advocated a basic Internet Bill of Rights and an Internet Declaration of Independence; perhaps there should be an Internet Congress* at some point – maybe in Second Life!).

    The expansion of the Web that I started this post with continues; and I’ve no doubt that by the time I finish this post, I’ll find there’s a new Web 2.0 advance happening. But as we move ahead with our Brave New Worldwide Web (2.0), Identity 2.0 will happen. I firmly believe that it’s not a question of “if” but rather one of “when.” Put another way, it’s a question of “how long will it take to get this right and for companies and users to learn about and embrace the technologies?” It’s compelling, but there’s still a long way to go.

    Notes:

    1. Burton Group’s Mike Neuenschwander recently reviewed a book by John Clippinger (June 14) that’s made my “must read” list, and he discusses how the book relates “social theory to digital identity”. I’ll post more here once I’ve had a solid few evenings to read and digest it.
    2. OpenID is a user-centric digital identity initiative that uses unique, personalized URLs instead of username/password combinations for authentication. Jeff Broberg has a great post on OID2.0.
    3. Microsoft’s CardSpace is at the heart of their “Identity Metasystem,” and there is good information available on Wikipedia.
  • Identity Federation: Transitioning to Mainstream use but not the Solution to all IM Challenges

    Being a contrarian by nature, I view the recent session at Burton Catalyst on Federation by Burton analyst Mike Neuenschwander (Evaluating the Growth of Federation Deployments: Is There a Glass Ceiling?) and a companion research report by Mike (Federation’s Future in the Balance: Teetering Between Ubiquity and Mediocrity) as actually being more positive than the titles suggest. In general, new technologies usually start to enter the mainstream only after exiting what another analyst firm calls the “Trough of Disillusionment”. That is, after vendors, customers, journalists and analysts start to realize that the new thing—in this case federation in its traditional form—doesn’t solve all the related problems that came before it, or the total set of problems that people think it might be able to solve.

    While I wasn’t in the room during the birth of standards-based federation, the SAML standard (which basically started off as the Netegrity-driven Security Services Markup Language (S2ML) before it was contributed to OASIS), I arrived on the scene while the baby was still just flapping around post-birth. I know one of the fathers of federation quite well and chatted with him after Mike’s Catalyst session. We agreed that federation at its inception with the SAML standard was really trying to solve a pretty narrow problem—single sign-on between security domains, both inside an enterprise and between enterprises. That pretty much was it.

    Being very deep in the Web access management and SSO security world, we came across many customer requirements from separate but partnering organizations trying to provide more seamless joint application access for their users through SSO. From this, a form of proprietary federation was born, which later morphed into SAML, thus giving birth to this whole discussion and to continued federation-based creativity and invention—all good from my point of view, as long as we keep hold of our historical perspectives.

    Are federation trust relationships trivial to set up legally and technically? Does federation single-handedly solve the credential explosion problem that is endemic on the Internet because of its lack of inherent security? Do federation partnerships occur without meaningful IT collaboration? Does federation eliminate all remote identity provisioning? Does federation always give users direct control over the use of their identity? No - No - No - Generally No - No. Are organizations using federation today successfully for what it was initially intended, for what it was born to do? Yes—absolutely, by the hundreds—probably even by the thousands of organizations worldwide. While there are certainly more problems to solve, I don’t think we should relegate federation to mediocrity just because in its first form it didn’t win the war.

    My personal bottom line is that there is no one-size-fits-all in this world, security management and IAM very much included. Identity federation as currently constituted (think SAML-based SSO for simplicity) is widely available from more than a dozen vendors and elsewhere, and successfully solves real problems, perhaps narrower than some would hope or dream of today, at real organizations. While it is very healthy to kvetch about problems yet unsolved and get on with trying to solve them, I also think that it is important to keep some historical perspective here and recognize that we wouldn’t be complaining about a technology that had no utility. Technologies with no utility are relegated to the dustbin of history and are simply forgotten. Every technologist should have their favorite one of these. My personal favorite is the CueCat that I got by being a subscriber to Forbes Magazine.

    Coming back from my digression—like all things in the IT world, often the hard part is knowing which tool to apply to which problem. And conversely, when not to apply the tool. Federation is just another tool. If you apply it well, you benefit. If you don’t, you don’t. I encourage you to seriously consider Mike’s point of view while keeping my perspective here in mind.
