Identity and Access Management (IAM)

I recently returned from a week at the RSA Conference which is somewhat of an annual pilgrimage for IT security people that takes place in the heart of San Francisco in the Moscone Center. 

http://www.rsaconference.com/2008/US/home.aspx

Even though the Olympic flame relay was also in town on its only stop in North America on its worldwide tour, we RSA Conference attendees stayed focused on IT security.

http://edition.cnn.com/2008/US/04/08/us.olympic.torch/index.html

As I arrived in San Francisco on the Sunday before the start of the conference, one question on my mind was where are we in the adoption of identity federation?  This is a question I get asked a lot so I am always looking for evidence supporting one view or another.  So I wanted to find out how interested the average RSA Conference attendee was in the topic of federation?  This would certainly be a valid data point to help answer the larger question.

Fortunately I had a great way to gauge that because the very next day on the afternoon of "workshop monday" at the start of the RSA Conference, the Liberty Alliance was having a half-day workshop entitled, "Identity Federation & Web Services: Happening Today - Enabling Tomorrow".  Certainly one measure of interest and adoption can be taken from the nearly 500 people who registered and attended this workshop.  To see the slides from all of the presentations from this workshop please go to the Liberty Alliance Web site here: 

http://projectliberty.org/liberty/resource_center/presentations_webcasts. 

One of the key points of this workshop was to show interested RSA Conference attendees how the use of standards-based identity federation technologies can provide immediate business value as well as prepare the organization to thrive in a heavily federated and trust-based world that is rapidly descending on us in the form of SaaS, identity as a service, application outsourcing, user centric identity or whatever terminology or perspective fits your view of the world.

CA was fortunate to have two excellent federation customer case studies presented during the event, the first one from BT's Chief Security Architect, Robert Temple, in which he discussed their success in extending their Web security infrastructure to enable browser-federation with many partners of BT.  The second CA customer case study session was from Chris Sharp of MEDecision in which he discussed the key enabling role of a centralized, policy-based security service for SOA & Web services based applications.

My personal perspective is that federation in its broadest sense is now entering mainstream usage.  Will it solve all identity related problems that came before it?  Of course not.  But it has proven itself to be a valuable tool when applied by experienced practitioners to the right project.  To me that is a sign that mainstream, thought not necessarily ubiquitous usage, is currently unfolding.