Five Things that Stuck Out to Me at the European Identity Conference 2009
Published: May 12 2009, 12:19 PM by Matthew Gardiner
As promised in my last blog entry, here are my top 5 observations from last week's European Identity Conference 2009, put on by the German analyst firm Kuppinger Cole. The conference Web site is at http://www.id-conf.com/eic2009, where you can find conference podcasts, Twitter postings and more.
- Lots of talk about Information Cards & User-Centric identity - Anyone who knows about the Venn of Identity - http://www.xmlgrrl.com/publications/IEEESecPriv-MarApr2008-MalerReed-Venn.pdf - knows about the federation technology triumvirate of OpenID, SAML, and Information Cards. There was a lot of discussion of Information Cards and their role in Internet-based, cross-domain security. The Information Card Foundation even won the award for Best New or Improved Standard (http://informationcard.net/blog/icf-receives-eic-2009-award). My takeaway: Information Cards provide a very elegant system for use cases which require and/or benefit from explicit user participation. With Microsoft's impending release of supporting server-side tooling, it will be an important force in Web identity management for many years to come. However, for applications for which explicit user participation is unnecessary or counter-productive - simple Internet SSO being the goal - SAML remains the best choice. OpenID's focus remains on easing access to applications for which assuring true user identity is not really necessary.
- More signs that SAML has reached maturity - One sign that the use of SAML has entered the early-mainstream is its adoption by vertically-focused industry consortia as an enabler of cross-organization collaboration. At this event there were presentations from a BMW-centric automotive industry consortium (http://www.odette.org/html/activities_tc.htm) as well as a financial group of Canadian banks. Add this to aerospace, bio-pharma, e-government, oil and gas, and other similar industry consortia that I knew about before, and one can see that SAML is setting itself up for its next stage of maturity and adoption, and it's driven by industry ecosystems that inherently share users.
- Identity in the Cloud is still pretty foggy - There were a number of sessions which addressed the topic of how identity and access management could impact Cloud or SaaS-based computing. From my perspective, not much fog was parted on the topic. My current view is that the SaaS/Cloud role in managing identity and access for traditional on-premise applications is pretty thin. However, there might be a logical role for "outsourcing" portions of IAM as part of a more comprehensive partner ecosystem set of applications.
- SOA Security and Identity are still looking for each other - From my perspective the session which focused on this topic failed to adequately link the real challenges of effectively managing access to services (mostly XML-based) which are really starting to break out in enterprises. This session leaned heavily toward mitigating XML threats (granted, not an unimportant issue), but didn't talk about how to manage identities and their access to enterprise Web services in a scalable way - similar to managing identities and access to traditional Web sites and portals.
- Beer halls in Munich are pretty cool - Of course only visited after conference hours - there really is nothing comparable to a Munich beer hall garden on a nice spring evening - http://en.wikipedia.org/wiki/Beer_garden - Definitely some cross-organization collaborations were hatched over a "Maß" (a one-liter beer) or two.