
A Twittorial on Trust Frameworks

(Updated to reflect provisional status of OIX approval per this – thanks to Brett for telling me)

I just got back home from the RSA Conference in San Francisco this week, where the topic of Trust was second only to all things Cloud. While sessions on Identity Management were few and far between, there was lots of interesting news coming out of the conference (like the U-Prove announcement). I tweeted about the announcements that concern Trust Frameworks: the agreed rules under which one site (the Relying Party) can trust the identity, security and privacy assertions or claims made by a different site (the Identity Provider) on behalf of a user.

The first announcement was the launch of the Open Identity Exchange (OIX), yet another non-profit organization (this one coming out of the OpenID Foundation and the Information Card Foundation), dedicated to building trust in the exchange of online identity credentials across the public and private sectors. The second was that the US Federal Government’s Identity, Credential, and Access Management (ICAM) Trust Framework Evaluation Team (TFET) has provisionally approved both OIX and the Kantara Initiative as Trust Framework Providers, able to certify online identity providers against U.S. federal standards for identity assurance (read more here).

Trying to digest all of this was a little difficult, so as I was stuck in traffic on my way home from the airport, I found myself riveted by a Twitter exchange that was flying fast and furious between Paul Madsen (everyone’s favorite source for biting identity musings) and Brett McDowell (until recently Executive Director of the Kantara Initiative, and now technology evangelist at PayPal, one of the first IdPs certified by OIX – so you can see he has unique insight). I have reproduced it here for everyone’s benefit (with their permission, of course).

paulmadsen
ICAM is one federation willing to deal with multiple trust frameworks. Will others?
brettmcdowell
@paulmadsen ICAM isn’t actually dealing with multiple trust frameworks. It’s all just NIST SP800-63 w/ various means to prove you comply.
paulmadsen
@brettmcdowell ICAM is ‘accepting’ OIX, KI-IAF, InCommon. To me those are all trust frameworks (ie certification programs)
brettmcdowell
@paulmadsen ah, but what is a “trust framework”? The criteria for trust itself (M04-04 & 800-63) or the method for demonstrating compliance?
brettmcdowell
@paulmadsen P.S., in the Kantara case, IAF has criteria as well, but it’s been “mapped” to prove comparability to US Federal requirements.
paulmadsen
Components of a trust framework – policies, accreditation, certification, admin, metadata infrastructure, keg parties….
paulmadsen
@brettmcdowell if everybody agrees on 800 63 for the former, trust frameworks are distinguished by the latter
brettmcdowell
@paulmadsen IAF/OITF (frameworks) differentiated by criteria, KI/OIX (.org’s who certify) differentiated by due diligence on applicant
paulmadsen
@brettmcdowell thus KI (conditionally) approved for up to non-crypto LOA3 …
brettmcdowell
@paulmadsen M04-04 & SP800-63 is like the “spec”, IAF is like the SCR, and OIX is a registry of those asserting compliance to the spec
brettmcdowell
@paulmadsen “non-crypto” is another misleading term/issue. It rules out “pure PKI” but not “signed” assertions (SAML) or claims (IMI)
paulmadsen
@brettmcdowell but IAF is more than an extra level of policy detail on top of 800 63 criteria. And OIX is more than a registry
brettmcdowell
@paulmadsen for KI to be approved for AL3 PKI & AL4 in US Gov, it needs to cross-certify with the Federal Bridge
brettmcdowell
@paulmadsen re: “but IAF is more than” and “OIX is more than” Paul, cut me some slack, this is Twitter, some nuances are going to be lost!
paulmadsen
@brettmcdowell point was less about the ‘crypto’ part, and more that diff frameworks may target different parts of ‘assurance space’
paulmadsen
@brettmcdowell that’s why I avoid all subtleties & nuances :-)
brettmcdowell
@paulmadsen I wouldn’t draw conclusions (or battle lines) regarding trust frameworks just yet. Remember the OIX RFI dialog w/KI is ongoing
paulmadsen
@brettmcdowell as I complained to @ve7jtb , want to see matrix laying out components of a generic framework, specific instances mapped on
brettmcdowell
@paulmadsen that sounded like a proposal not a complaint. I accept your matrix proposal. Looking forward to reading it when you finish :-)

And of course, Paul had to have the last word, and it was typically Madsen-istic.

paulmadsen
@brettmcdowell you know, my wife made that same interpretation 16 years ago. Must be more precise

Hopefully that exchange was illuminating, and gave you enough pointers to standards and topics that might help deepen your understanding of Trust Frameworks. It certainly has given me a lot to think about. While RSA may have been weak on identity related discussions, these announcements are likely to have a huge impact on the identity landscape going forward.

Microsoft releases U-Prove under OSP

Back in 2008, Microsoft acquired some innovative technology called U-Prove that promised to solve an age-old privacy question: how can I disclose only the minimal information I need to for the purpose of an online transaction, without also having to disclose additional (sensitive) information to establish trust in that first set of data? U-Prove does this using some innovative cryptographic techniques that are explained in the freely available e-book “Rethinking Public Key Infrastructures and Digital Certificates; Building in Privacy” by the creator of the technology, Dr. Stefan Brands.

Two years later, today at RSA, Microsoft announced not only that U-Prove technology will be incorporated into their upcoming identity platform technologies, but (more importantly for the identity community) that they are releasing it under the “Open Specification Promise”, allowing anybody to use and incorporate the technology royalty-free. You can read more detailed analysis of the announcement by Kuppinger Cole analyst Felix Gaehtgens here. Suffice to say, those of us in the identity and privacy community are glad to see this day finally come.

By enabling truly minimal identity disclosure as part of trusted online transactions, the technology has the potential to open up the floodgates on a number of identity-based transactions that were previously considered onerous, if not near impossible, due to privacy concerns. Microsoft’s demo during the RSA keynote showed one of the most obvious use cases: creating trusted online IDs that are based on, but don’t expose, authoritative government-issued IDs. Think of it as being able to show the bartender your driver’s license for age verification with everything except the date of birth blacked out, while the bartender is still assured that the information presented is accurate. This means big things for the advancement of claims-based identity transactions. Should be interesting.
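The bartender scenario in Python, as an added example that is neither the page's code nor U-Prove itself: the issuer binds each licence attribute into a salted hash commitment and authenticates the set, the holder opens only the commitment for date_of_birth, and the verifier checks that opening against the issuer's tag. Two simplifications are assumptions made to keep this in the standard library: the issuer's authentication is an HMAC whose key the verifier also holds (a real deployment would use a digital signature so the verifier needs only the public key), and the attribute names and sample licence values are constructed. Unlike U-Prove, this construction is linkable: the same committed token is shown every time, so two bartenders can tell they saw the same licence, which is exactly the property U-Prove's cryptography removes.

```python
"""Selective disclosure with salted hash commitments (a simplified stand-in for U-Prove)."""
import hashlib
import hmac
import json
import secrets
from datetime import date

ISSUER_KEY = secrets.token_bytes(32)  # hypothetical DMV key; a MAC key here, a signing key in practice


def _commit(name: str, salt: str, value: str) -> str:
    """Commitment to one attribute: H(name | salt | value). The salt defeats guessing low-entropy values."""
    return hashlib.sha256(f"{name}|{salt}|{value}".encode()).hexdigest()


def issue_credential(issuer_key: bytes, attributes: dict):
    """Issuer side. Returns (credential, holder_secrets).

    The credential carries only the commitments and the issuer's tag over them;
    the plaintext values and the salts stay with the holder."""
    salts = {name: secrets.token_hex(16) for name in attributes}
    commitments = {name: _commit(name, salts[name], value) for name, value in attributes.items()}
    payload = json.dumps(commitments, sort_keys=True).encode()
    tag = hmac.new(issuer_key, payload, "sha256").hexdigest()
    return {"commitments": commitments, "issuer_tag": tag}, {"salts": salts, "attributes": dict(attributes)}


def present(credential: dict, holder_secrets: dict, disclose: list) -> dict:
    """Holder side: open only the named commitments; everything else stays blacked out."""
    return {
        "commitments": credential["commitments"],   # same for every presentation: this is the linkability caveat
        "issuer_tag": credential["issuer_tag"],
        "disclosed": {name: {"value": holder_secrets["attributes"][name], "salt": holder_secrets["salts"][name]}
                      for name in disclose},
    }


def verify_presentation(issuer_key: bytes, presentation: dict):
    """Verifier side (the bartender). Returns the disclosed attributes, or None if anything fails."""
    payload = json.dumps(presentation["commitments"], sort_keys=True).encode()
    expected_tag = hmac.new(issuer_key, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected_tag, presentation["issuer_tag"]):
        return None  # commitments were not issued by this issuer, or were altered
    disclosed = {}
    for name, opening in presentation["disclosed"].items():
        commitment = presentation["commitments"].get(name, "")
        if not hmac.compare_digest(_commit(name, opening["salt"], opening["value"]), commitment):
            return None  # holder tried to open the commitment to a different value
        disclosed[name] = opening["value"]
    return disclosed


def is_of_age(presentation: dict, issuer_key: bytes, today_iso: str, minimum_age: int = 21):
    """The only fact the bartender needs, derived from the single disclosed attribute."""
    disclosed = verify_presentation(issuer_key, presentation)
    if disclosed is None or "date_of_birth" not in disclosed:
        return None
    today = date.fromisoformat(today_iso)
    dob = date.fromisoformat(disclosed["date_of_birth"])
    years = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return years >= minimum_age


if __name__ == "__main__":
    # constructed sample licence with several attributes, only one of which gets shown
    licence = {"name": "Alice Example", "address": "1 Main St", "date_of_birth": "1985-04-12", "licence_no": "D1234567"}
    cred, holder = issue_credential(ISSUER_KEY, licence)
    shown = present(cred, holder, ["date_of_birth"])
    print("bartender sees:", verify_presentation(ISSUER_KEY, shown))
    print("old enough:", is_of_age(shown, ISSUER_KEY, "2010-03-05"))
```

A forged opening (changing the disclosed value without knowing a matching salt) fails the commitment check, and a credential tagged by a different key fails the issuer check; both return None rather than partial data.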

Rogue Accounts – Now Legally Challenging As Well

The impact that judicial courts are having on the world of tech has been in the news recently, whether it be an Italian judge ruling that content sites are liable for user-uploaded content, or the class action lawsuit that Google Buzz faces over privacy issues. But another legal opinion was brought to my attention (thanks to Ashraf Motiwala) that has implications for anyone trying to run an IdM program at an enterprise.

Kurt Johnson at Courion blogged about a ruling in a case (LVRC Holdings v. Brekka) regarding wrongful use of enterprise accounts by an employee after being terminated. Read his post for a more detailed description of the case and the ruling, but it basically boils down to this: It is the employer’s responsibility to terminate access, and therefore the (terminated) employee did no wrong by using it since their access was not taken away.

I’ll stay out of the moral/ethical implications here, but what this means to a business is that making sure you take away access from your employees/contractors when they shouldn’t have it any more has suddenly become a much higher priority. Because if that person uses their accounts to do anything when you no longer want them to, it is not their fault, it’s yours. Ensuring prompt revocation of access was always good business practice, but now it becomes a business imperative because your legal protections (employee contract be damned) are greatly weakened.

When compliance became a bigger driver for IAM than IT efficiency, the approach to rolling out identity management projects did evolve to reflect this kind of thinking. But this case is as good a reason as any to reiterate what we have been preaching for years now – that your IAM deployment must have both proactive and detective controls in place to ensure compliance. The proactive control in this instance is Deprovisioning, while the detective control is Attestation.

A common best-practice staged approach (though not the only one) to IAM projects that incorporates this idea is:

  • Start by building up your Who-Has-What database (either in your provisioning product or in your identity governance product)
  • Put in place a periodic attestation process to force review and sign-off of user access by those in the know (managers, application owners)
  • Create a deprovisioning project. Start off with manual processes that are triggered off your HR and Contractor management systems. Evolve to an automated process over time, which should include linking your attestation process to your deprovisioning process for handling rogue accounts
  • Start rolling out request-based provisioning for application access. Start with manual processes and evolve to automated processes in a phased manner
  • Start working on a role management project as a way to implement role-based provisioning. Again, follow a phased approach.

The stakes in the IAM game just got a little higher. Make sure your project has these goals in its sights.
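The detective half of that staged approach in Python, as an added example that is not the post's own code and not any product's: an HR extract is reconciled against an application account inventory, and every account that should not exist in its current state gets a finding and a deprovisioning action. It flags the Brekka scenario directly (an account used after its owner's termination date), the more common "owner terminated, account still enabled" case, and orphans with no HR owner at all, while leaving alone accounts whose owner's termination is still in the future. The record layouts, system names and dates are constructed for the illustration; in a real deployment the findings would feed the attestation queue and the deprovisioning workflow the post describes.

```python
"""Reconciling application accounts against the HR feed: the detective control whose output
feeds the proactive one (deprovisioning). Added example, not the post's own code."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Worker:
    worker_id: str
    status: str                     # "active" or "terminated", as exported by HR
    end_date: Optional[str] = None  # ISO date of the last day of employment or contract


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    owner_id: Optional[str]         # HR worker id recorded for the account; None if nobody claims it
    last_login: Optional[str] = None


def _d(iso: Optional[str]) -> Optional[date]:
    return date.fromisoformat(iso) if iso else None


def review_accounts(workers, accounts, as_of: str):
    """One finding per account that should not exist in its current state on the as_of date."""
    by_id = {w.worker_id: w for w in workers}
    today = _d(as_of)
    findings = []
    for acct in accounts:
        owner = by_id.get(acct.owner_id) if acct.owner_id else None
        if owner is None:
            # Rogue in the plainest sense: there is no HR record to attest it against.
            findings.append({"system": acct.system, "username": acct.username,
                             "finding": "orphan: no owner in HR",
                             "action": "disable; route to application owner for attestation"})
            continue
        end = _d(owner.end_date)
        if owner.status != "terminated" or (end is not None and end > today):
            continue  # active, or termination still in the future: nothing to do yet
        last = _d(acct.last_login)
        used_after = last is not None and end is not None and last > end
        findings.append({"system": acct.system, "username": acct.username,
                         "finding": "used after termination" if used_after else "owner terminated",
                         "action": "disable immediately; record in the deprovisioning audit trail"})
    return findings


def deprovisioning_plan(findings):
    """Group by target system, the unit a connector (or an admin with a ticket) acts on."""
    plan = {}
    for f in findings:
        plan.setdefault(f["system"], []).append(f["username"])
    return {system: sorted(users) for system, users in sorted(plan.items())}


def sample_data():
    """Constructed HR extract and account inventory for the example."""
    workers = [Worker("w1", "active"), Worker("w2", "terminated", "2010-01-15"),
               Worker("w3", "terminated", "2010-03-01")]
    accounts = [Account("crm", "alice", "w1", "2010-02-18"),
                Account("crm", "bob", "w2", "2010-02-10"),       # logged in after leaving
                Account("vpn", "bob", "w2", "2010-01-10"),
                Account("fileshare", "svc_backup", None, "2010-02-01"),
                Account("crm", "carol", "w3", "2010-02-19"),     # leaving next month, still valid
                Account("erp", "dave", "w9", "2010-02-01")]      # owner id unknown to HR
    return workers, accounts


if __name__ == "__main__":
    workers, accounts = sample_data()
    found = review_accounts(workers, accounts, as_of="2010-02-20")
    for f in found:
        print(f"{f['system']}/{f['username']}: {f['finding']} -> {f['action']}")
    print(deprovisioning_plan(found))
```

Run on a schedule and diffed against the previous run, the findings list is also the evidence an auditor asks for: it shows when the account became rogue and when it was acted on.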

SPML Under The Spotlight Again?

Mark Diodati of the Burton Group (that’s still how I should be referring to them, right?) wrote a post entitled “SPML Is On Life Support“. It is a great read, as it captures all the issues that have been plaguing SPML for years now. And the simple fact is that SPML has not lived up to the expectations that were placed on it, leading many like me to wonder whether alternative approaches are going to emerge and eat its lunch.

But as Mark also points out, “…it (or something like it) is desperately needed“. Access provisioning is still the most complicated engagement in any identity management project, and the biggest complexity currently comes from the need to develop, customize, deploy and maintain connectors to hundreds, even thousands, of systems. The cloud only amplifies these issues: without standardization, an enterprise simply will not be able to scale out to meet the management needs of its environment.

At Oracle, we have been talking about Service-Oriented Security for a while. The idea is simple: all security functions, identity management included, need to take the form of discrete, easy-to-consume, standardized services that are part of the platform on which applications are built. This has always been an easy concept to understand when discussing certain service categories like authentication. But provisioning has been a tougher nut to crack.

Provisioning systems today add a vital business process layer to your identity management deployment, dealing as they do with the lifecycle management of identities and the orchestration of policies, rules and workflows around that. So even in a future where architectures will rely on the “pull” model (as Bob Blakley has been talking about), there will be a need for the more complex applications to interface with a provisioning service (different from the attribute service use case) to deal with lifecycle management issues around application access. This is where we believe the next iteration of SPML (however radically different it looks) needs to fit in. This idea is illustrated in the figure below.

[Figure: SPMLng]

This is one of the challenges we have been trying to solve as part of our Fusion architecture project. Do we have it solved? Well, we’ve started the journey at least. Asking applications to come around to a new architecture and way of thinking takes time. And we have to remember that there are still a lot of applications that will not be dropping their user tables and identity silos any time soon, so we have to be mindful of accommodating those applications as well.

Is SPML on life support? Not quite, judging from all the RFP requests that still ask for it to be supported. But it desperately needs some energy to be put behind it. And it needs to adapt to these new architectures, new use cases and the ecology of standards that is far out-pacing it. I believe Oracle (led by folks like Prateek Mishra) will be looking to take some leadership in the evolution of the standard. Let’s see if we can turn things around.

Expanding on the Oracle-Sun IdM Strategy

With the Sun acquisition complete, we can finally start talking about what this means for the various product lines. Thomas Kurian touched on the identity management strategy in the big Wednesday launch event, and I recapped what he said in my previous blog post. Now the next level of detail has come from Hasan Rizvi, SVP for Oracle Fusion Middleware, in this product strategy webcast. Definitely take the time to check out the webcast, as there is a lot of good information in there. Below is a brief overview of each of the IdM product areas.

Directory Services

Sun Directory Server Enterprise Edition (DSEE) and Oracle Internet Directory (OID) will co-exist as strategic products (contrary to some interpretations out there). This is because each product has a unique set of capabilities that address different market segments and use cases. Oracle will innovate both directories, which includes adding some of the administration, reporting and systems management capabilities that have been built for the OID and OVD products to the DSEE product. Sun DSEE will be re-branded as Oracle Directory Server Enterprise Edition.

Meanwhile, Sun OpenDS will continue as an open-source project.

Oracle Virtual Directory will be the strategic product for identity virtualization.

Access Management

Oracle Access Manager will be the strategic product for web single sign-on. Sun OpenSSO will continue on as an open-source project for the community.

Sun’s Fedlet capabilities will be integrated into Oracle Identity Federation, which will be the strategic product for Federated Single Sign-On.

Sun’s Secure Token Service will become part of the Oracle Access Management Suite going forward.

Products that aren’t impacted by the Sun acquisition, and therefore remain strategic for their specific areas are Oracle Entitlement Server (fine-grained authorization), Oracle Adaptive Access Manager (strong authentication and risk-based access management), Oracle Web Services Manager (SOA + Web Services security) and Oracle Enterprise SSO (SSO for Desktop and Mainframes).

Identity Administration

Oracle Identity Manager will be the strategic identity administration and provisioning product moving forward. Sun Identity Manager, re-branded as Oracle Waveset (didn’t think I’d hear that name again outside of reunions), will be maintained for quite some time, and some of its key features like IDE integration and tamper-proof auditing will be integrated into OIM.

Identity Governance

Sun Role Manager will be re-branded as Oracle Identity Analytics and will become the strategic identity governance product in the Oracle Identity Management Suite. It will provide capabilities in the area of role mining, compliance attestation, and identity dashboards and reports, and will be enhanced to leverage some of the best-of-breed capabilities that Oracle has in the area of business intelligence and data mining. Note that role lifecycle management capabilities continue to be offered currently via the Oracle Role Manager product.

General

Throughout this acquisition, Oracle’s focus is on the customer. We want to make sure that customers continue to remain successful in their projects, and get value from the investments they have made. This is reflected in some of the strategic decisions made, and in points made throughout the webcast:

  • In most cases, Oracle will be developing migration tools to help customers move to the new strategic products.
  • Oracle will be providing support and maintenance for all the Sun products for a very long period of time, including lifetime support in certain cases.

Obviously, there will be a lot more information coming in the next few weeks/months. Stay tuned, and check out oracle.com/identity for more information.

Today is the day: Oracle + Sun = Exciting Days Ahead

Well, it’s finally here. After months and months of delay, Oracle announced it has finalized its acquisition of Sun.

It took so long, I think a lot of people thought this day was just a mirage. And unfortunately, the delay has cost us (in the identity management team) the opportunity to work with some great folks like Eve Maler and Pat Patterson. But now it is done, and the real work can begin as we start to lay out exactly how the IAM suites of the two companies – arguably the best in the business – will come together. It isn’t going to be easy, and our emphasis on our customers means that it can’t be quick, but the result should be great. In the Oracle+Sun strategy update this morning, Thomas Kurian gave the following overview of the Identity Management product strategy:

  • Oracle Identity Management Suite continues as the strategic family of products, but Oracle will continue to invest in and share technology between Sun and Oracle products
  • Both Oracle Internet Directory (OID) and Sun Directory Server will be supported, with common LDAP administration through our DS Management tools. Oracle will continue to maintain OpenDS
  • Sun Role Manager will become Oracle Identity Analytics, the strategic identity analytics tool
  • Oracle Identity Manager, Oracle Access Manager, Oracle Virtual Directory, Oracle Entitlements Server and Oracle Identity Federation continue as Oracle’s strategic products for their respective areas, with technology incorporated from Sun
  • Oracle will invest in Sun Identity Manager and integrate it with Oracle Identity Manager
  • Oracle will also invest in Sun OpenSSO and integrate it with OAM

Of course, the devil is in the details, and I expect that the coming weeks and months are going to be a little crazy as those details are laid bare. Planning has been going on for a while, and now those plans can finally be communicated and the ramifications thrashed out. That should provide a fair amount of fodder for discussion in the blogosphere and twittersphere (so stay tuned). I’ll try to provide some information here as and when it can be made public.

And a warm welcome to all my new colleagues from Sun. Buckle in for what should be a very interesting ride. I’ll be at Oracle HQ in a couple of weeks to participate in some of the planning and discussions that will be happening. So if you will be around, let’s meet up.

Kuppinger Cole’s free Virtual Conference on Access Governance

The identity management analyst team over at Kuppinger Cole is organizing a free virtual conference on Enterprise Access Governance over the next two days (December 8 and 9). They’ll be putting forward their thoughts on what constitutes a complete access governance program, and what is the best, most optimal way to go about managing your risk and security needs.

I’ll be taking part in two of their panel discussions, one on the topic of Separation of Duties (SoD), and the other on the topic of Attestation (or re-certification). Both are on Wednesday, December 9th:

  • How to Efficiently Implement SoD Controls: Which Level Works?
    • 11am EST | 8am PST | 5pm CET
  • How to Start: Recertification or Active Access Controls First?
    • 12pm EST | 9am PST | 6pm CET

Both panels will be focused on determining the right approach to rolling out these solutions, and where they should fit into your overall IdM program. This sometimes becomes a vendor-driven conversation, so the opportunity for fireworks is always there.

Check out the conference if you have time. It’s virtual, so you can do it from the comfort of your home/office (which is always good in the winter). And it’s free (you can’t beat that)! Should be an interesting discussion.

Can OAuth do what SPML hasn’t?

I spent an interesting week at HQ last week, trying to deal with some of the craziness that occurs every time a major release is on its way. But far more interesting were all the identity management conversations I engaged in during the course of the week – in hallways, over meals and especially over drinks. Suffice to say that it was a very thought provoking week. I wanted to use this forum to expand on a conversation that started in one venue, and then spilled over into the Twitterverse.

One of the topics that has been fodder for some animated discussion has been the topic of federated provisioning. As the cloud has brought federated authentication back into focus, it has also shone a light on the need for federated provisioning to power cloud identity. After a very interesting discussion that I had with some folks who are looking at identity in the cloud, I posed the following question on Twitter:

Had an interesting discussion this morning on how OAuth could be to federated provisioning what OpenID is to federated SSO. Any takers?

The Thesis

Federated provisioning is about creating an account with appropriate privileges in underlying systems on the Relying Party side when triggered by an authentication event (user comes to the RP service from the Identity Provider, or IdP, side). Further, the authentication token being presented to the RP does not contain sufficient claims (attributes, etc) for the systems on the RP side to create the necessary account (there are other scenarios, of course, but this is the common one I am trying to address). Consequently, we have a need for the RP to get provisioned with data from the IdP side.

Now in my post “The Thing About Federated Provisioning“, I pointed out that there are challenges in doing all of this just-in-time. Enterprises often resort to out-of-band pre-provisioning of accounts across the domain boundaries, which is where SPML proves to be adequate. But the demand for JIT mechanisms still exists. The cloud exacerbates this problem greatly, because pre-provisioning is pretty much impossible when you move up to the scale and loose coupling of the cloud. And the nature of SPML requires that extensive integration be done before the connection between the RP and the IdP can go live.

And this is where I believe OAuth could play a role. OpenID is already viewed as a lightweight solution for enabling federated authentication, with attribute exchange supporting the simpler data transport scenarios. We could now augment this flow by adding an OAuth-based data provisioning mechanism that allows a Provisioning Service on the RP side to connect back to a Provisioning Service on the IdP side and retrieve the data it needs to create the underlying accounts. Being based on OAuth, this would require far less integration than the SPML based approach would.

Mapping the concepts, the RP’s Provisioning Service becomes the OAuth Consumer, while the IdP’s Provisioning Service becomes the OAuth Service Provider. The interactions are outlined in the diagram below (greatly simplified for the purposes of this discussion).

[Figure: OAuth for Fed-Prov]

The Challenge

But when you look at the actors involved in OAuth, you run into one problem – OAuth was defined with users in mind, not enterprises. So you find the User as part of the protocol, but nothing that would allow the Enterprise to have a say in the exchange. And this raises an interesting challenge.

Just like there are security issues to resolve in the OpenID protocol for it to satisfy enterprise requirements, there are policy challenges that would need to be resolved in the OAuth exchange as well. Connecting the services only requires that the user in the flow provide their assent, but if OAuth were to step in as a federated provisioning protocol, it would require some way for the enterprise to inject (fine-grained) business policy into the exchange. And what if approval workflow needs to enter the picture?

One thought would be to introduce an IGF style declarative policy mechanism that would allow the services on each side of the exchange to declare intent and policy, thereby allowing some automated decision making that ensures that security and business policies are honored by the exchange. Because when you are talking about fed-prov, a one-size-fits-all construct will be a non-starter.
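The exchange and the policy gap together in Python, as an added example that is not the post's own code and not any shipped product's: the RP's provisioning service acts as the OAuth consumer and signs its request with HMAC-SHA1 using the OAuth 1.0 signing rules (the signature base string and key construction of RFC 5849, the OAuth in use when this was written), and the IdP's provisioning service acts as the service provider, verifying the signature, rejecting stale and replayed requests, and only then filtering the released attributes through an enterprise release policy. The endpoint URL, the `attributes` request parameter, the consumer and token registry and the release-policy table are assumptions made for the illustration. The point it makes is the one in the text: the access token proves the user consented, but the enterprise still needs its own say over what leaves, and that policy hook is not part of the OAuth exchange itself.

```python
"""OAuth 1.0-signed federated provisioning call: RP provisioning service (consumer) to
IdP provisioning service (service provider), with an enterprise release policy applied
after the user's consent. Added illustration; endpoint and policy table are assumptions."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def _enc(value) -> str:
    """Percent-encode with the RFC 3986 unreserved set, as OAuth 1.0 requires."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """RFC 5849 section 3.4.1: METHOD & enc(url) & enc(sorted, encoded parameters)."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(normalized)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str) -> str:
    """HMAC-SHA1 over the base string, keyed with enc(consumer_secret)&enc(token_secret)."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(consumer_key, consumer_secret, token, token_secret, method, url, params, now=None):
    """Consumer side (the RP's provisioning service): add the oauth_* parameters and sign."""
    signed = dict(params)
    signed.update({
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,                       # access token obtained after the user's consent
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time() if now is None else now)),
        "oauth_nonce": secrets.token_hex(8),
        "oauth_version": "1.0",
    })
    base = signature_base_string(method, url, signed)
    signed["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return signed


class IdPProvisioningService:
    """Service-provider side: authenticate the call, then apply the enterprise's release policy."""

    def __init__(self, consumers, tokens, release_policy, directory, clock=time.time, window=300):
        self.consumers = consumers            # consumer_key -> consumer_secret
        self.tokens = tokens                  # access token -> {"secret", "user", "consumer"}
        self.release_policy = release_policy  # consumer_key -> attributes the enterprise allows out
        self.directory = directory            # user -> attribute dict
        self.clock = clock
        self.window = window
        self.seen_nonces = set()

    def handle(self, method, url, params):
        ckey = params.get("oauth_consumer_key")
        tok = self.tokens.get(params.get("oauth_token"))
        if ckey not in self.consumers or tok is None or tok["consumer"] != ckey:
            return {"error": "unknown consumer or token"}
        if abs(self.clock() - int(params.get("oauth_timestamp", "0"))) > self.window:
            return {"error": "stale timestamp"}
        nonce_key = (ckey, params.get("oauth_timestamp"), params.get("oauth_nonce"))
        if nonce_key in self.seen_nonces:
            return {"error": "replayed nonce"}
        expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                       self.consumers[ckey], tok["secret"])
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return {"error": "bad signature"}
        self.seen_nonces.add(nonce_key)
        # The token proves the user agreed. The enterprise policy decides what actually leaves.
        allowed = self.release_policy.get(ckey, set())
        requested = {a for a in params.get("attributes", "").split(",") if a}
        record = self.directory[tok["user"]]
        return {
            "user": tok["user"],
            "attributes": {a: record[a] for a in requested & allowed if a in record},
            "refused": sorted(requested - allowed),
        }


def build_demo_service(clock=lambda: 1262304000):
    """Constructed sample registry: one RP consumer, one consented token for user alice."""
    return IdPProvisioningService(
        consumers={"rp-prov": "rp-secret"},
        tokens={"tok-alice": {"secret": "tok-secret", "user": "alice", "consumer": "rp-prov"}},
        release_policy={"rp-prov": {"mail", "displayName", "department"}},
        directory={"alice": {"mail": "alice@example.com", "displayName": "Alice Example",
                             "department": "Finance", "salary": "not for release"}},
        clock=clock,
    )


PROV_URL = "https://idp.example.com/prov/user"  # hypothetical IdP provisioning endpoint

if __name__ == "__main__":
    svc = build_demo_service()
    req = sign_request("rp-prov", "rp-secret", "tok-alice", "tok-secret", "GET", PROV_URL,
                       {"attributes": "mail,displayName,salary"}, now=1262304000)
    print(svc.handle("GET", PROV_URL, req))   # mail and displayName released, salary refused
    print(svc.handle("GET", PROV_URL, req))   # same nonce again: replayed
```

The release policy here is a flat per-consumer allow-list; the IGF-style declarative approach mentioned above would replace that table with policy the two services exchange and evaluate, and an approval workflow would sit where this code returns the "refused" list.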

My posting on twitter did generate some good feedback from folks like Eve Maler and Ashish Jain. I am interested to get people’s thoughts on the viability of this idea, and whether you think adding OAuth to provisioning systems would be part of the move to enabling enterprise identity management systems for the cloud.

Executive IdM Session at OpenWorld: It’s All About Managing Risk

One of the things I did at OpenWorld this year was attend an Executive IdM Session that brought together folks from the IdM team and some of our best customers to share information and talk about the future direction of identity management at Oracle. It was an interesting gathering with lots of good discussion that resulted in the session running well over its allotted time of 3 hours. As you can see from the picture below, it was a full room (what you don’t see is those of us who had to stand in the peanut gallery at the back of the room).

The session had a nice flow to it, starting with a vendor presentation (Oracle, of course), followed by an analyst presentation (Bob Blakley and Lori Rowland from the Burton Group) and concluding with a customer presentation (our old friend Ramin Safai from Barclays Capital). Getting to discuss identity management from all points of view was quite a valuable exercise, and I gleaned lots of useful nuggets.

Security Inside Out

Amit Jasuja (who heads up the Identity Management team at Oracle) kicked off the day by talking about “Security Inside Out“, Oracle’s new message on putting together a complete security practice by bringing together Database Security, Identity Management and Information Rights Management. Weaving all of these elements together allows an enterprise to get a complete handle on the nature of their security risk across all tiers – database, middleware and application – and in all contexts – data at rest or in motion, internal users vs. external users, and so on. This led to a lot of discussion on moving towards risk-based identity management, which can be more adaptive to an enterprise’s needs and allow identity management to be a business enabler, not a hindrance.

One of the concepts I particularly liked was using identity management to enable “Break The Glass” scenarios that allow for contextual security decisions. In such a scenario, a user who ordinarily does not have access is allowed to get it, but with added controls (like heightened audit, approval and attestation) to address the unique, emergency-like situation that presents itself. Being able to adapt to sensitive contextual situations without sacrificing security and compliance is a powerful message that resonates in the enterprise world. Another topic that proved fertile for conversation was risk-based IdM leveraging One-Time Passwords delivered via SMS or over land-line phones in order to implement higher levels of identity assurance (LOA). As two-factor authentication goes, enterprises increasingly view this as an attractive way to increase levels of assurance without having to invest in tokens and biometrics.
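The break-the-glass pattern as a decision function in Python, an added illustration that is not code from the session or from any Oracle product: a request is first checked against ordinary entitlements; if the user is not entitled and explicitly invokes the emergency path, access is granted only when the user is on the break-glass list for that resource and supplies a justification, and the grant comes with the compensating controls the text lists (an elevated audit record, a time box, and a pending attestation for post-hoc review). The resource names, the grant and review windows and the eligibility table are assumptions for the example.

```python
"""Break-the-glass access decision: access outside normal entitlements is granted only
with compensating controls attached. Added illustration, not from the session or any product."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class AccessRequest:
    user: str
    resource: str
    action: str
    break_glass: bool = False   # the user explicitly invokes the emergency path
    justification: str = ""     # free-text reason; mandatory when breaking the glass


@dataclass
class Decision:
    allowed: bool
    reason: str
    controls: list = field(default_factory=list)
    expires_at: Optional[str] = None   # ISO timestamp; None for ordinary grants


def fixed_clock(iso: str):
    """Clock returning a constant time, so decisions are reproducible."""
    return lambda: datetime.fromisoformat(iso)


class BreakGlassPolicy:
    def __init__(self, entitlements, break_glass_eligible, grant_hours=4, review_hours=24, now=None):
        self.entitlements = entitlements                  # user -> resource -> set of actions
        self.break_glass_eligible = break_glass_eligible  # resource -> users allowed to break glass
        self.grant_hours = grant_hours
        self.review_hours = review_hours
        self.now = now or datetime.now
        self.audit_log = []              # every decision, with a severity for the SIEM
        self.pending_attestations = []   # emergency grants awaiting post-hoc review

    def _audit(self, severity, req, outcome):
        self.audit_log.append({"time": self.now().isoformat(), "severity": severity,
                               "user": req.user, "resource": req.resource, "action": req.action,
                               "outcome": outcome, "justification": req.justification})

    def decide(self, req: AccessRequest) -> Decision:
        if req.action in self.entitlements.get(req.user, {}).get(req.resource, set()):
            self._audit("info", req, "allowed: entitled")
            return Decision(True, "entitled")
        if not req.break_glass:
            self._audit("info", req, "denied: not entitled")
            return Decision(False, "not entitled")
        # Emergency path: still bounded by who may break the glass, and on what.
        if req.user not in self.break_glass_eligible.get(req.resource, set()):
            self._audit("high", req, "denied: break-glass not permitted for this user/resource")
            return Decision(False, "break-glass not permitted")
        if not req.justification.strip():
            self._audit("high", req, "denied: break-glass without justification")
            return Decision(False, "justification required")
        granted_at = self.now()
        expires = granted_at + timedelta(hours=self.grant_hours)
        self._audit("critical", req, "allowed: BREAK-GLASS")
        self.pending_attestations.append({
            "user": req.user, "resource": req.resource, "action": req.action,
            "granted_at": granted_at.isoformat(), "expires_at": expires.isoformat(),
            "review_by": (granted_at + timedelta(hours=self.review_hours)).isoformat(),
        })
        return Decision(True, "break-glass",
                        controls=["elevated audit", "time-boxed grant",
                                  "manager approval after the fact", "attestation of the grant"],
                        expires_at=expires.isoformat())


if __name__ == "__main__":
    policy = BreakGlassPolicy(entitlements={"alice": {"patient-db": {"read"}}},
                              break_glass_eligible={"patient-db": {"bob"}},
                              now=fixed_clock("2010-01-01T09:00:00"))
    print(policy.decide(AccessRequest("bob", "patient-db", "read")))
    print(policy.decide(AccessRequest("bob", "patient-db", "read", break_glass=True,
                                      justification="ER admission; attending physician unreachable")))
    print(policy.pending_attestations)
```

The grant expires on its own; what makes the pattern defensible is that the critical-severity audit entry and the pending attestation exist before the access is used, so the emergency is reviewed rather than forgotten.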

Complete Security

The Burton Group team talked about the state of identity management in the market today, especially emerging trends and hot-button topics. Lori validated my observation that cloud computing is going to have a huge impact on the future of identity management, and gave a nice shout out to my OpenWorld session on the topic. One of the interesting takeaways from their talk was this point that Bob made about achieving complete security: An enterprise needs to have preventive controls that allow business to be conducted as usual but flush the bad guys into the open, where detective controls can identify them and their activities, which would then allow responsive controls (aka the cops) to take action.

Down In The Trenches

Ramin then gave a customer’s perspective on implementing identity management – from “down in the trenches”, as he called it. There were a lot of good lessons in his talk – about scoping the project correctly and dividing it into small, achievable mini-projects that demonstrate ROI, about the processes and architecture they put in place to ensure the success of the project, and about some of the achievements they had with their IdM implementation, especially when Barclays acquired Lehman Brothers. One of the major points made in the room during discussion was that security within the enterprise needs to be driven top down by an “Executive Governance Board” in order to achieve consistency and completeness. It cannot be done piecemeal at the IT level.

I love taking part in sessions like these, as it is great to be able to hear so many different perspectives. And thanks to Greg Belanger from the Apollo Group for giving me a shout out during the analyst discussion on Oracle’s differentiators in the identity management area. The point he was making about Oracle demonstrating vision in IdM is an important one that we are very serious about here, and I am glad to be a small part of that.

Screencast of my OpenWorld Session on “IdM and the Cloud”

On Monday, I presented at Oracle OpenWorld on the topic of “Identity Management and the Cloud: Stormy Days Ahead?“. The title proved to be a little too prescient, because the weather in San Francisco was pretty nasty. And as you can imagine, the jokes made about this became all too predictable.

Unfortunate coincidences on the title aside, the overall response to my session was quite positive, especially from folks whose opinions I really respect like Bob Blakley and Lori Rowland from the Burton Group. There was general agreement that widespread adoption of Cloud Computing is going to be a major disruption on the existing evolutionary path that Identity Management has been following. And adoption of the Identity Services model is a major component to readying IdM for the Cloud.

Check out the screencast (slides with audio of the session) of my session below. Registered attendees of OpenWorld can download the presentation itself and the MP3 audio recording of the session from OpenWorld On-Demand (just login with the Username and Password you created during your OOW registration).

The audio includes the questions that were asked of me, but it turns out that the questions didn’t record well and I forgot to repeat them. Hopefully my answers are cogent enough that you get an idea of what questions were asked. I did want to follow up here on a few of those answers:

  • A question came up regarding the licensing terms for Oracle IdM products when they are being used in a cloud environment (specifically, by organizations that are going to be Cloud Providers of Identity Services). The biggest challenge for such organizations is that they cannot accurately estimate the number of users, or other such variables licensing is typically based on, beforehand, which creates uncertainty for them as to the cost they will have to bear. After the session, I confirmed with our PM team that there is special licensing available for ISVs. Talk to your Oracle sales rep about this if interested.
  • Another question came up regarding the impact of all this on standards like SPML. I believe my answer covered my opinion on the greater emphasis the cloud identity model will put on the evolution of these standards, especially SPML, which has been languishing. Follow up conversations with some of the original architects of the SPML standard and others involved in standards efforts brought up that the communities responsible for these standards are looking at this very hard and are gearing up efforts to address this. So stay tuned for more on that.
  • A question was asked regarding Just-In-Time Deprovisioning of access to cloud-based assets. This is something I discussed quite a bit in a blog conversation with folks like Ian Glazer and Pam Dingle a while back. So check out that post and the related thread.