We’re Listening, Pamela. We’re Listening
The ever thought-provoking Pamela Dingle has issued a challenge to Enterprise Application vendors. In it, she puts forth the idea that technology and market demand have reached the point where those in the business of building and selling enterprise applications should (must?) figure out how to externalize authentication. But she also points out what has held vendors back from doing this so far:
“In talking to your fellow vendors, I can almost feel the panic – you can’t possibly support all of the new technologies coming out, you aren’t even supporting technologies that are years old – how do you choose?”
That sentence captures in a nutshell the need for Identity Services, and why those of us in the IdM industry would do well to develop this vision. Externalizing identity is all about providing application developers with reusable services that are independent of the underlying provider of those services. That will enable vendors, as Pam puts it, to “set up your application so that the customers can write their own identity front-end integrations”.
Authentication and Authorization are definitely at the forefront of this revolution in application development, mainly due to the ratification of decent standards in this area (like SAML and XACML). But there are many more facets to identity that need to escape from the application black box.
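To make the idea of provider-independent identity services concrete, here is a small added illustration (my own example, not Oracle's code and not part of the SOS announcement): an application that asks an authorization service for a decision instead of hard-coding its access rules, so the policy backend can be swapped without touching the application. The policy model is a deliberately simplified, XACML-like one (Permit / Deny / NotApplicable with deny-overrides combining), not a real XACML engine, and the hospital-records scenario, rules and sample users are all constructed for the example.

```python
# Externalized authorization: an application delegates access decisions to a
# Policy Decision Point behind a provider-independent interface. Added
# illustration, not Oracle's or any vendor's code. The policy model below is a
# deliberately simplified, XACML-like one (Permit / Deny / NotApplicable,
# deny-overrides combining); it is not a real XACML engine.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Protocol, Set

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Request:
    """What the application asks about: who, which action, on what resource."""
    subject: Dict[str, str]
    action: str
    resource: Dict[str, str]


class AuthorizationProvider(Protocol):
    """The only contract the application depends on. A local policy set, a
    remote XACML PDP or a vendor product can all sit behind it."""
    def decide(self, req: Request) -> str: ...


@dataclass
class Rule:
    effect: str                            # PERMIT or DENY
    target: Callable[[Request], bool]      # does this rule apply to the request?


@dataclass
class LocalPolicyProvider:
    """A PDP evaluating in-process rules with deny-overrides combining."""
    rules: List[Rule] = field(default_factory=list)

    def decide(self, req: Request) -> str:
        result = NOT_APPLICABLE
        for rule in self.rules:
            if not rule.target(req):
                continue
            if rule.effect == DENY:
                return DENY                # any applicable Deny wins outright
            result = PERMIT
        return result


@dataclass
class StaticRoleProvider:
    """A different backend: a plain role-to-action allow list. Same interface."""
    allowed: Dict[str, Set[str]]

    def decide(self, req: Request) -> str:
        if req.action in self.allowed.get(req.subject.get("role", ""), set()):
            return PERMIT
        return NOT_APPLICABLE


class RecordsApp:
    """Application code: knows nothing about how decisions are made."""
    def __init__(self, authz: AuthorizationProvider):
        self._authz = authz

    def read(self, user: Dict[str, str], record: Dict[str, str]) -> str:
        decision = self._authz.decide(Request(user, "read", record))
        # Fail closed: anything other than an explicit Permit is refused, so a
        # missing or NotApplicable policy can never grant access by accident.
        if decision != PERMIT:
            raise PermissionError(f"read denied ({decision})")
        return record["body"]


# Constructed sample policy (hypothetical hospital scenario, not real rules).
HOSPITAL_POLICY = LocalPolicyProvider(rules=[
    Rule(PERMIT, lambda r: r.subject.get("role") == "doctor"
                           and r.subject.get("dept") == r.resource.get("dept")),
    Rule(DENY,   lambda r: r.resource.get("sealed") == "yes"
                           and r.subject.get("role") != "privacy-officer"),
    Rule(PERMIT, lambda r: r.subject.get("role") == "privacy-officer"),
])


def run_demo(provider: AuthorizationProvider) -> Dict[str, str]:
    """Runs the unchanged application against whichever provider is plugged in
    and returns the outcome per scenario ('ok' or the decision that blocked it)."""
    app = RecordsApp(provider)
    cardio_doc = {"role": "doctor", "dept": "cardiology"}     # constructed users
    oncology_doc = {"role": "doctor", "dept": "oncology"}
    officer = {"role": "privacy-officer"}
    open_rec = {"dept": "cardiology", "sealed": "no", "body": "ECG normal"}
    sealed_rec = {"dept": "cardiology", "sealed": "yes", "body": "VIP notes"}
    scenarios = {
        "same-dept doctor, open record": (cardio_doc, open_rec),
        "other-dept doctor, open record": (oncology_doc, open_rec),
        "same-dept doctor, sealed record": (cardio_doc, sealed_rec),
        "privacy officer, sealed record": (officer, sealed_rec),
    }
    out: Dict[str, str] = {}
    for name, (user, rec) in scenarios.items():
        try:
            app.read(user, rec)
            out[name] = "ok"
        except PermissionError as e:
            out[name] = str(e)
    return out


if __name__ == "__main__":
    for name, result in run_demo(HOSPITAL_POLICY).items():
        print(f"{name}: {result}")
    # Swap the backend; RecordsApp is untouched.
    print(run_demo(StaticRoleProvider({"doctor": {"read"}})))
```

The point to notice is that `RecordsApp` contains no policy at all: the "sealed record" rule exists only inside `HOSPITAL_POLICY`, so swapping in the cruder `StaticRoleProvider` silently permits the sealed read. That is exactly why the customer, not the vendor, should own the provider behind the interface, and why the application should treat anything other than an explicit Permit as a refusal.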
Oracle, as an application vendor with its large suite of enterprise applications and its full stable of IdM products, is faced with this same issue, probably more so than any other vendor. It is a question that has produced many hours of hallway discussions and burnt up the conference lines (I wouldn’t want to see that phone bill). Oracle is tackling this issue head on, as should be evident from today’s announcement (and Thomas Kurian’s keynote) at RSA unveiling our strategy for Service-Oriented Security. SOS covers the four stages of an application’s lifecycle – development, deployment, administration and governance. With SOS, organizations can now centralize and externalize security solutions as part of a flexible security architecture. Recent identity-related efforts like the Identity Governance Framework are also part of this architecture, providing the ability to deliver privacy-aware applications.
The vision for Identity Services that I have been (passionately) talking about on this blog and in conferences is part of this larger view of an application’s lifecycle. In fact, the IdM team has just published a whitepaper on Identity Services to accompany this announcement, to which I contributed a lot of the content that I have been developing and presenting in my talks. If you are up for some interesting reading, download and check out the whitepaper. And as always, send your comments on the ideas and thoughts my way. I would love to hear your views on the vision.
I think that the question Pamela asks also points right back to the issue of the users. I will go on the record that most technology is easier to figure out than most users. Technology changes frequently, but so do user attributes, especially those that define the relationship with a company, group, or application. I believe it’s what gave birth to RBAC, and introduced a conundrum: now that users are granted access based on a company’s policies, who maintains the identity and nature of the relationship with the policy, roles, and users that are all part of the equation?
Is it the users’ responsibility to keep their identity updated within the confines of the policy, or do we manage by policy and application access, users be damned when the policy changes – whether the user is notified or not (and vice versa)?
I think it opens up an interesting opportunity for discussion around users, policy and, most importantly, process. The more complex each of these gets, the more exponential the control must be, given the nature of the relationships and interdependencies.
Isn’t this what OpenID aims to do? If not, how not?