The Real World: Catalyst Conference Edition

Another Catalyst conference has come and gone, leaving us with a lot of material to chew on and ponder. Burton always forces us to think about what we are doing, especially those of us that have products to deliver. And it’s always interesting to see all the new companies that are popping up in the space (Lori’s slide this year showing all the identity management companies looked like it needed a magnifying glass to read).

I’m not going to recap all the interesting sessions that I attended. If you followed my twitter postings (and a big “Hi and Thank You” to everyone who tripled my following last week by connecting, including some folks who signed up for Twitter just to follow me), you got a sense of what was being talked about, and my thoughts on the same. For some great reporting on the key sessions, read Mark Dixon’s blog postings (this post is a map to the various posts he has written covering the conference).

I’ll simply present what I saw as the theme of the conference: Reality Hits The World Of Identity. People are realizing that the only way this identity stuff is going to work is if the online experience and constructs mirror how we operate in the real world. And this opens up a whole set of new areas to explore.

You Complete Me
relationships A key realization that is taking hold is that relationships must be made a key part of the fabric of identity, and that relationships can form the trust basis for identity related transactions. While I don’t completely agree with Jamie’s assertion that a lot of work in the real world happens before any contracts are drawn up (no contractor can even begin work for Oracle until a contract is signed; similarly I can’t work for Oracle and get access to systems till an employment agreement is in place), I do recognize that the value proposition of transactions is a continuum, along which are different levels that require different levels of assurance. Assurance can be built up over time as a function of relationships (user is related to this company, user has X friends, user is certified by this identity provider, etc). Eve Maler gave a very interesting talk on how relationships can be nurtured and made available in the online world, and connected it to some of the work being done on R-Cards and Project VRM.

I Need An Authority Figure
authenticity_seal_ovalAnother sign that real world concepts are seeping into the online world was the increased discussion on the topic of Identity Proofing, and the externalization of Authoritative Identity Providers. Just like in the real world, companies are realizing that in order to scale  and distribute liability, they would like someone else to be responsible for vetting identity data and providing a validated, trustworthy identity into their environments. This is the first sign of a legitimate market emerging for the Identity Oracle that Bob Blakely has defined, and that I have discussed so often in the context of Identity Services. The Liberty Alliance has jumped in here to help out by proposing an Identity Assurance Framework (our old friend Frank Villavicencio is co-chair of the effort) that can define a trust language in this context. And everyone knows that I consider the work being done on the IGF a critical part of such an infrastructure.

I Got Your GRC Right Here (Not!)
croc-bathing-at-your-risk Burton decided to take the IAM vendors to task for using GRC as a crutch to sell all manner of products. Referring to GRC as a four letter word, Bob attempted to blow up the myths surrounding GRC and posited that all the bluster around GRC has made companies lose sight of what they really need to address. He stated that each discipline conflated within GRC should be looked at independently by businesses with regards to its objectives, and that tools and processes should be put in place that address the specific needs identified. The message was clear – there is no such thing as a GRC product; instead there are a multitude of products that provide tools for addressing specific problems that fall under one of these disciplines, and enterprises should take a fresh look at what GRC means to them and how to approach it.

For me, the highlight of the conference was the talk by Nick Leeson, the securities trader who brought down Barings Bank. Not a technical talk at all, his explanation of how his actions exploited failings in the areas of governance and compliance drove home the point about process and tools being complementary parts of the puzzle.

The rest of the conference had some interesting announcements and decent discussions on the usual topics of Authentication, Provisioning and Role Management. I did what little I could to break the monotony and generate some controversy, but I’ll cover all of these in my upcoming posts.