In my last post, I talked about the SIG meetings that I attended prior to the conference actually starting. There was lots of good content and discussion, which continued on into the actual sessions. I had thought of splitting my time between the Identity and Cloud Computing (new to Catalyst this year) tracks. But the content in the IdPS track was compelling enough that I found myself only able to attend a couple of CC sessions.
Day 1: A focus on IdM evolution
I don’t know if this was par for the whole conference, but at least in the IdPS track, each half day was devoted to a particular theme. The first half of day 1 was a landscape update as usual, and focused on some of the interesting developments in the space, like Oracle’s pending acquisition of Sun (that’s all I’m going to say on that topic), the integration of DLP (data leakage prevention) with IdM programs, and the emergence of some commercial Identity Oracles.
I especially liked Bob Blakley’s discussion on Identity Services, since it resonated with a lot of what I have been talking about on this blog and the work I have been doing at Oracle. In his talk on the subject, Bob pointed out that cloud-based identity services will challenge the fundamental architectural notions of IdM infrastructure. The large blocks of IdM functionality that we are used to – access management, provisioning etc – will get broken down into smaller, modular pieces – like identity proofing, enrollment, identity risk assessment, breach remediation – that can interplay within enterprise environments as required. This is pushing the market towards smaller, specialist vendors that handle specific services rather than the large IdP that is a one stop shop for all identity needs. And these services have to work in concert with each other to provide the enterprise the value they are looking for. The vendors that have emerged in this space are delivering their services via various deployment models – ranging from on-premise SaaS to cloud-based services – but mostly stick with the per-user/per-transaction billing model. And all of them are going to get a big push when some of the cloud security issues currently holding enterprises back get resolved.
The second half of the day focused on a big part of IdM’s evolution – the mainstreaming of role management and the ascending discussion on the nature of Entitlement Management. Role Management is now widely accepted as an important part of any comprehensive identity management practice, and Kevin Kampman’s talk on the subject highlighted the importance of positioning it as a business problem instead of a technical problem. In discussing the results of a survey Burton conducted with customers that did role management projects, Kevin laid out the premise that the tools are actually secondary when it comes to implementing role management. First and foremost is the need for customers to understand the business processes that impact the design and use of roles, and document the same so that a practice could be built around them.
And as role management has taken hold in the conscious of IdM practitioners everywhere, entitlement management is rearing its head as a disruptive topic. In what was a theme for the conference, Burton laid out a terminology issue that exists around the term “entitlement management”, which is often used to describe tools that deal with runtime evaluation of fine-grained authorization decisions (like what Oracle Entitlement Server does), and neglects the lifecycle management practice around entitlements and their assignments. As customers dig deeper into their role management projects, they are finding that what they really want to do is entitlement management. And the tools to help with the lifecycle side of this equation are just not there.
The day finished at the hospitality suites, where a lot of the evolution being discussed here was on display. There was also a very successful interoperability event demonstrating SSO for cloud-based applications, a first step towards management of the extended cloud-based enterprise by enterprise IdM deployments. All in all, day 1 was quite satisfying. But the best was yet to come.