And if there are any questions you want to ask me, then ask them during the webcast, or send them my way ahead of time via twitter.

Tags: Application Security, Application-Centric IdM, Service-Oriented Security

This was the topic of discussion at a SIG on Standards-based Provisioning organized by Gartner’s Mark Diodati at the recent Catalyst conference. The meeting was attended by some really smart folks in the community, and engendered a lively discussion on the future of SPML and the direction it should take. Mark has published a statement on the Gartner blog network that reflects the outcome of the discussion. Given the recent reboot of the Provisioning Services Technical Committee at OASIS, this is an important document for everyone concerned to read.

One of the most important points raised during the meeting was this:

In trying to address every possible use case, interoperable provisioning services leveraging the SPML v2 standard became impractical. Since the approval, few (if any) conformant implementations exist due to the complexity of the v2 standard.

The path to success in the standards world is based on a focused approach to solving specific use cases. No standard can be all things to all people, and with provisioning in particular, we need to recognize that there are different approaches that solve the challenge in optimal ways for their use cases (my recent assertion regarding IGF as underlying pull-based provisioning is an example). So there need to be an effort to continue refinement of SPML 2.0, making it simpler to implement and based on specific use-cases that are of interest to the community. If you have such use-cases, please consider joining the discussion within the PSTC and submitting them there. There is much that needs to be done.

And a big thank you to Mark for pulling together the SIG. It was an excellent and timely effort, one that I hope proves instrumental in accomplishing it’s goal.

Tags: Burton Catalyst Conference, Cat10, Provisioning, SPML

Matt Flynn brought to my attention an article in which Dale Olds talks about the need for hosters (companies that provide the platform on which you deploy your Cloud/SaaS applications) to provide identity services (and as Matt points out, security services in general) as part of their offering.

<Side Note>No, I do not have a vendetta against Novell, though these last few blog posts may make it feel that way. I actually really like the Novell gang – Dale, Ben and Nick Nichols among others – and for the most part completely agree with their views on identity.</Side Note>

Now, I am with Dale for the first half of the article. Developers of these cloud applications just want to focus on the business logic that is at the core of their service, and not have to worry about the plumbing items, which would include identity management. This is fundamental service-oriented security principles at play, and the survey Dale mentions reflects this (I would argue that even the one-third of SaaS vendors that said they want to handle identity themselves are either saying so because they don’t know what’s involved or are just not happy with what they are getting from the platform and embeddable components). A good set of identity services goes a long way in making applications agile and more acceptable/appealing to customers.

But then the article talks about hosters using identity services as a way to make their platform sticky, because if the platform owns the user accounts for the service, then the service will be hooked. I actually envision the opposite of that when I think of identity services in the platform – identity services making it possible for the SaaS vendor to switch between platforms easily. What is being described sounds like an Identity Provider, which is a business service, not a platform service.

What the platform should provide, and what most enterprise customers would want, is an Identity Hub service, as opposed to an Identity Store service. This allows the customer of the SaaS application to plug it into their enterprise identity store (usually a corporate LDAP system, but it could also be their Salesforce user store) and also accept incoming identities over the wire, while still freeing the SaaS vendor from having to manage identities. In this model, the stickiness for the hoster comes not from owning the user accounts, but from the QoS of the identity services they are providing to their customers (the SaaS vendors and their delegated customers). It also doesn’t force a SaaS vendor to be married to one platform.

Now, I am going to be a little presumptuous here. Having spent some time with Dale, and knowing his past work, I think that he believes in the view I am taking as well. The article seems to be discussing the topic of identity services from a particular angle, which is that there is currently a market opportunity for hosters to leverage the lack of good (non-enterprise) Identity Providers to make their platforms more sticky. It is absolutely true that platforms can (and are actively seeking to) make themselves sticky by owning the accounts; Dale points out that this is exactly what Google did by leveraging GMail as the gateway drug (see, I told you the metaphor works). But as Google seeks to penetrate the enterprise market deeper, even they are recognizing the need to support federated identities as a necessary step for viability. (UPDATE: An old blog post of Dale’s actually clarifies this, and in essence agrees with the view point I am stating here – exactly as I thought he would )

Bob Blakley has long mused about what business models would make Identity Oracle’s viable. And the simple truth is that  platform players like Google or Force.com that can leverage an identity-rich business service that they also have are ideally suited to be trusted Identity Providers. But while a big platform player can certainly be a good Identity Provider, not all hosters should need to be Identity Providers to be successful. Instead, standards based identity services would be a great asset for hosters that want to be sticky (by being the best platform to deploy on) without having to take on the onerous task of being an Identity Provider (which has its own challenges) or passing on those responsibilities to their customers (which is what mostly happens today). And it would be an asset for SaaS vendors that want to have the freedom of choice that we all crave, and that want to be able to work with their customers identity infrastructure. As Dale says in the article:

You see, people can move an application from one host to another without much trouble.

Now, isn’t that a good thing, and something that we should be aiming for?

Tags: Cloud Identity Model, Identity Services, SaaS, Service-Oriented Security

(Some would argue – vigorously – that what we have actually doesn’t work. That is a battle for a different post.)

Let me be clear here; no one is saying that you need to throw out what you have, stop implementing IdM with the tools out there, and go back to the drawing board. This is about evolving architecture, not a revolution in technology. As I said in my presentation at Catalyst, enterprises will (probably for a long time) be dealing with both the push-based and the pull-based models. But what enterprises need to recognize (a lot of them already do) is that the pull-based model is the way of the future, starting now. And there are good reasons for it (in fact, Ben’s post actually points out scenarios where a pull-based model would be far more precise and cost-effective than a push-based model. And isn’t his last example actually a detective control, not a preventive control?). Enterprises need to start preparing for it now because this is not a transition that can be done overnight. And it is not one they are likely to avoid (or should want to).

• If an enterprise is considering using cloud services, they need to prepare their IdM infrastructure for a pull-based world, because that is where the majority of cloud services will go (just ask Salesforce)
• If a company is offering cloud-based services, they need to be prepared for a pull-based identity model, because that is what major IdPs and enterprises will demand of them (just look at Google Apps Marketplace, or why so many cloud vendors now support SAML and OpenID)
• If an enterprise builds applications in-house, they need to understand and prepare for pull-based identity, because the cost of maintaining their applications in the long run will drop significantly (just look at the work we’re doing with Fusion Applications)
• If an enterprise is looking to get out of the business of managing identity and instead wants to rely on 3rd party service providers (including cloud), then they need to focus on pull-based identity to make this happen (just look at the challenges facing Cloud IdM vendors)

Ideally, your IdM infrastructure should be able to handle both push and pull based models together (no one wants parallel infrastructure). Ben is correct when he says that he

…would rather not see enterprises cobble their identity infrastructures together with a little more than hope, bailing wire, and string. I maintain that enterprises need to build identity on a sustainable, scalable, identity and access management environment that is extensible enough to address potential future identity management models and standards as they arise.

I think where I feel differently from Ben is in how quickly we feel these “potential future identity management models” will be here for enterprises to tackle. I am not talking about some Utopian vision that is built on a foundation of sand here (as Ben seems to think). This is a very real change that is happening today. I have spent time with some very smart enterprise architects and program managers who are in the process of building identity services programs in their companies today that are built on this view. Within Oracle itself, Fusion Applications is a major undertaking that builds on this vision by leveraging identity standards, and the knowledge we gain from the effort is guiding our involvement in driving these standards forward.

Yes, there are unresolved challenges, but all of the identity standards are still evolving (though sometimes slower than we would like). The vision of Service-Oriented Security (which is built around pull-based identity) is a guiding force that is helping create a cohesive vision around which to rationalize the various standards efforts (which all too often have been disjointed), resulting in a better framework to build applications on. And it is well established at this point that application development is all about frameworks now (no one builds applications from the ground up any more).

By the way, I will be doing a live webcast on Service-Oriented Security on August 25 at 2pm ET/11am PT. A lot of what we are talking about here will be discussed during the webcast in far more detail. So register now and we can chat about the challenges and promise of pull during the webcast.

Tags: Cat10, Pull-Based Identity, Service-Oriented Security

As I detailed in my Catalyst talk, identity management has always been a very reactionary technological domain, influenced by the environment (architectural, regulatory) that it exists within. And the “pull” model is coming into its own because of two key factors driving next-gen application architectures – Identity Externalization and Federation/Cloud. Push architectures are built on the almost contradictory principles of guesswork and predictability – You have to guess ahead of time what it is that needs to be pushed to the target, and you have to rely on all flows and scenarios using identity data to be predictable within the use cases you have envisioned. Because of this, push forces us to overshare identity data on the off chance that something might be needed. But technology, and more importantly business, has advanced (on the back of standards) to the point where dynamism and flexibility are not only possible but expected and relied on. And concerns for privacy and regulatory compliance are forcing enterprises to re-evaluate how free they are in sharing identity data. In such an environment, the principles behind push are hopelessly outdated.

Me speaking at Burton Catalyst 2010 (image courtesy Ian Glazer)

Service-Oriented Security is not externalization just for the sake of it. It brings great benefits in terms of agility (reuse over duplication), consistency (same policies applied across environments) and collaboration (across application, domain and enterprise boundaries). And if you look at how identity management has become more process oriented (an argument Ben uses for the push model), you realize that a lot of that process exists because we need to push identity data into the targets. The move to pull is not just about technology and integration architectures, it is also about streamlining and optimizing business controls that had to be put in place because of the way we leverage identity data in applications.

Push is never going to disappear – the complexity of our enterprise environments all but assures that. But as I tried to demonstrate in my provisioning session, the idea is to transition to where you make the choice of model most appropriate to the business needs of the application. Push from the HR system to an Identity Store will likely still exist, and further push to complex ERP style applications may also continue. But the majority of applications will get streamlined to leverage external services, including authentication, authorization and identity services, with minimal need for local storage of identity data or authorization metadata.

It is important to note (as we discuss issues like performance) that pull doesn’t only mean centralized, externalized identity stores, though ideally that is the goal. Push vs Pull is also about which party is initiating data transfer. A large cloud provider like Salesforce really doesn’t want its enterprise customers to push all their identity data to them all the time. At the same time, it is likely not going to want to pull data across the internet from its customers identity stores every time it needs it. But it can (and will) decide when and how to pull data from those identity stores into its local run-time store (cache, if you will). This is still a “pull” model, though not necessarily externalized identity. It is, however, a necessary facet of our increasingly distributed IT infrastructure, and one at the heart of the Just-In-Time Pull-based Provisioning I described in my talk.

JIT Provisioning with OAuth & IGF-based Identity Pull

Through all this, keep in mind that standardizing identity pull is a far easier task than standardizing identity push (where there were way too many targets to influence, and SPML failed to make headway). And that will go a long way in driving adoption, especially as identity services makes its way into the platforms that applications are being built on. Given that Oracle has a stake in all parts of the equation – the identity products, the middleware platform and the applications built on top of them – we have unique insight into this aspect of the future of identity that makes me far more confident in making this assertion.

The way I see it, the pull model is the logical next step needed to power the upcoming enterprise application environment where mashups and loose connections are going to be more common and hard-coded integrations are going to be hard to justify.

Tags: Cat10, JIT Provisioning, Just-In-Time Provisioning, Service-Oriented Security

On Wednesday, I gave a talk entitled “Beyond SPML: Access Provisioning in a Services World” which built on my Gluecon talk and work with Fusion architecture to provide a vision for the future of provisioning. The central thesis is that as we move from Push to Pull models in Identity, provisioning becomes a key component in making sure that policy and process controls are still enforced. But this requires a fundamental evolution in application and middleware architecture towards services-oriented security and externalized identity.

I was extremely gratified to receive lots of positive validation and feedback about the vision I expressed in my presentation. And it really fit in with the theme flowing through the presentations in the provisioning section, which was focused on moving to a more streamlined, manageable, scalable provisioning future. It also echoed sentiment that provisioning is a multi-faceted problem with different interaction points and flows and will therefore require a combination of standards rather than just one standard. This was really driven home by the extremely interactive SPML SIG meeting that I participated in (organized by Mark Diodati) where there was generally agreement that SPML needs to get really focused on specific use cases rather than trying to be all things to all possibilities.

I am looking  for input, so check out the deck and leave me comments on this post. I will definitely be building on the ideas in there with our identity management team to move the vision of service-oriented security forward. But for it to be useful, it has to resonate with the IdM and application development communities. And that’s where we all have to work together in making this a reality.

Tags: Burton Catalyst Conference, Cat10, Federated Provisioning, Provisioning, SPML

Please note that the rooms for the different tracks at Catalyst were switched, with IdPS moving to Sapphire AB. So if you were going off the information Oracle sent out, or the Oracle Hospitality Suite invite in your Catalyst registration bag, then please note that my session will not be in Sapphire CD, but will be in Sapphire AB instead.

And be sure to drop by the Oracle Hospitality Suite in Aqua 308 on Wednesday evening to check out the 11g demos, enjoy some good food and drink, and hang out with some of the cool cats of Oracle Identity Management (and me!).

Tags: Burton Catalyst Conference, BurtonGroupCatalyst10, Cat10, Oracle Identity Management, Provisioning

1. The answer cannot be easily guessed or researched [Safe]
2. The answer doesn’t change over time [Stable]
3. The answer is memorable [Recall-ability]
4. The answer is definitive or simple [Simplicity]

Good criteria to remember next time you are deciding between “What is your pet’s name?” and “What was the name of your first stuffed animal?”.

Of course, the service you are interacting with needs to allow you to choose from a large enough set or supply your own questions so you can adhere to this principle. And a highly sensitive application should go beyond just plain security questions. While most services are moving towards simpler yet more secure mechanisms – emailing the user short-lived password reset tokens, for instance – there are many cases where you still need a challenge-based mechanism (like when the forgotten password is the one used to access your email).

Knowledge-Based Authentication has gotten increasingly sophisticated over the last few years, and enterprises looking to leverage this can do better than just providing their users a few hard-coded questions to choose from. Oracle Adaptive Access Manager 11g brings features like Answer Logic (which employs fuzzy logic to increase the usability of security questions) and One-Time Passwords (delivered via SMS, email, IM or voice) into the mix, while also adding real-time risk analytics to make the overall process more secure, reliable, usable and cost-effective.

And all of this is delivered as a service so that enterprises can incorporate KBA into their various applications as needed. In fact, as part of the suite-wide integration design theme of Oracle Identity Management 11g, OAAM now has out-of-the-box integrations with Oracle Identity Manager and Oracle Access Manager. So if you deploy the suite, the real-time risk analytics and risk-based challenge mechanisms of OAAM are automatically leveraged by those other products. It is a sweet thing to behold.

Even as we sound out the call to kill passwords (an NPT for passwords; I like that), KBA will continue to be a critical tool in the identity proofing arena. So keep an eye out for all the innovation that will take place in this field.

Tags: Identity Proofing, Knowledge-Based Authentication, OAAM, OIM, Oracle Identity Management, Oracle Identity Management 11g, Password Management, Password Recovery Techniques, Security Questions, Service-Oriented Security

In a previous post, I described which IdM products were included in the first rollout of 11g last year. This phase includes the following products:

• Oracle Identity Manager
• Oracle Identity Analytics
• Oracle Access Manager
• Oracle Adaptive Access Manager
• Oracle Directory Server Enterprise Edition
• Oracle OpenSSO Secure Token Service
• Oracle OpenSSO Fedlet
• Oracle Navigator
• Oracle Enterprise Manager Grid Control Pack for IdM

As you can see, a major focus of this release (and a late add to the slate, I might add) was delivering on some of the promises we made to integrate the Sun IdM products into our portfolio. The other was to address customer concerns around manageability and usability of the products. If you saw the webcast, you saw the demos showing off the slick new desktop-like UI that the products are sporting, based on Oracle ADF. The shared services model removes inconsistencies between the different products in the suite, both from a behavior and functionality standpoint. And a lot of attention was paid to really ratcheting up performance to meet enterprise needs as they start to manage extranet environments in addition to their intranet environments.

In the coming weeks I and other bloggers in the Oracle IdM community will share a lot more detail about these releases. So stay tuned. In the meantime, check out the Fusion Middleware Launch Center, where you’ll find videos, data sheets, webinar’s, and white papers

Tags: Oracle Identity Management, Oracle Identity Management 11g, Service-Oriented Security

But the best part of the CAB was the response that our customers gave us for the upcoming Oracle Identity Management 11g release. No one is in a better position to judge whether we are delivering on what our customers need than the organizations that have been using our products for years now. We got positive affirmation that makes me believe that the focus we put on usability, manageability, identity services architecture and suite integration is going to pay off. The demo sessions were packed and warmly received, even running long because of all the discussions that ensued. And you know you did a good job when customers start to come up with new ideas that play off your new features instead of critiquing those features themselves.

Well, today is launch day, and finally the entire identity industry can see what we have been cooking and judge for themselves. To get started, you can check out the launch webcast today (Wednesday, July 21) at 10:00 a.m. PT / 1:00 p.m. ET. Our VP for development of Identity Management products, Amit Jasuja, will be providing a detailed introduction to this release, so register now. There will be a whole bunch of information being put up on oracle.com/identity. And if you are going to be at Burton Catalyst in San Diego next week, then you can stop by the Oracle hospitality suite (Wednesday, July 28 from 6-9 pm in room Aqua 308) and see demos of all the new products.

I can assure you that we build IdM products much better than we cook miniature ham croquettes minus the ham (you had to be there).

Tags: Oracle Identity Management, Oracle Identity Management 11g, Service-Oriented Security