<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Talking Identity &#124; Nishant Kaushik&#039;s Look at the World of Identity Management &#187; Application-Centric IdM</title>
	<atom:link href="http://blog.talkingidentity.com/tag/application-centric-idm/feed" rel="self" type="application/rss+xml" />
	<link>http://blog.talkingidentity.com</link>
	<description>An Architect&#039;s Quest to make sense of the world of Identity and Access Management</description>
	<lastBuildDate>Thu, 22 Dec 2011 21:56:25 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Upcoming Webcast on Service-Oriented Security</title>
		<link>http://blog.talkingidentity.com/2010/08/upcoming-webcast-on-service-oriented-security.html</link>
		<comments>http://blog.talkingidentity.com/2010/08/upcoming-webcast-on-service-oriented-security.html#comments</comments>
		<pubDate>Tue, 24 Aug 2010 17:16:51 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Oracle Identity Management]]></category>
		<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Application-Centric IdM]]></category>
		<category><![CDATA[Service-Oriented Security]]></category>

		<guid isPermaLink="false">http://blog.talkingidentity.com/?p=1014</guid>
		<description><![CDATA[You&#8217;ve seen me blog a whole lot about Service-Oriented Security over the years; now you can also hear me talk about it. I&#8217;ll be doing a live webcast on &#8220;Service-Oriented Security: Blazing a New Trail of Innovation in Application Security&#8221; on Wednesday, August 25th (that&#8217;s tomorrow!) at 11:00 a.m. PT/2:00 p.m. ET. In it, [...]]]></description>
			<content:encoded><![CDATA[<p>You&#8217;ve seen me blog a whole lot about Service-Oriented Security over the years; now you can also hear me talk about it. I&#8217;ll be doing a live webcast on &#8220;<strong>Service-Oriented Security: Blazing a New Trail of Innovation in Application Security</strong>&#8221; on <em>Wednesday, August 25th</em> (that&#8217;s tomorrow!) at <em>11:00 a.m. PT/2:00 p.m. ET</em>. In it, my colleague Bharath Shashikumar and I will talk about how SOS offers a revolutionary architectural approach to efficiently develop security as discrete reusable services &#8211; resulting in faster development lifecycles, better IT agility and dramatically lower integration costs. You can get more information on the webcast <a href="http://bit.ly/9soO21">here</a> and register to attend for free <a href="http://bit.ly/9aXzr8">here</a>.</p>
<p>And if there are any questions you want to ask me, then ask them during the webcast, or send them my way ahead of time via <a href="http://twitter.com/NishantK">twitter</a>.</p>
<address><img class="alignnone" title="Ziff-Davis Enterprise eSeminars" src="http://www.oracle.com/dm/11h1images/eseminars_170.jpg" alt="" width="170" height="60" /></address>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/application-security" rel="tag">Application Security</a>, <a href="http://blog.talkingidentity.com/tag/application-centric-idm" rel="tag">Application-Centric IdM</a>, <a href="http://blog.talkingidentity.com/tag/service-oriented-security" rel="tag">Service-Oriented Security</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2010/08/upcoming-webcast-on-service-oriented-security.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>We&#8217;re Listening, Pamela. We&#8217;re Listening</title>
		<link>http://blog.talkingidentity.com/2008/04/were_listening_pamela_were_lis.html</link>
		<comments>http://blog.talkingidentity.com/2008/04/were_listening_pamela_were_lis.html#comments</comments>
		<pubDate>Fri, 11 Apr 2008 05:48:44 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Identity Services]]></category>
		<category><![CDATA[Oracle Identity Management]]></category>
		<category><![CDATA[Application-Centric IdM]]></category>
		<category><![CDATA[Service-Oriented Security]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=102</guid>
		<description><![CDATA[The ever thought-provoking Pamela Dingle has issued a challenge to Enterprise Application vendors. In it, she puts forth the idea that technology and market demand have reached the point where those in the business of building and selling enterprise applications should (must?) figure out how to externalize authentication. But she also points out what has [...]]]></description>
			<content:encoded><![CDATA[<p>The ever thought-provoking Pamela Dingle has issued <a href="http://eternaloptimist.wordpress.com/2008/04/02/dear-enterprise-application-vendors/">a challenge to Enterprise Application vendors</a>. In it, she puts forth the idea that technology and market demand have reached the point where those in the business of building and selling enterprise applications should (must?) figure out how to externalize authentication. But she also points out what has held off vendors from doing this already:</p>
<blockquote><p>&#8220;In talking to your fellow vendors, I can almost feel the panic &#8211; you can&#8217;t possibly support all of the new technologies coming out, you aren&#8217;t even supporting technologies that are years old &#8211; how do you choose?&#8221;</p></blockquote>
<p>That sentence captures in a nutshell the need for <span style="font-weight: bold;">Identity Services</span>, and why those of us in the IdM industry would do well to develop this vision. Externalizing identity is all about providing application developers reusable services that are independent of the underlying provider of those services. That will enable, as Pam puts it, vendors to &#8220;set up your application so that the customers can write their own identity front-end integrations&#8221;.</p>
<p>Authentication and Authorization are definitely at the forefront of this revolution in application development, mainly due to the ratification of decent standards in this area (like SAML and XACML). But there are many more facets to identity that need to escape from the application black box.</p>
<p>Oracle, as an application vendor with its large suite of enterprise applications and its full stable of IdM products, is faced with this same issue, probably more so than any other vendor. It is a question that has produced many hours of hallway discussions and burnt up the conference lines (I wouldn&#8217;t want to see that phone bill). Oracle is tackling this issue head on, as should be evident from <a href="http://www.oracle.com/corporate/press/2008_apr/service-oriented-security.html?rssid=rss_ocom_pr">today&#8217;s announcement</a> (and <a href="http://media.omediaweb.com/rsa2008/webcast.htm?id=3_3" target="_blank">Thomas Kurian&#8217;s keynote</a>) at RSA unveiling our strategy for <span style="font-weight: bold;">Service-Oriented Security</span>. SOS covers the four stages of an application lifecycle &#8211; development, deployment, administration and governance. With SOS, organizations can now centralize and externalize security solutions as part of a flexible security architecture. Recent identity related efforts like the <span style="font-weight: bold;">Identity Governance Framework</span> are also part of this architecture, providing the ability to deliver privacy-aware applications.</p>
<p>The vision for Identity Services that I have been (passionately) talking about <a href="http://blogs.oracle.com/talkingidentity/2007/05/08/">on this blog</a> and in conferences is part of this larger view of an application&#8217;s lifecycle. In fact, the IdM team has just <a href="http://www.oracle.com/technology/products/id_mgmt/pdf/serv_oriented_sec.pdf">published a whitepaper</a> on Identity Services to accompany this announcement, to which I contributed a lot of the content that I have been developing and presenting in my talks. If you are up for some interesting reading, download and check out the whitepaper. And as always, send your comments on the ideas and thoughts my way. I would love to hear your views on the vision.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/application-centric-idm" rel="tag">Application-Centric IdM</a>, <a href="http://blog.talkingidentity.com/tag/identity-services" rel="tag">Identity Services</a>, <a href="http://blog.talkingidentity.com/tag/oracle-identity-management" rel="tag">Oracle Identity Management</a>, <a href="http://blog.talkingidentity.com/tag/service-oriented-security" rel="tag">Service-Oriented Security</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2008/04/were_listening_pamela_were_lis.html/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Virtual Directories + Provisioning = No more Metadirectory</title>
		<link>http://blog.talkingidentity.com/2008/03/virtual_directories_provisioni.html</link>
		<comments>http://blog.talkingidentity.com/2008/03/virtual_directories_provisioni.html#comments</comments>
		<pubDate>Fri, 21 Mar 2008 19:21:57 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Identity Services]]></category>
		<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Oracle Identity Management]]></category>
		<category><![CDATA[Application-Centric IdM]]></category>
		<category><![CDATA[Identity Governance Framework]]></category>
		<category><![CDATA[Identity Hub]]></category>
		<category><![CDATA[IGF]]></category>
		<category><![CDATA[Metadirectory]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[Virtual Directory]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=100</guid>
		<description><![CDATA[There has been an interesting discussion going on regarding the fate of metadirectory technology. Dave Kearns talked about it in his newsletter recently (see: Is the metadirectory dead). In it, he quoted Jackson Shaw, who brought it up as context to HP&#8217;s recent retrenchment: &#8220;Let&#8217;s be honest. The meta-directory is dead. Approaches that look like [...]]]></description>
			<content:encoded><![CDATA[<p>There has been an interesting discussion going on regarding the fate of <span style="font-weight: bold;">metadirectory technology</span>. Dave Kearns talked about it in his newsletter recently (see: <a href="http://www.networkworld.com/newsletters/dir/2008/0310id1.html?nlhtident=ts_031008&amp;nladname=031008security:identitymanagemental">Is the metadirectory dead</a>). In it, he quoted Jackson Shaw, who brought it up <a href="http://jacksonshaw.blogspot.com/2008/03/you-wont-have-me-to-kick-around-anymore.html">as context to HP&#8217;s recent retrenchment</a>:</p>
<blockquote><p>&#8220;Let&#8217;s be honest. The meta-directory is dead. Approaches that look like a meta-directory are dead.&#8221;</p></blockquote>
<p>Kim Cameron questioned this <a href="http://www.identityblog.com/?p=941">in his response</a>. The flaw in his argument (imo) is in lumping directory and metadirectory technology together. Nobody is saying that the directory is dead. It still is (and will continue to be for the foreseeable future) the best storage mechanism available for identity data. What is being said is that the metadirectory approach of taking directory based storage and adding centralization processes and technology (the synchronization, arbitration and flattening of data inherent to the metadirectory story) doesn&#8217;t make sense in the brave new world of identity services we are moving towards.</p>
<p>Centralization of data still exists, and will continue to for some time to come. But for a while now, the solution there has been <span style="font-weight: bold;">provisioning technology</span>, not metadirectory (see my <a href="http://blogs.oracle.com/talkingidentity/2006/10/ask_dr_k_directory_synchroniza.html">previous blog post</a> on this topic). Provisioning adds a crucial overlay of <span style="font-style: italic;">policy, controls and process</span> onto the rationalization of identity data (centralization being a byproduct of this).</p>
<p>Where workflow and process are not needed there is no longer a need to centralize, as <span style="font-weight: bold;">virtual directory </span>technology provides a scalable, manageable solution far superior to what metadirectory used to provide. Oracle (for one) recognized this a while ago when it bought the technology that became <a href="http://www.oracle.com/products/middleware/identity-management/virtual-directory.html"><span style="font-weight: bold;">Oracle Virtual Directory</span></a>.</p>
<p>Virtual directory technology is fast becoming the underpinning of the &#8220;identity bus&#8221; (as Kim calls it) in an Identity Services based architecture. It provides a services interface that pulls the identity data from where it sits, and transforms it into the claims that the consuming application is interested in. It acts as an abstraction/indirection layer between the identity producer (HR, CRM, Corporate Directory, you name it) and the identity consumer. It also acts as a gatekeeper, ensuring that data use is authorized and policy-compliant. Oracle&#8217;s effort at defining the <span style="font-weight: bold;">IGF standard</span> is an attempt to add much needed controls into that interaction of producer and consumer, and OVD is on the very frontlines of this effort.</p>
<p>As always, the mantra should be to choose the right tool that solves your problems. An Enterprise&#8217;s best bet is to put in place an infrastructure that is a nice blend of provisioning and virtual directory. This infrastructure will continue to evolve as the vision for Application-Centric identity evolves.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/application-centric-idm" rel="tag">Application-Centric IdM</a>, <a href="http://blog.talkingidentity.com/tag/identity-governance-framework" rel="tag">Identity Governance Framework</a>, <a href="http://blog.talkingidentity.com/tag/identity-hub" rel="tag">Identity Hub</a>, <a href="http://blog.talkingidentity.com/tag/identity-services" rel="tag">Identity Services</a>, <a href="http://blog.talkingidentity.com/tag/igf" rel="tag">IGF</a>, <a href="http://blog.talkingidentity.com/tag/metadirectory" rel="tag">Metadirectory</a>, <a href="http://blog.talkingidentity.com/tag/oracle-identity-management" rel="tag">Oracle Identity Management</a>, <a href="http://blog.talkingidentity.com/tag/provisioning" rel="tag">Provisioning</a>, <a href="http://blog.talkingidentity.com/tag/virtual-directory" rel="tag">Virtual Directory</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2008/03/virtual_directories_provisioni.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OpenWorld 2007: Virtualization, Fusion and Social Applications</title>
		<link>http://blog.talkingidentity.com/2007/11/openworld_2007_virtualization.html</link>
		<comments>http://blog.talkingidentity.com/2007/11/openworld_2007_virtualization.html#comments</comments>
		<pubDate>Thu, 15 Nov 2007 11:35:48 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Oracle Identity Management]]></category>
		<category><![CDATA[Application-Centric IdM]]></category>
		<category><![CDATA[Fusion Identity Management]]></category>
		<category><![CDATA[Identity Services]]></category>
		<category><![CDATA[Oracle OpenWorld]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=87</guid>
		<description><![CDATA[I&#8217;m writing this on a flight from San Francisco to Los Angeles, because an unfortunate scheduling conflict means that this year, Oracle OpenWorld and the Gartner Identity &#38; Access Management Summit overlap for two days in the middle of the week. So I am going to miss the first day at Gartner because I just [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;m writing this on a flight from San Francisco to Los Angeles, because an unfortunate scheduling conflict means that this year, <span style="font-weight: bold;">Oracle OpenWorld</span> and the <span style="font-weight: bold;">Gartner Identity &amp; Access Management Summit</span> overlap for two days in the middle of the week. So I am going to miss the first day at Gartner because I just had to stick around at OpenWorld to hear Larry&#8217;s keynote.</p>
<p>As usual, OpenWorld was chaotic, massive and entirely overwhelming. Between the claustrophobia induced by the crowds crossing Howard Street or cramming into keynotes, the rush of standing in front of folks to talk about identity management in fusion architecture, the late, late evenings with customers and co-workers, and almost being trampled by a couple of OpenWorld revelers dancing a wild jig at Lefty O&#8217;Douls, it&#8217;s been a crazy couple of days. Oh, and the conference has been interesting too.</p>
<p>OpenWorld always has the production values of a rock concert, and one of the interesting things that the organizing team did this year was incorporate a form of user-generated content into the opening for the Keynotes. Before the keynotes would start, a poll or questions would be posted on the giant screens in the keynote hall, and the audience members would be encouraged to send in their responses by text message, with the results being shown on the screen in real-time. While the poll questions elicited some good feedback from the audience, it was interesting to see some of the responses people sent in to questions like &#8220;<span style="font-style: italic;">The next killer app would be&#8230;</span>&#8221;, &#8220;<span style="font-style: italic;">What features would you most like to see in Oracle products?</span>&#8221; and &#8220;<span style="font-style: italic;">What was the first Oracle product you encountered?</span>&#8221;. Messages ranged from the humorous to the thought-provoking, with a couple of digs at Larry.<br />
<img src="http://farm3.static.flickr.com/2029/2031050112_f5a1512852.jpg" alt="" /></p>
<div style="text-align: center;">
<pre>Audience Polls before Keynotes</pre>
</div>
<p><span style="font-weight: bold;">THE KEYNOTES</span><br style="font-weight: bold;" />All the keynote speakers used their platform to really showcase their products and make some major announcements. The big announcement from Oracle was first made during <span style="font-weight: bold;">Charles Phillips</span>&#8217; keynote on Monday, and then repeated throughout the week &#8211; the introduction of <span style="font-weight: bold; font-style: italic;">Oracle VM</span>, Oracle&#8217;s server virtualization software technology (<a href="http://www.oracle.com/technologies/virtualization/index.html">check it out</a>). During his keynote, Charles also talked about Oracle&#8217;s growth by acquisition benefiting customers by moving the inter-application integration challenge off the customer&#8217;s shoulders and onto Oracle&#8217;s plate, delivered through Oracle Application Integration Architecture.</p>
<p><span style="font-weight: bold;">Thomas Kurian</span> used his keynote to explain how <span style="font-weight: bold; font-style: italic;">Fusion Middleware</span> was going to change how business is delivered by applications on the back of 5 middleware &#8220;pillars&#8221; &#8211; SOA, Enterprise Performance Management (EPM), Enterprise 2.0 technologies (which includes collaboration and communication tools, content management and rich user experience), Security and Identity Management, and Grid Computing.</p>
<p><span style="font-weight: bold;">Larry Ellison</span> used his CEO Keynote to update everyone on <span style="font-weight: bold; font-style: italic;">Unbreakable Linux</span> (which he launched at last year&#8217;s OpenWorld), expand on the launch of <span style="font-weight: bold; font-style: italic;">Oracle VM</span>, and talk about the first Fusion Application that will be rolling off the production line &#8211; <span style="font-weight: bold; font-style: italic;">Sales Force Automation</span> (SFA). A demo provided a first look at the 3 slick applications that make up SFA: Sales Prospector, Sales References, and Sales Tools. Interestingly enough (for IdM), SFA incorporates social concepts into its functionality.</p>
<p>Oracle partners that gave keynote addresses this year were AMD, HP, Intel, Dell and Sun. Among the more interesting, Sun announced the launch of their open-source project in Server Virtualization, OpenxVM. AMD, Intel, HP and Dell all announced products focused on enabling greener Data Centers, where power utilization and efficiency are greatly improved.<br />
<img src="http://farm3.static.flickr.com/2254/2030247853_614695af55.jpg" alt="" /></p>
<div style="text-align: center;">
<pre>Charles Phillips giving his Keynote</pre>
</div>
<p>You can check out webcasts of all the keynotes <a href="http://www.oracle.com/openworld/2007/keynotes.html">here</a>.</p>
<p><span style="font-weight: bold;">THE SESSIONS</span><br style="font-weight: bold;" />As so often happens at these events, customer meetings eclipse my ability to attend sessions with any regularity. OpenWorld presents a good opportunity to listen to people from other parts of the company (that I would be hard pressed to find time with) introduce their products and talk about their plans for the same. The rate at which Oracle acquires companies and technologies sometimes means that this is the only way to figure out technologies we have in-house that can help in our development activities. So it was good to be able to go to sessions and learn about Coherence, Hyperion and a few other technologies.</p>
<p>The audience was definitely geared towards the database and applications side of the house. In terms of the topics that I touch on in this blog, interest was high in understanding the value that Oracle&#8217;s IAM suite brings to current deployments of Oracle Applications like E-Business Suite, and in understanding where Fusion Applications was going. While the attendance at IdM sessions was not as high, the quality of people in attendance was extremely high, with discussions exploring topics in quite a bit of depth.</p>
<p><span style="font-weight: bold;">IDENTITY SERVICES AT OPENWORLD</span><br />
My session on &#8220;<span style="font-weight: bold;">Identity Management in Fusion Architecture</span>&#8221; was extremely well received and drew some quality feedback. The folks who showed up were really interested in seeing how the concept of identity will be woven into the fabric of Fusion Applications moving forward. And a number of them gave me some really good real-world information on challenges that they are facing today. A lot of them came to the session not exactly sure what identity even meant in the fusion concept, and left (hopefully) a little clearer on the topic.</p>
<p>I had hoped for a lot more people to come so that I could get some more input, but I&#8217;ll be more than happy if folks participate in a discussion via this blog as well. Check out the presentation I gave in my session by downloading it from <a href="http://blogs.oracle.com/nishantKaushik/gems/S291824.pdf">here</a>.</p>
<p><span style="font-weight: bold;">MESSAGES</span><br style="font-weight: bold;" />Virtualization is hot, and information is more important than ever. Getting applications to work with each other in a seamless manner is the key to business innovation. And the next hot thing in applications is the incorporation of social concepts into their functionality, combining Business Intelligence with Human Intelligence in a way that will make it easier to solve the real challenges enterprise users face every day.</p>
<p><span style="font-weight: bold;">THOUGHTS</span><br />
As I mentioned above, I had a number of interesting side discussions with customers and prospects at OpenWorld this year. I was really encouraged to finally connect with a customer that had some deep and well thought through needs for deploying enterprise identity services. Most of the customers I know who are thinking of identity services are thinking about it as an enterprise architecture project (because they know it is the right thing to do) without any concrete consumers lined up. This particular customer actually has projects planned that could really use identity services. It led to a very interesting conversation that I found quite stimulating. I will definitely be covering some of my thoughts that came out of this meeting in the coming weeks.</p>
<p>Also, I found a number of people interested in understanding fusion architecture as a way of figuring out how they should go about standardizing their application development efforts. The big thing I saw was that there are a few enterprises out there that want to put an identity services layer in place, and are debating whether to build it themselves or wait till someone in the identity community comes out with something. While I am pretty sure that frameworks like Higgins can help some of these folks, there were a number that talked about Higgins being too low level in the abstraction it offers.</p>
<p>The fact that concepts emerging from the social networking arena are actually being built into the way the next generation of applications will work presents an interesting challenge for identity management. Not only are identity services going to have to scale to a level that supports these kinds of interactions in applications, they will also need to have the right controls in place to protect privacy while not preventing the kind of collaboration that social concepts will foster.</p>
<p>Well, looks like we are about ready to land. I will probably post this sometime tonight, with my next post probably focusing on the Gartner summit. But add some comments if you have some thoughts on OpenWorld, Fusion, IdM and the crazy world of Oracle. Oh, and if you were at my session and were one of the people taking photographs of me while I spoke, drop me an email with some of those pictures, will ya? I&#8217;d love to see what was drawing so many flashes <img src='http://blog.talkingidentity.com/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/application-centric-idm" rel="tag">Application-Centric IdM</a>, <a href="http://blog.talkingidentity.com/tag/fusion-identity-management" rel="tag">Fusion Identity Management</a>, <a href="http://blog.talkingidentity.com/tag/identity-services" rel="tag">Identity Services</a>, <a href="http://blog.talkingidentity.com/tag/oracle-identity-management" rel="tag">Oracle Identity Management</a>, <a href="http://blog.talkingidentity.com/tag/oracle-openworld" rel="tag">Oracle OpenWorld</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2007/11/openworld_2007_virtualization.html/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Digital ID World recap: Identity Services is Next</title>
		<link>http://blog.talkingidentity.com/2007/10/digital_id_world_recap_identit.html</link>
		<comments>http://blog.talkingidentity.com/2007/10/digital_id_world_recap_identit.html#comments</comments>
		<pubDate>Tue, 02 Oct 2007 06:28:10 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Identity Services]]></category>
		<category><![CDATA[Personal Identity Management]]></category>
		<category><![CDATA[User-Centric Identity]]></category>
		<category><![CDATA[Application-Centric IdM]]></category>
		<category><![CDATA[Digital ID World]]></category>
		<category><![CDATA[OpenID]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=79</guid>
		<description><![CDATA[It took me a while to recover from last week&#8217;s Digital ID World conference. And it wasn&#8217;t just because of the mad scramble I went through at the last minute to update all my slides for my talk. That was just the side effect of spending too much time in some really interesting sessions and [...]]]></description>
			<content:encoded><![CDATA[<p>It took me a while to recover from last week&#8217;s <span style="font-weight: bold;">Digital ID World</span> conference. And it wasn&#8217;t just because of the mad scramble I went through at the last minute to update all my slides for my talk. That was just the side effect of spending too much time in some really interesting sessions and fascinating conversations at this year&#8217;s conference.</p>
<p>I mentioned in my last post that the theme to emerge from the first three keynotes was that the nature of identity is about to change. The rest of the conference was a continued emphasis on this idea, and on the topic of identity as a service. And the sessions drawing big crowds were the ones that talked more about emerging identity technologies and architectures.</p>
<p><span style="font-weight: bold; color: #666666;">What of OpenID?</span><br style="font-weight: bold; color: #666666;" />The session &#8216;<span style="font-weight: bold; font-style: italic;">Understanding OpenID and the Early Implementations</span>&#8217; by David Recordon (SixApart) and Eve Maler (Sun) drew a pretty big crowd. Interest in understanding the value of OpenID was high (something the OpenID crowd has not been able to articulate clearly beyond the simple positioning as &#8220;<span style="font-style: italic;">SSO for the Web</span>&#8221;, leading to some interesting discussions by <a href="http://identityblog.burtongroup.com/bgidps/2007/09/what-is-openid-.html">Bob Blakley</a>, <a href="http://www.idcorner.org/?p=161">Stefan Brands</a> and <a href="http://daveman692.livejournal.com/310578.html">David Recordon</a>). Folks were especially interested to hear what Eve had to say, in light of the effort Sun made to issue all employees an OpenID. To be honest, it was a little disappointing. If I remember correctly, she said that uptake has been low. This could partly be because Sun did not create any value for the Sun-issued OpenIDs by incorporating them into the work life of a Sun employee. None of Sun&#8217;s community sites (like those for open source projects) accept these OpenIDs for authentication, and they cannot be used at Sun partners or service providers either. In fact, it seems like it is mostly a curiosity, evident when she pointed out that the highest usage of these OpenIDs seems to be at a British gambling website. Oh well, it is still early, and hopefully some of the debate in the community will get us further along.</p>
<p><span style="font-weight: bold; color: #666666;">Microsoft makes a Services play</span><br style="font-weight: bold; color: #666666;" />The talk &#8216;<span style="font-weight: bold; font-style: italic;">SOA and Identity with BizTalk Services</span>&#8217; turned out to be a disappointing follow-up to Kim Cameron&#8217;s keynote. What I took away from the session was that Microsoft is taking the features they have in BizTalk Server, and rolling out hosted services on top of that. Maybe I am wrong and there is more to it. But with the demoware breaking a couple of times, poor Justin Smith had to resort to a couple of &#8220;I think you get the picture&#8221; statements to make whatever point he was trying to make.</p>
<p><span style="font-weight: bold; color: #666666;">British Columbia presents the Next Identity Architecture</span><br />
Ian Bailey, Director of Application Architecture for the Province of British Columbia, gave a very interesting presentation on their undertaking to design an identity management architecture that will deliver what they call &#8220;Citizen-Centric Identity Services&#8221;. The solution he presented in his talk &#8216;<span style="font-weight: bold; font-style: italic;">A Claims Based Architecture for British Columbia</span>&#8217; was quite interesting to hear. The content of the session has evolved from the presentation he gave previously at another conference, and included much more detail with regard to the identity services needed to make it practical. Their architecture document can be found <a href="http://www.cio.gov.bc.ca/idm/">here</a> and makes for very interesting reading. His session was quite inspiring to me actually, as it gave me an answer (not necessarily the answer) for one of the areas of my presentation that I was having the most trouble with.</p>
<p><span style="font-weight: bold; color: #666666;">Identity Services</span><br style="font-weight: bold; color: #666666;" />That part was the discussion of the API layer needed in any identity services framework. As I pointed out in my talk on &#8216;<span style="font-weight: bold; font-style: italic;">Externalizing Identity</span>&#8217; (you can download the presentation <a href="http://blogs.oracle.com/nishantKaushik/gems/IDaaSDIDW.pdf">here</a>), the primary purpose of creating identity services is to make it available to application developers so that they can make identity a part of their business logic without having to build the necessary infrastructure. And the API they must code against must be simple enough to use easily, and abstract enough that it has no dependency on the underlying service providing product. Developers cannot code to XML-based standards, and so the idea of a claims-based API seems brilliant in its simplicity. Not sure if it is do-able just yet, but it is worth looking into.</p>
<p>Those familiar with my previous talks and blog posts about identity as a service will note that my architecture for the identity services layer has evolved over time, and has changed quite a bit even from my talk at the Jericho Forum not even a month ago. One of the key changes was the transformation of the &#8220;Identity Provider&#8221; service into an &#8220;Identity Oracle&#8221; service. It took a while, but I was finally able to articulate in detail the necessary features of this service that justify renaming it to the term that Bob Blakley (of Burton) introduced at last year&#8217;s Catalyst (or was it 2 years ago?). The feedback I got on the idea of a productized Identity Oracle, and the session in general, was quite interesting and encouraging. So send me your thoughts as well.</p>
<p>For those that are interested, I know that the DIDW folks recorded the audio of the session. I&#8217;ll try and make that available here if allowed. If you went to DIDW, you can access it from the post-conference website.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/application-centric-idm" rel="tag">Application-Centric IdM</a>, <a href="http://blog.talkingidentity.com/tag/digital-id-world" rel="tag">Digital ID World</a>, <a href="http://blog.talkingidentity.com/tag/identity-services" rel="tag">Identity Services</a>, <a href="http://blog.talkingidentity.com/tag/openid" rel="tag">OpenID</a>, <a href="http://blog.talkingidentity.com/tag/personal-identity-management" rel="tag">Personal Identity Management</a>, <a href="http://blog.talkingidentity.com/tag/user-centric-identity" rel="tag">User-Centric Identity</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2007/10/digital_id_world_recap_identit.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Digital ID World kicks off with the cry: Free Identity!</title>
		<link>http://blog.talkingidentity.com/2007/09/digital_id_world_kicks_off_wit.html</link>
		<comments>http://blog.talkingidentity.com/2007/09/digital_id_world_kicks_off_wit.html#comments</comments>
		<pubDate>Mon, 24 Sep 2007 20:30:20 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[User-Centric Identity]]></category>
		<category><![CDATA[Application-Centric IdM]]></category>
		<category><![CDATA[Digital ID World]]></category>
		<category><![CDATA[Identity Services]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=78</guid>
		<description><![CDATA[You know you are at a good conference any time your keynote address throws up a picture of Neo (from The Matrix) on the screen. That&#8217;s exactly what Doc Searls did during a typically humorous and thought-provoking keynote roughly titled &#8220;The Decentralization of Identity&#8221; (actually re-titled in real time based on Phil Becker&#8217;s opening keynote) [...]]]></description>
			<content:encoded><![CDATA[<p>You know you are at a good conference any time your keynote address throws up a picture of <span style="font-weight: bold;">Neo</span> (from <span style="font-style: italic;">The Matrix</span>) on the screen.</p>
<p>That&#8217;s exactly what <span style="font-weight: bold;">Doc Searls</span> did during a typically humorous and thought-provoking keynote roughly titled &#8220;<span style="font-weight: bold; font-style: italic;">The Decentralization of Identity</span>&#8221; (actually re-titled in real time based on Phil Becker&#8217;s opening keynote). He used Neo as representative of the consumer community in the marketplace; the ones whose identities are not in their control and who don&#8217;t have &#8220;choice&#8221; when it comes to the management and security of their identity data.</p>
<p>If there was one theme to the opening keynote addresses (by <span style="font-weight: bold;">Phil Becker</span>, <span style="font-weight: bold;">Doc Searls</span> and <span style="font-weight: bold;">Kim Cameron</span>), it was that the nature of identity needs to change, freeing it from the silos and walled gardens it is currently imprisoned in. They spoke of the need to redesign our approach to how identity data is used and managed. Doc Searls spoke of the need to get away from the notion of owning someone&#8217;s (your customers&#8217;) identity, and moving from CRM systems to something he called VRM (Vendor Relationship Management) systems. As someone in the identity community, I completely understand the sentiment behind that; as a cog in the Oracle juggernaut, I have to be cautious about any cries of &#8220;Death to CRM&#8221; <img src='http://blog.talkingidentity.com/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p><span style="font-weight: bold;">Kim Cameron</span> took his discussion of <span style="font-style: italic;">claims-based identity management</span> (authentication and authorization) to the next level. In a headline-capturing display, he introduced a term called &#8220;<span style="font-weight: bold; font-style: italic;">Legonics</span>&#8221; (fusion of Lego and Electronics) as a new way of building applications by putting together pieces from componentized modules. Sounded an awful lot like a combination of SOA and Identity as a Service to me. But the demonstration on stage of a Lego robot that was controlled by claims illustrated his point quite well.</p>
<p>I am glad that the talk I will be giving tomorrow at DIDW fits in nicely with this emerging conference theme of freeing identity from the application silos it lives in. Building on the session I did at the Jericho Forum, my session on &#8220;<span style="font-weight: bold; font-style: italic;">Externalizing Identity</span>&#8221; will present a roadmap to how applications will get re-architected to allow decentralization of identity in the manner that Phil and Doc are referring to. I say roadmap because I believe in transition, not quantum leaps. Enterprises want an approach that leverages the hefty investments they have already made in IdM infrastructure. And the identity equation has too many colliding imperatives for a simple solution (at least today). The real solution will come from a partnership between the IdM vendors, the application vendors and the consumer enterprises, as they all accept that identity is an asset and not a commodity.</p>
<p>If you are at Digital ID World, look me up. Or come by my session tomorrow evening at 4pm. It&#8217;s the last session of the day, so I promise not to make it too heavy. But it should be interesting.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/application-centric-idm" rel="tag">Application-Centric IdM</a>, <a href="http://blog.talkingidentity.com/tag/digital-id-world" rel="tag">Digital ID World</a>, <a href="http://blog.talkingidentity.com/tag/identity-services" rel="tag">Identity Services</a>, <a href="http://blog.talkingidentity.com/tag/user-centric-identity" rel="tag">User-Centric Identity</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2007/09/digital_id_world_kicks_off_wit.html/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Oracle in Gartner&#8217;s Leaders Quadrant for User Provisioning</title>
		<link>http://blog.talkingidentity.com/2007/09/oracle-in-gartners-leaders-quadrant-for-user-provisioning.html</link>
		<comments>http://blog.talkingidentity.com/2007/09/oracle-in-gartners-leaders-quadrant-for-user-provisioning.html#comments</comments>
		<pubDate>Tue, 18 Sep 2007 20:19:18 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Oracle Identity Management]]></category>
		<category><![CDATA[Application-Centric IdM]]></category>
		<category><![CDATA[Gartner Magic Quadrant]]></category>
		<category><![CDATA[Oracle Identity Manager]]></category>
		<category><![CDATA[Provisioning]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=77</guid>
		<description><![CDATA[A lot of people wait with bated breath for Gartner&#8217;s Magic Quadrant reports on various technologies to come out. And in a relatively new and evolving space like user provisioning, the report carries even more weight in influencing the consumer base. Gartner just published their report on User Provisioning, and for the second year in [...]]]></description>
			<content:encoded><![CDATA[<p>A lot of people wait with bated breath for <span style="font-weight: bold;">Gartner&#8217;s Magic Quadrant</span> reports on various technologies to come out. And in a relatively new and evolving space like user provisioning, the report carries even more weight in influencing the consumer base. Gartner just published their report on <span style="font-style: italic;">User Provisioning</span>, and for the second year in a row Oracle (with its <a href="http://www.oracle.com/products/middleware/identity-management/identity-manager.html"><span style="font-weight: bold;">Oracle Identity Manager</span></a> product) is firmly ensconced in the <span style="font-weight: bold;">Leaders</span> quadrant.</p>
<p>Interestingly, Oracle has pulled ahead of other vendors on &#8220;<span style="font-weight: bold; font-style: italic;">Completeness of Vision</span>&#8221;. That is reflective of the strong leadership that exists within Oracle&#8217;s identity management group right now. It also reflects a lot of the innovation going into the vision for <span style="font-style: italic;">Fusion architecture</span> and <span style="font-style: italic;">Application-Centric IdM</span>. This is important considering the strong competition we face in the UP market (Novell and Courion just entered the Leaders quadrant in this report with some strong product offerings).</p>
<p>There is no intention within the team to rest on our laurels, and we have some really cool things planned for the <span style="font-weight: bold;">Oracle Identity Manager</span> product that will take it to the next level. You will start seeing these over the next few releases, so stay tuned to this blog for more on that.</p>
<p>You can read the report <a href="http://mediaproducts.gartner.com/reprints/oracle/150475.html">here</a>.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/application-centric-idm" rel="tag">Application-Centric IdM</a>, <a href="http://blog.talkingidentity.com/tag/gartner-magic-quadrant" rel="tag">Gartner Magic Quadrant</a>, <a href="http://blog.talkingidentity.com/tag/oracle-identity-management" rel="tag">Oracle Identity Management</a>, <a href="http://blog.talkingidentity.com/tag/oracle-identity-manager" rel="tag">Oracle Identity Manager</a>, <a href="http://blog.talkingidentity.com/tag/provisioning" rel="tag">Provisioning</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2007/09/oracle-in-gartners-leaders-quadrant-for-user-provisioning.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Catalyst Conf. Notes: Burton takes &#8220;Control&#8221;</title>
		<link>http://blog.talkingidentity.com/2007/06/catalyst_conf_notes_burton_tak.html</link>
		<comments>http://blog.talkingidentity.com/2007/06/catalyst_conf_notes_burton_tak.html#comments</comments>
		<pubDate>Fri, 29 Jun 2007 01:38:49 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Oracle Identity Management]]></category>
		<category><![CDATA[User-Centric Identity]]></category>
		<category><![CDATA[Application-Centric IdM]]></category>
		<category><![CDATA[Burton Catalyst Conference]]></category>
		<category><![CDATA[BurtonGroupCatalyst07]]></category>
		<category><![CDATA[Identity Controls]]></category>
		<category><![CDATA[Identity Services]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=60</guid>
		<description><![CDATA[After a day and a half, I can safely say that Catalyst is living up to its reputation of being on the cutting edge of identity trends and issues. After a typically boisterous start to the conference on Wednesday, where Mike Neuenschwander set the tone by introducing a superhero called &#8220;Captain Controls&#8221;, the conference settled [...]]]></description>
			<content:encoded><![CDATA[<p>After a day and a half, I can safely say that Catalyst is living up to its reputation of being on the cutting edge of identity trends and issues. After a typically boisterous start to the conference on Wednesday, where <span style="font-weight: bold;">Mike Neuenschwander</span> set the tone by introducing a superhero called &#8220;<span style="font-style: italic;">Captain Controls</span>&#8221;, the conference settled into its usual mix of tactical evaluation and prognostication on possible futures and architectures. Meetings forced me to miss a few more sessions than I would have liked, but I still managed to get enough of a taste for the discussions taking place.</p>
<p><span style="font-weight: bold;">Application-Centric IdM Goes Mainstream</span><br style="font-weight: bold;" />One of the cool things for Oracle is that Burton has actually identified &#8220;<span style="font-style: italic;">Application-Centric Identity Management</span>&#8221; as a legitimate methodology in the identity management space (in contrast to System Management methodologies). I have been <a href="http://blogs.oracle.com/talkingidentity/newsItems/departments/applicationCentricIdm">blogging</a> about this for a while now, as this is the main philosophy at Oracle. Of course, the reason for the elevation from buzzword to legitimate methodology is the wave of application vendors like <span style="font-weight: bold;">Oracle</span>, <span style="font-weight: bold;">Microsoft</span> and <span style="font-weight: bold;">SAP</span> that are entrenched in IAM now, and are working towards the creation of identity as a well-defined aspect of application development in their own applications and in the development environments they provide. This was reflected today when they took the stage in succession to explain their vision and strategy in the IAM space.</p>
<p><span style="font-weight: bold;">Federation Evolving</span><br style="font-weight: bold;" />One of the interesting themes of the first day sessions was an exploration of the relationship between <span style="font-weight: bold;">federation</span> and <span style="font-weight: bold;">user-centric technologies</span> (like OpenID), and their impact on both consumer and enterprise environments. After starting with a hard look at how traditionally understood federation is doing, the discussion transitioned to the state of progress in user-centric identity technologies (through a characteristically entertaining presentation by Dick Hardt). Burton made the point that loosely coupled identity provider and relying party networks, connected via user-centric technologies like CardSpace and OpenID could change the way enterprises handle the problems that today rely on legally and procedurally heavy federation mechanisms.</p>
<p><span style="font-weight: bold;">The Theme For This Year: Identity Controls</span><br style="font-weight: bold;" />Mike Neuenschwander did not disappoint the crowds yesterday with a hugely entertaining sketch involving <span style="font-style: italic;">Captain Controls</span>, a superhero that I hope will become a recurring character (<a href="http://blip.tv/file/282599" target="_blank">Go here</a> to see a video of the sketch posted by IdentityWoman Kaliya Hamlin).<br />
<img src="http://farm2.static.flickr.com/1173/653915292_76992c7cb5.jpg" alt="Captain Controls" width="400" height="300" /></p>
<div style="text-align: center;">
<pre>Captain Controls challenges Mike</pre>
</div>
<p>And while it was entertaining, it beautifully illustrated the emergence of the latest buzzword in identity management &#8211; <span style="font-weight: bold;">Identity Controls</span>. Briefly introduced on Wednesday, the topic was thoroughly explored on Thursday through sessions that took on the emerging technologies in <span style="font-weight: bold;">Enterprise Role Management</span>, <span style="font-weight: bold;">Entitlement Management</span> (aka Authorization Services) and <span style="font-weight: bold;">Identity Audit</span>, a group that Burton has acronymed <span style="font-weight: bold;">PPM</span> (Policy and Privilege Management). It represents the next step in the continuous evolution of IAM from an IT concern to a Business concern, and reflects the growing importance of IAM in the area of corporate risk management and governance.</p>
<p><span style="font-weight: bold;">Microsoft and Oracle Get It; SAP Not So Much</span><br style="font-weight: bold;" />The message of Identity Controls was further consolidated in the following presentations by Microsoft, SAP and Oracle. These sessions were revealing in that they showed the maturity of Microsoft and Oracle in the IAM space, while SAP is still trying to catch up. I&#8217;m sure this will be dismissed as a biased opinion, but my (some would say surprising) admiration of Microsoft&#8217;s new IAM philosophy will hopefully negate that. From the tone and content of the sessions, you could see that there is a huge gap between the deep understanding of IAM that Oracle and Microsoft have, and the early stages SAP finds itself in. SAP did get the GRC market going through the Virsa acquisition and integration, but they only recently seem to have realized the importance of identity in the controls business. It was illuminating that while the Microsoft and Oracle presentations both went into great detail about their vision for identity as an integral component of application architecture, the SAP talk concentrated on what they have learnt from their customers and on touting their recent MaxWare acquisition.<br />
<img src="http://farm2.static.flickr.com/1173/653915448_e7189589d9_b.jpg" alt="Thomas Kurian Keynote" width="400" height="300" /></p>
<div style="text-align: center;">
<pre>Oracle SVP Thomas Kurian explains Oracle's Application-Centric IdM</pre>
</div>
<p>The second half of the day concentrates on Identity Services, something all of you know I am passionate about and am helping drive within Oracle. Phil Hunt of Oracle will be on a panel discussing the notion of identity as a service. Should be interesting.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/application-centric-idm" rel="tag">Application-Centric IdM</a>, <a href="http://blog.talkingidentity.com/tag/burton-catalyst-conference" rel="tag">Burton Catalyst Conference</a>, <a href="http://blog.talkingidentity.com/tag/burtongroupcatalyst07" rel="tag">BurtonGroupCatalyst07</a>, <a href="http://blog.talkingidentity.com/tag/identity-controls" rel="tag">Identity Controls</a>, <a href="http://blog.talkingidentity.com/tag/identity-services" rel="tag">Identity Services</a>, <a href="http://blog.talkingidentity.com/tag/oracle-identity-management" rel="tag">Oracle Identity Management</a>, <a href="http://blog.talkingidentity.com/tag/user-centric-identity" rel="tag">User-Centric Identity</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2007/06/catalyst_conf_notes_burton_tak.html/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Project Concordia Has Its Work Cut Out For It</title>
		<link>http://blog.talkingidentity.com/2007/06/project_concordia_has_its_work.html</link>
		<comments>http://blog.talkingidentity.com/2007/06/project_concordia_has_its_work.html#comments</comments>
		<pubDate>Wed, 27 Jun 2007 18:09:48 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Application-Centric IdM]]></category>
		<category><![CDATA[Authentication Management]]></category>
		<category><![CDATA[Burton Catalyst Conference]]></category>
		<category><![CDATA[BurtonGroupCatalyst07]]></category>
		<category><![CDATA[Project Concordia]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=59</guid>
		<description><![CDATA[I attended the Project Concordia workshop yesterday, ahead of the Catalyst conference. I mentioned the project in a blog post last week; it has the worthy goal of trying to initiate efforts that make sense of the competing standards and methodologies that exist in the identity world. I found myself enjoying the kind of lively [...]]]></description>
			<content:encoded><![CDATA[<p>I attended the <span style="font-weight: bold;">Project Concordia</span> workshop yesterday, ahead of the Catalyst conference. I mentioned the project in a <a href="http://blogs.oracle.com/talkingidentity/2007/06/can_project_concordia_guide_us.html">blog post</a> last week; it has the worthy goal of trying to initiate efforts that make sense of the competing standards and methodologies that exist in the identity world. I found myself enjoying the kind of lively discussion that makes you glad to be part of such a dynamic community. Built around 5 use case presentations done by organizations deploying identity solutions today, the goal of the workshop was to identify the protocol interoperability challenges that these implementations are facing and what needs to be done to solve them.</p>
<p>The use cases presented by <span style="font-weight: bold;">AOL</span>, <span style="font-weight: bold;">Boeing</span>, <span style="font-weight: bold;">Govt. of British Columbia</span>, <span style="font-weight: bold;">GM</span> and <span style="font-weight: bold;">US-GSA</span> were quite detailed and very articulate with regards to the challenges being faced in their deployments. Since the discussion was one of standards and protocols, the discussions focused primarily on the authentication and federation pieces in the identity management puzzle (as those standards are the most evolved in the identity space).</p>
<p>Some common themes emerged in the discussions:</p>
<ul>
<li>Usability of the authentication process was identified as an area that is greatly lacking, and potentially needs some work by the standards bodies. The whole idea is to make the life of the end-user easier. Users shouldn&#8217;t have to worry about which credential they need to use, but should still have a choice of which credential they want to use.</li>
<li>Seemingly at opposite ends of the spectrum, incorporation of the device into the authentication process (reliance on OS authentication) and independence from the device (for portability of identity across laptops, cellphones and kiosks) were identified as being key requirements</li>
<li>Setting up federations still requires too much investment and time, preventing it from being a scalable solution to the single identity problem</li>
<li>In the context of single sign-on across web applications, the topics of session timeouts and global logout generated much discussion</li>
<li>Standards are being unevenly implemented by vendors. All cover the basic aspects of the spec, but none implement the whole spec, usually on edge features, which causes confusion, surprises and incompatibility.</li>
<li>Everyone agreed that the non-technology aspects of federation are more complex than the technical aspects</li>
</ul>
<p>The <span style="font-weight: bold;">AOL</span> use case was very interesting as it was the only one that was purely in the consumer space, and discussed the role their OpenID strategy plays in it. The others had more of an enterprise feel to them. At the same time, enterprises like <span style="font-weight: bold;">Boeing</span> and <span style="font-weight: bold;">GM</span> stated that they were actively trying to figure out where OpenID would fit into their business model. <span style="font-weight: bold;">GM</span> and <span style="font-weight: bold;">Boeing</span> both talked to the issues of deploying federation with 1000s of partners, and for a mobile workforce in manufacturing environments where issues of presence and entitlement management are key. The <span style="font-weight: bold;">Govt. of British Columbia</span> presented an interesting challenge of creating a federation with both large and small &#8220;organizations&#8221;, where organizations is a loose term that not only covers businesses but also small proprietorships like doctors&#8217; offices, where the opportunity to deploy complex software does not exist.</p>
<p>The use case presentations engendered some lively discussions that were both entertaining and thought-provoking. Mike Beach of Boeing (never one to shy away from creating controversy) questioned the need for interoperability, postulating that maybe convergence of the standards is better. That is the essence of the challenge that Project Concordia faces &#8211; how to come up with an elegant, usable solution out of the morass of standards that different interests have thrown into the ring.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/application-centric-idm" rel="tag">Application-Centric IdM</a>, <a href="http://blog.talkingidentity.com/tag/authentication-management" rel="tag">Authentication Management</a>, <a href="http://blog.talkingidentity.com/tag/burton-catalyst-conference" rel="tag">Burton Catalyst Conference</a>, <a href="http://blog.talkingidentity.com/tag/burtongroupcatalyst07" rel="tag">BurtonGroupCatalyst07</a>, <a href="http://blog.talkingidentity.com/tag/project-concordia" rel="tag">Project Concordia</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2007/06/project_concordia_has_its_work.html/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The Simple Things Seldom Are</title>
		<link>http://blog.talkingidentity.com/2007/06/the-simple-things-seldom-are.html</link>
		<comments>http://blog.talkingidentity.com/2007/06/the-simple-things-seldom-are.html#comments</comments>
		<pubDate>Fri, 22 Jun 2007 01:07:48 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Oracle Identity Management]]></category>
		<category><![CDATA[Application-Centric IdM]]></category>
		<category><![CDATA[Identity Services]]></category>
		<category><![CDATA[Oracle Identity Manager]]></category>
		<category><![CDATA[Provisioning]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=58</guid>
		<description><![CDATA[It&#8217;s amazing how often we (and by &#8220;we&#8221; I mean those of us who deal with the high flying world of identity management) get brought back to earth by the reality of everyday life. Usually, this happens when someone asks such a simple and obvious question that we wonder how we overlooked it in the [...]]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s amazing how often we (and by &#8220;we&#8221; I mean those of us who deal with the high flying world of identity management) get brought back to earth by the reality of everyday life. Usually, this happens when someone asks such a simple and obvious question that we wonder how we overlooked it in the first place.</p>
<p>A while back, I was pulled out of the world of identity services, Open ID, protocols and exotic role structures by a simple request posed by a prospective customer. In evaluating our product, they were wondering (quite innocently) if there was any way to improve the rate of identity on-boarding and ongoing reconciliation by a factor of 10.</p>
<p>&#8220;A factor of 10&#8221;, we mused? Why? Obviously everyone wants fast performance, but this is taking things to a whole new level. As an engineering organization, we have already put in a fair amount of time optimizing the behavior of the product to make it work as efficiently as possible, bringing performance to a level that matches the benchmark requirements of our (fairly large and sophisticated) customer base. On top of that, we have tools and best practices to help customers create solutions that fit their needs. Despite all of these, we were not going to meet their requirements.</p>
<p>A little work helped us identify the solution to their problem (it was based on a divide-and-conquer approach of data segmentation and parallel scheduled jobs). So we were able to achieve the required throughput. But it required some fancy footwork and fancier system configuration.</p>
<p>And just this week, I heard the same requirement again. Except that this time, the required factor was a 100. It made me think &#8220;The more things change, the more they stay the same&#8221;. For all the fancy capabilities we are trying to add on to our product lines, we just can&#8217;t afford to ignore the fundamentals.</p>
<p>Yesterday I read a <a href="http://blogs.sun.com/identity/entry/china_mobile_adds_5_28">post</a> by Mark Dixon talking about China Mobile. The statistics are incredible:</p>
<ul>
<li>327 million subscribers</li>
<li>5.28 million subscribers added in May alone.</li>
</ul>
<p>The implications are pretty clear. For identity services to become a reality, IdM products (like ours) need to scale up tremendously, without sacrificing all the bells and whistles that have been added (for auditing, role management, automated provisioning and compliance, among other things). As technologies like Open ID and CardSpace move us closer to the day of a single internet identity (one hopes), the applications that rely on the identity services to make all this possible are going to demand better functionality without any sacrifice in performance.</p>
<p>This will require work at every level of the stack &#8211; the data store, the application container, the IdM service provider, the identity frameworks and the applications themselves. Oracle is working hard on all of these. But for all that, I look at some of the efforts underway (like in the Higgins project) and some of the technology protocols (like XACML) and wonder: Are we really ready for something like this?</p>
<p>What do you think?</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/application-centric-idm" rel="tag">Application-Centric IdM</a>, <a href="http://blog.talkingidentity.com/tag/identity-services" rel="tag">Identity Services</a>, <a href="http://blog.talkingidentity.com/tag/oracle-identity-management" rel="tag">Oracle Identity Management</a>, <a href="http://blog.talkingidentity.com/tag/oracle-identity-manager" rel="tag">Oracle Identity Manager</a>, <a href="http://blog.talkingidentity.com/tag/provisioning" rel="tag">Provisioning</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2007/06/the-simple-things-seldom-are.html/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

