The week before that, the Cloud Identity Summit (July 18-21) will once again be warming us up for Catalyst by hosting an impressive gathering of subject matter experts and thought leaders talking about the intertwined worlds of identity and the cloud. And this year, I’ll be there too, giving a talk on the future of identity provisioning (July 20 at 12:00pm). Following up on the talks I gave last year at Gluecon and at Catalyst, I’ll be bringing my cred as a provisioning expert to bear in examining if identity provisioning even has a future in the pull-based future of identity (spoiler alert: it does), and what it might look like, given recent developments in the space and advancements in cloud architectures. In an unfortunate scheduling mishap, I will be going up against Pamela Dingle’s session on identity and mobility, which I would have loved to sit in on myself. I’m sure she’ll be peppering her session with cuteness in the form of cats or cuddly toys, so I’m going to have to up the game and incorporate something bad-ass into my session, like Transformers or Angry Birds (Iron Man was so last year). Pam, you’re going down

Two weeks. Two great conferences. And me at both. So be there or be square!

Tags: Burton Catalyst Conference, Cat11, Catalyst11, CIS11, Cloud Identity Model, Cloud Identity Summit, Conference, Federated Provisioning, Gartner Catalyst Conference

This was the topic of discussion at a SIG on Standards-based Provisioning organized by Gartner’s Mark Diodati at the recent Catalyst conference. The meeting was attended by some really smart folks in the community, and engendered a lively discussion on the future of SPML and the direction it should take. Mark has published a statement on the Gartner blog network that reflects the outcome of the discussion. Given the recent reboot of the Provisioning Services Technical Committee at OASIS, this is an important document for everyone concerned to read.

One of the most important points raised during the meeting was this:

In trying to address every possible use case, interoperable provisioning services leveraging the SPML v2 standard became impractical. Since the approval, few (if any) conformant implementations exist due to the complexity of the v2 standard.

The path to success in the standards world is based on a focused approach to solving specific use cases. No standard can be all things to all people, and with provisioning in particular, we need to recognize that there are different approaches that solve the challenge in optimal ways for their use cases (my recent assertion regarding IGF as underlying pull-based provisioning is an example). So there need to be an effort to continue refinement of SPML 2.0, making it simpler to implement and based on specific use-cases that are of interest to the community. If you have such use-cases, please consider joining the discussion within the PSTC and submitting them there. There is much that needs to be done.

And a big thank you to Mark for pulling together the SIG. It was an excellent and timely effort, one that I hope proves instrumental in accomplishing it’s goal.

Tags: Burton Catalyst Conference, Cat10, Provisioning, SPML

On Wednesday, I gave a talk entitled “Beyond SPML: Access Provisioning in a Services World” which built on my Gluecon talk and work with Fusion architecture to provide a vision for the future of provisioning. The central thesis is that as we move from Push to Pull models in Identity, provisioning becomes a key component in making sure that policy and process controls are still enforced. But this requires a fundamental evolution in application and middleware architecture towards services-oriented security and externalized identity.

I was extremely gratified to receive lots of positive validation and feedback about the vision I expressed in my presentation. And it really fit in with the theme flowing through the presentations in the provisioning section, which was focused on moving to a more streamlined, manageable, scalable provisioning future. It also echoed sentiment that provisioning is a multi-faceted problem with different interaction points and flows and will therefore require a combination of standards rather than just one standard. This was really driven home by the extremely interactive SPML SIG meeting that I participated in (organized by Mark Diodati) where there was generally agreement that SPML needs to get really focused on specific use cases rather than trying to be all things to all possibilities.

I am looking  for input, so check out the deck and leave me comments on this post. I will definitely be building on the ideas in there with our identity management team to move the vision of service-oriented security forward. But for it to be useful, it has to resonate with the IdM and application development communities. And that’s where we all have to work together in making this a reality.

Tags: Burton Catalyst Conference, Cat10, Federated Provisioning, Provisioning, SPML

Please note that the rooms for the different tracks at Catalyst were switched, with IdPS moving to Sapphire AB. So if you were going off the information Oracle sent out, or the Oracle Hospitality Suite invite in your Catalyst registration bag, then please note that my session will not be in Sapphire CD, but will be in Sapphire AB instead.

And be sure to drop by the Oracle Hospitality Suite in Aqua 308 on Wednesday evening to check out the 11g demos, enjoy some good food and drink, and hang out with some of the cool cats of Oracle Identity Management (and me!).

Tags: Burton Catalyst Conference, BurtonGroupCatalyst10, Cat10, Oracle Identity Management, Provisioning

Day 2: Lets get back to basics

The first half of Thursday was focused on enterprises looking for ways to achieve efficiencies and ROI through their IdM deployments, an outcome that had lost its relevance in the rush to achieve compliance objectives. But the current economic climate, and the slew of M&As (mainly As) and layoffs has brought this to the forefront once again, and sustained market interest in IAM when other initiatives are being pared back.

The day was a very good one for hearing about how customers were leveraging their IdM deployments in creative ways.

• I heard some interesting use cases of how Virtual Directory was being used to achieve efficiencies.
  • Companies are using Virtual Directory to expose the same identity data in different forms for different use cases.
  • The presenter from Sony talked about using Virtual Directory on top of geographically local LDAP servers to provide global access to data while satisfying their data compliance needs.
• There were a couple of sessions on managing UNIX infrastructure via AD (which is when I ducked into the cloud computing track).
• Wendy Booker of SunTrust Banks described how they used the cost savings (which they had to demonstrate and prove) from their IdM deployment to self-fund their project, which was a story I am sure more than a few attendees were interested in.

What I found really great was that a lot of the sessions were presented by organizations that had moved on to the 2nd or 3rd phases of their identity management program rollouts. This is quite different from all the previous conferences (Catalyst and others) I have been to, and speaks to the maturity of the market and some of these deployments.

The second half of the day was focused on identity transparency and governance. One of the most important points of the conference was made by Chris Howarth in his excellent kickoff talk, when he said that identity management must facilitate both hierarchical organizations that are necessary to implement enterprise controls, and social networks that are necessary for collaboration to take place. A lot of the discussion in the following talks were focused on the need to increase transparency with respect to how identity data is used, managed and secured to allow for accurate risk assessment and compliance to take place (echoing what was discussed in the cloud computing SIG). And increased transparency only works when complexity is reduced (preventing opacity from just being replaced by obscurity), an architectural requirement that aligns nicely with the identity services vision discussed on day 2.

Day 2 ended with the second night of hospitality suites, including Oracle. We got such a crowd in the Oracle suite that I barely managed to leave it for a few minutes to meet up with some old friends and colleagues in the other suites. And I made some good friends that day (and into the night – not a topic for this blog). I will say that celebrating Ian Glazer‘s birthday at a speakeasy called Prohibition was very cool, even if they didn’t ask me for the password.

Day 3: Identity and Privacy are Blood Brothers

Day 3, while just a half day, still packed a solid punch with lots of intellectually stimulating discussion on the topic of privacy. Ian Glazer made a good point at the start of the conference when he said that the identity community is uniquely qualified to deal with the emerging privacy issues. And the sessions on Friday laid out exactly why. The key point made was that Security (making it difficult to get to something you shouldn’t have access to) should not be confused with Privacy (making it easy to get to something you should have access to). They are related, but not the same thing.

Robin Wilton gave an inspiring talk in which he laid out a framework for having productive privacy discussions with the multiple stake-holders involved. He arrived at this framework by analyzing the results of a series of round table discussions held around the globe as part of the Liberty Alliance Privacy Summit to get contextual understanding of privacy. Robin laid out a “Ladder” framework (Philosophy | Strategy | Implementation | Technology) that helps the parties involved focus on the use cases and issues to resolve. I hope he makes his presentation publicly available in some format in the future, because really is a great piece of work.

Bob Mocny, Director of the US-VISIT program, talked about some of the identity and privacy issues involved in running the single largest biometric authentication program in the world. One of the key takeaways from his and the follow-up sessions was the need for organizations to implement privacy audits as separate programs from their IT-Security audits.

Heidi Wachs, Directory of IT Policy and Privacy Officer at Georgetown Univ, gave an interesting talk about the lessons learned during Georgetown’s efforts to  handle a privacy breach. What I found fascinating was how they went about trying to create and enforce a policy on the use, collection and retention of SSNs. Their findings on how far the data was “leaking”, how hard it was to track down all the possible data flows, and how users went to great lengths to hide their mistakes were a lesson that every enterprise should be aware of. It also highlighted the challenges the extended enterprise, working with business and IT partners and services providers, faces in locking down privacy issues.

The day ended with Google talking about how they protect the privacy of their users. It may have only been a half-day, but the quality of content made it a fitting way to end a thought provoking conference. Look forward to what the next one has to bring.

Tags: Breach Remediation, Burton Catalyst Conference, Catalyst09, Identity Governance, Ladder Framework for Privacy, Privacy, Privacy Audits, Virtual Directory

Day 1: A focus on IdM evolution

I don’t know if this was par for the whole conference, but at least in the IdPS track, each half day was devoted to a particular theme. The first half of day 1 was a landscape update as usual, and focused on some of the interesting developments in the space, like Oracle’s pending acquisition of Sun (that’s all I’m going to say on that topic), the integration of DLP (data leakage prevention) with IdM programs, and the emergence of some commercial Identity Oracles.

I especially liked Bob Blakley’s discussion on Identity Services, since it resonated with a lot of what I have been talking about on this blog and the work I have been doing at Oracle. In his talk on the subject, Bob pointed out that cloud-based identity services will challenge the fundamental architectural notions of IdM infrastructure. The large blocks of IdM functionality that we are used to – access management, provisioning etc – will get broken down into smaller, modular pieces – like identity proofing, enrollment, identity risk assessment, breach remediation – that can interplay within enterprise environments as required. This is pushing the market towards smaller, specialist vendors that handle specific services rather than the large IdP that is a one stop shop for all identity needs. And these services have to work in concert with each other to provide the enterprise the value they are looking for. The vendors that have emerged in this space are delivering their services via various deployment models – ranging from on-premise SaaS to cloud-based services – but mostly stick with the per-user/per-transaction billing model. And all of them are going to get a big push when some of the cloud security issues currently holding enterprises back get resolved.

The second half of the day focused on a big part of IdM’s evolution – the mainstreaming of role management and the ascending discussion on the nature of Entitlement Management. Role Management is now widely accepted as an important part of any comprehensive identity management practice, and Kevin Kampman’s talk on the subject highlighted the importance of positioning it as a business problem instead of a technical problem. In discussing the results of a survey Burton conducted with customers that did role management projects, Kevin laid out the premise that the tools are actually secondary when it comes to implementing role management. First and foremost is the need for customers to understand the business processes that impact the design and use of roles, and document the same so that a practice could be built around them.

And as role management has taken hold in the conscious of IdM practitioners everywhere, entitlement management is rearing its head as a disruptive topic. In what was a theme for the conference, Burton laid out a terminology issue that exists around the term “entitlement management”, which is often used to describe tools that deal with runtime evaluation of fine-grained authorization decisions (like what Oracle Entitlement Server does), and neglects the lifecycle management practice around entitlements and their assignments. As customers dig deeper into their role management projects, they are finding that what they really want to do is entitlement management. And the tools to help with the lifecycle side of this equation are just not there.

The day finished at the hospitality suites, where a lot of the evolution being discussed here was on display. There was also a very successful interoperability event demonstrating SSO for cloud-based applications, a first step towards management of the extended cloud-based enterprise by enterprise IdM deployments. All in all, day 1 was quite satisfying. But the best was yet to come.

Tags: Burton Catalyst Conference, Catalyst09, Entitlement Management, Identity Services, Role Management

The SIG Meetings

For me, the conference was divided into two parts. Monday and Tuesday I attended a few SIG meetings on topics that were varied yet highly interconnected. Monday was a meeting of the Concordia Workshop, which is now a discussion group under the new Kantara Initiative. The focus of the meeting was Use Cases driving Identity in Enterprise 2.0: The Consumerization of IT. The ever intrepid Eve Maler has posted materials from the day to the Concordia site, so you can check them out yourself. While the individual discussions covered all manner of areas, the connecting thread throughout was Authorization. There was a morning discussion where a panel talked about the progress made in the authorization space, from the XACML API contributed to the TC by Oracle and Cisco, to the emergence of AuthZ as the critical service in the identity services reference architecture being developed in the Burton Group ISWG (which I have been participating in and writing about). Mike Gotta and Alice Wang gave an excellent talk on the emerging concerns regarding social tools in the enterprise, and a lot of those concerns again boil down to authorization issues, in this case regarding data and information. Eve talked about her work on the ProtectServe protocol that enables authorized data sharing from a user perspective. And the day finished with a talk on Levels of Assurance, a critical piece in allowing for partners to make informed authorization decisions.

Tuesday started with a meeting on Cloud Computing Security and Identity Management. As readers of my blog/twitter know, I have been saying for a while that cloud computing is going to have a major impact on the identity management business, in much the same way that compliance concerns did a few years ago. It is probably a sign of the immaturity of the market that the discussion was focused on describing the challenges to be solved rather than any solutions.

The meeting included a deep dive presentation by Liam Lynch, Ebay’s Chief Security Strategist, on how the auction giant tackles their internal cloud computing needs. There were a few points made during his presentation that I found interesting:

• eBay is into cloud computing as a provider, not a consumer, since they allow 3rd party developers to create their own auction sites on eBay infrastructure using a development kit called eBox
• As such, eBay feels that security considerations have to be made inherent in cloud architecture as they cannot rely on these 3rd party developers to not make mistakes
• eBay uses contextual behavior and reputation, including biometric analysis, as the underpinnings of its identity management strategy. Reputation and behavior analysis generate (over time) dynamic identity claims that then get used in access control decisions
• eBay found RBAC to be a bad match for their performance requirements, and shifted to a claims-based model for authorization. In this model, claims are attached to the data object being accessed itself (sort of a next-generation ACL). The access then compares the claims the actor has at runtime with these to make an authorization decision.
• Liam made the point that managing access through roles was a bad model for them, which is why they went claims-based. I understand the performance concerns that arise when evaluating RBAC at runtime, but for managing the grants of access, nothing beats a role-based model. So I was a little surprised by his statement. When I dug deeper, it turned out that they simply replaced RBAC with Organization-based AC, and not because of performance reasons but because of compliance reasons since the org change has approval attached while the role change did not. So it wasn’t really an issue with RBAC, just the implementation they had in-house.
• Liam pointed out that a move to the cloud can be an opportunity to fix broken internal processes, since the cloud will amplify any issues you may have

The meeting also had Nils Puhlmann, co-founder of the Cloud Security Alliance, speaking to the participants on the need to come up with a practical security checklist that all Cloud Service Providers could be measured against, so that enterprise customers can make accurate assessments of the risk with using a particular CSP. He called for greater vendor involvement and focus on the cloud, since the cost dynamics of the cloud make adoption inevitable. And that CSPs need to be more transparent about their security controls and policies.

Later that afternoon I attended the next meeting of the Identity Services Working Group that I’ve been participating in. There were a lot of new folks in the audience, so it was a good opportunity to recruit new blood into the effort. As Kevin Kampman presented the work that had been done previously on the Authentication service and laid out the effort lying ahead on the Authorization service, we got into highly spirited, and productive, discussions on the nature of the services architecture. One of the points made repeatedly (and which was echoed later in the week during the sessions) was the terminology issue that plagues the identity community, in this case around words like Policy (vs. policy). There was a strong sentiment from the group that policy management needs to be made part of the overall framework for it to work properly. And there was also a strong push from the group to try and condense the best of the prior efforts at defining AuthZ services into our vision.

While on the surface all of these SIGs were on different topics, I found them to be highly intertwined. Identity concerns in cloud computing are tied in directly to the need for an identity services architecture that allows cloud services to leverage enterprise identity (and therefore security) apparatus, thus reducing risk for the enterprise and providing compliance with both internal and regulatory controls. And Enteprise 2.0 is mostly about the intrusion of  cloud-based services like social media into the enterprise environment (or the extrusion of the enterprise into commercialized IT services, depending on how you want to look at it), where concerns about consistency of identity and controls are foremost in the minds of CIOs and CISOs everywhere. So while the discussion is still somewhat fragmented (as it probably should be at this time), I look forward to all of this coming together nicely in the future (maybe even at a future Catalyst conference).

I think I need to do a better job breaking these posts into smaller, more readable chunks. My next post(s) will focus on the sessions themselves.

Tags: Authorization, Burton Catalyst Conference, Catalyst09, Cloud Computing, eBay, Identity Services, Kantara Initiative, Oracle_IDM, Project Concordia

Tags: Burton Catalyst Conference, BurtonGroupCatalyst08, Identity Services, ISWG

It doesn’t look remarkably different from what I have presented previously on this blog, but it do want to point out some of the evolving ideas captured in the diagram above:

• Some of the ongoing discussions that I have blogged about previously have led to a clearer definition of the service called the Identity Hub . In fact, we just put out an Oracle whitepaper talking about the Identity Hub in detail.
• It has become clear that the API Interfaces that the applications rely on to consume these services should be coming from the container that the applications are built on.
• The provider model by which various IdM products plug into the architecture as Service Providers (within the container) is starting to take shape, thanks to good discussion happening in the standards and vendor communities. Consuming applications will not know or care about the specifics of the deployment. This also provides a way for the existing IdM investments to be leveraged (provided we can get all IdM vendors to agree to the requirements of being an Identity Service Provider).
• Authentication and Authorization are both going to have to support contextual and risk-based decisions. This will require greater communication from the applications into the services, and vice-versa.

You can check out a presentation I have put together on how the various IdM products in Oracle Identity Management can be used to create an initial version of this Identity Services Platform. This is an adaptation of my OpenWorld presentation that I will be using in discussions with some customers that are interested in working with us to define their identity services strategy. As always, input and feedback is welcome. And feel free to tell me specific portions that I should talk about in detail in this blog.

Remember, you can find all my published materials (the presentation referenced above, all the Oracle whitepapers on Identity Services, and more) on the downloads page of my blog.

Spreading the Word on Identity Services at Catalyst Europe

My exciting fall season continues as I head to Europe next week. My trip starts with a brief stopover in London for some meetings, after which I head to Prague for the Europe edition of Burton Group’s Catalyst Conference. I’ve been to Prague before (for pleasure, not business), and I absolutely love that city. So that is as good a reason to go as any.

My participation in Catalyst Europe is to continue to spread the gospel of Identity Services. On Thursday, Kevin Kampman will be presenting the results of the work that has been done so far in the ISWG. Following that, I will be on stage as part of a panel discussion involving both customers (TD Bank, BT, Credit Suisse) and vendors (IBM, Novell, Sun and of course Oracle) that are part of the ISWG.

Title: Identity Services Roundtable: Aligning Vendor Strategies with Customer Needs
Date: Thursday, 23 October 2008
Start time: 11:55 am
End time: 12:45 pm
Room: Congress Hall 2

Should be an interesting discussion. We’ve had some very good workshops in the working group, and we are anxious to put the results out there for people to see and comment on. It is very much a work-in-progress, so lots of feedback is expected. If you are going to be at Catalyst Europe, then please stick around for this roundtable (unfortunately, it is scheduled as the last session in the conference) and participate. And remember to follow me on Twitter for real-time updates on my Europe trip and the proceedings at Catalyst Europe.

Tags: Burton Catalyst Conference, Identity Hub, Identity Services

Day 2 of the Catalyst Conference turned towards the more pragmatic topics of role management and provisioning. It was with a great deal of interest that I heard Tim Weil discuss a standards effort he is leading to promote the implementation and interoperability of RBAC components. As I understood it, the goal is to make it easy for roles defined in one system (say ORM or SailPoint) to be used in another system (OIM or Sun IM), without having to do massive integration projects. Burton’s Kevin Kampman has blogged about this if you are interested.

Tim’s perspective on this is very relevant, having dealt with such practical issues through numerous implementation projects while at Booz Allen Hamilton. It was this very perspective that I wanted to tap into by asking him a question that vexes me a lot, but he gracefully sidestepped since it wasn’t directly related to the talk he was giving. However during a Twitter exchange with Ian Glazer I promised to explain my side fully in a blog post, so here goes.

My Question To Tim

Is the NIST RBAC standard fundamentally flawed, given that it is missing a key element in access control decisions – relationships, the very thing that Burton spent day 1 of the conference stating was the missing link for IdM to tackle?

My Thesis

It is, and companies looking to the NIST RBAC standard as the template for how to approach role management are going to end up missing the boat.

My Rationale

In a conversation later with Ian and Lori, I illustrated my case with the following access control examples:

Scenario A

A doctor wants to enter a hospital he is assigned to, presumably using a physical access device like a Honeywell card. In order for the doctor to get into a hospital, all he needs is for his identity in the system to have a “Doctor” role that is checked for when he enters the hospital. This is a simple scenario that the NIST RBAC standard can easily take care of.

Scenario B

However, in order for that doctor, Dr. X, to view the medical charts (electronically) of a particular patient, Patient Y, the good doctor not only needs to have a “Doctor” role, but also needs to have the “Attending Doctor” role WITH RESPECT TO Patient Y. In other words, the Access Control around the medical charts is based on a specific relationship established between Dr. X and Patient Y, that could be expressed as a relationship-based role. NIST RBAC seems to be wholly unequipped to handle this use case.

NIST RBAC is an important tool to any discussion on role structures. But it should not be treated as complete by any means, merely a start. The use case illustrated in Scenario B is rapidly becoming the more common use case, as Fine-Grained Authorization needs and Data Security come front-and-center in the discussion around Access Control. Yet work on resolving such scenarios is currently excluded from discussions on RBAC and left up to the ABAC (Attribute-Based Access Control) crowd. Having two different mechanisms to implement security (often in the same systems) will surely lead to more holes than a chunk of swiss cheese.

Those that feel this is promotion for our ORM (formerly Bridgestream) product should know that it is not, since the relationship-based roles concept that they created has so far been limited to approval use cases, and has not made its way into any access control discussions. One reason I feel this isn’t happening is because it seems no one has figured out how to express this in an XACML policy, which can easily handle ABAC, but not Relationship-based RBAC. This led to the next controversial question I asked at Catalyst, which I will bring up in a later post.

I’d love to hear other perspectives on this, so leave me some comments.

Tags: Burton Catalyst Conference, BurtonGroupCatalyst08, NIST RBAC, RBAC, Relationship-Based RBAC, Role Management