Both these products attempt to solve a very interesting problem – providing controlled, audited access to passwords for highly privileged administrator accounts. Also referred to as service accounts, these types of accounts have been a problem in the IAM space for a long time. They usually do not belong to one person, though there is typically one administrator who “owns” the account. These accounts are often shared between different users, making it difficult to track who actually used the account when they logged into the system (a compliance nightmare). They are also used in application integration scenarios, making them especially critical to an enterprise’s complex infrastructure.

While a tool like OIM can be used to manage the lifecycle of these accounts, a tool like EPV can step in to provide a lot of help in the runtime usage of these accounts. The basic idea is simple: Any time a user wants to log in using one of these accounts, they obtain the account password from EPV (check out the password). They use that password to log in, and after finishing their work, they let EPV know that they are done using the account (in effect, checking in the password).

This simple methodology allows EPV to do some interesting things. Because of the need to check in and check out passwords, EPV makes sure that only one person is using the privileged account at any time, and is able to track who was logging in using that account at any given time – thereby solving the all important audit issues associated with such accounts. EPV is also able to then layer a lifecycle process around that password, changing it (through a connector mechanism) to a new, randomly generated value after it has been used (checked out and back in). This prevents any user from logging back into the system using that same password at a later time. In effect, it makes sure that all passwords used by anyone to log into a privileged account are random, one time passwords.

While the overhead of the password lifecycle could prove burdensome in certain usage scenarios for privileged accounts, it is not really a problem in the vast majority of use cases involving UNIX root accounts, DBA accounts and Windows Administrator accounts

You can learn more about Oracle and Cyber-Ark’s collaboration here.

Tags: Burton Catalyst Conference, BurtonGroupCatalyst07, Cyber-Ark, Oracle Identity Management, Password Management, Privileged Account Management

• Facebook demonstrates that opt-out privacy does not work.
• Fears over Facebook identity fraud

Both illustrate how the world that identity management operates in is changing rapidly, and that IdM needs to keep up.

The first article clearly points to the behavioral patterns that those entrusted with protecting users identity and privacy should understand. You can’t rely on users to protect themselves when they don’t know that they are at risk. Teenagers growing up with these technologies will have an inherent trust in these systems, and so the technology must learn to empower the user, not by giving them enough rope with which to hang themselves, but rather by giving them the right controls to determine correctly how they want to handle their information. In other words, adopt a more user-centric model (boy, I can hear the flames coming for that one).

The second article points to a far more subtle but important fact of digital life. The nature of “identity secrets” is changing. Once commonly accepted secrets for verifying a persons identity (like “mothers maiden name”, “city you were born in” or “the first car you ever drove”) are no longer secret in the age of blogging and tell-all MySpace pages. Bob Blakely put it out there pretty bluntly in a talk he did at Catalyst called The End of Secrecy – “You have no secrets anyway, get over it”. While he was talking about the nature of privacy, it also applies in a much more mundane way to the identity systems in play today – reliance on the same old model of individual secrets is not only passe, it is downright dangerous.

The new model being proposed nowadays is commonly encapsulated in the phrase “What I Have, What I Am, What I Know“. What I Have usually refers to some kind of strong authentication token (smart card, token, USB key). What I Am is an extension of the previous in the form of some biometric identifier (fingerprint, retinal scan, voice recognition). What I Know is a secret (password, PIN, mothers maiden name). As can be seen, the model still relies on a secret, but that has been bolstered by two other factors of authentication. While this is good enough for now, it does seem that new techniques will need to be discovered as increasing computation power and better technology weaken the other two factors over time.

Who knows, maybe the next big thing in identity management will be behavioral pattern analysis (“What I Will Do“) as a form of authentication (see the work being done at the University of Ottawa on a technology they call 3D Password).

Tags: Authentication Management, Burton Catalyst Conference, BurtonGroupCatalyst07, Facebook, Personal Identity Management

Identity Services, Where Art Thou?
The second half of day 2 was dedicated to the subject of identity services. While Burton has been leading the discussion on the subject, they have encountered similar obstacles as the rest of us in trying to define a vast, amorphous area that is constantly being pulled apart by different parties. Whether it be vendors or customers, identity services tends to get defined either by what they need most, or can do the best. So arriving at one clear definition is difficult, leaving us with the very abstract, high level view that we have been stuck with for a while.

One of the interesting things I found out was that Burton has formed an Identity Services Working Group (ISWG) consisting of 9 of their customers. It is much more formal than I was expecting, collaborating via members-only wiki and following the Chatham House Rule. It will be interesting to see what comes out of the effort.

Meanwhile I, Prateek and Phil had some good conversations with colleagues at other vendors on the possibility of collaborating on defining identity services. There is recognition of the fact that a good identity fabric can only defined through a collaborative effort.

It is also interesting to see that the most recent entry into the IdM space is also the one gaining most traction as a true identity service – authorization service (aka entitlement management).

Oracle Had A Busy Catalyst
Catalyst turned out to be a really busy time for Oracle, with the IdM division making some major announcements around a major expansion of the Extended Identity Management Ecosystem. The Ecosystem is a set of ISVs that provide value-added integrations to Oracle’s IAM offering, delivering comprehensive identity management solutions to customers. In all 8 new members were added to the eco-system, providing new capabilities in the following areas:

• Strong Authentication: Arcot, Imageware, TriCipher
• Physical Access Control: Quantum Secure
• Network Access Control: Juniper Networks, ForeScout
• Privileged Accounts Management: Cyber-Ark Software
• Federated Identity: Pay By Touch

You can read the press release here.

The solution that I found interesting was the one offered by Cyber-Ark. I’ll follow up on that solution in a future post.

Oracle and Wipro also announced an offering in the area of outsourced identity management services, called Managed Identity Services. It uses the various components in the Oracle IAM suite to deliver a set of managed services in the areas of provisioning, access control, federation, etc. Seems like Identity has arrived in the world of SaaS. You can read that press release here.

And We Had Some Fun Too
What I value most at these conferences is the opportunity to meet face-to-face with the people that shape and influence not just my approach to the space, but the very space itself. And this conference presented a host of such opportunities. Besides having some very interesting conversations with the Burton guys, I had the chance to meet up with a bunch of folks (some for the first time in person) at dinner, courtesy of good ol’ Mark MacAuley. The dinner had way too many Mark’s for one table, but proved to be a fun evening nonetheless, with some good banter. It was interesting to be sitting next to ex-Waveset and ex-Access 360 folks (Mark McClain and Ian Glazer respectively), folks who at one time probably had their faces painted on dart boards in the ex-Thor offices (I kid, I kid). But as Ian points out on his blog post about it, there is a thread that ties us all together, and it is good that we can sit down to laugh over our experiences in this industry.

Photo from Ian Glazer's blog at TuesdayNight

And the hospitality suites at Catalyst also offer a different way to connect with customers. Outside the usual confines of an exhibition hall booth, you get the opportunity to chat with them in an informal, fun atmosphere. And I think the casual atmosphere serves to loosen folks up a bit, because you definitely find yourself having a much more open discussion with folks.

And of course, many of the customers implementing OIM make an appearance at Catalyst as well, giving me a chance to talk with them about much more mundane, yet practical, matters.

And now, back to the drawing board.

Tags: Burton Catalyst Conference, BurtonGroupCatalyst07, Identity Services, Oracle Identity Management

Application-Centric IdM Goes Mainstream
One of the cool things for Oracle is that Burton has actually identified “Application-Centric Identity Management” as a legitimate methodology in the identity management space (in contrast to System Management methodologies). I have been blogging about this for a while now, as this is the main philosophy at Oracle. Of course, the reason for the elevation from buzzword to legitimate methodology is the wave of application vendors like Oracle, Microsoft and SAP that are entrenched in IAM now, and are working towards the creation of identity as a well-defined aspect of application development in their own applications and in the development environments they provide. This was reflected today when they took the stage in succession to explain their vision and strategy in the IAM space.

Federation Evolving
One of the interesting themes of the first day sessions was an exploration of the relationship between federation and user-centric technologies (like OpenID), and their impact on both consumer and enterprise environments. After starting with a hard look at how traditionally understood federation is doing, the discussion transitioned to the state of progress in user-centric identity technologies (through a characteristically entertaining presentation by Dick Hardt). Burton made the point that loosely coupled identity provider and relying party networks, connected via user-centric technologies like CardSpace and OpenID could change the way enterprises handle the problems that today rely on legally and procedurally heavy federation mechanisms.

The Theme For This Year: Identity Controls
Mike Neuenschwander did not disappoint the crowds yesterday with a hugely entertaining sketch involving Captain Controls, a superhero that I hope will become a recurring character (Go here to see a video of the sketch posted by IdentityWoman Kaliya Hamlin).

Captain Controls challenges Mike

And while it was entertaining, it beautifully illustrated the emergence of the latest buzzword in identity management – Identity Controls. Briefly introduced on Wednesday, the topic was thoroughly explored on Thursday through sessions that took on the emerging technologies in Enterprise Role Management, Entitlement Management (aka Authorization Services) and Identity Audit, a group that Burton has acronymed PPM (Policy and Privilege Management). It represents the next step in the continuous evolution of IAM from an IT concern to a Business concern, and reflects the growing importance of IAM in the area of corporate risk management and governance.

Microsoft and Oracle Get It; SAP Not So Much
The message of Identity Controls was further consolidated in the following presentations by Microsoft, SAP and Oracle. These sessions were revealing in that they showed the maturity of Microsoft and Oracle in the IAM space, while SAP is still trying to catch up. I’m sure this will be dismissed as a biased opinion, but my (some would say surprising) admiration of Microsoft’s new IAM philosopy will hopefully negate that. From the tone and content of the sessions, you could see that there is a huge gap between the deep understanding of IAM that Oracle and Microsoft have, and the early stages SAP finds itself in. SAP did get the GRC market going through the Virsa acquisition and integration, but they only recently seem to have realized the importance of identity in the controls business. It was illuminating that while the Microsoft and Oracle presentations both went into great detail about their vision for identity as an integral component of application architecture, the SAP talk concentrated on what they have learnt from their customers and on touting their recent MaxWare acquisition.

Oracle SVP Thomas Kurian explains Oracle's Application-Centric IdM

The second half of the day concentrates on Identity Services, something all of you know I am passionate about and am helping drive within Oracle. Phil Hunt of Oracle will be on a panel discussing the notion of identity as a service. Should be interesting.

Tags: Application-Centric IdM, Burton Catalyst Conference, BurtonGroupCatalyst07, Identity Controls, Identity Services, Oracle Identity Management, User-Centric Identity

The use cases presented by AOL, Boeing, Govt. of British Columbia, GM and US-GSA were quite detailed and very articulate with regards to the challenges being faced in their deployments. Since the discussion was one of standards and protocols, the discussions focused primarily on the authentication and federation pieces in the identity management puzzle (as those standards are the most evolved in the identity space).

Some common themes emerged in the discussions:

• Usability of the authentication process was identified as an area that is greatly lacking, and potentially needs some work by the standards bodies. The whole idea is to make the life of the end-user easier. Users shouldn’t have to worry about which credential they need to use, but should still have a choice of which credential they want to use.
• Seemingly at opposite ends of the spectrum, incorporation of the device into the authentication process (reliance on OS authentication) and independence from the device (for portability of identity across laptops, cellphones and kiosks) were identified as being key requirements
• Setting up federations still requires too much investment and time, preventing it from being a scalable solution to the single identity problem
• In the context of single sign-on across web applications, the topics of session timeouts and global logout generated much discussion
• Standards are being unevenly implemented by vendors. All cover the basic aspects of the spec, but none implement the whole spec, usually on edge features, which causes confusion, surprises and incompatibility.
• Everyone agreed that the non-technology aspects of federation are more complex than the technical aspects

The AOL use case was very interesting as it was the only one that was purely in the consumer space, and discussed the role their OpenID strategy plays in it. The others had more of an enterprise feel to them. At the same time, enterprises like Boeing and GM stated that they were actively trying to figure out where OpenID would fit into their business model. GM and Boeing both talked to the issues of deploying federation with 1000s of partners, and for a mobile workforce in manufacturing environments where issues of presence and entitlement management are key. The Govt. of British Columbia presented an interesting challenge of creating a federation with both large and small “organizations”, where organizations is a loose term that not only covers businesses but also small proprietorships like doctors offices, where the opportunity to deploy complex software does not exist.

The use case presentations engendered some lively discussions that were both entertaining and thought-provoking. Mike Beach of Boeing (never one to shy away from creating controversy) questioned the need for interoperability, postulating that maybe convergence of the standards is better. That is the essence of the challenge that Project Concordia faces – how to come up with an elegant, usable solution out of the morass of standards that different interests have thrown into the ring.

Tags: Application-Centric IdM, Authentication Management, Burton Catalyst Conference, BurtonGroupCatalyst07, Project Concordia

That is probably how a lot of us in the identity community feel about the topic of interoperability. We have been talking about interoperability for so long, and have seen so many efforts come and go, that we may be feeling a bit jaded despite knowing how crucial it is to the survival of all that we have worked for. However, this year has seen some promising developments that again give us hope. Microsoft announcing the interoperability of CardSpace with OpenID at the RSA Conference was one such development. And more recently, I have come to learn of the Concordia Project, launched by members of the Liberty Alliance.

From their website you get a sense of what they are trying to accomplish:

“The Concordia project is a global initiative designed to drive interoperability across identity protocols in use today. It does this by soliciting and defining real-world use cases and requirements for the usage of multiple identity protocols together in various deployment scenarios, and encouraging and facilitating the creation of protocol solutions in the appropriate “homes” for those technologies.”

Reading more on their wiki, it sounds like a big requirements gathering exercise aimed at documenting real problems that cannot be solved unless protocol interoperability exists. These requirements can then be fed to the appropriate technical group for resolution. The hope is that by focusing on requirement gathering, they can gather good data independent of vendor or protocol bias. Going back to basics is often a good way of avoiding the issues that plagued earlier attempts. Eric Norlin also points out that it is significant that this is the first organization focused on protocol interoperability that Microsoft will be an active participant in.

To take advantage of next week’s Catalyst Conference, the Liberty Alliance is co-sponsoring the Concordia Workshop on June 26 at the San Francisco Hilton (where Catalyst will take place). The workshop will try to define and understand deployer needs with regards to interoperability and harmonization of different identity standards and protocols, through presentations by AOL, Boeing, GM, the Government of British Columbia and the US GSA. Sounds like an interesting opportunity to hear what some of the active consumers of identity technology are trying to do. I will definitely be checking it out to understand more and figure out how the project may be helpful to us as we define the ISF.

Attendance at the workshop is free; you can register and review the agenda at the workshop registration page.

Tags: Burton Catalyst Conference, BurtonGroupCatalyst07, Information Cards, OpenID, Project Concordia

As always, I look forward to seeing how the discussion has evolved. Role management, for instance, was a hot topic last year when everyone seemed to be embarking on a role management project. This year we are seeing the area of entitlement management starting to merge with role management as one of the original A’s of identity management – Authorization – is redefined. And as enterprises are getting more comfortable with the idea of SOA, the need for a well-defined identity services infrastructure is emerging rapidly. As I have mentioned in this blog a number of times before, Oracle’s own Fusion initiative views this as a key element in the definition of the next generation applications architecture. Oracle’s own Thomas Kurian will be giving a talk on the integration of IdM with Business Applications on Thursday (June 28). And Phil Hunt, one of the architects of Oracle’s proposed Identity Governance Framework, will be participating in a panel discussion on identity services.

And the burning question as always: what will Mike Neuenschwander do next?

So head out to San Francisco to catch up on whats going on in the world of identity. It’s a little like attending a crash course – a lot to absorb, but a great way to catch up on everything. If you will be there, drop me a line. The hospitality suites are always fun and a good place to chat (Oracle will be hosting theirs on Wednesday). See you there.

Tags: Burton Catalyst Conference, BurtonGroupCatalyst07, Identity Governance Framework, Identity Services, IGF, Oracle Identity Management, User-Centric Identity