Talking Identity | Nishant Kaushik's Look at the World of Identity Management » BurtonGroupCatalyst08

Change We Need

Nishant Kaushik — Tue, 02 Dec 2008 03:56:22 +0000

It’s been a long time since I have been able to post. A lot conspired to make it difficult for me to keep up with my blogging, not the least of which has been a number of interesting, but under wrap, developments within the IdM group at Oracle (if you follow me on Twitter, you may know what I am talking about). I‘ve been knee-deep in meetings planning our development projects for next year, so stay tuned to this space for a look ahead.
My last post was just before I headed to Prague to participate in a panel on Identity Services at Burton’s Catalyst Europe conference. I could make some jokes about how it has taken me this long to recover from the craziness in Prague, and it would be partly true. But I wouldn’t even begin to know how to describe all of it, so this is me moving swiftly on.

During the panel discussion (thanks to Oracle’s own Dennis MacNeil for taking the photograph above), we talked about the work we’ve been doing in Burton’s Identity Services Working Group (ISWG). Kevin preceded the panel with a presentation outlining the results of the first phase of our work, which has focused on the basic services in an identity services architecture – attributes, authentication and authorization. I can’t really share the results of the work here, because of the rules we work under as part of the working group (I’ll try and talk Kevin into letting me share some of it). However, I will say that one of the interesting developments from the many meetings we had, and which informed the approach taken in this phase of the project, was the group adopting the thought that “Authentication is simply an Obligation in an Authorization process” (think about it). As a result, we have come up with an interesting take on the role of PEPs, PDPs and Claims in the architecture.
The bulk of the panel discussion focused on explaining the drivers for the work being done in the ISWG. The fact that all the folks on the panel were either vendors or financial industry folks meant that the talk was about creating efficiencies, standardizing deployment architectures, maintenance and upgrade headaches and freedom from vendor lock-in. All good reasons to keep in mind when understanding how identity services needs to evolve and get used.
But one of the things that didn’t come up was the fact that our industry as a whole is headed towards a seismic shift in how we deal with identity, and that having a good identity services story is crucial to being able to weather the storm. Change is definitely in the air, and not just because the recent election cycle or recession fears have put that word firmly in our conscious. You can sense this by doing a quick scan of the blogosphere. Rapid advancements in the area of Information Cards and OpenID, Microsoft’s recent work encapsulated in the Geneva announcement, our own work on the IDx project and the emerging talk of the “Open Stack” for identity are all key developments to follow to understand where we are headed as an industry. There is a lot of work still to be done in these initiatives, but one can already see the far-ranging implications of all these projects. And identity services will be the backbone that allows enterprises and applications to adapt in a scalable manner.
Much needed change is on the way, so buckle up.

Tags: Burton Catalyst Conference, BurtonGroupCatalyst08, Identity Services, ISWG

My Next Attempt at Controversy: Roles and the (ir)relevance of NIST

Nishant Kaushik — Wed, 09 Jul 2008 21:29:42 +0000

Well, I think I am done talking about directories now, especially after reading Ian Yip’s hilarious recap of the debate, as it were. Having now appeared as a significant bit player in this drama, I have decided to leave it in the hands of more capable people like Clayton and am moving on to familiar (and hopefully fertile) ground.

Day 2 of the Catalyst Conference turned towards the more pragmatic topics of role management and provisioning. It was with a great deal of interest that I heard Tim Weil discuss a standards effort he is leading to promote the implementation and interoperability of RBAC components. As I understood it, the goal is to make it easy for roles defined in one system (say ORM or SailPoint) to be used in another system (OIM or Sun IM), without having to do massive integration projects. Burton’s Kevin Kampman has blogged about this if you are interested.

Tim’s perspective on this is very relevant, having dealt with such practical issues through numerous implementation projects while at Booz Allen Hamilton. It was this very perspective that I wanted to tap into by asking him a question that vexes me a lot, but he gracefully sidestepped since it wasn’t directly related to the talk he was giving. However during a Twitter exchange with Ian Glazer I promised to explain my side fully in a blog post, so here goes.

My Question To Tim

Is the NIST RBAC standard fundamentally flawed, given that it is missing a key element in access control decisions – relationships, the very thing that Burton spent day 1 of the conference stating was the missing link for IdM to tackle?

My Thesis

It is, and companies looking to the NIST RBAC standard as the template for how to approach role management are going to end up missing the boat.

My Rationale

In a conversation later with Ian and Lori, I illustrated my case with the following access control examples:

Scenario A

A doctor wants to enter a hospital he is assigned to, presumably using a physical access device like a Honeywell card. In order for the doctor to get into a hospital, all he needs is for his identity in the system to have a “Doctor” role that is checked for when he enters the hospital. This is a simple scenario that the NIST RBAC standard can easily take care of.

Scenario B

However, in order for that doctor, Dr. X, to view the medical charts (electronically) of a particular patient, Patient Y, the good doctor not only needs to have a “Doctor” role, but also needs to have the “Attending Doctor” role WITH RESPECT TO Patient Y. In other words, the Access Control around the medical charts is based on a specific relationship established between Dr. X and Patient Y, that could be expressed as a relationship-based role. NIST RBAC seems to be wholly unequipped to handle this use case.

NIST RBAC is an important tool to any discussion on role structures. But it should not be treated as complete by any means, merely a start. The use case illustrated in Scenario B is rapidly becoming the more common use case, as Fine-Grained Authorization needs and Data Security come front-and-center in the discussion around Access Control. Yet work on resolving such scenarios is currently excluded from discussions on RBAC and left up to the ABAC (Attribute-Based Access Control) crowd. Having two different mechanisms to implement security (often in the same systems) will surely lead to more holes than a chunk of swiss cheese.

Those that feel this is promotion for our ORM (formerly Bridgestream) product should know that it is not, since the relationship-based roles concept that they created has so far been limited to approval use cases, and has not made its way into any access control discussions. One reason I feel this isn’t happening is because it seems no one has figured out how to express this in an XACML policy, which can easily handle ABAC, but not Relationship-based RBAC. This led to the next controversial question I asked at Catalyst, which I will bring up in a later post.

I’d love to hear other perspectives on this, so leave me some comments.

Tags: Burton Catalyst Conference, BurtonGroupCatalyst08, NIST RBAC, RBAC, Relationship-Based RBAC, Role Management

Information Cards gets its own Foundation

Nishant Kaushik — Sat, 05 Jul 2008 02:13:11 +0000

One of the big announcements at Catalyst that I twittered about was the formation of the Information Card Foundation (take that, OpenID). The purpose of the non-profit foundation is to promote the use of information cards as a secure way to present personal identity information on the web. The foundation has a power-packed set of companies as steering members (Oracle is in there along with Google, Novell, Paypal, Equifax and, of course, Microsoft) and a great Board providing direction with people like Kim Cameron, Pamela Dingle, Patrick Harding, Ben Laurie and Drummond Reed (among others) leading the way.

Information Cards try to mirror the familiar, real-world experience of presenting cards to prove identity and provide information in the online world, and aims to do so in a safe, secure manner that is resistant to phishing, pharming and MITM attacks. Despite having been put into the wild a few years ago, and despite the tireless efforts of people like Kim Cameron and Pam Dingle to make it accessible, there are scant few web sites (of any note, anyway) that actually allow people to use information cards. The ICF (much like the OpenID foundation, which also kicked into high gear a few months ago) is looking to put some weight behind the effort to evangelize the technology and expand its adoption in the marketplace. As it states on the ICF Web site, the foundations purpose is to

Advance the use of the Information Card metaphor as a key component of an open, interoperable, royalty-free, user-centric identity layer spanning both the enterprise and the Internet.

It will be very interesting to see how the ICF goes about doing this, and when results will start to show. But this is undoubtedly the beginning of something big. For all of us.

Links:

Tags: Burton Catalyst Conference, BurtonGroupCatalyst08, Information Card Foundation, Information Cards, OpenID, Personal Identity Management, User-Centric Identity

The Real World: Catalyst Conference Edition

Nishant Kaushik — Thu, 03 Jul 2008 03:05:19 +0000

Another Catalyst conference has come and gone, leaving us with a lot of material to chew on and ponder. Burton always forces us to think about what we are doing, especially those of us that have products to deliver. And it’s always interesting to see all the new companies that are popping up in the space (Lori’s slide this year showing all the identity management companies looked like it needed a magnifying glass to read).

I’m not going to recap all the interesting sessions that I attended. If you followed my twitter postings (and a big “Hi and Thank You” to everyone who tripled my following last week by connecting, including some folks who signed up for Twitter just to follow me), you got a sense of what was being talked about, and my thoughts on the same. For some great reporting on the key sessions, read Mark Dixon’s blog postings (this post is a map to the various posts he has written covering the conference).

I’ll simply present what I saw as the theme of the conference: Reality Hits The World Of Identity. People are realizing that the only way this identity stuff is going to work is if the online experience and constructs mirror how we operate in the real world. And this opens up a whole set of new areas to explore.

You Complete Me
A key realization that is taking hold is that relationships must be made a key part of the fabric of identity, and that relationships can form the trust basis for identity related transactions. While I don’t completely agree with Jamie’s assertion that a lot of work in the real world happens before any contracts are drawn up (no contractor can even begin work for Oracle until a contract is signed; similarly I can’t work for Oracle and get access to systems till an employment agreement is in place), I do recognize that the value proposition of transactions is a continuum, along which are different levels that require different levels of assurance. Assurance can be built up over time as a function of relationships (user is related to this company, user has X friends, user is certified by this identity provider, etc). Eve Maler gave a very interesting talk on how relationships can be nurtured and made available in the online world, and connected it to some of the work being done on R-Cards and Project VRM.

I Need An Authority Figure
Another sign that real world concepts are seeping into the online world was the increased discussion on the topic of Identity Proofing, and the externalization of Authoritative Identity Providers. Just like in the real world, companies are realizing that in order to scale and distribute liability, they would like someone else to be responsible for vetting identity data and providing a validated, trustworthy identity into their environments. This is the first sign of a legitimate market emerging for the Identity Oracle that Bob Blakely has defined, and that I have discussed so often in the context of Identity Services. The Liberty Alliance has jumped in here to help out by proposing an Identity Assurance Framework (our old friend Frank Villavicencio is co-chair of the effort) that can define a trust language in this context. And everyone knows that I consider the work being done on the IGF a critical part of such an infrastructure.

I Got Your GRC Right Here (Not!)
Burton decided to take the IAM vendors to task for using GRC as a crutch to sell all manner of products. Referring to GRC as a four letter word, Bob attempted to blow up the myths surrounding GRC and posited that all the bluster around GRC has made companies lose sight of what they really need to address. He stated that each discipline conflated within GRC should be looked at independently by businesses with regards to its objectives, and that tools and processes should be put in place that address the specific needs identified. The message was clear – there is no such thing as a GRC product; instead there are a multitude of products that provide tools for addressing specific problems that fall under one of these disciplines, and enterprises should take a fresh look at what GRC means to them and how to approach it.

For me, the highlight of the conference was the talk by Nick Leeson, the securities trader who brought down Barings Bank. Not a technical talk at all, his explanation of how his actions exploited failings in the areas of governance and compliance drove home the point about process and tools being complementary parts of the puzzle.

The rest of the conference had some interesting announcements and decent discussions on the usual topics of Authentication, Provisioning and Role Management. I did what little I could to break the monotony and generate some controversy, but I’ll cover all of these in my upcoming posts.

Tags: Burton Catalyst Conference, BurtonGroupCatalyst08, GRC, Identity Assurance Framework, Identity Governance Framework, Identity Oracle, Identity Proofing, IGF, Nick Leeson, Relationship Management

Follow me at Catalyst

Nishant Kaushik — Thu, 19 Jun 2008 22:05:55 +0000

I’ll be at the Catalyst conference next week, looking to share and learn. I expect Catalyst to be the usual source of inspiration, news and ideas. And I look forward to meeting up with fellow identirati like Ian, Mark and of course, the good folks from Burton.

Unfortunately, a quirk of timing means that a long awaited upgrade of the Oracle blogs system is also taking place next week, freezing all of our blogs. Those that follow my blog know that the current system leaves something to be desired in terms of features and stability. And the commenting system was totally unhelpful in enabling any kind of conversation with my readers. While I welcome the upgrade, I hate the fact that I won’t be able to post during the week.

I will post some wrap-up posts the week after Catalyst, summarizing my experiences and thoughts. But if you are really interested in keeping up with my Catalyst experience, there is an option. I use Twitter, that quirky micro-blogging platform that is all the rage, fairly regularly. And I plan on posting fairly regularly from San Diego. To make things easier, I will be prefacing all my Catalyst related postings with “BurtonCatalyst08:” (unless Burton has something else going). So If you are on Twitter, you can choose to follow me and keep up with the going-ons. If you don’t want to sign up for yet another social whatever, then you can subscribe to an RSS feed of my twitter postings here.

If you plan on being at Catalyst and want to meet up, either email me or join us at the Oracle Hospitality Suite on the evening of June 25th (Wednesday). I’ll be around. And the following sessions might be of interest to you if you want to learn more about Oracle Identity Management:

Role Management and Provisioning: Coexistence or Convergence? A Roundtable discussion including Oracle’s Jeff Shukis – Thurs at 4.10pm
Selecting and Implementing a COTS-based IdM Solution at Boeing: A Case Study – Thurs at 5.20pm

Tags: Burton Catalyst Conference, BurtonGroupCatalyst08

Concordia tackles Entitlements and Policy Management

Nishant Kaushik — Wed, 11 Jun 2008 01:49:21 +0000

Burton Group’s Catalyst Conference is coming up at the end of the month, which means that the work going on in the identity management world kicked up a few notches last month. One of the things that is becoming a fixture at Catalyst is a meeting of the folks involved in Project Concordia. Anyone who reads my blog knows that I am a big supporter of their efforts to bring real-world use cases to bear on the creation of practical solutions.

This year, their session will be focused on the area of entitlement and policy management. If you are going to be at Catalyst, it is a great way to spend a day, listening to representatives from companies like Boeing, Cisco, Micron and The US Army share their
insights, experiences and requirements for standards based policy and
entitlement management.

Unfortunately, I won’t be getting into San Diego in time to attend, but Prateek Mishra from Oracle will be there, and of course, Roger Sullivan will be leading the charge as the host. It’s free to attend, all you have to do is register here. Do it, and let me know what you learn.

Tags: Burton Catalyst Conference, BurtonGroupCatalyst08, Entitlement Management, Identity Services, Project Concordia