<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Talking Identity &#124; Nishant Kaushik&#039;s Look at the World of Identity Management &#187; Digital ID World</title>
	<atom:link href="http://blog.talkingidentity.com/tag/digital-id-world/feed" rel="self" type="application/rss+xml" />
	<link>http://blog.talkingidentity.com</link>
	<description>An Architect&#039;s Quest to make sense of the world of Identity and Access Management</description>
	<lastBuildDate>Thu, 22 Dec 2011 21:56:25 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Dissecting all the buzz about Identity Assurance</title>
		<link>http://blog.talkingidentity.com/2008/10/dissecting_all_the_buzz_about.html</link>
		<comments>http://blog.talkingidentity.com/2008/10/dissecting_all_the_buzz_about.html#comments</comments>
		<pubDate>Tue, 07 Oct 2008 22:19:57 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Digital ID World]]></category>
		<category><![CDATA[Identity Assurance]]></category>
		<category><![CDATA[Identity Assurance Framework]]></category>
		<category><![CDATA[Identity Assurance Partner Alliance]]></category>
		<category><![CDATA[Oracle OpenWorld]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=133</guid>
		<description><![CDATA[One of the big buzzwords this past month or so has been &#8220;Identity Assurance&#8221;. Liberty Alliance made a big push for the Identity Assurance Framework (IAF) at DIDW last month, conducting a number of sessions/workshops introducing it to the masses. Our old friend Frank Villavicencio, who is a co-chair of the IAEG, was a star at [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.talkingidentity.com/wp-content/uploads/2008/10/idtheft_thumb.gif"><img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; margin: 0px 0px 0px 5px; border-right-width: 0px" src="http://blog.talkingidentity.com/wp-content/uploads/2008/10/idtheft_thumb.gif" border="0" alt="idtheft" width="295" height="320" align="right" /></a> One of the big buzzwords this past month or so has been &#8220;<strong>Identity Assurance</strong>&#8221;. Liberty Alliance made a big push for the <strong>Identity Assurance Framework</strong> (IAF) at DIDW last month, conducting a number of sessions/workshops <a href="http://www.projectliberty.org/strategic_initiatives/identity_assurance" target="_blank">introducing it</a> to the masses. Our old friend Frank Villavicencio, who is a co-chair of the IAEG, was a star at the show, even collecting a Liberty Alliance IDDY award. At OpenWorld, Oracle <a href="http://www.oracle.com/us/corporate/press/017473_EN?rssid=rss_ocom_pr" target="_blank">announced</a> the formation of the <strong>Oracle Identity Assurance Partner Alliance</strong>, an initiative focused on extending our identity and access management offerings with comprehensive and proactive identity fraud prevention solutions from strategic partners (you can read the <a href="http://www.oracle.com/us/corporate/press/017473_EN?rssid=rss_ocom_pr" target="_blank">press release</a> for details).</p>
<p>So what exactly is Identity Assurance? Simplistically, <strong>Identity Assurance</strong> is the ability to determine, with some level of certainty, that the person (identity) presenting themselves in an identity transaction is who they are claiming to be. The level of certainty one can have about the presented identity is what is referred to as the &#8220;Assurance Level&#8221;. <strong>Identity Proofing</strong> is another term that is used in this context (and that <a href="http://blogs.oracle.com/talkingidentity/2007/08/interesting_eweek_article_on_i.html" target="_blank">I have used in the past</a>), though it is more commonly associated with the verification of one&#8217;s real-world identity during the registration process.</p>
<p>So what are these two initiatives, and how are they related?</p>
<h3>Identity Assurance Framework &#8211; Think TRUSTe for IdPs</h3>
<p>The <strong>IAF</strong> is coming at the Identity Assurance discussion purely from the authentication angle, especially within federation contexts. It is based, in part, on the <a href="http://eap.projectliberty.org/docs/Trust_Framework_010605_final.pdf">Electronic Authentication Partnership Trust Framework</a> and the <a href="http://www.cio.gov/eauthentication/documents/CAF.pdf">US E-Authentication Federation Credential Assessment Framework</a>, initiatives designed for the sole purpose of enabling interoperability among electronic authentication systems. As such, it attempts to define a trust framework around the quality of claims issued by an IdP based on language, business rules, assessment criteria and certifications.</p>
<p>The IAF has published a standard set of <em>assurance levels</em> regarding the authentication of the user (Level 1 means low assurance, Level 2 means medium assurance, and so on. As of today, there are only 4 levels of assurance, Level 4 being the highest level). When a digital token is issued, it states the level of assurance at which the user was authenticated &#8211; Level 1 through Level 4.</p>
<p>The IAF defines a <em>certification process</em> through which an independent auditor assesses whether the issuer&#8217;s interpretation of Level 1-4 meets the <em>standard assessment criteria</em> established by IAF. So one issuer may have used an RSA SecurID token in combination with Username-Password to issue a Level 2 token, while a second issuer may have used a biometric challenge in addition to a UserID-PIN to issue a Level 2 token. The RP receiving the token from both issuers simply knows that both tokens are Level 2, and doesn&#8217;t know/need to know what the actual mechanics were, simply that an audit process certified that the mechanism for generating the token meets the criteria laid out by Liberty IAF.</p>
<p>The IAF is NOT defining any technology or standard protocols. In this sense, the IAF is trying to set up something analogous to the way TRUSTe verifies and asserts through their web seal that an eCommerce site is trustworthy.</p>
<h3>Oracle Identity Assurance Partner Alliance &#8211; Tools of the Assurance Trade</h3>
<p>Oracle <strong>IAPA</strong> aims at extending Oracle’s Identity Management Suite with partner technologies that offer capabilities such as identity proofing, internet geolocation, multi-factor authentication, out-of-band authentication, endpoint security and secure remote access. As such, its charter is pretty broad in combating identity fraud and providing context-aware security, and this encompasses identity assurance.</p>
<p>The solutions in the IAPA can provide the underlying mechanism by which an IdP can support the main tenet in the IAF, wherein an assertion can be trusted (at varying levels of assurance) to really belong to the entity represented. The IAPA steps in as a way for Oracle IAM to leverage technologies that enhance an authentication process with additional &#8220;challenges&#8221; that up-level the authentication assurance to the appropriate level &#8211; whether it be by using a biometric challenge, a voice challenge, a knowledge challenge based on external data aggregators, etc. So Oracle IAM + IAPA is positioned nicely to be the execution/implementation arm of an IdP&#8217;s IAF compliance efforts.</p>
<h3>Looking To Tie Them Together</h3>
<p>One thing I will be exploring is the possibility of having the IAPA stack go through the Liberty IAF audit process. Then any customer deploying Oracle Access Management in conjunction with one of our partners would immediately know the IAF assurance levels of the authentication tokens being issued. Conversely, a customer that is targeting being able to issue credentials of certain assurance levels will be able to identify the solutions that will meet their need.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/digital-id-world" rel="tag">Digital ID World</a>, <a href="http://blog.talkingidentity.com/tag/identity-assurance" rel="tag">Identity Assurance</a>, <a href="http://blog.talkingidentity.com/tag/identity-assurance-framework" rel="tag">Identity Assurance Framework</a>, <a href="http://blog.talkingidentity.com/tag/identity-assurance-partner-alliance" rel="tag">Identity Assurance Partner Alliance</a>, <a href="http://blog.talkingidentity.com/tag/oracle-openworld" rel="tag">Oracle OpenWorld</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2008/10/dissecting_all_the_buzz_about.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The fun never stops in Identity World</title>
		<link>http://blog.talkingidentity.com/2008/10/the_fun_never_stops.html</link>
		<comments>http://blog.talkingidentity.com/2008/10/the_fun_never_stops.html#comments</comments>
		<pubDate>Thu, 02 Oct 2008 23:14:04 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Identity Services]]></category>
		<category><![CDATA[Digital ID World]]></category>
		<category><![CDATA[ISWG]]></category>
		<category><![CDATA[Oracle OpenWorld]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=132</guid>
		<description><![CDATA[Boy, it was an exhausting September. There was a lot going on between work, Digital ID World, Oracle OpenWorld and the Burton Identity Services Working Group. Unfortunately, this left me little time to write on this blog. But hopefully all of you were able to follow my real-time thoughts on Twitter. If you are interested, [...]]]></description>
			<content:encoded><![CDATA[<p>Boy, it was an exhausting September. There was a lot going on between work, <strong>Digital ID World</strong>, <strong>Oracle OpenWorld</strong> and the <strong>Burton Identity Services Working Group</strong>. Unfortunately, this left me little time to write on this blog. But hopefully all of you were able to follow my real-time thoughts on <a href="http://twitter.com/NishantK" target="_blank">Twitter</a>. If you are interested, check out my <a href="http://search.twitter.com/search?q=&amp;ands=DIDW&amp;phrase=&amp;ors=&amp;nots=&amp;tag=&amp;lang=all&amp;from=NishantK&amp;to=&amp;ref=&amp;near=&amp;within=15&amp;units=mi&amp;since=2008-09-07&amp;until=2008-09-11&amp;rpp=15" target="_blank">DIDW tweets</a> and my <a href="http://search.twitter.com/search?q=&amp;ands=&amp;phrase=&amp;ors=&amp;nots=&amp;tag=OOW08&amp;lang=all&amp;from=NishantK&amp;to=&amp;ref=&amp;near=&amp;within=15&amp;units=mi&amp;since=&amp;until=&amp;rpp=15" target="_blank">OpenWorld tweets</a>.</p>
<p>It was interesting to see the amount of discussion going on around the topic of <strong>Identity Services</strong>. At DIDW, there were a number of different sessions that looked at different parts of the Identity Services challenge. Kim Cameron talked about claims-based identity transactions in his keynote. All the different discussions on Liberty&#8217;s <strong>Identity Assurance Framework</strong> were trying to deal with improvements needed in the authentication service. Some of the necessary standards discussions came up in the session on &#8220;Bootstrapping Identity Protocols&#8221;. And of course Jamie Lewis talked about it in his keynote.</p>
<p><a href="http://blog.talkingidentity.com/wp-content/uploads/2008/10/pitka_wired_2.jpg"><img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; margin: 0px 0px 0px 5px; border-right-width: 0px" src="http://blog.talkingidentity.com/wp-content/uploads/2008/10/pitka_wired_thumb.jpg" border="0" alt="pitka_wired" width="180" height="240" align="right" /></a>At <strong>OpenWorld</strong> I once again took on the task of trying to illuminate the masses on identity services. It isn&#8217;t a topic that usually gets a lot of interest at OpenWorld, since the attendees are mostly interested in figuring out real world implementation issues. So the sessions most attended were the ones that looked at best practices and customer case studies. Also, being scheduled for the first session of the day at 9am didn&#8217;t help drive up my attendance numbers.</p>
<p>But I did get a pretty decent crowd, all things considered, and got some good questions and very good feedback and validation on the content of my presentation. I did try to spice it up by throwing in a bit of humor centered around &#8220;<em>The Love Guru</em>&#8221; (since identity services is all about achieving identity nirvana); not sure if that helped or hurt. I wanted to post the presentation here for all of you, but OOW presentations are paid content controlled by Oracle, so I can&#8217;t. But I will be adapting that presentation for some talks I am giving to customers on the topic of Identity Services, and I will post that presentation, along with a discussion of how my architecture has evolved, in an upcoming blog post.</p>
<p>October is looking to be just as busy. Of course there is all the usual stuff going on at Oracle. Tomorrow I&#8217;ll be doing a quick dash across the border and back for the second all-day workshop of the ISWG. Then later this month I will be heading to Europe, where I will be meeting with some customers and attending Burton&#8217;s European edition of the <a href="http://www.catalyst.burtongroup.com/EU08/index.html" target="_blank">Catalyst Conference</a>. I will be part of a panel that includes other ISWG members from TD Bank, BT, Credit Suisse, IBM, Sun, Novell and, of course, Burton that will be talking about Identity Services and presenting some of the work we have done in the working group. Catalyst Europe is in Prague, which is a city I absolutely love, so I am pretty excited about that too. Should be a fun month.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/digital-id-world" rel="tag">Digital ID World</a>, <a href="http://blog.talkingidentity.com/tag/identity-services" rel="tag">Identity Services</a>, <a href="http://blog.talkingidentity.com/tag/iswg" rel="tag">ISWG</a>, <a href="http://blog.talkingidentity.com/tag/oracle-openworld" rel="tag">Oracle OpenWorld</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2008/10/the_fun_never_stops.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Conversations were center at DIDW</title>
		<link>http://blog.talkingidentity.com/2008/09/conversations_were_center_at_d.html</link>
		<comments>http://blog.talkingidentity.com/2008/09/conversations_were_center_at_d.html#comments</comments>
		<pubDate>Thu, 11 Sep 2008 21:17:50 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Digital ID World]]></category>
		<category><![CDATA[Identity Assurance Framework]]></category>
		<category><![CDATA[Identity Services]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=130</guid>
		<description><![CDATA[My Digital ID World was all about conversations. Much more useful to me than the sessions was the opportunity to brainstorm with some very smart, very committed (some insanely so) people in the identity community. The sessions were good, and some managed to inspire some original thought. But the hallway conversations (so to speak) were [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://public.cxo.com/conferences/index.html?conferenceID=24" target="_blank"><img style="margin: 0px 5px 0px 0px" src="http://blog.talkingidentity.com/wp-content/uploads/2008/09/didw_logo_3.jpg" alt="" align="left" /></a> My <strong>Digital ID World</strong> was all about conversations. Much more useful to me than the sessions was the opportunity to brainstorm with some very smart, very committed (some insanely so) people in the identity community. The sessions were good, and some managed to inspire some original thought. But the hallway conversations (so to speak) were really what made this conference work for me.</p>
<p><a href="http://blog.talkingidentity.com/wp-content/uploads/2008/09/blindmen_and_elephant_2.gif"><img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" src="http://blog.talkingidentity.com/wp-content/uploads/2008/09/blindmen_and_elephant_thumb.gif" border="0" alt="blindmen_and_elephant" width="240" height="176" align="right" /></a> I felt a little bit like the blind men examining the elephant, except that I could see a little bit. So while everything being talked about looked and felt like different things addressing unique problems, I could also see a little of how they interconnect and relate as part of a larger, more cohesive whole. This was especially true of the sessions on the Identity Assurance Framework, Identity Protocols, Identity Services and VRM, and my conversations with Kim Cameron, Doc Searls and Bob Blakely, among others.</p>
<p>The remainder of my week is being spent at Oracle HQ, so I will be pretty busy in meetings. I will therefore post more detailed thoughts on specific topics that came up in the sessions at a later time. In the meantime, you can check out the real-time stream of consciousness thoughts I had at DIDW by clicking <a href="http://search.twitter.com/search?q=&amp;ands=DIDW&amp;phrase=&amp;ors=&amp;nots=&amp;tag=&amp;lang=all&amp;from=NishantK&amp;to=&amp;ref=&amp;near=&amp;within=15&amp;units=mi&amp;since=2008-09-07&amp;until=2008-09-11&amp;rpp=15" target="_blank">this link</a> to read my Twitter posts from the conference.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/digital-id-world" rel="tag">Digital ID World</a>, <a href="http://blog.talkingidentity.com/tag/identity-assurance-framework" rel="tag">Identity Assurance Framework</a>, <a href="http://blog.talkingidentity.com/tag/identity-services" rel="tag">Identity Services</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2008/09/conversations_were_center_at_d.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>My DIDW just got a lot more interesting</title>
		<link>http://blog.talkingidentity.com/2008/09/my_didw_just_got_a_lot_more_in.html</link>
		<comments>http://blog.talkingidentity.com/2008/09/my_didw_just_got_a_lot_more_in.html#comments</comments>
		<pubDate>Sat, 06 Sep 2008 03:56:52 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Digital ID World]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=129</guid>
		<description><![CDATA[This week I was invited to join Brenda Hughes from Cisco on next week&#8217;s DIDW panel discussing &#8220;Lessons learned from Successful Compliance Deployments&#8221;. My hope is to share some of the insight I obtained from watching (at uncomfortably close quarters, from a vendor perspective) a number of our customers go through the process of deploying [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://public.cxo.com/conferences/index.html?conferenceID=24" target="_blank"><img style="margin: 0px 5px 0px 0px" src="http://blog.talkingidentity.com/wp-content/uploads/2008/09/didw_logo_3.jpg" alt="" align="left" /></a> This week I was invited to join Brenda Hughes from Cisco on next week&#8217;s DIDW panel discussing &#8220;<strong>Lessons learned from Successful Compliance Deployments</strong>&#8221;. My hope is to share some of the insight I obtained from watching (at <em>uncomfortably</em> close quarters, from a vendor perspective) a number of our customers go through the process of deploying identity management to solve some of their main compliance issues. Obviously, compliance has been the big story in IdM the last few years, and most companies still have a long way to go. But the nature of the discussion seems to be changing a bit, as compliance itself is de-mystified. Come by for what is sure to be an interesting conversation.</p>
<p>Also, I will be connecting with a number of folks who are coming out to DIDW, both one-on-one and in some interesting group settings. Matt Flynn has organized a <a href="http://360tek.blogspot.com/2008/08/digital-id-world-bloggers-unite.html" target="_blank">blogger meet</a>, which I look forward to, since my attempt at a Tweetup sort of fell flat. Should be interesting. Again, grab me if you see me at the opening reception or at the demogrounds, or while I am rushing from one session to another, if you want to chat.</p>
<p><a href="http://www.twitter.com/NishantK"><img src="http://assets2.twitter.com/images/twitter.png" alt="" align="left" /></a> Continuing something <a href="http://blogs.oracle.com/talkingidentity/2008/06/follow_me_at_catalyst.html">I started as an experiment</a> at Burton Catalyst, I will be <strong>twittering</strong> extensively during the conference, sharing what I am hearing, my thoughts and the experiences of DIDW (provided I can snag a power outlet and/or AT&amp;T 3G can avoid going down again). Be sure to follow me at <a href="http://www.twitter.com/NishantK">http://www.twitter.com/NishantK</a> if you are interested in my perspective on the proceedings.</p>
<p><a href="http://feeds.feedburner.com/~r/GeekAndPoke/~3/333834518/the-genesis-of.html" target="_blank"><img src="http://geekandpoke.typepad.com/geekandpoke/images/2008/07/13/genesis2.jpg" alt="" /></a></p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/compliance" rel="tag">Compliance</a>, <a href="http://blog.talkingidentity.com/tag/digital-id-world" rel="tag">Digital ID World</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2008/09/my_didw_just_got_a_lot_more_in.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>It&#8217;s that DIDW time of the year</title>
		<link>http://blog.talkingidentity.com/2008/08/its_that_didw_time_of_the_year.html</link>
		<comments>http://blog.talkingidentity.com/2008/08/its_that_didw_time_of_the_year.html#comments</comments>
		<pubDate>Thu, 28 Aug 2008 19:26:36 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Digital ID World]]></category>
		<category><![CDATA[Identity Governance Framework]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=127</guid>
		<description><![CDATA[The annual Digital ID World conference is coming up (September 8 &#8211; 10) in Anaheim. DIDW is usually a blast, as a number of folks from the identity arena show up at the conference to connect, exchange ideas and move the business of identity forward. And this is the first conference I&#8217;ll be attending in [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://public.cxo.com/conferences/index.html?conferenceID=24"><img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; margin: 5px 5px 5px 0px; border-right-width: 0px" src="http://blog.talkingidentity.com/wp-content/uploads/2008/09/didw_logo_3.jpg" border="0" alt="DIDW_Logo" width="162" height="36" align="left" /></a> The annual <a href="http://public.cxo.com/conferences/index.html?conferenceID=24" target="_blank">Digital ID World conference</a> is coming up (September 8 &#8211; 10) in Anaheim. DIDW is usually a blast, as a number of folks from the identity arena show up at the conference to connect, exchange ideas and move the business of identity forward. And this is the first conference I&#8217;ll be attending in Anaheim, so I welcome the change of venue (I was getting to know some of the bars in San Francisco <em>way</em> too well).</p>
<p>While DIDW (like any conference) tends to have its share of vendor sales pitches, it is always good for a few sessions to inspire me and give my gray cells something to work on. My biggest problem tends to be figuring out how to divide my time, because unlike Burton Catalyst, where I know which track to just plant myself in, <a href="http://public.cxo.com/conferences/agenda.html?conferenceID=24" target="_blank">every session on the agenda here</a> is related to identity. Looking at this year&#8217;s agenda, I see some interesting sessions planned.</p>
<p>Oracle will obviously have a big presence there. Besides being a Platinum sponsor, there will be a few folks from Oracle speaking:</p>
<ul>
<li>Eric Leach will be talking on &#8220;Next Generation Access Management Solutions&#8221; [Sept 9 from 12:20 - 1:10pm]</li>
<li>Phil Hunt will be talking about the Identity Governance Framework [Sept 10 from 3 - 3:50pm]</li>
</ul>
<p>And some of our customers will be on panels discussing lessons learnt in tackling some thorny identity issues:</p>
<ul>
<li>Brenda Hughes from <strong>Cisco</strong> on &#8220;Successful Compliance Deployments&#8221; [Sept 10 from 11:25am - 12:15pm]</li>
<li>Vikas Mahajan from <strong>AARP</strong> and Divya Sundaram from <strong>Motorola</strong> on &#8220;Successful Virtual Directory Deployments&#8221; [Sept 10 from 11:25am - 12:15pm]</li>
</ul>
<p>(Hmm, too bad both the panels are at the same time)</p>
<p>I know a lot of folks that will be making it out to DIDW, so I look forward to some interesting conversations over food and libations (drinks are always a good way to get the tongues wagging). An attempt I made on <a href="http://twitter.com/NishantK">Twitter</a> at organizing a tweetup at DIDW didn&#8217;t really take off, probably because it was too early for people&#8217;s plans to be made. But if you are going to be there, let me know and I would love to meet up. And I will be spending some time at the demogrounds earning my keep, so stop by if you just want to have a chat.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/digital-id-world" rel="tag">Digital ID World</a>, <a href="http://blog.talkingidentity.com/tag/identity-governance-framework" rel="tag">Identity Governance Framework</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2008/08/its_that_didw_time_of_the_year.html/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Digital ID World recap: Identity Services is Next</title>
		<link>http://blog.talkingidentity.com/2007/10/digital_id_world_recap_identit.html</link>
		<comments>http://blog.talkingidentity.com/2007/10/digital_id_world_recap_identit.html#comments</comments>
		<pubDate>Tue, 02 Oct 2007 06:28:10 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Identity Services]]></category>
		<category><![CDATA[Personal Identity Management]]></category>
		<category><![CDATA[User-Centric Identity]]></category>
		<category><![CDATA[Application-Centric IdM]]></category>
		<category><![CDATA[Digital ID World]]></category>
		<category><![CDATA[OpenID]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=79</guid>
		<description><![CDATA[It took me a while to recover from last week&#8217;s Digital ID World conference. And it wasn&#8217;t just because of the mad scramble I went through at the last minute to update all my slides for my talk. That was just the side effect of spending too much time in some really interesting sessions and [...]]]></description>
			<content:encoded><![CDATA[<p>It took me a while to recover from last week&#8217;s <span style="font-weight: bold;">Digital ID World</span> conference. And it wasn&#8217;t just because of the mad scramble I went through at the last minute to update all my slides for my talk. That was just the side effect of spending too much time in some really interesting sessions and fascinating conversations at this year&#8217;s conference.</p>
<p>I mentioned in my last post that the theme to emerge from the first three keynotes was that the nature of identity is about to change. The rest of the conference was a continued emphasis on this idea, and on the topic of identity as a service. And the sessions drawing big crowds were the ones that talked more about emerging identity technologies and architectures.</p>
<p><span style="font-weight: bold; color: #666666;">What of OpenID?</span><br style="font-weight: bold; color: #666666;" />The session &#8216;<span style="font-weight: bold; font-style: italic;">Understanding OpenID and the Early Implementations</span>&#8217; by David Recordon (SixApart) and Eve Maler (Sun) drew a pretty big crowd. Interest in understanding the value of OpenID was high (something the OpenID crowd has not been able to articulate clearly beyond the simple positioning as &#8220;<span style="font-style: italic;">SSO for the Web</span>&#8221;, leading to some interesting discussions by <a href="http://identityblog.burtongroup.com/bgidps/2007/09/what-is-openid-.html">Bob Blakely</a>, <a href="http://www.idcorner.org/?p=161">Stefan Brands</a> and <a href="http://daveman692.livejournal.com/310578.html">David Recordon</a>). Folks were especially interested to hear what Eve had to say, in light of the effort Sun made to issue all employees an OpenID. To be honest, it was a little disappointing. If I remember correctly, she said that uptake has been low. This could partly be because Sun did not create any value for the Sun-issued OpenIDs by incorporating them into the work life of a Sun employee. None of Sun&#8217;s community sites (like those for open source projects) accept these OpenIDs for authentication, and they cannot be used at Sun partners or service providers either. In fact, it seems like it is mostly a curiosity, evident when she pointed out that the highest usage of these OpenIDs seems to be at a British gambling website. Oh well, it is still early, and hopefully some of the debate in the community will get us further along.</p>
<p><span style="font-weight: bold; color: #666666;">Microsoft makes a Services play</span><br style="font-weight: bold; color: #666666;" />The talk &#8216;<span style="font-weight: bold; font-style: italic;">SOA and Identity with BizTalk Services</span>&#8217; turned out to be a disappointing follow-up to Kim Cameron&#8217;s keynote. What I took away from the session was that Microsoft is taking the features they have in BizTalk Server, and rolling out hosted services on top of that. Maybe I am wrong and there is more to it. But with the demoware breaking a couple of times, poor Justin Smith had to resort to a couple of &#8220;I think you get the picture&#8221; statements to make whatever point he was trying to make.</p>
<p><span style="font-weight: bold; color: #666666;">British Columbia presents the Next Identity Architecture</span><br />
Ian Bailey, Director of Application Architecture for the Province of British Columbia, gave a very interesting presentation on their undertaking to design an identity management architecture that will deliver what they call &#8220;Citizen-Centric Identity Services&#8221;. The solution he presented in his talk &#8216;<span style="font-weight: bold; font-style: italic;">A Claims Based Architecture for British Columbia</span>&#8216;, was quite interesting to hear. The content of the session has evolved from the presentation he gave previously at another conference, and included much more detail with regards to the identity services needed to make it practical. Their architecture document can be found <a href="http://www.cio.gov.bc.ca/idm/">here</a> and makes for very interesting reading. His session was quite inspiring to me actually, as it gave me an answer (not necessarily the answer) for one of the areas of my presentation that I was having the most trouble with.</p>
<p><span style="font-weight: bold; color: #666666;">Identity Services</span><br style="font-weight: bold; color: #666666;" />That part was the discussion of the API layer needed in any identity services framework. As I pointed out in my talk on &#8216;<span style="font-weight: bold; font-style: italic;">Externalizing Identity</span>&#8217; (you can download the presentation <a href="http://blogs.oracle.com/nishantKaushik/gems/IDaaSDIDW.pdf">here</a>), the primary purpose of creating identity services is to make them available to application developers so that they can make identity a part of their business logic without having to build the necessary infrastructure. And the API they must code against must be simple enough to use easily, and abstract enough that it has no dependency on the underlying service-providing product. Developers cannot code to XML-based standards, and so the idea of a claims-based API seems brilliant in its simplicity. Not sure if it is do-able just yet, but it is worth looking into.</p>
<p>Those familiar with my previous talks and blog posts about identity as a service will note that my architecture for the identity services layer has evolved over time, and has changed quite a bit even from my talk at the Jericho Forum not even a month ago. One of the key changes was the transformation of the &#8220;Identity Provider&#8221; service into an &#8220;Identity Oracle&#8221; service. It took a while, but I was finally able to articulate in detail the necessary features of this service that justify renaming it to the term that Bob Blakely (of Burton) introduced at last year&#8217;s Catalyst (or was it 2 years ago?). The feedback I got on the idea of a productized Identity Oracle, and the session in general, was quite interesting and encouraging. So send me your thoughts as well.</p>
<p>For those that are interested, I know that the DIDW folks recorded the audio of the session. I&#8217;ll try and make that available here if allowed. If you went to DIDW, you can access it from the post-conference website.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/application-centric-idm" rel="tag">Application-Centric IdM</a>, <a href="http://blog.talkingidentity.com/tag/digital-id-world" rel="tag">Digital ID World</a>, <a href="http://blog.talkingidentity.com/tag/identity-services" rel="tag">Identity Services</a>, <a href="http://blog.talkingidentity.com/tag/openid" rel="tag">OpenID</a>, <a href="http://blog.talkingidentity.com/tag/personal-identity-management" rel="tag">Personal Identity Management</a>, <a href="http://blog.talkingidentity.com/tag/user-centric-identity" rel="tag">User-Centric Identity</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2007/10/digital_id_world_recap_identit.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Digital ID World kicks off with the cry: Free Identity!</title>
		<link>http://blog.talkingidentity.com/2007/09/digital_id_world_kicks_off_wit.html</link>
		<comments>http://blog.talkingidentity.com/2007/09/digital_id_world_kicks_off_wit.html#comments</comments>
		<pubDate>Mon, 24 Sep 2007 20:30:20 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[User-Centric Identity]]></category>
		<category><![CDATA[Application-Centric IdM]]></category>
		<category><![CDATA[Digital ID World]]></category>
		<category><![CDATA[Identity Services]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=78</guid>
		<description><![CDATA[You know you are at a good conference any time your keynote address throws up a picture of Neo (from The Matrix) on the screen. That&#8217;s exactly what Doc Searls did during a typically humorous and thought-provoking keynote roughly titled &#8220;The Decentralization of Identity&#8221; (actually re-titled in real time based on Phil Becker&#8217;s opening keynote) [...]]]></description>
			<content:encoded><![CDATA[<p>You know you are at a good conference any time your keynote address throws up a picture of <span style="font-weight: bold;">Neo</span> (from <span style="font-style: italic;">The Matrix</span>) on the screen.</p>
<p>That&#8217;s exactly what <span style="font-weight: bold;">Doc Searls</span> did during a typically humorous and thought-provoking keynote roughly titled &#8220;<span style="font-weight: bold; font-style: italic;">The Decentralization of Identity</span>&#8221; (actually re-titled in real time based on Phil Becker&#8217;s opening keynote). He used Neo as representative of the consumer community in the marketplace; the ones whose identities are not in their control and who don&#8217;t have &#8220;choice&#8221; when it comes to the management and security of their identity data.</p>
<p>If there was one theme to the opening keynote addresses (by <span style="font-weight: bold;">Phil Becker</span>, <span style="font-weight: bold;">Doc Searls</span> and <span style="font-weight: bold;">Kim Cameron</span>), it was that the nature of identity needs to change, freeing it from the silos and walled gardens it is currently imprisoned in. They spoke of the need to redesign our approach to how identity data is used and managed. Doc Searls spoke of the need to get away from the notion of owning someone&#8217;s (your customer&#8217;s) identity, and moving from CRM systems to something he called VRM (Vendor Relationship Management) systems. As someone in the identity community, I completely understand the sentiment behind that; as a cog in the Oracle juggernaut, I have to be cautious about any cries of &#8220;Death to CRM&#8221; <img src='http://blog.talkingidentity.com/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p><span style="font-weight: bold;">Kim Cameron</span> took his discussion of <span style="font-style: italic;">claims-based identity management</span> (authentication and authorization) to the next level. In a headline-capturing display, he introduced a term called &#8220;<span style="font-weight: bold; font-style: italic;">Legonics</span>&#8221; (fusion of Lego and Electronics) as a new way of building applications by putting together pieces from componentized modules. Sounded an awful lot like a combination of SOA and Identity as a Service to me. But the demonstration on stage of a Lego robot that was controlled by claims illustrated his point quite well.</p>
<p>I am glad that the talk I will be giving tomorrow at DIDW fits in nicely with this emerging conference theme of freeing identity from the application silos it lives in. Building on the session I did at the Jericho Forum, my session on &#8220;<span style="font-weight: bold; font-style: italic;">Externalizing Identity</span>&#8221; will present a roadmap to how applications will get re-architected to allow decentralization of identity in the manner that Phil and Doc are referring to. I say roadmap because I believe in transition, not quantum leaps. Enterprises want an approach that leverages the hefty investments they have already made in IdM infrastructure. And the identity equation has too many colliding imperatives for a simple solution (at least today). The real solution will come from a partnership between the IdM vendors, the application vendors and the consumer enterprises, as they all accept that identity is an asset and not a commodity.</p>
<p>If you are at Digital ID World, look me up. Or come by my session tomorrow evening at 4pm. It&#8217;s the last session of the day, so I promise not to make it too heavy. But it should be interesting.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/application-centric-idm" rel="tag">Application-Centric IdM</a>, <a href="http://blog.talkingidentity.com/tag/digital-id-world" rel="tag">Digital ID World</a>, <a href="http://blog.talkingidentity.com/tag/identity-services" rel="tag">Identity Services</a>, <a href="http://blog.talkingidentity.com/tag/user-centric-identity" rel="tag">User-Centric Identity</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2007/09/digital_id_world_kicks_off_wit.html/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Phil Becker identifies the top 5 Identity Fallacies</title>
		<link>http://blog.talkingidentity.com/2006/06/phil_becker_identifies_the_top.html</link>
		<comments>http://blog.talkingidentity.com/2006/06/phil_becker_identifies_the_top.html#comments</comments>
		<pubDate>Tue, 13 Jun 2006 20:22:50 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Digital ID World]]></category>
		<category><![CDATA[Identity Fallacies]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=16</guid>
		<description><![CDATA[Phil Becker has written an interesting series of articles about the top 5 fallacies which appear and reappear in identity discussions, technologies and deployments. It makes for pretty interesting reading, so check it out at the Digital ID World Blogs. I wanted to comment on fallacy #3: Centralized Management Means Centralized Data. In his article, [...]]]></description>
			<content:encoded><![CDATA[<p>Phil Becker has written an interesting series of articles about the top 5 fallacies which appear and reappear in identity discussions, technologies and deployments. It makes for pretty interesting reading, so check it out at the <a href="http://blogs.zdnet.com/digitalID/">Digital ID World Blogs</a>. I wanted to comment on fallacy #3: <a title="Permalink" rel="bookmark" href="http://blogs.zdnet.com/digitalID/?p=37">Centralized Management Means Centralized Data</a>.</p>
<p>In his article, Phil argues that current identity management projects preach centralization of identity data in an effort to gain centralized management and control. The fluid nature of identity, and the way in which its daily management is distributed (<span style="font-style: italic;">delegated</span>) among different entities in an enterprise, means that centralization efforts will be doomed to suffer from ineffectiveness and failure since they are in essence at odds with the realities of the business.</p>
<p>I agree with Phil on this point when one considers centralization of identity data for operational purposes. However, I will draw a distinction between centralization and aggregation of identity data. Centralization tries to promote a reference model, fundamentally changing the operation of the distributed enterprise. Aggregation is not as invasive, and is more an ETL operation aimed at creating a centralized <span style="font-style: italic;">view</span> of the enterprise.</p>
<p>Aggregation of data is necessary when considered for specific types of management applications that need centralized infrastructure. Two big use cases very popular right now are driven by compliance needs &#8211; attestation (aka recertification), which I have touched upon in previous posts, and enterprise-wide SoD (separation of duties) enforcement.</p>
<p>A complex application like attestation cannot succeed in a virtualized environment. There are technical reasons for this &#8211; the ability to pull up the distributed data when needed in a form is not practical, no matter how advanced virtualization gets. There are also business reasons for this &#8211; attestation requires temporal integrity of the data, which cannot be guaranteed in a distributed environment. So data aggregation will occur. Enterprise-wide SoD, which crosses a lot of the boundaries that the distributed environment has, also requires some measure of aggregation in order to be practically achievable.</p>
<p>Phil says &#8220;The shift from a directory-centric view of identity management to a provisioning-centric view of identity management is the first step down this road&#8221;. Provisioning systems provide a single, standardized mechanism by which the flow of identity data into the enterprise starts.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/digital-id-world" rel="tag">Digital ID World</a>, <a href="http://blog.talkingidentity.com/tag/identity-fallacies" rel="tag">Identity Fallacies</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2006/06/phil_becker_identifies_the_top.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

