Tags: Entitlement Management, Gartner IAM Summit, Oracle Identity Management

The deck I presented (with audio) is below. Check it out and leave me your comments.

Tags: Entitlement Management, Identity Services, Security Architecture, Service-Oriented Security

Day 1: A focus on IdM evolution

I don’t know if this was par for the whole conference, but at least in the IdPS track, each half day was devoted to a particular theme. The first half of day 1 was a landscape update as usual, and focused on some of the interesting developments in the space, like Oracle’s pending acquisition of Sun (that’s all I’m going to say on that topic), the integration of DLP (data leakage prevention) with IdM programs, and the emergence of some commercial Identity Oracles.

I especially liked Bob Blakley’s discussion on Identity Services, since it resonated with a lot of what I have been talking about on this blog and the work I have been doing at Oracle. In his talk on the subject, Bob pointed out that cloud-based identity services will challenge the fundamental architectural notions of IdM infrastructure. The large blocks of IdM functionality that we are used to – access management, provisioning etc – will get broken down into smaller, modular pieces – like identity proofing, enrollment, identity risk assessment, breach remediation – that can interplay within enterprise environments as required. This is pushing the market towards smaller, specialist vendors that handle specific services rather than the large IdP that is a one stop shop for all identity needs. And these services have to work in concert with each other to provide the enterprise the value they are looking for. The vendors that have emerged in this space are delivering their services via various deployment models – ranging from on-premise SaaS to cloud-based services – but mostly stick with the per-user/per-transaction billing model. And all of them are going to get a big push when some of the cloud security issues currently holding enterprises back get resolved.

The second half of the day focused on a big part of IdM’s evolution – the mainstreaming of role management and the ascending discussion on the nature of Entitlement Management. Role Management is now widely accepted as an important part of any comprehensive identity management practice, and Kevin Kampman’s talk on the subject highlighted the importance of positioning it as a business problem instead of a technical problem. In discussing the results of a survey Burton conducted with customers that did role management projects, Kevin laid out the premise that the tools are actually secondary when it comes to implementing role management. First and foremost is the need for customers to understand the business processes that impact the design and use of roles, and document the same so that a practice could be built around them.

And as role management has taken hold in the conscious of IdM practitioners everywhere, entitlement management is rearing its head as a disruptive topic. In what was a theme for the conference, Burton laid out a terminology issue that exists around the term “entitlement management”, which is often used to describe tools that deal with runtime evaluation of fine-grained authorization decisions (like what Oracle Entitlement Server does), and neglects the lifecycle management practice around entitlements and their assignments. As customers dig deeper into their role management projects, they are finding that what they really want to do is entitlement management. And the tools to help with the lifecycle side of this equation are just not there.

The day finished at the hospitality suites, where a lot of the evolution being discussed here was on display. There was also a very successful interoperability event demonstrating SSO for cloud-based applications, a first step towards management of the extended cloud-based enterprise by enterprise IdM deployments. All in all, day 1 was quite satisfying. But the best was yet to come.

Tags: Burton Catalyst Conference, Catalyst09, Entitlement Management, Identity Services, Role Management

As an abstract identity construct, entitlements model whatever it is in an actual system that allows a user to do some well defined thing. As such, it is a fine-grained access management construct, so Ian isn’t wrong about that. But I think Ian’s post misses the power of the entitlement construct, which is what entitlement management products aim to surface.

An entitlement could simply be the permission to access a URL (typical web access management scenario). It could be the permission to click on a menu item in an application (typical application functional security scenario). It could be the permission to access a particular data record in the database (typical data security scenario). Each of these taken individually is a pretty big deal in of itself, but can be handled by products or features that are already available today.

But in a service-oriented world, where multiple applications get chained together to perform the functions behind a single action a user can perform, the entitlement becomes a hugely important construct. Currently, this would require ensuring that the permissions within every single component are properly coordinated to allow this flow to go off without a hitch. It becomes a very complicated permission engineering problem to figure out how the ensure that the function will work in all cases necessary.

Entitlements provides an abstraction and layer of indirection that eases the problem, unifying the access control equation. In an entitlement management based architecture each service, every tier within the service, every layer within the application, can refer back to the same entitlement and entitlement policy to determine whether or not to allow the function to proceed.

And to provide this kind of cross-service access control, an Entitlement Management product like Oracle Entitlements Server provides the ability to define powerful entitlement policies based on identity, role and contextual data. And while XACML is a necessary part of the architecture that enables a complex deployment to occur, it is just an enabling tool, not what defines the feature itself. In fact, XACML does bring its own limitations to a run-time environment.

Entitlement Management is a powerful tool that can simplify the mess of permissions and privileges that are strewn all over the enterprise landscape. When applications were silos, it was sufficient to deploy a provisioning system that could handle the provisioning of access into these black boxes. But with applications transforming into services and becoming increasingly interconnected and interdependent, role and entitlement management become critical pieces of enterprise architecture that help provide critical control, predictability and uniformity to the enterprise.

Tags: Entitlement Management, Identity Services, Oracle_IDM, Service-Oriented Security

This year, their session will be focused on the area of entitlement and policy management. If you are going to be at Catalyst, it is a great way to spend a day, listening to representatives from companies like Boeing, Cisco, Micron and The US Army share their
insights, experiences and requirements for standards based policy and
entitlement management.

Unfortunately, I won’t be getting into San Diego in time to attend, but Prateek Mishra from Oracle will be there, and of course, Roger Sullivan will be leading the charge as the host. It’s free to attend, all you have to do is register here. Do it, and let me know what you learn.

Tags: Burton Catalyst Conference, BurtonGroupCatalyst08, Entitlement Management, Identity Services, Project Concordia

Predictions are risky business, especially in the slightly schizophrenic world of IdM. On the one hand, things tend to move way too slowly; on the other hand, things emerge out of nowhere to take center stage. So I tend to shy away from making predictions. But I will talk about what I hope to see happen in the coming year. These are not impractical, fantasy wishes that will require me to find a magic lamp buried in the sand. These are things that have a good chance of happening if we as an industry stay focused.

Integrating Risk Management with Identity Management
Recent events have brought to light the need to build comprehensive integration between risk management and identity management software. Oracle’s acquisition of Bharosa last year was a response to marketplace demand to bring more context into the identity management process. There is a better understanding of the complex heuristics that need to become part of identity management decisions, and how to encapsulate them as workflow and rules. The coming year should bring more tools and more capabilities in these areas.

For the longest time, people would talk about integration in the context of product suites. The focus will now shift to integration in the context of pre-canned and pre-defined solutions and workflows.

Role Management Comes Into Its Own
Over the last couple of years, we have seen Role Management become an established part of identity management. But its real value will be realized when it stops being an explicitly deployed and managed part of IdM (a la access management) looking for consumers, and evolves into a business tool that is deployed within the enterprise context of provisioning, entitlement management and ERP. A number of other folks have already challenged vendors to do this, and hopefully a lot of work going on in this area will come to fruition.

The Evolving Identity Framework
There are a couple of things I hope to see happen this year that will help us move towards our ultimate vision of how identity is used.

• The Identity Services message has been very well received every time I have presented it. In the last year I met a number of individuals, like the folks from the Jericho Forum, the Concordia project, and a number of people at various conferences, who are really committed to changing how Identity becomes part of application development and deployment frameworks. Hopefully the coming year will see some concrete progress made in defining the necessary framework architecture that will enable the externalization of identity from applications
• We have seen everybody and their mother make moves to become OpenID Service Providers, especially the big identity silos. Hopefully this year will see an explosion of services that are OpenID Relying Parties, including some of those same big players. The real adoption of OpenID will come not from the glut of OpenID SP’s, but from the widespread availability of services that accept OpenIDs and do not require registration and username/passwords.
• I also hope to see someone take the Identity Oracle concept and create a viable business out of it. It may not explode right away, but it will start to emerge. It seems obvious that the easiest place for this to happen is in social networking applications like Facebook. They already hold a lot of identity information that they then serve to other applications (those annoying, currently non-critical Facebook apps that clutter everyone’s profile). Putting in place more controls on how my information is shared and with which apps, and then opening the walls to outside applications would be a logical progression in the evolution of identity providers for internet applications. I also hope to see the Identity Governance Framework become part of such a control framework in any Identity Oracle.
  And then hopefully at the start of 2009 I will be commenting on my hopes for the acceptance of internet identity framework tools within the enterprise.

Your Hopes
What are your hopes for the coming year? Leave a comment, or email them to me, so that we can add them to this list. and hopefully take notice.

Tags: Entitlement Management, Facebook, Identity Governance Framework, Identity in Social Networking, Identity Services, IGF, OpenID, Personal Identity Management, Role Management

What caught my eye was this post a while back by Securent CEO Rajiv Gupta, that touches on the type of debate one often sees at the inception of rival approaches to a problem. While the RBAC vs. EM debate does not compare to the aggravating Blu-Ray vs. HD-DVD format war, there are similarities in that both are forcing some consumers into a “wait and see” attitude, and emotions fly high whenever this topic is brought up.

Despite repeated requests in the blogosphere I have resisted the urge to discuss EM’s place in IAM, primarily because I did not feel knowledgeable enough about the space to comment on it (people who know me know that I am cautious to jump into any debate, but once I have an opinion I am in it as much as possible). One gating factor in my involvement and a possible factor in the ongoing debate – the lack of industry agreement on what exactly we mean by the term “Entitlement“.

Vagueness in the definition of a term can be to the advantage of the players in the associated space, as it gives them flexibility to sell into more customer scenarios (something we at Thor saw happening plenty in the provisioning space back in the day). But it also engenders the kind of debate now raging, where there are folks who believe that RBAC and EM are rival methodologies to solving the access control problem (remember when access control simply meant SSO?).

Roles and Entitlements are both abstractions that have been created to make access rights management of identities easier. It would seem to me that the difference between the two is one of perspective. Entitlements often encapsulate into a meaningful singleton the set of privileges (usually across different tiers – UI, business logic, data layer) needed to perform a specific action. So the perspective is that of the application. Of course, that does not prevent anyone from breaking an entitlement down into more atomic pieces, or aggregating entitlements up into higher level entitlements (that may span applications). Roles start from the (very human) need to somehow put a descriptive moniker on an identity’s abilities in context (of the enterprise or the application). They therefore tend to be from the perspective of the identity, and in some sense fulfill a social imperative to quantify a person’s context.

If we buy into this argument (and I am not suggesting we do that just yet), roles and entitlements intersect in the middle. One of the problems that existed in the early days of role management (not that we are in late days right now) is the role explosion problem. This existed primarily because of two reasons – (i) the simplified definition of a role as simply another multi-valued attribute and (ii) the need to map roles to low-level privileges. That is why folks implementing roles would end up with the kind of roles Rajiv refers to in his post – “Sales Manager EMEA“, “Sales Manager Asia Pac” and “Sales Manager EMEA before 5pm“. It also was the reason why roles failed as a business description of the context of an identity, since the constituents of the role were unintelligible. As roles have gotten more sophisticated (supporting attribute-based dynamic membership, relationship-based contextual membership, even session data based membership), they have become more usable as tools in the expression of policy.

And entitlements add an extra layer of indirection, making it possible to reduce the complexity of the role definition itself, while providing manageability around the definition and control of access rights from the application developers and application owners’ perspective.

To try and conflate the two is to miss the point. True scalability in IAM is achieved only by putting a delegated model for administration in place. Roles and entitlements allow you to put the right controls into the hands of the right parties. In a simple world, application owners can define application entitlements, business owners can define roles, and governance folks can define the mapping between the two. Of course, the world is seldom simple, and the administration lines start to blur, leading to notions of application roles (the early precursor to entitlements) and enterprise entitlements. And that is where one wonders how all this comes together.

The primary reason behind the debate is encapsulated in a question asked (quite often now) by our customers and prospects – “Where is the ONE place I can go to and see my access policies from end to end?“. And therein you will find the heart of the problem. As long as there are different components in the solution, it is hard to provide a complete end-to-end view. And that is why I do not expect this debate to die down any time soon.

Of course, my views here could be completely off target. I would love to hear your thoughts on this.

Tags: Access Control Management, Entitlement Management, RBAC, Role Management