The session had a nice flow to it, starting with a vendor presentation (Oracle, of course), followed by an analyst presentation (Bob Blakley and Lori Rowland from the Burton Group) and concluding with a customer presentation (our old friend Ramin Safai from Barclays Capital). Getting to discuss identity management from all points of view was quite a valuable exercise, and I gleaned lots of useful nuggets.

Security Inside Out

Amit Jasuja (who heads up the Identity Management team at Oracle) kicked off the day by talking about “Security Inside Out“, Oracle’s new message on putting together a complete security practice by bringing together Database Security, Identity Management and Information Rights Management. Weaving all of these elements together allows an enterprise to get a complete handle on the nature of their security risk across all tiers – database, middleware and application – and in all contexts – data at rest or in motion, internal users vs. external users, and so on. This led to a lot of discussion on moving towards risk-based identity management, which can be more adaptive to an enterprise’s needs and allow identity management to be a business enabler, not a hindrance.

One of the concepts I particularly liked was using identity management to enable “Break The Glass” scenarios that allow for contextual security decisions. In such a scenario, a user who ordinarily does not have access is allowed to get access but with added controls (like heightened audit, approval and attestation) to address the unique, emergency-like situation that presents itself. Being able to adapt to sensitive contextual situations without sacrificing on security and compliance is a powerful message that resonates in the enterprise world. Another topic that proved fertile for conversation was for risk-based IdM to leverage One-Time Passwords delivered via SMS or over land-line phones in order to implement higher levels of identity assurance (LOA). As two-factor authentication goes, enterprises increasingly view this as an attractive way to increase levels of assurance without having to invest in tokens and biometrics.

Complete Security

The Burton Group team talked about the state of identity management in the market today, especially emerging trends and hot-button topics. Lori validated my observation that cloud computing is going to have a huge impact on the future of identity management, and gave a nice shout out to my OpenWorld session on the topic. One of the interesting takeaways from their talk was this point that Bob made about achieving complete security: An enterprise needs to have preventive controls that allow business to be conducted as usual but flush the bad guys into the open, where detective controls can identify them and their activities, which would then allow responsive controls (aka the cops) to take action.

Down In The Trenches

Ramin then gave a customers perspective on implementing identity management – from “down in the trenches”, as he called it. There were a lot of good lessons in his talk – about scoping the project correctly and dividing it into small, achievable mini projects that demonstrate ROI, about the processes and architecture they put in place to ensure success of the project, and some of the achievements they had with their IdM implementation, especially when Barclays acquired Lehman Brothers. One of the major points made in the room during discussion was that security within the enterprise needs to be driven top down by an “Executive Governance Board” in order to achieve  consistency and completeness. It cannot be done piecemeal at the IT level.

I love taking part in sessions like these, as it is great to be able to hear so many different perspectives. And thanks to Greg Belanger from the Apollo Group for giving me a shout out during the analyst discussion on Oracle’s differentiators in the identity management area. The point he was making about Oracle demonstrating vision in IdM is an important one that we are very serious about here, and I am glad to be a small part of that.

Tags: Identity Assurance, Identity Controls, OOW09, Oracle OpenWorld, Risk Management

Application-Centric IdM Goes Mainstream
One of the cool things for Oracle is that Burton has actually identified “Application-Centric Identity Management” as a legitimate methodology in the identity management space (in contrast to System Management methodologies). I have been blogging about this for a while now, as this is the main philosophy at Oracle. Of course, the reason for the elevation from buzzword to legitimate methodology is the wave of application vendors like Oracle, Microsoft and SAP that are entrenched in IAM now, and are working towards the creation of identity as a well-defined aspect of application development in their own applications and in the development environments they provide. This was reflected today when they took the stage in succession to explain their vision and strategy in the IAM space.

Federation Evolving
One of the interesting themes of the first day sessions was an exploration of the relationship between federation and user-centric technologies (like OpenID), and their impact on both consumer and enterprise environments. After starting with a hard look at how traditionally understood federation is doing, the discussion transitioned to the state of progress in user-centric identity technologies (through a characteristically entertaining presentation by Dick Hardt). Burton made the point that loosely coupled identity provider and relying party networks, connected via user-centric technologies like CardSpace and OpenID could change the way enterprises handle the problems that today rely on legally and procedurally heavy federation mechanisms.

The Theme For This Year: Identity Controls
Mike Neuenschwander did not disappoint the crowds yesterday with a hugely entertaining sketch involving Captain Controls, a superhero that I hope will become a recurring character (Go here to see a video of the sketch posted by IdentityWoman Kaliya Hamlin).

Captain Controls challenges Mike

And while it was entertaining, it beautifully illustrated the emergence of the latest buzzword in identity management – Identity Controls. Briefly introduced on Wednesday, the topic was thoroughly explored on Thursday through sessions that took on the emerging technologies in Enterprise Role Management, Entitlement Management (aka Authorization Services) and Identity Audit, a group that Burton has acronymed PPM (Policy and Privilege Management). It represents the next step in the continuous evolution of IAM from an IT concern to a Business concern, and reflects the growing importance of IAM in the area of corporate risk management and governance.

Microsoft and Oracle Get It; SAP Not So Much
The message of Identity Controls was further consolidated in the following presentations by Microsoft, SAP and Oracle. These sessions were revealing in that they showed the maturity of Microsoft and Oracle in the IAM space, while SAP is still trying to catch up. I’m sure this will be dismissed as a biased opinion, but my (some would say surprising) admiration of Microsoft’s new IAM philosopy will hopefully negate that. From the tone and content of the sessions, you could see that there is a huge gap between the deep understanding of IAM that Oracle and Microsoft have, and the early stages SAP finds itself in. SAP did get the GRC market going through the Virsa acquisition and integration, but they only recently seem to have realized the importance of identity in the controls business. It was illuminating that while the Microsoft and Oracle presentations both went into great detail about their vision for identity as an integral component of application architecture, the SAP talk concentrated on what they have learnt from their customers and on touting their recent MaxWare acquisition.

Oracle SVP Thomas Kurian explains Oracle's Application-Centric IdM

The second half of the day concentrates on Identity Services, something all of you know I am passionate about and am helping drive within Oracle. Phil Hunt of Oracle will be on a panel discussing the notion of identity as a service. Should be interesting.

Tags: Application-Centric IdM, Burton Catalyst Conference, BurtonGroupCatalyst07, Identity Controls, Identity Services, Oracle Identity Management, User-Centric Identity