I’m not going to recap all the interesting sessions that I attended. If you followed my twitter postings (and a big “Hi and Thank You” to everyone who tripled my following last week by connecting, including some folks who signed up for Twitter just to follow me), you got a sense of what was being talked about, and my thoughts on the same. For some great reporting on the key sessions, read Mark Dixon’s blog postings (this post is a map to the various posts he has written covering the conference).

I’ll simply present what I saw as the theme of the conference: Reality Hits The World Of Identity. People are realizing that the only way this identity stuff is going to work is if the online experience and constructs mirror how we operate in the real world. And this opens up a whole set of new areas to explore.

You Complete Me
A key realization that is taking hold is that relationships must be made a key part of the fabric of identity, and that relationships can form the trust basis for identity related transactions. While I don’t completely agree with Jamie’s assertion that a lot of work in the real world happens before any contracts are drawn up (no contractor can even begin work for Oracle until a contract is signed; similarly I can’t work for Oracle and get access to systems till an employment agreement is in place), I do recognize that the value proposition of transactions is a continuum, along which are different levels that require different levels of assurance. Assurance can be built up over time as a function of relationships (user is related to this company, user has X friends, user is certified by this identity provider, etc). Eve Maler gave a very interesting talk on how relationships can be nurtured and made available in the online world, and connected it to some of the work being done on R-Cards and Project VRM.

I Need An Authority Figure
Another sign that real world concepts are seeping into the online world was the increased discussion on the topic of Identity Proofing, and the externalization of Authoritative Identity Providers. Just like in the real world, companies are realizing that in order to scale  and distribute liability, they would like someone else to be responsible for vetting identity data and providing a validated, trustworthy identity into their environments. This is the first sign of a legitimate market emerging for the Identity Oracle that Bob Blakely has defined, and that I have discussed so often in the context of Identity Services. The Liberty Alliance has jumped in here to help out by proposing an Identity Assurance Framework (our old friend Frank Villavicencio is co-chair of the effort) that can define a trust language in this context. And everyone knows that I consider the work being done on the IGF a critical part of such an infrastructure.

I Got Your GRC Right Here (Not!)
Burton decided to take the IAM vendors to task for using GRC as a crutch to sell all manner of products. Referring to GRC as a four letter word, Bob attempted to blow up the myths surrounding GRC and posited that all the bluster around GRC has made companies lose sight of what they really need to address. He stated that each discipline conflated within GRC should be looked at independently by businesses with regards to its objectives, and that tools and processes should be put in place that address the specific needs identified. The message was clear – there is no such thing as a GRC product; instead there are a multitude of products that provide tools for addressing specific problems that fall under one of these disciplines, and enterprises should take a fresh look at what GRC means to them and how to approach it.

For me, the highlight of the conference was the talk by Nick Leeson, the securities trader who brought down Barings Bank. Not a technical talk at all, his explanation of how his actions exploited failings in the areas of governance and compliance drove home the point about process and tools being complementary parts of the puzzle.

The rest of the conference had some interesting announcements and decent discussions on the usual topics of Authentication, Provisioning and Role Management. I did what little I could to break the monotony and generate some controversy, but I’ll cover all of these in my upcoming posts.

Tags: Burton Catalyst Conference, BurtonGroupCatalyst08, GRC, Identity Assurance Framework, Identity Governance Framework, Identity Oracle, Identity Proofing, IGF, Nick Leeson, Relationship Management

Kim Cameron read the article and the following blog posts about it, and equated the Identity Oracle to a Claims Transformer in his post about the article. Bob corrected everyone’s understanding on the definition of the Identity Oracle in a blog post called, bluntly enough, “What the Identity Oracle Isn’t“.

Identity Oracle as Business Service
Bob points out that the Identity Oracle is not a technology but rather a business service that other identity-based online services can subscribe to in order to get the identity data that they need. I tend to think of it as a Visa or Mastercard service for my identity data. Individuals (or anyone/anything with an online identity) can sign up for the Identity Oracle to be their agent in online transactions with identity-based services. An important part of Bob’s thesis is that the Identity Oracle’s business be restricted to this act, completely divorced from the consuming services, so that it’s core business model makes it sole guardian for the identities it is charged with, inherently making it good at protecting our data and our privacy.

I was in the middle of writing this post when I saw Dave Kearns blog an endorsement of Bob’s sentiments in his post on the topic. In it, he does allude to the need for an underlying infrastructure to deliver such a business, which is exactly what I am talking about.

Identity Oracle for SOA?
Bob makes an extremely good point in his post that we must not reduce all discussion on IdM to ones of technology. And since naming issues have always been a problem in the identity community, I am going to move swiftly to delineate the Identity Oracle business service that Bob is talking about from the technology component I introduced in my talk at DIDW (you can download the presentation from my media library).

This technology component starts as an Identity Provider, able to retrieve identity data from the multiple authoritative sources that exist for that data. But it goes well beyond this basic notion of the IdP that we are all familiar with in the federation construct. It adds the following necessary features to its capabilities:

• Support identity data stores and user-centric identity tokens as identity data sources in online environments
• Support for both definitive (date of birth) and derived (over 21, legal age, can buy alcohol) identity data
• Provide a declarative Governance Model for how identity data is made available and consumed (fits in well with the IGF concept being discussed)
  • Support for Identity Data Discovery by consuming parties (again, subject to the governance model)
  • Support for providing Usage Constraints on the Identity Data to consuming parties
  • Support for Privacy, Regulations, Compliance constraints
• Pub/Sub Models to support caching and cache invalidation of Identity Data in consuming services
• Schema Mapping from source schema to consumer schema (because lets face it, a universal identity schema will NEVER happen)
• An easy-to-use Online Service by which the identity owners (the person whose identity is being hosted, the administrator for the application that is contributing some identity information) can manage the governance, privacy and consumer rules for the identity data they have rights to manage
• A Claims-Based API for application and service integration
• Other fancy features like a translation layer

The Identity Oracle/Provider for SOA

The guiding principle for this technology component is the Principle of Least Knowledge (every identity consumer operates on a need-to-know basis). This component is an important part of the Identity Services architecture, providing the technical underpinnings of the kind of business solution that Bob is referring to. However, it is not as easy to develop as Dave and Bob seem to think (I have had way too many customers talk to me about this), and it is not restricted to the Identity Oracle use case.

The need for this technology is evident in todays discussions about how identity (as a functional component) can be incorporated into SOA models for application design. Externalizing identity from application design is a necessary first step to get to the point where services can rely on things like an Identity Oracle for their data. And as we have seen in other areas like federation, it is entirely possible that the first experiments and breakthroughs will occur in internal environments before the idea is expanded to the wider net environment.

What’s in a name? A lot (I think)
In my presentation, I had tried to distinguish this technology component from federation Identity Providers (which have their own connotation and baggage) by calling it an Identity Oracle. Now I know better . We all know that naming issues have caused a lot of trouble for all of us in identity management. So. if we are not to call this technology component an Identity Oracle, then what do we call it? Contextual Identity Provider? Identity Vault? Identity Brain? Identity Provider for SOA? Suggestions are welcome, so send me your comments.

Tags: Identity Hub, Identity Oracle, Identity Services, Personal Identity Management, User-Centric Identity