In his post, Bob talks of Google trying to do social with an eye on the lucrative targeted advertising dollars that Facebook is currently hogging. This is the motive I alluded to at the end of my post as well. But things (appear to) have become a bit clearer here (albeit still speculation). During an interview with NPRs Andy Carvin, Google CEO Eric Schmidt didn’t throw out the usual pro RealName arguments about maintaining civil discourse online and such, but basically talked about Google’s ambition to be an identity service – a platform on which commerce and government services can run. And for such a platform to be widely adopted and billable, the data needs to have a certain fidelity – no different than the kind of identity stores we build within enterprises today.

Google already has such an identity platform – it’s called Google Profiles. If you’ve ever created a GMail account for any reason – as a GMail user, to enable an Android phone, for using Picasa – you have a Google Profile. The problem is that these service-derived profiles are of low value to the user, created only to get on to the desired service, and so they are never maintained and have low data quality. And like in a lot of enterprises that engage in identity administration and provisioning projects, Google has to deal with multiple identities per person that need to be linked and correlated. If doing that is hard in the enterprise space, imagine how hard that is do in the personal space where users not only have no reason to facilitate this, they actively engage in keeping some of these profiles separate and distinct. Just in writing this post I noticed that mine still reflects my Oracle position – unlike my LinkedIn, Twitter and Facebook profiles. The common thread through those three services that I kept up-to-date? They’re social, an extension of me into the online world.

That’s why Google+ is so important to Google’s aspirations for Google Profiles. Google wants to use social as the honeypot that draws in all those users and keeps them highly engaged and motivated to keep their data up-to-date. They see how well this is working for the Facebook identity platform and want to replicate that success. But here’s the disconnect – Facebook got to this spot organically. While Zuckerberg may be a visionary in many aspects, his first priority when building Facebook was to build a social network where people would hang out. As the social engagement increased the number and fidelity of identities in Facebook’s database grew as well, The team then pounced on the opportunity to build a platform out of this. In true engineering-driven style, Google is reverse engineering this – seeing where they want to get to and trying to replicate the same path, but instituting fixes that short circuit what took Facebook years to do. Except that there are no shortcuts.

The trouble with social is that it is social – with all the norms, behaviors and expectations that come with that. You cannot re-engineer that overnight (Facebook is being far more successful in doing so using far more insidious means). Facebook also has a policy of Real Names, but it realizes that to make the social work you have to cater to the psychology of the users. So there are no identity verification processes, no automatic suspension of accounts and schemes that entice us to provide real data instead of telling us to do so. The fidelity of the data is proven by it’s socially verified reputation, not because there is a policy document that can be pointed to (at the end of the day, a much more robust and legitimate mechanism).

Do you know what you get if you feed a tribble too much?

Google may think that social is all cute and cuddly, but they may be about to find out that it’s a completely different beast that could clog up their systems. Meanwhile, the battle for our online self-determination will continue. IIW XIII should be a lot of fun.

Tags: Digital Identity, Facebook, Google Plus, Google Profiles, Google+, Identity Services, IIW, NymWars, Privacy, Pseudonymity, Real Names, RealName

I’m not a Lebron James, so I can’t really drag this out for an unnecessary 5 paragraphs (though I do feel like I am joining an All-Star team). So here it is. Starting today, I am going to take my talents (be what they may) to Moonachie NJ and join Identropy.

For a while now I’ve been wanting to get back into startup mode, to really tackle the identity management problem the way I want to. These are interesting times we are living in, as they say, and there is a real opportunity to turn this space on its head. And I’m going to get that chance now, as Chief Architect in a company that has all the necessary elements in place – a crackerjack team, innovative thinking and an unwavering focus on the needs of the customer. They’ve already had one incredible and unique solution – SCUID Operations – come out of that approach, and I’m excited to see what I can bring to the party.

Like I said in my farewell post, the number one thing for me is the team, and Identropy is an incredibly talented and passionate group of individuals working towards one vision. I’ve worked with some of these guys in the past (and didn’t hold it against them when making the decision to join), and have interacted with others over the years in this little community of ours. I’ve always had a deep respect for their expertise and commitment, and love that they’re the kind of people you want to go out and have a beer with at the end of a hard day. The relationships they have built with their customers are enviable by all standards. And they have an open, collaborative culture that should be fun to work in.

I am really looking forward to what we can accomplish together. It should be one hell of a ride. Of course, all my other nonsense – Twitter, this blog, the conference circuit rounds – will continue as before without interruption. I’ve only just scratched the surface of what I’ll be working on, and will definitely be sharing more in the coming weeks. But if you want an in-person take, grab me in Keystone or in San Diego. Be warned though – you may have to be the one buying the round (I am back in startup mode, after all). See you there.

Tags: Cloud Security, Identity Management, Identity Services, Identropy, Identropy Identity Management, Managed Identity Services, Personal, SCUID

For a while now, I (and others) have talked about how Identity is the glue that will tie together the fabric of an increasingly commercialized (read: cloud-ified) IT environment. The offering of features like SSO from inside the corporate environment, an identity hub, lifecycle management of accounts and activity monitoring for compliance and audit purposes is about the potent combination of security, user empowerment, agility and meeting business mandates. A gateway sitting between internal identity management systems and the cloud can provide a powerful command and control center for Corporate IT to manage the application sprawl that they feel is descending on them, while still allowing the enterprise to empower their users with the apps and tools they want.

And if VMWare Horizon App Manager can become the identity platform for the enterprise’s cloud-based infrastructure, then this will also make VMWare’s virtualization technology more easily adoptable (read: attractive) to enterprises as well.

There were already a few players in this space, notably Ping Identity and Okta. Now, as Robert Scoble pointed out, a heavyweight has joined the fight for the hearts and minds of the next generation of Corporate IT. With Google starting to make some moves in this space that are squarely aimed at advancing their mindshare beyond the startups to enterprise level customers, this is going to get really interesting.

Speaking of glue, I’m going to be at Gluecon next week. It will be interesting to see how much identity plays a role in the discussion of whats tying together services in the cloud. At least I hope it will be more than just Paul Madsen pontificating about OAuth. I’ll be there to represent the identirati, but most importantly to learn. Hope to see you there too.

Tags: Cloud Computing, Cloud Security, Enterprise Identity, Gluecon, Horizon App Manager, Identity Hub, Identity Services, SaaS, SSO, TriCipher, VMWare

The deck I presented (with audio) is below. Check it out and leave me your comments.

Tags: Entitlement Management, Identity Services, Security Architecture, Service-Oriented Security

Matt Flynn brought to my attention an article in which Dale Olds talks about the need for hosters (companies that provide the platform on which you deploy your Cloud/SaaS applications) to provide identity services (and as Matt points out, security services in general) as part of their offering.

<Side Note>No, I do not have a vendetta against Novell, though these last few blog posts may make it feel that way. I actually really like the Novell gang – Dale, Ben and Nick Nichols among others – and for the most part completely agree with their views on identity.</Side Note>

Now, I am with Dale for the first half of the article. Developers of these cloud applications just want to focus on the business logic that is at the core of their service, and not have to worry about the plumbing items, which would include identity management. This is fundamental service-oriented security principles at play, and the survey Dale mentions reflects this (I would argue that even the one-third of SaaS vendors that said they want to handle identity themselves are either saying so because they don’t know what’s involved or are just not happy with what they are getting from the platform and embeddable components). A good set of identity services goes a long way in making applications agile and more acceptable/appealing to customers.

But then the article talks about hosters using identity services as a way to make their platform sticky, because if the platform owns the user accounts for the service, then the service will be hooked. I actually envision the opposite of that when I think of identity services in the platform – identity services making it possible for the SaaS vendor to switch between platforms easily. What is being described sounds like an Identity Provider, which is a business service, not a platform service.

What the platform should provide, and what most enterprise customers would want, is an Identity Hub service, as opposed to an Identity Store service. This allows the customer of the SaaS application to plug it into their enterprise identity store (usually a corporate LDAP system, but it could also be their Salesforce user store) and also accept incoming identities over the wire, while still freeing the SaaS vendor from having to manage identities. In this model, the stickiness for the hoster comes not from owning the user accounts, but from the QoS of the identity services they are providing to their customers (the SaaS vendors and their delegated customers). It also doesn’t force a SaaS vendor to be married to one platform.

Now, I am going to be a little presumptuous here. Having spent some time with Dale, and knowing his past work, I think that he believes in the view I am taking as well. The article seems to be discussing the topic of identity services from a particular angle, which is that there is currently a market opportunity for hosters to leverage the lack of good (non-enterprise) Identity Providers to make their platforms more sticky. It is absolutely true that platforms can (and are actively seeking to) make themselves sticky by owning the accounts; Dale points out that this is exactly what Google did by leveraging GMail as the gateway drug (see, I told you the metaphor works). But as Google seeks to penetrate the enterprise market deeper, even they are recognizing the need to support federated identities as a necessary step for viability. (UPDATE: An old blog post of Dale’s actually clarifies this, and in essence agrees with the view point I am stating here – exactly as I thought he would )

Bob Blakley has long mused about what business models would make Identity Oracle’s viable. And the simple truth is that  platform players like Google or Force.com that can leverage an identity-rich business service that they also have are ideally suited to be trusted Identity Providers. But while a big platform player can certainly be a good Identity Provider, not all hosters should need to be Identity Providers to be successful. Instead, standards based identity services would be a great asset for hosters that want to be sticky (by being the best platform to deploy on) without having to take on the onerous task of being an Identity Provider (which has its own challenges) or passing on those responsibilities to their customers (which is what mostly happens today). And it would be an asset for SaaS vendors that want to have the freedom of choice that we all crave, and that want to be able to work with their customers identity infrastructure. As Dale says in the article:

You see, people can move an application from one host to another without much trouble.

Now, isn’t that a good thing, and something that we should be aiming for?

Tags: Cloud Identity Model, Identity Services, SaaS, Service-Oriented Security

In the podcast, we cover

• What are the key security concerns about cloud computing
• How security requirements vary between Private and Public Cloud models
• Key IdM technologies for securing the Cloud
• The relevance of Service-Oriented Security to the Cloud
• Best practices for approach Cloud Security
• Open standards for the Cloud

And if you’re interested in learning more about Oracle security products, sign up for the newly launched Security Inside Out newsletter, focused on identity management and security topics and products.

Tags: Cloud Computing, Identity Services, Podcast, Service-Oriented Security

OK! So being at a conference (Cloud Computing Expo in NYC, where Oracle is making big waves with announcements in the PaaS space) where I had no wi-fi or power meant that I was trying to follow the big xAuth announcement via Twitter on my iPhone over 3G – note exactly the easiest thing. And after participating in a flurry of twittersations yesterday, I spent time this morning catching up on all the first take blog posts on it. It’s clear that the other word that the ‘x’ could stand for would be “xtremely polarizing” (fine, that’s two words, but since when has that been an issue for Colbert on ‘The Word’!).

I like to think I am a realist, and my initial take on the xAuth idea was that it was a good idea necessary to solve the usability issues holding back the widespread adoption of federated consumer authentication. The usability issue in question is the old NASCAR issue (you can read a good overview of the issue here, but the image below speaks a thousand words) which either causes clutter and user headache, or favors the big players in the IdP space.

Faced with this, you can understand why application developers get all clingy about the old “username-password” form – it’s simple and well understood by users, no matter the security and identity management challenges it creates.

To me the solution is conceptually simple: when I land on a page that supports IdP based authentication, there should be a way for the UI to display just the icons for IdPs that I use. This could be based on (1) my previous usage history across the web, (2) an explicit list I have set up somewhere, or (3) preferences I set up on the RP site the first time I went there. Solution (1) obviously has huge privacy implications, and becomes a non-starter in most discussions for that reason. So I was intrigued when it seemed like xAuth might be tackling approach (2).

Since then my enthusiasm has been dampened a bit after digging a little deeper. And the take from folks I trust in such matters has been cautiously pessimistic. The idea of a central service that any RP can ping to find out what IdP choices to display to a user appeals to me, but the big thing missing from xAuth.org (the proposed central service) are the user protections and controls that I feel are necessary.

• First off, participation must be Opt-In, not Opt-Out (there seems to be universal agreement on this, except from the RPs – as Pamela points out).
• Secondly, the setup should be an explicit white list with layers: Here are the 4 IdPs I’d use by default across the web, but here are 2 more I will consider for specific RPs or classes of RPs (which I could select from a pre-defined list of participating RPs at xAuth.org), and so on.
• And finally, this needs to converge with the Identity in the Browser movement, so as to solve the shared computer as well as the privacy issues (pertinent to unintentional information sharing with the RP) that emerge from this model.

I don’t like dismissing any proposal right off the cuff because of flaws that may not have been worked out yet, so I am hopeful that the energy and discussion I am seeing on xAuth right now continues to push it (or a suitable alternative) in the right direction. At least it has the identity community abuzz, and given the hole that this weeks postponement of Catalyst Europe left in our schedules, that’s a good thing.

Tags: Authentication Services, Federated Consumer Authentication, Identity Services, User-Centric Identity, xAuth

But as Mark also points out, “…it (or something like it) is desperately needed“. Because access provisioning is still the most complicated engagement in any identity management project, and the biggest complexity currently comes from the need to develop, customize, deploy and maintain connectors to hundreds, even thousands of systems. The cloud amplifies the issues to emerge, since without standardization, an enterprise simply will not be able scale out to meet the management needs of their environment.

At Oracle, we have been talking about Service-Oriented Security for a while. The idea is simple – all the security functions, which includes identity management, need to take the form of discrete, easy to consume, standardized services that are part of the platform on which applications are built. This has always been an easy concept to understand when discussing certain service categories like authentication. But provisioning has been a tougher nut to crack.

Provisioning systems today add a vital business process layer to your identity management deployment, dealing as they do with the lifecycle management of identities and the orchestration of policies, rules and workflows around that. So even in a future where architectures will rely on the “pull” model (as Bob Blakley has been talking about), there will be a need for the more complex applications to interface with a provisioning service (different from the attribute service use case) to deal with lifecycle management issues around application access. This is where we believe the next iteration of SPML (however radically different it looks) needs to fit in. This idea is illustrated in the figure below.

This is one of the challenges we have been trying to solve as part of our Fusion architecture project. Do we have it solved? Well, we’ve started the journey at least. Asking applications to come around to a new architecture and way of thinking takes time. And we have to remember that there are still a lot of applications that will not be dropping their user tables and identity silos any time soon, so we have to be mindful of accommodating those applications as well.

Is SPML on life support? Not quite, judging from all the RFP requests that still ask for it to be supported. But it desperately needs some energy to be put behind it. And it needs to adapt to these new architectures, new use cases and the ecology of standards that is far out-pacing it. I believe Oracle (led by folks like Prateek Mishra) will be looking to take some leadership in the evolution of the standard. Let’s see if we can turn things around.

Tags: Identity Services, IdM Standards, Provisioning, Service-Oriented Security, SPML

Unfortunate coincidences on the title aside, the overall response to my session was quite positive, especially from folks whose opinions I really respect like Bob Blakley and Lori Rowland from the Burton Group. There was general agreement that widespread adoption of Cloud Computing is going to be a major disruption on the existing evolutionary path that Identity Management has been following. And adoption of the Identity Services model is a major component to readying IdM for the Cloud.

Check out the screencast (slides with audio of the session) of my session below. Registered attendees of OpenWorld can download the presentation itself and the MP3 audio recording of the session from OpenWorld On-Demand (just login with the Username and Password you created during your OOW registration).

The audio includes the questions that were asked of me, and turns out that the questions didn’t record well and I forgot to repeat them. Hopefully my answers are cogent enough that you get an idea of what questions were asked. I did want to follow up here on this blog post a few of those answers:

• A question came up regarding the licensing terms for Oracle IdM products when they are being used in a cloud environment (specifically, by organizations that are going to be Cloud Providers of Identity Services). The biggest challenge for such organizations is that they cannot accurately estimate the number of users, or other such variables licensing is typically based on, beforehand, which creates uncertainty for them as to the cost they will have to bear. After the session, I confirmed with our PM team that there is special licensing available for ISVs. Talk to your Oracle sales rep about this if interested.
• Another question came up regarding the impact of all this on standards like SPML. I believe my answer covered my opinion on the greater emphasis the cloud identity model will put on the evolution of these standards, especially SPML, which has been languishing. Follow up conversations with some of the original architects of the SPML standard and others involved in standards efforts brought up that the communities responsible for these standards are looking at this very hard and are gearing up efforts to address this. So stay tuned for more on that.
• A question was asked regarding Just-In-Time Deprovisioning of access to cloud-based assets. This is something I discussed quite a bit in a blog conversation with folks like Ian Glazer and Pam Dingle a while back. So check out that post and the related thread.

Tags: Cloud Computing, Cloud Identity Model, Identity Services, OOW09, Oracle OpenWorld, Oracle_IDM

• Session ID: S309525
• Location: Moscone South Room 308
• Date and Time: 10/12/2009 | 11:30am-12:30pm

Below is the abstract for the session, in which I plan on expanding a great deal on the presentation I did in the webinar with KuppingerCole:

Cloud computing is about to revolutionize enterprise IT and architecture. But leading industry analysts see security as a gating factor preventing enterprise adoption of cloud solutions, as enterprises grapple with the unique characteristics of cloud security and the challenges of compliance and governance. This session outlines key identity management considerations for evaluating a move to the cloud. It discusses how enterprises can leverage their existing identity and access management infrastructure and the principles of service-oriented security and standards-based interactions to secure their assets in the cloud. It also looks at the prospects for identity management as a service and how it will affect cloud computing’s future.

As I prepare for my talk, I found myself revisiting some of the previous talks I gave at OpenWorld the last few years. It was very interesting to see how my vision for Identity Services has evolved over that time. I found it a most amusing exercise, so I thought I would extend the courtesy to my readers. To that end, I have uploaded my previous OpenWorld presentations to my Slideshare page (you can also get to them from the links on my Speaking page). I can’t believe I thought the Love Guru angle was a good one to take for a tech talk

If you are going to be attending OpenWorld, you can pre-register for my session using the Schedule Builder tool for OpenWorld attendees. And as always, ping me on email/LinkedIn/Twitter if you want to meet up that week. Look forward to seeing you there.

Tags: Cloud Computing, Identity Services, OpenWorld, Oracle OpenWorld