I wasn’t quite sure what the first panel, “The Next Step of User Provisioning: Identity GRC as a Natural Evolution” was going to be about. On the surface, I thought it was a fairly obvious discussion topic, since the Oracle Identity Manager product has pretty much seen this evolution in it’s lifetime, where provisioning deployments went from being about IT efficiency to supporting compliance activities like attestation and reporting. Heck, back in the Thor days, we had an offering called Xellerate Audit and Compliance Manager that supported the model of building up the “Who-has-What” identity warehouse first so you could roll out attestion and compliance reporting before embarking on an automated provisioning and de-provisioning path. But our moderator John Hermans (KPMG) really wanted to make the panel interesting, challenging me and the other folks on the panel to a discussion on the value and effectiveness of Identity GRC projects. I think the point that came across consistently was the fact that the new Identity Governance products (like OIA) have evolved as business tools, not IT tools, serving as a way to give enterprises greater visibility into the state and risk of their identity environments. Beyond that, the panel is kind of a blur.

My next panel – on “Private, Hybrid, Public – Which Cloud for What?” – was a far more tame affair by contrast. And the main point I made on the panel was that the choice between the different cloud models is being guided right now by the one word that distinguishes these models from the customer perspective – Control. With a private cloud, an enterprise feels like it has more control over the infrastructure and the risks associated with it, because they have visibility into how it operates and what it is built on. Public clouds today are more opaque than transparent when it comes to their inner workings, and this is a function of the lack of standardization in the identity, security and audit functionality that the cloud services are built on. This divorces the policies and controls that enterprises have developed over the last many years from the cloud services, making it nearly impossible for the more risk-averse enterprises to consider these as viable options. This point came across repeatedly during the conference as I talked to customers and enterprises considering cloud services. Maybe it is a function of the data privacy and protection environment in Europe, but there was far greater mindshare for the idea of building identity services in a private cloud, which you could then connect via federation and service-oriented security to public cloud services.

My last panel on “What the Identity Industry should do to Improve Security for the Cloud” really focused on the idea of standards and adoption of development frameworks for consistent identity inclusion into applications and platforms. And it built on the discussion from my previous panel, as we discussed why it was that cloud vendors have not been able to create more transparency into their offerings. One of the points I focused on was that it isn’t really the cloud vendors fault that they are more opaque than transparent. Often, they can’t provide more visibility because they themselves don’t have that information. And this is a function of how these cloud services are being built, and the lack of tooling they need. We need to make it easier and more transparent for developers to build identity-aware applications. It was very interesting to hear Dr. Barbara Mandl of Daimler talk about their adoption of cloud services as an outgrowth of their adoption of the ASP vision from years ago. The result is that they had put in place a development framework for their applications that was serving them well in adopting cloud services. But she also made the point that the standards are just not mature enough or standardized enough to make this seamless and pain-free, even in areas where we (the identity industry) think we did a good job, like SAML.

A lot of what I said on the panels came together rather nicely in an interview I gave later that day to Felix Gaehtgens of Kuppinger Cole, where we discussed the challenges in identity-enabling the cloud environment, and what Oracle’s approach to this is, both from an identity management perspective and from a platform perspective. Check out the video if you have some time.

Tags: Cloud Computing, EIC10, EIC2010, European Identity Conference, Identity Governance, Identity GRC, IdM Standards

• The Next Step of User Provisioning: Identity GRC as a Natural Evolution
  • 10:30-11:30
  • Room: Galaxis
• Private, Hybrid, Public – Which Cloud for What?
  • 11:30-12:30
  • Room: Helios
• What the Identity Industry Should do to Improve Security for the Cloud
  • 14:00-15:00
  • Room: Helios

And Oracle VP of Product Management John Aisien will be giving a keynote as well on Wednesday on “Extending the Principles of Service-Oriented Security to Cloud Computing”.

So if you see me around the conference, or in the Expo area (where you can also meet the fine folks from our Oracle EMEA team), be sure to stop me for a quick chat. Unless you see me dashing down the hall from Galaxis to Helios, in which case don’t bother unless you want to get bowled over.

Tags: Cloud Computing, European Identity Conference, Identity Governance, Identity GRC, IdM Standards

First up is the European Identity Conference in Munich from May 4-7. Kuppinger Cole does a good job putting together an interesting agenda with a broad array of speakers and a lot of local perspective, something those of us from across the pond don’t always get the opportunity to share. I’m lucky enough to be slated for 2 panels, one on Identity GRC as an evolution of User Provisioning, and the other on the need for Identity Standards as the foundation for Cloud Security. The Cloud theme is pervasive, especially since this is co-located with the Cloud 2010 conference.

The middle of the month brings us the 1H edition of Internet Identity Workshop (May 17-19 at the Computer History Museum in MountainView, CA). This is always a great place to exchange ideas and really plug into some of the brainpower that exists in our industry. I’m really hoping I can figure out a way to spend some time there and keep my finger on the pulse of the user-centric identity community.

At the end of the month (May 26-27 in Denver, CO) is Gluecon, a conference organized by our old friend Eric Norlin, that is focused on “the bits and pieces, APIs and meta-data, standards and connectors that will help us to glue together the varying applications of a post-cloud world.” Looking at the agenda, you can see that it is far more technical than your usual industry conference, and it has a great lineup of speakers. I will be speaking on the topic of Federated Provisioning, an often forgotten but critical component of security in your cloud environment. Hurry up and register, because early-bird registration ends this Friday — and you can use code spkr12 for an extra 10% off.

Here’s hoping I can get through May gathering some inspiration and without getting exhausted. Should be very interesting.

(UPDATE: Details added to my Speaking page)

Tags: Cloud Computing, European Identity Conference, Federated Provisioning, Gluecon, Identity Governance, Identity GRC, IdM Standards, IIW, Internet Identity Workshop

But as Mark also points out, “…it (or something like it) is desperately needed“. Because access provisioning is still the most complicated engagement in any identity management project, and the biggest complexity currently comes from the need to develop, customize, deploy and maintain connectors to hundreds, even thousands of systems. The cloud amplifies the issues to emerge, since without standardization, an enterprise simply will not be able scale out to meet the management needs of their environment.

At Oracle, we have been talking about Service-Oriented Security for a while. The idea is simple – all the security functions, which includes identity management, need to take the form of discrete, easy to consume, standardized services that are part of the platform on which applications are built. This has always been an easy concept to understand when discussing certain service categories like authentication. But provisioning has been a tougher nut to crack.

Provisioning systems today add a vital business process layer to your identity management deployment, dealing as they do with the lifecycle management of identities and the orchestration of policies, rules and workflows around that. So even in a future where architectures will rely on the “pull” model (as Bob Blakley has been talking about), there will be a need for the more complex applications to interface with a provisioning service (different from the attribute service use case) to deal with lifecycle management issues around application access. This is where we believe the next iteration of SPML (however radically different it looks) needs to fit in. This idea is illustrated in the figure below.

This is one of the challenges we have been trying to solve as part of our Fusion architecture project. Do we have it solved? Well, we’ve started the journey at least. Asking applications to come around to a new architecture and way of thinking takes time. And we have to remember that there are still a lot of applications that will not be dropping their user tables and identity silos any time soon, so we have to be mindful of accommodating those applications as well.

Is SPML on life support? Not quite, judging from all the RFP requests that still ask for it to be supported. But it desperately needs some energy to be put behind it. And it needs to adapt to these new architectures, new use cases and the ecology of standards that is far out-pacing it. I believe Oracle (led by folks like Prateek Mishra) will be looking to take some leadership in the evolution of the standard. Let’s see if we can turn things around.

Tags: Identity Services, IdM Standards, Provisioning, Service-Oriented Security, SPML