I just got back home from the RSA Conference in San Francisco this week, where the topic of Trust was second only to all things Cloud. While sessions on Identity Management were few and far between, there was lots of interesting news coming out of the conference (like the U-Prove announcement). I tweeted about the announcements that concern Trust Frameworks, a way for one site (Relying Party) to trust the identity, security, and privacy assertions/claims from a different site (Identity Provider) acting on behalf of a user.

The first announcement was on the launch of the Open Identity Exchange (OIX), a (yet another) non-profit organization (coming out of the OpenID Foundation and Information Card Foundation) that is dedicated to building trust in the exchange of online identity credentials across public and private sectors. The second announcement was regarding the US Federal Government’s Identity, Credential, and Access Management (ICAM) Trust Framework Evaluation Team (TFET) provisionally approving both OIX and Kantara Initiative as a Trust Framework Provider to certify online identity management providers to U.S. federal standards for identity assurance (read more here).

Trying to digest all of this was a little difficult, so as I was stuck in traffic on my way home from the airport, I found myself riveted by a twitter exchange that was flying fast and furious between Paul Madsen (everyone’s favorite source for biting identity musings) and Brett McDowell (till recently Executive Director of the Kantara Initiative, and now technology evangelist at Paypal, one of the first IdPs certified by OIX – so you can see he has unique insight). I have reproduced it here for everyone’s benefit (with their permission, of course).

paulmadsen ICAM is one federation willing to deal with multiple trust frameworks. Will others?

brettmcdowell @paulmadsen ICAM isn’t actually dealing with multiple trust frameworks. It’s all just NIST SP800-63 w/ various means to prove you comply.

paulmadsen @brettmcdowell ICAM is ‘accepting’ OIX, KI-IAF, InCommon . To me those are all trust frameworks (ie certification programs)

brettmcdowell @paulmadsen ah, but what is a “trust framework”? The criteria for trust itself (M04-04 & 800-63) or the method for demonstrating compliance?

brettmcdowell @paulmadsen P.S., in the Kantara case, IAF has criteria as well, but it’s been “mapped” to prove comparability to US Federal requirements.

paulmadsen Components of a trust framework – policies, accreditation, certification, admin, metadata infrastructure, keg parties….

paulmadsen @brettmcdowell if everybody agrees on 800 63 for the former, trust frameworks are distinguished by the latter

brettmcdowell @paulmadsen IAF/OITF (frameworks) differentiated by criteria, KI/OIX (.org’s who certify) differentiated by due diligence on applicant

paulmadsen @brettmcdowell thus KI (conditionally) approved for up to non-crypto LOA3 …

brettmcdowell @paulmadsen M04-04 & SP800-63 is like the “spec”, IAF is like the SCR, and OIX is a registry of those asserting compliance to the spec

brettmcdowell @paulmadsen “non-crypto” is another misleading term/issue. It rules out “pure PKI” but not “signed” assertions (SAML) or claims (IMI)

paulmadsen @brettmcdowell but IAF is more than an extra level of policy detail on top of 800 63 criteria. And OIX is more than a registry

brettmcdowell @paulmadsen for KI to be approved for AL3 PKI & AL4 in US Gov, it needs to cross-certify with the Federal Bridge

brettmcdowell @paulmadsen re: “but IAF is more than” and “OIX is more than” Paul, cut me some slack, this is Twitter, some nuances are going to be lost!

paulmadsen @brettmcdowell point was less about the ‘crypto’ part, and more that diff frameworks may target different parts of ‘assurance space’

paulmadsen @brettmcdowell that’s why I avoid all subtleties & nuances

brettmcdowell @paulmadsen I wouldn’t draw conclusions (or battle lines) regarding trust frameworks just yet. Remember the OIX RFI dialog w/KI is ongoing

paulmadsen @brettmcdowell as I complained to @ve7jtb , want to see matrix laying out components of a generic framework, specific instances mapped on

brettmcdowell @paulmadsen that sounded like a proposal not a complaint. I accept your matrix proposal. Looking forward to reading it when you finish

And of course, Paul had to have the last word, and it was typically Madsen-istic.

paulmadsen @brettmcdowell you know, my wife made that same interpretation 16 years ago. Must be more precise

Hopefully that exchange was illuminating, and gave you enough pointers to standards and topics that might help deepen your understanding of Trust Frameworks. It certainly has given me a lot to think about. While RSA may have been weak on identity related discussions, these announcements are likely to have a huge impact on the identity landscape going forward.

Tags: Brett McDowell, ICAM, Kantara Initiative, Open Identity Exchange, Paul Madsen, Trust Frameworks, User-Centric Identity

The SIG Meetings

For me, the conference was divided into two parts. Monday and Tuesday I attended a few SIG meetings on topics that were varied yet highly interconnected. Monday was a meeting of the Concordia Workshop, which is now a discussion group under the new Kantara Initiative. The focus of the meeting was Use Cases driving Identity in Enterprise 2.0: The Consumerization of IT. The ever intrepid Eve Maler has posted materials from the day to the Concordia site, so you can check them out yourself. While the individual discussions covered all manner of areas, the connecting thread throughout was Authorization. There was a morning discussion where a panel talked about the progress made in the authorization space, from the XACML API contributed to the TC by Oracle and Cisco, to the emergence of AuthZ as the critical service in the identity services reference architecture being developed in the Burton Group ISWG (which I have been participating in and writing about). Mike Gotta and Alice Wang gave an excellent talk on the emerging concerns regarding social tools in the enterprise, and a lot of those concerns again boil down to authorization issues, in this case regarding data and information. Eve talked about her work on the ProtectServe protocol that enables authorized data sharing from a user perspective. And the day finished with a talk on Levels of Assurance, a critical piece in allowing for partners to make informed authorization decisions.

Tuesday started with a meeting on Cloud Computing Security and Identity Management. As readers of my blog/twitter know, I have been saying for a while that cloud computing is going to have a major impact on the identity management business, in much the same way that compliance concerns did a few years ago. It is probably a sign of the immaturity of the market that the discussion was focused on describing the challenges to be solved rather than any solutions.

The meeting included a deep dive presentation by Liam Lynch, Ebay’s Chief Security Strategist, on how the auction giant tackles their internal cloud computing needs. There were a few points made during his presentation that I found interesting:

• eBay is into cloud computing as a provider, not a consumer, since they allow 3rd party developers to create their own auction sites on eBay infrastructure using a development kit called eBox
• As such, eBay feels that security considerations have to be made inherent in cloud architecture as they cannot rely on these 3rd party developers to not make mistakes
• eBay uses contextual behavior and reputation, including biometric analysis, as the underpinnings of its identity management strategy. Reputation and behavior analysis generate (over time) dynamic identity claims that then get used in access control decisions
• eBay found RBAC to be a bad match for their performance requirements, and shifted to a claims-based model for authorization. In this model, claims are attached to the data object being accessed itself (sort of a next-generation ACL). The access then compares the claims the actor has at runtime with these to make an authorization decision.
• Liam made the point that managing access through roles was a bad model for them, which is why they went claims-based. I understand the performance concerns that arise when evaluating RBAC at runtime, but for managing the grants of access, nothing beats a role-based model. So I was a little surprised by his statement. When I dug deeper, it turned out that they simply replaced RBAC with Organization-based AC, and not because of performance reasons but because of compliance reasons since the org change has approval attached while the role change did not. So it wasn’t really an issue with RBAC, just the implementation they had in-house.
• Liam pointed out that a move to the cloud can be an opportunity to fix broken internal processes, since the cloud will amplify any issues you may have

The meeting also had Nils Puhlmann, co-founder of the Cloud Security Alliance, speaking to the participants on the need to come up with a practical security checklist that all Cloud Service Providers could be measured against, so that enterprise customers can make accurate assessments of the risk with using a particular CSP. He called for greater vendor involvement and focus on the cloud, since the cost dynamics of the cloud make adoption inevitable. And that CSPs need to be more transparent about their security controls and policies.

Later that afternoon I attended the next meeting of the Identity Services Working Group that I’ve been participating in. There were a lot of new folks in the audience, so it was a good opportunity to recruit new blood into the effort. As Kevin Kampman presented the work that had been done previously on the Authentication service and laid out the effort lying ahead on the Authorization service, we got into highly spirited, and productive, discussions on the nature of the services architecture. One of the points made repeatedly (and which was echoed later in the week during the sessions) was the terminology issue that plagues the identity community, in this case around words like Policy (vs. policy). There was a strong sentiment from the group that policy management needs to be made part of the overall framework for it to work properly. And there was also a strong push from the group to try and condense the best of the prior efforts at defining AuthZ services into our vision.

While on the surface all of these SIGs were on different topics, I found them to be highly intertwined. Identity concerns in cloud computing are tied in directly to the need for an identity services architecture that allows cloud services to leverage enterprise identity (and therefore security) apparatus, thus reducing risk for the enterprise and providing compliance with both internal and regulatory controls. And Enteprise 2.0 is mostly about the intrusion of  cloud-based services like social media into the enterprise environment (or the extrusion of the enterprise into commercialized IT services, depending on how you want to look at it), where concerns about consistency of identity and controls are foremost in the minds of CIOs and CISOs everywhere. So while the discussion is still somewhat fragmented (as it probably should be at this time), I look forward to all of this coming together nicely in the future (maybe even at a future Catalyst conference).

I think I need to do a better job breaking these posts into smaller, more readable chunks. My next post(s) will focus on the sessions themselves.

Tags: Authorization, Burton Catalyst Conference, Catalyst09, Cloud Computing, eBay, Identity Services, Kantara Initiative, Oracle_IDM, Project Concordia