The session had a nice flow to it, starting with a vendor presentation (Oracle, of course), followed by an analyst presentation (Bob Blakley and Lori Rowland from the Burton Group) and concluding with a customer presentation (our old friend Ramin Safai from Barclays Capital). Getting to discuss identity management from all points of view was quite a valuable exercise, and I gleaned lots of useful nuggets.

Security Inside Out

Amit Jasuja (who heads up the Identity Management team at Oracle) kicked off the day by talking about “Security Inside Out“, Oracle’s new message on putting together a complete security practice by bringing together Database Security, Identity Management and Information Rights Management. Weaving all of these elements together allows an enterprise to get a complete handle on the nature of their security risk across all tiers – database, middleware and application – and in all contexts – data at rest or in motion, internal users vs. external users, and so on. This led to a lot of discussion on moving towards risk-based identity management, which can be more adaptive to an enterprise’s needs and allow identity management to be a business enabler, not a hindrance.

One of the concepts I particularly liked was using identity management to enable “Break The Glass” scenarios that allow for contextual security decisions. In such a scenario, a user who ordinarily does not have access is allowed to get access but with added controls (like heightened audit, approval and attestation) to address the unique, emergency-like situation that presents itself. Being able to adapt to sensitive contextual situations without sacrificing on security and compliance is a powerful message that resonates in the enterprise world. Another topic that proved fertile for conversation was for risk-based IdM to leverage One-Time Passwords delivered via SMS or over land-line phones in order to implement higher levels of identity assurance (LOA). As two-factor authentication goes, enterprises increasingly view this as an attractive way to increase levels of assurance without having to invest in tokens and biometrics.

Complete Security

The Burton Group team talked about the state of identity management in the market today, especially emerging trends and hot-button topics. Lori validated my observation that cloud computing is going to have a huge impact on the future of identity management, and gave a nice shout out to my OpenWorld session on the topic. One of the interesting takeaways from their talk was this point that Bob made about achieving complete security: An enterprise needs to have preventive controls that allow business to be conducted as usual but flush the bad guys into the open, where detective controls can identify them and their activities, which would then allow responsive controls (aka the cops) to take action.

Down In The Trenches

Ramin then gave a customers perspective on implementing identity management – from “down in the trenches”, as he called it. There were a lot of good lessons in his talk – about scoping the project correctly and dividing it into small, achievable mini projects that demonstrate ROI, about the processes and architecture they put in place to ensure success of the project, and some of the achievements they had with their IdM implementation, especially when Barclays acquired Lehman Brothers. One of the major points made in the room during discussion was that security within the enterprise needs to be driven top down by an “Executive Governance Board” in order to achieve  consistency and completeness. It cannot be done piecemeal at the IT level.

I love taking part in sessions like these, as it is great to be able to hear so many different perspectives. And thanks to Greg Belanger from the Apollo Group for giving me a shout out during the analyst discussion on Oracle’s differentiators in the identity management area. The point he was making about Oracle demonstrating vision in IdM is an important one that we are very serious about here, and I am glad to be a small part of that.

Tags: Identity Assurance, Identity Controls, OOW09, Oracle OpenWorld, Risk Management

Unfortunate coincidences on the title aside, the overall response to my session was quite positive, especially from folks whose opinions I really respect like Bob Blakley and Lori Rowland from the Burton Group. There was general agreement that widespread adoption of Cloud Computing is going to be a major disruption on the existing evolutionary path that Identity Management has been following. And adoption of the Identity Services model is a major component to readying IdM for the Cloud.

Check out the screencast (slides with audio of the session) of my session below. Registered attendees of OpenWorld can download the presentation itself and the MP3 audio recording of the session from OpenWorld On-Demand (just login with the Username and Password you created during your OOW registration).

The audio includes the questions that were asked of me, and turns out that the questions didn’t record well and I forgot to repeat them. Hopefully my answers are cogent enough that you get an idea of what questions were asked. I did want to follow up here on this blog post a few of those answers:

• A question came up regarding the licensing terms for Oracle IdM products when they are being used in a cloud environment (specifically, by organizations that are going to be Cloud Providers of Identity Services). The biggest challenge for such organizations is that they cannot accurately estimate the number of users, or other such variables licensing is typically based on, beforehand, which creates uncertainty for them as to the cost they will have to bear. After the session, I confirmed with our PM team that there is special licensing available for ISVs. Talk to your Oracle sales rep about this if interested.
• Another question came up regarding the impact of all this on standards like SPML. I believe my answer covered my opinion on the greater emphasis the cloud identity model will put on the evolution of these standards, especially SPML, which has been languishing. Follow up conversations with some of the original architects of the SPML standard and others involved in standards efforts brought up that the communities responsible for these standards are looking at this very hard and are gearing up efforts to address this. So stay tuned for more on that.
• A question was asked regarding Just-In-Time Deprovisioning of access to cloud-based assets. This is something I discussed quite a bit in a blog conversation with folks like Ian Glazer and Pam Dingle a while back. So check out that post and the related thread.

Tags: Cloud Computing, Cloud Identity Model, Identity Services, OOW09, Oracle OpenWorld, Oracle_IDM

• Session ID: S309525
• Location: Moscone South Room 308
• Date and Time: 10/12/2009 | 11:30am-12:30pm

Below is the abstract for the session, in which I plan on expanding a great deal on the presentation I did in the webinar with KuppingerCole:

Cloud computing is about to revolutionize enterprise IT and architecture. But leading industry analysts see security as a gating factor preventing enterprise adoption of cloud solutions, as enterprises grapple with the unique characteristics of cloud security and the challenges of compliance and governance. This session outlines key identity management considerations for evaluating a move to the cloud. It discusses how enterprises can leverage their existing identity and access management infrastructure and the principles of service-oriented security and standards-based interactions to secure their assets in the cloud. It also looks at the prospects for identity management as a service and how it will affect cloud computing’s future.

As I prepare for my talk, I found myself revisiting some of the previous talks I gave at OpenWorld the last few years. It was very interesting to see how my vision for Identity Services has evolved over that time. I found it a most amusing exercise, so I thought I would extend the courtesy to my readers. To that end, I have uploaded my previous OpenWorld presentations to my Slideshare page (you can also get to them from the links on my Speaking page). I can’t believe I thought the Love Guru angle was a good one to take for a tech talk

If you are going to be attending OpenWorld, you can pre-register for my session using the Schedule Builder tool for OpenWorld attendees. And as always, ping me on email/LinkedIn/Twitter if you want to meet up that week. Look forward to seeing you there.

Tags: Cloud Computing, Identity Services, OpenWorld, Oracle OpenWorld

So what exactly is Identity Assurance? Simplistically, Identity Assurance is the ability to determine, with some level of certainty, that the person (identity) presenting themselves in an identity transaction is who they are claiming to be. The level of certainty one can have about the presented identity is what is referred to as the “Assurance Level”. Identity Proofing is another term that is used in this context (and that I have used in the past), though it is more commonly associated with the verification of ones real world identity during the registration process.

So what are these two initiatives, and how are they related?

Identity Assurance Framework – Think TRUSTe for IdPs

The IAF is coming at the Identity Assurance discussion purely from the authentication angle, especially within federation contexts. It is based, in part, on the Electronic Authentication Partnership Trust Framework and the US E-Authentication Federation Credential Assessment Framework, initiatives designed for the sole purpose of enabling interoperability among electronic authentication systems. As such, it attempts to define a trust framework around the quality of claims issued by an IdP based on language, business rules, assessment criteria and certifications.

The IAF has published a standard set of assurance levels regarding the authentication of the user (Level 1 means low assurance, Level 2 means medium assurance, and so on. As of today, there are only 4 levels of assurance, Level 4 being the highest level). When a digital token is issued, it states the level of assurance at which the user was authenticated – Level 1 through Level 4.

The IAF defines a certification process through which an independent auditor assesses whether the issuers interpretation of Level 1-4 meets a standard assessment criteria established by IAF. So one issuer may have used a RSA SecureID token in combination with Username-Password to issue a Level 2 token, while a second issuer may have used a biometric challenge in addition to a UserID-PIN to issue a Level 2 token. The RP receiving the token from both issuers simply knows that both tokens are Level 2, and doesn’t know/need to know what the actual mechanics were, simply that an audit process certified that the mechanism for generating the token meets the criteria laid out by Liberty IAF.

The IAF is NOT defining any technology or standard protocols. In this sense, the IAF is trying to set up something analogous to the way TRUSTe verifies and asserts through their web seal that an eCommerce site is trustworthy.

Oracle Identity Assurance Partner Alliance – Tools of the Assurance Trade

Oracle IAPA aims at extending Oracle’s Identity Management Suite with partner technologies that offer capabilities such as identity proofing, internet geolocation, multi-factor authentication, out-of-band authentication, endpoint security and secure remote access. As such, its charter is pretty broad in combating identity fraud and providing context-aware security, and this encompasses identity assurance.

The solutions in the IAPA can provide the underlying mechanism by which an IdP can support the main tenet in the IAF, wherein an assertion can be trusted (at varying levels of assurance) to really belong to the entity represented. The IAPA steps in as a way for Oracle IAM to leverage technologies that enhance an authentication process with additional “challenges” that up-level the authentication assurance to the appropriate level – whether it be by using a biometric challenge, a voice challenge, a knowledge challenge based on external data aggregators, etc. So Oracle IAM + IAPA is positioned nicely to be the execution/implementation arm of an IdPs IAF compliance efforts.

Looking To Tie Them Together

One thing I will be exploring is the possibility of having the IAPA stack go through the Liberty IAF audit process. Then any customer deploying Oracle Access Management in conjunction with one of our partners would immediately know the IAF assurance levels of the authentication tokens being issued. Conversely, a customer that is targeting being able to issue credentials of certain assurance levels will be able to identify the solutions that will meet their need.

Tags: Digital ID World, Identity Assurance, Identity Assurance Framework, Identity Assurance Partner Alliance, Oracle OpenWorld

It was interesting to see the amount of discussion going on around the topic of Identity Services. At DIDW, there were a number of different sessions that looked at different parts of the Identity Services challenge. Kim Cameron talked about claims-based identity transactions in his keynote. All the different discussions on Liberty’s Identity Assurance Framework were trying to deal with improvements needed in the authentication service. Some of the necessary standards discussions came up in the session on “Bootstrapping Identity Protocols”. And of course Jamie Lewis talked about it in his keynote.

At OpenWorld I once again took on the task of trying to illuminate the masses on identity services. It isn’t a topic that usually gets a lot of interest at OpenWorld, since the attendees are mostly interested in figuring out real world implementation issues. So the sessions most attended were the ones that looked at best practices and customer case studies. Also, being scheduled for the first session of the day at 9am didn’t help drive up my attendance numbers.

But I did get a pretty decent crowd, all things considered, and got some good questions and very good feedback and validation on the content of my presentation. I did try to spice it up by throwing in a bit of humor centered around “The Love Guru” (since identity services is all about achieving identity nirvana); not sure if that helped or hurt. I wanted to post the presentation here for all of you, but OOW presentations are paid content controlled by Oracle, so I can’t. But I will be adapting that presentation for some talks I am giving to customers on the topic of Identity Services, and I will post that presentation, along with a discussion of how my architecture has evolved, in an upcoming blog post.

October is looking to be just as busy. Of course there is all the usual stuff going on at Oracle. Tomorrow I’ll be doing a quick dash across the border and back for the second all-day workshop of the ISWG. Then later this month I will be heading to Europe, where I will be meeting with some customers and attending Burton’s European edition of the Catalyst Conference. I will be part of a panel that includes other ISWG members from TD Bank, BT, Credit Suisse, IBM, Sun, Novell and, of course, Burton that will be talking about Identity Services and presenting some of the work we have done in the working group. Catalyst Europe is in Prague, which is a city I absolutely love, so I am pretty excited about that too. Should be a fun month.

Tags: Digital ID World, Identity Services, ISWG, Oracle OpenWorld

Oracle’s big shindig is the place to come to if you want to find out about all that is going on in the world of Oracle. And this year is no different. The conference is bigger than ever (I hear upwards of 43,000 will be attending), and there will be some big announcements at the keynotes. Oracle Identity Management will be well covered at the show, both on the demogrounds and in the many sessions, where IdM got its own track.

Not surprisingly, I will be speaking on the topic of Identity Services. My 3rd session on the topic continues the discussion I started 2 years ago in a session on application-centric identity management. If you are going to be at OpenWorld, then definitely come check out my session, as I delve into the practicalities of building an Identity Services Platform for your enterprise.

Session ID: S298923
Session Title: Building an Identity Services Layer with Oracle Identity Management
Venue: Marriott
Room: Golden Gate C3
Date: Wednesday, 24th September 2008
Start Time: 09:00 am

During the session, I will present how one can go about deploying identity management in a way that enables the development of identity-enabled applications. I will also discuss some of the things I have learnt from participating in Burton Group’s Identity Services Working Group, my many conversations with the identirati at Catalyst and DIDW this year, and from my continued involvement in Project Fusion, which lays down the architecture for the next generation enterprise application. Unfortunately I drew the short straw and got the 9am shift, so there are sure to be people who won’t make it as they recover from their shenanigans the previous night. Hopefully I will still be on East Coast time, and sufficiently caffeinated

And as always, I will be twittering my observations from OpenWorld in real-time, so be sure to follow me for the latest. I hear there will be a number of interesting announcements.

See you in San Francisco.

Tags: Oracle Identity Management, Oracle OpenWorld

As usual, OpenWorld was chaotic, massive and entirely overwhelming. Between the claustrophobia induced by the crowds crossing Howard Street or cramming into keynotes, the rush of standing in front of folks to talk about identity management in fusion architecture, the late, late evenings with customers and co-workers, and almost being trampled by a couple of OpenWorld revelers dancing a wild jig at Lefty O’Douls, it’s been a crazy couple of days. Oh, and the conference has been interesting too.

OpenWorld always has the production values of a rock concert, and one of the interesting things that the organizing team did this year was incorporate a form of user-generated content into the opening for the Keynotes. Before the keynotes would start, a poll or questions would be posted on the giant screens in the keynote hall, and the audience members would be encouraged to send in their responses by text message, with the results being shown on the screen in real-time. While the poll questions elicited some good feedback from the audience, it was interesting to see some of the responses people sent in to questions like “The next killer app would be…“, “What features would you most like to see in Oracle products?” and “What was the first Oracle product you encountered?“. Messages ranged from the humorous to the thought-provoking, with a couple of digs at Larry.

Audience Polls before Keynotes

THE KEYNOTES
All the keynote speakers used their platform to really showcase their products and make some major announcements. The big announcement from Oracle was first made during Charles Phillips keynote on Monday, and then repeated throughout the week – the introduction of Oracle VM, Oracle’s server virtualization software technology (check it out). During his keynote, Charles also talked about Oracle’s growth by acquisition benefiting customers by moving the inter-application integration challenge off the customer’s shoulders and onto Oracle’s plate, delivered through Oracle Application Integration Architecture.

Thomas Kurian used his keynote to explain how Fusion Middleware was going to change how business is delivered by applications on the back of 5 middleware “pillars” – SOA, Enterprise Performance Management (EPM), Enterprise 2.0 technologies (which includes collaboration and communication tools, content management and rich user experience), Security and Identity Management, and Grid Computing.

Larry Ellison used his CEO Keynote to update everyone on Unbreakable Linux (which he launched at last year’s OpenWorld), expand on the launch of Oracle VM, and talk about the first Fusion Application that will be rolling off the production line – Sales Force Automation (SFA). A demo provided a first look at the 3 slick applications that make up SFA: Sales
Prospector, Sales References, and Sales Tools. Interestingly enough (for IdM), SFA incorporates social concepts into its functionality.

Oracle partners that gave keynote addresses this year were AMD, HP, Intel, Dell and Sun. Among the more interesting, Sun announced the launch of their open-source project in Server Virtualization, OpenxVM. AMD, Intel, HP and Dell all announced products focused on enabling greener Data Centers, where power utilization and efficiency are greatly improved.

Charles Phillips giving his Keynote

You can check out webcasts of all the keynotes here.

THE SESSIONS
As so often happens at these events, customer meetings eclipse my ability to attend sessions with any regularity. OpenWorld presents a good opportunity to listen to people from other parts of the company (that I would be hard pressed to find time with) introduce their products and talk about their plans for the same. The rate at which Oracle acquires companies and technologies sometimes means that this is the only way to figure out technologies we have in-house that can help in our development activities. So it was good to be able to go to sessions and learn about Coherence, Hyperion and a few other technologies.

The audience was definitely geared towards the database and applications side of the house. In terms of the topics that I touch on in this blog, interest was high in understanding the value that Oracle’s IAM suite brings to current deployments of Oracle Applications like E-Business Suite, and in understanding where Fusion Applications was going. While the attendance at IdM sessions was not as high, the quality of people in attendance was extremely high, with discussions exploring topics in quite a bit of depth.

IDENTITY SERVICES AT OPENWORLD
My session on “Identity Management in Fusion Architecture” was extremely well received and drew some quality feedback. The folks who showed up were really interested in seeing how the concept of identity will be woven into the fabric of Fusion Applications moving forward. And a number of them gave me some really good real-world information on challenges that they are facing today. A lot of them came to the session not exactly sure what identity even meant in the fusion concept, and left (hopefully) a little clearer on the topic.

I had hoped for a lot more people to come so that I could get some more input, but I’ll be more than happy if folks participate in a discussion via this blog as well. Check out the presentation I gave in my session by downloading it from here.

MESSAGES
Virtualization is hot, and information is more important than ever. Getting applications to work with each other in a seamless manner is the key to business innovation. And the next hot thing in applications is the incorporation of social concepts into their functionality, combining Business Intelligence with Human Intelligence in a way that will make it easier to solve the real challenges enterprise users face every day.

THOUGHTS
As I mentioned above, I had a number of interesting side discussions with customers and prospects at OpenWorld this year. I was really encouraged to finally connect with a customer that had some deep and well thought through needs for deploying enterprise identity services. Most of the customers I know who are thinking of identity services are thinking about it as an enterprise architecture project (because they know it is the right thing to do) without any concrete consumers lined up. This particular customer actually has projects planned that could really use identity services. It led to a very interesting conversation that I found quite stimulating. I will definitely be covering some of my thoughts that came out of this meeting in the coming weeks.

Also, I found a number of people interested in understanding fusion architecture as a way of figuring out how they should go about standardizing their application development efforts. The big thing I saw was that there are a few enterprises out there that want to put an identity services layer in place, and are debating whether to build it themselves or wait till someone in the identity community comes out with something. While I am pretty sure that frameworks like Higgins can help some of these folks, there were a number that talked about Higgins being too low level in the abstraction it offers.

The fact that concepts emerging from the social networking arena are actually being built into the way the next generation of applications will work presents an interesting challenge for identity management. Not only are identity services going to have to scale to a level that supports these kind of interactions in applications, they will also need to have the right controls in place to protect privacy while not preventing the kind of collaboration that social concepts will foster.

Well, looks like we are about ready to land. I will probably post this sometime tonight, with my next post probably focusing on the Gartner summit. But add some comments if you have some thoughts on OpenWorld, Fusion, IdM and the crazy world of Oracle. Oh, and if you were at my session and were one of the people taking photographs of me while I spoke, drop me an email with some of those pictures, will ya? I’d love to see what was drawing so many flashes

Tags: Application-Centric IdM, Fusion Identity Management, Identity Services, Oracle Identity Management, Oracle OpenWorld

Tags: Oracle OpenWorld

In the session, I laid out the initial design of the Identity Services Framework, which Oracle is working on as a manifestation of the ideas behind application-centric IdM. It describes a framework that allows IdM to be deployed as enterprise infrastructure, consumable by applications that are trying to become identity-enabled. I discussed the kind of identity services that comprise the ISF, some of which were not immediately intuitive as services. During the course of the few days at OpenWorld, I had quite a few discussions about the ISF, its complexity, applicability and general viability in the marketplace. I will try to bring some of these ideas to light through some future postings.

Below is the high-level diagram of the ISF, as presented at OpenWorld. As always, click on the image to see a bigger version.

As always, looking forward to talking about this with all of you.

Tags: Application-Centric IdM, Identity Services, Oracle OpenWorld

The keynotes have been interesting and informative. At his keynote today, Larry Ellison announced the availability of Unbreakable Linux from Oracle. He also celebrated the 20th anniversary of Oracle getting listed on the Nasdaq as a public company by ringing the closing bell from the keynote hall. Yesterday, Thomas Kurian gave a really good keynote describing how all of fusion middleware, including identity management, is coming together to help enterprises streamline their business operations. It helped lay the foundation for all the middleware sessions that followed, ranging from discussions on SOA adoption to IdM strategies and best practices.

This morning I participated in a session describing how role management and provisioning, when used together, can help make IdM a manageable, scalable solution for enterprises. What I would have liked to have said was unfortunately way too much to fit into the one hour time slot we were given. Sid Choudhury, a product manager in our IdM team, went on to describe the role management reference architecture that we at Oracle are proposing. This reference architecture builds on some of the concepts that I have touched upon in previous posts, and lays the foundation for what enterprises should be thinking about as they go about planning their role management deployments. The architecture diagram is given below (click on it to see a bigger version).

In a future post, I will discuss some of the questions we received at the end of the session.

Tags: Oracle OpenWorld, Role Management