<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Talking Identity &#124; Nishant Kaushik&#039;s Look at the World of Identity Management &#187; Project Concordia</title>
	<atom:link href="http://blog.talkingidentity.com/tag/project-concordia/feed" rel="self" type="application/rss+xml" />
	<link>http://blog.talkingidentity.com</link>
	<description>An Architect&#039;s Quest to make sense of the world of Identity and Access Management</description>
	<lastBuildDate>Thu, 22 Dec 2011 21:56:25 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Burton Catalyst 2009: The Twisted Web We Weave</title>
		<link>http://blog.talkingidentity.com/2009/08/burton-catalyst-2009-the-twisted-web-we-weave.html</link>
		<comments>http://blog.talkingidentity.com/2009/08/burton-catalyst-2009-the-twisted-web-we-weave.html#comments</comments>
		<pubDate>Wed, 05 Aug 2009 20:02:09 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Identity Services]]></category>
		<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Authorization]]></category>
		<category><![CDATA[Burton Catalyst Conference]]></category>
		<category><![CDATA[Catalyst09]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[eBay]]></category>
		<category><![CDATA[Kantara Initiative]]></category>
		<category><![CDATA[Oracle_IDM]]></category>
		<category><![CDATA[Project Concordia]]></category>

		<guid isPermaLink="false">http://blog.talkingidentity.com/?p=581</guid>
		<description><![CDATA[I&#8217;m finally settling back into work after a wonderful week out in sunny San Diego at Burton Group&#8216;s annual Catalyst Conference. And it wasn&#8217;t just the weather outside that was wonderful. Inside you could find some thought-provoking sessions, inspiring discussions and great people. It&#8217;s given me way too much to blog about, and I hope [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;m finally settling back into work after a wonderful week out in sunny San Diego at <strong>Burton Group</strong>&#8217;s annual <strong>Catalyst Conference</strong>. And it wasn&#8217;t just the weather outside that was wonderful. Inside you could find some thought-provoking sessions, inspiring discussions and great people. It&#8217;s given me way too much to blog about, and I hope to be able to put some of it out here. But if you are interested, I have captured <a href="http://blog.talkingidentity.com/downloads/my-catalyst-2009-tweet-stream">my tweet stream from the conference</a> (since Twitter search only goes back a few days), though it can be rough reading. But as Dave Kearns <a href="http://vquill.com/2009/07/dearth-of-blogging.html" target="_blank">tried to remind us tweeters</a>, we shouldn&#8217;t forget the value of a well written blog post (or two).</p>
<h3>The SIG Meetings</h3>
<p>For me, the conference was divided into two parts. Monday and Tuesday I attended a few SIG meetings on topics that were varied yet highly interconnected. Monday was a meeting of the Concordia Workshop, which is now a <a href="http://kantarainitiative.org/confluence/display/concordia/Home" target="_blank">discussion group</a> under the new Kantara Initiative. The focus of the meeting was <em><strong>Use Cases driving Identity in Enterprise 2.0: The Consumerization of IT</strong></em>. The ever intrepid Eve Maler has <a href="http://projectconcordia.org/index.php/Catalyst_pre-conference_workshop_agenda#Agenda" target="_blank">posted materials from the day</a> to the Concordia site, so you can check them out yourself. While the individual discussions covered all manner of areas, the connecting thread throughout was <strong>Authorization</strong>. There was a morning discussion where a panel talked about the progress made in the authorization space, from the <a href="http://lists.oasis-open.org/archives/xacml/200907/msg00019.html" target="_blank">XACML API contributed to the TC</a> by Oracle and Cisco, to the emergence of AuthZ as the critical service in the identity services reference architecture being developed in the Burton Group ISWG (which I have been participating in and writing about). <a href="http://twitter.com/MikeG514" target="_blank">Mike Gotta</a> and Alice Wang gave an excellent talk on the emerging concerns regarding social tools in the enterprise, and a lot of those concerns again boil down to authorization issues, in this case regarding data and information. Eve talked about <a href="http://www.xmlgrrl.com/blog/categories/protectserve/" target="_blank">her work on the ProtectServe protocol</a> that enables authorized data sharing from a user perspective. And the day finished with a talk on Levels of Assurance, a critical piece in allowing for partners to make informed authorization decisions.</p>
<p>Tuesday started with a meeting on <em><strong>Cloud Computing Security and Identity Management</strong></em>. As readers of my blog/twitter know, I have been saying for a while that cloud computing is going to have a major impact on the identity management business, in much the same way that compliance concerns did a few years ago. It is probably a sign of the immaturity of the market that the discussion was focused on describing the challenges to be solved rather than any solutions.</p>
<p>The meeting included a deep-dive presentation by Liam Lynch, eBay&#8217;s Chief Security Strategist, on how the auction giant tackles their internal cloud computing needs. There were a few points made during his presentation that I found interesting:</p>
<ul>
<li>eBay is into cloud computing as a provider, not a consumer, since they allow 3rd party developers to create their own auction sites on eBay infrastructure using a development kit called eBox</li>
<li>As such, eBay feels that security considerations have to be made inherent in cloud architecture as they cannot rely on these 3rd party developers to not make mistakes</li>
<li>eBay uses contextual behavior and reputation, including biometric analysis, as the underpinnings of its identity management strategy. Reputation and behavior analysis generate (over time) dynamic identity claims that then get used in access control decisions</li>
<li>eBay found RBAC to be a bad match for their performance requirements, and shifted to a claims-based model for authorization. In this model, claims are attached to the data object being accessed itself (sort of a next-generation ACL). The access check then compares the claims the actor holds at runtime against the claims attached to the object to make an authorization decision.</li>
<li>Liam made the point that managing access through roles was a bad model for them, which is why they went claims-based. I understand the performance concerns that arise when evaluating RBAC at runtime, but for managing the grants of access, nothing beats a role-based model. So I was a little surprised by his statement. When I dug deeper, it turned out that they simply replaced RBAC with Organization-based AC, and not because of performance reasons but because of compliance reasons since the org change has approval attached while the role change did not. So it wasn&#8217;t really an issue with RBAC, just the implementation they had in-house.</li>
<li>Liam pointed out that a move to the cloud can be an opportunity to fix broken internal processes, since the cloud will amplify any issues you may have</li>
</ul>
<p>The meeting also had Nils Puhlmann, co-founder of the <a href="http://www.cloudsecurityalliance.org/" target="_blank"><strong>Cloud Security Alliance</strong></a>, speaking to the participants on the need to come up with a practical security checklist that all Cloud Service Providers could be measured against, so that enterprise customers can make accurate assessments of the risk with using a particular CSP. He called for greater vendor involvement and focus on the cloud, since the cost dynamics of the cloud make adoption inevitable. And that CSPs need to be more transparent about their security controls and policies.</p>
<p>Later that afternoon I attended the next meeting of the <em><strong>Identity Services Working Group</strong></em> that I&#8217;ve been participating in. There were a lot of new folks in the audience, so it was a good opportunity to recruit new blood into the effort. As Kevin Kampman presented the work that had been done previously on the Authentication service and laid out the effort lying ahead on the Authorization service, we got into highly spirited, and productive, discussions on the nature of the services architecture. One of the points made repeatedly (and which was echoed later in the week during the sessions) was the terminology issue that plagues the identity community, in this case around words like Policy (vs. policy). There was a strong sentiment from the group that policy management needs to be made part of the overall framework for it to work properly. And there was also a strong push from the group to try and condense the best of the prior efforts at defining AuthZ services into our vision.</p>
<p>While on the surface all of these SIGs were on different topics, I found them to be highly intertwined. Identity concerns in cloud computing are tied in directly to the need for an identity services architecture that allows cloud services to leverage the enterprise identity (and therefore security) apparatus, thus reducing risk for the enterprise and providing compliance with both internal and regulatory controls. And Enterprise 2.0 is mostly about the intrusion of cloud-based services like social media into the enterprise environment (or the extrusion of the enterprise into commercialized IT services, depending on how you want to look at it), where concerns about consistency of identity and controls are foremost in the minds of CIOs and CISOs everywhere. So while the discussion is still somewhat fragmented (as it probably should be at this time), I look forward to all of this coming together nicely in the future (maybe even at a future Catalyst conference).</p>
<p>I think I need to do a better job breaking these posts into smaller, more readable chunks. My next post(s) will focus on the sessions themselves.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/authorization" rel="tag">Authorization</a>, <a href="http://blog.talkingidentity.com/tag/burton-catalyst-conference" rel="tag">Burton Catalyst Conference</a>, <a href="http://blog.talkingidentity.com/tag/catalyst09" rel="tag">Catalyst09</a>, <a href="http://blog.talkingidentity.com/tag/cloud-computing" rel="tag">Cloud Computing</a>, <a href="http://blog.talkingidentity.com/tag/ebay" rel="tag">eBay</a>, <a href="http://blog.talkingidentity.com/tag/identity-services" rel="tag">Identity Services</a>, <a href="http://blog.talkingidentity.com/tag/kantara-initiative" rel="tag">Kantara Initiative</a>, <a href="http://blog.talkingidentity.com/tag/oracle_idm" rel="tag">Oracle_IDM</a>, <a href="http://blog.talkingidentity.com/tag/project-concordia" rel="tag">Project Concordia</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2009/08/burton-catalyst-2009-the-twisted-web-we-weave.html/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Concordia tackles Entitlements and Policy Management</title>
		<link>http://blog.talkingidentity.com/2008/06/concordia_tackles_entitlements.html</link>
		<comments>http://blog.talkingidentity.com/2008/06/concordia_tackles_entitlements.html#comments</comments>
		<pubDate>Wed, 11 Jun 2008 01:49:21 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Burton Catalyst Conference]]></category>
		<category><![CDATA[BurtonGroupCatalyst08]]></category>
		<category><![CDATA[Entitlement Management]]></category>
		<category><![CDATA[Identity Services]]></category>
		<category><![CDATA[Project Concordia]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=105</guid>
		<description><![CDATA[Burton Group&#8217;s Catalyst Conference is coming up at the end of the month, which means that the work going on in the identity management world kicked up a few notches last month. One of the things that is becoming a fixture at Catalyst is a meeting of the folks involved in Project Concordia. Anyone who [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.catalyst.burtongroup.com/NA08/ConferenceElements.html"><img src="http://blog.talkingidentity.com/wp-content/uploads/2008/07/catalystlogo08.jpg" alt="" align="right" /></a>Burton Group&#8217;s <span style="font-weight: bold;">Catalyst Conference</span> is coming up at the end of the month, which means that the work going on in the identity management world kicked up a few notches last month. One of the things that is becoming a fixture at Catalyst is a meeting of the folks involved in Project Concordia. Anyone who reads my blog knows that I am <a href="http://blogs.oracle.com/talkingidentity/search/?q=Concordia&amp;searchThisSiteOnly=true">a big supporter of their efforts</a> to bring real-world use cases to bear on the creation of practical solutions.</p>
<p>This year, their session will be focused on the area of <a href="http://projectconcordia.org/index.php/Main_Page#Policy_and_Entitlements_Management">entitlement and policy management</a>. If you are going to be at Catalyst, it is a great way to spend a day, listening to representatives from companies like Boeing, Cisco, Micron and The US Army share their insights, experiences and requirements for standards based policy and entitlement management.</p>
<p>Unfortunately, I won&#8217;t be getting into San Diego in time to attend, but Prateek Mishra from Oracle will be there, and of course, Roger Sullivan will be leading the charge as the host. It&#8217;s free to attend, all you have to do is register <a href="http://projectconcordia.org/index.php/Policy_and_Entitlements_Management_workshop_register">here</a>. Do it, and let me know what you learn.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/burton-catalyst-conference" rel="tag">Burton Catalyst Conference</a>, <a href="http://blog.talkingidentity.com/tag/burtongroupcatalyst08" rel="tag">BurtonGroupCatalyst08</a>, <a href="http://blog.talkingidentity.com/tag/entitlement-management" rel="tag">Entitlement Management</a>, <a href="http://blog.talkingidentity.com/tag/identity-services" rel="tag">Identity Services</a>, <a href="http://blog.talkingidentity.com/tag/project-concordia" rel="tag">Project Concordia</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2008/06/concordia_tackles_entitlements.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Project Concordia Has Its Work Cut Out For It</title>
		<link>http://blog.talkingidentity.com/2007/06/project_concordia_has_its_work.html</link>
		<comments>http://blog.talkingidentity.com/2007/06/project_concordia_has_its_work.html#comments</comments>
		<pubDate>Wed, 27 Jun 2007 18:09:48 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Application-Centric IdM]]></category>
		<category><![CDATA[Authentication Management]]></category>
		<category><![CDATA[Burton Catalyst Conference]]></category>
		<category><![CDATA[BurtonGroupCatalyst07]]></category>
		<category><![CDATA[Project Concordia]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=59</guid>
		<description><![CDATA[I attended the Project Concordia workshop yesterday, ahead of the Catalyst conference. I mentioned the project in a blog post last week; it has the worthy goal of trying to initiate efforts that make sense of the competing standards and methodologies that exist in the identity world. I found myself enjoying the kind of lively [...]]]></description>
			<content:encoded><![CDATA[<p>I attended the <span style="font-weight: bold;">Project Concordia</span> workshop yesterday, ahead of the Catalyst conference. I mentioned the project in a <a href="http://blogs.oracle.com/talkingidentity/2007/06/can_project_concordia_guide_us.html">blog post</a> last week; it has the worthy goal of trying to initiate efforts that make sense of the competing standards and methodologies that exist in the identity world. I found myself enjoying the kind of lively discussion that makes you glad to be part of such a dynamic community. Built around 5 use case presentations done by organizations deploying identity solutions today, the goal of the workshop was to identify the protocol interoperability challenges that these implementations are facing and what needs to be done to solve them.</p>
<p>The use cases presented by <span style="font-weight: bold;">AOL</span>, <span style="font-weight: bold;">Boeing</span>, <span style="font-weight: bold;">Govt. of British Columbia</span>, <span style="font-weight: bold;">GM</span> and <span style="font-weight: bold;">US-GSA</span> were quite detailed and very articulate with regards to the challenges being faced in their deployments. Since the topic was standards and protocols, the discussions focused primarily on the authentication and federation pieces of the identity management puzzle (as those standards are the most evolved in the identity space).</p>
<p>Some common themes emerged in the discussions:</p>
<ul>
<li>Usability of the authentication process was identified as an area that is greatly lacking, and potentially needs some work by the standards bodies. The whole idea is to make the life of the end-user easier. Users shouldn&#8217;t have to worry about which credential they need to use, but should still have a choice of which credential they want to use.</li>
<li>Seemingly at opposite ends of the spectrum, incorporation of the device into the authentication process (reliance on OS authentication) and independence from the device (for portability of identity across laptops, cellphones and kiosks) were identified as being key requirements</li>
<li>Setting up federations still requires too much investment and time, preventing it from being a scalable solution to the single identity problem</li>
<li>In the context of single sign-on across web applications, the topics of session timeouts and global logout generated much discussion</li>
<li>Standards are being unevenly implemented by vendors. All cover the basic aspects of the spec, but none implement the whole spec, usually on edge features, which causes confusion, surprises and incompatibility.</li>
<li>Everyone agreed that the non-technology aspects of federation are more complex than the technical aspects</li>
</ul>
<p>The <span style="font-weight: bold;">AOL</span> use case was very interesting as it was the only one that was purely in the consumer space, and discussed the role their OpenID strategy plays in it. The others had more of an enterprise feel to them. At the same time, enterprises like <span style="font-weight: bold;">Boeing</span> and <span style="font-weight: bold;">GM</span> stated that they were actively trying to figure out where OpenID would fit into their business model. <span style="font-weight: bold;">GM</span> and <span style="font-weight: bold;">Boeing</span> both talked to the issues of deploying federation with 1000s of partners, and for a mobile workforce in manufacturing environments where issues of presence and entitlement management are key. The <span style="font-weight: bold;">Govt. of British Columbia</span> presented an interesting challenge of creating a federation with both large and small &#8220;organizations&#8221;, where organizations is a loose term that not only covers businesses but also small proprietorships like doctors offices, where the opportunity to deploy complex software does not exist.</p>
<p>The use case presentations engendered some lively discussions that were both entertaining and thought-provoking. Mike Beach of Boeing (never one to shy away from creating controversy) questioned the need for interoperability, postulating that maybe convergence of the standards is better. That is the essence of the challenge that Project Concordia faces &#8211; how to come up with an elegant, usable solution out of the morass of standards that different interests have thrown into the ring.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/application-centric-idm" rel="tag">Application-Centric IdM</a>, <a href="http://blog.talkingidentity.com/tag/authentication-management" rel="tag">Authentication Management</a>, <a href="http://blog.talkingidentity.com/tag/burton-catalyst-conference" rel="tag">Burton Catalyst Conference</a>, <a href="http://blog.talkingidentity.com/tag/burtongroupcatalyst07" rel="tag">BurtonGroupCatalyst07</a>, <a href="http://blog.talkingidentity.com/tag/project-concordia" rel="tag">Project Concordia</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2007/06/project_concordia_has_its_work.html/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Can Project Concordia guide us out of the morass?</title>
		<link>http://blog.talkingidentity.com/2007/06/can_project_concordia_guide_us.html</link>
		<comments>http://blog.talkingidentity.com/2007/06/can_project_concordia_guide_us.html#comments</comments>
		<pubDate>Tue, 19 Jun 2007 19:49:17 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Burton Catalyst Conference]]></category>
		<category><![CDATA[BurtonGroupCatalyst07]]></category>
		<category><![CDATA[Information Cards]]></category>
		<category><![CDATA[OpenID]]></category>
		<category><![CDATA[Project Concordia]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=57</guid>
		<description><![CDATA[On Lost, one of my favorite shows on TV, the lead character is fond of saying &#8220;Live Together, Die Alone&#8220;. So much so that on one of the more recent episodes, one of the other characters told him &#8220;If you say that one more time, I&#8217;m gonna kill you&#8221; (I may be paraphrasing a bit). [...]]]></description>
			<content:encoded><![CDATA[<p>On <span style="font-weight: bold;">Lost</span>, one of my favorite shows on TV, the lead character is fond of saying &#8220;<span style="font-style: italic;">Live Together, Die Alone</span>&#8221;. So much so that on one of the more recent episodes, one of the other characters told him &#8220;If you say that one more time, I&#8217;m gonna kill you&#8221; (I may be paraphrasing a bit).</p>
<p>That is probably how a lot of us in the identity community feel about the topic of interoperability. We have been talking about interoperability for so long, and have seen so many efforts come and go, that we may be feeling a bit jaded despite knowing how crucial it is to the survival of all that we have worked for. However, this year has seen some promising developments that again give us hope. Microsoft announcing the interoperability of CardSpace with OpenID at the RSA Conference was one such development. And more recently, I have come to learn of the <span style="font-weight: bold;">Concordia Project</span>, launched by members of the Liberty Alliance.</p>
<p>From their <a href="http://projectconcordia.org/index.php/Main_Page">website</a> you get a sense of what they are trying to accomplish:</p>
<blockquote><p>&#8220;The Concordia project is a global initiative designed to drive interoperability across identity protocols in use today. It does this by soliciting and defining real-world use cases and requirements for the usage of multiple identity protocols together in various deployment scenarios, and encouraging and facilitating the creation of protocol solutions in the appropriate &#8220;homes&#8221; for those technologies.&#8221;</p></blockquote>
<p>Reading more on their wiki, it sounds like a big requirements gathering exercise aimed at documenting real problems that cannot be solved unless protocol interoperability exists. These requirements can then be fed to the appropriate technical group for resolution. The hope is that by focusing on requirement gathering, they can gather good data independent of vendor or protocol bias. Going back to basics is often a good way of avoiding the issues that plagued earlier attempts. Eric Norlin also <a href="http://blogs.csoonline.com/the_concordia_project_aims_for_interoperability">points out</a> that it is significant that this is the first organization focused on protocol interoperability that Microsoft will be an active participant in.</p>
<p>To take advantage of next week&#8217;s Catalyst Conference, the Liberty Alliance is co-sponsoring the <span style="font-weight: bold;">Concordia Workshop</span> on June 26 at the San Francisco Hilton (<span style="font-style: italic;">where Catalyst will take place</span>). The workshop will try to define and understand deployer needs with regards to interoperability and harmonization of different identity standards and protocols, through presentations by <span style="font-weight: bold;">AOL</span>, <span style="font-weight: bold;">Boeing</span>, <span style="font-weight: bold;">GM</span>, the <span style="font-weight: bold;">Government of British Columbia</span> and the <span style="font-weight: bold;">US GSA</span>. Sounds like an interesting opportunity to hear what some of the active consumers of identity technology are trying to do. I will definitely be checking it out to understand more and figure out how the project may be helpful to us as we define the ISF.</p>
<p>Attendance at the workshop is free; you can register and review the agenda at the <a href="http://www.projectliberty.org/news_events/events/concordia_project_workshop_burton_catalyst_pre_conference_session_2007">workshop registration page</a>.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/burton-catalyst-conference" rel="tag">Burton Catalyst Conference</a>, <a href="http://blog.talkingidentity.com/tag/burtongroupcatalyst07" rel="tag">BurtonGroupCatalyst07</a>, <a href="http://blog.talkingidentity.com/tag/information-cards" rel="tag">Information Cards</a>, <a href="http://blog.talkingidentity.com/tag/openid" rel="tag">OpenID</a>, <a href="http://blog.talkingidentity.com/tag/project-concordia" rel="tag">Project Concordia</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2007/06/can_project_concordia_guide_us.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

