Burton Catalyst 2009: The Twisted Web We Weave

I’m finally settling back into work after a wonderful week out in sunny San Diego at Burton Group‘s annual Catalyst Conference. And it wasn’t just the weather outside that was wonderful. Inside you could find some thought-provoking sessions, inspiring discussions and great people. It’s given me way too much to blog about, and I hope to be able to put some of it out here. But if you are interested, I have captured my tweet stream from the conference (since Twitter search only goes back a few days), though it can be rough reading. But as Dave Kearns tried to remind us tweeters, we shouldn’t forget the value of a well written blog post (or two).

The SIG Meetings

For me, the conference was divided into two parts. Monday and Tuesday I attended a few SIG meetings on topics that were varied yet highly interconnected. Monday was a meeting of the Concordia Workshop, which is now a discussion group under the new Kantara Initiative. The focus of the meeting was Use Cases driving Identity in Enterprise 2.0: The Consumerization of IT. The ever intrepid Eve Maler has posted materials from the day to the Concordia site, so you can check them out yourself. While the individual discussions covered all manner of areas, the connecting thread throughout was Authorization. There was a morning discussion where a panel talked about the progress made in the authorization space, from the XACML API contributed to the TC by Oracle and Cisco, to the emergence of AuthZ as the critical service in the identity services reference architecture being developed in the Burton Group ISWG (which I have been participating in and writing about). Mike Gotta and Alice Wang gave an excellent talk on the emerging concerns regarding social tools in the enterprise, and a lot of those concerns again boil down to authorization issues, in this case regarding data and information. Eve talked about her work on the ProtectServe protocol that enables authorized data sharing from a user perspective. And the day finished with a talk on Levels of Assurance, a critical piece in allowing for partners to make informed authorization decisions.

Tuesday started with a meeting on Cloud Computing Security and Identity Management. As readers of my blog/twitter know, I have been saying for a while that cloud computing is going to have a major impact on the identity management business, in much the same way that compliance concerns did a few years ago. It is probably a sign of the immaturity of the market that the discussion was focused on describing the challenges to be solved rather than any solutions.

The meeting included a deep dive presentation by Liam Lynch, Ebay’s Chief Security Strategist, on how the auction giant tackles their internal cloud computing needs. There were a few points made during his presentation that I found interesting:

  • eBay is into cloud computing as a provider, not a consumer, since they allow 3rd party developers to create their own auction sites on eBay infrastructure using a development kit called eBox
  • As such, eBay feels that security considerations have to be made inherent in cloud architecture as they cannot rely on these 3rd party developers to not make mistakes
  • eBay uses contextual behavior and reputation, including biometric analysis, as the underpinnings of its identity management strategy. Reputation and behavior analysis generate (over time) dynamic identity claims that then get used in access control decisions
  • eBay found RBAC to be a bad match for their performance requirements, and shifted to a claims-based model for authorization. In this model, claims are attached to the data object being accessed itself (sort of a next-generation ACL). The access then compares the claims the actor has at runtime with these to make an authorization decision.
  • Liam made the point that managing access through roles was a bad model for them, which is why they went claims-based. I understand the performance concerns that arise when evaluating RBAC at runtime, but for managing the grants of access, nothing beats a role-based model. So I was a little surprised by his statement. When I dug deeper, it turned out that they simply replaced RBAC with Organization-based AC, and not because of performance reasons but because of compliance reasons since the org change has approval attached while the role change did not. So it wasn’t really an issue with RBAC, just the implementation they had in-house.
  • Liam pointed out that a move to the cloud can be an opportunity to fix broken internal processes, since the cloud will amplify any issues you may have

The meeting also had Nils Puhlmann, co-founder of the Cloud Security Alliance, speaking to the participants on the need to come up with a practical security checklist that all Cloud Service Providers could be measured against, so that enterprise customers can make accurate assessments of the risk with using a particular CSP. He called for greater vendor involvement and focus on the cloud, since the cost dynamics of the cloud make adoption inevitable. And that CSPs need to be more transparent about their security controls and policies.

Later that afternoon I attended the next meeting of the Identity Services Working Group that I’ve been participating in. There were a lot of new folks in the audience, so it was a good opportunity to recruit new blood into the effort. As Kevin Kampman presented the work that had been done previously on the Authentication service and laid out the effort lying ahead on the Authorization service, we got into highly spirited, and productive, discussions on the nature of the services architecture. One of the points made repeatedly (and which was echoed later in the week during the sessions) was the terminology issue that plagues the identity community, in this case around words like Policy (vs. policy). There was a strong sentiment from the group that policy management needs to be made part of the overall framework for it to work properly. And there was also a strong push from the group to try and condense the best of the prior efforts at defining AuthZ services into our vision.

While on the surface all of these SIGs were on different topics, I found them to be highly intertwined. Identity concerns in cloud computing are tied in directly to the need for an identity services architecture that allows cloud services to leverage enterprise identity (and therefore security) apparatus, thus reducing risk for the enterprise and providing compliance with both internal and regulatory controls. And Enteprise 2.0 is mostly about the intrusion of  cloud-based services like social media into the enterprise environment (or the extrusion of the enterprise into commercialized IT services, depending on how you want to look at it), where concerns about consistency of identity and controls are foremost in the minds of CIOs and CISOs everywhere. So while the discussion is still somewhat fragmented (as it probably should be at this time), I look forward to all of this coming together nicely in the future (maybe even at a future Catalyst conference).

I think I need to do a better job breaking these posts into smaller, more readable chunks. My next post(s) will focus on the sessions themselves.