Bringing Identity and the Cloud together at the European Identity Conference

Last week I was in Munich for the annual European Identity Conference organized by the good folks at Kuppinger Cole. The agenda was jam-packed with interesting topics, and I had the opportunity to be on 3 different (albeit consecutive) panels. I’m still digesting all that I heard and the wonderful conversations I had at the conference with folks like Dale Olds, Pam Dingle, Gerry Gebel and many others. But in the meantime, I thought I’d share some early thoughts from the panels I was on.

I wasn’t quite sure what the first panel, “The Next Step of User Provisioning: Identity GRC as a Natural Evolution”, was going to be about. On the surface, I thought it was a fairly obvious discussion topic, since the Oracle Identity Manager product has pretty much seen this evolution in its lifetime, where provisioning deployments went from being about IT efficiency to supporting compliance activities like attestation and reporting. Heck, back in the Thor days, we had an offering called Xellerate Audit and Compliance Manager that supported the model of building up the “Who-has-What” identity warehouse first so you could roll out attestation and compliance reporting before embarking on an automated provisioning and de-provisioning path. But our moderator John Hermans (KPMG) really wanted to make the panel interesting, challenging me and the other folks on the panel to a discussion on the value and effectiveness of Identity GRC projects. I think the point that came across consistently was the fact that the new Identity Governance products (like OIA) have evolved as business tools, not IT tools, serving as a way to give enterprises greater visibility into the state and risk of their identity environments. Beyond that, the panel is kind of a blur.

My next panel – on “Private, Hybrid, Public – Which Cloud for What?” – was a far more tame affair by contrast. And the main point I made on the panel was that the choice between the different cloud models is being guided right now by the one word that distinguishes these models from the customer perspective – Control. With a private cloud, an enterprise feels like it has more control over the infrastructure and the risks associated with it, because they have visibility into how it operates and what it is built on. Public clouds today are more opaque than transparent when it comes to their inner workings, and this is a function of the lack of standardization in the identity, security and audit functionality that the cloud services are built on. This divorces the policies and controls that enterprises have developed over the last many years from the cloud services, making it nearly impossible for the more risk-averse enterprises to consider these as viable options. This point came across repeatedly during the conference as I talked to customers and enterprises considering cloud services. Maybe it is a function of the data privacy and protection environment in Europe, but there was far greater mindshare for the idea of building identity services in a private cloud, which you could then connect via federation and service-oriented security to public cloud services.

My last panel on “What the Identity Industry should do to Improve Security for the Cloud” really focused on the idea of standards and adoption of development frameworks for consistent identity inclusion into applications and platforms. And it built on the discussion from my previous panel, as we discussed why it was that cloud vendors have not been able to create more transparency into their offerings. One of the points I focused on was that it isn’t really the cloud vendors’ fault that they are more opaque than transparent. Often, they can’t provide more visibility because they themselves don’t have that information. And this is a function of how these cloud services are being built, and the lack of tooling they need. We need to make it easier and more transparent for developers to build identity-aware applications. It was very interesting to hear Dr. Barbara Mandl of Daimler talk about their adoption of cloud services as an outgrowth of their adoption of the ASP vision from years ago. The result is that they had put in place a development framework for their applications that was serving them well in adopting cloud services. But she also made the point that the standards are just not mature enough or standardized enough to make this seamless and pain-free, even in areas where we (the identity industry) think we did a good job, like SAML.

A lot of what I said on the panels came together rather nicely in an interview I gave later that day to Felix Gaehtgens of Kuppinger Cole, where we discussed the challenges in identity-enabling the cloud environment, and what Oracle’s approach to this is, both from an identity management perspective and from a platform perspective. Check out the video if you have some time.