My GlueCon Talk on “Federated Provisioning and the Cloud”

Last week I attended GlueCon, a 2-day developer-oriented conference focusing on the technologies that make/will make the cloud go. As usual, Eric Norlin and team did an excellent job curating a conference with lots of interesting content, some of which was quite new to me. And the energy levels were extremely high (I can’t remember the last time I attended a conference where you could gather this kind of schwag).

I was there as part of a strong and vocal contingent of identity folks. It’s important to remember that identity is not just a security concern for the cloud, but a business enabler as well, having the potential to smooth adoption of services and ease integration between different cloud services. In this way, identity really can be the glue for the cloud (or the lube, as Doug Crockford called it, when he loudly rebranded the conference “LoobCon”).

It was pretty cool for me to be part of the “Hacking Identity” session that included Eve Maler talking about UMA, Chris Messina talking about XAuth and Brad Fitzpatrick talking about Webfinger. My topic stuck out a little like a sore thumb in there, because Federated Provisioning hardly has the same potential as a game-changing technology. But as I laid out in my talk, it is very much a concern in the near term for Enterprises that are looking to leverage cloud computing through a re-factoring (as opposed to a re-architecting approach). Below is the deck from my talk.

The content is a little dense to explain adequately in a deck, and since I couldn’t really record the voiceover, I think I am going to explain the content in a series of blog posts. So consider this part 1, the introduction.

Why Federated Provisioning Is Important To The Cloud

A lot of the talk in the new architecture of identity management is about externalizing identity from applications and services. I’ve certainly talked about it a lot on this blog, and it is at the heart of the Service-Oriented Security model that Oracle has been promoting. But for many enterprises, moving to the cloud is all about taking existing applications that they have and moving them to the cloud without re-architecting or re-engineering them, so that they can start getting incremental benefits from the cloud movement. This means that there are going to be a ton of services in the cloud that have their own little identity silos that will need to be managed; in other words, provisioned.

Also, provisioning tools are at the heart of any Enterprise’s identity GRC solution. Enterprise’s have spent a lot of time and money defining policy and workflow based controls that provide them both security and regulatory compliance. And they don’t have the ability to just throw all that out. So being able to continue to leverage those investments in their incremental move to the cloud is also important.

Side Note: I will be speaking at the Burton Catalyst North America conference on the topic of “Beyond SPML: Access Provisioning in a Services World”. That session will explore the next logical step in this discussion – how those policy and workflow based controls can continue to be leveraged, and even enhanced, as you move towards an externalized identity architecture.

And this is where federated provisioning comes in. Because in order to leverage the cloud for these services, the user provisioning of these services has to mimic the dynamic, highly automated nature of the cloud. It has to be built on standards, be light-touch and loosely coupled, and it has to just work (at scale). In a previous set of blog posts, triggered by Ian’s famous “There is no such thing as Federated Provisioning” post, I brought out that there are two kinds of federated provisioningAdvance Provisioning and Just-In-Time Provisioning.

Federated Provisioning - 2 Models

In the following series of posts, we will look at what these two models mean for the cloud, and some possible paths to achieving solutions to the problem.

[Ends Part 1 of 4]