Beyond SPML: Access Provisioning in a Services World

Another Burton Group Catalyst conference has come to a close, and as always it was a treasure trove of stories, ideas and conversations. That is why it was great to have the uncertainty around the conference laid to rest when it was announced that it will be back next year (July 26-29 in San Diego, mark your calendars). I spent most of my time in the identity management and privacy track, with some forays into the social media and cloud tracks. I will try to write up some of the more interesting things I heard over the next few posts, but you can definitely check out my tweetstream and the conference tweetstream for an unstructured view.

On Wednesday, I gave a talk entitled “Beyond SPML: Access Provisioning in a Services World”, which built on my Gluecon talk and work with Fusion architecture to provide a vision for the future of provisioning. The central thesis is that as we move from Push to Pull models in Identity, provisioning becomes a key component in making sure that policy and process controls are still enforced. But this requires a fundamental evolution in application and middleware architecture towards services-oriented security and externalized identity.

SOA (Service Oriented Architecture) software testing refers to testing of the SOA architectural style, in which the application components are designed to communicate via communication protocols, usually over a network. According to this article from Parasoft, SOA testing can mitigate the cost of re-work by proactively adjusting your library of tests as services change. SOA tests can transform your functional testing artifacts into security tests and load tests, to increase re-usability and save time.

I was extremely gratified to receive lots of positive validation and feedback about the vision I expressed in my presentation. And it really fit in with the theme flowing through the presentations in the provisioning section, which was focused on moving to a more streamlined, manageable, scalable provisioning future. It also echoed the sentiment that provisioning is a multi-faceted problem with different interaction points and flows and will therefore require a combination of standards rather than just one standard. This was really driven home by the extremely interactive SPML SIG meeting that I participated in (organized by Mark Diodati), where there was general agreement that SPML needs to get really focused on specific use cases rather than trying to be all things to all possibilities.

I am looking for input, so check out the deck and leave me comments on this post. I will definitely be building on the ideas in there with our identity management team to move the vision of service-oriented security forward. But for it to be useful, it has to resonate with the IdM and application development communities. And that’s where we all have to work together in making this a reality.