Ben has responded to my response by vigorously defending his stance against the pull movement. His statement that “…this will take more effort than it will return in value” is correct in identifying what enterprises should focus on – a cost-benefit analysis – but not in his estimation of how to do the valuation. I understand the dilemma – we have something that works; why put in this massive effort to change all that?
(Some would argue – vigorously – that what we have actually doesn’t work. That is a battle for a different post.)
Let me be clear here; no one is saying that you need to throw out what you have, stop implementing IdM with the tools out there, and go back to the drawing board. This is about evolving architecture, not a revolution in technology. As I said in my presentation at Catalyst, enterprises will (probably for a long time) be dealing with both the push-based and the pull-based models. But what enterprises need to recognize (a lot of them already do) is that the pull-based model is the way of the future, starting now. And there are good reasons for it (in fact, Ben’s post actually points out scenarios where a pull-based model would be far more precise and cost-effective than a push-based model. And isn’t his last example actually a detective control, not a preventive control?). Enterprises need to start preparing for it now because this is not a transition that can be done overnight. And it is not one they are likely to avoid (or should want to).
- If an enterprise is considering using cloud services, they need to prepare their IdM infrastructure for a pull-based world, because that is where the majority of cloud services will go (just ask Salesforce)
- If a company is offering cloud-based services, they need to be prepared for a pull-based identity model, because that is what major IdPs and enterprises will demand of them (just look at Google Apps Marketplace, or why so many cloud vendors now support SAML and OpenID)
- If an enterprise builds applications in-house, they need to understand and prepare for pull-based identity, because the cost of maintaining their applications in the long run will drop significantly (just look at the work we’re doing with Fusion Applications)
- If an enterprise is looking to get out of the business of managing identity and instead wants to rely on 3rd party service providers (including cloud), then they need to focus on pull-based identity to make this happen (just look at the challenges facing Cloud IdM vendors)
Ideally, your IdM infrastructure should be able to handle both push and pull based models together (no one wants parallel infrastructure). Ben is correct when he says that he
…would rather not see enterprises cobble their identity infrastructures together with a little more than hope, bailing wire, and string. I maintain that enterprises need to build identity on a sustainable, scalable, identity and access management environment that is extensible enough to address potential future identity management models and standards as they arise.
I think where I feel differently from Ben is in how quickly we feel these “potential future identity management models” will be here for enterprises to tackle. I am not talking about some Utopian vision that is built on a foundation of sand here (as Ben seems to think). This is a very real change that is happening today. I have spent time with some very smart enterprise architects and program managers who are in the process of building identity services programs in their companies today that are built on this view. Within Oracle itself, Fusion Applications is a major undertaking that builds on this vision by leveraging identity standards, and the knowledge we gain from the effort is guiding our involvement in driving these standards forward.
Yes, there are unresolved challenges, but all of the identity standards are still evolving (though sometimes slower than we would like). The vision of Service-Oriented Security (which is built around pull-based identity) is a guiding force that is helping create a cohesive vision around which to rationalize the various standards efforts (which all too often have been disjointed), resulting in a better framework to build applications on. And it is well established at this point that application development is all about frameworks now (no one builds applications from the ground up any more).
By the way, I will be doing a live webcast on Service-Oriented Security on August 25 at 2pm ET/11am PT. A lot of what we are talking about here will be discussed during the webcast in far more detail. So register now and we can chat about the challenges and promise of pull during the webcast.