
May 2006 Archives

May 11, 2006

Gartner MQ for User Provisioning published - Oracle Named "Leader"

I have been neglecting this blog for a while, and it took an event of historic importance to pull me out of my reverie and back into the blogosphere. No, I am not talking of the arrival on this earth of Suri Cruise. It was the eagerly anticipated publication of Gartner's magic quadrant on User Provisioning (or UP as it is called in the report).


OK, so maybe it isn't quite so earth-shattering an event, but for some of us at Thor, the waiting had turned into our own little episode of "Waiting for Godot", complete with conspiracy theories and other shenanigans. And the naming of Oracle as a "leader" in the space made the wait all the more worthwhile (though bittersweet, because we sure could have used this while we were still Thor). It makes for an interesting read, so check it out.


Some things I found really interesting were:



  • A pointed acknowledgement of the politics that goes into provisioning projects, which can be extremely painful (wanna see my scars?)
  • An interesting division of approaches into middleware and access management approaches, with Microsoft the lone (major) advocate of the latter
  • The lack of any "visionaries" in the quadrant (I may have something to say about that!)
  • Microsoft being categorized as a niche player (imagine that!), probably because of their approach
  • Their statement that Oracle's IAM road map "looks the best of all vendors" (go team)

In the coming weeks I will devote some posts to talking about some of the topics and perspectives that Gartner had in their paper.

May 17, 2006

Analyzing Microsoft's approach to provisioning

Gartner's MQ report on provisioning calls out the different approach that Microsoft has taken to the provisioning space. Termed the "enterprise access management" approach, it essentially advocates the externalized authn and authzn model that requires less pushing of data into target system repositories, and more pulling of data by the target systems from MIIS at runtime.


The Microsoft approach to provisioning has essentially evolved (not too far though) from the metadirectory roots of MIIS. In that vein, it misses some critical realities of enterprise provisioning today:



  1. An externalized approach is essentially invasive to existing applications, requiring them to change their operational model significantly
  2. Commercial applications are unlikely to adopt an externalized model any time soon
  3. Legacy applications, especially the mainframe-based applications that are frequently the target of phase 2 provisioning deployments, are never going to evolve to such a model

External authn and authzn models are going to become increasingly popular, especially as standards in the space become widely accepted. This will lead to some of the above realities fading away into the history books (albeit a long time from now). Any application development that enterprises embark on today should look at the externalized model as giving them tighter administrative control over their applications and enterprise. However, the middleware approach to provisioning will not disappear; rather the IdM system of the future will be a hybrid (integrated?) version of provisioning and authn/authzn engine.


Why? Both Microsoft and Gartner ("... the middleware approach, which addresses the management of the complex authentication environment ...") overlook an often-missed aspect of provisioning - that its coverage extends beyond mere authn and authzn data to operational data as well. Frequently, it is also about taking decisions and setting values of attributes that are calculated from the data available to the provisioning system. This can be illustrated with a simple example involving one of Microsoft's own systems - MS Exchange. Very frequently, based on some really complex decision criteria, the provisioning system is responsible not only for determining who gets an Exchange account, but which server they get their account on. This is especially important in financial institutions where the existence of "Chinese walls" is mandated. The argument extends to various other applications, including custom applications that invariably have an underlying database configuration that needs management during the provisioning process.


And let's not forget all the cool audit and compliance features you get with the more traditional provisioning tools, which an externalized model simply would not support.
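To make the Exchange argument above concrete, here is an added example (not code from the original post, and not from any Oracle, Thor or Microsoft product) of a push-model provisioning decision: it computes an operational attribute (the mailbox server) from identity data, refuses placements that would put two walled-off departments on the same server, and returns the decision record that would go to the audit trail. The departments, server names and conflict classes are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed placement policy: candidate mailbox servers per department, in preference order.
CANDIDATE_SERVERS: Dict[str, List[str]] = {
    "M&A Advisory": ["EXCH-01", "EXCH-02"],
    "Equity Research": ["EXCH-01", "EXCH-03"],
    "Corporate IT": ["EXCH-02"],
}
# Constructed Chinese-wall classes: departments in one set may never share a server.
CONFLICT_CLASSES: List[Set[str]] = [{"M&A Advisory", "Equity Research"}]


@dataclass
class Identity:
    uid: str
    department: str
    status: str  # "active" or "terminated", as the provisioning system sees it


def conflicts_with(dept: str, hosted: Set[str]) -> bool:
    """True if any department already on a server sits behind a wall from `dept`."""
    return any(dept in c and bool(hosted & (c - {dept})) for c in CONFLICT_CLASSES)


def choose_server(dept: str, occupancy: Dict[str, Set[str]]) -> Optional[str]:
    """Pick the first candidate server whose current tenants do not breach a wall."""
    for server in CANDIDATE_SERVERS.get(dept, []):
        if not conflicts_with(dept, occupancy.get(server, set())):
            return server
    return None


def provision_mailbox(user: Identity, occupancy: Dict[str, Set[str]]) -> dict:
    """Decide grant/revoke/deny and return the record the audit log would keep.

    `occupancy` maps server -> departments currently hosted (as reconciled from the
    target); it is updated on grant so later decisions see the new placement.
    """
    if user.status != "active":
        return {"uid": user.uid, "action": "revoke", "server": None, "reason": "not active"}
    server = choose_server(user.department, occupancy)
    if server is None:
        return {"uid": user.uid, "action": "deny", "server": None, "reason": "no wall-safe server"}
    occupancy.setdefault(server, set()).add(user.department)
    return {"uid": user.uid, "action": "grant", "server": server, "reason": "policy placement"}


if __name__ == "__main__":
    occ: Dict[str, Set[str]] = {}
    for u in (Identity("alice", "M&A Advisory", "active"),
              Identity("bob", "Equity Research", "active"),
              Identity("carol", "Corporate IT", "terminated")):
        print(provision_mailbox(u, occ))
```

Run as-is, bob is steered away from EXCH-01 because alice's department already lives there, which is exactly the kind of computed placement a pull-at-runtime model has nowhere to express.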


As Gartner pointed out, when implemented correctly, the access management approach can be a lower-cost alternative. That is the reason it is often viewed as being geared more towards the SMB market. However, one thing to remember is that SMB customers are more likely to have deployed COTS applications that do not support externalized security controls. So, unless you are a small shop that has been able to restrict its critical infrastructure to a Microsoft stack, it is unlikely to be a viable option for some time to come.


Architecturally, the approach Microsoft is advocating is a nice clean one, and is definitely being considered in enterprises for their new application development projects. And it is an approach that is central to the "Application-Centric" message that we at Oracle are adopting as part of the hybrid, open future I mentioned above. This is a big part of making enterprise-class IdM a reality for all, especially the SMB market, and of delivering the more scalable architecture infrastructure that enterprise architects have been craving. I, for one, look forward to having some fun taking it from vision to reality.

May 31, 2006

Defining Role Management - Part 1

The topic of role management is always an interesting one to debate. Everyone's take seems to be slightly different; so much so that if you listen to enough people, you end up trying to rationalize a rather broad spectrum. I recently spent some time having a rather animated discussion on the topic with someone who has a need in the area of role management. He runs the IdM projects for one of our bigger customers, and with the stabilization of their initial provisioning deployment, their thoughts have now turned to role-enabling their processes.

The debate we were having was around the definition of role management, and what exactly it was that his team needed to implement. As we argued, I started to see interesting parallels between the evolution of role management and user management. It took some time to establish that user management was the sum of its parts - access management, provisioning, reconciliation, etc. Until then, every vendor that specialized in one discipline argued vociferously for their cause. Role management seems to be much in that stage, with the different vendors arguing that their approach to role management is truly the way.

The reality, of course, is that role management is a complex problem, and as such, requires multiple facets to define a complete solution. The way we see it, role management can be broadly divided into the following disciplines:

  • Role Definition
    • Mining
    • Engineering
  • Role Lifecycle Management
    • Administration
    • Run-Time Provider

The definition is further muddied by the fact that these disciplines utilize different approaches to the role problem - top-down vs. bottom-up, forensic vs. administrative, reality vs. vision. What is not lost is that each contributes value to the ultimate exercise of trying to move away from dealing with individuals when it comes to policy definition and enforcement, and creating a more manageable infrastructure by dealing with abstractions that make sense to the business. Future posts will tackle each of these aspects of role management, reflecting the evolution of our own offering in the space.

[Image: a graphical anatomy of Role Management]

As for me and my debate partner, we finished our meal agreeing that the entire solution is needed for a truly successful deployment, but not entirely agreeing on which part they needed to tackle first. Stay tuned for more on how we solve this fundamental problem.

About

Nishant Kaushik

An exploration of the world of Identity Management with me, Nishant Kaushik, architect for IdM products at Oracle.
