
December 2006 Archives

December 2, 2006

Moving Towards the ISF: Announcing the Identity Governance Framework

This week, Oracle took a long-awaited first step towards the realization of the Identity Services Framework that I have been talking about. At the Gartner IAM Summit this week, Oracle announced an open initiative, the Identity Governance Framework (IGF), to address governance of identity-related information across enterprise IT systems. The IGF will enable enterprises to declaratively control how identity-related information, including Personally Identifiable Information (PII), access entitlements, attributes, etc., is used, stored, and propagated between their systems.

This is a key part of the ISF. The biggest challenge in IdM is making identity-related data available to the enterprise as a service that is part of the identity infrastructure layer. Without it, the enterprise is forced down traditional paths of trying to consolidate all that identity data in a central directory, or forcing individual applications to maintain their own redundant identity silos. As enterprises become more distributed, and as the definition of identity-related data continues to expand, such approaches are no longer adequate and cannot scale.

The IGF solves this problem by providing a standard way to support access to identity attributes originating from other sources (application-centric stores, departmental information, SAML assertions, InfoCards, ...). Its function is to give the organizations and business managers responsible for the security of identity-related data the ability to define more specifically how and when information may be used, on a contextual or transactional basis.

The four key components of the Identity Governance Framework that vendors and customers can currently review include:

  • Client Attribute Requirement Markup Language (CARML): an
    XML-based declarative contract defined by application developers that
    informs deployment managers and service providers about the attribute
    usage requirements of an application
  • Attribute Authority Policy Markup Language (AAPML): a set of
    policy rules regarding the use of identity-related information from an
    identity source that allow these sources to specify constraints on use
    of provided data by consuming applications
  • CARML API: an Application Programming Interface that makes it
    easier for developers to write applications that consume and use
    identity-related data in a way that conforms to policies set around the
    use of such information
  • Identity Provider Service: a policy-secured service for accessing identity-related data from multiple identity sources.

The essential elements missing were standards that governed how the consumer-provider interactions would take place, and policies that would control them. The initial draft specifications of CARML and AAPML being contributed by Oracle to the community are an attempt to address that gap. These specifications provide a common framework for defining usage policies, attribute requirements, and developer APIs pertaining to the use of identity-related information. They fit in nicely with the identity provider service in the ISF, as illustrated in the diagram below.


What is even more encouraging is that other leading identity vendors - CA, Layer 7 Technologies, Novell, Ping Identity, Securent and Sun - have reviewed a draft of the IGF and plan to work with Oracle to develop full specifications. The industry involvement will be crucial to making this a reality.

There is a lot more information available on this topic, including overview documents, draft specs and examples at http://www.oracle.com/goto/igf. Check it out and send in your comments.

December 13, 2006

Postcard from the Gartner IAM Summit

Two weeks ago I attended Gartner's first IAM summit. Entering an arena long dominated by Burton and RSA, they nonetheless seemed to have a respectable turnout, even if it was mostly people like me curious to find out what their treatment of the space was going to be. The fact that it was in Vegas was another kind of incentive, with the consequence that I missed a couple of early morning sessions.

The content mostly seemed to be aimed at a crowd more generic than the crowd you would encounter at, say, Catalyst. However, they did have a few interesting sessions. Lawrence Lessig's keynote on the "Future of IDeas" was really interesting, even if his famous presentation style suffered through two projector outages and a light outage. His talk more or less expounded on the notion of needing an identity metasystem for the internet, and the need for us to do something before the government steps in after some kind of internet calamity.

But the session that generated the most discussion between me and my colleagues was Roberta Witty's session on User Provisioning (or UP, as Gartner calls it). While fairly informative for the lay attendee, she made two statements that were a little controversial (at least for us UP geeks).

"Provisioning is an interim solution"
The above is what I actually saw an attendee at the session writing in her notebook. In her session, Roberta said that the emergence of Web Services and SOA architectures would mean that the need for provisioning would start to disappear, as soon as 2010. Now, those of us in the provisioning space have long been saying that the emergence (hopefully) of the SPML standard would definitely eliminate costly provisioning connectors. We have also been saying that externalizing identity data, authorization and security will also lead to a lesser need for provisioning in automated, role-based or attribute-based scenarios.

However, the fact is that provisioning systems add a whole business layer on top of IAM (see my previous post: 'Ask Dr. K: The IdM Elevator Pitch') that will not disappear. As long as businesses need operational flexibility and agility, the need to support ad-hoc, request-based access provisioning will not go away, and that is where provisioning systems will continue to play an important role. The compliance benefits of control attestation (in addition to access attestation), SoD enforcement and workflow will continue to require a management layer on top.

"Role Management will become the focal point for Compliance"
The second point she expounded on was her view that role management systems will become the central point of compliance shortly. Her view is based on her opinion that since role mining tools need to have information about access privileges in order to discover privilege patterns as roles, they are ideally placed to do compliance activities like attestation and SoD policy violation detection. Again, the point is a little skewed. And I don't say this because I have a provisioning bias. I am, in fact, also involved heavily in Oracle's role management strategy.

Yes, role management systems (more accurately, role mining systems) have this kind of data in their repositories, but so do provisioning systems. One of the first usages of provisioning systems in compliance-driven enterprise environments is the deployment of reconciliation connectors to pull in the "who has what" information. This includes not just the names of accounts that users have, but fine-grained entitlement information as well. And the capabilities of provisioning systems (well, at least ours) in this area are long established, with a lot of sophistication built into the reconciliation capabilities. Most role mining systems are limited to flat-file based data imports. In fact, some of the bigger role mining products build "integrations" with provisioning systems to obtain the privilege information from the provisioning systems instead of having to go to the target systems themselves, and they tout this as a key capability.

It is also important to keep in mind that BRM (business role management) systems are just like provisioning systems in that they don't need to pull all access data into their realm of scope for their operation. It is almost never the case that enterprise roles are defined based on the access that users have in all systems. In fact, it is usually a much smaller set of systems than provisioning systems typically have to deal with, especially if you want the mining operation to have a chance of succeeding. Provisioning systems are often key to helping the enterprise clean up access privileges in preparation for role mining projects, by providing attestation and "who has what" reporting to enable the removal of unnecessary access. Project managers of IdM deployments know not to go near role mining until access cleanup has occurred.

On a happier note...
I will say that I didn't disagree with everything I heard at Gartner. In his keynote, Neil McDonald of Gartner talked about ERP becoming the "new center of gravity for IAM", making ERP players like Oracle very important in the IdM space. Now I can't really disagree with that view, can I?

December 15, 2006

How good are our passwords?

Wired News (which I read assiduously) had a pretty interesting article in their "Security Matters" section recently that talked about an analysis done of MySpace account passwords ("MySpace Passwords Aren't So Dumb"). It makes for a pretty interesting read, so check it out. While you are at it, check out whether you have a password that falls into the list of "most common passwords". Particularly interesting to me was the following statement:

Another password study in November looked at 200 corporate employee passwords: 20 percent letters only, 78 percent alphanumeric, 2.1 percent with non-alphanumeric characters, and a 7.8-character average length. Better than 15 years ago, but not as good as MySpace users. Kids really are the future.

Makes you think, doesn't it? Why is it that corporate passwords are weaker than the passwords teens use to protect their MySpace accounts? Does it point to the perceived value of these accounts to their owners, the lack of a sense of ownership, or the same old issue of "too many passwords"?
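The quoted study reduces a password dump to a few figures: the share of passwords that are letters only, alphanumeric, or contain a non-alphanumeric character, the average length, and (from the MySpace analysis) hits against a "most common passwords" list. The following is an added example, not code from the original post or from the Wired article, showing how such a survey is computed and why the buckets matter to an attacker. The sample passwords and the "common passwords" list are constructed for illustration; the treatment of digits-only strings and the ASCII-only character classes are assumptions, since the study does not say how it handled them.

```python
"""Password-composition survey in the style of the study quoted above.

Added example; not from the original post or the Wired article. The sample
passwords and COMMON_PASSWORDS below are constructed for illustration.
"""
from __future__ import annotations

import math
import string
from collections import Counter
from dataclasses import dataclass

# Constructed sample, standing in for a dump of corporate passwords.
SAMPLE_PASSWORDS = [
    "password", "letmein", "welcome", "sunshine",   # letters only
    "oracle06", "summer2006", "abc123", "qwerty1",  # alphanumeric
    "Tr0ub4dor&3", "P@ssw0rd",                      # non-alphanumeric
]

# Constructed stand-in for a published "most common passwords" list.
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "abc123", "letmein"})

ALNUM = set(string.ascii_letters + string.digits)


def composition_class(pw: str) -> str:
    """Bucket a password into the three classes the quoted study uses.

    Anything containing a character outside [A-Za-z0-9] is "non-alphanumeric";
    pure letters are "letters only"; everything else (including digits-only
    strings, an assumption) is "alphanumeric".
    """
    if any(c not in ALNUM for c in pw):
        return "non-alphanumeric"
    if pw.isalpha():
        return "letters only"
    return "alphanumeric"


def brute_force_bits(pw: str) -> float:
    """Search space an attacker faces knowing only which character classes
    appear: len * log2(alphabet size). ASCII classes only (assumption)."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)  # 32 printable ASCII symbols
    # Any other characters (non-ASCII etc.) each widen the alphabet by one.
    alphabet += len({c for c in pw if not (c.isascii() and c.isprintable())})
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


@dataclass
class Survey:
    count: int
    class_share: dict[str, float]  # percent of passwords per bucket
    average_length: float
    common_hits: list[str]         # passwords found in the common list
    average_bits: float            # mean brute-force search space


def survey(passwords: list[str], common: frozenset[str] = COMMON_PASSWORDS) -> Survey:
    """Compute the same figures the quoted study reports, plus the
    average brute-force search space and the common-password hits."""
    if not passwords:
        raise ValueError("empty password list")
    n = len(passwords)
    buckets = Counter(composition_class(p) for p in passwords)
    return Survey(
        count=n,
        class_share={k: round(100.0 * v / n, 1) for k, v in sorted(buckets.items())},
        average_length=round(sum(len(p) for p in passwords) / n, 1),
        common_hits=sorted(p for p in passwords if p.lower() in common),
        average_bits=round(sum(brute_force_bits(p) for p in passwords) / n, 1),
    )


if __name__ == "__main__":
    result = survey(SAMPLE_PASSWORDS)
    for bucket, share in result.class_share.items():
        print(f"{bucket:>17}: {share:5.1f}%")
    print(f"average length: {result.average_length}")
    print(f"average search space: {result.average_bits} bits")
    print(f"in common list: {', '.join(result.common_hits) or 'none'}")
```

The search-space column is what turns the study's percentages into a risk statement: an eight-character letters-only password (about 37.6 bits if all lowercase) sits in a space an offline cracker exhausts quickly, while the same length drawn from all four ASCII classes (about 52 bits) costs roughly 2^15 times as much work. Run it over a real dump (one password per line) by replacing SAMPLE_PASSWORDS with the file contents.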

It would be interesting to see if there is a similar study on the complexity of SSO passwords. Let me know if you happen to come across one.

December 19, 2006

The Gartner Summit was a Good Primer on IAM

I usually don't expect too many replies to postcards (real world or blog) that I write, so I was pleasantly surprised to see the discussion my post about the Gartner summit generated. The lively discussions regarding the part roles play in compliance were definitely expected. What I was not expecting were the few emails I received from people asking me if I didn't like the Gartner conference.

Not sure how I managed to get that perception out there. In my post I made no judgments about the conference; I merely made a specific comment regarding its format and content, and touched on a few topics that generated a lot of discussion at the blackjack tables (which was probably good because if I was paying attention to the game, I probably would have lost money).

The perception of a conference can only be judged by what you, the attendee, are looking to get out of it. My (personal) interest in these conferences is that of someone trying to gain a deeper understanding of the space, especially its future. From my standpoint, the Gartner Summit concentrated on delivering a good primer in identity management - IAM 101, if you will. So if you were looking for a conference that would help you understand what IAM is, Gartner was the place to be. If you wanted to delve into the weeds and understand, say, the impact the net neutrality debate would have on identity and privacy, you probably weren't going to find any sessions covering that. That was the essence of my comment.

Given that this was Gartner's first conference, I actually think that they did a good thing by going back to basics. More than anything else, the request I get from prospects I am brought in to talk with is for an IdM reference architecture. The kind of customer that understands IAM is actually quite rare, and there is a lot of misinformation out there. There are a lot of companies starting projects that are looking for a map to help them navigate the morass we call Identity and Access Management. And a number of them were at this conference. Analysts like Burton and Gartner do a pretty good job of providing just such a sitemap through their research. Gartner brought that same approach to the conference. They did a pretty good job of creating sessions that explained the basics of IAM.

While the conference may not have been as technologically enlightening for us (so-called) identity experts, it hit the mark in terms of its target audience - the customer who wants to understand the solutions available today that can help them solve their needs. Which is, in turn, valuable to me, a member of the IdM vendor and (self-professed) identity geek community, because it helps keep me grounded in reality. It reminds me of the questions people I am creating solutions for are asking and what they actually care about. It was telling that the sessions with the highest turnout were the ones that explored the basic tenets of IAM - role management, provisioning, authentication (and, judging from the talk around the resort, authorization will be joining in soon).

It will be interesting to see how Gartner establishes the identity (pun intended) of this conference among the Catalysts, DIDWs, RSAs and IIWs of the IdM world. And I expect they will find a place to accommodate some of the more esoteric and cutting-edge discussions that I personally am interested in.

I'm still making sense of all the discussions I got into regarding roles and compliance. As soon as I wrap my head around it, I will bring you into it. Stay tuned.

About

Nishant Kaushik

An exploration of the world of Identity Management with me, Nishant Kaushik, architect for IdM products at Oracle.


About December 2006

This page contains all entries posted to Talking Identity in December 2006. They are listed from oldest to newest.
