
May 2007 Archives

May 2, 2007

"Identity" is far from an understood concept

As usual, it has taken a while for me to resurface from my latest
conference stint. Not because I overextended myself while in Vegas for
Collaborate. That only warrants a few days. No, the real reason is that
being offline from work for just a few days means loads of catching up
to do. And there is a lot of work going on in the IdM team, especially
related to Fusion, which was all the talk at Collaborate.

Discussions on Identity at Collaborate

Not surprisingly for a user group conference, the
overwhelming majority of questions I fielded at Collaborate pertained
to how IdM fits into the Fusion vision for applications. People from
various strata of the applications universe were trying to understand
this at a very basic level. But what complicated the discussions was
the fact that people are still not clear on what we mean when we talk
about "Identity". In fact, I even got someone asking me if identity
management was similar to UDDI! While I certainly wasn't expecting
people at the conference to have a deep understanding of identity
management, that one threw me for a loop.

The Challenge

Recently, Johannes Ernst asked members of the
Internet Identity Workshop how they would explain to an identity
neophyte and non-technologist "why identity is important". The spirited
discussion led to the rather generic, but all-important, conclusion
that identity provides context that enables you and your consumers to
do business the way you want to. Doing business the way you want
encompasses issues of trust, transparency, convenience, security,
privacy and community. As context changes based on the business domain
you are talking about, so does the definition of identity.

Our Focus: Enterprise Identity

The focus of our group has been on that specific
version of digital identity that we refer to as Enterprise Identity.
Enterprise Identity covers those aspects of your digital representation
within the enterprise environment that the enterprise needs to manage
or delegate management of. So in that context, Enterprise Identity
covers personally identifiable information (PII), roles, relationships,
accounts and related access, physical assets and
privileges/entitlements. The diagram below illustrates this basic
definition.

Identity in Fusion

One of the
things that constantly comes up in any discussion of Fusion is a debate
around where identity data ends and application data begins. PII and
some aspects of roles and relationships today reside most commonly
within the domain of HR applications. On the other hand, application
environments like retail applications consider this application data.
Entitlement management has traditionally been within the application
domain. And we know how much of a mess any discussion of roles ends up
being.

In a SOA-based enterprise architecture, this
kind of ambiguity is a recipe for chaos. And as identity has become an
important component of application business logic, businesses are being
forced to empower end-users via self-service and delegated
administration capabilities to make their architectures scalable and
practical. This requires the view of "one identity" for a user in
Fusion, so that users have one place to go in order to manage their
identity in the enterprise. That is the central idea behind the
campaign for "identity as a service" and its inclusion into Fusion
architecture via a middleware service called Fusion Identity
Management. This was what I introduced in my session at Collaborate,
and if you missed it, well, there's always OpenWorld :)

In the meantime, it would be interesting to hear
from people in the applications community what they feel identity
management in Fusion means to them. So start sending me those comments
and emails.

May 8, 2007

Defining "Identity as a Service"

What exactly do we mean when we say Identity as a Service? Recent discussions have made me realize that not everyone has the exact same definition of this term, and it can cause a great deal of confusion when discussing the subject.

Identity as a Service refers to the notion of making identity management capabilities available as an infrastructure service to all applications in a SOA environment. This enables enterprises to make identity a transparent, ubiquitous part of their applications (in this context, it is important to remember what we mean by identity; see my previous post), while maintaining consistency in the 4 A's of identity management - Authentication, Authorization, Administration and Auditing.



Identity as a Service enables the creation of an Enterprise Identity Layer that is the platform on which all identity-enabled enterprise applications are built. This is especially interesting for us at Oracle in the context of Fusion, where the vision is for customers to have a unified, seamless and intuitive way of managing identities across their entire Fusion deployment.

So What Does It Entail?

Oracle is hard at work trying to define the identity services that are needed for creating a true enterprise identity layer. There are some really good identity framework projects out there (Higgins, Bandit, OSIS) that focus on the core identity services needed for any identity-enabled application on the web - identity attribute sources, authentication (with identity selectors) and RBAC. These frameworks focus on the delivery of user-centric identity technologies and methodologies. But enterprise environments are far more complex and regulated, so the identity services needed are consequently greater in number and more sophisticated. Below is the high-level straw man we started our project with. It identifies what we believe are the services that an Enterprise Identity Layer needs to offer to the applications environment.



A Different Definition

Some folks I talked to at Collaborate pointed out that one of the reasons for their confusion has been the emergence of another definition for Identity as a Service. This definition comes to us courtesy of the world of Software as a Service. Wikipedia defines Software as a Service (SaaS) as a software application delivery model where a software vendor develops a web-native software application and hosts and operates (either independently or through a third party) the application for use by its customers over the Internet. Customers pay not for owning the software itself but for using it. They use it through an API accessible over the Web and often written using Web Services or REST.

In the SaaS context, Identity as a Service is actually used to describe a hosted identity management offering, very similar to hosted HR offerings (in fact, there are companies looking to provide the natural convergence of the two as a single offering). This is a natural outgrowth of the emergence of identity services, in that it requires the host to expose identity management capabilities to their customers as web services. Fischer International is a vendor that has really latched on to this definition in a big way (I think they have trademarked the acronym IaaS).

Whatever term we standardize on (Identity as a Service, Identity Fabric, Identity Layer), the move towards the delivery of identity capabilities as services in a SOA environment is the real story here. At Oracle we are working with our customers to define the Identity Services Framework that we believe is needed in enterprise environments. As always, your participation and input is welcome.

May 15, 2007

Second Life screams for an Internet Identity Layer

Second Life is an Internet-based virtual world developed by Linden Labs. It uses advanced virtual world technology to create what is, in essence, a highly sophisticated social networking application. Users of the system, called "Residents", can explore, meet one another, socialize, participate in individual and group activities, create and trade items (virtual property) and services. Today, Second Life is home to half a million residents, and everyone from Duran Duran and Wells Fargo Bank to the Department of Homeland Security has funded real estate here.

Why am I talking about this on my blog? Well, in a recent statement on their official blog, Linden Labs announced that it will be introducing an age and identity verification system. Residents will have to provide proof of identity (driver's license, passport or ID card) that asserts their identity as well as their legal participation in SL as an adult (above 18). SL states that

"The verification system will be run by a third party specializing in age and identity authentication. No personally identifying information will be stored by them or by Linden Lab, including date of birth, unless the Resident chooses to do so. Those who wish to be verified, but remain anonymous, are free to do so."

Yet More Proof (as if we needed it)

Well, if there ever was a shining example of why we need an identity layer for the internet, this is it. Linden Labs has made the decision that the existing information they have (credit card and Paypal accounts of residents) is not enough. They need full-fledged identity verification (including age information), presumably to protect themselves in an attempt to prevent cases of child abuse in their online world. But to provide sensitive PII credentials like a driver's license or passport? Concerns of identity theft are springing up all over (see Mitch Wagner's blog post on the subject).

The Theory

I would venture that most of the people accessing SL are sophisticated web users that have online banking accounts. My bank already took all the same information (driver's license, passport) when I opened my account with them. Wouldn't it be great if our banks could issue a signed identity assertion that I could take to SL that informs them of my being of legal adult age? I could access a special SL webpage using my bank-issued InfoCard, which allows SL to link up my account information to the fact that my bank asserted that I am legally an adult. And I don't have to worry about who might receive the scan or jpg I upload of my most sensitive documents.
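As an added example that is not part of the original post, here is the bank-issued assertion scheme the paragraph above sketches, written in Go with Ed25519 signatures standing in for whatever the InfoCard plumbing would use. The site only ever sees the signed predicate "over 18", never a date of birth or a document scan, and it checks the audience field so an assertion issued for SL cannot be replayed at another site. The issuer name, site names, pairwise subject id and one-hour lifetime are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AgeAssertion is all the bank signs: the predicate the site needs, not a date of birth or a document scan.
type AgeAssertion struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"` // pairwise pseudonym for this one site (assumed design)
	Audience string `json:"aud"` // the single site this assertion is meant for
	Over18   bool   `json:"over18"`
	Expires  int64  `json:"exp"` // Unix seconds; assertions are short-lived
}

// Issue is the bank side: serialize the claim and sign it with the bank's private key.
func Issue(priv ed25519.PrivateKey, a AgeAssertion) (payload, sig []byte) {
	payload, _ = json.Marshal(a) // a flat struct of strings, a bool and an int64 always marshals
	return payload, ed25519.Sign(priv, payload)
}

// Verify is the relying-party side: signature first, then parse, then audience (no replay elsewhere), expiry and predicate.
func Verify(pub ed25519.PublicKey, payload, sig []byte, site string, now time.Time) (AgeAssertion, error) {
	var a AgeAssertion
	switch { // cases run in order, so the payload is only parsed once the signature holds
	case !ed25519.Verify(pub, payload, sig):
		return a, errors.New("signature does not verify under the bank's key")
	case json.Unmarshal(payload, &a) != nil:
		return a, errors.New("payload is not a well-formed assertion")
	case a.Audience != site:
		return a, errors.New("assertion was issued for a different site")
	case !now.Before(time.Unix(a.Expires, 0)):
		return a, errors.New("assertion has expired")
	case !a.Over18:
		return a, errors.New("bank did not assert adult age")
	}
	return a, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed bank key pair, not a real issuer
	now := time.Now()
	payload, sig := Issue(priv, AgeAssertion{"bank.example", "resident-7f3a", "secondlife.example", true, now.Add(time.Hour).Unix()})
	_, atSL := Verify(pub, payload, sig, "secondlife.example", now)
	_, replayed := Verify(pub, payload, sig, "other.example", now)
	fmt.Println("presented at SL:", atSL, "| replayed at another site:", replayed)
}
```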

Similar Experiences Across The Web

I recently had the same experience at iStockPhoto, where I was trying to sign up as a user allowed to sell photographs I took. The "application" required me to upload a digital image of my driver's license to their website. This was a simple identity verification process that took on larger significance for me, because I had no way of gauging how well iStockPhoto would protect my information. I don't know if the image will be securely destroyed once age is verified, if it will be kept on a server (the backup DVD of which may end up falling out the back of a Fedex van somewhere), or who has access to see that image.

In the identity management community, it has long been understood that the most important, and difficult, part of the self-registration process is the identity verification process. Most websites never really require anything more than an email address that they know you own (verified through a simple email-based verification method). But as child protection regulations force more and more online sites to take the sort of step SL is taking, the issue of identity verification will become an even greater challenge. The only way to avoid the next wave of identity theft and phishing attacks is to get an identity layer in place, and motivate the right identity providers. The last part is probably key, as without incentive, no worthwhile identity provider (like banks) will be willing to take on the liability. SL states that

"Premium Second Life Residents will have access to the identity verification system for a nominal Linden Dollar fee as part of their subscription. Free-account owners (Basic membership) can pay a larger Linden Dollar fee for the service, can upgrade to Premium to access the system, or simply decline to verify their age and continue enjoying Second Life without access to adult content."

Maybe banks can charge their customers a nominal fee every time their identity is verified somewhere using a bank-issued identity selector (not that I am saying I want this model).

I can just see the email landing in my inbox one day. "Dear Second Life Resident, it has come to our attention that we do not have your age verification on file. Please click on this link to ..."

About

Nishant Kaushik

An exploration of the world of Identity Management with me, Nishant Kaushik, architect for IdM products at Oracle.


About May 2007

This page contains all entries posted to Talking Identity in May 2007. They are listed from oldest to newest.
