
September 2007 Archives

September 5, 2007

Identity as a Service picking up steam

Seems like the IDaaS concept (as Forrester has named it) is starting to gain some traction in the identity-related discussions out there. First there was the Forrester blog post that I mentioned a few weeks ago. Now, Dave Kearns has talked about the roadmap to identity services in this week's NetworkWorld Security newsletter. In it, he talks about a possible roadmap that enterprises interested in deploying identity services can follow. The roadmap he outlines sort of goes like this:

Virtualized Identity Store -> Provisioning System -> Role Management -> Entitlement Management -> Context-based Access

I can't really argue with this high-level path. It is fairly logical, though some elements of it can be commingled, and some could argue that role management and provisioning can be flipped (though my experience would say that doing role management before provisioning seems to be the exception that proves the rule). The path is primarily set up by the need to incrementally clean up and improve your enterprise's identity situation over time, and the earlier parts of the roadmap are dominated by the tools that can help you put some structure in place on which to do some of the more advanced stuff (like fine-grained entitlements).

As another sign of the growth of interest in IDaaS, I will be speaking about Identity as a Service at two different venues this month. First, I will be giving a talk on "Understanding Identity as a Service" at the Jericho Forum conference in New York on September 11, part of the Infosecurity NY conference. The Jericho Forum is an international IT security thought-leadership group that focuses on key IT security issues. The concept of Identity as a Service fits in nicely with the Jericho Forum's focus on "de-perimeterization" in enterprise architecture.

Then later this month, I will be speaking on "Externalizing Identity" at the annual Digital ID World conference in San Francisco (Sept. 24 - 26). My talk is scheduled for the end of the day on Tuesday (9/25), so I am going to have to figure out a way to make it entertaining and relevant. At this session, I will present my view on a roadmap that we as an industry need to adopt to make identity services a reality.

<aside>
Interestingly enough, I had to avoid using the term Identity as a Service in the title for my DIDW session because of the ongoing terminology issue with that moniker. The DIDW folks use it in the SaaS context, and even have a panel titled "Identity as a Service - Is IdM as SaaS here?" on Monday.
</aside>

Hopefully all of this is a sign of things to come, as both vendors and enterprises realize the moves they need to make in rationalizing the very nature of digital identity.

September 6, 2007

Oracle acquires Bridgestream

So the worst-kept secret in IAM history is officially out. Oracle yesterday issued a long-awaited press release announcing the acquisition of Bridgestream in the Role Management space. Of course, if you have been anywhere near an internet-connected computer, you'd have seen everybody and their mother blog about this. And some of the buzz has been quite interesting, which I will touch on in a later post.

To many, an acquisition in the ERM (Enterprise Role Management) space was inevitable. ERM has gone from cutting-edge darling of the analyst crowd to a must-have IAM solution fairly rapidly. I have myself blogged about the importance of roles in any IAM architecture a number of times. By acquiring Bridgestream, Oracle is adding their SmartRoles and SmartRoles Discoverer products to our industry-leading IdM portfolio.

Relationship-based (aka Contextual) Roles
When it first came out, Bridgestream SmartRoles introduced the interesting notion of relationship-based roles to the market. Providing a solution for the top-down approach to role engineering, the product allows customers to model a myriad of entity relationships (between such diverse entities as people, organizations, processes, projects and business resources), and then express roles as a traversal of the resulting relationship graph. Of course, this is not to imply that it doesn't handle the more mundane roles we are all accustomed to, which are simply containers of people and privileges. But their ability to model roles on real-world relationships that help solve real-world use cases is really what sets them apart from the field. SmartRoles also supports a number of other interesting features, including temporal views of the relationship graph that provide a time-sensitive answer to the role membership question.

SmartRoles
SmartRoles also supports the much-needed separation between Enterprise Roles and Local Roles (or Business Roles and IT Roles, as Bridgestream calls them). This provides a necessary abstraction between the business side of the enterprise and the security-focused application side of the enterprise.

These features allow them to support some really interesting RBAC scenarios that rely on complex cross-functional project relationships, as well as role-based provisioning that takes the location of both people and resources into account, and complex approval scenarios. The BSI relationship with Oracle started with the relationship that was initially established between Thor's Identity Manager product and SmartRoles, providing a powerful role-based provisioning solution to customers.
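To make the relationship-graph idea concrete, here is an added example (my own illustration, not Bridgestream's or Oracle's code) of a business role defined as a path of relations through a small constructed graph, evaluated against a date so that expired memberships drop out, and then mapped to the IT roles that provisioning would hand out. All entity names, relation names and role names are assumed for the illustration.

```python
from datetime import date

# Constructed sample relationship graph (not real Bridgestream data):
# (subject, relation, object, valid_from, valid_to); valid_to None = open-ended.
EDGES = [
    ("alice", "member_of", "proj-apollo", date(2007, 1, 1), date(2007, 12, 31)),
    ("alice", "member_of", "org-finance", date(2005, 6, 1), None),
    ("bob", "member_of", "proj-apollo", date(2007, 9, 1), date(2007, 9, 30)),
    ("carol", "manages", "proj-apollo", date(2006, 1, 1), None),
    ("proj-apollo", "uses", "res-ledger-db", date(2007, 1, 1), None),
    ("org-finance", "owns", "res-ledger-db", date(2005, 1, 1), None),
]

# Business (enterprise) roles expressed as a path of relations that must reach
# a target node, mapped to the IT (local) roles they grant. Names are assumed.
BUSINESS_ROLES = {
    "ledger-analyst": {"path": ["member_of", "uses"], "target": "res-ledger-db",
                       "it_roles": ["LEDGER_DB_READ"]},
    "ledger-owner": {"path": ["member_of", "owns"], "target": "res-ledger-db",
                     "it_roles": ["LEDGER_DB_ADMIN", "LEDGER_DB_READ"]},
    "apollo-approver": {"path": ["manages"], "target": "proj-apollo",
                        "it_roles": ["APPROVE_APOLLO_ACCESS"]},
}

def _active(start, end, as_of):
    """An edge counts only if it is valid on the evaluation date."""
    return start <= as_of and (end is None or as_of <= end)

def neighbors(node, relation, as_of):
    """Objects reachable from node over one active edge of the given relation."""
    return {o for s, r, o, start, end in EDGES
            if s == node and r == relation and _active(start, end, as_of)}

def holds_role(person, role_name, as_of):
    """Walk the role's relation path; the target must be reachable on as_of."""
    role = BUSINESS_ROLES[role_name]
    frontier = {person}
    for relation in role["path"]:
        frontier = {n for node in frontier for n in neighbors(node, relation, as_of)}
        if not frontier:
            return False
    return role["target"] in frontier

def it_roles_for(person, as_of):
    """Resolve a person's business roles on a date into IT roles to provision."""
    granted = set()
    for name, role in BUSINESS_ROLES.items():
        if holds_role(person, name, as_of):
            granted.update(role["it_roles"])
    return sorted(granted)
```

Evaluating `it_roles_for("bob", date(2007, 10, 15))` returns an empty list because bob's project membership edge expired on September 30, which is the temporal view answering the membership question.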

Role Discovery
Bridgestream has also made a move into the role mining area with the introduction of its SmartRoles Discoverer product. SmartRoles Discoverer complements SmartRoles' top-down approach by offering companies a bottom-up methodology to kick-start their role management implementation. It provides capabilities to mine data sets from diverse sources and discover useful and meaningful roles. But role mining and verification aren't enough, so SmartRoles Discoverer also uncovers rules and policies to govern these roles. These candidate roles, along with the discovered rules and policies to govern them, can then be exported into SmartRoles for deployment.

SmartRoles Discoverer
Adding this capability to its suite allows Bridgestream to provide a complete end-to-end process-based solution for role lifecycle management to the market.

The Future
Over time, Bridgestream's advanced role discovery and modeling capabilities will be combined with Oracle Identity Management's access provisioning and enforcement tools. So while it will still be possible to buy a pure role management product, the real value will come from the SmartRoles product (which will no doubt be renamed following the standard Oracle formula at some point) providing a richer role environment for the OIM and OAM product lines to base their capabilities on, giving customers a comprehensive solution that covers all the bases.

You can get a lot of information about the acquisition and its value (including FAQs and white papers) here.

September 12, 2007

Redefining the enterprise security perimeter

Yesterday I got to speak at an interesting conference hosted by the Jericho Forum. I talked about them in a post last week, but after spending some time with executives of the group and listening to them speak at the conference, I have a better understanding of their goals. They are noble goals, and like all things noble, they are going to be hard.

The members of the Jericho Forum are senior information security managers from large organizations like Boeing, ICI and Standard Chartered that have reached the conclusion that the state of security today is fundamentally at odds with the business needs of their organization. Innovation and security have become mutually exclusive, which has resulted in traditional security mechanisms becoming increasingly complex, flawed and vulnerable. The goal of the forum is de-perimeterisation (a lot of speakers stumbled on trying to pronounce that one), which some analysts and press folk have interpreted to mean the removal of the security perimeter and the death of firewalls. But that is way off-base.

As the forum members are fond of saying, the current idea of concentrating all security at the network perimeter has created an enterprise environment that looks like a single hard shell around a soft chewy center (an analogy that was used so much during the day that I developed a hankering for some Ferrero Rocher). Their idea is to bring security closer to the data and the services it is trying to protect, so that corporate networks can be safely opened up to customers, suppliers, partners and, essentially, the internet. They are looking to influence the development of security standards and produce blueprints for enterprise architectures that will make this possible.

It was in this context that I talked about Identity as a Service. The idea of externalizing identity into a service layer in enterprise architecture seemed to resonate with the group. It makes identity a key security artifact on which to base security decisions wherever they need to be made, making it possible to build security at the network perimeter, at the application perimeter, or even at the data store perimeter. At the same time, it provides centralized management of security policies and scalable management of the massively distributed identity data that is part of this architecture. I was actually able to pull together a slide that mapped the fundamentals of de-perimeterisation to the fundamentals of IDaaS.

It was kind of cool to be part of a speaker lineup that included Bill Cheswick, a firewall pioneer from his days at Bell Labs, and Carl Ellison of Microsoft. The Jericho Forum is quite well known in Europe (where most of their members come from) but is relatively unknown here in the States, and this conference was a good first step towards introducing them to the US market. They are a good group to get involved with if you are passionate about enterprise architecture. And they make everything that they produce available for free on their website, where you can also get all the presentations that were given yesterday, including mine (I have also provided a direct link to mine on my Speaking Engagements + Media Library page).

September 18, 2007

Oracle in Gartner's Leaders Quadrant for User Provisioning

A lot of people wait with bated breath for Gartner's Magic Quadrant reports on various technologies to come out. And in a relatively new and evolving space like user provisioning, the report carries even more weight in influencing the consumer base. Gartner just published their report on User Provisioning, and for the second year in a row Oracle (with its Oracle Identity Manager product) is firmly ensconced in the Leaders quadrant.

Gartner Magic Quadrant for User Provisioning, 2H07
Interestingly, Oracle has pulled ahead of other vendors on "Completeness of Vision". That is reflective of the strong leadership that exists within Oracle's identity management group right now. It also reflects a lot of the innovation going into the vision for Fusion architecture and Application-Centric IdM. This is important considering the strong competition we face in the UP market (Novell and Courion just entered the Leaders quadrant in this report with some strong product offerings).

There is no intention within the team to rest on our laurels, and we have some really cool things planned for the Oracle Identity Manager product that will take it to the next level. You will start seeing these over the next few releases, so stay tuned to this blog for more on that.

You can read the report here.

September 24, 2007

Digital ID World kicks off with the cry: Free Identity!

You know you are at a good conference any time your keynote address throws up a picture of Neo (from The Matrix) on the screen.

That's exactly what Doc Searls did during a typically humorous and thought-provoking keynote roughly titled "The Decentralization of Identity" (actually re-titled in real time based on Phil Becker's opening keynote). He used Neo as representative of the consumer community in the marketplace: the ones whose identities are not in their control and who don't have "choice" when it comes to the management and security of their identity data.

If there was one theme to the opening keynote addresses (by Phil Becker, Doc Searls and Kim Cameron), it was that the nature of identity needs to change, freeing it from the silos and walled gardens it is currently imprisoned in. They spoke of the need to redesign our approach to how identity data is used and managed. Doc Searls spoke of the need to get away from the notion of owning someone's (your customers') identity, and moving from CRM systems to something he called VRM (Vendor Relationship Management) systems. As someone in the identity community, I completely understand the sentiment behind that; as a cog in the Oracle juggernaut, I have to be cautious about any cries of "Death to CRM" :-)

Kim Cameron took his discussion of claims-based identity management (authentication and authorization) to the next level. In a headline-capturing display, he introduced a term called "Legonics" (a fusion of Lego and Electronics) as a new way of building applications by putting together pieces from componentized modules. Sounded an awful lot like a combination of SOA and Identity as a Service to me. But the demonstration on stage of a Lego robot that was controlled by claims illustrated his point quite well.

I am glad that the talk I will be giving tomorrow at DIDW fits in nicely with this emerging conference theme of freeing identity from the application silos it lives in. Building on the session I did at the Jericho Forum, my session on "Externalizing Identity" will present a roadmap for how applications will get re-architected to allow decentralization of identity in the manner that Phil and Doc are referring to. I say roadmap because I believe in transition, not quantum leaps. Enterprises want an approach that leverages the hefty investments they have already made in IdM infrastructure. And the identity equation has too many colliding imperatives for a simple solution (at least today). The real solution will come from a partnership between the IdM vendors, the application vendors and the consumer enterprises, as they all accept that identity is an asset and not a commodity.

If you are at Digital ID World, look me up. Or come by my session tomorrow evening at 4pm. It's the last session of the day, so I promise not to make it too heavy. But it should be interesting.

About

Nishant Kaushik

An exploration of the world of Identity Management with me, Nishant Kaushik, architect for IdM products at Oracle. More...


About September 2007

This page contains all entries posted to Talking Identity in September 2007. They are listed from oldest to newest.
