By Nishant Kaushik on January 13, 2008 1:23 AM
OpenID Busting Out
The news this week that Google, IBM and Verisign are looking to join the OpenID Foundation could prove to be the last piece of the puzzle in the push to make OpenID mainstream. Reaction to the news has been overwhelmingly positive. But I am starting to get bothered by one thing. I recently read Johannes' post about Flickr (owned by Yahoo) becoming an OpenID provider. This means that all Flickr users now have OpenIDs.
Isn't the idea behind OpenID to get to the point where I have one identity for the internet? By my reckoning, in a few years, the number of OpenIDs I have will be in the low 30s, since every service I am signed up for wants to be my OpenID provider. It doesn't matter if I only choose to use a few of those; the others are still out there, potentially open to abuse. I can configure whether my email service supports POP3 access or not. Shouldn't I be able to do the same with regard to whether my account is turned into an OpenID?
The Social Graph Needs Context
Last week, I read with great interest the saga of Scoble's Facebook account. That led to a lot of discussion in the blogosphere about who owns the social graph, and how the social graph should be made part of an open initiative, freed from the silos (Facebook, Plaxo, MySpace, ...) in which it is currently "imprisoned". But there was something about this whole dialogue that unnerved me.
And then Burton's Bob Blakley brought his usual rational voice to the discussion. The idea of the open social graph bothered me most because by its very nature it ignores the context within which my graph was created. As Bob points out, the relationships were created within the world of a particular application that supplied context and associated controls for those relationships. I have a social graph in LinkedIn and a social graph in Facebook. Do they overlap? For the most part, no. And I don't want them to overlap either.
The idea that you can take my contact information from Facebook and move it to another application just because we have a relationship in Facebook is a violation of my privacy. It is no different than if people who I gave my business card to in the context of a particular business meeting decided to put all that information into some online application like MySpace. It just feels wrong. Relationship-Centric IdM anyone?
Oracle Hits The Identity and Security Road
And now for some Oracle news. For those interested in finding out more about where we are headed, Oracle is setting out on a 10-city roadshow to discuss key trends in information security, identity management, emerging standards, and technology advancements. Starting at the end of this month, Oracle experts will be joined by leading security analysts Gartner and Burton Group, along with other industry solutions experts. You can find out more about the Information Security Symposium here.
By Nishant Kaushik on January 29, 2008 1:40 PM
This is the time of year when everyone rolls out their start-of-the-year predictions. You can see a couple of those here and here. I especially loved Anshu Sharma's take on this popular beginning-of-the-year routine.
Predictions are risky business, especially in the slightly schizophrenic world of IdM. On the one hand, things tend to move way too slowly; on the other hand, things emerge out of nowhere to take center stage. So I tend to shy away from making predictions. But I will talk about what I hope to see happen in the coming year. These are not impractical, fantasy wishes that will require me to find a magic lamp buried in the sand. These are things that have a good chance of happening if we as an industry stay focused.
Integrating Risk Management with Identity Management
Recent events have brought to light the need to build comprehensive integration between risk management and identity management software. Oracle's acquisition of Bharosa last year was a response to marketplace demand to bring more context into the identity management process. There is a better understanding of the complex heuristics that need to become part of identity management decisions, and how to encapsulate them as workflow and rules. The coming year should bring more tools and more capabilities in these areas.
For the longest time, people would talk about integration in the context of product suites. The focus will now shift to integration in the context of pre-canned and pre-defined solutions and workflows.
Role Management Comes Into Its Own
Over the last couple of years, we have seen Role Management become an established part of identity management. But its real value will be realized when it stops being an explicitly deployed and managed part of IdM (a la access management) looking for consumers, and evolves into a business tool that is deployed within the enterprise context of provisioning, entitlement management and ERP. A number of other folks have already challenged vendors to do this, and hopefully a lot of work going on in this area will come to fruition.
The Evolving Identity Framework
There are a couple of things I hope to see happen this year that will help us move towards our ultimate vision of how identity is used.
- The Identity Services message has been very well received every time I have presented it. In the last year I met a number of individuals, like the folks from the Jericho Forum, the Concordia project, and a number of people at various conferences, who are really committed to changing how Identity becomes part of application development and deployment frameworks. Hopefully the coming year will see some concrete progress made in defining the necessary framework architecture that will enable the externalization of identity from applications.
- We have seen everybody and their mother make moves to become OpenID Service Providers, especially the big identity silos. Hopefully this year will see an explosion of services that are OpenID Relying Parties, including some of those same big players. The real adoption of OpenID will come not from the glut of OpenID SPs, but from the widespread availability of services that accept OpenIDs and do not require registration and username/passwords.
- I also hope to see someone take the Identity Oracle concept and create a viable business out of it. It may not explode right away, but it will start to emerge. It seems obvious that the easiest place for this to happen is in social networking applications like Facebook. They already hold a lot of identity information that they then serve to other applications (those annoying, currently non-critical Facebook apps that clutter everyone's profile). Putting in place more controls on how my information is shared and with which apps, and then opening the walls to outside applications would be a logical progression in the evolution of identity providers for internet applications. I also hope to see the Identity Governance Framework become part of such a control framework in any Identity Oracle.
And then hopefully at the start of 2009 I will be commenting on my hopes for the acceptance of internet identity framework tools within the enterprise.
Your Hopes
What are your hopes for the coming year? Leave a comment, or email them to me, so that we can add them to this list. and hopefully take notice.