
March 2008 Archives

March 13, 2008

The Latest Wave of IdM Acquisitions

It's been a while since I blogged. Not that there aren't a wealth of topics to talk about, but because work here at Oracle has been keeping me so busy. The time right around a major product release (see my recent post about the release of OIM 9.1) is always busiest for me, because I get so heavily involved in the early planning stages of the next major release. And the next one is going to be a big one. More on that in a later post.

But I couldn't keep myself from commenting on the most recent wave of acquisitions in the identity space. Both have some interesting consequences for the identity management market.

IBM acquires Encentuate
First up is the acquisition of Encentuate, a provider of enterprise single sign-on (E-SSO) and strong authentication technology, by IBM (see the press release here). The big effect of this acquisition will be on customers who bought IBM's current offering in the eSSO space - IBM ITAM ESSO (that mouthful stands for IBM Tivoli Access Manager for Enterprise Single Sign-On). That product was based on an OEM of Passlogix's v-GO product suite. Obviously IBM cannot have two products in their stable doing the same thing, so the logical assumption is that over the next release or two, ITAM ESSO will shift from being based on the Passlogix technology to the Encentuate technology.

You can read the views of some folks on the acquisition here, here and here. I found Ian Yip's reaction most interesting, especially since he used to work at IBM. He pulled no punches in telling customers of ITAM ESSO what to expect, saying that in the future they will be forced into an upgrade that isn't really an upgrade:

"What marketing won't say is that the "upgrade" from 6.0 (based on Passlogix) to 7.0 (based on Encentuate) is essentially a rip and replace. There is no seamless upgrade. Sure, they'll probably offer some tools to "help", but the upgrade process will need professional services either from IBM Software Services or IBM Business Consulting Services because the single sign on templates will be completely different between the Passlogix and Encentuate products."
Ian thinks that IBM ITAM ESSO customers are the losers in the deal (along with Passlogix, who suddenly lost a revenue stream). However, it doesn't really have to be that way. Passlogix is also the OEM component in Oracle's E-SSO offering, Oracle Enterprise Single Sign-On Suite (something that Ian believes raised IBM's ire). So there is another option available to ITAM ESSO customers: instead of doing a rip and replace of ITAM ESSO with the next version of ITAM ESSO, do an upgrade of ITAM ESSO to Oracle eSSO Suite. Since both are built on the same Passlogix technology, the move should be far smoother than a rip and replace. And you get the added benefit of direct integration with Oracle Identity Manager, through the Oracle eSSO-Provisioning Gateway that Oracle ships.

Of course this sounds self-serving, and a bit simplistic, but it is also quite logical, and likely to be an approach that could save many an enterprise many a headache.

And IBM's move certainly serves as validation of the maturity and viability of E-SSO as a technology.

Microsoft acquires Credentica
Next is the acquisition of Credentica by Microsoft. Credentica's U-Prove technology tightens up the security of identity transactions by decoupling the parties involved, so that no more identity data is transmitted or usable than the transaction needs, without sacrificing the authenticity of anything involved in the transaction. It uses public-key cryptography to secure the authentication and identity data flow between an Identity Provider (Issuer) and a Service Provider (Verifier) in a user-centric manner. The big claim of the technology is enforced minimal disclosure of identity data: the user proves only the properties the Verifier needs (the "zero-knowledge" proofs often cited for privacy) instead of handing over the whole record.

In layman's terms, the U-Prove technology claims to provide people a way to disclose personal information in a manner that does not threaten their privacy, or expose them to identity theft. It also limits the disclosure of information to unintended parties, preventing accounts from being linked across different service providers. Kim Cameron does an excellent job of explaining (and making a case for) all this on his blog.

Everyone is talking about the ability of U-Prove to immediately provide a privacy layer to Microsoft CardSpace that it previously lacked. The way that managed cards work, the IdP sees every token request it fulfils on behalf of the user, and can build up a profile of the user's activity from those requests. Minimal disclosure tokens make the token presented to the SP unlinkable to the issuance that produced it, so the IdP cannot tell where, or even whether, the tokens it issued are being used, and is left with nothing to aggregate.

To understand more, read this article in eWeek's Microsoft Watch.
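To make the two properties concrete (the Verifier sees only the attributes the user chooses to open, and the Issuer cannot match what the Verifier receives to anything it signed), here is an added, simplified stand-in written for this page. It is not U-Prove, whose construction is discrete-log based, and not Credentica's or Microsoft's code: it combines salted hash commitments per attribute with a Chaum RSA blind signature over the token digest. The issuer key (toy-sized Mersenne primes), the attribute names and values, and the issuer log are all constructed assumptions for the example.

```python
"""Minimal-disclosure token with issuer-unlinkable issuance.
Added illustration, not U-Prove and not any vendor's code.
Construction: salted hash commitments (selective disclosure) +
Chaum RSA blind signature (issuer cannot link issuance to presentation)."""
import hashlib
import math
import secrets

# Toy issuer key: two Mersenne primes, ~150-bit modulus. ASSUMPTION for the
# example only; real deployments need >= 2048-bit keys and a full-domain
# hash with padding, not the raw textbook RSA used here.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # E is coprime to (P-1)(Q-1)


def h_int(data: bytes) -> int:
    """Hash to a 128-bit integer, which is always below the modulus N."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def commit(name: str, value: str, salt: bytes) -> str:
    """Salted commitment to one attribute; reveals nothing until opened."""
    return hashlib.sha256(salt + name.encode() + b"=" + value.encode()).hexdigest()


def user_build_token(attrs: dict) -> dict:
    """User side: commit to every attribute, then blind the token digest."""
    salts = {k: secrets.token_bytes(16) for k in attrs}
    commitments = sorted(commit(k, v, salts[k]) for k, v in attrs.items())
    m = h_int("|".join(commitments).encode())
    while True:                              # blinding factor coprime to N
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N
    return {"attrs": attrs, "salts": salts, "commitments": commitments,
            "r": r, "blinded": blinded}


ISSUER_LOG = []   # everything the IdP observes during issuance (constructed)


def issuer_sign_blinded(blinded: int) -> int:
    """Issuer side: signs the blinded value, never seeing m or the commitments."""
    ISSUER_LOG.append(blinded)
    return pow(blinded, D, N)


def user_unblind(state: dict, blinded_sig: int) -> int:
    """(m * r^E)^D * r^-1 == m^D, a plain signature on the unblinded digest."""
    return (blinded_sig * pow(state["r"], -1, N)) % N


def user_present(state: dict, sig: int, disclose) -> dict:
    """Open only the requested attributes; the rest stay opaque commitments."""
    opened = {k: (state["attrs"][k], state["salts"][k]) for k in disclose}
    return {"commitments": state["commitments"], "sig": sig, "opened": opened}


def verifier_check(pres: dict) -> dict:
    """Verifier side: check the issuer signature, then each opened attribute."""
    m = h_int("|".join(pres["commitments"]).encode())
    if pow(pres["sig"], E, N) != m:
        raise ValueError("bad issuer signature")
    out = {}
    for name, (value, salt) in pres["opened"].items():
        if commit(name, value, salt) not in pres["commitments"]:
            raise ValueError(f"attribute {name} does not match a commitment")
        out[name] = value
    return out


def issuer_can_link(pres: dict) -> bool:
    """Can the IdP match a presented token to anything in its issuance log?"""
    m = h_int("|".join(pres["commitments"]).encode())
    return m in ISSUER_LOG or pres["sig"] in ISSUER_LOG


def demo():
    """Constructed sample: prove only age_over_18, keep name and SSN hidden."""
    state = user_build_token({"name": "Alice Example",
                              "age_over_18": "true",
                              "ssn": "000-00-0000"})
    sig = user_unblind(state, issuer_sign_blinded(state["blinded"]))
    pres = user_present(state, sig, ["age_over_18"])
    return verifier_check(pres), issuer_can_link(pres)


if __name__ == "__main__":
    print(demo())   # ({'age_over_18': 'true'}, False)
```

The Verifier learns exactly one attribute and still gets an issuer-backed guarantee on it; the Issuer's log holds only blinded values and cannot be matched against the presented digest or signature. One caveat that applies to this toy and, in the same way, to single-show tokens: presenting the same token twice hands two Verifiers an identical signature they can correlate, so unlinkability across Verifiers needs a fresh token per use.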

March 20, 2008

The Forrester Wave on IAM: Oracle a Clear Leader

It's always a good thing when your work gets recognized. Forrester Research has just published a new Forrester Wave™ Report focused on Identity and Access Management products. In this report, Oracle emerges as a clear market leader with a solid portfolio of integrated products and a "compelling, aggressive strategy" with application-centric identity.

  • Forrester gives Oracle credit for "aggressively building a versatile and well-rounded IAM product line".
  • Forrester sees the value that the Oracle IAM suite will bring to Oracle applications in Fusion, as we move IAM "from a security and systems management discipline to one of application architecture and development".
  • The most recent acquisitions of Bharosa and Bridgestream seem to have played a role, as Forrester likes the enterprise role management and risk-based authentication capabilities that those acquisitions added to our fold.
Forrester included six vendors in the assessment, limiting themselves to major vendors that offer a suite of capabilities: BMC Software, CA, IBM, Novell, Oracle, and Sun Microsystems. HP declined to participate due to their recent retrenchment. They used a combination of three data sources to assess the strengths and weaknesses of each solution:
  • Hands-on lab evaluations
  • Vendor surveys
  • Customer reference calls
You can download a copy of the report here. A quick snapshot in graphical form is available on page 8 of the report (wish I could post it here).

March 21, 2008

Virtual Directories + Provisioning = No more Metadirectory

There has been an interesting discussion going on regarding the fate of metadirectory technology. Dave Kearns talked about it in his newsletter recently (see: Is the metadirectory dead). In it, he quoted Jackson Shaw, who brought it up in the context of HP's recent retrenchment:

"Let's be honest. The meta-directory is dead. Approaches that look like a meta-directory are dead."
Kim Cameron questioned this in his response. The flaw in his argument (imo) is in lumping directory and metadirectory technology together. Nobody is saying that the directory is dead. It still is (and will continue to be for the foreseeable future) the best storage mechanism available for identity data. What is being said is that the metadirectory approach, which takes directory-based storage and layers centralization processes and technology on top of it (the synchronization, arbitration and flattening of data inherent to the metadirectory story), doesn't make sense in the brave new world of identity services we are moving towards.

Centralization of data still exists, and will continue to for some time to come. But for a while now, the solution there has been provisioning technology, not metadirectory (see my previous blog post on this topic). Provisioning adds a crucial overlay of policy, controls and process onto the rationalization of identity data (centralization being a byproduct of this).

Where workflow and process are not needed there is no longer a need to centralize, as virtual directory technology provides a scalable, manageable solution far superior to what metadirectory used to provide. Oracle (for one) recognized this a while ago when it bought the technology that became Oracle Virtual Directory.

Virtual directory technology is fast becoming the underpinning of the "identity bus" (as Kim calls it) in an Identity Services based architecture. It provides a services interface that pulls the identity data from where it sits, and transforms it into the claims that the consuming application is interested in. It acts as an abstraction/indirection layer between the identity producer (HR, CRM, Corporate Directory, you name it) and the identity consumer. It also acts as a gatekeeper, ensuring that data use is authorized and policy-compliant. Oracle's effort at defining the IGF standard is an attempt to add much needed controls to that interaction between producer and consumer, and OVD is on the very front lines of this effort.
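The three jobs the paragraph above gives a virtual directory (pull from where the data sits, transform into the claims the consumer wants, gate the use by policy) fit in a few dozen lines. What follows is an added illustration written for this page, not Oracle Virtual Directory or any other product's code. The two backends (an HR system and a corporate directory), the join key, the claim mapping and the per-consumer policies are constructed assumptions; the point is that nothing is copied into a central store, so there is no synchronization step to lag behind the source, and a consumer is refused before any backend is read.

```python
"""Virtual directory as a query-time join plus policy gate over live sources.
Added illustration of the pattern, not Oracle Virtual Directory code.
Backends, join key, claim mapping and consumer policy are constructed."""
from dataclasses import dataclass, field

# Constructed backends. The virtual directory reads them at query time and
# never copies them out, which is the difference from a metadirectory.
HR = {  # keyed by employee number (assumed join key)
    "10042": {"legal_name": "Alice Example", "dept": "Finance",
              "ssn": "000-00-0000"},
}
CORP_DIR = {  # keyed by uid
    "alice": {"mail": "alice@example.com", "employeeNumber": "10042",
              "groups": ["finance", "vpn"]},
}


@dataclass
class VirtualDirectory:
    mapping: dict           # claim name -> (source, attribute in that source)
    policy: dict            # consumer id -> set of claims it may receive
    audit: list = field(default_factory=list)

    def _fetch(self, uid: str):
        """Join the directory entry to its HR record on employeeNumber."""
        entry = CORP_DIR.get(uid)
        if entry is None:
            return None
        return {"dir": entry, "hr": HR.get(entry["employeeNumber"], {})}

    def lookup(self, consumer: str, uid: str, requested) -> dict:
        """Return only the requested claims the consumer is entitled to.
        The policy decision is made first, so a denied request never
        touches a backend and the refusal is recorded for audit."""
        allowed = self.policy.get(consumer, set())
        denied = sorted(c for c in requested
                        if c not in allowed or c not in self.mapping)
        self.audit.append((consumer, uid, denied))
        if denied:
            raise PermissionError(f"{consumer} not authorized for {denied}")
        rec = self._fetch(uid)
        if rec is None:
            return None
        return {c: rec[self.mapping[c][0]].get(self.mapping[c][1])
                for c in requested}


def build_demo_vd() -> VirtualDirectory:
    """Constructed mapping and policy: the wiki never gets a tax id."""
    return VirtualDirectory(
        mapping={"email": ("dir", "mail"), "groups": ("dir", "groups"),
                 "department": ("hr", "dept"), "taxid": ("hr", "ssn")},
        policy={"wiki": {"email", "groups"},
                "payroll": {"email", "department", "taxid"}},
    )


def demo() -> dict:
    """Walk through: allowed lookup, refused lookup, and a live source change
    that is visible on the next query with no sync step."""
    vd = build_demo_vd()
    out = {"wiki": vd.lookup("wiki", "alice", ["email", "groups"])}
    try:
        vd.lookup("wiki", "alice", ["taxid"])
        out["wiki_taxid"] = "ALLOWED"
    except PermissionError:
        out["wiki_taxid"] = "refused"
    out["payroll_before"] = vd.lookup("payroll", "alice", ["department"])
    old = HR["10042"]["dept"]
    HR["10042"]["dept"] = "Treasury"          # change at the source of truth
    out["payroll_after"] = vd.lookup("payroll", "alice", ["department"])
    HR["10042"]["dept"] = old
    out["audit"] = list(vd.audit)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two design points worth carrying into a real deployment: the refusal is decided from the consumer's policy before any source is queried (least privilege applied to the lookup itself, and a cheap audit trail of who asked for what they were not entitled to), and the source change shows up immediately because the answer is assembled from the producers at query time rather than from a synchronized copy.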

As always, the mantra should be to choose the right tool for the problem you have. An enterprise's best bet is to put in place an infrastructure that is a sensible blend of provisioning and virtual directory. This infrastructure will continue to evolve as the vision for application-centric identity evolves.

About

Nishant Kaushik

An exploration of the world of Identity Management with me, Nishant Kaushik, architect for IdM products at Oracle.

About March 2008

This page contains all entries posted to Talking Identity in March 2008. They are listed from oldest to newest.
