
August 2008 Archives

August 4, 2008

Whoa! Talk about trying to spread FUD

A colleague of mine forwarded me this Sun blog post by Paul Walker commenting on the rise of Oracle IAM to leadership status. I read it with some amusement, as I remembered my days at Thor when I, a hard-working serf in a startup, would rail (in private, as I didn't have a blog back then) against the big bad companies (Sun, HP, IBM) that would try to muscle us out of deals on viability, after we had painstakingly won the technical evaluation. My colleague, who works on the Oracle Pre-Sales team, must be wondering why he has to work so hard on POCs if Oracle can just get all these deals by giving away the software or making backroom deals.

The post is grossly inaccurate on several counts. For one, Oracle IdM wouldn't be experiencing the phenomenal growth it is if we were giving away the software for free (a dirty word in many quarters). Paul also says "Every day of every week we go head-to-head with Oracle and we never lose technically". Really, never? That's a bit of an overstatement, isn't it? I have personally been involved in quite a few deals where we (as Thor and later Oracle) won the technical evaluation. And Sun was always part of the competition. Paul thinks that "when it comes to Identity Management they (Oracle) certainly have an advantage in that they own the back-end". If owning the back-end were such an advantage, Microsoft would rule the roost because of AD (uh oh, I'm not starting that whole fracas again), and we would have won no deals as Thor.

Sun has always been our strongest competition in the provisioning space (back since they were just Waveset), and it was always a healthy competition, which is why such a post surprises me. They have a very good product, just like a few other vendors, and each product brings something different to the table, which means that the customers that bought them usually did so because they were a better fit for their needs.

Being big bad Oracle can be an asset in some deals, but it can also be a disadvantage. On a few occasions I have tasted the bitter pill of not getting the deal despite the evaluation win for business/political reasons, a reality that every company has to deal with no matter how big or small they are. But by and large, most enterprises work very hard to try and make the right choice of vendor based on who solves their problems, not backroom politics or a difference in dollar amount. IdM is just too complex to cripple yourself further with bad decisions made for petty reasons. Oracle, Sun and every other IdM vendor is competing in a congested market where the winning formula is value proposition and customer satisfaction. Boutique vendors wouldn't survive, even thrive, in this market if that were not the case. HP would not have exited the market if this wasn't true.

But the post did remind me of something that I do want to touch on, and would definitely play to Oracle's position in the space - the many customers that are looking for deeper integration between ERP and IdM. I'll touch on this in a later post.


August 5, 2008

If you can't trust Airport Security, who can you trust?


The latest to suffer an identity theft breach - the innovative CLEAR system that speeds frequent travelers through airport security by collecting personal data, doing an extensive background check and issuing smart cards. Stolen from a "locked" room in San Francisco airport was a laptop with the data for 33,000 travelers.

This line from the slashdot report was priceless:

The company has now decided that it might be a good idea to encrypt the data in their systems.

Thanks to oracletechnet for bringing this to my attention.

August 6, 2008

Welcoming Jeff Shukis to the Oracle Blogs network

My colleague Jeff Shukis, who used to be VP of Engineering and Operations at Bridgestream, has started a blog of his own to talk about identity management, role management in particular. In his first post, he has started a deeper dive into the shortcomings of the NIST RBAC standard, an issue that I raised a few weeks ago after the Catalyst conference. I'm glad to see him bring his expertise to bear on this critical area of identity management. Looking forward to some informative posts.

August 8, 2008

Please Update to My New RSS Feed

If you subscribe to my blog using RSS, please update your feed reader with my new feed URL. I have been using Feedburner to source my feeds for a month or so now. Besides improving the feed quality a bit, it also insulates you from some changes I may be making to my blog in the upcoming months (like moving to a new blogging platform, or the Oracle Blogs platform going through another rumored upgrade).

The new feed URL is: http://feeds.feedburner.com/TalkingIdentity

Seems like some feed readers don't provide a way to simply update a feed url. You have to unsubscribe from the old and re-subscribe to the new url, unless you want to keep getting duplicate feeds :-)

Thanks again for reading. I'll try to keep it interesting.

August 11, 2008

The Frameworks are Coming

I read with great interest Kim Cameron's most recent post about the Beta release of Zermatt, Microsoft's new identity application development framework. It is a step towards the kind of programming framework that I have been talking about and working on with my colleagues at Oracle for a while now. So I am just a little bit jealous that Microsoft beat us to it. But at Oracle, we have a whole different set of challenges that we are dealing with.

Coincidentally, the version we are developing internally is code-named IDx (according to Kim, Microsoft's internal name for Zermatt used to be IDFX). The first version is being built as the underlying platform for Fusion Applications. But my main job on this project is to make sure that it does not end up as an Oracle proprietary framework, and can become a true development platform on which anyone can build identity-enabled applications, running on top of any identity management provider (MS, Oracle, Sun, etc.).

That is a challenging task, and requires a strong standard API as an abstraction between the application and the identity management providers supporting it. One of my hopes for the Burton Group's Identity Services Working Group is that they will help us ratify what this standard interaction needs to be (of course, we are planning on contributing in a major way to the definition of these APIs, and have been working hard on some aspects of these as part of the IGF initiative). Hopefully, we can do the right thing, and justify Pamela's optimism for the future.

Zermatt allows applications to incorporate a claims-based identity model for authentication and authorization. The claims-based model is one that I brought up in my talk at DIDW almost one year ago. Microsoft has published a whitepaper in conjunction with the Beta release, and I'll be taking a look at it to learn and to contrast it with our approach. I'll talk about my thoughts on Zermatt in the upcoming weeks.

August 22, 2008

We're Number 1! We're Number 1!

UPDATE (August 27, 2008): I have updated the blog post to avoid violating certain copyright issues with Gartner

Gartner has released their latest Magic Quadrant on User Provisioning. It's good to see that we have built on our previous success to emerge as one of the best (if not the best) in the Provisioning industry. I can remember the days at Thor when we would have given up our firstborns to achieve something even close to this kind of recognition.

Good to see that all the hard work at making Oracle Identity Manager easier to use, configure and manage is starting to show dividends. Gartner specifically recognized some of the key improvements we made to the product in the last release: our new Graphical Workflow Designer, the new Connector Installation Wizard, and improvements to our Generic Technology Connector and Reconciliation Manager.

The report also gives props to our strategy of Service-Oriented Security, which is laying the foundation for an identity services based deployment of identity management. The report does seem to assume that our Application-Centric concept is different from SOS, and that we have moved away from it. The truth is that SOS is simply an expansion of our earlier Application-Centric vision, which looks to make it easier for identity-enabled applications to be built by using identity constructs made available in the development environment.

Gartner makes note of the strong competition we will continue to face from Sun, IBM, Novell and a slew of other products. And there is no dearth of recent articles noting the continuing troubles enterprises face in provisioning deployments. So while it feels good to be at the top of the pile, there is still a lot of work to do as we try to keep the momentum going.

You can check out a copy of the report, compliments of Oracle, here.

August 25, 2008

A little more on OpenID adoption

In response to my post about the lag in OpenID RP adoption, Mark Workel asked the following questions:

1. What are the strategic advantages of becoming an IdP?
2. As a consumer or RP, how do I know if an IdP is reliable?

I don't think I can authoritatively answer these, but I do have some thoughts. And keep in mind that these points apply to any IdP-RP based technology, not just OpenID (think of Facebook Connect opening itself up to be an IdP to other applications).

What are the strategic advantages of becoming an IdP?

Well, for one, you get all the marketing buzz associated with doing something with an emerging, potentially game-changing standard. And marketing buzz is always good, especially when you can get it relatively easily (as Johannes points out).

Secondly, being an IdP allows you to hold onto the all-important identity data that is the fuel of any IdP. This is tied to the continuing value associated with "owning the identity silo". And it gives you a way to even expand that identity database, since you (presumably) have other websites (RPs) redirecting new users wishing to use their services to your sign-up page.

Also, it would appear that becoming an IdP gets you a pass on having to become an RP. The large identity stores to join the foundation board can all say they did something with OpenID, without having to tackle the difficult and (probably from their point of view) less desirable task of opening their systems up to rely on other parties as RPs.

As a consumer or RP, how do I know if an IdP is reliable?

You don't. That is probably the chief reason why RP adoption is not taking off. As even Scott Kveton over at the OpenID foundation has said:

OpenID has two challenges it faces to increase adoption and use; security and usability

This isn't much of an issue now since the RPs that openly support OpenID (pardon the pun) don't have major security requirements. And the ones that need a little more reliability are going the restricted OpenID Provider route ("log in with your Yahoo ID").

Without the security thing figured out, it's going to be hard to figure out whether an IdP is reliable or not (whether you're an RP looking for an IdP to rely on, or a consumer looking to sign up for an OpenID somewhere). Hopefully something like the Identity Assurance Framework will emerge as a way to properly advertise the level of security and reliability a particular IdP provides.

In the same post, Scott says:

security and usability will be key drivers to OpenID adoption moving forward

They'll be more than just drivers. Solving those issues will break the dam that is currently holding widespread adoption back.

August 28, 2008

It's that DIDW time of the year

The annual Digital ID World conference is coming up (September 8 - 10) in Anaheim. DIDW is usually a blast, as a number of folks from the identity arena show up at the conference to connect, exchange ideas and move the business of identity forward. And this is the first conference I'll be attending in Anaheim, so I welcome the change of venue (I was getting to know some of the bars in San Francisco way too well).

While DIDW (like any conference) tends to have its share of vendor sales pitches, it is always good for a few sessions to inspire me and give my gray cells something to work on. My biggest problem tends to be figuring out how to divide my time, because unlike Burton Catalyst, where I know which track to just plant myself in, every session on the agenda here is related to identity. Looking at this year's agenda, I see some interesting sessions planned.

Oracle will obviously have a big presence there. Besides being a Platinum sponsor, there will be a few folks from Oracle speaking:

  • Eric Leach will be talking on "Next Generation Access Management Solutions" [Sept 9 from 12:20 - 1:10pm]
  • Phil Hunt will be talking about the Identity Governance Framework [Sept 10 from 3 - 3:50pm]

And some of our customers will be on panels discussing lessons learnt in tackling some thorny identity issues:

  • Brenda Hughes from Cisco on "Successful Compliance Deployments" [Sept 10 from 11:25am - 12:15pm]
  • Vikas Mahajan from AARP and Divya Sundaram from Motorola on "Successful Virtual Directory Deployments" [Sept 10 from 11:25am - 12:15pm]

(Hmm, too bad both the panels are at the same time)

I know a lot of folks that will be making it out to DIDW, so I look forward to some interesting conversations over food and libations (drinks are always a good way to get the tongues wagging). An attempt I made on Twitter at organizing a tweetup at DIDW didn't really take off, probably because it was too early for people's plans to be made. But if you are going to be there, let me know and I would love to meet up. And I will be spending some time at the demogrounds earning my keep, so stop by if you just want to have a chat.

About

Nishant Kaushik

An exploration of the world of Identity Management with me, Nishant Kaushik, architect for IdM products at Oracle.


About August 2008

This page contains all entries posted to Talking Identity in August 2008. They are listed from oldest to newest.
