<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
   <title>Talking Identity</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/talkingidentity/" />
   <link rel="self" type="application/atom+xml" href="http://blogs.oracle.com/talkingidentity/xml/rss.xml" />
   <id>tag:blogs.oracle.com,2008:/talkingidentity//77</id>
   <updated>2008-09-06T02:14:44Z</updated>
   
   <generator uri="http://www.sixapart.com/movabletype/">Movable Type Enterprise 1.52-en-voltron-r47459-20070213</generator>

<entry>
   <title>My DIDW just got a lot more interesting</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/talkingidentity/2008/09/my_didw_just_got_a_lot_more_in.html" />
   <id>tag:blogs.oracle.com,2008:/talkingidentity//77.6208</id>
   
   <published>2008-09-06T01:56:52Z</published>
   <updated>2008-09-06T02:14:44Z</updated>
   
   <summary><![CDATA[ This week I was invited to join Brenda Hughes from Cisco on next weeks DIDW panel discussing &quot;Lessons learned from Successful Compliance Deployments&quot;. My hope is to share some of the insight I obtained from watching (at uncomfortably close...]]></summary>
   <author>
      <name>Nishant Kaushik</name>
      
   </author>
   
   <category term="compliance" label="Compliance" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="digitalidworld" label="Digital ID World" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/talkingidentity/">
      <![CDATA[<p><a href="http://public.cxo.com/conferences/index.html?conferenceID=24" target="_blank"><img style="margin: 0px 5px 0px 0px" src="http://blogs.oracle.com/talkingidentity/WindowsLiveWriter/ItsthatDIDWtimeoftheyear_B9B3/DIDW_Logo_3.jpg" align="left" /></a> This week I was invited to join Brenda Hughes from Cisco on next week's DIDW panel discussing &quot;<strong>Lessons learned from Successful Compliance Deployments</strong>&quot;. My hope is to share some of the insight I obtained from watching (at <em>uncomfortably</em> close quarters, from a vendor perspective) a number of our customers go through the process of deploying identity management to solve some of their main compliance issues. Obviously, compliance has been the big story in IdM the last few years, and most companies still have a long way to go. But the nature of the discussion seems to be changing a bit, as compliance itself is de-mystified. Come by for what is sure to be an interesting conversation.</p>  <p>Also, I will be connecting with a number of folks who are coming out to DIDW, both one-on-one and in some interesting group settings. Matt Flynn has organized a <a href="http://360tek.blogspot.com/2008/08/digital-id-world-bloggers-unite.html" target="_blank">blogger meet</a>, which I look forward to, since my attempt at a Tweetup sort of fell flat. Should be interesting. 
Again, grab me if you see me at the opening reception or at the demogrounds, or while I am rushing from one session to another, if you want to chat.</p>  <p><a href="http://www.twitter.com/NishantK"><img src="http://assets2.twitter.com/images/twitter.png" align="left" /></a> Continuing something <a href="http://blogs.oracle.com/talkingidentity/2008/06/follow_me_at_catalyst.html">I started as an experiment</a> at Burton Catalyst, I will be <strong>twittering</strong> extensively during the conference, sharing what I am hearing, my thoughts and the experiences of DIDW (provided I can snag a power outlet and/or AT&amp;T 3G can avoid going down again). Be sure to follow me at <a href="http://www.twitter.com/NishantK">http://www.twitter.com/NishantK</a> if you are interested in my perspective on the proceedings.</p>  <p><a href="http://feeds.feedburner.com/~r/GeekAndPoke/~3/333834518/the-genesis-of.html" target="_blank"><img src="http://geekandpoke.typepad.com/geekandpoke/images/2008/07/13/genesis2.jpg" /></a></p>]]>
      
   </content>
</entry>
<entry>
   <title>Does &apos;User-Centric&apos; also mean &apos;User-Burdened&apos;?</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/talkingidentity/2008/09/does_usercentric_also_mean_use.html" />
   <id>tag:blogs.oracle.com,2008:/talkingidentity//77.6125</id>
   
   <published>2008-09-02T16:14:36Z</published>
   <updated>2008-09-02T16:20:10Z</updated>
   
   <summary>Dave Kearns recently took on the topic of how user-centric and enterprise-centric identity could possibly co-exist in his articles for the Network World Identity Management Newsletter. In his first post, he discussed what the difference between the two is - ...</summary>
   <author>
      <name>Nishant Kaushik</name>
      
   </author>
   
   <category term="digitalpersona" label="Digital Persona" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="enterpriseidentity" label="Enterprise Identity" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationcards" label="Information Cards" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="personalidentitymanagement" label="Personal Identity Management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="usercentricidentity" label="User-Centric Identity" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/talkingidentity/">
      <![CDATA[<p>Dave Kearns recently took on the topic of how user-centric and enterprise-centric identity could possibly co-exist in his articles for the <a href="http://www.networkworld.com/newsletters/dir/index.html">Network World Identity Management Newsletter</a>. In his <a href="http://www.networkworld.com/newsletters/dir/2008/082508id1.html">first post</a>, he discussed what the difference between the two is -&#160; the need in the Enterprise scenario to have all identity-related transactions tied together from an audit perspective, contrasted with the need in the User-Centric (or personal) scenario to have no ability to tie together the various transactions a person can enter into. In his <a href="http://www.networkworld.com/newsletters/dir/2008/090108id1.html">follow-up post</a>, he discussed how the two, given these diametrically opposite requirements, could co-exist.</p>  <p><a href="http://blogs.oracle.com/talkingidentity/WindowsLiveWriter/DoesUserCentricalsomeanUserBurdened_A98A/Multiple_Personas_2.jpg"><img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; margin: 0px 0px 0px 5px; border-right-width: 0px" height="157" alt="Multiple_Personas" src="http://blogs.oracle.com/talkingidentity/WindowsLiveWriter/DoesUserCentricalsomeanUserBurdened_A98A/Multiple_Personas_thumb.jpg" width="194" align="right" border="0" /></a> Dave postulates that the solution is based in the idea of <strong>Digital Personas</strong>. If I am reading his thesis correctly, he basically says that a person (an entity) can keep his online transactions un-linkable by using different personas (as represented by different information cards) that are kept separate and distinct at the source (namely the user and his IdP). 
In this way, common identifiers are avoided (not sure about that, since the most common identifier - an email address - is likely the same across most, if not all, of your personas), and so correlation reports cannot be built that harvest and mine data.</p>  <p>While Dave is clearly working with the constraint of what is possible today (both on a technological and legal footing), I think this solution puts too much of a burden on the end-user, since this requires the user to maintain <em>multiple personas</em> across the various applications he interacts with. In other words, even if the persona I want to present (PII attributes, credit cards, etc) to two different applications is <em>exactly</em> the same, I would need to create two different personas (in effect duplicates) if I want to make sure that there is no linkability. One can see the potential for persona explosion.</p>  <p>This is like saying that a user (who is extremely paranoid and wants no one building a consumer profile by looking at his purchase history) should maintain a different credit card (in effect tens or a few hundred) for every merchant he interacts with. That is completely impractical. But just like there is no recourse today for consumers in this arena (the SSN, home address information, etc that every credit card record has enables complete linking, and results in the massive databases that telemarketers thrive and live on), it seems that there are no legal and technological solutions enabling the consumer to use the same persona while guaranteeing non-linkability. It's an interesting problem that I think needs to be addressed by the identity community, because if it isn't, linking of our online identities will happen (whether we want it or not), because the burden of maintaining multiple personas is just too much work, and user habits will prevail (just as they do in the matter of username-passwords).</p>]]>
      
   </content>
</entry>
<entry>
   <title>It&apos;s that DIDW time of the year</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/talkingidentity/2008/08/its_that_didw_time_of_the_year.html" />
   <id>tag:blogs.oracle.com,2008:/talkingidentity//77.6090</id>
   
   <published>2008-08-28T17:26:36Z</published>
   <updated>2008-08-28T17:30:14Z</updated>
   
   <summary> The annual Digital ID World conference is coming up (September 8 - 10) in Anaheim. DIDW is usually a blast, as a number of folks from the identity arena show up at the conference to connect, exchange ideas and...</summary>
   <author>
      <name>Nishant Kaushik</name>
      
   </author>
   
   <category term="digitalidworld" label="Digital ID World" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="identitygovernanceframework" label="Identity Governance Framework" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/talkingidentity/">
      <![CDATA[<p><a href="http://public.cxo.com/conferences/index.html?conferenceID=24"><img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; margin: 5px 5px 5px 0px; border-right-width: 0px" height="36" alt="DIDW_Logo" src="http://blogs.oracle.com/talkingidentity/WindowsLiveWriter/ItsthatDIDWtimeoftheyear_B9B3/DIDW_Logo_3.jpg" width="162" align="left" border="0" /></a> The annual <a href="http://public.cxo.com/conferences/index.html?conferenceID=24" target="_blank">Digital ID World conference</a> is coming up (September 8 - 10) in Anaheim. DIDW is usually a blast, as a number of folks from the identity arena show up at the conference to connect, exchange ideas and move the business of identity forward. And this is the first conference I'll be attending in Anaheim, so I welcome the change of venue (I was getting to know some of the bars in San Francisco <em>way</em> too well).</p>  <p>While DIDW (like any conference) tends to have its share of vendor sales pitches, it is always good for a few sessions to inspire me and give my gray cells something to work on. My biggest problem tends to be figuring out how to divide my time, because unlike Burton Catalyst, where I know which track to just plant myself in, <a href="http://public.cxo.com/conferences/agenda.html?conferenceID=24" target="_blank">every session on the agenda here</a> is related to identity. Looking at this year's agenda, I see some interesting sessions planned.</p>  <p>Oracle will obviously have a big presence there. 
Besides being a Platinum sponsor, there will be a few folks from Oracle speaking:</p>  <ul>   <li>Eric Leach will be talking on &quot;Next Generation Access Management Solutions&quot; [Sept 9 from 12:20 - 1:10pm] </li>    <li>Phil Hunt will be talking about the Identity Governance Framework [Sept 10 from 3 - 3:50pm] </li> </ul>  <p>And some of our customers will be on panels discussing lessons learnt in tackling some thorny identity issues:</p>  <ul>   <li>Brenda Hughes from <strong>Cisco</strong> on &quot;Successful Compliance Deployments&quot; [Sept 10 from 11:25am - 12:15pm] </li>    <li>Vikas Mahajan from <strong>AARP</strong> and Divya Sundaram from <strong>Motorola</strong> on &quot;Successful Virtual Directory Deployments&quot; [Sept 10 from 11:25am - 12:15pm] </li> </ul>  <p>(Hmm, too bad both the panels are at the same time)</p>  <p>I know a lot of folks that will be making it out to DIDW, so I look forward to some interesting conversations over food and libations (drinks are always a good way to get the tongues wagging). An attempt I made on <a href="http://twitter.com/NishantK">Twitter</a> at organizing a tweetup at DIDW didn't really take off, probably because it was too early for people's plans to be made. But if you are going to be there, let me know and I would love to meet up. And I will be spending some time at the demogrounds earning my keep, so stop by if you just want to have a chat.</p>]]>
      
   </content>
</entry>
<entry>
   <title>A little more on OpenID adoption</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/talkingidentity/2008/08/a_little_more_on_openid_adopti.html" />
   <id>tag:blogs.oracle.com,2008:/talkingidentity//77.6039</id>
   
   <published>2008-08-25T22:42:29Z</published>
   <updated>2008-08-25T22:45:16Z</updated>
   
   <summary>In response to my post about the lag in OpenID RP adoption, Mark Workel asked the following questions: 1. What are the strategic advantages of becoming an IdP? 2. As a consumer or RP, how do I know if an...</summary>
   <author>
      <name>Nishant Kaushik</name>
      
   </author>
   
   <category term="identityassuranceframework" label="Identity Assurance Framework" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="openid" label="OpenID" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/talkingidentity/">
      <![CDATA[<p>In response to <a href="http://blogs.oracle.com/talkingidentity/2008/07/johannes_talks_about_the_openi.html" target="_blank">my post</a> about the lag in OpenID RP adoption, Mark Workel asked the following questions:</p>  <blockquote>   <p>1. What are the strategic advantages of becoming an IdP?      <br />2. As a consumer or RP, how do I know if an IdP is reliable?</p> </blockquote>  <p>I don't think I can authoritatively answer these, but I do have some thoughts. And keep in mind that these points apply to any IdP-RP based technology, not just OpenID (think of Facebook Connect opening itself up to be an IdP to other applications).</p>  <p><strong>What are the strategic advantages of becoming an IdP?</strong></p>  <p>Well, for one, you get all the marketing buzz associated with doing something with an emerging, potentially game-changing standard. And marketing buzz is always good, especially when you can get it relatively easily (as Johannes <a href="http://netmesh.info/jernst/Digital_Identity/openid-rp-adoption-problem.html?version=200807301207" target="_blank">points out</a>).</p>  <p>Secondly, being an IdP allows you to hold onto the all-important identity data that is the fuel of any IdP. This is tied to the continuing value associated with &quot;owning the identity silo&quot;. And it gives you a way to even expand that identity database, since you (presumably) have other websites (RPs) redirecting new users wishing to use their services to your sign-up page.</p>  <p>Also, it would appear that becoming an IdP gets you a pass on having to become an RP. The large identity stores that joined the foundation board can all say they did something with OpenID, without having to tackle the difficult and (probably from their point of view) less desirable task of opening their systems up to rely on other parties as RPs.</p>  <p><strong>As a consumer or RP, how do I know if an IdP is reliable?</strong></p>  <p>You don't. 
That is probably the chief reason why RP adoption is not taking off. As even Scott Kveton over at the OpenID foundation <a href="http://openid.net/2008/08/10/challenges-facing-openid/" target="_blank">has said</a>: </p>  <blockquote>   <p>OpenID has two challenges it faces to increase adoption and use; security and <a href="http://blogs.oracle.com/talkingidentity/WindowsLiveWriter/AlittlemoreonOpenIDadoption_10107/keys_2.jpg"><img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="188" alt="keys" src="http://blogs.oracle.com/talkingidentity/WindowsLiveWriter/AlittlemoreonOpenIDadoption_10107/keys_thumb.jpg" width="240" align="right" border="0" /></a>usability</p> </blockquote>  <p>This isn't much of an issue now since the RPs that openly support OpenID (pardon the pun) don't have major security requirements. And the ones that need a little more reliability are going the restricted OpenID Provider route (&quot;log in with your Yahoo ID&quot;).</p>  <p>Without the security thing figured out, it's going to be hard to figure out whether an IdP is reliable or not (whether you're an RP looking for an IdP to rely on, or a consumer looking to sign up for an OpenID somewhere). Hopefully something like the <strong><a href="http://www.projectliberty.org/strategic_initiatives/identity_assurance" target="_blank">Identity Assurance Framework</a></strong> will emerge as a way to properly advertise the level of security and reliability a particular IdP provides.</p>  <p>In the same post, Scott says:</p>  <blockquote>   <p>security and usability will be key drivers to OpenID adoption moving forward</p> </blockquote>  <p>They'll be more than just drivers. Solving those issues will break the dam that is currently holding widespread adoption back.</p>]]>
      
   </content>
</entry>
<entry>
   <title>We&apos;re Number 1!  We&apos;re Number 1!</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/talkingidentity/2008/08/were_number_1_were_number_1.html" />
   <id>tag:blogs.oracle.com,2008:/talkingidentity//77.6017</id>
   
   <published>2008-08-22T19:40:59Z</published>
   <updated>2008-08-28T02:22:32Z</updated>
   
   <summary>UPDATE (August 27, 2008): I have updated the blog post to avoid violating certain copyright issues with Gartner Gartner has released their latest Magic Quadrant on User Provisioning. It&apos;s good to see that we have built on our previous success...</summary>
   <author>
      <name>Nishant Kaushik</name>
      
   </author>
   
   <category term="gartnermagicquadrant" label="Gartner Magic Quadrant" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="oracleidentitymanager" label="Oracle Identity Manager" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="userprovisioning" label="User Provisioning" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/talkingidentity/">
      <![CDATA[<p><strong>UPDATE (August 27, 2008): I have updated the blog post to avoid violating certain copyright issues with Gartner</strong></p>
<p>Gartner has released their latest Magic Quadrant on User Provisioning. It's good to see that we have built on <a href="http://blogs.oracle.com/talkingidentity/2007/09/oracle_in_gartners_leaders_qua.html" target="_blank">our previous success</a> to emerge as one of the best (if not the best) in the Provisioning industry. I can remember the days at Thor when we would have given up our firstborns to achieve something even close to this kind of recognition.</p>
<p><img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="240" alt="number-one-fan" src="http://blogs.oracle.com/talkingidentity/WindowsLiveWriter/WereNumber1AtleastaccordingtoGartner_D9A6/number-one-fan_thumb.jpg" width="235" align="right" border="0" />Good to see that all the hard work at making <strong>Oracle Identity Manager</strong> easier to use, configure and manage is starting to show dividends. Gartner specifically recognized some of the key improvements we made to the product in <a href="http://blogs.oracle.com/talkingidentity/2008/02/announcing_oracle_identity_man.html" target="_blank">the last release</a>: our new Graphical Workflow Designer, the new Connector Installation Wizard, and improvements to our Generic Technology Connector and Reconciliation Manager.</p>   
<p>The report also gives props to our strategy of <strong>Service-Oriented Security</strong>, which is laying the foundation for an identity services based deployment of identity management. The report does seem to assume that our <strong>Application-Centric</strong> concept is different from SOS, and that we have moved away from it. The truth is that SOS is simply an expansion of our earlier Application-Centric vision, which looks to make it easier for identity-enabled applications to be built by using identity constructs made available in the development environment.</p>  <p>Gartner makes note of the strong competition we will continue to face from Sun, IBM, Novell and a slew of other products. And there is no dearth of <a href="http://www.networkworld.com/newsletters/dir/2008/081808id1.html?nlhtident=ts_081808&amp;nladname=081808security:identitymanagemental" target="_blank">recent articles</a> noting the continuing troubles enterprises face in provisioning deployments. So while it feels good to be at the top of the pile, there is still a lot of work to do as we try to keep the momentum going.</p>  <p>You can check out a copy of the report, compliments of Oracle, <a href="http://mediaproducts.gartner.com/reprints/oracle/article35/article35.html" target="_blank">here</a>.</p>]]>
      
   </content>
</entry>
<entry>
   <title>The Frameworks are Coming</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/talkingidentity/2008/08/the_frameworks_are_coming.html" />
   <id>tag:blogs.oracle.com,2008:/talkingidentity//77.5861</id>
   
   <published>2008-08-11T19:40:05Z</published>
   <updated>2008-08-11T19:45:01Z</updated>
   
   <summary>I read with great interest Kim Cameron&apos;s most recent post about the Beta release of Zermatt, Microsoft&apos;s new identity application development framework. It is a step towards the kind of programming framework that I have been talking about and working...</summary>
   <author>
      <name>Nishant Kaushik</name>
      
   </author>
   
   <category term="iswg" label="ISWG" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="identityframeworks" label="Identity Frameworks" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="identitygovernanceframework" label="Identity Governance Framework" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="identityservices" label="Identity Services" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="microsoftzermatt" label="Microsoft Zermatt" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/talkingidentity/">
      <![CDATA[<p>I read with great interest Kim Cameron's <a href="http://www.identityblog.com/?p=1002" target="_blank">most recent post</a> about the Beta release of <strong>Zermatt</strong>, Microsoft's new identity application development framework. It is a step towards the kind of programming framework that I have been talking about and working on with my colleagues at Oracle for a while now. So I am just a little bit jealous that Microsoft beat us to it. But at Oracle, we have a whole different set of challenges that we are dealing with.</p>  <p><img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="182" alt="Programming_Framework" src="http://blogs.oracle.com/talkingidentity/WindowsLiveWriter/TheFrameworksarecoming_BDB7/Programming_Framework_thumb.jpg" width="218" align="right" border="0" />Coincidentally, the version we are developing internally is code-named <strong>IDx</strong> (According to Kim, Microsoft's internal name for Zermatt used to be IDFX). The first version is being built as the underlying platform for Fusion Applications. But my main job on this project is to make sure that it does not end up as an Oracle proprietary framework, and can become a true development platform on which anyone can build identity-enabled applications, running on top of any identity management provider (MS, Oracle, Sun, etc.). </p>  <p>That is a challenging task, and requires a strong standard API as an abstraction between the application and the identity management providers supporting it. 
One of my hopes for the Burton Group's <strong>Identity Services Working Group</strong> is that they will help us ratify what this standard interaction needs to be (of course, we are planning on contributing in a major way to the definition of these APIs, and have been working hard on some aspects of these as part of the <a href="http://www.oracle.com/technology/tech/standards/idm/igf/index.html" target="_blank">IGF initiative</a>). Hopefully, we can do the right thing, and justify Pamela's optimism for the future.</p>  <p>Zermatt allows applications to incorporate a claims-based identity model for authentication and authorization. The claims-based model is one that I brought up in <a href="http://static7.userland.com/oracle/gems/nishantKaushik/IDaaSDIDW.pdf" target="_blank">my talk at DIDW</a> almost one year ago. Microsoft has <a href="https://connect.microsoft.com/Downloads/DownloadDetails.aspx?SiteID=642&amp;DownloadID=12901" target="_blank">published a whitepaper</a> in conjunction with the Beta release, and I'll be taking a look at it to learn and to contrast it with our approach. I'll talk about my thoughts on Zermatt in the upcoming weeks.</p>]]>
      
   </content>
</entry>
<entry>
   <title>Please Update to My New RSS Feed</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/talkingidentity/2008/08/please_update_to_my_new_rss_fe.html" />
   <id>tag:blogs.oracle.com,2008:/talkingidentity//77.5839</id>
   
   <published>2008-08-08T16:32:26Z</published>
   <updated>2008-08-08T16:32:47Z</updated>
   
   <summary>If you subscribe to my blog using RSS, please update your feed reader with my new feed URL. I have been using Feedburner to source my feeds for a month or so now. Besides improving the feed quality a bit,...</summary>
   <author>
      <name>Nishant Kaushik</name>
      
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/talkingidentity/">
      <![CDATA[<p>If you subscribe to my blog using RSS, please update your feed reader with my new feed URL. I have been using <strong><em>Feedburner</em></strong> to source my feeds for a month or so now. Besides improving the feed quality a bit, it also insulates you from some changes I may be making to my blog in the upcoming months (like moving to a new blogging platform, or the Oracle Blogs platform going through another rumored upgrade). </p>  <p>The new feed URL is: <a href="http://feeds.feedburner.com/TalkingIdentity">http://feeds.feedburner.com/TalkingIdentity</a>     <br /></p>  <p>Seems like some feed readers don't provide a way to simply update a feed url. You have to unsubscribe from the old and re-subscribe to the new url, unless you want to keep getting duplicate feeds :-)</p>  <p>Thanks again for reading. I'll try to keep it interesting.</p>  <p><a href="http://geekandpoke.typepad.com/geekandpoke/2007/11/what-is-a-blogg.html" target="_blank"><img src="http://geekandpoke.typepad.com/geekandpoke/images/2007/11/04/blogcycle.jpg" /></a></p>]]>
      
   </content>
</entry>
<entry>
   <title>Welcoming Jeff Shukis to the Oracle Blogs network</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/talkingidentity/2008/08/welcoming_jeff_shukis_to_the_o.html" />
   <id>tag:blogs.oracle.com,2008:/talkingidentity//77.5786</id>
   
   <published>2008-08-06T15:46:01Z</published>
   <updated>2008-08-06T15:50:20Z</updated>
   
   <summary>My colleague Jeff Shukis, who used to be VP of Engineering and Operations at Bridgestream, has started a blog of his own to talk about identity management, role management in particular. In his first post, he has started a deeper...</summary>
   <author>
      <name>Nishant Kaushik</name>
      
   </author>
   
   <category term="nistrbac" label="NIST RBAC" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="rolemanagement" label="Role Management" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/talkingidentity/">
      <![CDATA[<p>My colleague <strong>Jeff Shukis</strong>, who used to be VP of Engineering and Operations at <strong>Bridgestream</strong>, has started <a href="http://blogs.oracle.com/identitythink/" target="_blank">a blog of his own</a> to talk about identity management, role management in particular. In <a href="http://blogs.oracle.com/identitythink/2008/08/whats_wrong_with_the_nist_rbac.html" target="_blank">his first post</a>, he has started a deeper dive into the shortcomings of the <strong>NIST RBAC </strong>standard, an issue that <a href="http://blogs.oracle.com/talkingidentity/2008/07/my_next_attempt_at_controversy.html" target="_blank">I raised a few weeks ago</a> after the Catalyst conference. I'm glad to see him bring his expertise to bear on this critical area of identity management. Looking forward to some informative posts.</p>]]>
      
   </content>
</entry>
<entry>
   <title>If you can&apos;t trust Airport Security, who can you trust?</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/talkingidentity/2008/08/if_you_cant_trust_airport_secu.html" />
   <id>tag:blogs.oracle.com,2008:/talkingidentity//77.5781</id>
   
   <published>2008-08-06T01:06:41Z</published>
   <updated>2008-08-06T01:08:01Z</updated>
   
   <summary><![CDATA[ The latest to suffer an identity theft breach - the innovative CLEAR system that speeds frequent travelers through airport security by collecting personal data, doing an extensive background check and issuing smart cards. Stolen from a &quot;locked&quot; room in...]]></summary>
   <author>
      <name>Nishant Kaushik</name>
      
   </author>
   
   <category term="identitytheft" label="Identity Theft" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/talkingidentity/">
      <![CDATA[<p><a href="http://blogs.oracle.com/talkingidentity/WindowsLiveWriter/IfyoucanttrustAirportSecuritywhocanyoutr_126AD/laptop-security_2.jpg"><img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="140" alt="laptop-security" src="http://blogs.oracle.com/talkingidentity/WindowsLiveWriter/IfyoucanttrustAirportSecuritywhocanyoutr_126AD/laptop-security_thumb.jpg" width="140" align="right" border="0" /></a></p>   <p>The latest to suffer an identity theft breach - the innovative <strong>CLEAR</strong> system that speeds frequent travelers through airport security by collecting personal data, doing an extensive background check and issuing smart cards. Stolen from a &quot;locked&quot; room in San Francisco airport was a laptop with the data for 33,000 travelers.</p>  <p>This line from the <a href="http://yro.slashdot.org/yro/08/08/05/1539231.shtml" target="_blank">slashdot report</a> was priceless:</p>  <blockquote>   <p>The company has now decided that it might be a good idea to encrypt the data in their systems.</p> </blockquote>  <p>Thanks to <a href="http://twitter.com/oracletechnet" target="_blank">oracletechnet</a> for bringing this to my attention.</p>]]>
      
   </content>
</entry>
<entry>
   <title>Whoa! Talk about trying to spread FUD</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/talkingidentity/2008/08/whoa_talk_about_trying_to_spre.html" />
   <id>tag:blogs.oracle.com,2008:/talkingidentity//77.5736</id>
   
   <published>2008-08-04T22:36:08Z</published>
   <updated>2008-08-04T22:37:52Z</updated>
   
   <summary>A colleague of mine forwarded me this Sun blog post by Paul Walker commenting on the rise of Oracle IAM to leadership status. I read it with some amusement, as I remembered my days at Thor when I, a hard-working...</summary>
   <author>
      <name>Nishant Kaushik</name>
      
   </author>
   
   <category term="oracleidentitymanagement" label="Oracle Identity Management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="oracleidentitymanager" label="Oracle Identity Manager" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="sunidentitymanagement" label="Sun Identity Management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="userprovisioning" label="User Provisioning" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/talkingidentity/">
      <![CDATA[<p>A colleague of mine forwarded me <a href="http://blogs.sun.com/illgetmycoat/entry/worrying_times" target="_blank">this Sun blog post by Paul Walker</a> commenting on the rise of Oracle IAM to leadership status. I read it with some amusement, as I remembered my days at Thor when I, a hard-working serf in a startup, would rail (in private, as I didn't have a blog back then) against the big bad companies (Sun, HP, IBM) that would try to muscle us out of deals on viability, after we had painstakingly won the technical evaluation. My colleague, who works on the Oracle Pre-Sales team, must be wondering why he has to work so hard on POCs if Oracle can just get all these deals by giving away the software or making backroom deals.</p>  <p>The post is grossly inaccurate on several counts. For one, Oracle IdM wouldn't be experiencing the phenomenal growth it is if we were giving away the software for free (a dirty word in many quarters). Paul also says &quot;Every day of every week we go head-to-head with Oracle and we never&#160; loose technically&quot;. Really, <em>never</em>? That's a bit of an overstatement, isn't it? I have personally been involved in quite a few deals where we (as Thor and later Oracle) won the technical evaluation. And Sun was always part of the competition. Paul thinks that &quot;when it comes to Identity Management they (Oracle) certainly have an advantage in that they own the back-end&quot;. If owning the back-end were such an advantage, Microsoft would rule the roost because of AD (uh oh, I'm not starting <a href="http://blogs.oracle.com/talkingidentity/2008/07/to_ad_or_not_to_ad.html" target="_blank">that whole fracas</a> again), and we would have won no deals as Thor.</p>  <p>Sun has always been our strongest competition in the provisioning space (back since they were just Waveset), and it was always a healthy competition, which is why such a post surprises me. They have a very good product, just like a few other vendors, and each product brings something different to the table, which means that the customers that bought them usually did so because they were a better fit for their needs.</p>  <p>Being big bad Oracle can be an asset in some deals, but it can also be a disadvantage. On a few occasions I have tasted the bitter pill of not getting the deal despite the evaluation win for business/political reasons, a reality that every company has to deal with no matter how big or small they are. But by and large, most enterprises work very hard to try and make the right choice of vendor based on who solves their problems, not backroom politics or a difference in dollar amount. IdM is just too complex to cripple yourself further with bad decisions made for petty reasons. Oracle, Sun and every other IdM vendor are competing in a congested market where the winning formula is value proposition and customer satisfaction. Boutique vendors wouldn't survive, let alone thrive, in this market if that were not the case. HP would not have <a href="http://bgidps.typepad.com/bgidps/2008/03/hps-identity-re.html" target="_blank">exited the market</a> if this wasn't true.</p>  <p>But the post did remind me of something that I do want to touch on, and would definitely play to Oracle's position in the space - the many customers that are looking for deeper integration between ERP and IdM. I'll touch on this in a later post.</p>  <p><img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="300" alt="I Work for Large company" src="http://blogs.oracle.com/talkingidentity/WindowsLiveWriter/WhoaTalkaboutFUD_E70B/I%20Work%20for%20Large%20company_3.jpg" width="400" border="0" /></p>]]>
      
   </content>
</entry>
<entry>
   <title><![CDATA[Johannes talks about the OpenID RP &quot;Problem&quot;]]></title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/talkingidentity/2008/07/johannes_talks_about_the_openi.html" />
   <id>tag:blogs.oracle.com,2008:/talkingidentity//77.5630</id>
   
   <published>2008-07-30T20:37:45Z</published>
   <updated>2008-07-30T20:42:05Z</updated>
   
   <summary>Johannes Ernst has responded to my post on what I view as a problem for OpenID - the proliferation of OpenID Providers without the emergence of Relying Parties that use them. First of all, let me state for the record...</summary>
   <author>
      <name>Nishant Kaushik</name>
      
   </author>
   
   <category term="openid" label="OpenID" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/talkingidentity/">
      <![CDATA[<p><a href="http://netmesh.info/jernst/Digital_Identity/openid-rp-adoption-problem.html" target="_blank">Johannes Ernst has responded</a> to <a href="http://blogs.oracle.com/talkingidentity/2008/07/openids_problems_dont_seem_to.html" target="_blank">my post</a> on what I view as a problem for OpenID - the proliferation of OpenID Providers without the emergence of Relying Parties that use them. First of all, let me state for the record that I am a big fan of OpenID, and in no way view this problem as being one that will cause OpenID to &quot;die out&quot;, as Johannes seems to think. I actually think OpenID will become part of the solution to our current internet problems of credential blowup, and look forward to that becoming reality. But, like Johannes, I want that day to arrive sooner rather than later. And anything that I see causing that to get pushed out a few more years concerns me. The intent of my post was to elicit just such a response from someone involved with OpenID like Johannes, and then dig a little deeper to figure out what needs to happen next.</p>  <p>Now, in his post, Johannes points out the reality of OpenID adoption - that it is a classic chicken-and-egg problem. As he points out, becoming an OpenID Provider is quite easy and relatively harmless (though reliability concerns do enter the picture), and mainly strategic in nature. On the other hand, becoming an OpenID RP has many more considerations and is far more operational, and therefore risky, in nature. By the very necessity of its invention, OpenID has to achieve critical mass in certain classes of IdP before it can be poked and tested to make sure that it is safe and reliable enough to support RPs. The adoption curve for <em>any</em> technology usually follows this kind of path, and so it is with OpenID. Today the RPs are mostly blog commenting systems and simpler, less sensitive services. Tomorrow, you could be using OpenID to authenticate to your online banking account. But there is a lot to be solved and proven along the path from point A to point B.</p>  <p>So if this path is exactly as it should be, what is there to be concerned about? Well, I guess I should have been more explicit in my last post. The thing that worries me is that the thinking seems to be that there is a lot more value in &quot;owning the silo&quot; - in other words, being an IdP rather than an RP. So even if the OpenID industry does all the right things, will we ever get to the point where the number of OpenIDs a person has is a manageable number (the true intent of OpenID)? The way that the heavy hitters are rolling out their OpenID Providers leads me to wonder if the &quot;exclusive&quot; arrangements that are starting to pop up in RPs are going to become the norm, forcing users to maintain OpenIDs with a large number of Providers.</p>  <p>Obviously John Q. Public knows little, if anything, about OpenID. So expecting them to understand the message &quot;Log in with your OpenID&quot; on a website is irrational. The solution right now seems to have become websites displaying the message &quot;Log in with your Yahoo ID&quot; (which behind the scenes converts it into the requisite OpenID). This is a neat trick, but it creates exclusive IdP-RP relationships that (in some sense) violate the spirit of OpenID. And the fact that these same heavy hitters now own many of the web properties that I would expect to be RPs (why is Flickr an IdP and not an RP?) makes me wonder if true OpenID adoption is getting pushed out by a few years, effectively postponing the work that needs to be done to make the OpenID system more robust in nature.</p>  <p><a href="http://www.ldap.com/1/commentary/wahl/20070220_01.shtml"><img style="border-right: 0px; border-top: 0px; margin: 5px; border-left: 0px; border-bottom: 0px" height="350" alt="20070220_dogtag" src="http://blogs.oracle.com/talkingidentity/WindowsLiveWriter/JohannestalksabouttheOpenIDRPProblem_E765/20070220_dogtag_3.jpg" width="350" border="0" /></a> </p>  <p>Maybe I'm being too pessimistic about all this. But as of today, I have accounts in about 60 different places that I actively use, and only 3 of them are an OpenID RP. I want to move on to the next level, and am wondering what needs to happen to precipitate that.</p>]]>
      
   </content>
</entry>
<entry>
   <title>The Optimist is feeling a little pessimistic</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/talkingidentity/2008/07/the_optimist_is_feeling_a_litt.html" />
   <id>tag:blogs.oracle.com,2008:/talkingidentity//77.5541</id>
   
   <published>2008-07-25T21:14:48Z</published>
   <updated>2008-07-25T21:17:17Z</updated>
   
   <summary>Seems like the recent Catalyst conference led the Eternal Optimist, Pam Dingle, to question how we are doing as an industry. It is true that a lot of the messaging has shifted from what enterprises need to accomplish based on...</summary>
   <author>
      <name>Nishant Kaushik</name>
      
   </author>
   
   <category term="iswg" label="ISWG" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="identityservices" label="Identity Services" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/talkingidentity/">
      <![CDATA[<p>Seems like the recent Catalyst conference led the <a href="http://eternaloptimist.wordpress.com/" target="_blank">Eternal Optimist</a>, Pam Dingle, to <a href="http://eternaloptimist.wordpress.com/2008/07/24/what-are-we-trying-to-do-and-how-do-we-measure-success/" target="_blank">question how we are doing</a> as an industry. It is true that a lot of the messaging has shifted from what enterprises need to accomplish based on their unique needs to &quot;check-off the list&quot; buzzwords like <em>GRC</em> (which Bob Blakely called a &quot;four letter word&quot;), <em>RBAC</em> and <em>User-Centric</em>.</p>  <p>Pam's definition of why enterprises should invest in identity is not new, nor is this the first time it has been said. But it seems like periodically, people need to reiterate the message to remind people that they should keep their eye on the ball. Too many times, the people going into identity projects do so because of a corporate mandate, with little understanding of why exactly they need to do it, or what the needs are that they are trying to address.</p>  <p>But I don't quite share Pam's pessimism expressed in the second half of her post. When she asks</p>  <blockquote>   <p>The <strong>really</strong> interesting question will be whether or not the big vendors will ever start enabling truly integrated provisioning and SSO support for the full range of their products.</p> </blockquote>  <p>I think she asks a question that many have been asking, and some of us are starting to work on. The key word here is &quot;work&quot;, because the vision for standardized identity services is still just that - a vision. The reality is that there are a number of enterprises out there that are implementing identity services strategies on their own, but there is no concrete way for COTS and SaaS applications to rely on identity services for these critical functions. Even Oracle's work in this area (which I have been blogging about for a while) is proprietary at this point, and very much driven by the vision for Fusion Applications that is articulated in Pamela's hope for stack offerings with an &quot;integral adherence to an identity vision, instead of bolted-on adherence&quot;. This is one of the main reasons why I have joined the <strong>Identity Services Working Group</strong> that the <a href="http://bgidps.typepad.com/bgidps/2007/03/the_latticework.html" target="_blank">Burton Group is running</a>, to work with the community on defining the missing pieces that can make identity services a cohesive solution that all applications can be built on.</p>]]>
      
   </content>
</entry>
<entry>
   <title>OpenID&apos;s problems don&apos;t seem to be going away</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/talkingidentity/2008/07/openids_problems_dont_seem_to.html" />
   <id>tag:blogs.oracle.com,2008:/talkingidentity//77.5495</id>
   
   <published>2008-07-21T22:52:27Z</published>
   <updated>2008-07-21T22:54:55Z</updated>
   
   <summary> I got news today that MySpace is joining the OpenID revolution. This supposedly brings the number of OpenID-enabled accounts to over half a billion. Maybe it looks like good news for OpenID, but isn&apos;t this actually a problem? Isn&apos;t...</summary>
   <author>
      <name>Nishant Kaushik</name>
      
   </author>
   
   <category term="openid" label="OpenID" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/talkingidentity/">
      <![CDATA[<p><img style="margin: 0px 0px 5px 5px" src="http://openid.net/wp-content/uploads/2007/10/openid_med_logo_text.png" align="right" /> I got news today that <a href="http://www.techcrunch.com/2008/07/21/myspace-to-join-openid-bringing-total-enabled-accounts-to-over-a-half-billion/" target="_blank">MySpace is joining the OpenID revolution</a>. This supposedly brings the number of OpenID-enabled accounts to over half a billion. Maybe it looks like good news for OpenID, but isn't this actually a problem? Isn't the intent of OpenID to <strong><em>reduce</em></strong> the number of logins we have? Why am I moving from having 50 username-password credentials to 30 OpenIDs instead of 5?</p>  <p>I wanted to go on a rant, but I see that Adam DuVander over at monkey_bites beat me to it with <a href="http://www.webmonkey.com/blog/Dear_Open_ID%3A_You_Deserve_Better" target="_blank">a much more eloquent one</a> than I could have come up with. I found this part especially priceless:</p>  <blockquote>   <p>But Yahoo stopped short &#8212; they aren&#8217;t letting people use their non-Yahoo (Open)IDs to log in to Yahoo. That&#8217;s not OpenID support. That&#8217;s essentially <em>Passport 2.0</em>.</p></blockquote>]]>
      
   </content>
</entry>
<entry>
   <title>Is AD really the dominant Identity Store out there?</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/talkingidentity/2008/07/is_ad_really_the_dominant_iden.html" />
   <id>tag:blogs.oracle.com,2008:/talkingidentity//77.5446</id>
   
   <published>2008-07-16T15:44:37Z</published>
   <updated>2008-07-16T15:50:49Z</updated>
   
   <summary>James McGovern has challenged my position that applications should not be written to go directly against AD. And he got the backing of Jackson Shaw in this argument. James says: If pretty much every Fortune 500 enterprise has Active Directory,...</summary>
   <author>
      <name>Nishant Kaushik</name>
      
   </author>
   
   <category term="activedirectory" label="Active Directory" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="identityhub" label="Identity Hub" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="identityservices" label="Identity Services" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/talkingidentity/">
      <![CDATA[<p>James McGovern has <a href="http://duckdown.blogspot.com/2008/07/unanswered-questions-on-debate-around.html" target="_blank">challenged my position</a> that applications should not be written to go directly against AD. And he got the backing of <a href="http://jacksonshaw.blogspot.com/2008/07/james-unanswered-questions.html" target="_blank">Jackson Shaw</a> in this argument. James says:</p>  <blockquote>   <p>If pretty much every Fortune 500 enterprise has Active Directory, why should any of them consider yet another product?</p> </blockquote>  <p>Martin (no last name) left a <a href="http://blogs.oracle.com/talkingidentity/2008/07/getting_the_last_word_in_on_me.html#comments" target="_blank">comment on my post</a> that included the following point:</p>  <blockquote>   <p>AD is the directory in just about every organization running Windows. Let me see. What does that work out to be? 99% of them out there?</p> </blockquote>  <p>Here is my point. Martin says &quot;AD is <em>the</em> directory...&quot;. I say that &quot;AD is <em>a</em> directory...&quot;, and that too because Windows forced it on those enterprises, not because of their Identity Management needs. Yes, almost all the Fortune 500 have AD, but are they using it as an Identity Store, or as a Windows Account Store (which is <em>very</em> different)?</p>  <p>Obviously our opinions are shaped by our experiences. My experiences, coming from the provisioning world, would be different from James's or Jackson's. In a lot of the projects we were involved in, AD was a downstream repository, a target of the provisioning system and not the source of identity data. That was usually an HR system or, more often, a Sun directory. Most of the time, the provisioning system would push the bare minimum attributes to AD to enable the Windows environment to work.</p>  <p>In a few deployments, we actually were responsible for populating a directory with identity data so it could act as an identity store for other applications. Most of the time, that directory was a Sun directory. So while AD may be more widely deployed, I would contend that based on my small but relevant sample size, Sun is dominant in the Identity Store business. And that is really what we are talking about here - what applications should be going to for their identity data. Sure, AD being more widely deployed positions it to be used as an identity store, but that is seldom the case, primarily because AD administrators often closely guard their environments and do not want it overloaded with data or consuming applications.</p>  <p>Again, when James asks about practical futures, my hope is that the future eliminates all such arguments about directories and metadirectories by having applications code against Identity Services APIs, like the IGF APIs or the Higgins IdAS APIs. James asked what we at Oracle are doing to help application developers. Clayton mentioned our work on the IGF, and the APIs that are being defined as part of it that eliminate the need for application developers to have to worry about LDAP, instead providing simple APIs that use a provider model to get the data from wherever it needs to. And I have joined the Burton Group's Identity Services Working Group (now that it is open to vendors), where I hope to work with the community to help advance the concepts and reality of Identity Services. Hopefully, soon, this will be a question that nobody will need to ask any more.</p>
<p>By the way, why is it that architectural purists don't ask when Microsoft will make it possible for Windows environments to work against any directory and not just AD, but Oracle Applications must support directories other than OID? In the end, both Microsoft and Oracle are wrong to push proprietary stores into deployments, contributing to the mess we have.</p>]]>
      
   </content>
</entry>
<entry>
   <title>Delving deeper into Relationship-based RBAC</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/talkingidentity/2008/07/delving_deeper_into_relationsh.html" />
   <id>tag:blogs.oracle.com,2008:/talkingidentity//77.5324</id>
   
   <published>2008-07-11T22:04:03Z</published>
   <updated>2008-07-11T23:34:56Z</updated>
   
   <summary>Ian Glazer thinks that I have opened Pandora&apos;s box by talking about the need to bring context and intent into the area of RBAC by using relationships (one of many ways to express context). I think it&apos;s a topic ripe...</summary>
   <author>
      <name>Nishant Kaushik</name>
      
   </author>
   
   <category term="rbac" label="RBAC" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="relationshipmanagement" label="Relationship Management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="relationshipbasedrbac" label="Relationship-Based RBAC" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="rolemanagement" label="Role Management" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/talkingidentity/">
      <![CDATA[<p>Ian Glazer <a href="http://www.tuesdaynight.org/2008/07/10/context-and-intent-nishant-kicks-the-rbac-hornets-nest.html" target="_blank">thinks that I have opened Pandora's box</a> by talking about the need to bring context and intent into the area of RBAC by using relationships (one of many ways to express context). I think it's a topic ripe for some discussion, so I'm glad to be the one taking the lid off.</p>  <p>Mat Hamlin left an interesting comment on my previous post, in which he tried to understand what exactly I was trying to say. He asks:</p>  <blockquote>   <p>In your scenario, is Patient Y in a particular Role that has a relationship with the Attending Doctor Role? Or is it attribute based? Role to Role relationships could be modeled, but real-time, logic based Role to attribute (or individual) relationships fall outside Role definition, IMO.</p>    <p>There are too many scenarios pertaining to the relationship of the two individuals (and the surrounding conditions). What if Doctor X is not allowed to treat infants, and Patient Y is an infant. Or what if Doctor X is a contractor and is not allowed to treat patients with a certain insurance? Or has this patient ever reported a complaint against this doctor? What if this data changes often?</p> </blockquote>  <p>Let me explain how relationship-based roles are defined, and how they address the scenario I posed in my previous post.</p>  <p>When discussing Relationship-based RBAC, one will usually find that, by necessity, the access control policies are defined by people different from the people who will manage relationships. Thus, the admitting nurse or the triage desk may create an &quot;<em>Assigned Doctor</em>&quot; relationship between Dr. X and Patient Y when Patient Y is admitted. These people, working the front line, are unaware (as they should be) of access control issues and needs. Their job is to simply find a doctor to assign the patient to. They are usually the ones making decisions about the creation of the relationship based on things like whether the patient is an infant, what specialization the doctor has, etc.</p>  <p>The folks designing the access control policies in the back-end systems want to set up a policy that defines what the doctor assigned to a patient has access to in the system - charts, history, personal information, etc. So they define an access control policy that states that anybody in the &quot;<em>Attending Doctor</em>&quot; role has access to resources &quot;Charts&quot;, &quot;History&quot;, &quot;Personal Information&quot;, etc.</p>  <p>The real meat is in defining the &quot;<em>Attending Doctor</em>&quot; role, and how it is used in the system. A relationship-based role is a new kind of structure, different from the statically defined roles or dynamically defined (attribute-based) roles that we commonly see in systems today. Most roles simply have a <em>member</em> concept, and an authorization decision based on a role simply checks whether the interacting user is a member of the authorized role. However, a relationship-based role has a <em>member relationship</em> concept, with each relationship having two end-points. So in Relationship-based RBAC, the authorization decision is based on looking at the member relationships of the role, and determining whether the interacting user is one end of a relationship while the protected resource is connected to the other end of that same relationship.</p>  <p>Thus, you can have hundreds of doctors connected to thousands of patients using the &quot;<em>Assigned Doctor</em>&quot; relationship, but one &quot;<em>Attending Doctor</em>&quot; role that knows how to handle those thousands of relationships in its authorization context.</p>  <p>This is a very powerful concept, especially as social graphs start making their way into enterprise application contexts. So we are going to see more demand for systems that can handle this kind of requirement.</p>]]>
      
   </content>
</entry>

</feed>
