Friday Jul 31, 2009

Top Ten Catalyst Takeaways

It has been a great few days in San Diego attending the Burton Group Catalyst Conference.  It is always refreshing and invigorating to hear what others have to say, both in formal sessions and in ad hoc conversations.  I previously posted the key points for the sessions I attended on Day 1, Day 2 and Day 3.

Here is my list of the most important ideas or concepts I gleaned from the conference.
  1. The biggest challenges facing the Identity Management industry are business issues, rather than technology.
  2. Much more discussion focused on the process of Identity Management than the tools of Identity Management. 
  3. Discussions about user-centric or user-controlled Identity were focused more on what the practical business models might be, rather than on enabling technology.
  4. The quest for business efficiency has perhaps overtaken regulatory compliance as the most important driver for Identity Management.
  5. Role management, while still having challenges, is very much in the mainstream of implementation and use.
  6. Federation has become a foregone conclusion, rather than a theoretical exercise.
  7. Entitlement management is gaining traction, but still needs much, much work.
  8. Several Identity Services companies are emerging as recognition is growing that Identity as a service is critical to cloud computing.
  9. Privacy has emerged as a leading topic in its own right, rather than a subordinate topic within discussions of security and Identity Management.
  10. The terminology used within the Identity Management market is still not precise, particularly in areas such as role management and entitlements management.
I'd be happy to discuss any or all of these in more detail.  Please drop me a line and let's talk.

Thanks for stopping by.


Catalyst Conference, Day 3 (Friday, July 31)

This morning's Privacy Track was the most intellectually stimulating set of sessions for me in the Catalyst Conference.  The blend of theoretical background and practical application of privacy principles was a good combination.  I certainly don't consider myself a privacy expert, so I learned much and gained valuable perspective, both from the point of view of an Identity Management practitioner and as a person who values personal privacy. Hats off to Burton Group for assembling an excellent set of speakers.

Here are the high points for me:

Privacy: Principles Yield Practice
Bob Blakley (Burton Group)
  1. Privacy is not about data, it is about people
  2. Protecting privacy means putting oneself in the place of another and understanding the consequences of your actions
  3. Privacy means different things in different contexts
  4. Privacy principles:
    1. accountability
    2. transparency
    3. meaningful choice
    4. minimal collection and disclosure
    5. constrained use
    6. data quality and accuracy
    7. validated access
    8. security
  5. Put principles into context - then derive set of rules
  6. IdM systems have much personal data in them.  Are we protecting the dignity of the people we know things about?

Privacy Issues Related to Healthcare and Identity
Speaker: David Miller (Covisint)
  1. IAM is not a security thing.  It is a privacy thing.
  2. Security is about keeping people out; privacy is about letting the right people in.
  3. Electronic Medical Records (EMR) are being dictated by legislation, but have challenges to overcome, including:
    1. authentication
    2. authorization
    3. data exists in many places
    4. patient access to records depends on many factors
    5. many organizations want access to information
    6. regulatory issues
    7. legal/tort issues
  4. One solution is a central Health Information Exchange (HIE).
  5. Several different organizations at the national, state and health care organization level approach HIEs differently.

Privacy - how to have a productive multi-stakeholder discussion
Robin Wilton (Future Identity Ltd.)
  1. Privacy is usually a multi-stakeholder discussion
  2. It is difficult for stakeholders to articulate their view of privacy problems in a way that other stakeholders understand
  3. Use the "Onion Model" to explore and use levels of importance of personal information
  4. Use the "Ladder Model" to facilitate different viewpoints about privacy
  5. We are doing all this technical interaction in online networking as if it works the same way as face to face interaction, but it does not.
  6. "Privacy management" implies being aware of relationships and contexts, and acting accordingly.
  7. Technology is not an automatic answer to privacy.

A Dual Mission: Identity Management and Privacy Protection in the Federal Government

Bob Mocny, Director, DHS-VISIT Program - Department of Homeland Security
  1. Identity management is critical to national security
  2. US VISIT - check credentials for visitors into
  3. 100 million biometric records used for authentication, 200K transactions/day - largest in the world
  4. Built privacy into architecture of system
  5. Secure facilities and networks are in place to protect privacy
  6. Redress process to correct personal information in the system is essential
  7. No more important condition between the government and the people it protects than trust
  8. US VISIT built trust into the biometric system

Joint Q&A
Bob Blakley (Burton Group)
Bob Mocny (Department of Homeland Security)
Robin Wilton (Future Identity Ltd)
David Miller (Covisint)
  1. Privacy-enhancing governance is difficult (e.g. if you request that your PII be deleted from a list, is your PII still on the audit trail?)
  2. Much explicit effort and many systems are necessary to avoid unintended consequences of amassing large amounts of personal information.
  3. People who have grown up in a hyper-connected, pervasive-surveillance world tend to have different perspectives on privacy than older people for whom personal information was secret by default.
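The question in point 1 (does a deletion request reach the audit trail?) is a design problem as much as a policy one. As an added example, not something the panel presented, here is one pattern for honoring a deletion request without rewriting the trail: the audit records never hold the raw identifier, only an HMAC pseudonym computed under a per-subject key kept in a separate store. Forgetting the person means destroying that key, so the records stay intact for accountability but can no longer be linked back to anyone. Class and method names, the sample identities and the activity are all constructed for the illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class AuditEntry:
    subject: str    # keyed pseudonym, never the raw user identifier
    action: str
    resource: str


class PrivacyPreservingAudit:
    """Audit trail that records a per-subject HMAC pseudonym instead of the user id.

    Per-subject keys live in a separate, deletable key store. Destroying a
    subject's key ("crypto-shredding") keeps every record for accountability
    while making it impossible to link those records back to the person.
    Hypothetical design for illustration only.
    """

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}      # user_id -> per-subject key
        self._entries: list[AuditEntry] = []

    def _key_for(self, user_id: str) -> bytes:
        # Fresh random key per subject; a user who returns after being
        # forgotten gets a new key and therefore a new, unlinkable pseudonym.
        if user_id not in self._keys:
            self._keys[user_id] = secrets.token_bytes(32)
        return self._keys[user_id]

    @staticmethod
    def _pseudonym(key: bytes, user_id: str) -> str:
        return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()

    def record(self, user_id: str, action: str, resource: str) -> None:
        key = self._key_for(user_id)
        self._entries.append(AuditEntry(self._pseudonym(key, user_id), action, resource))

    def entries_for(self, user_id: str) -> list[AuditEntry]:
        """Link records back to a user; only possible while that user's key exists."""
        key = self._keys.get(user_id)
        if key is None:
            return []
        pseudonym = self._pseudonym(key, user_id)
        return [e for e in self._entries if e.subject == pseudonym]

    def forget(self, user_id: str) -> bool:
        """Honor a deletion request by destroying the subject's key, not the records."""
        return self._keys.pop(user_id, None) is not None

    def holds_raw_identifier(self, user_id: str) -> bool:
        """Sanity check: the trail itself must never contain the raw identifier."""
        return any(user_id in (e.subject, e.action, e.resource) for e in self._entries)

    def __len__(self) -> int:
        return len(self._entries)


def demo() -> dict:
    """Constructed scenario: two users act, then one asks to be forgotten."""
    audit = PrivacyPreservingAudit()
    audit.record("alice@example.com", "read", "/records/123")
    audit.record("alice@example.com", "update", "/records/123")
    audit.record("bob@example.com", "read", "/records/456")
    linkable_before = len(audit.entries_for("alice@example.com"))
    forgotten = audit.forget("alice@example.com")
    return {
        "linkable_before": linkable_before,
        "forgotten": forgotten,
        "linkable_after": len(audit.entries_for("alice@example.com")),
        "records_kept": len(audit),
        "raw_id_in_trail": audit.holds_raw_identifier("alice@example.com"),
        "bob_still_linkable": len(audit.entries_for("bob@example.com")),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: the unlinkability only holds if the key store is genuinely separate from the trail (and its backups are destroyed too), and the action and resource fields can still act as quasi-identifiers if they are specific enough, so minimal collection applies to them as well.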

Partnering via Privacy
Ian Glazer (Burton Group)
  1. Increased regulatory action, higher penalties, more people looking at privacy - all increase the attention companies must focus on privacy.
  2. Increased reliance on partners requires companies to understand privacy practices of partners.
  3. Perform Privacy Impact Assessments (PIA) to determine where we are, how we got here, and how changes can impact risks.
  4. PIA - opportunity to look at mission goals, design goals and privacy principles - are they in alignment?
  5. Reduce privacy risk by "cleaning your basement"
    1. Scary basements (something might be illegal)
    2. Messy basements (policy in place, but not well-applied)
  6. Procurement process is the best place to ask tough questions about partner privacy practices.

The Watchmen: UCLA & Georgetown Protect and Defend Privacy and Data Security
Heidi Wachs (Georgetown University)
  1. Although Georgetown University and UCLA have significant differences in size, organization and operational practices for privacy policy, the incident response process is quite similar
  2. Both suffered significant privacy breaches
  3. Response depends on what data is actually "acquired" vs. how much was "exposed"
  4. Privacy breaches triggered much public press and discussion
  5. New policies implemented quickly as a result of the breach have been difficult to implement

How Google Protects the Privacy of Our Users

Shuman Ghosemajumder (Google)
  1. Google global design principles: transparency, choice, security.
  2. End to end security is an essential part of every Google Service.
  3. Google Latitude: make privacy choices very visible and easily accessible, with opt-out at multiple levels.
  4. Street view: blur faces and license plates automatically, but allow individuals to request blurring if automated process fails.
  5. Interest-based advertising: give users control over categories and opt out at different levels of granularity.
  6. Gmail: contextual ads caused concern - because of its proximity to and dependence on personal email.
  7. Data retention: Google anonymizes IP addresses in logs after 9 months.
  8. Google chose paradigm of "opt-in after the fact", rather than offering "opt-in beforehand" to not disrupt the user experience or advertising ecosystem.
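Point 7 describes a retention rule rather than a mechanism. As an added example (not Google's code, and the post says nothing about how Google does it), here is what such a sweep looks like in practice: entries older than the retention window get their client address irreversibly coarsened, newer entries are left alone, and anything the parser cannot read is kept verbatim rather than guessed at. The log layout, the 270-day approximation of "9 months" and the prefix lengths used for masking are all assumptions.

```python
from __future__ import annotations

import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed log layout: "<ISO-8601 timestamp> <client ip> <request>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<rest>.*)$")

# Nine months approximated as 270 days (assumption; the post gives no exact figure).
RETENTION = timedelta(days=270)


def anonymize_ip(ip_text: str) -> str:
    """Irreversibly coarsen an address by truncating it to a network prefix.

    The prefix lengths (IPv4 /24, IPv6 /48) are an assumption for this example;
    the point is that the original address cannot be recovered afterwards.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return ip_text          # not an address (e.g. "-"): leave the field alone
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def sweep(lines: list[str], now: datetime, retention: timedelta = RETENTION) -> list[str]:
    """Return the log with IPs anonymized on every entry older than the retention window."""
    cutoff = now - retention
    out: list[str] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            out.append(line)    # unparseable line: keep verbatim rather than guess
            continue
        try:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        except ValueError:
            out.append(line)    # first field is not a timestamp: keep verbatim
            continue
        if ts.tzinfo is None:
            ts = ts.replace(tzinfo=timezone.utc)   # assume UTC for naive stamps
        if ts < cutoff:
            line = f"{m['ts']} {anonymize_ip(m['ip'])} {m['rest']}"
        out.append(line)
    return out


SAMPLE_LOG = [  # constructed entries
    "2009-01-15T10:00:00Z 203.0.113.45 GET /search?q=privacy",
    "2009-07-01T10:00:00Z 198.51.100.7 GET /maps",
    "2009-02-01T10:00:00Z 2001:db8:abcd:1234::5 GET /mail",
    "malformed line without a timestamp",
]


def demo(now_iso: str = "2010-01-31T00:00:00+00:00") -> list[str]:
    """Run the sweep at a fixed 'now' so the result is reproducible."""
    return sweep(SAMPLE_LOG, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Truncation was chosen over hashing deliberately: a hashed address with a small input space can be brute-forced back to the original, whereas a /24 or /48 prefix cannot be reversed. The remaining risk is re-identification through the request field itself, which a real sweep would have to consider too.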


Thursday Jul 30, 2009

Contrast in Characters - Rapper and Prophet

For a guy whose theatrical credits are limited to an obscure high school play and boy scout skits, this week has been a high point in playing the part of interesting characters.

Last Saturday, I led a Pioneer Day celebration parade dressed as Brigham Young, the Mormon Prophet.  Wednesday night, I dressed the part of a 1980's rapper in the Sun Microsystems Catalyst Conference hospitality suite.  Thanks to Ian Glazer for the rapper photo and to my wife Claudia for the photo of Brigham on a horse.

Great times!


Catalyst Conference, Day 2 (Thursday, July 30)

Day two of the Catalyst Conference was also packed with good information.  Key points from sessions I attended are included below.

Please let me know if you would like to discuss any of these topics.

Maximum Value for Minimum Investment: Getting the Most from Your IdM Infrastructure
Mark Diodati (Burton Group)
  1. Mid tier vendors growing organically with integrated administration.
  2. Just because one product in a suite fits your needs doesn't guarantee that the other products in the suite fit your needs.
  3. Microsoft is typically not considered a full IdM vendor, but because Microsoft owns the desktop and the de facto workflow engine (Exchange), they have strong potential.
  4. Identity services may enable integration of multiple Identity silos - entitlement management, WAM, Provisioning, eSSO ...
  5. LDAP has emerged as the default protocol of Identity services - the center of the IdM universe.
  6. Coexistence of AD, Sun DS, OID, etc., will be with us for a long time.
  7. What next? Assess where you are. Play to your strengths. Invest in initiatives that deliver value quickly.
  8. Align ERP and IdM strategies.

Identity Management: Making It Pay Off at Allstate Insurance

Eric Leighninger (Allstate Insurance)
  1. Key goal: manage identities for people, applications and platforms, with digital personae for each.
  2. Establish service catalog from which people can request services.
  3. Make enterprise directory single source of record - although subordinate directories are used.
  4. Built integrated Identity system that addresses internal and customer-facing needs.
  5. Started within the enterprise - then worked outward to customers.
  6. Identity-based encryption key management services will allow them to manage keys as efficiently as users.
  7. Will need to consider virtual directory because identity repository environment is getting more complex.

Small Identity Management Project, Big Returns: One Bank’s ESSO Experience
Steven Craige (Bank of the West)
  1. Justification for ESSO: reduce time and expense on password change.
  2. Goal: single ID with single password.
  3. At two year mark, password changes down 33% - all savings may not be attributable to ESSO.
  4. ROI target: 48 months.
  5. Difficult to get business groups to move apps to ESSO.
  6. Getting senior management's support is essential.
  7. Decide what you want to achieve and what you can afford.
  8. Chose ESSO as first step - other IdM projects may follow.

Leveraging Active Directory to Improve UNIX Identity Management
Mark Diodati (Burton Group)
  1. Companies want centralized policy management of Unix and Windows systems via Windows group policy
  2. The market is converging for privileged account management, AD Bridge and Unix Security products
  3. Explosive growth in this market is driven by heightened focus by auditors and demand for improving Unix security
  4. Efficiency is a major driver: cost reduction, enhanced productivity, sign-on reduction
  5. Can a robust IdM system be effectively deployed without securing the operating system first?

Case Study: Bridging the Gap between Active Directory and Non-Windows Systems and Servers
John Matthew (NBC Universal)
  1. After failing SOX audits for Unix account management, they found that password policy was not enforced, account management and change management were poor, and resource accounts were in widespread use.
  2. Considered off the shelf, open source or "roll your own" options.
  3. They chose open source technology (Likewise) because the software was free, but they could buy support.
  4. The Likewise product was augmented with a database to keep track of relevant data, scripting to automate repetitive processes and a wiki to report status.
  5. Integrated with IdM system. Workflow manages AD to handle group membership for SOX compliance.
  6. Small team (2 guys) did most of the implementation.
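The audit findings in point 1 are the kind of thing a small team can check mechanically before (and after) bridging Unix accounts into AD. As an added example, not the session's material and not Likewise code, here is a compact audit over constructed /etc/passwd and /etc/shadow content that flags the same classes of problem: no maximum password age, a maximum age looser than policy, passwords past their maximum age, extra UID 0 accounts, and service-range UIDs left with an interactive shell and a usable password (the usual shape of a shared resource account). Thresholds, account names, hashes and finding codes are all assumptions for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass

# Policy thresholds (assumptions for this example, not any organisation's real settings).
MAX_PASSWORD_AGE_DAYS = 90
SYSTEM_UID_MAX = 999                  # UIDs 1..999 are treated as service accounts
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/ksh", "/bin/zsh"}
TODAY = 14_456                        # days since the epoch, roughly 2009-07-31 (constructed)


@dataclass(frozen=True)
class Finding:
    account: str
    code: str       # stable identifier for the issue class
    detail: str     # human-readable explanation


def _int_or_none(field: str) -> int | None:
    return int(field) if field.strip() else None


def parse_passwd(text: str) -> dict[str, tuple[int, str]]:
    """name -> (uid, login shell) from /etc/passwd-formatted text."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        accounts[name] = (int(uid), shell)
    return accounts


def parse_shadow(text: str) -> dict[str, tuple[str, int | None, int | None]]:
    """name -> (password hash, last-change day, max age days) from /etc/shadow-formatted text."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw_hash, lastchg, _min, maxdays = line.split(":")[:5]
        entries[name] = (pw_hash, _int_or_none(lastchg), _int_or_none(maxdays))
    return entries


def audit(passwd_text: str, shadow_text: str, today: int = TODAY) -> list[Finding]:
    """Apply the policy checks to every account; findings come back in passwd order."""
    findings: list[Finding] = []
    shadow = parse_shadow(shadow_text)
    for name, (uid, shell) in parse_passwd(passwd_text).items():
        interactive = shell in INTERACTIVE_SHELLS
        if uid == 0 and name != "root":
            findings.append(Finding(name, "uid0_not_root", "additional superuser account"))
        entry = shadow.get(name)
        if entry is None:
            if interactive:
                findings.append(Finding(name, "no_shadow_entry", "interactive account without shadow record"))
            continue
        pw_hash, lastchg, maxdays = entry
        if pw_hash == "":
            findings.append(Finding(name, "empty_password", "account has no password at all"))
        usable = not pw_hash.startswith(("!", "*"))   # "!" / "*" prefixes mean locked or disabled
        if not (interactive and usable):
            continue                                   # nologin or locked: password aging is moot
        if maxdays is None or maxdays >= 99999:
            findings.append(Finding(name, "never_expires", "no maximum password age set"))
        elif maxdays > MAX_PASSWORD_AGE_DAYS:
            findings.append(Finding(name, "max_age_exceeds_policy",
                                    f"max age {maxdays} days exceeds policy of {MAX_PASSWORD_AGE_DAYS}"))
        elif lastchg is not None and today - lastchg > maxdays:
            findings.append(Finding(name, "password_past_max_age",
                                    f"password is {today - lastchg} days old, max age {maxdays}"))
        if 0 < uid <= SYSTEM_UID_MAX:
            findings.append(Finding(name, "possible_shared_resource_account",
                                    "service-range UID with interactive shell and usable password"))
    return findings


# Constructed sample files (hashes are placeholders, not real digests).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
oracle:x:500:500:Oracle software owner:/home/oracle:/bin/bash
jsmith:x:1001:1001:John Smith:/home/jsmith:/bin/bash
mjones:x:1002:1002:Mary Jones:/home/mjones:/bin/bash
toor:x:0:0:second superuser:/root:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$constructed$hashA:14400:0:90:7:::
daemon:*:14000:0:99999:7:::
oracle:$6$constructed$hashB:14300:0:99999:7:::
jsmith:$6$constructed$hashC:14400:0:365:7:::
mjones:$6$constructed$hashD:14000:0:90:7:::
toor:$6$constructed$hashE:14450:0:90:7:::
"""


def demo() -> dict[str, list[str]]:
    """Finding codes per account for the constructed sample."""
    report: dict[str, list[str]] = {}
    for f in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        report.setdefault(f.account, []).append(f.code)
    return report


if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{f.account:8} {f.code:32} {f.detail}")
```

Run against real hosts, the interesting output is the diff between runs: once accounts are bridged into AD the local shadow entries for people should disappear or be locked, and anything that still shows up here is either a genuine service account to document or a resource account to retire.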

Using Identity Virtualization to Mitigate Risk at Sony Pictures Entertainment
Kunal Mittal (Sony Pictures)
  1. Business drivers for Virtual Directory: single place to manage and report on Identities, improve data quality, reduce cost of providing Identity services and simplify integration with multiple systems.
  2. Technical drivers: provide common view of identity data across different systems, support transition to SOA, offer Identity services to extend to enterprise and SaaS applications.
  3. Privacy policy can be enforced at VDS level.
  4. The system was implemented by a small team in less than four months.

See no Evil, Hear no Evil, Speak no Evil - Identity Governance
Chris Howard (Burton Group)
  1. Tough year - economically, psychologically.
  2. Companies are re-imagining their business models.
  3. The corporate institution is profoundly dysfunctional in many ways, especially for society's purposes, but also for capitalism.
  4. The corporate institution is ripe for reinvention.
  5. Simplification is a myth: large organizations are complex, IT systems are complex and transparency requires simplicity.
  6. Simplicity is managed complexity.
  7. Obfuscation is borne of complexity.  Some obfuscation is intentional, but most is unintentional. Obfuscation in IT is not a surprise.
  8. Forces impacting enterprise IT: Externalization (e.g. cloud, outsourcing), Democratization (how I choose to work) and Consumerization (multiple devices and freedom of choice).
  9. Remediating the existing IT environment doesn't automatically reinvent the corporation.

The “3 Rs of IdM”: Roles, Risk and Regulatory Compliance
David Griffeth, VP Enterprise Identity Management - RBS Citizens Bank
  1. Automated provisioning doesn't equal Identity management
  2. Main goals - definition and maintenance of roles and certification of access
  3. Involve both system owners and department managers in role definition
  4. Value of roles: access certifications are simpler, compliance is easier, drastic reduction in risk, entire account lifecycle is properly controlled
  5. Document roles to enable easy understanding

Making IdM Infrastructure More Transparent
Gerry Gebel (Burton Group)
Mike Rollings (Burton Group)
  1. Governance is not possible without transparency.
  2. An access and identity governance layer is emerging as distinct from the run time IdM infrastructure services layer.
  3. Governance enables a closed loop, including: configure policy, assign privileges, monitor activity, certify environment, determine access.
  4. Complexity is the enemy of transparency and friend of the status quo.
  5. Several customers are still building their own provisioning systems, based on workflow systems already in place, to work the way their business works.
  6. Use business intelligence tools to provide functionality and interface more in line with business person's perspective.

Security and Governance as Competitive Advantage for SaaS
Tim Madewell (Innotas)
  1. Governance is Visibility, Control, Reliability and Predictability.
  2. Governance for operations is part of the service in the SaaS model.

Vendor Lightning Round - 2
Tom Smith, CEO - Conformity
  1. SaaS management solution
  2. centralized administration, usage analytics and reporting, workflow and process integration
Venkat Raghavan, Director Product Management, Security, Risk and Compliance - IBM
  1. IBM Tivoli Security: delivering on IBM Security Strategy
  2. identity and access assurance, data and application security, security management for System z
Andy Han, VP & GM, Products - NextLabs
  1. NextLabs product suite 4.5
  2. data security in collaborative environments - protecting data on the move
Ulrich Lang, CEO - ObjectSecurity
  1. application security policy automation
  2. development tool suite add-on
Rohit Gupta, Sr. Director, Product Management - Oracle
  1. Service-Oriented Security for Application developers
  2. Oracle/Sun will be best IdM system in the world
Jackson Shaw, Quest
  1. OneIdentitySolution
  2. simplify identity infrastructure around AD
Dieter Shuler, Radiant Logic
  1. VDS context edition
  2. VDS is an abstraction layer between inflexible data stores and apps that want to consume that data

Catalyst Conference, Day 1 (Wednesday, July 29)

I have thoroughly enjoyed this week at the Burton Group Catalyst Conference in San Diego, California.  It has been good to take the pulse of the Identity Industry, re-connect with old friends and meet new people.  I would have enjoyed attending the Cloud Computing or Mobility tracks this year, but stayed with my old standby, the Identity track.  Key points I gleaned from the sessions I attended are included below.  If you would like to review my complete notes on any session or discuss any of these topics, please send me a comment.

Thanks for stopping by.

2009: Upheaval In The Identity Market
Bob Blakley (Burton Group)
  1. The expanding identity universe is changing in three dimensions:
    1. scale - moving both to small (SaaS, SMB) and massive (consumers, social networks)
    2. control - moving from centralized to distributed (de-perimeterization, outsourcing)
    3. focus - moving from business to individual
  2. An infrastructure is evolving that will allow us to transform from being just an "account" in a system to being a "person" in a world where physical and virtual worlds are no longer distinct.

Identity Management: No Time Like the Present
Lori Rowland (Burton Group)
Bob Blakley (Burton Group)
Mark Diodati (Burton Group)
Gerry Gebel (Burton Group)
Ian Glazer (Burton Group)
Kevin Kampman (Burton Group)
  1. Much more focus on efficiency, short ROI and accelerated time to value.
  2. Strong market for IdM during tough economic times; pent up demand will probably fuel growth when economy recovers because organizations have discovered new requirements as they use IdM systems.
  3. Oracle acquisition of Sun is strongly impacting the industry.
  4. Oracle will probably not abandon the Sun user base.
  5. Need to re-define or clarify IdM terms, such as provisioning, roles, entitlement management and privileged user/account management.  These terms have grown to mean too many things or are ill-defined in the industry.
  6. SPML is re-emerging as a potentially important standard.
  7. Identity and access governance may emerge as an architectural layer distinct from provisioning and role management.
  8. The uptake on role management is tremendous.
  9. Federation will be default protocol for cloud computing.
  10. Interoperability and integration continue to be large challenges.

Two Billionths of a Second after the Big Bang - Where Is Consumer Identity?
Michael Barrett (PayPal)
  1. Many consumers have too many online identities to effectively manage.
  2. Consumer Internet interactions are repetitive, frustrating and littered with outdated info.
  3. Super scale: billions of Internet users; millions of relying parties.
  4. Effective consumer-managed Internet Identity infrastructure is needed.
  5. We don't have a "network effect in action" for consumer Identity, and we need one.
  6. The problem is not fundamentally about technology; consumer-managed Internet identity will depend on financial benefit for participants.
  7. A fourth role in the Internet Identity process may be the "assertion provider" or "attribute broker" (e.g. credit bureaus).
  8. PayPal may be interested in being an IdP; other candidates include eBay, Google, Facebook, Microsoft.

The Identity Services Market
Bob Blakley (Burton Group)
  1. The value proposition for cloud computing is not lower cost, but time to value.
  2. Independent service vendors can provide slices of Identity functionality - customers design how they are packaged together.
  3. The market is building with small firms offering discrete billable units in areas such as vetting, provisioning, logon, risk scoring and user experience augmentation.
  4. Azigo and Kynetics are examples of enabling users to be "recognized", rather than "interrogated".
  5. The "pay as you go" aspect of services will force people to explicitly focus on business value, not just technology.

Externalizing Authorization in a large scale Software-as-a-Service Environment
Steve Merritt (Hoover's, Inc.)
  1. Hoover's need was driven by complex needs for delivering business information to users, based on subscriptions.
  2. Requirements included
    1. fine grained control
    2. flexible - different types of objects, apps
    3. complex entitlements
    4. dynamic groups
    5. centralized administration
    6. easy application integration - easy to use API or standard protocol
    7. scalable
    8. multitenant
    9. integration with enterprise IdM solutions
  3. Evaluated build vs. buy.
  4. Selected Cisco Enterprise Policy Manager (formerly Securent).
  5. Critical element in implementing entitlement management is adapting applications to fine grained policy infrastructure.

The Age of Identity Oracles
Mary Ruddy (Meristic, Inc.)
Ron Carpinella (Equifax)
Tom Oscherwitz (ID Analytics)
Rick Rubin (OneHealthPort)
Denise Tayloe (CEO, Privo)
  1. "Identity Oracles" deliver value individual companies can't provide for themselves.
  2. Achieving critical mass and establishing de facto community standards are essential to adoption.
  3. To build critical mass, it can be helpful to bring large group up to a low level of security, rather than a few people to high level of security.
  4. These markets will see more government regulation unless the industry can demonstrate it can self-regulate.
  5. Many solutions failed because they don't walk the line between assurance and usability.

Roles: The Real, the Imaginary, and the Broken
Kevin Kampman (Burton Group)
  1. Speaking as voice from the customer, based on feedback from customers.
  2. Vendor products tend to be focused on a particular aspect, but not the whole space.
  3. Tools tend to be oriented toward technologists, not the business community.
  4. Efficiency and compliance are still major drivers.
  5. Governance of role management initiatives is essential - usually in concert with overall Identity Management governance.
  6. Execution is a classic project management challenge: identify scope, manage priorities, establish metrics, recognize challenges.
  7. Many people, from business and technology viewpoints, must work together effectively to achieve success.
  8. Roles bring value to downstream processes like provisioning and entitlement management.
  9. To start, pick well-understood domains, with fairly stable populations, where there is a real problem to be solved.
  10. Quality data is critical - you must be able to rely on it.

Empower the Business with Identity Management
Robert Amos (NuStar Energy)
  1. Funded project based on efficiency for HR department.
  2. Managers and role owners must agree to new process.
  3. Work with simple role structure first.

Role Management - Leveraging the Investment

Paul Rarey (Safeway, Inc)
  1. Focus on highest value: using 25 roles addressed 60% of the problem.
  2. Choose roles by focusing on high volume of people change and malleability of business process.
  3. The identity warehouse, which holds trusted and aligned Identity data from multiple sources, provides the foundation.
  4. Roles support more than RBAC; they support good decision making: is right person in the right place doing the right thing?

The Intersection of Roles and Entitlement Management
Kevin Kampman (Burton Group)
Alice Wang (Burton Group)
  1. Assigning entitlements directly to users doesn't scale, lacks flexibility, is not agile and increases compliance risk.
  2. Policy: glue that binds roles to, or divorces roles from, entitlements.
  3. XACML is a reference model for separating authorization processing out of application, but is not the only one.
  4. Bottom line goal for entitlement management: control access efficiently, with clarity, in compliance with regulations.
  5. Roles facilitate meaningful conversations between different constituencies.
  6. Roles are off to the races ... entitlement management is learning to walk.
  7. How many roles are effective? It comes back to how many to manage effectively.
  8. A role/rule based system is a good way to balance the problem of too many roles.
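Points 2 and 8 above (policy as the glue between roles and entitlements, and a role/rule hybrid to keep the role count down) and the Hoover's requirements list from Day 1 (fine-grained control, dynamic groups, multi-tenancy, externalized from the application) describe the same architecture from two sides. As an added example, not the speakers' material, not XACML and not Cisco EPM, here is a small decision point that shows how those pieces fit: roles grant coarse entitlements, rules refine them with attribute conditions, dynamic groups are computed rather than maintained, and the application only ever asks for a decision. The role catalogue, rule names, tenants and requests are all constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# Roles bind a subject to coarse-grained entitlements (hypothetical catalogue).
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "analyst": {"report:read"},
    "editor": {"report:read", "report:write"},
    "tenant_admin": {"report:read", "report:write", "user:manage"},
}


@dataclass
class Request:
    """Attributes the decision point evaluates: who, what action, on which resource."""
    subject: dict
    action: str
    resource: dict

    @property
    def entitlement(self) -> str:
        return f"{self.resource['type']}:{self.action}"


# Dynamic groups: membership is computed from attributes at decision time,
# so nobody maintains a static member list that drifts out of date.
DYNAMIC_GROUPS: dict[str, Callable[[dict], bool]] = {
    "premium_subscribers": lambda subject: subject.get("plan") == "premium",
}

# Rules refine what a role grants: (name, entitlement scope or "*" for all, predicate).
# Keeping these conditions in policy is what avoids minting a separate role for
# every tenant / plan / lifecycle-state combination.
RULES: list[tuple[str, str, Callable[[Request], bool]]] = [
    ("tenant_isolation", "*",
     lambda r: r.subject.get("tenant") == r.resource.get("tenant")),
    ("premium_content", "report:read",
     lambda r: not r.resource.get("premium")
     or DYNAMIC_GROUPS["premium_subscribers"](r.subject)),
    ("no_write_to_archived", "report:write",
     lambda r: not r.resource.get("archived")),
]


def decide(req: Request) -> tuple[str, str]:
    """Policy decision point: ("Permit" | "Deny", reason). Anything not granted is denied."""
    granted: set[str] = set()
    for role in req.subject.get("roles", []):
        granted |= ROLE_ENTITLEMENTS.get(role, set())
    if req.entitlement not in granted:
        return "Deny", f"no role grants {req.entitlement}"
    for name, scope, predicate in RULES:
        if scope in ("*", req.entitlement) and not predicate(req):
            return "Deny", f"rule {name} failed"
    return "Permit", f"{req.entitlement} granted by role, all rules satisfied"


def demo() -> list[tuple[str, str]]:
    """Constructed requests covering the plain grant, each rule, and the default deny."""
    analyst_basic = {"roles": ["analyst"], "tenant": "acme", "plan": "basic"}
    analyst_premium = {"roles": ["analyst"], "tenant": "acme", "plan": "premium"}
    editor = {"roles": ["editor"], "tenant": "acme", "plan": "basic"}
    report = {"type": "report", "tenant": "acme"}
    premium_report = {"type": "report", "tenant": "acme", "premium": True}
    archived_report = {"type": "report", "tenant": "acme", "archived": True}
    foreign_report = {"type": "report", "tenant": "globex"}
    return [
        decide(Request(analyst_basic, "read", report)),            # Permit
        decide(Request(analyst_basic, "read", premium_report)),    # Deny: premium_content
        decide(Request(analyst_premium, "read", premium_report)),  # Permit via dynamic group
        decide(Request(editor, "write", archived_report)),         # Deny: no_write_to_archived
        decide(Request(editor, "write", foreign_report)),          # Deny: tenant_isolation
        decide(Request(analyst_basic, "write", report)),           # Deny: no role grants it
    ]


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, "-", reason)
```

The application side of point 5 from the Hoover's session is the part that is easy to underestimate: every place the code used to check a group name or a hard-coded flag has to become a `decide()` call carrying the right attributes, and the tenant isolation rule only protects you if the resource's tenant is supplied from trusted data rather than from the request.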

Role Management Evolution
Ed Coyne (SAIC, Veteran's Health Administration)
Alan O'Connor (RTI International)
Paul Rarey (Safeway, Inc)
Robert Amos (NuStar Energy)
David Laurance (JPM Chase)
Kevin Kampman (Burton Group)
  1. NIST is preparing to update a 2002 study on economic returns to IT and business from using role based access technologies and methods to look at where wins have occurred and economic benefit can be improved.
  2. Roles can be used as organizing principle for defining, provisioning and interpreting user access and related information.
  3. To effectively define roles, we must talk in the context of business process and workflow.
  4. The term "role" has come to have several different meanings in different contexts.
  5. Standards may be helpful for RBAC systems to interoperate.



Discovering Identity was founded in May 2005 as a means of documenting my exploration of the field of Identity and Access Management. In February, 2010, I switched to hosting the blog at In March 2012, I began posting Oracle-related information in both places.

Thanks for stopping by.

Please connect with me in cyberspace at LinkedIn or Twitter.

The views expressed on this blog are my own and do not necessarily reflect the views of my employer, Oracle Corporation, or any other person or organization.

