More Consolidation for the API Economy

24.04.2013 by Craig Burton

CA Technologies acquires Layer 7, MuleSoft acquires Programmable Web, 3Scale gets funding

It is clear that the API Economy is kicking into gear in a big way. Last week, Intel announced its acquisition of Mashery, this week, CA Technologies announced its acquisition of Layer7 , MuleSoft announced its acquisition of ProgrammableWeb and 3Scale closed a round of funding for 4.2M.

Money is flooding into the API Economy as the importance of APIs only heightens. Expect this trend to continue.

The upside of this flurry of activity is the focus being given to the API Economy.

But here is my assessment.

CA’s acquisition of Layer7 doesn’t necessarily bode well for Layer7 or its customers. CA as a large vendor will probably take longer than Layer 7 would do independently for defining and delivering on the roadmap, but they might put far more power behind such roadmap and its execution. Layer7 needs an upgrade and needs to move to the cloud. CA has a clear Cloud strategy it executes on – look at IAM and Service Management where a large portion of the products is available as cloud service; there is a strong potential for CA putting far more pressure behind the required move of Layer 7 to the cloud. Let’s see what happens there.

MuleSoft’s acquisition of ProgammableWeb is a little weird. John Musser is an independent well-spoken representative of the API Economy. MuleSoft has an agenda with its own platform. Does MuleSoft let Musser continue to be an independent spokesperson? Where does this lead to? All answers unknown.

3Scale gets a round of funding for 4.2M. It plans to add more extensions to the product and grow its international distribution with the funds.

Lots of activity here. Curious to see what happens next.

However, one thing is clear: The API Economy is going mainstream.


Intel Announces Mashery Acquisition

23.04.2013 by Craig Burton

From partnership to acquisition Let there be no confusion. Intel is a hardware company. It makes microchips. This is its core business. History shows that companies do best when they stick to their roots. There are exceptions. At the same time, Intel has always dabbled in software at some level. Mostly in products that support the chip architecture. Compilers, development tools and debuggers. From time to time, however, Intel ventures into the software business with more serious intentions. Back in 1991, Intel acquired LAN Systems in attempt to get more serious into the LAN utility business. This direction was later abandoned and Intel went back to its knitting as a chip vendor. Recently, Intel has started again to be serious about being in the software business. Its most serious foray was with the purchase of McAfee in 2010 to the tune of some 7.6 billion. A pretty serious commitment. We wrote recently about Intel’s intent to be a serious player in the Identity Management business with its composite platform Expressway API management. With that approach, Intel was clear that it had an “investment” in Mashery that would remain an arm’s length relationship best supporting the customer and allowing maximum flexibility for Mashery. In general, I like this approach better than an acquisition. Acquisitions by big companies of little companies are don’t always turn out for the best for anyone. Since then, it is clear that Intel management has shifted its view and thinks that outright ownership of Mashery is a better plan. While we agree that outright ownership can mean more control and management of direction, it can also mean the marginalization of and independent group that could possibly act more dynamically on its own. It is still too early to tell exactly how this will turn out for Intel and its customers, it will be important to watch and see how the organization is integrated into the company.


Posted in API Economy, Identity Management | Comments Off

Another Case for IDMaaS

17.04.2013 by Craig Burton

Identity Management is a universal problem

When I pay my electric bill I usually just call the power company and give them my credit card. This month I decided that I should go set up auto payments on the web site and be done with it. So I opened the power company web site and attempted to login. Clearly the site recognized me, the login name I usually use was being recognized, but I just could not remember my password. I tried all of the normal passwords I use and none of them were working.

So I attempted to retrieve my password, it gave me an option of having the password reset sent to my email address or answering secret questions. I opted to have it sent to my email address. I waited. Nothing showed up in my email box. I looked in the spam folder, still nothing. I went back to the web site and this time I opted for being asked the secret question…..”What is your favorite color”. Oh man, I don’t know. Depends on my mood and what day it is. I don’t remember what I put in there for my favorite color. Ok. Let’s try “Blue.” Good, that worked. Wow. I am in. Hey. This isn’t my account? WTF?

Now I know there are two other Craig Burton’s living in Utah. Apparently I have just accessed the electricity billing account of one of them by guessing both the user name and secret question. And the secret question was “blue?”

Off the top of my head I would say the Electric Company has a severe security leak in it.

Of course I didn’t do anything to this account. I could see that his email address was just sent another request to change the name and password. I hope he did that.

This was an ugly incident that could have been much uglier if I was malicious.

Here is my point, a uniform cloud-based Identity management system could be used to prevent this kind of thing. As it stands, every single web site has its own set of code used to prevent inappropriate access. A scenario bound to create the blatant hole I ran into.

Of course the other side of the coin is that if the cloud-based identity management system had a hole in it, everybody would have the hole. Then again, the fix would fix everybody. Trade-offs but I still think the cloud-based Identity Management as a Service is where we are headed in the future.


Posted in Identity Management | Comments Off

It Takes a Community to Manage an API Ecosystem

28.11.2012 by Craig Burton

Intro

Starting at the EIC 2012 I have been talking and presenting a lot about The API Economy. The API Economy has become a strategic topic for organizations. As one can expect with a hot topic, there are many opinions and views on the matter. Therefore there a many comments, blog posts and articles written about The API Economy.

Needless to say it is tough to keep track of everything being said or to track any given thread. I should start off by saying the questions asked by this blog post are appropriate and need to be answered.

The DataBanker thread

An interesting thread that I have been following for a while has inspired me to make a few comments about exactly what I mean by an API and to add additional data about the actual API numbers.

The people over at DataBanker published a piece in Sept. entitled “Personal Identity in the Cloud. What’s a Programmer to Do?

The author then goes on to cite the numbers I have used in several presentations to derive the actual number of APIs that we are looking at dealing with over the next five years. First he questions the accuracy of the numbers and their implications.

“I have to admit, the statistics from the Apple announcement, especially when combined with the view from Cisco, definitely make one stop and think. But Craig Burton’s blog post has apocalyptic overtones that I don’t think are accurate.”

Next he starts to ask questions about what I actually mean when referring and API.

“When Craig Burton refers to “20+ billion APIs all needing distinct identities”, what I believe he is actually referring to is interconnections and not discrete APIs.”

And finally the author states that the Identity Ecosystem being established by NSTIC will be used to address the problems brought on by The API Economy.

“Managing identity – entity or personal – within the Cloud certainly has some unique challenges. Fortunately, there are substantial communities such as the NSTIC Identity Ecosystem and projectVRM that are focused on defining standards for creating, validating, managing, and transacting trusted identities as well as looking at the broader issue of how individuals can control and assert their identity and preferences when engaging products, services, and vendors within this expanding internet of things. Multiple solutions will likely be proposed, developed, will co-exist, and eventually consolidate based on the collective wisdom and adoption of the cloud community. That community – or ecosystem – is really the key.”

So let me address each of these in turn.

The Apple and Cisco numbers and their apocalyptic overtones

First off, let me say that the numbers I quote from the iPhone5 announcement — while a little overwhelming — are very conservative. Mary Meeker — partner with Kleiner Perkins, Caufield and Byers — recently gave a talk about the growth of the device market. In that talk, she pointed out that the Android Phone is ramping up 6 times faster than the iPhone.

“By the end of 2013, Meeker expects there to be 160 million Android devices, 100 million Windows devices, and 80 million iOS devices shipped per quarter.”

If you can believe the first axiom of the The API Economy — Everything and Everyone will be API Enabled — the significance of this additional research on the numbers of devices being shipped is non-trivial. The current methods being used to provision and manage the identities associated with these devices are broken and cannot scale to address the issue. Call that Apocalyptic if you want, but ignoring the facts do not make them go away.

Interconnections not APIs

As I pointed out earlier DataBanker then supposes that what I mean 26+ billion APIs is referring to “interconnections and not discrete APIs.”

I am actually referring to a conservative number of discrete APIs. Here is how APIs work. Every API must have a unique identity. Not necessarily unique functionality, but a unique ID.

But DataBanker did find the missing information in my numbers. I didn’t include relationships and interconnections. I didn’t include them in the equation because I wanted to keep things somewhat simple. Fact is, each interconnection and relationship also needs an API and a unique ID. Thus the number of actual APIs we are looking at are 3 to 5 times bigger than the numbers I outlined originally.

NSTIC Identity Ecosystem will address the problem — NOT

Here is where DataBanker and I start to agree — at least sort of.

It will take a community to address The API Economy explosion in identities management requirements. Further the NSTIC and ProjectVRM communities can help, but neither of these in their current state address the matter. For more information about what NSTIC is in this context, read this blog post.

The Ecosystem required to address billions of Identities and APIs is one that can be automated. Programmed. In order to address a programmable web, we need a programmable ecosystem to accompany it.

We are calling this ecosystem Identity Management as a Service.

Summary

I continue to stand by my numbers and projections of the implications being brought on by the API Economy. I see that in the near future, everything and everyone will be API enabled.

I also see a great number of people and organizations that do understand this issue and are moving forward with intention to address it and to succeed with the API Economy.

Links

http://blogs.kuppingercole.com/burton/2012/09/21/salesforce-identity/

http://blogs.kuppingercole.com/burton/2012/06/05/microsoft-is-finally-being-relevant/

http://blogs.kuppingercole.com/burton/2012/06/21/making-good-on-the-promise-of-idmaas/

http://blogs.kuppingercole.com/burton/2012/06/06/what-i-would-like-to-see-first-from-idmaas/

http://www.id-conf.com/sessions/1001

http://blogs.kuppingercole.com/burton/2012/09/21/salesforce-identity/

http://techcrunch.com/2012/11/05/mary-meeker-internet-trends/

http://databanker.com/2012/09/20/personal-identity-in-the-cloud-whats-a-programmer-to-do/

http://slashdot.org/topic/cloud/rise-of-the-api-economy-in-the-cloud/


NSTIC Update

24.09.2012 by Craig Burton

National Institute of Standards and Technology awards $9M to support trusted identity initiative

Introduction

On September 20, 2012, the National Institute of Standards and Technology (NIST) announced more than 9 million USD dollars of grant awards in support of the National Strategy for Trusted Identities in Cyberspace (NSTIC).

The grants were awarded to five consortiums. All of the big. All of them representing different views and technologies with strong focus on identity, security, and trust.

NSTIC Background

While many identity and security professionals are familiar with the Obama administrations NSTIC program, many international professionals are not. In order to address all of KuppingerCole’s constituents, some background information is useful.

The impetus for the NSTIC policy move by the Obama Administration is part of the Cyberspace Policy Review published in June 2009. The administration appointed Howard Schmidtin a new Cyber Security Coordinator position. Schmidt is a well-known security expert and is experienced in international security policies and technologies.

On Tuesday, December 22, 2009, Schmidt was named as the United States’ top computer security advisor to President Barack Obama. Previously, Schmidt served as a cyber-adviser in President George W. Bush’s White House and has served as chief security strategist for the US CERT Partners Program for the National Cyber Security Division through Carnegie Mellon University, in support of the Department of Homeland Security. He has served as vice president and chief information security officer and chief security strategist for eBay.

Prior to joining the Obama Administration, Schmidt served as President of the Information Security Forum and President and CEO of R & H Security Consulting LLC, which he founded in May 2005.He was also the international president of the Information Systems Security Association and a board member of the Finnish security company Codenomicon, the American security company Fortify Software, and the International Information Systems Security Certification Consortium,commonly known as (ISC)². In October 2008 he was named one of the 50 most influential people in business IT by readers and editors of Baseline Magazine.

Source: Wikipedia

Under Schmidt’s direction and managed by NIST, the first draft of NSTIC was published in draft form in June of 2010. The draft received much criticism for the lack of privacy protection for individuals and the size of the role played by the government. A final draft was rewritten and published in May of 2011. In the final draft, the role of the government was reduced and privacy issues were addressed.

The stated objectives of the NSTIC initiative are:

NSTIC is a White House initiative to work collaboratively with the private sector, advocacy groups and public-sector agencies. The selected pilot proposals advance the NSTIC vision that individuals and organizations adopt secure, efficient, easy-to-use, and interoperable identity credentials to access online services in a way that promotes confidence, privacy, choice and innovation.
“Increasing confidence in online transactions fosters innovation and economic growth,” said Under Secretary of Commerce for Standards and Technology and NIST Director Patrick Gallagher. “These investments in the development of identity solutions will help protect our citizens from identity theft and other types of fraud, while helping our businesses, especially small businesses, reduce their costs.”
NSTIC envisions an “Identity Ecosystem” in which technologies, policies and consensus-based standards support greater trust and security when individuals, businesses and other organizations conduct sensitive transactions online.
The pilots span multiple sectors, including health care, online media, retail, banking, higher education, and state and local government and will test and demonstrate new solutions, models or frameworks that do not exist in the marketplace today.

The Announcement

As expected, NIST picked big consortiums with big ideas for identity and trust across a broad spectrum on technologies and market segments. Here is what the basics are about its choices for the consortiums:

“These five pilots take the vision and principles embodied in the NSTIC and translate them directly into solutions that will be deployed into the marketplace,” said Jeremy Grant, senior executive advisor for identity management and head of the NSTIC National Program Office, which is led by NIST. “By clearly aligning with core NSTIC guiding principles and directly addressing known barriers to the adoption of the Identity Ecosystem, the pilot projects will both promote innovation in online identity management and inform the important work of the Identity Ecosystem Steering Group.”

The grantees of the pilot awards are:

The American Association of Motor Vehicle Administrators (AAMVA) (Va.): $1,621,803
AAMVA will lead a consortium of private industry and government partners to implement and pilot the Cross Sector Digital Identity Initiative (CSDII). The goal of this initiative is to produce a secure online identity ecosystem that will lead to safer transactions by enhancing privacy and reducing the risk of fraud in online commerce. In addition to AAMVA, the CSDII pilot participants include the Commonwealth of Virginia Department of Motor Vehicles, Biometric Signature ID, CA Technologies, Microsoft and AT&T.
Criterion Systems (Va.): $1,977,732
The Criterion pilot will allow consumers to selectively share shopping and other preferences and information to both reduce fraud and enhance the user experience. It will enable convenient, secure and privacy-enhancing online transactions for consumers, including access to Web services from leading identity service providers; seller login to online auction services; access to financial services at Broadridge; improved supply chain management at General Electric; and first-response management at various government agencies and health care service providers. The Criterion team includes ID/DataWeb, AOL Corp., LexisNexis®, Risk Solutions, Experian, Ping Identity Corp., CA Technologies, PacificEast, Wave Systems Corp., Internet2 Consortium/In-Common Federation, and Fixmo Inc.
Daon, Inc. (Va.): $1,821,520
The Daon pilot will demonstrate how senior citizens and all consumers can benefit from a digitally connected, consumer friendly Identity Ecosystem that enables consistent, trusted interactions with multiple parties online that will reduce fraud and enhance privacy. The pilot will employ user-friendly identity solutions that leverage smart mobile devices (smartphones/tablets) to maximize consumer choice and usability. Pilot team members include AARP, PayPal, Purdue University, and the American Association of Airport Executives.
Resilient Network Systems, Inc. (Calif.): $1,999,371
The Resilient pilot seeks to demonstrate that sensitive health and education transactions on the Internet can earn patient and parent trust by using a Trust Network built around privacy-enhancing encryption technology to provide secure, multifactor, on-demand identity proofing and authentication across multiple sectors. Resilient will partner with the American Medical Association, Aetna, the American College of Cardiology, ActiveHealth Management, Medicity, LexisNexis, NaviNet, the San Diego Beacon eHealth Community, Gorge Health Connect, the Kantara Initiative, and the National eHealth Collaborative.
In the education sector, Resilient will demonstrate secure Family Educational Rights and Privacy Act (FERPA) and Children’s Online Privacy Protection Act (COPPA)-compliant access to online learning for children. Resilient will partner with the National Laboratory for Education Transformation, LexisNexis, Neustar, Knowledge Factor, Authentify Inc., Riverside Unified School District, Santa Cruz County Office of Education, and the Kantara Initiative to provide secure, but privacy-enhancing verification of children, parents, teachers and staff, as well as verification of parent-child relationships.
University Corporation for Advanced Internet Development (UCAID) (Mich.): $1,840,263
UCAID, known publicly as Internet2, intends to build a consistent and robust privacy infrastructure through common attributes; user-effective privacy managers; anonymous credentials; and Internet2′s InCommon Identity Federation service; and to encourage the use of multifactor authentication and other technologies. Internet2′s partners include the Carnegie Mellon and Brown University computer science departments, University of Texas, the Massachusetts Institute of Technology, and the University of Utah. The intent is for the research and education community to create tools to help individuals preserve privacy and a scalable privacy infrastructure that can serve a broader community, and add value to the nation’s identity ecosystem.

High Level Analysis

In terms of government initiatives, NSTIC has been moving at lightning speed. Jeremy Grant has been a proactive advocate of the initiative and is articulate and capable leader. It shows from the choices of these consortiums and their constituents.

At the same time—9 million dollars spread across five initiatives; each with many mouths to feed—does not go very far and can be used up very quickly. It will be interesting to see how far each will proceed over the next twelve months. I chose 12 months because I can’t see how the money awarded to each group will last much longer than that.

Each group will need to put a plan together and execute in that time frame if they are to survive.

Over the next short period, we will take a closer look at each initiative, what their respective architectures look like, and what the specific objectives are in their roles in the identity ecosystem outlined my NIST.

Of course, I will be paying special attention to what each consortium has planned as an API Economy strategy. Each will need to have a solid API design that gives all of the other groups API access to all of the services through both the Web Services legacy (SOAP) and the emerging API Economy imperative (RESTful).

If each group does not have a solid SOAP/RESTful API strategy, they simply will not succeed—either individually or as a whole.

I know it sounds strange coming from me that an organization should continue embracing the SOAP legacy, but there are just too many government and non-profit organizations that cannot afford to jump to the real world quickly and must continue carrying the burden of the past. So it is sometimes.

Of course there are many more issues involved with success of this initiative beyond APIs, these issues will be covered more in depth in subsequent KuppingerCole reports and activities at the EIC Conference in May 2013.

Nonetheless, we see this movement by the NIST of granting these award as positive and will have reverberating impact on the Identity community—across the glove—for the good for some time to come.


Salesforce Identity

21.09.2012 by Craig Burton

Identity Management as a Service (IdMaaS) gets a new 500lb guerilla

Introduction

When I first heard of Salesforce’s Identity announcements this week at Dreamforce, I was reminded of the old joke “Q:Where does a 500lb. gorilla sit? A: Anywhere he wants.”

Salesforce Identity makes Salesforce the new 500lb gorilla in the Digital Identity jungle.

Announcement Details

You can read the basic details of the announcement on Chuck Mortimore’s blog. Here is a quick summary:

What is Salesforce Identity?

Salesforce Identity provides Identity and Access Management (IAM) services for Web and mobile applications, delivered through the simplicity, transparency, and trust of the Salesforce Platform.

  • For users, Salesforce Identity means no more frustration juggling passwords for each application. Login once and seamlessly access all your applications and data using Single Sign-On from a single, social Identity.
  • Administrators gain control and flexibility over access to applications by automating identity and access management processes through the simplicity you’ve come to expect from Salesforce.
  • CIOs can leverage existing authentication investments, while gaining control and peace-of-mind over your cloud investments via centralized reporting and deprovisioning.
  • Developers can build Web, mobile or tablet applications on the Salesforce Platform or on any third-party platform through simple standards based integration.
  • ISVs can tap into the power and distribution of AppExchange and Login with Salesforce regardless of where their app runs, be that Force.com, Heroku, mobile, or any other cloud.

High Level Analysis

I find is so fascinating that the laggard in joining the Cloud Computing parade—Microsoft—was the first to announce an IdMaaS initiative in a very low key understated way. And that the leader in the SaaS movement—Salesforce—shouts its IdMaaS strategy from the rooftops at its mainstream technology conference with Marc Benioff leading as the main spokesperson. It so underlines how clueless Steve Ballmer is to the issues facing Microsoft and its customers.

Identity, and solving the problem of Identity in a Cambrian Explosion of Everything is job 1.

  • There are some people at Microsoft that know this. This does not include Steve Ballmer.
  • As of today, everybody at Salesforce knows it and can’t avoid it. Marc Benioff made the announcement and outlined the vision for Identity in Salesforce’s future.

Putting it another way, the Computing Troika—Cloud Computing, Mobile Computing, and Social Computing—have forced to surface the issue of digital identity being the keystone technology issue for everything.

Without a tractable implementation of identity for the entire industry to use—think IdMaaS—all entrances to the future of computing collapse—the identity keystone holds it all together.

With Salesforce entering the IdMaaS business with its substantial vision, leadership and technology resources cannot help but have a positive effect for everyone in the long term.

Of course we will have to wait and see exactly what Salesforce delivers in the initial IdMaaS implementation, but Chuck Mortimore has an impeccable track record and knows his stuff.

I am impressed and will follow up after more information is available.


SAML is Dead! Long Live SAML!

19.09.2012 by Craig Burton

Answers to the unanswered questions from the webinar

Introduction

Last Friday on Sept. 14, Pamela Dingle—Sr. Technical Architect from Ping Identity Corp.—and I conducted a free webinar about the much ballyhooed demise of SAML.

You can view the webinar in its entirety on the KuppingerCole website.

To us, the best measurement of interest in any given webinar is the drop off rate. Just how many people drop off during the presentation? We were very pleased in the interest of the topic for the number of attendees and for that fact that no one dropped off from the presentation and Q&A.

However, we did not have the time to answer all of the questions presented. The following is a sequence of questions and answers that were left open.

It could be a little disorienting to read this Q&A if you didn’t attend the webinar, I recommend watching the webinar first to avoid any confusion or misunderstanding.

Webinar Questions and Answers

Q: Since the organizations are still not migrated entirely to API, i.e. still we have web browser based applications. So my question is instead of implementing different solutions one for browser based applications and one for API. Do you suggest a common way to support both the users? Thanks

A: Using APIs does not preclude using the browser to access the information and resources provided by the API. In fact, using the browser for API access is quite common. The sub context of this presentation is that it is not limited to the request-response browser model that we know and love for traditional applications. We are now moving beyond the model to an interactive model.

Q: As a follow up these companies could help us “leap frog” to newer protocols very quickly much like some countries skip the notion of “land line” because it’s easier to deploy cellular.

A: Great metaphor. Indeed the combination of RESTful API interface (HTTP), OAuth, JSON, UMA, SCIM, and webhooks are the technologies that I think are the leapfrog technologies.

Q: Many companies are outsourcing IT functions to outside providers, at what point do we just take this to the n-th degree and just let an org like Google or Apple handle identity for us? Is that too scary?

A: I think the answer lies in a simple question, is it the vendor that manages your identity your customer, or are you their customer. If the answer is the latter, it is very scary indeed. As long as we have the expectation of having Identity Management be free, and act as customers of the vendors that provide that service, they will be monetizing our identities to pay for the service. It will be up to the corporation or individual to choose which direction to take.

Q: What about devices not directly linked to people? I.e. do you have numbers that include the Internet of Things?

A: I tried to keep the numbers focused and understandable. Including inanimate and non-digitized items just increases the whole argument. Look for more info on numbers in future conversations.

Q: Have you considered the impact of the availability of global identities on the problem you sketched?

A: I don’t think the availability of a global identity reduces any of the issues in the arguments. Global identities—assuming it will ever happen—just compounds the problem.

Q: Ok, Craig, how do you deal w/ 2.8B identities – who numbers them? Who vets them? What fraud is possible? What is the metasystem – and does it really matter whether it is OAuth/SAML/OpenID?

A: This is a multipart question and I will answer them in turn. First off it is 28 billion and not 2.8. 1). Different organizations—both open and private—will number these entities. 2). Some of them will be vetted and some not. This becomes a big problem we are still grappling with, especially when no single Identity Provider can even be considered to be the validation resource for even a fraction of the entities we are talking about. Look for more information on Trust Frameworks to understand more on this topic. 3). Yes, fraud is possible. Fraud will always be an issue. It needs to be minimized. I think we are on an encouraging course to resolve these matters. 4). The only Metasystem proposed so far is the Identity Management as a Service architecture being designed by Kim Cameron at Microsoft in the form of Azure Active Directory. 5). Finally, in the end the protocols won’t matter just as the argument of CSMA vs Token Ring no longer matters. We will simply moved up the stack. It gets a little more complicated at this level because there are no more layers in the stack to move up to. This is all layer 7 stuff. Layer 7.5?

Q: Will you to be talking about this at IIW 15?

A: I am registered for IIW 15 and plan to attend. I will coordinate with Pamela to see if we can repeat this session during the conference.

Q: Just want to echo Pam’s point that the combinatorial explosion is over estimate. Not all users & devices will connect to all services. The real world ecosystems sees users congregate in niches.

A: I think the combinatorial explosion is an underestimate. Pam’s soft pedaling of the numbers are still staggering. If you recall, she thought that most organizations could look at the provisioning of devices in the 1000s or 10s of thousands. OK. To date, anything over 150 starts to create huge administrative overhead. This is not going to go away or be minimalized by downplaying what has already happened. 400M iOS devices alone. The numbers are staggering.

Conclusion

Thanks for the great questions and participation. I look forward to seeing people at IIW. I encourage anyone who attended this conference to attend IIW and the EIC next May in Munich.


Making Good on the Promise of IdMaaS

21.06.2012 by Craig Burton

As a follow up to Microsoft’s announcement of IdMaaS, the company announced the — to be soon delivered — developer preview for Windows Azure Active Directory (WAAD). As John Shewchuk puts it:

The developer preview, which will be available soon, builds on capabilities that Windows Azure Active Directory is already providing to customers. These include support for integration with consumer-oriented Internet identity providers such as Google and Facebook, and the ability to support Active Directory in deployments that span the cloud and enterprise through synchronization technology.

Together, the existing and new capabilities mean a developer can easily create applications that offer an experience that is connected with other directory-integrated applications. Users get SSO across third-party and Microsoft applications, and information such as organizational contacts, groups, and roles is shared across the applications. From an administrative perspective, Windows Azure Active Directory provides a foundation to manage the life cycle of identities and policy across applications.

In the Windows Azure Active Directory developer preview, we added a new way for applications to easily connect to the directory through the use of REST/HTTP interfaces.

An authorized application can operate on information in Windows Azure Active Directory through a URL such as:

https://directory.windows.net/contoso.com/Users(‘Ed@Contoso.com’)

Such a URL provides direct access to objects in the directory. For example, an HTTP GET to this URL will provide the following JSON response (abbreviated for readability):

{ “d”:  {
 "Manager": { "uri":"https://directory.windows.net/contoso.com/Users('User...')/Manager" },
 "MemberOf": { "uri":"https://directory.windows.net/contoso.com/Users('User...')/MemberOf" },
 "ObjectId": "90ef7131-9d01-4177-b5c6-fa2eb873ef19",
 "ObjectReference": "User_90ef7131-9d01-4177-b5c6-fa2eb873ef19",
 "ObjectType": "User",
 "AccountEnabled": true,
 "DisplayName": "Ed Blanton",
 "GivenName": "Ed",
 "Surname": "Blanton",
 "UserPrincipalName": Ed@contoso.com,
 "Mail": Ed@contoso.com,
 "JobTitle": "Vice President",
 "Department": "Operations",
 "TelephoneNumber": "4258828080",
 "Mobile": "2069417891",
 "StreetAddress": "One Main Street",
 "PhysicalDeliveryOfficeName": "Building 2",
 "City": "Redmond",
 "State": "WA",
 "Country": "US",
 "PostalCode": "98007" } 
}

Having a shared directory that enables this integration provides many benefits to developers, administrators, and users. If an application integrates with a shared directory just once—for one corporate customer, for example—in most respects no additional work needs to be done to have that integration apply to other organizations that use Windows Azure Active Directory. For an independent software vendor (ISV), this is a big change from the situation where each time a new customer acquires an application a custom integration needs to be done with the customer’s directory. With the addition of Facebook, Google, and the Microsoft account services, that one integration potentially brings a billion or more identities into the mix. The increase in the scope of applicability is profound. (Highlighting is mine).

Now that’s What I’m Talking About

There is still a lot to consider in what an IdMaaS system should actually do, but my position is that just the little bit of code reference shown here is a huge leap for usability and simplicity for all of us. I am very encouraged. This would be a major indicator that Microsoft is on the right leadership track to not only providing a specification for an industry design for IdMaaS, but also is on well on its way to delivering a product that will show us all how this is supposed to work.

Bravo!

The article goes on to make commitments on support for OAuth, Open ID Connect, and SAML/P. No mention of JSON Path support but I will get back to you about that. My guess is that if Microsoft is supporting JSON, JSON Path is also going to be supported. Otherwise it just wouldn’t make sense.

JSON and JSON Path

The API Economy is being fueled by the huge trend of accessibility of organization’s core competence through APIs. Almost all of the API development occurring in this trend are based of a RESTful API design with data being encoded in JSON (JavaScript Object Notation).  While JSON is not a new specification by any means, it is only in the last 5 years that JSON has emerged as the preferred — in lieu of XML — data format. We see this trend only becoming stronger.

JSON Path is to JSON what XPath is to XML. The following table shows a simple comparison between XPath and JSONPath.

xPath

JSONPath

Description

/

$

the root object/element
.

@

the current object/element
/

. or [ ]

child operator
..

n/a

parent operator
//

..

recursive descent
*

*

wildcard
@

n/a

attribute access. JSON structures don’t have attributes
[ ]

[ ]

subscript operator. XPath uses it to iterate over element collections and predicates. For JSON it is the native array operator.

|

[,]

Union operator in XPath results in a combination of node sets. JSONPath allows alternate names or array indices as a set.

n/a

[start:end:step] array slice operator

[ ]

?()

applies a filter (script) expression
n/a () script expression
() n/a grouping in XPath

Summary

As an industry, we are completely underwater in getting our arms around a workable — distributed and multi-centered identity management metasystem — that can even come close to addressing the issues that are already upon us. This includes the Consumerization of IT and its subsequent Identity explosion. Let alone the rise of the API Economy. No other vendor has come close to articulating a vision that can get us out of the predicament we are already in. There is no turning back.

Because of the lack leadership (the crew that killed off Information Cards)  in the past at Microsoft about its future in Identity Management, I had completely written Microsoft off as being relevant. I would have never expected Microsoft to gain its footing, do an about face, and head in the right direction. Clearly the new leadership has a vision that is ambitious and in alignment with what is needed. Shifting with this much spot on thinking in the time frame we are talking about (a little over 18 months) is tantamount to turning an aircraft carrier 180 degrees in a swimming pool.

I am stunned, pleased and can’t wait to see what happens next.

Reference Links

Identity Management as a Service — Original blog post by Kim Cameron

Reimagining Active Directory for the Social Enterprise (Part 1) — John Shewchuk’s post about Windows Azure Directory

Microsoft is Finally Being Relevant — My response to the announcement of IdMaaS

Reimagining Active Directory for the Social Enterprise (Part 2) — Shewchuk’s follow up post

The API Economy — KuppingerCole publication


Freedom of Choice != Your Choice of Captor

10.06.2012 by Craig Burton

Earlier this week I posted a first-look analysis of Microsoft’s Cloud-based Identity Metasystem (IDMaaS).In that analysis I stated:

Microsoft is not only doing something innovative — but profoundly innovative.

On June 7, Nishant Kaushik (Chief Architect at Identropy) wrote on his blog (How Do Governance Controls fit into IDMaaS?):

I’ll be honest, I’m having a little trouble seeing what is so innovative about WAAD itself. How is the fact that becoming an Office 365 customer automatically gives you an AD in the cloud that you can build/attach other Azure applications to that differentfrom Oracle saying that deploying a Fusion Application will include an OUD based identity store that the enterprise can also use for other applications?

I’m not going to address the question about governance controls as I think Dave Kearns — my colleague at KuppingerCole — addressed this matter nicely already.

Why is Microsoft’s Vision of IDMaaS so Profoundly Innovative?

Nishant must not have read my post very carefully. In my explanation of why Microsoft’s vision for IDMaaS is so profound, he failed to notice that I never once mentioned WAAD (Windows Azure Active Directory) or Office 365. There is a reason for that. I am not applauding Microsoft’s — or any other vendor’s — implementation of IDMaaS.

What is so profound about this announcement is that Microsoft is following Kim Cameron’s directives for building a Common Identity Framework for the planet, not just for a vendor.

In 2009 Kim Cameron, Reinhard Posch and Kai Rannenberg wrote Proposal for a Common Identity Framework: A User-Centric Identity Metasystem.

In section 5.4 of that document, the authors spell out the requirement for customer Freedom of Choice.

Freedom of Choice

Freedom of choice for both users and relying parties refers to choice of service operators they may wish to use as well as to the interoperability of the respective systems.

This definition is quite different than the freedom of choice Mr. Kaushik writes about in his blog piece. I posit that the Microsoft vision is so profound because it is built on a definition of Freedom of Choice that fits the above description and not where the customer is free to choose a particular captor.

And so I state again:

Freedom of Choice != Your Choice of Captor

Microsoft’s vision has changed the playing field. Any vendor building IDMaaS that is not meeting the Freedom of Choice requirements defined here is no longer in the game. That is profoundly innovative because this is truly a vision that benefits everyone — but mostly the customer.


LinkedIn Hacked—More Reason for IdM in the Cloud

07.06.2012 by Craig Burton

On June 6, 2012 LinkedIn was hacked and user accounts — names and passwords — were compromised.

linkedin-11369628

Follow LinkedIn’s advice on addressing the matter.

There are just two things I want to say about this.

1. Service Providers should build hardened systems up-front

Any service provider that has a security architecture that stores names and passwords on a server somewhere has an unacceptable system design.

There is simply NO excuse for letting this happen — EVER.

LinkedIn management is acting like hashing and salting passwords is some new thing that they are all over as a result of the compromise.

This is silly, hashing and salting should have happened in the first place, not as an afterthought.

2. One More Reason for IDMaaS

If LinkedIn was using IDMaaS for its Identity Management instead of its own “yet-another-funky-id-system” — it would not be standing knee deep in PR feces with egg on its face.

This is because the designers of IDMaaS services are specialized in Identity and security. That is all they do. No social connecting, no email or friending. Just managing Identity in the cloud.

Specialized core services for all of your systems design in the cloud fits in with best practices of good systems design. It is just too expensive and hard for every company to have the required expertise to design hardened systems in today’s IT environment.

Summary

The sooner we can start building on an Identity Metasystem design, the better.

Even scarier than LinkedIn being hacked — you can almost guarantee that many other cloud-based services you are using have a similar “yet-another-funky-id-system” design for IdM.

Scarier still — these systems probably won’t get fixed until they are compromised.


Services
© 2014 Craig Burton, KuppingerCole