As I write this, Red Hat is announcing the acquisition of Identyx, a software company that specialises in open source identity management software. Identyx’s sells fully supported versions of Penrose, a virtual directory and Velo, an open provisioning solution. Both products are based on open source projects hosted at safehaus.org, which was started up by Jim Yang and Alex Karasulu, best known as being a major driver behind the Apache Directory Server project. Identyx business model is typical for open source software providers: a stable, official release from Identyx, priced on basis of a yearly maintenance contract where price depended on the overall response time and level of service.
Why Red Hat? After all, Red Hat has rarely been mentioned in the identity management area. This is not so much because Red Hat has been inactive - not at all, in fact - but identity management at Red Hat has not been marketed much. But that’s about to change. Red Hat has restructured recently and opened up a new business unit called “Management and Security Products” in February. This business unit will be responsible for the directory and certificate server, IPA and the Identyx products.
Red Hat has been acquiring and building several interesting components in the identity area for a while. Red Hat has also acquired what used to be the Netscape Directory Server and Certificate Server from AOL, who inherited them through the acquisition of Netscape by AOL in 1998. For AOL, these software packages were not any core business and just daddled on like neglected stepchildren before finally being sold on to RedHat. RedHat has invested in the development of these products and made them available in a supported and free version under the RedHat and Fedora brands respectively. Although both products are available on multiple UNIX platforms, they have never really been perceived as serious contenders in the identity management space, and have had their success mostly with customers who already had a significant investment in Red Hat’s platform.
Last but not least, Red Hat has funded the FreeIPA (IPA = Identity, Policy and Audit) solution, an integrated security framework currently supporting identity management with plans to add policy management and auditing. This has matured over time, and RedHat will announce the general availability of FreeIPA 1.0 atthe RedHat summit that is currently in full swing. Red Hat has plans to tie Identyx into IPA, as there are many cross-over cases, especially in the integration of Active Directory. Red Hat customers see many cases where Active Directory users and Linux policies need to be managed together and will harness the Penrose virtual directory to provide easy integration through virtualisation. Penrose will also continue to be available separately.
So what is Red Hat’s vision, and why the jump into identity management now? The overall vision is similar to that of BMC and Microsoft who see Identity Management as an important cornerstone of IT infrastructure management. Red Hat especially sees demand in cloud computing models, where customers need agility in their environment to create a flexible IT fabric by consuming IT infrastructure as dynamic workload resources. The security models change when resources are constantly moved around. Control mechanisms need to be in place to ensure security. Audit trails need to be created in order to ensure compliance. Red Hat sees identity management and configuration of machines converging through specialised workflows.
Due to the special nature of most identity management projects, an open source approach can be particularly advantageous. This is because often extensive customisation and integration is part of a deployment, and many parts of these customisations are shareable - something that does not typically happen as easily with shrink wrapped commercial software. However, using open source identity management software has so far been elusive for many enterprises due to a lack of a strong partner. Red Hat’s acquisition of Identyx now allows RedHat to enter the lucrative identity management market with a strong position and a credible offering of products, allowing customers to reap the full benefits of open source identity management by leveraging RedHat’s unique experience and standing in the open source area. Other than Novell and Sun who also offer their own branded Linux open source platforms, Red Hat builds completely on open source. The strategy might pay off, but there is a long steep road still ahead for Red Hat. The acquisition of Identyx has just made that road shorter, and is good news for Identyx’s and Red Hat’s existing customers. We at Kuppinger Cole will be analysing Red Hat in much more detail from now on.
I was at the BMC User World conference in Lisbon last Tuesday, trying to figure ot where BMC is going, specifically in the field of identity management. After all, BMC’s presence in that segment has been surprisingly low-key since several months. Last year, BMC was to be found at every major identity-related conference. Jeff Bohren, BMC’s identity guru was very active in the standardisation efforts around provisioning services and in the identity blogger’s community, and BMC was marked as one of the larger players in the identity space.
Ever since, Jeff Bohren has left BMC to join Sunview Software. From what we at Kuppinger Cole noticed here in Europe was that BMC’s complete identity management pre-sales team in the UK and Germany left around that time frame as well. It didn’t take a conspiracy theorist to figure out that something was up. Had BMC decided to follow HP and quietly discontinue its products, or integrate them in a broader environment? That’s what my colleague Martin asked me to find out, and besides this was in “my turf” - right in Lisbon!
I scheduled a session with BMC’s CTO Tom Bishop and we discussed BMC’s vision and what the outlook for identity management is at BMC.
First of all: BMC is refocusing towards a new strategy around Business Service Management (BSM) and Business Service Automation. Identity plays an important part in a BSM-enabled ecosystem. BSM wasn’t something I was very aware of, but it made a fascinating topic. Therfore, I wanted to share some interesting background information that we received during the keynotes, and especially later in the break-out sessions from Tom himself.
In order to make the case for Business Service Management, an interesting statistic from IDG was presented. With higher complexity of IT systems, the cost of managing these systems also goes up. That should come as no surprise. As virtualisation and SOA becomes more adopted, the amount of systems rise even further and complexity increases even more. What does that mean for enterprises? Well, increased server management and administration costs for one, plus additional power and cooling costs (virtualisation obviously help mitigate the latter two, but again, more system management overhead). So are IT budgets due to increase? That is the last thing enterprises want to hear! So something’s gotta give, or things need to work more efficiently. Can IT run more efficiently? You bet, says BMC’s Tom Bishop. After all, after making every aspect of a business more efficient by automation, the IT departments are usually the largest places of manual labour to be found in any enterprise. Ironic, isn’t it?
BMC believes that there is a huge potential to automate the way that IT departments are being run, and is implementing its vision of Business Service Automation to offer its customers a complete solution to do just that. Business Service Automation, according to BMC’s vision, provides an integration layer to unify the “patchwork” of existing solutions that revolve around the provisioning of systems and software as well as the compliance with internal IT controls. (BTW here the words “provisioning” and “compliance” are used outside of the identity management context). WIth BMC Atrium technology as a central component, and driven by a change management database (CMDB), service support, assurance and automation are integrated, unified and simplified. This drives down maintenance and systems management costs significantly (once you discount the price to pay for the BMC solution, presumably), and allows an enterprise’s IT landscape to grow whilst keeping the management costs at par.
My head was spinning and I was impressed at the same time. I did manage to regain my composure however and had the opportunity to quiz Tom Bishop directly on the future of identity management in BMC’s overall strategy. What is happening with the product line, and why does it seem that BMC has retreated from that space? Tom mentioned that last year, BMC had several business units, out of which Identity Management was one - complete with a presales team. Now that has been reshuffled however, and BMC sees identity as a piece of the overall Business Service Management strategy, and will therefore continue to integrate its identity management products seamlessly within this structure. However, BMC will cease to push “stand-alone” identity management products as it has done before. Customers can still buy the existing products as stand-alone solution, but BMC will focus on the automation and overall integrated approach to service automation.
I tried to prod a bit to see whether there was any indication that BMC might try to fill some of the previous gaps in its “suite”, such as the missing federation piece. Here both Tom and I were caught in the ambiguity trap that opens when the words “federation”, or even “provisioning” are used by people of different technology domains. We identity management folks think about something completely different when we mention “federation”. Tom was thinking on how the change database approach could be used in a federated approach to integrate different services. I later tried to find out whether it was necessary to buy BMC’s identity management components to integrate with the Atrium software and the Business Services Management stack that BMC offers. I did not get a clear answer. Apparently the integrated BSM solution is able to detect when new users join and leave the organisation and an automatic provisioning of software and other services can be configured. Nobody could explain to me however whether or how this could be integrated within a non-BMC identity management - although I am sure that this will be possible, given that it may not be palatable for future customers to install yet another identity provisioning system aside an already running solution that has already been deployed - especially considering the pain and hard work that goes with deploying such systems!
So at least now it’s official! BMC is no longer a player in the traditional identity management market but is instead transforming its offerings to provide an all-integrated approach to automate IT through business service automation and management. Existing customers are still supported, and the products are maintained, but customers will have to look elsewhere for comprehensive identity management solutions, or at least buy the “missing pieces” from other vendors more active in the “pure” identity management sector.
Hewlett-Packard, who recently announced that it would all but retreat from the identity management sector as an independent vendor, has just announced a partnership with Novell. That will settle the many speculations in the industry. As HP had made a significant investment into identity management products, someone would surely be picking up the pieces. And the winner is: Novell!
From the announcement that was made to the analyst community and the subsequent press release, it is pretty clear that HP is looking for an elegant way to divest itself from its product line. Of course, HP cannot and will not leave existing customers hanging, so the previous announcement from HP was to “not actively pursue new customers” for its identity management software anymore. Another way of putting it - but the message is clear: those products are no longer actively pursued, the key employees have long moved on, such as Greg Whitehead who came to HP from Trustgenix, after it was acquired by HP.
If there is any doubt about the future of HP’s product line: Novell is offering a license credit for current HP Identity Center customers and the press release makes frequent use the word “migration”.
HP and Novell will now jointly develop tools to help their respective teams migrate customers away from Identity Center and towards the Novell product offering.
The win for Novell is obvious: a strong influx of new accounts, plus a strong partnership with a key systems player that has just a few days ago announced its intentions to strike it big with services as well - acquiring EDS. On the other side, what is the win for HP, apart from a honourable exit from its products? Surely, after the acquisition of EDS a likely theory would be that there may be some good deals in the pipeline for HP’s new upscaled services division, working closer with Novell. But even though this may be the case, it is very unlikely that the EDS deal and the Novell partnership have had any effect on each other, and although Identity Management is a hot and growing space, it is just a fraction of what EDS did for its customers.
What will be intereting to see however is if and how Novell will take over some of HP’s IdM estate, and how this would be integrated within Novell’s solutions. For example, the Trustgenix federation software, just to note one example, were superior technology at the time of acquisition and still present a formidable stack for the implementation of federation solutions.
A very interesting detail is however not mentioned in the press release: this special partnership is not exclusive at all. This should perhaps be obvious, because HP partners with other companies who also have a significant identity management offering. Curiously also, the press release was not even published in Germany. Although that may seem as an insignificant detail, it has subtle implications: SAP is very strong in the German Identity Management field through its Netweaver offering, and HP makes a lot of money through its partnership with SAP, and will want to keep its options open.
It will be interesting to see the reaction of HP’s Identity Center customers after this announcement. Some have already moved away from Identity Center, or are in the process of doing so. Novell has a well-rounded offering, but it might not always be the right match for existing HP Identity Center customers. Then again, it is likely that some technology gets transfered or licensed to Novell. For most existing Identity Center customers however this is good news, as it lays out a clear path for transitioning over to a solid product line that is established and actively maintained.
Ping Identity recently announced the availability of Version 5.1 of Ping Federate in their blog. What caught my attention was that Ping has now also finally added a feature I (and others) call “auto-provisioning” or “federated provisioning”. In federated environments, when users from other entities visit your site and gain access to services, it is often necessary to store some local data about these users on your system. In very simple cases, this could be user profile data, such as the colour of the background, but there could be much more information that would need to be stored.
So does this mean that by deploying federated environments, you are getting back to the “silo problem” where you have fragments of identity data floating around? Does this mean that as a service provider you must now store identity information, and accounts, and deal with everything that comes with it - including compliance with complex intermingled laws and directives? Ugh!
Don’t panic. In most cases you don’t have to - this can usually be avoided through proper design of the federation scenario. So should you avoid storing any data about external users coming into your system from federated identity providers? Well, this would be nice, but is not always practical. So you often end up having to store something about a user that “arrives” at your site from elsewhere through a federation (or your support of user centric identities).
So here are my recommendations, in no particular order:
Create those “user entries” on the fly - when someone “flies into” your site for the first time through a trusted federated link or an OpenID sign-on, create the user entry then automatically - if it’s not already there. Why? Because the alternative would be setting up a synchronisation service, and you really want to avoid that unless you really, really, REALLY have to…
Avoid storing “personal” data. This will make you resilient against privacy regulations. OK, or at least not expose you any further to them as you already are
In most cases, you already receive some data about the user together with the sign-on token. Try not to store a copy of that data, but instead just keep the data around for the lifetime of the current session. This might not always be practical or even possible. In that case, if you do store it, make sure you update the information when you receive changed data next time in the token.
Don’t turn the stored data into a “live account” by giving a user the option to store a local password, unless you really have a good reason to do so! (I am actually wondering what would be a good reason to do this and can’t think of any!)
If you follow these recommendations, then you can rest assured that you are not creating user accounts. Instead, you are creating “profile entries”. These are not to be counted as “accounts” or “identities” when the auditors arrive, because the profile entries themselves don’t carry any entitlement per se - you are not authenticating user entries. You are instead just keeping track of, say, a user’s preferences. That is a completely different type of animal.
Another good reason, especially for the first recommendation is that you’ll be saving yourself a lot of maintenance if you provision “on the fly” as opposed to manage synchronisation links (including the headaches that come with it). Again, the world is not perfect, and you may find yourself with your back to the wall surrounded by synchronisation links that all cry for constant love and tending.
I could go on and on, but instead I’ll refer to the presentation “How to efficiently manage external identities” that my colleague Stefan Rohr and I held at EIC 2008. Hmm. Somehow I can’t find the link to it. I guess that’ll have to be added tomorrow.
Obviously these recommendations come from the use cases that I’ve been seen or have even been personally involved in. I’d be really interested in YOUR use cases. Do you agree with my recommendations? Did I perhaps overlook anything, or am I just plainly wrong or “not applicable” in some scenarios? Please let me know by either commenting, or if you prefer, email me.
As I already wrote in my last blog, one of my personal highlights at the European Identity Conference was the discussion that I had with Dale Olds, Jackson Shaw, Kim Cameron and Dave Kearns on the concept of the “Identity Bus” of the future. It’s now online! So here you go, enjoy
We’re obviously just at the very beginning, but hopefully we’ve kicked off a good discussion to be continued via our blogs, papers, etc! I think it is very important that we do this and solve many issues around identity. A new type of identity plumbing, indeed. Let’s keep up the momentum that’s been building over the last few weeks - now is the time to do it
Thanks to my colleagues Bernd and Alexei who’ve been working hard to digitalise and cut the videos that we’ve shot at the European Identity Conference 2008. And of course, a big THANK YOU from my side to Dale, Jackson, Kim and Dave!
The European Identity Conference 2008 closed its doors last Friday, and for me it has been a fantastic event in all aspects. Obviously you should take my comments with a grain of salt as I am working for Kuppinger Cole and am therefore part of the organising team. However, I have never before attended a conference that combined such a breadth of topics, number and quality of speakers and depth. Many conferences are either at the “C*O level” or pure “geek conferences”. At the former, the geeks still intermingle since they are brought to the event to do exactly that, or to showcase their solutions. At the latter, it’s mostly tech-talk, pure and deep. EIC 2008 covered the whole range and therefore appealed to everyone as well as offering unique opportunities to learn more about the topics from other points of view.
The agenda was packed, and including BoFs (bird of feather sessions) many days went straight from 7 in the morning to 7 in the evening. I was actually surprised that so many people actually showed up at 7 AM for the integrated breakfast + BoF sessions. And yes - unfortunately having many tracks going on in parallel can be frustrating for those who are interested in multiple topics at once. But I think the track organisation has been done pretty well after a lot of fine-tuning, and besides - we’d all love to meet for two weeks, but nobody in charge would sign off on the travel request!
The identity federation track that I moderated was packed to the brim. Good to know - we definitely need a larger room for next time! Some people were standing, and we had to open the windows. Conor Cahill kicked off the track to give a overview of the technology within the area. He had a lot of ground to cover, and since the agenda was packed, I joked that he had agreed to speak faster in order to keep the presentation to 30 minutes. In fact that’s exactly what he did - finishing with still 5 minutes left for questions. He just emailed me his presentation and it will go online tomorrow to join all the other presentations already downloadable (those who attended the conference will have received the link). We followed with an experts panel discussing the current state of federation technology and where it’s likely to go, and where new technologies such as information cards will fit in. After that we had two user presentations: Anton Shmagin from the United Nations talked about a unique multi-technology and multi-protocol federated circle of trust in three months and how the organisational, political and of course technical challenges were solved. After that, Brian Puhl spoke about Identity Federation tales from the trenches at Microsoft. Brian is a real barnstormer and his presentations are excellent, funny, insightful and offer many nuggets of information that you wouldn’t get anywhere else. He is in Microsoft’s IT department, and in charge of Microsoft’s internal Active Directory systems. He uses the term “dogfooding” to describe what he is often asked to do - use beta versions coming from devlopment and putting them to production use in such a large environment - and then putting out the fires. I’m sure he has many of the developers’mobile phone numbers on speed dial! After the user presentation we had a vendor panel, which gave everybody the chance to exchange jabs and score points, as well as explain their specific vision and value-add. And we could have gone on, but there were only three hours for the track - hardly enough to “cover it all”. Several presentations on federation were also to be found on some of the other tracks and workshops and usually very well attended - an indicator on how important the topic is.
Conferences give a unique opportunity to meet up with peers, and for me this has been the perfect opportunity to network with users, customers, vendors and experts in the field. One of my personal highlights has been a 45 minute talk with Dave Kearns, Kim Cameron, Jackson Shaw and Dave Olds where we discussed the future “identity bus” concept that Microsoft’s Stuart Kwan introduced at the Directory Expert Conference in March. Following that announcement there’s been quite a bit of speculation of what such an “identity bus” might look like, and what it would replace. In my opinion, this “identity bus” would be the future fundament of identity management, like today’s directory services. Our discussion has been videotaped, and our camera man Bernd almost broke down after carrying that heavy camera on his shoulder once the interview was over.
Joerg also sent me out with Bernd the camera man to do several video interviews with some of the important players in the space. These interviews are currently being converted into streamable format and will be posted on this site “real soon now” (TM). Watch this space
An interesting conversation is taking place within the blogsphere about meta-directories, with Dave Kearns and Kim Cameron on both sides of the argument. This was all inspired by a blog entry on the 4th of March from Jackson Shaw called “You won’t have to kick me around anymore!”. That musing was about HP’s retreat from the identity management market, but makes a statement about meta-directory technology:
Let’s be honest. The meta-directory is dead. Approaches that look like a meta-directory are dead. We talk about Identity 2.0 in the context of Web services and the evolution of digital identity but our infrastructure, enterprise identity “stuff” is decrepit and falling apart. I have visions of identity leprosy with this bit and that bit simply falling off because it was never built with Web services in mind.
I started in this area in 1993 and some of the same architectures are still out there.
The certainly struck a chord with me when I read it. Dave Kearns picked up the topic in his newsletter when he wrote about Optimal IDM, the new virtual directory kid on the block, and made the case that meta-directories have “finally given way to the virtual directory”. Kim Cameron picked up Dave’s entry and disagreed. Up to now, this has lead to an interesting ping-pong of opinions between Dave and Kim, which has not exactly been easy to follow, not just because new contributions are being made on a daily basis up to now, and also because Kim uses the term “meta-directory” to mean something different than what Dave (and myself included) understand. I am going to take this opportunity to jump into the commotion as well, knife not freshly sharpened, but armour freshly polished!
First of all, to clarify what “meta-directory” means (at least, to me!). I am thinking about “Via” (Kim’s baby, the product that Microsoft acquired in 1999 together with Kim’s company, Zoomit). I’m also thinking about Novell Dir-XML, Siemens DirXmetahub and the Critical Path Meta-Directory Server. Old products, created many years ago. You don’t really see much happening with this technology any more, because it has its share of problems, and unless assisted with other technologies, does not fit well into today’s much more dynamic identity and access models. The only exception to that is probably MIIS, but I’ll get to that in a minute.
The old traditional “meta-directory” technology works by creating one big “centralised directory” (or “metaverse” as it’s known in MS-speak), pulling data from everywhere into that centralised directory and then pushing data out into all directions either. This approach is usually not a good fit by itself, because it has several significant shortcomings. I would not go as far as call the technology “dead” (it’s impossible to ignore the many MIIS installations out there), but I’ll call it something else: “quaint”. Now that word has several meanings according to the dictionary, but I sure don’t mean “marked by skillful design, beauty or elegance”!!!
Microsoft has made an investment into that technology by rewriting MIIS pretty much from scratch. And Siemens to this date probably has the most comprehensive and advanced meta-directory implementation with its DirXmetahub component that is part of its Dir-X offering. Nevertheless, meta-directories are arguably still around mostly because Microsoft forces this technology onto its customers for what I think are political reasons: Several people working for Microsoft in the field have told me that it was in Microsoft’s interest to have Active Directory as a central component, and believe it against Microsoft’s interest to have a “filtered access”, such as a virtual directory in front of AD, abstracting information away from what should be the authoritative source. I never really understood this fear, but recently it seems that this brick wall may be slowly starting to crumble (see below).
Some experts in the field still obstinately (in my opinion) push meta-directory technology as the only way to integrate multiple sources of identity information. I think this is very short-sighted. This might have been true in the last century, which is not even that far ago. But in a truly dynamic environment, meta-directory technology and a “synchronisation-only” approach just tends to get into the way. Likewise, the idea that virtual directories by themselves could solve all integration issues is wrong. It’s never been only one or the other, unless you had a specific problem to solve. It’s not synchronisation or virtualisation. You need both, at least if you are in a dynamic identity environment, or have a vision to get there.
So what is the solution for the future? Some people believe that virtual directories will eventually fully supplant meta-directories. Coming from the virtual directory world myself (I worked for Symlabs before joining Kuppinger Cole), I never truly believed that - at least not the virtual directories that were around at that time. Virtual directories and meta-directories could co-exist, and the combination of both had in the past shown great benefits. Think of it as the screwdriver vs. the hammer. Sure, with some brute force you might argue that you can use a hammer to put a screw in, and with some agility you might use a screwdriver to hammer in a nail. But you’re likely to damage something in the way, or at best, not be very practical about it.
I think the future is definitely in the convergence of traditional directory servers, virtual directories and synchronisation solutions to provide rock-solid dynamic directory infrastructure. To a certain extent we can already see this. Maxware (before getting acquired by SAP) and Radiant Logic have already released early, basic versions of synchronisation solutions that harness the power of virtualisation and combine synchronisation with dynamic, abstracted multiple views of data, rather than the static meta-directory approach.
In the future I believe we will see “super-directories” that combine traditional data storage with LDAP access, virtual views and synchronisation features. Some of the players in this space are gearing up to do this already. As synchronisation is usually well-established technology by most of the large players in the identity management space, the missing part is currently still virtualisation, and especially the integration of virtualisation and synchronisation.
Sun and the OpenLDAP foundation, for example, have already added some basic virtualisation features to their directory servers. Oracle has acquired OctetString a while back, and has arguably the most complete, all-around implementation of directory services, synchronisation and virtualisation. Novell, IBM and Microsoft are still lagging behind in this space, with some of the “old guard” defiantly resisting directory virtualisation and hanging on to last century’s belief that synchronisation can solve everything. But there are signs that this resistance is crumbling. It better be. Recently, at DEC2008, Microsoft’s Stuart Kwan presented Microsoft’s vision of a truly dynamic identity infrastructure based on an “identity bus”, where applications could plug in, and “transformers allow us to fold, spindle and mutilate the data in any way we want” - changing internal claims into any other format required by applications. Surely virtualisation is not the only piece that is needed to fulfill such vision, but it is an important (and still missing!) piece. Kim Cameron has not been known to be a big fan of virtual directories - and he still shows some scepticism for the “virtual only” approach, but seems to be warming to virtualisation in combination with synchronisation in one of his recent postings:
So we are led to the conclusion that we need a spectrum of synchronization and remote access capabilities. We should be able to use policy to define what information is stored where, and how to get to information that is not stored locally - e.g., combine metadirectory and virtual directory functionality.
I pretty much agree with Dave and Jackson in that traditional meta-directory technology just doesn’t cut it anymore, at least by itself, and is at best “quaint”. I very much agree with Kim in what I think is his vision of a future “super directory service” that integrates synchronisation and virtualisation with traditional directory services. Where I completely have to disagree with Kim however, is his use of the term “meta-directory” for this new type of “super-directory” technology. OK, I agree that “super directory” sounds a bit tawdry. A better term should be found. But c’mon Kim, “meta-directory” is sooooo… 20th century
Yesterday, the news hit the wire that Ping Identity had acquired the Sxip Access product line. I’ve written an article on the topic here (you may need to register, but it’s free). When I heard the news, I immediately wrote to Andre and Dick asking them for some more info. Andre got back to me pretty much straight away (thanks, Andre!).
I was curious about the acquisition of the product line - and not the whole company. Many times in this space, whole companies are bought, especially when they are the size of Sxip. Andre confirmed that this had been Ping’s original intent - to acquire Sxip entirely. Ping had been interested mainly in the Sxip Access product line. Dick apparently wanted to keep the company Sxip and Sxipper, and knowing that Ping did not really have a major interest in Sxipper, the deal was for Sxip Access, and not for the whole company.
Since these were the “crown jewels” of Sxip, I am very, very curious what Dick Hardt is up to now. I’ve sent him a couple of emails, but I’m sure that I’m not the only one… I can guess what his Inbox looks like, so it’ll probably take him a bit to get back to me. So for now I can only guess! According to the Sxip press release, the company will now focus on consumer solutions, such as Sxipper. However, Sxipper was basically a freebie. Sxip is a commercial company, and needs to make money. Sxip can make revenue from future versions of Sxipper either through paid support, or by having a “light” and a “commercial” version. Or maybe Sxip will focus more on the consulting side.
I admit, I’m speculating. But I’m sure Dick is up to something, and as soon as I find out, I’ll let you know!
Update
Dick just got back to me and did confirm that in fact he is up to something:
Subject: Re: So what are you up to now?
From: "Dick Hardt" <dick@sxip.com>
Date: Wed, March 12, 2008 4:38 pm
To: "Felix Gaehtgens" <fg@kuppingercole.com>
--------------------------------------------------------------------------
Hi Felix
We are looking at a number of revenue streams from Sxipper including a
PRO version. Right now we are focused on building a great product
that provides value to users and that they will trust. We have a 2.0
release that is imminent.
I will be curiously awaiting what Sxip is going to be cooking next and report in due time. Good luck, Dick (although I don’t think you’ll need it because you seem to be on the right track)!
WEDNESDAY, March 5th. Chicago, seems a tad warmer, but still too cold for my taste!
The last day of the conference was a short one for me - I had to leave around 11:30 to catch my plane. I had a nice long chat with Dieter Schuller from Radiant Logic, who brought me up to par with their vision and technology. In my previous job Dieter and I were competitors, so we had a lot in common and of course knew each others products, but I got a much deeper understanding on Radiant Logic’s vision and approach to virtual directories. As I am currently writing Kuppinger Cole’s technology report on virtual directories (due before the European Identity Congress in April), this came in very handy. DEC 2008 has been an intense, and immensely rewarding experience, and my head is spinning! This has been my first, and certainly won’t be my last!
TUESDAY, March 4th. Chicago, back to freezing temperatures.
Microsoft’s Stuart Kwan kicked off the second day with his keynote address where he spoke about an “identity bus”, where off-the shelf applications can plug in for all their authentication and access control needs. It was exciting to hear this from Microsoft. The concept is actually not even that new - Phil Windley wrote about this in his book “Digital Identity. But it’s great to see that Microsoft seems fully committed to (several selected) open standards (most of them likely to start with the letters W and S) and interoperability, and assuming that this stays that way, I agree with Stuart that “it does not seem as far off as you might think”. His vision is that claims, or “assertions” in SAML-speak, are the core of identity data within the bus that can be transformed into different formats depending on application needs. Somehow I had a quick excursion down memory lane during the end of the presentation to a place in time a few years ago when I was briefly involved in a project for a large service provider who had deployed two web application environments. One of them was called the “Microsoft Environment” and the other one was called the “Open Environment”. I remember that they had quite a challenge getting identity management to work across both environments at that time. So in future, that unnamed company will just have one “Open environment” that includes all the Microsoft web applications as well.
Later on in the exhibition area I took a closer look at the latest virtual directory server product that had just been announced a day previously by a company called “Optimal IDM”. I was given a comprehensive tour by chief software architect Nada Dickerson who graciously let me monopolise her for an extended period (I couldn’t help it, coming from the virtual directory space, this really peaked my interest). Optimal IDM has deployed identity management solutions over several years and has run into the same types of issues over and over again, which led them to develop their virtual directory product. The product is specialised to handle three specific “modes”. The first mode is called “Union Mode” and aggregates unique entries from multiple containers into a virtual consolidated view. The other two modes are variants of this, and add join rules. Object Precedence Mode can be used to specify which back-end has the precedence when the same object exists in multiple back-ends. Attribute Precedence Mode can additionally join attributes from the same object in multiple backends so that the returned object contains data from all objects of the same name. This is essential the “shadow joiner” or “data augmentation” feature found in competing products. Optimal IDM has developed their virtual directory product entirely with .NET technology and believes this to be a competitive advantage over other virtual directories.
Even before the conference, I had already earmarked the slot at 11 AM for Pamela Dingle’s presentation entitled “Hanging Out in the CardSpace Kitchen”. I hadn’t met Pamela before, but read some of her excellent material on the subject. It turned out exactly as I had hoped - an excellent, educational and lively presentation from *the* authority on CardSpace (apart from Microsoft’s Kim Cameron, of course). She also made the connection clear between Microsoft’s implementation, Project Bandit and Project Higgins. Microsoft’s Brian Puhl chimed in at the end to give an excellent scenario on how CardSpace can be used to work around some tricky legal issues in federated environments.
I remembered Dave Kearns mentioning in one of his posts from way back when that when Pamela Dingle presented on CardSpace at one of the Digital ID World conferences, she had Microsoft employees clamoring to ask questions. Well they didn’t do this time, but I certainly did. I met Pamela again that night in Centrify’s hospitality suite at a virtual bowling tournament on a Wii. Both Pamela and I were new to the Wii and immediately noticed that it even offers its own variety of “InfoCards” in the way of avatars (pictures) of the participants that our host configured for us.
Another highlight was the BoF (birds of a feather session) on ADFS that I attended. Stuart Kwan and Brian Puhl were there as well, and shared some interesting details on why we actually need to use claims and can’t just instead stick additional identity information in a Kerberos token (some applications would just choke on that), as well as throw around some ideas on how home realm discovery could be used in an environment where multiple federation protocols are used. Then suddenly we were all deep into CardSpace again. Stuart also offered a very interesting opinion how internal security tokens might look like in a hypothetical, futuristic Windows version. Unfortunately I had to run out because I had an appointment, but I think the BoF ran well over its allocated time - definitely another DEC highlight.
Against good judgement and to the bewilderment of my bowling buddies at the Centrify hospitality suite, I decided to forego the invitation to Oxford Computer Group’s party featuring a band called “Hairbanger’s Ball” and instead head off to early retirement for the day. In hindsight this was not the smartest thing to do, because it must have been a real blast, and overall the particular session in the morning that I wanted to attend was cancelled. Well, I’ll know better next time!
