Looking back at DIDW

26.09.2008 by Felix Gaehtgens

Two weeks ago I was at Digital ID World in Anaheim, CA, followed by a briefing in Redmond. My mind is still returning to this action-packed event every once in a while, and I am still trying to make sense of it all. For me the most interesting aspect of DIDW has certainly been to meet face to face with lots of the usual suspects, some people I “know” virtually but have never met in person, and some new acquaintances. Over the next few weeks, as my busy research agenda allows, I will write up some of the cool stuff, new technologies and new evolutions of products that I learned about during those three days.

Just thought I’d pay tribute to some of my experiences during those three days. For me as well as for many others, DIDW started off with a visit to the new “IDTBD” (ID To Be Determined) initiative that the Liberty Alliance sponsored. Bob Blakeley from the Burton Group stood in the middle of a fully crowded room (including people standing outside). After a somewhat tedious roll call where everybody present stated why they had actually come to this meeting, the discussion came into full swing. The idea behind the “IDTBD” was to provide an infrastructure framework for projects around identity. Instead of every project getting tied down with bureaucracies, legal agreements and organisational matters, IDTBD would provide support and let participants focus on what they can do best. I thought the idea was pretty good, but not everybody thought the same. As organisational matters like these are not my forte, I disappeared after the break, and when I walked past the open door an hour later, I could see that a very small crowd was still in very animated discussion.

I had my fun with Sun that afternoon, evening and night, and honestly, I had a blast. Sun brought me in twice for their Identity Buzz TV show. Daniel Raskin was my host, and we talked about open source within identity management – the specific nuances and what customers can expect from it. We also talked about one of my favourite topics, the identity bus (I did a round-table on it at our European Identity Conference back in May), and in that one I managed to turn it around and have Daniel add his thoughts to the discussion (later that week, I had the pleasure of meeting again with Stuart Kwan, who explained his vision to me, but more on that later). It was great to meet Daniel; I had only had the virtual pleasure up to that point, and can attest that he is at least as cool and knowledgeable in real life as well. I also had some quality time with Pat Patterson, whom I had met before, but only briefly between doors, and it was good to catch up. Saachin was there as well and turned on several light bulbs in my head when he talked to me about Sun’s 3-month roadmap for deploying Role Manager within an enterprise. My head was spinning a bit after so much information, and I was really grateful when Saachin’s colleague Neil Gandhi patiently spent a good two hours briefing me and walking me through the product in great detail a day later. As my colleague Sebastian Rohr and others noted, Sun certainly made a killing snapping up Vaau earlier this year, and now I can fully appreciate Sebastian’s enthusiasm.

John Barco very cunningly demonstrated a concept that is likely to pop up in the same basket as identity theft: identity exchange. ;-) By wearing Nicholas Crown’s badge around his neck the next day, he had me confused, because I had just met both of them in person for the first time the day before. I had some great discussions with both of them later, especially with Nick, with whom I talked after the Ping Identity party until the not-so-wee-anymore hours. Oh yes, the Ping party. Aren’t they legendary! As this event was held at the “Blues house”, the “house drink” was a blue liqueur. It did not glow in the dark, but turned out to be somewhat of an acquired taste. Andre Durand’s team were busy making sure that everyone held at least one cup in their hands at all times. I decided to be careful with it. At the party I made some great acquaintances, and ran into Doug Anter from Covisint. In a very forward-looking spirit that is common after successive libations in the later evening, we decided to set up a “breakfast briefing” for 9 AM the next morning. This turned out not to be painful at all (perhaps I can attribute this to my special care with the house drink), but on the contrary highly interesting, as I have an article in preparation on Covisint’s offerings in “Identity as a Service (IaaS)”.

In the same area, I was equally impressed with a briefing that I received earlier from Eric Olden, the founder and CEO of Symplified. Having founded Securant in 1995 (which he later sold to RSA), he well understands the need, but also the entry barrier, for small and medium enterprises when it comes to identity and access management. Symplified provides identity and access management as a service in both directions – incoming and outgoing. On the outgoing side, Symplified can connect an enterprise’s users to internal and external SaaS services (such as Salesforce, Workday, ADP, etc.) with single sign-on. On the incoming side, access to resources is controlled through a proxy layer that is either hosted by Symplified itself, or runs inside an organisation in one of several form factors: appliance or virtual machine. I think there is a photograph of me wearing a Symplified T-shirt towards the end of the Ping party.

Another very interesting briefing I received was from AEP Networks’ J. Alan Bird, who is extending identity throughout the network with identity-based access control. Their IDpoint solution tags every network packet (more precisely, the payload within IP packets) from an authenticated client PC with a special token. Specialised identity routers then act like firewalls by checking the tokens and making access control decisions based on them. A sophisticated auditing and reporting engine is included that can act as a feed to current GRC (Governance, Risk Management and Compliance) solutions. As identity management has traditionally focused mainly on application security, I think that this pioneering approach offers a significant manageability gain and addresses a previously not well-addressed need for extending GRC towards the network layer. I am convinced that this will become an important topic, especially with investments in strategic GRC projects increasing.

Oracle was a main sponsor at Digital ID World, and many of its brightest minds were roaming around. I was particularly happy to finally meet face to face with Nishant Kaushik, whose blog I read regularly and recommend (it’s on my blogroll). Same with Clayton Donley, whom I had previously seen only from far away, but never had the opportunity to shake hands with. I had a great follow-up discussion with Eric Leach on Oracle’s new access management suite (he had briefed me on it a month before). And of course Phil Hunt, whose efforts around the Identity Governance Framework I wrote about previously. When I finally got to meet Dennis MacNeil in person, he gave me some good advice and helped me understand better how the individual pieces fit into Oracle’s strategy.

Understanding that it is impossible to mention everyone and everything that I met and discovered, it is perhaps worth mentioning what I wish I could have done. The time was limited, the exhibition floor unfortunately closed very promptly, and I just plainly ran out of time. Matt Flynn was there and I shook his hand but had to run off and couldn’t catch up with him anymore. He will not escape me next time (or rather, I will not escape him) :-) I also ran out of time and couldn’t properly catch up with the folks from Optimal IdM, who briefly told me about the new features added to their virtual directory product. Equally with my old colleagues from Symlabs, who would have loved to show me the upcoming full virtual tree feature in the next version of their virtual directory. Charles Andres, who is now the head of the Information Card Foundation, was all over the place, but unfortunately so was I (and at the Information Card Foundation’s booth I ran into Axel Nennker, which was really cool). I did not have time for SailPoint and Novell unfortunately – although I did have a brief chat with Dale Olds and some of the other “Bandits”, I would have loved to spend more time with his colleagues as well. Next time it will be!

Why Liberty’s Identity Governance Framework is so important

25.02.2008 by Felix Gaehtgens

Over the last few weeks, the Liberty Alliance’s IGF caught my attention several times. Fulup Ar Foll and Jason Baragry, both working for Sun Microsystems, wrote a paper called “Next Generation of Digital Identity”. About a month ago, HP’s Marco Casassa Mont and Oracle’s Phil Hunt published an article in the “Sarbanes-Oxley Compliance Journal” entitled “Identity Governance Framework”. I’ve been wanting to blog about this for several weeks, but kept putting it off. Last week I had the fortune to be briefed by Prateek Mishra, Oracle’s Director of Security Standards, who explained in detail what the IGF is about and clarified some of the questions I still had.

In late 2006, several companies got together and created the Identity Governance Framework (IGF), an initiative of the Liberty Alliance. Originally driven by Oracle, other companies in the space quickly joined the effort. The purpose of the IGF is to provide an open architecture that addresses governance of identity-related information. This architecture is meant to bridge the gap between regulatory requirements and the lower-level protocols and architecture.

What does this mean and why is it so important? I like examples to understand things, so let’s start with a few of them. For a start, many enterprises still have private identity data stored in many different data stores. Even though the trend is to minimise the number of “data silos” (places where identity data is stored), the reality is still that data can be found in many places. This creates a problem in our globalising society, where the HR department might be run in one country, the support desk in another, and a myriad of services are outsourced to yet other locations. How can one ensure that the flow of data is controlled in such a way that all privacy laws are complied with? Another example could be a federated environment of several suppliers working together to process an order. The order is received by company A, which then sends out several orders for parts to companies B1, B2 and B3, who then ship everything to company C, which assembles everything and uses company D to ship out the finalised order to the customer.

In both cases, identity data is transferred and processed. How can the inherent risks associated with the creation, copying, maintenance and use of this data be mitigated? Who has access to what data, for which purpose, and under what conditions? Ideally, policies on data usage are created by both the sources (attribute authorities) and the consumers (applications) of identity data. These policies can then be used for the implementation and auditing of governance. In other words: if you know what the rules are, express them in a policy, and make sure your policy is watertight when the next audit comes.

This is exactly what the IGF attempts to create: a standardised mechanism for expressing and implementing these policies. The IGF is working on several standards and components to make this happen. One of them is CARML. It defines application identity requirements, in other words what type of identity information an application needs, and what that application will do with that information. CARML stands for “Client Attribute Request Markup Language”, and yes, you’ve guessed right – it’s XML-based. As stated previously, CARML defines what attributes an application wishes to consume, and the privacy rules of the application: Will the data be persisted (stored) by the application? If so, for how long? What purpose is it used for? Will it be forwarded? When an application is then made available, administrators can review the CARML file for that application, ensure that privacy constraints are being met, and then connect the application to the respective data stores to make the information available.

On the other side of the spectrum there is AAPML, the “Attribute Authority Policy Markup Language”, which describes the constraints on the use of the provided identity information – under what conditions specific pieces of identity data are made available to applications, and how this data may be used, and possibly modified. For example: what part of a user’s data can be modified by the user directly at a self-service portal? Or: under which conditions may a marketing application use a user’s data, and what type of explicit consent needs to be given by the user? AAPML is proposed as a profile of XACML, the “eXtensible Access Control Markup Language”, so that AAPML policies can be consumed directly by a policy decision point and enforced by a policy enforcement point (PEP) on requests for identity data.

So now you can probably see where this is going. On one side, you have the applications, and CARML that specifies the identity information that they need. On the other side you have the identity data sources (attribute providers), and the policies under which they make data available. In the middle, an identity service can broker between both sides. This identity service can read the CARML requirements from the applications and the AAPML policies from the attribute providers, or use an external identity policy engine that enforces the AAPML policies.
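To make that brokering step concrete, here is an added Python sketch of an identity service comparing an application’s declared attribute usage (the CARML questions above: persisted? how long? what purpose? forwarded?) against an attribute authority’s release policy. This is illustration written for this post, not code from the IGF, the Liberty Alliance or any vendor; the XML element and attribute names are invented for the example and are not the real CARML or AAPML vocabularies, and the two sample documents and the consent set are constructed.

```python
"""Toy identity-service broker: CARML-style application requirements
checked against an AAPML-style attribute-authority policy.

Illustrative only. The element names (<application>, <attribute>, <authority>,
<rule>) are invented for this example and are NOT the real CARML/AAPML schemas.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: what a marketing application declares it needs and how it
# will handle each attribute.
APP_REQUIREMENTS = """
<application name="campaign-tool">
  <attribute name="email" persisted="true" retentionDays="30" purpose="marketing" forwarded="false"/>
  <attribute name="dateOfBirth" persisted="true" retentionDays="365" purpose="marketing" forwarded="true"/>
  <attribute name="displayName" persisted="false" retentionDays="0" purpose="marketing" forwarded="false"/>
</application>
"""

# Constructed sample: the HR directory's policy for releasing the same attributes.
AUTHORITY_POLICY = """
<authority name="hr-directory">
  <rule attribute="email" purposes="marketing support" maxRetentionDays="90" forwardable="false" consent="required"/>
  <rule attribute="dateOfBirth" purposes="hr" maxRetentionDays="0" forwardable="false" consent="none"/>
  <rule attribute="displayName" purposes="marketing support hr" maxRetentionDays="0" forwardable="false" consent="none"/>
</authority>
"""


@dataclass(frozen=True)
class Decision:
    attribute: str
    violations: tuple  # empty tuple means the release is permitted

    @property
    def permitted(self) -> bool:
        return not self.violations


def parse_requirements(xml_text: str) -> dict:
    """Application side: attribute -> declared handling (persisted, retention, purpose, forwarding)."""
    root = ET.fromstring(xml_text)
    return {
        a.get("name"): {
            "persisted": a.get("persisted") == "true",
            "retention": int(a.get("retentionDays", "0")),
            "purpose": a.get("purpose"),
            "forwarded": a.get("forwarded") == "true",
        }
        for a in root.findall("attribute")
    }


def parse_policy(xml_text: str) -> dict:
    """Authority side: attribute -> conditions under which it may be released."""
    root = ET.fromstring(xml_text)
    return {
        r.get("attribute"): {
            "purposes": set(r.get("purposes", "").split()),
            "max_retention": int(r.get("maxRetentionDays", "0")),
            "forwardable": r.get("forwardable") == "true",
            "consent": r.get("consent", "none"),
        }
        for r in root.findall("rule")
    }


def evaluate(app_xml: str, policy_xml: str, consents: frozenset = frozenset()) -> dict:
    """Broker decision for every attribute the application asks for.

    `consents` is the set of attribute names for which the user has recorded
    explicit consent (assumed to come from a consent store outside this example).
    An attribute with no covering rule is denied: deny by default, not allow.
    """
    reqs = parse_requirements(app_xml)
    rules = parse_policy(policy_xml)
    decisions = {}
    for name, req in reqs.items():
        problems = []
        rule = rules.get(name)
        if rule is None:
            problems.append("no authority policy covers this attribute")
        else:
            if req["purpose"] not in rule["purposes"]:
                problems.append(f"purpose '{req['purpose']}' not permitted")
            if req["persisted"] and req["retention"] > rule["max_retention"]:
                problems.append(f"retention {req['retention']}d exceeds {rule['max_retention']}d")
            if req["forwarded"] and not rule["forwardable"]:
                problems.append("onward transfer not permitted")
            if rule["consent"] == "required" and name not in consents:
                problems.append("explicit user consent required but not recorded")
        decisions[name] = Decision(name, tuple(problems))
    return decisions


if __name__ == "__main__":
    for d in evaluate(APP_REQUIREMENTS, AUTHORITY_POLICY, frozenset({"email"})).values():
        print(d.attribute, "PERMIT" if d.permitted else "DENY", d.violations)
```

Run as-is, the broker releases `email` (consent recorded, purpose and retention within policy) and `displayName`, and refuses `dateOfBirth` on three separate grounds (wrong purpose, retention beyond what the authority allows, and onward transfer). The point of the shape is that each denial names the governance rule that was breached, which is exactly the evidence an auditor wants to see.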

So why another set of protocols? Isn’t this already addressed in some other standards? Liberty’s ID-WSF springs to mind, or SAML 2.0’s AttributeQuery, SPML, or even – to a certain extent – WS-Trust’s Security Token Service. However, CARML and AAPML bridge a very important gap that is not addressed anywhere else: not how to request and receive attributes, but how to express the need for and purpose of identity data, and on the other side the allowed use of and conditions for its consumption. The IGF conceptually fits seamlessly into architectures built on today’s frameworks and picks up where CardSpace, Higgins, Bandit and WS-Trust leave off.

In my mind, the IGF makes some very important contributions on issues that have somehow “fallen through the cracks” in the last few years. The IGF’s standards ensure that privacy requirements can be met and audited against, and facilitate the secure and controlled exchange of identity data. This has the potential to fuel adoption of technologies such as federated identity, and open up business opportunities that were up to now constrained by uncertainty about privacy or the lack of tangible technology in that area. I will definitely keep the IGF on my radar!


				
© 2010 Felix Gaehtgens, Kuppinger Cole + Partner