Two weeks ago I was at Digital ID World in Anaheim, CA, followed by a briefing in Redmond. My mind is still returning to this action-packed event every once in a while, and I am still trying to make sense of it all. For me the most interesting aspect of DIDW has certainly been to meet face to face with lots of the usual suspects, some people I “know” virtually, but have never met face to face, and some new acquaintances. Over the next few week, as my busy research agenda allows, I will write up on some of the cool stuff, new technologies and new evolutions of products that I’ve learned about during those three days.

Just thought I’d just pay tribute to some of my experiences during those three days. For me as well as for many others, DIDW started off with a visit to the new “IDTBD” (ID To Be Determined) initiative that the Liberty Alliance sponsored. Bob Blakeley from the Burton group stood in the middle of a fully crowded room (including people standing outside). After a somewhat tedious roll call where everybody present stated why they actually went to this meeting, the discussion came into full swing. The idea behind the “IDTBD” was to provide an infrastructure framework for projects around identity. Instead of every project getting tied down with bureaucracies, legal agreements and organisational matters, IDTBD would provide support and let participants focus on what they can do best. I thought the idea was pretty good, but not everybody thought the same. As organisational matters like these were not my forte, I disappeared after the break, and when I walked past the open door an hour later, I could see that a very small crowd was still in very animated discussion.

I had my fun with Sun that afternoon, evening and night, and honestly, I had a blast. Sun brought me in twice for their Identity Buzz TV show. Daniel Raskin was my host, and we talked about open source within identity management – the specific nuances and what customers can expect from it. We also talked about one of my favourite topics, the identity bus (I did a round-table at our European Identity conference back in May), and in that one I managed to turn it around and have Daniel add his thoughts to the discussion (later on that week, I had the pleasure of meeting again with Stuart Kwan who explained me his vision, but more to that later). It was great to meet Daniel, I only had the virtual pleasure up to that point, and can attest that he is at least as cool and knowledgeable in real life as well. I also had some quality time with Pat Patterson, who I’ve met before, but only shortly between doors, and it was good to catch up. Saachin was there as well and turned on several light bulbs in my head when he talked to me about Sun’s 3 month roadmap for deploying Role Manager within an enterprise. My head was spinning a bit after so much information, and I was really grateful when Saachin’s colleague Neil Gandhi patiently spent a good two hours briefing me and walking me through the product in great detail a day later. As my colleague Sebastian Rohr and other noted, Sun certainly made a killing snapping up Vaau earlier this year, and now I can fully appreciate Sebastian’s enthusiasm.

John Barco very cunningly demonstrated a concept that is likely to pop up in the same basket as identity theft: identity exchange. By wearing Nicholas Crown’s badge around his neck the next day, he had me confused, because I just met both of them in person for the first time the day before. I had some great discussions with both of them later, especially with Nick, whom I talked after the Ping Identity party until the not-so-wee-anymore hours. Oh yes, the Ping party. Aren’t they legendary! As this event was held at the “Blues house”, the “house drink” was a blue liqueur. It did not glow in the dark, but turned out to be somewhat of an acquired taste. Andre Durand’s team were busy making sure that everyone held at least one cup in their hands at all times. I decided to be careful with it. At the party I made some great acquaintances, and ran into Doug Anter from Covisint. In a very forward-looking spirit that is common after successive libations in the later evening, we decided to set up a “breakfast briefing” for 9 AM the next morning. This turned out not to be painful at all (perhaps I can attribute this to my special care with the house drink), but to the contrary highly interesting, as I have an article in preparation on Covisint’s offerings on “Identity as a Service (IaaS)”.

In the same area, I was equally impressed with a briefing that I received earlier from Eric Olden who is the founder and CEO of Symplified. Having founded Securant in 1995 (which he later sold to RSA), he well understands the need, but also the entry barrier for small and medium enterprises when it comes to identity and access management. Symplified provides identity and access management as a service in both directions – incoming and outgoing. On the outgoing side, Symplified can connect an enterprise’s users to internal and external SaaS services (such as Salesforce, Workday, ADP, etc.) with single sign-on. On the incoming side, access to resources is controlled through a proxy layer that is either hosted by Symplified itself, or runs inside an organisation in several form factors: appliance or virtual machine. I think there is a photograph of myself wearing a Symplified T-Shirt towards the end of the Ping party.

Another very interesting briefing I received was from AEP Networks’ J. Alan Bird who is extending identity throughout the network with identity based access control. Their IDpoint solution tags every network packet (actually, the payload within IP packets) from an authenticated client PC with a special token. Specialised identity routers then act like firewalls by checking access against tokens and making access control decisions. A sophisticated auditing and reporting engine is included that can act as a feed to current GRC (Governance, Risk-Management and Compliance) solutions. As identity management has traditionally focused mainly on application security, I think that this pioneering approach offers a significant manageabilility gain and a previously not well-addressed need for extending GRC towards the network layer. I am convinced that this will become an important topic, especially with investments in strategic GRC projects increasing.

Oracle was a main sponsor at Digital ID World, and many of its brightest minds were roaming around. I was particularly happy to finally meet face to face with Nishant Kaushik whose blog I read regularly and recommend (it’s on my blogroll). Same with Clayton Donley, who I’ve seen already seen previously from far away, but have never had the opportunity to shake hands with. I had a great follow-up discussion with Eric Leach on Oracle’s new access management suite (he had briefed me on it a month before). And of course Phil Hunt, whose efforts around the Identity Governance Framework I wrote about previously. When I finally got to meet Dennis MacNeil in person, he gave me some good advise and helped me understand better how the individual pieces fit into Oracle’s strategy.

Understanding that it is impossible to mention everyone and everything that I met and discovered, it is perhaps worth mentioning what I wish I could have done. The time was limited, and unfortunately the exhibition floor closed very promptly, and I just plainly ran out of time. Matt Flynn was there and I shook his hand but had to run off and couldn’t catch up with him anymore. He will not escape me next time (or rather, I will not escape him) I also ran out of time and couldn’t properly catch up with the folks from Optimal IDM anymore, who briefly told me about the new features added to their virtual directory product. Equally with my old colleagues from Symlabs who would have loved to show me the upcoming full virtual tree feature in the next version of their virtual directory. Charles Andres who is now the head of the Information Card Foundation was all over the place but unfortunately so was I (and at the Information Card Foundation’s booth I ran into Axel Nennker, which was really cool). I did not have time for Sailpoint and Novell unfortunately – although I did have a brief chat with Dale Olds and some of the other “Bandits”, but would have loved to spend more time with his colleagues as well. Next time it will be!

An interesting conversation is taking place within the blogsphere about meta-directories, with Dave Kearns and Kim Cameron on both sides of the argument. This was all inspired by a blog entry on the 4th of March from Jackson Shaw called “You won’t have to kick me around anymore!”. That musing was about HP’s retreat from the identity management market, but makes a statement about meta-directory technology:

Let’s be honest. The meta-directory is dead. Approaches that look like a meta-directory are dead. We talk about Identity 2.0 in the context of Web services and the evolution of digital identity but our infrastructure, enterprise identity “stuff” is decrepit and falling apart. I have visions of identity leprosy with this bit and that bit simply falling off because it was never built with Web services in mind.

I started in this area in 1993 and some of the same architectures are still out there.

The certainly struck a chord with me when I read it. Dave Kearns picked up the topic in his newsletter when he wrote about Optimal IDM, the new virtual directory kid on the block, and made the case that meta-directories have “finally given way to the virtual directory”. Kim Cameron picked up Dave’s entry and disagreed. Up to now, this has lead to an interesting ping-pong of opinions between Dave and Kim, which has not exactly been easy to follow, not just because new contributions are being made on a daily basis up to now, and also because Kim uses the term “meta-directory” to mean something different than what Dave (and myself included) understand. I am going to take this opportunity to jump into the commotion as well, knife not freshly sharpened, but armour freshly polished!

First of all, to clarify what “meta-directory” means (at least, to me!). I am thinking about “Via” (Kim’s baby, the product that Microsoft acquired in 1999 together with Kim’s company, Zoomit). I’m also thinking about Novell Dir-XML, Siemens DirXmetahub and the Critical Path Meta-Directory Server. Old products, created many years ago. You don’t really see much happening with this technology any more, because it has its share of problems, and unless assisted with other technologies, does not fit well into today’s much more dynamic identity and access models. The only exception to that is probably MIIS, but I’ll get to that in a minute.

The old traditional “meta-directory” technology works by creating one big “centralised directory” (or “metaverse” as it’s known in MS-speak), pulling data from everywhere into that centralised directory and then pushing data out into all directions either. This approach is usually not a good fit by itself, because it has several significant shortcomings. I would not go as far as call the technology “dead” (it’s impossible to ignore the many MIIS installations out there), but I’ll call it something else: “quaint”. Now that word has several meanings according to the dictionary, but I sure don’t mean “marked by skillful design, beauty or elegance”!!!

Microsoft has made an investment into that technology by rewriting MIIS pretty much from scratch. And Siemens to this date probably has the most comprehensive and advanced meta-directory implementation with its DirXmetahub component that is part of its Dir-X offering. Nevertheless, meta-directories are arguably still around mostly because Microsoft forces this technology onto its customers for what I think are political reasons: Several people working for Microsoft in the field have told me that it was in Microsoft’s interest to have Active Directory as a central component, and believe it against Microsoft’s interest to have a “filtered access”, such as a virtual directory in front of AD, abstracting information away from what should be the authoritative source. I never really understood this fear, but recently it seems that this brick wall may be slowly starting to crumble (see below).

Some experts in the field still obstinately (in my opinion) push meta-directory technology as the only way to integrate multiple sources of identity information. I think this is very short-sighted. This might have been true in the last century, which is not even that far ago. But in a truly dynamic environment, meta-directory technology and a “synchronisation-only” approach just tends to get into the way. Likewise, the idea that virtual directories by themselves could solve all integration issues is wrong. It’s never been only one or the other, unless you had a specific problem to solve. It’s not synchronisation or virtualisation. You need both, at least if you are in a dynamic identity environment, or have a vision to get there.

So what is the solution for the future? Some people believe that virtual directories will eventually fully supplant meta-directories. Coming from the virtual directory world myself (I worked for Symlabs before joining Kuppinger Cole), I never truly believed that – at least not the virtual directories that were around at that time. Virtual directories and meta-directories could co-exist, and the combination of both had in the past shown great benefits. Think of it as the screwdriver vs. the hammer. Sure, with some brute force you might argue that you can use a hammer to put a screw in, and with some agility you might use a screwdriver to hammer in a nail. But you’re likely to damage something in the way, or at best, not be very practical about it.

I think the future is definitely in the convergence of traditional directory servers, virtual directories and synchronisation solutions to provide rock-solid dynamic directory infrastructure. To a certain extent we can already see this. Maxware (before getting acquired by SAP) and Radiant Logic have already released early, basic versions of synchronisation solutions that harness the power of virtualisation and combine synchronisation with dynamic, abstracted multiple views of data, rather than the static meta-directory approach.

In the future I believe we will see “super-directories” that combine traditional data storage with LDAP access, virtual views and synchronisation features. Some of the players in this space are gearing up to do this already. As synchronisation is usually well-established technology by most of the large players in the identity management space, the missing part is currently still virtualisation, and especially the integration of virtualisation and synchronisation.

Sun and the OpenLDAP foundation, for example, have already added some basic virtualisation features to their directory servers. Oracle has acquired OctetString a while back, and has arguably the most complete, all-around implementation of directory services, synchronisation and virtualisation. Novell, IBM and Microsoft are still lagging behind in this space, with some of the “old guard” defiantly resisting directory virtualisation and hanging on to last century’s belief that synchronisation can solve everything. But there are signs that this resistance is crumbling. It better be. Recently, at DEC2008, Microsoft’s Stuart Kwan presented Microsoft’s vision of a truly dynamic identity infrastructure based on an “identity bus”, where applications could plug in, and “transformers allow us to fold, spindle and mutilate the data in any way we want” – changing internal claims into any other format required by applications. Surely virtualisation is not the only piece that is needed to fulfill such vision, but it is an important (and still missing!) piece. Kim Cameron has not been known to be a big fan of virtual directories – and he still shows some scepticism for the “virtual only” approach, but seems to be warming to virtualisation in combination with synchronisation in one of his recent postings:

So we are led to the conclusion that we need a spectrum of synchronization and remote access capabilities. We should be able to use policy to define what information is stored where, and how to get to information that is not stored locally – e.g., combine metadirectory and virtual directory functionality.

I pretty much agree with Dave and Jackson in that traditional meta-directory technology just doesn’t cut it anymore, at least by itself, and is at best “quaint”. I very much agree with Kim in what I think is his vision of a future “super directory service” that integrates synchronisation and virtualisation with traditional directory services. Where I completely have to disagree with Kim however, is his use of the term “meta-directory” for this new type of “super-directory” technology. OK, I agree that “super directory” sounds a bit tawdry. A better term should be found. But c’mon Kim, “meta-directory” is sooooo… 20th century