Mini-review of Microsoft “Zermatt”

18.07.2008 by Felix Gaehtgens

I’ve written a short analysis on Microsoft’s new “Zermatt” framework that went up on our website yesterday. For those who have missed the announcement, Zermatt is a new developer framework from Microsoft that makes it easy for developers to work with claims, and is also a foundation for building security token services (STS). In the analysis, I also included some of my thoughts on the “claims-based model” in general, and specifically about the lack of an authorisation model. I think this is perhaps the largest gap currently for applications using WS-Trust, WS-Federation and the claims-based model, exacerbated by the fact that Microsoft currently provides no vision of how this will eventually be addressed.

Posted in Uncategorized |

RedHat acquires Identyx

19.06.2008 by Felix Gaehtgens

As I write this, Red Hat is announcing the acquisition of Identyx, a software company that specialises in open source identity management software. Identyx sells fully supported versions of Penrose, a virtual directory, and Velo, an open provisioning solution. Both products are based on open source projects hosted at safehaus.org, which was started up by Jim Yang and Alex Karasulu, best known as a major driver behind the Apache Directory Server project. Identyx’s business model is typical for open source software providers: a stable, official release from Identyx, priced on the basis of a yearly maintenance contract where the price depends on the overall response time and level of service.

Why Red Hat? After all, Red Hat has rarely been mentioned in the identity management area. This is not so much because Red Hat has been inactive - not at all, in fact - but identity management at Red Hat has not been marketed much. But that’s about to change. Red Hat has restructured recently and opened up a new business unit called “Management and Security Products” in February. This business unit will be responsible for the directory and certificate server, IPA and the Identyx products.

Red Hat has been acquiring and building several interesting components in the identity area for a while. Red Hat has also acquired what used to be the Netscape Directory Server and Certificate Server from AOL, who inherited them through the acquisition of Netscape by AOL in 1998. For AOL, these software packages were not core business and just dawdled on like neglected stepchildren before finally being sold on to Red Hat. Red Hat has invested in the development of these products and made them available in a supported and a free version under the Red Hat and Fedora brands respectively. Although both products are available on multiple UNIX platforms, they have never really been perceived as serious contenders in the identity management space, and have had their success mostly with customers who already had a significant investment in Red Hat’s platform.

Last but not least, Red Hat has funded the FreeIPA (IPA = Identity, Policy and Audit) solution, an integrated security framework currently supporting identity management with plans to add policy management and auditing. This has matured over time, and Red Hat will announce the general availability of FreeIPA 1.0 at the Red Hat Summit that is currently in full swing. Red Hat has plans to tie Identyx into IPA, as there are many cross-over cases, especially in the integration of Active Directory. Red Hat customers see many cases where Active Directory users and Linux policies need to be managed together, and Red Hat will harness the Penrose virtual directory to provide easy integration through virtualisation. Penrose will also continue to be available separately.

So what is Red Hat’s vision, and why the jump into identity management now? The overall vision is similar to that of BMC and Microsoft who see Identity Management as an important cornerstone of IT infrastructure management. Red Hat especially sees demand in cloud computing models, where customers need agility in their environment to create a flexible IT fabric by consuming IT infrastructure as dynamic workload resources. The security models change when resources are constantly moved around. Control mechanisms need to be in place to ensure security. Audit trails need to be created in order to ensure compliance. Red Hat sees identity management and configuration of machines converging through specialised workflows.

Due to the special nature of most identity management projects, an open source approach can be particularly advantageous. This is because extensive customisation and integration is often part of a deployment, and many parts of these customisations are shareable - something that does not typically happen as easily with shrink-wrapped commercial software. However, using open source identity management software has so far been elusive for many enterprises due to the lack of a strong partner. Red Hat’s acquisition of Identyx now allows Red Hat to enter the lucrative identity management market with a strong position and a credible offering of products, allowing customers to reap the full benefits of open source identity management by leveraging Red Hat’s unique experience and standing in the open source area. Unlike Novell and Sun, who also offer their own branded Linux open source platforms, Red Hat builds completely on open source. The strategy might pay off, but there is a long, steep road still ahead for Red Hat. The acquisition of Identyx has just made that road shorter, and is good news for Identyx’s and Red Hat’s existing customers. We at Kuppinger Cole will be analysing Red Hat in much more detail from now on.

Posted in Uncategorized |

BMC drops traditional identity management, focuses on Business Service Automation

25.05.2008 by Felix Gaehtgens

I was at the BMC User World conference in Lisbon last Tuesday, trying to figure out where BMC is going, specifically in the field of identity management. After all, BMC’s presence in that segment has been surprisingly low-key for several months. Last year, BMC was to be found at every major identity-related conference. Jeff Bohren, BMC’s identity guru, was very active in the standardisation efforts around provisioning services and in the identity bloggers’ community, and BMC was marked as one of the larger players in the identity space.

Since then, Jeff Bohren has left BMC to join Sunview Software. What we at Kuppinger Cole noticed here in Europe was that BMC’s complete identity management pre-sales team in the UK and Germany left around that time frame as well. It didn’t take a conspiracy theorist to figure out that something was up. Had BMC decided to follow HP and quietly discontinue its products, or integrate them in a broader environment? That’s what my colleague Martin asked me to find out, and besides, this was on “my turf” - right in Lisbon!

I scheduled a session with BMC’s CTO Tom Bishop and we discussed BMC’s vision and what the outlook for identity management is at BMC.

First of all: BMC is refocusing towards a new strategy around Business Service Management (BSM) and Business Service Automation. Identity plays an important part in a BSM-enabled ecosystem. BSM wasn’t something I was very aware of, but it made a fascinating topic. Therefore, I wanted to share some interesting background information that we received during the keynotes, and especially later in the break-out sessions from Tom himself.

In order to make the case for Business Service Management, an interesting statistic from IDG was presented. With higher complexity of IT systems, the cost of managing these systems also goes up. That should come as no surprise. As virtualisation and SOA become more widely adopted, the number of systems rises even further and complexity increases even more. What does that mean for enterprises? Well, increased server management and administration costs for one, plus additional power and cooling costs (virtualisation obviously helps mitigate the latter two, but again, more system management overhead). So are IT budgets due to increase? That is the last thing enterprises want to hear! So something’s gotta give, or things need to work more efficiently. Can IT run more efficiently? You bet, says BMC’s Tom Bishop. After all, after making every aspect of a business more efficient by automation, the IT departments are usually the largest places of manual labour to be found in any enterprise. Ironic, isn’t it?

BMC believes that there is a huge potential to automate the way that IT departments are being run, and is implementing its vision of Business Service Automation to offer its customers a complete solution to do just that. Business Service Automation, according to BMC’s vision, provides an integration layer to unify the “patchwork” of existing solutions that revolve around the provisioning of systems and software as well as compliance with internal IT controls. (BTW, here the words “provisioning” and “compliance” are used outside of the identity management context.) With BMC Atrium technology as a central component, and driven by a change management database (CMDB), service support, assurance and automation are integrated, unified and simplified. This drives down maintenance and systems management costs significantly (once you discount the price to pay for the BMC solution, presumably), and allows an enterprise’s IT landscape to grow whilst keeping the management costs at par.

My head was spinning and I was impressed at the same time. I did manage to regain my composure, however, and had the opportunity to quiz Tom Bishop directly on the future of identity management in BMC’s overall strategy. What is happening with the product line, and why does it seem that BMC has retreated from that space? Tom mentioned that last year, BMC had several business units, of which Identity Management was one - complete with a presales team. Now that has been reshuffled, however, and BMC sees identity as a piece of the overall Business Service Management strategy, and will therefore continue to integrate its identity management products seamlessly within this structure. However, BMC will cease to push “stand-alone” identity management products as it has done before. Customers can still buy the existing products as stand-alone solutions, but BMC will focus on the automation and overall integrated approach to service automation.

I tried to prod a bit to see whether there was any indication that BMC might try to fill some of the previous gaps in its “suite”, such as the missing federation piece. Here both Tom and I were caught in the ambiguity trap that opens when the words “federation”, or even “provisioning”, are used by people of different technology domains. We identity management folks think about something completely different when we mention “federation”. Tom was thinking about how the change database approach could be used in a federated approach to integrate different services. I later tried to find out whether it was necessary to buy BMC’s identity management components to integrate with the Atrium software and the Business Service Management stack that BMC offers. I did not get a clear answer. Apparently the integrated BSM solution is able to detect when new users join and leave the organisation, and an automatic provisioning of software and other services can be configured. Nobody could explain to me, however, whether or how this could be integrated with a non-BMC identity management system - although I am sure that this will be possible, given that it may not be palatable for future customers to install yet another identity provisioning system alongside an already running solution that has already been deployed - especially considering the pain and hard work that goes with deploying such systems!

So at least now it’s official! BMC is no longer a player in the traditional identity management market but is instead transforming its offerings to provide an all-integrated approach to automate IT through business service automation and management. Existing customers are still supported, and the products are maintained, but customers will have to look elsewhere for comprehensive identity management solutions, or at least buy the “missing pieces” from other vendors more active in the “pure” identity management sector.

Posted in Uncategorized |

HP passes the buck to Novell

16.05.2008 by Felix Gaehtgens

Hewlett-Packard, who recently announced that it would all but retreat from the identity management sector as an independent vendor, has just announced a partnership with Novell. That will settle the many speculations in the industry. As HP had made a significant investment into identity management products, someone would surely be picking up the pieces. And the winner is: Novell!

From the announcement that was made to the analyst community and the subsequent press release, it is pretty clear that HP is looking for an elegant way to divest itself of its product line. Of course, HP cannot and will not leave existing customers hanging, so the previous announcement from HP was to “not actively pursue new customers” for its identity management software anymore. Another way of putting it - but the message is clear: those products are no longer actively pursued, and the key employees have long moved on, such as Greg Whitehead, who came to HP from Trustgenix after it was acquired by HP.

If there is any doubt about the future of HP’s product line: Novell is offering a license credit for current HP Identity Center customers, and the press release makes frequent use of the word “migration”.

HP and Novell will now jointly develop tools to help their respective teams migrate customers away from Identity Center and towards the Novell product offering.

The win for Novell is obvious: a strong influx of new accounts, plus a strong partnership with a key systems player that has just a few days ago announced its intentions to strike it big with services as well - acquiring EDS. On the other side, what is the win for HP, apart from an honourable exit from its products? Surely, after the acquisition of EDS, a likely theory would be that there may be some good deals in the pipeline for HP’s new upscaled services division, working closer with Novell. But even though this may be the case, it is very unlikely that the EDS deal and the Novell partnership have had any effect on each other, and although Identity Management is a hot and growing space, it is just a fraction of what EDS did for its customers.

What will be interesting to see, however, is if and how Novell will take over some of HP’s IdM estate, and how this would be integrated within Novell’s solutions. The Trustgenix federation software, just to note one example, was superior technology at the time of acquisition and still presents a formidable stack for the implementation of federation solutions.

A very interesting detail is, however, not mentioned in the press release: this special partnership is not exclusive at all. This should perhaps be obvious, because HP partners with other companies who also have a significant identity management offering. Curiously, also, the press release was not even published in Germany. Although that may seem an insignificant detail, it has subtle implications: SAP is very strong in the German Identity Management field through its NetWeaver offering, and HP makes a lot of money through its partnership with SAP, and will want to keep its options open.

It will be interesting to see the reaction of HP’s Identity Center customers after this announcement. Some have already moved away from Identity Center, or are in the process of doing so. Novell has a well-rounded offering, but it might not always be the right match for existing HP Identity Center customers. Then again, it is likely that some technology gets transferred or licensed to Novell. For most existing Identity Center customers, however, this is good news, as it lays out a clear path for transitioning over to a solid product line that is established and actively maintained.

Posted in Uncategorized, hp, novell |

DEC 2008 - Day three

11.03.2008 by Felix Gaehtgens

WEDNESDAY, March 5th. Chicago, seems a tad warmer, but still too cold for my taste!

The last day of the conference was a short one for me - I had to leave around 11:30 to catch my plane. I had a nice long chat with Dieter Schuller from Radiant Logic, who brought me up to speed on their vision and technology. In my previous job Dieter and I were competitors, so we had a lot in common and of course knew each other’s products, but I got a much deeper understanding of Radiant Logic’s vision and approach to virtual directories. As I am currently writing Kuppinger Cole’s technology report on virtual directories (due before the European Identity Congress in April), this came in very handy. DEC 2008 has been an intense, and immensely rewarding experience, and my head is spinning! This has been my first, and it certainly won’t be my last!

Posted in Uncategorized |

Better late than never - my canned reports from DEC 2008

11.03.2008 by Felix Gaehtgens

It’s been an exciting last week, starting off with DEC 2008 in Chicago and ending with a roller coaster ride into JFK Saturday evening, on the way back to Europe. DEC, as always, is packed with interesting presentations from the best technology experts all around the topic of directories and identity management in the Microsoft technology space. Virtually all of the latest knowledge is packed into three full days, which sometimes unfortunately means that you have to make the very difficult choice of which presentation to go to when some really interesting ones take place at the same time. But that’s unavoidable, unless of course DEC were to be stretched out over two weeks - and I wouldn’t want to know what corporate travel departments would think about that! Luckily, rumour has it that slides to all of the sessions are available for those that went to the conference.

Unfortunately the WLAN card in my (almost) brand new HP collapsed and steadily refused service afterwards, so I was relegated back to the world of wireless-less Internetworking, which proved a challenge due to the business center closing at 7 and the wired connection in my room being without a link. Now that I have got it fixed (thanks, HP!) I’m back in business, so here are my two other reports from DEC 2008!

Posted in Uncategorized |

Why Liberty’s Identity Governance Framework is so important

25.02.2008 by Felix Gaehtgens

Over the last few weeks, the Liberty Alliance’s IGF caught my attention several times. Fulup Ar Foll and Jason Baragry, both working for Sun Microsystems, wrote a paper called “Next Generation of Digital Identity”. About a month ago, HP’s Marco Casassa Mont and Oracle’s Phil Hunt published an article in the “Sarbanes-Oxley Compliance Journal” entitled “Identity Governance Framework”. I’ve been wanting to blog about this for several weeks, but kept putting it off. Last week I had the fortune to be briefed by Prateek Mishra, Oracle’s Director of Security Standards, who explained in detail what the IGF was about and clarified some of the questions I still had.

In late 2006, several companies got together and created the Identity Governance Framework (IGF), an initiative of the Liberty Alliance. Originally driven by Oracle, other companies in the space quickly joined the effort. The purpose of the IGF is to provide an open architecture that addresses governance of identity-related information. This architecture is meant to bridge the gap between regulatory requirements and the lower-level protocols and architecture.

What does this mean and why is it so important? I like examples to understand things, so let’s start with a few of them. For a starter, many enterprises still have private identity data stored in many different data stores. Even though the trend is to minimise the number of “data silos” (places where identity data is stored), the reality is still that data can be found in many places. This creates a problem in our globalising society, where the HR department might be run in one country, the support desk in another, and a myriad of services outsourced to yet other locations. How can one ensure that the flow of data is controlled in such a way that all privacy laws are complied with? Another example could be a federated environment of several suppliers working together in order to process an order. The order is received by company A, which then sends out several orders for parts to companies B1, B2 and B3, who then ship everything to company C, which assembles everything and uses company D to ship out the finalised order to the customer.

In both cases, identity data is transferred and processed. How can the inherent risks associated with the creation, copying, maintenance and use of this data be mitigated? Who has access to what data for which purpose, and under what conditions? Ideally, policies on data usage are created by both the sources (attribute authorities) and the consumers (applications) of identity data. These policies can then be used for the implementation and auditing of governance. In other words: if you know what the rules are, express them in a policy, and make sure your policy is watertight when the next audit comes.

Exactly this is what the IGF attempts to create: a standardised mechanism for the expression and implementation of these policies. The IGF is working on several standards and components to make this happen. One of them is the CARML protocol. It defines application identity requirements, in other words what type of identity information an application needs, and what that application will do with that information. CARML stands for “Client Attribute Request Markup Language”, and yes, you’ve guessed right - it’s XML-based. As stated previously, CARML defines what attributes an application wishes to consume, and the privacy rules of the application: Will the data be persisted (stored) by the application? If so, for how long? What purpose is it used for? Will it be forwarded? When an application is then made available, administrators can review the CARML file for that application, ensure that privacy constraints are being met, and then connect the application to the respective data stores to make the information available.

On the other side of the spectrum there is AAPML, the “Attribute Authority Policy Markup Language”, which describes the constraints on the use of the provided identity information - under what conditions specific pieces of identity data are made available to applications, and how this data may be used, and possibly modified. For example: what part of the user’s data can be modified by the user directly at a self-service portal? Or: under which conditions may a marketing application use a user’s data, and what type of explicit consent needs to be given by the user? AAPML is proposed as a profile of XACML, the “eXtensible Access Control Markup Language”, so that AAPML policies can be consumed directly by a policy enforcement point (PEP) to enforce access control over the requests for identity data.

So now you can probably see where this is going. On one side, you have the applications, and CARML that specifies the identity information that they need. On the other side you have the identity data sources (attribute providers), and the policies under which they make data available. In the middle, an identity service can broker between both sides. This identity service can read the CARML requirements from the applications and the AAPML policies from the attribute providers, or use an external identity policy engine that enforces the AAPML policies.
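To make the brokering pattern of the last three paragraphs concrete, here is an added example (my own illustration, not IGF specification text or code from any IGF implementation): an application declares which attributes it needs and what it will do with them (the role CARML plays), an attribute authority declares the conditions under which each attribute may be used (the role AAPML plays), and a small identity service in the middle decides what gets released. The dictionaries and field names are a constructed, simplified model of those concepts, not the real CARML or AAPML XML schemas; the supply-chain scenario from the earlier paragraph (companies A to D) provides the sample data.

```python
"""Simplified model of IGF-style brokering between an application's declared
attribute requirements (CARML role) and an attribute authority's usage
policy (AAPML role). Constructed illustration: field names are NOT the real
CARML/AAPML schemas, they only model the concepts the post describes."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class AttributeRequest:          # stands in for one CARML attribute entry
    name: str
    purpose: str                 # what the application uses the value for
    persist: bool                # will the application store the value?
    retention_days: int          # how long it is kept if persisted (0 if not)
    forward: bool                # will it be passed on to a third party?


@dataclass
class AttributePolicy:           # stands in for one AAPML rule
    allowed_purposes: Set[str]
    max_retention_days: int      # 0 means the value must not be persisted
    forwarding_allowed: bool
    consent_required: bool       # release only if the user has opted in


@dataclass
class Decision:
    attribute: str
    permit: bool
    reason: str                  # audit-friendly explanation of the outcome


def broker(requests: List[AttributeRequest],
           policies: Dict[str, AttributePolicy],
           user_consent: Set[str]) -> List[Decision]:
    """Evaluate each application request against the authority's policy.
    Default deny: an attribute without a published policy is never released."""
    decisions = []
    for req in requests:
        pol = policies.get(req.name)
        if pol is None:
            decisions.append(Decision(req.name, False, "no policy published for attribute"))
        elif req.purpose not in pol.allowed_purposes:
            decisions.append(Decision(req.name, False, f"purpose '{req.purpose}' not allowed"))
        elif req.persist and req.retention_days > pol.max_retention_days:
            decisions.append(Decision(req.name, False,
                f"retention {req.retention_days}d exceeds policy maximum {pol.max_retention_days}d"))
        elif req.forward and not pol.forwarding_allowed:
            decisions.append(Decision(req.name, False, "forwarding to third parties not allowed"))
        elif pol.consent_required and req.name not in user_consent:
            decisions.append(Decision(req.name, False, "user consent required but not given"))
        else:
            decisions.append(Decision(req.name, True, "all constraints satisfied"))
    return decisions


def released_attributes(requests, policies, user_consent) -> List[str]:
    """Names of the attributes the identity service would actually hand over."""
    return [d.attribute for d in broker(requests, policies, user_consent) if d.permit]


# Constructed sample: the order-fulfilment application of company A, which must
# forward name and address to the shippers (B1..B3, C, D) and also wants e-mail
# for marketing and the customer's date of birth.
ORDER_APP_REQUESTS = [
    AttributeRequest("name", "shipping", persist=True, retention_days=30, forward=True),
    AttributeRequest("postal_address", "shipping", persist=True, retention_days=30, forward=True),
    AttributeRequest("email", "marketing", persist=True, retention_days=365, forward=False),
    AttributeRequest("date_of_birth", "shipping", persist=False, retention_days=0, forward=False),
]

# Constructed sample: the customer database's policy. No rule for date_of_birth.
AUTHORITY_POLICIES = {
    "name": AttributePolicy({"shipping", "billing"}, 90, True, False),
    "postal_address": AttributePolicy({"shipping", "billing"}, 90, True, False),
    "email": AttributePolicy({"shipping", "marketing"}, 30, False, True),
}

if __name__ == "__main__":
    for d in broker(ORDER_APP_REQUESTS, AUTHORITY_POLICIES, {"email"}):
        print(f"{d.attribute:15} {'PERMIT' if d.permit else 'DENY  '} {d.reason}")
```

Running it releases only name and postal_address: the e-mail request fails on the 365-day retention against a 30-day maximum, and date_of_birth is denied because the authority published no rule for it. Each denial carries its reason, which is the material an auditor would want to see when checking a CARML file against the attribute authority's policy.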

So why another set of protocols? Isn’t this already addressed in some other standards? Liberty’s ID-WSF springs to mind, or SAML 2.0’s AttributeQuery, SPML, or even - to a certain extent - WS-Trust’s Security Token Service. However, CARML and AAPML bridge a very important gap that is not addressed anywhere else: not how to request and receive attributes, but how to express the need and purpose of identity data, and on the other side the allowed use and conditions for its consumption. IGF’s framework conceptually fits seamlessly into architectures harnessing today’s frameworks and picks up where CardSpace, Higgins, Bandit and WS-Trust leave off.

In my mind, the IGF makes some very important contributions to important issues that have somehow “fallen through the cracks” in the last few years. The IGF’s standards ensure that privacy requirements can be met and audited against, and facilitate the secure and controlled exchange of identity data. This has the potential to fuel adoption of technologies such as federated identity, and open up business opportunities that were up to now constrained by uncertainty about privacy or a lack of tangible technology in that area. I will definitely keep the IGF on my radar!

© 2008 Felix Gaehtgens, Kuppinger Cole + Partner