Gerry Gebel joins Axiomatics

19.02.2010 by Felix Gaehtgens

My friend Gerry Gebel, long time Burton Group analyst is joining Axiomatics to ramp up the company’s US presence. I received an email from him that started by saying “I thought I would give you a nice surprise on a Saturday morning”… and indeed what a surprise that was!

I can definitely understand Gerry’s choice for Axiomatics. The company is new, up and coming, full of very smart people and way ahead of everyone else in the area of authorisation/access management. Axiomatics comes at the top places in my own personal “favourite innovative companies” list, together with Unbound ID, the latter continuing to amaze me by their determination (and skill!) to redefine directory services from the ground up and “do it properly”. Both Axiomatics and Unbound ID will in the near future surely conquer the Identity Management world as we know it! OK joke aside ;-)

Speaking of Axiomatics, the timing (for me, personally) was actually quite interesting, as I have just finished a report on the company’s “Policy Server” and “Policy Auditor”. This is due to come up on our site within the next week. The report focuses on strengths and weaknesses of the products, the contexts in which it is most useful, the areas in which it is way ahead of its competitors and where it still needs to catch up.

I’ve also had the pleasure of doing a few Webinars (here and here) with Axiomatics and also interviewed Babak at last year’s EIC. So congratulations both to Gerry and to Axiomatics, a great team has gotten another great addition!

New Webinar series on Claims

06.01.2010 by Felix Gaehtgens

It’s been a few years since Kim Cameron presented the Identity Metasystem around the concept of “Claims”. If you’ve been following Kuppinger Cole you know how positive we have been about this framework. Years later, Claims are a reality, and there are multiple platforms out there that support using them. We have been advocating the adoption of the Identity Metasystem’s concepts, and whilst not endorsing any particular platform per se, we acknowledge that there are several products out there that support this today. From our customers we often hear questions regarding the feasibility, questions about the approach and of course best practices for implementation. Naturally, there are questions around the software development cycle as well: do applications need to be fundamentally rewritten, or written differently to make good use of the identity metasystem? What should developers keep in mind to make their lives easier? How can applications be written to ease privacy and security?

I’m kicking off this new year with a brand new webinar series where we will focus on practical issues and implementation details. The Identity Metasystem is here today, and it’s here to stay, so let’s take advantage of it and unlock its potential. Without endorsing any product by itself, we’ll be looking at practical implementations – and indeed, products – to see how developers can harness the power of the Identity Metasystem today. Together with implementation tips, these webinars will feature good practices, and our guests are real experts in their particular implementation.

The format of this series is different from our regular webinars – they are not meant for decision makers, but for developers, architects and administrators, and are therefore technical in nature. If you’re interested in the topic and if you don’t mind seeing some tidbits of code thrown in there, then this is definitely for you. We’re extending an open invitation to open source projects and vendors – not to showcase their products – but instead to show how developers can use their APIs and services. Of course I have a side agenda here as well ;-) What I am hoping is that in the end this will promote interoperability – we’re sure that there are some similarities in APIs and services, and hope that vendors will standardise – as users learn more about these, they’ll put vendors under pressure to standardise their APIs and services :-)

Our first guests in the first webinar will be Dr. Steffo Weber and Abdi Mohammadi from Sun Microsystems. On Thursday the 14th of January at 17:00 MET (16:00 BST, 11:00 EST, 8:00 PST) they will show us how to harness Sun’s OpenSSO authentication and authorization mechanisms programmatically from any application (web applications, fat clients etc) via the following mechanisms:

- HTTP headers
- REST based web-service
- SOAP based web-service
- OpenSSO’s proprietary SDK

Steffo will demonstrate how to retrieve arbitrary user attributes from within a programme that is almost agnostic when it comes to technical details about the actual access management platform infrastructure (in this case, OpenSSO). Thus, using OpenSSO’s identity services does not require much knowledge about OpenSSO. In fact, it is easier to retrieve information from OpenSSO than e.g. from LDAP. Moreover, it can be used from any framework (Java, .Net, PHP, Ruby on Rails – you name it).

Steffo studied Computing Sciences in Bonn and Dortmund, Germany and holds a Ph.D. in theoretical computer science. He started as a security specialist at debis IT Security Services in 1997. In 2000 he started working for Sun Microsystems, and is an expert on highly scalable web environments, IT security and cryptography as well as identity and access management. Apart from being very knowledgeable in the field he is also an excellent speaker and has presented at our European Identity Conference last year together with his colleague Abdi Mohammadi.

Abdi is a Principal Field Technologist at Sun. With more than 20 years of industry experience, he has been responsible for the architecture, design, end-to-end testing and optimization of Internet facing infrastructures as well as providing business strategy assistance to some of Sun’s largest and most strategic customers. Currently he is focused on directory, access management and messaging solutions at Sun.

Q & A from the XACML/ABAC Webinar

27.10.2009 by Felix Gaehtgens

On the Webinar that Babak and I did on ABAC and XACML three weeks back, there were quite a few questions that popped up! Unfortunately we did not have time to answer all of them during the webinar, so we promised that we would collect them and answer them afterwards.

BTW today there is another webinar on a related topic: The Critical Role of XACML in SOA Governance and Perimeter Web Service Security

Q: Please, specify the major difference between role mining (role consolidation based on role attributes) and the privilege giving mining approach?

A: (Babak) Role mining is about finding groups of permissions that can be bundled in terms of roles that can then be assigned to users. The idea of privilege-giving attribute mining is to find those attributes that affect permissions and use them to create access rules. Let’s take an example. In a business application, users may have been assigned permissions to Create and Release Purchase Orders, to Maintain Vendor Master data, Release Requisitions, Register Service Entry and Release etc. In a role mining project doing a bottom-up survey of permissions, an analysis of these permissions and how they are grouped into roles will be made. If a role called Purchasing combines all of the above permissions, we would probably identify a Segregation of Duties violation between the rights to Release Purchase Orders and the right to Maintain Vendor Master Data. As a result we would suggest remodeling of the Purchasing role to avoid the conflict. In a top-down approach, Role mining is about identifying a role in business critical processes that will need to be entitled with certain permissions in order to serve its purpose in that process. Role mining projects are typically about top-down and bottom-up combined, which in the end will lead to considerable efforts to map permissions to roles in such a way that everyone is able to do his or her job without acquiring excessive permissions – quite a daunting task.

An Attribute Mining project would, very much like the top-down approach in role mining, start with business processes to define which RULES for access can be derived. Example: Attestation of purchase orders exceeding the amount of $xx can only be made by users who a) belong to the cost center charged and b) have a management level of 10 or higher. From this rule we can derive that the following attributes are privilege-giving: a) the user profile’s cost center assignment, b) the user’s management level, c) the purchase order’s cost center and d) the purchase order’s amount. To verify, these attributes would allow a rule to be formalized like this: If user.costcenter = purchaseorder.costcenter and user.managementlevel>=10 and purchase.amount<=$xx then permit else deny.

Q: Tell me more / define better what you mean when you talk about a missing context of the RBACs model?

A: (Babak) What we argue is that RBAC is a static model which makes it difficult to capture the context that may affect an access decision. If we try to capture the context for an access in terms of roles then we will easily get a role explosion. We may for instance need to differentiate permissions depending on time of day – some users have access only during normal business hours whereas others have 7*24 access. This could lead to the creation of two roles, one for normal business hours, one for extended access. Add other context-related conditions such as remote login, authentication strength, line encryption etc. and we end up with the need to capture very many different roles. It is worth noting that normal ERP systems typically need to handle very large numbers of roles (thousands) internally to capture all their user permissions. If a combined role structure from multiple ERP systems must be established with contextual aspects included, role explosion issues simply become unmanageable.
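As an added illustration (not code from the webinar, from Axiomatics or from the OASIS XACML specification), the following Python encodes the attestation rule formalised in the first answer and the time-of-day context from this one as attributes evaluated by a small policy decision point, with the clock as just another attribute source. The attribute names, the 10,000 threshold standing in for "$xx", the business-hours window and the sample users and orders are constructed assumptions.

```python
"""Minimal attribute-based access control (ABAC) evaluator (added example)."""
from datetime import datetime

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
AMOUNT_THRESHOLD = 10_000      # stands in for the "$xx" of the webinar's rule (assumption)
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59, a constructed assumption


class PolicyInformationPoint:
    """Resolves attributes from named sources on demand.

    A source is a dict or a zero-argument callable. The environment source wraps
    a clock, so nobody has to maintain a 'time of day' attribute by hand."""

    def __init__(self, sources):
        self._sources = sources

    def get(self, category, name):
        source = self._sources[category]
        bag = source() if callable(source) else source
        return bag.get(name)


def attestation_rule(pip):
    """The formalised rule from the Q&A: if user.costcenter = purchaseorder.costcenter
    and user.managementlevel >= 10 and purchaseorder.amount <= $xx then permit else deny."""
    if pip.get("action", "id") != "attest-purchase-order":
        return NOT_APPLICABLE
    same_costcenter = pip.get("user", "costcenter") == pip.get("purchaseorder", "costcenter")
    senior_enough = (pip.get("user", "managementlevel") or 0) >= 10
    within_limit = (pip.get("purchaseorder", "amount") or 0) <= AMOUNT_THRESHOLD
    return PERMIT if same_costcenter and senior_enough and within_limit else DENY


def business_hours_rule(pip):
    """Context condition: outside business hours only users flagged for 7x24 access
    may continue. With RBAC this would need a second 'extended access' role per role."""
    if pip.get("environment", "hour") in BUSINESS_HOURS:
        return NOT_APPLICABLE
    return NOT_APPLICABLE if pip.get("user", "extended_access") else DENY


def decide(pip, rules=(attestation_rule, business_hours_rule)):
    """Deny-overrides combining: any Deny wins, then any Permit, else NotApplicable
    (which a policy enforcement point would treat as 'no access')."""
    results = [rule(pip) for rule in rules]
    if DENY in results:
        return DENY
    if PERMIT in results:
        return PERMIT
    return NOT_APPLICABLE


def evaluate_request(user, purchase_order, action, clock=datetime.now):
    """Builds the attribute sources for one request and returns the decision."""
    pip = PolicyInformationPoint({
        "user": user,
        "purchaseorder": purchase_order,
        "action": {"id": action},
        "environment": lambda: {"hour": clock().hour},  # the clock as attribute source
    })
    return decide(pip)


# Constructed sample attributes; a real deployment would pull these from HR/ERP systems.
MANAGER = {"costcenter": "CC-4711", "managementlevel": 12, "extended_access": False}
ON_CALL_MANAGER = dict(MANAGER, extended_access=True)
PURCHASE_ORDER = {"costcenter": "CC-4711", "amount": 5_000}
LARGE_ORDER = {"costcenter": "CC-4711", "amount": 15_000}


def sample_decisions():
    """Runs the scenarios discussed above; returns the five decisions in order."""
    day = lambda: datetime(2009, 10, 27, 10, 0)
    night = lambda: datetime(2009, 10, 27, 22, 0)
    attest = "attest-purchase-order"
    return (
        evaluate_request(MANAGER, PURCHASE_ORDER, attest, day),          # Permit
        evaluate_request(MANAGER, LARGE_ORDER, attest, day),             # Deny: over $xx
        evaluate_request(MANAGER, PURCHASE_ORDER, attest, night),        # Deny: after hours
        evaluate_request(ON_CALL_MANAGER, PURCHASE_ORDER, attest, night),  # Permit: 7x24 user
        evaluate_request(MANAGER, PURCHASE_ORDER, "view", day),          # NotApplicable
    )


if __name__ == "__main__":
    for decision in sample_decisions():
        print(decision)
```

Adding a new context condition (remote login, authentication strength) is one more rule reading one more attribute, not a multiplication of roles.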

Q: I didn’t quite get the difference between attribute based access control and rule based access control. Can you elaborate?

A: (Felix) In a nutshell, the main difference between ABAC and RBAC is that RBAC revolves around the concept of the role. ABAC can use any attributes (including the role) so it is much more flexible.

A: (Babak) Attribute based access control is not in conflict with rule based access control. Rule based access control is about creating rules defining access permissions, but if these rules are based on attributes then we have a type of attribute-based access control.

Q: I understood there exists a better way in comparison to the RBAC model, but a language is not enough at all. You need a product which combines both. Is this the message you want to send out here?

A: (Babak) Well, the purpose of the workshop is to present the concept of ABAC and how it solves some of the common and well-known issues with RBAC. But you are right that we also need products to support this new approach. Axiomatics has a complete product suite to support XACML policy life cycle management 360. Most vendors of business applications and IAM products also have more or less elaborate support for XACML built in.

Q: Is there a defined migration path from an established RBAC model to an ABAC model?

A: The OASIS XACML committee has released an XACML Profile for Role Based Access Control (RBAC) which can be used as a basis for migration projects. That said, one naturally needs to be aware of the constraints given by the architecture of legacy systems – “converting” an existing RBAC-based business application to an ABAC-based model may require a considerable effort. In some instances it may be more attractive to implement connectors that can provision attribute-based rules from a Policy Administration Point to application specific rule configurations which in turn may be RBAC based.

Q: How do you manage attribute based access to multiple resources? Traditionally, privilege attributes are bundled into roles and are assigned to users. If you have many attributes that control access to resources, doesn’t that increase the administrative burden?

A: No, as we said in the presentation, most likely far fewer attributes will be needed to define access permissions than the number of roles. This is because we will define access rules based on the attributes rather than representing different sets of permissions in terms of roles.

Q: Sounds like this method will have significant application impact – can you respond to this concern?

A: Yes, we believe that many applications will in the future implement the XACML request-response protocol. Already today, most large vendors of Identity & Access Management products or applications that handle business critical data have some sort of “XACML story”.

Q: Is ABAC related to Claim Based Authentication? Are they like corresponding concepts?

A: (Babak) Yes, one way to see claims is as provisioning of attributes to the access control system, so these are definitely complementary technologies.

A: (Felix) Authentication and authorisation are two different concepts, but of course they are related: authentication tells us who the user is, and then authorisation tells us whether the user is allowed to do something. The concept of Claim-based authentication is based on the fact that a “Claim” will already deliver attributes to an application. What happens then? These attributes could be made available to the authorisation engine.

Q: Are there any good resources and real world examples to get started with ABAC?

A: (Babak) Well, a good place to start is the XACML TC page. Axiomatics also has a very informative website (www.axiomatics.com) with all introductory information regarding ABAC and XACML.

A: (Felix) We have also recently released an XACML Technology report that is available from our web site.

Q: RBAC seems quite static in maintenance after implementation. ABAC seems intensive in maintenance, since attribute values vary over time (daily, hourly etc). Would it not make maintenance costs more expensive and more complex?

A: (Babak) Well this is really the other way around. The idea is not to change the time attribute manually but to fetch the data from the right attribute source which is perhaps a clock.

A: (Felix) To add to Babak’s point there: ABAC will make use of information that already exists in an enterprise. The initial maintenance cost would be to deliver those attributes to the policy decision engine. And for that, good technology such as virtual directories already exists.

Google makes changes to Android Market, but many are still unhappy

28.09.2009 by Felix Gaehtgens

Under immense pressure from users and developers, Google has recently announced some changes to Android Market. But this may turn out not to be enough. Even though sales for mobile phones with Google’s Android operating system are ramping up, developers find it hard to make money on that platform. A recent bombshell was a blog post from Larva Labs towards the end of August. Larva Labs’ average income for all Android paid applications was only $62.39 per day – and that included games that are ranked #5 and #12 in the Android Market. This is a tiny figure when compared to Apple’s App Store, where a #5 position earns around $3500 a day according to sales figures from app vendors.

If developers cannot make a profit from their Android offerings, they will turn away from the platform. As of today, the Google Android Market forums are full of gripes from Android developers trying to sell their software. A common complaint is about the way that applications are displayed in the Android Market. Up to now, developers could not post screen shots and were limited to a 325 character description of their program. Google has since announced that this limitation would be lifted in version 1.6 of the Android platform, which has been released recently.

Another frequent complaint is that Android users from many countries cannot buy applications at all. Users from other countries cannot even access free applications through the Android Market. Nor can developers in many countries sell their applications – instead, they are forced to hold them back or offer them for free. The only “supported” countries for paid applications are Austria, France, Germany, Netherlands, Spain, US, and UK and (since very recently) Italy. Users from those countries can buy applications, and developers from those countries (plus Japan) can sell applications.

That leaves many users and developers standing in the rain. Google is aware of the problem and states that it is “working hard” on this issue, but users are not convinced. Some of them are livid: “Who is sleeping behind his desk [at Google]?” demands an angry Swiss user who has bought an Android handset just to find out that he cannot buy applications. Others are clueless: “Nokia doesn’t restrict countries with Ovistore [the equivalent of the Android Market for Nokia's phones]. This is so unlike Google. Why are they punishing us for investing into their platform?” asks a Swedish game developer.

In the last two months, only one new “supported country” for paid applications has been added: Italy. This slow pace is hurting Google’s image in many countries, as handsets are being offered in countries but users effectively shut out of the Android market. But an even more serious side effect is starting to show: piracy. As users have no way to legally buy applications that they want, some are turning to illegal Android distribution sites, which are proliferating on the Internet.

The discussion forums are buzzing with developers complaining about being shut out. Others (from “supported” countries) are offering to resell applications from those that are shut out of the Market because of their location. Alternative distribution channels are also under discussion, but many developers believe that these pale in comparison with native market applications such as Apple’s App Store that come with the handsets.

But Google is aware of the problem. When asked, a Google spokesperson replied: “We’ll add support for additional countries in the coming months, but we have nothing to announce at this time”. Until then, many developers will need to make a difficult decision on whether they can make money on the Android platform.

Beyond RBAC

28.09.2009 by Felix Gaehtgens

Please join me tomorrow for a free Webinar on the topic “Beyond Role Based Access Control – the ABAC Approach“.

Many – if not most – organisations are not getting as much value as they thought from RBAC (role based access control). In fact, many RBAC projects start with high expectations, but quickly get bogged down due to many issues and problems. Eventually it turns out that the initial expectations were too ambitious. But why? Is RBAC making promises that are difficult to keep?

Many in the industry (Babak and myself included) think that this is due to the fact that the real world just happens to be too complex to model efficiently with RBAC. This means that organisations must be realistic about what they can achieve with RBAC, and mitigate some of its shortcomings. But isn’t there a better way? There certainly is, and that’s what we’ll be speaking about tomorrow. There’s nothing wrong about roles per se, but we need to add more context to them. Then finally, we can reap the full benefits of agile access management, reach and even surpass the value that was expected from troubled RBAC projects.

I am delighted to speak again on a Webinar with Babak Sadighi, CEO and one of the founders of Axiomatics. Babak and his colleagues are an extremely smart bunch of people who are very passionate about access control. They have researched the topic for many years. I’ve interviewed Babak at the last European Identity Conference, which you can see here. So if you’re interested in access and role management, please join us tomorrow, I promise that you will not be disappointed :-)

Microsoft: minimum disclosure about minimum disclosure

03.08.2009 by Felix Gaehtgens

A good year ago, Microsoft acquired an innovative company called U-Prove. That company, founded by visionary Stefan Brands, had come up with a privacy-enabling technology that effectively allows users to safely transmit the minimum required information about themselves when required to – and for those receiving the information, a proof that the information is valid. For example: if a country issued a digital identification card, and a service provider would need to check whether the holder is over 18 years of age, the technology would allow exactly that – instead of having to transmit a full data set, including the date of birth. The technology works through a complex set of encryption and signing rules and is a win-win for both users who need to provide information as well as those taking it (also called “relying parties” in geek speak). With the acquisition of U-Prove, Microsoft now owns all of the rights to the technology – and more importantly, the associated patents with it. Stefan Brands is now part of Microsoft’s identity team, filled with top-notch brilliant minds such as Dick Hardt, Ariel Gordon, Mark Wahl, Kim Cameron and numerous others.

Privacy advocates should be (and are) happy about this technology because it effectively allows consumers to protect their information, instead of forcing them to give up unnecessary information to transact business. How many times have we needed to give up personal information for some type of service without any real need for this information? For example, if you’re not shipping anything to me… what’s the point of providing my home address? If you are legally required to verify that I’m over 18 (or 21), why would you really need to know my credit card details and my home address? If you need to know that I am a customer of one of your partner banks, why would you also need to know my bank account number? Minimum disclosure makes transactions possible with exactly the right fit of personal details being exchanged. For those enterprises taking the data, this is also a very positive thing. Instead of having to “coax” unnecessary information out of potential customers, they can instead make a clear case of what information they do require for fulfilling the transaction, and will ultimately find consumers more willing to do business with them.

So all of this is really great. And what’s even better, Microsoft’s chief identity architect, Kim Cameron, has promised not to “hoard” this technology for Microsoft’s own products, but to actually contribute it to society in order to make the Internet a better place. But more than one year down the line, Microsoft has not made a single statement about what will happen to U-Prove: minimum disclosure about its minimum disclosure technology (pun intended!). In a post that I made a year ago, I tried making the point that this technology is so incredibly important for the future of the Internet that Microsoft should announce its plans for what to do with the technology (and the patents associated with it).

Kim’s response was that Microsoft had no intentions of “hoarding” the technology for its own purposes. He highlighted however that it would take time to do this – time for Microsoft’s lawyers, executives and technologists to iron out the details of doing this.

Well – it’s been a year, and the only “minimum disclosure” that we can see is Microsoft’s unwillingness to talk about it. The debate is heating up around the world about different governments’ proposals for electronic passports and ID cards. Combined with the growing dangers of identity theft and continued news about spectacular leaks and thefts of personal information, this would really make our days. Unless you’re a spammer or identity thief of course.

So it’s about time Microsoft started making some statements to reassure all of us what is going to happen with the U-Prove technology, and – more importantly – with the patents. Microsoft has been reinventing itself and making a continuous effort to turn from the “bad guys of identity” of a decade ago (in the old Hailstorm days with Microsoft Passport) into the “good guys” of identity with its open approach to identity and privacy protection and standardisation. At Kuppinger Cole we have loudly applauded the Identity Metasystem and Infocards as a ground-breaking innovation that we believe will transform the way we use the Internet in the years to come. Now is the time to really start off the transformative wave of innovation that comes when we finally address the dire need for privacy protection. Microsoft has the key in its hands, or rather, locked in a drawer. C’mon guys, when will that drawer finally be opened?

Hooray, LDAPcon 2009 is coming up!

16.06.2009 by Felix Gaehtgens

I was delighted when I saw that LDAPcon is happening again this year. I went to the first event in Cologne, Germany in 2007, and was very impressed. When you have the “creme de la creme” from the LDAP community talking about their favourite topic, you’re guaranteed an interesting and exhilarating time – assuming that LDAP and directories are your thing.

I still remember last time how Howard Chu gave us a musical demonstration of how a well-performing directory should perform – on the violin! I don’t think anybody forgot that. We also got a very good overview of the different open source projects around directories, and about how to make good use of some of the LDAP extensions.

This time, we’ll also have two action-packed days, and the call for papers is open. I encourage everybody to share their best practices, vision and thoughts and make this an unforgettable event as well. I’ll be submitting for sure :-)

LDAPcon takes place in Portland and starts on September 20, a day before LinuxCon. The second day will be shared with LinuxCon, it seems. Might as well stay for LinuxCon as well! This is a good event not just for directory vendors and project maintainers, but especially also for those who deploy and run LDAP directories in challenging environments, and those who develop software that talks to LDAP servers. Kudos to the Symas guys for helping organise it (and they are just helping to organise it – it’s not at all an OpenLDAP conference, if that is what you’re thinking). I’m definitely looking forward to it!

BTW I just saw that Ludo wrote about it as well, and even posted some photos from the 2007 event.

UnboundID launches frontal attack on Sun – good idea??

11.06.2009 by Felix Gaehtgens

I recently received a press release from UnboundID announcing the availability of a new “synchronization server”. This software keeps two LDAP servers in sync (as the name suggests) – bidirectionally. In theory very useful, and it’s free too. But there’s a small trick: the synchronization server supports both Sun’s DSEE (Directory Server Enterprise Edition) and the new Unbound ID Directory Server. In the release, Unbound ID makes no secret of what this software should be used for: to migrate away from Sun’s directory toward Unbound ID’s competing solution.

UnboundID is a start-up based out of Austin, TX. It was founded by several ex-Sun employees, including Neil Wilson, author of the “slamd” load generation engine, and formerly one of the key people behind Sun’s OpenDS. I have already raved about their new LDAP SDK for Java, in my opinion the finest and most complete LDAP development kit for any language ever written.

The company is going after the very lucrative Telco and large service provider market, and launched a frontal attack on Sun Microsystems, who is the market leader in that space. UnboundID is offering a 30-40% reduction in yearly maintenance costs if customers switch from DSEE to their solution. Of course there is the usual fine print, and this offer is limited to medium-sized directories with less than two million entries. Why should Sun customers switch from DSEE to UnboundID Directory? According to UnboundID, their server is faster, has less footprint and is supported on a wider platform range.

It is not really obvious to me however why Telcos and large service providers would want to switch. For one, DSEE has been the de-facto market leader for massive-scale directory services, and customer satisfaction is high (not just if you believe the marketing – I’ve personally heard the same from Telcos using the product). A directory server running in a Telco is an absolutely super-critical component, and ripping it out and replacing it is akin to heart surgery. DSEE is very mature after having been around for many years and the kinks have been ironed out in many very large deployments a long time ago already (in fact, I was in one of those deployments in 2002 – that was fun). UnboundID would obviously need to make a very good case and give organisations a high level of assurance for them to switch over. The Telco sector is much more innovative than others, and tends to be on the bleeding edge of technology – but even so, there is a reluctance to switch from a very mature product that “just works” to a brand-new product.

That’s why UnboundID offers the “synchronization server” in order to try to entice organisations to run both directory servers next to each other for a longer period – to evaluate and eventually become comfortable enough with the UnboundID server to make the switch. It seems that the “synchronization server” has been written specifically for this purpose.

Which, personally speaking, I think is a bit of a pity, but hopefully UnboundID will realise the immense value that this synchronisation server could have once they’ve gotten over their frontal attack on Sun. A generic synchronization server that would keep multiple directories from multiple vendors synchronised is a fantastic value proposition, and I’m sure many organisations would jump at it. Especially when it comes from such brilliant minds as Neil Wilson, who is known for his awesome LDAP stuff.

Sun integrates MySQL with IDM Offering

22.04.2009 by Felix Gaehtgens

Sun Microsystems has just announced at the annual MySQL Conference that it is adding extended support for MySQL into its Identity Management stack. That’s great, but what does it mean? For one, MySQL is hugely popular – starting off as an embedded open source database, and slowly but surely pushing into the enterprise RDBMS area over the years. Most enterprises use MySQL somewhere – some of them use MySQL strategically (i.e.: if you need a database, consider MySQL as one of the options, or even as the default option).

So what does this have to do with identity management? Most databases are used by applications, and many of these applications have some user schema in their databases. This means that identity information is widely dispersed through very many different databases throughout the enterprise, like a mosaic. Identity management over the years has been making the promise to consolidate, bind together and manage identity information, and Sun Microsystems has an extensive identity management offering that does exactly that. Sun’s added support for MySQL with their entire identity stack takes this to a new level by allowing organizations to bind together data regardless of whether it is stored in a classic directory or a relational database.

For one, Sun Microsystems has enhanced and strengthened the links between MySQL and the two directory servers: DSEE and OpenDS. DSEE (Directory Server Enterprise Edition) is Sun Microsystems’ flagship directory server that combines essential enterprise features with carrier class scalability. OpenDS started off as a project to be Sun’s next generation directory product line, and is very successful as an embedded directory. In several years, OpenDS is due to replace Sun’s current flagship directory server, DSEE (Directory Server Enterprise Edition).

The enhanced integration brings numerous advantages to both enterprise and telco directory scenarios, and I’ll go through them briefly. Let’s start with the Telcos, as it is always impressive to talk about massive scalability, availability and speed. MySQL can be used as a back-end data store for OpenDS, Sun’s open source directory server. According to an announcement made yesterday, OpenDS Standard Edition can be integrated with MySQL Cluster. When used together, OpenDS provides the LDAP directory front-end to a rock-solid, clustered relational database. This is really interesting for Telcos, service providers and other very large directory users that need scalability and have very high availability requirements. Using a clustered relational database such as MySQL Cluster as a back-end for OpenDS allows administrators to gain extra flexibility for data management, which comes in really handy when the amount of data is massive. It also gives more options for providing a non-stop directory service. LDAP directory servers are typically deployed as a set of equivalent multi-master servers – each “master” managing an autonomous copy of the data set. A replication mechanism is then used to keep all masters in sync. Now add the clustering features, and the resulting mix is like a swiss army knife for those that need the ultimate flexibility and resilience in directory services.

In fact, after this integration, OpenDS and OpenLDAP are the only directory servers that allow users to choose either a “traditional” Berkeley DB based embedded back-end or a relational database back-end. The former is great for enterprises that prefer a maintenance-free, zero-administration back-end, and because of this many directory servers have traditionally used Berkeley DB. The latter, using a fully-fledged relational database as a back-end for directory servers, opens up many possibilities in terms of data management, but is more difficult to manage. Traditionally, users had to choose a different product depending on whether the priority was ease of maintenance or sophisticated data management features when choosing a directory server. Now OpenDS users have a choice within the same product. But not just OpenDS: Sun is actually licensing MySQL Cluster as “MySQL Cluster Carrier Grade Edition” to be used either with OpenDS or OpenLDAP. I know quite a few LDAP directory administrators working in large telcos, and I’m sure they’re thrilled.

On the enterprise side, Sun has added virtual directory features to DSEE to easily link into MySQL databases. This means that data that used to be stashed away in MySQL databases can now be made available easily through the LDAP protocol. Being an advanced feature of virtual directory servers, it shows Sun’s commitment to extend their virtual directory offering.

But MySQL support has not just been enhanced in Sun’s directory servers. Sun Identity Manager can read and provision identity data to and from any MySQL database schema, and can now even use MySQL as its primary internal data repository. Role Manager can use MySQL as its identity warehouse. OpenSSO can also use MySQL as an identity repository. In a way this was to be expected when Sun acquired MySQL a bit more than a year ago – to start building on its acquired RDBMS platform and integrate it with its other offerings, in this case Identity Management. It is actually quite impressive how fast this integration has happened when compared to other vendors who take considerably longer “digesting” acquisitions and combining them to maximise value.

The wild ride that was TEC 2009

29.03.2009 by Felix Gaehtgens

I just came back from this year’s Expert conference, TEC 2009. Last year it was still called the “Directory Expert’s Conference” (DEC). This year the conference has been extended to include training on Microsoft Exchange as well, hence the name change. And of course not to forget that Quest has taken over Netpro – but has this really changed the scope or focus of TEC? Not at all, as was very immediately visible from the start, with a very funny introductory video. It started off just like a very glitzy marketing presentation that turned quickly into a hyperbole of fuzzy marketing buzzwords and photos of smiling executives. The initial bemusement turned into bewilderment, and quickly I could see some rolling eyes and frowns around me, just when the marketing fuzz stopped right in the middle of it, and into the video stepped the image of Gil Kirkpatrick, DEC’s founder and Quest’s Chief Architect who, looking annoyed, asked the marketing voice what all of this was about. Nothing at TEC was going to change from what DEC was – this was no marketing trade show, but rather a place for people to learn and exchange experience about Microsoft products – specifically Active Directory and Exchange. The video then stopped to make place for the real Gil Kirkpatrick coming on stage to a big applause and delivering the welcome speech.

As a sign of the times, the conference was somewhat smaller than last year – the organisers spoke about a difference of about 30% of attendees compared to last year’s DEC. When Gil asked the audience who had to jump through extra hoops to get to TEC, several hands flew up. Those who went, however, had an excellent, varied and carefully balanced programme waiting for them. As with all conferences, it can sometimes be a challenge picking a presentation to go to from multiple presentations going on at the same time. I was very pleasantly surprised to see that some key presentations were given more than once so that I could attend them even though I had missed them the day before. Also, presentations were recorded this time and will soon be made available to attendees, which especially for me is an additional value.

The “day before” – i.e. Sunday – several pre-conference workshops had already been given. This was a tough decision for me, as I was torn between going to Laura Hunter’s workshop on ADFS and Bahram Rushenas’s workshop on codeless provisioning with ILM 2. I chose ILM and the workshop turned out to be very informative, as it gave me a very good glimpse into codeless provisioning with ILM. I still felt sad to have missed Laura’s ADFS workshop, which received high praise (which did not surprise me, as Laura is a passionate expert on this topic, as well as a gifted speaker). But one can’t have everything! ;-)

The second workshop was again on ILM. Dave Lundell, a DEC veteran and one of the most knowledgeable sources on ILM that I have met to date, presented on the topic “Taming the Chaos – Building a Practical Lifecycle Mgt. Application in the ILM “2” Portal”. I knew it was going to be good because I already attended (and raved about) his ILM 2 workshop last year at DEC. This one turned out to be a truly wild ride! Dave and his colleague Brad Turner from Ensynch pushed the envelope by demonstrating what I’ve often heard but never really seen “in action”: that ILM 2 is more than just a provisioning tool, but in fact a whole platform that allows all kinds of lifecycle management for enterprise data. He took an excellent example out of the world of enterprise IT: OID (Object Identifier) management. Enterprises can receive an OID tree within the “private enterprise” branch by requesting it from IANA. This OID tree can then be used to number enterprise-specific schema extensions, SNMP objects and other things that need an OID and are used within an enterprise. The OID space should be properly managed in order to give it the correct structure and to make sure that no OID is assigned twice. This unfortunately is very rarely done in any enterprise – perhaps because of its technical nature and because the negative effects are usually not visible immediately when the OID tree space is not managed properly – and there are few who “do it right” and properly manage their OID space. Dave and Brad showed how to implement OID management with ILM 2. This was very interesting because it gave us participants a deep dive into the guts of ILM 2, its data structures and workflow possibilities. It also really pushed ILM 2 to its current limits. Ensynch has written several custom workflows and contributed them via the codeflow web site in order to get around some current limitations in ILM 2. Those guys continue to amaze me.
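As an added example that is not part of the original post or of Ensynch’s ILM 2 workflows, here is a small Python registry for an enterprise OID arc that enforces the two properties mentioned above: a fixed structure of purpose sub-arcs, and no OID assigned twice. The enterprise number 99999 and the numbering of the schema/SNMP sub-arcs are constructed assumptions, not real IANA assignments.

```python
"""Toy OID registry for one IANA private-enterprise arc (added example)."""
import re

# IANA hands out private enterprise numbers under this branch
PRIVATE_ENTERPRISE_ARC = "1.3.6.1.4.1"
# dotted arcs of non-negative integers, no leading zeros, at least two components
_OID_RE = re.compile(r"^(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+$")


class OidRegistry:
    def __init__(self, enterprise_number, purposes):
        # purposes maps a name to a sub-arc, e.g. {"schema": 1, "snmp": 2};
        # this is the "structure" that the enterprise tree is given
        self.root = f"{PRIVATE_ENTERPRISE_ARC}.{enterprise_number}"
        self.purposes = {name: f"{self.root}.{arc}" for name, arc in purposes.items()}
        self.assigned = {}  # oid -> description of what it identifies

    @staticmethod
    def validate(oid):
        if not _OID_RE.match(oid):
            raise ValueError(f"malformed OID: {oid!r}")
        return oid

    def register(self, oid, description):
        """Record an explicitly chosen OID; reject stray or duplicate assignments."""
        oid = self.validate(oid)
        if not any(oid == p or oid.startswith(p + ".") for p in self.purposes.values()):
            raise ValueError(f"{oid} is outside the managed arcs of {self.root}")
        if oid in self.assigned:
            raise ValueError(f"{oid} already assigned to {self.assigned[oid]!r}")
        self.assigned[oid] = description
        return oid

    def allocate(self, purpose, description):
        """Hand out the lowest child arc under a purpose arc that nothing uses yet.
        A child counts as used if it, or anything below it, has been assigned."""
        parent = self.purposes[purpose]
        used = {int(oid[len(parent) + 1:].split(".")[0])
                for oid in self.assigned if oid.startswith(parent + ".")}
        n = 1
        while n in used:
            n += 1
        return self.register(f"{parent}.{n}", description)


def try_register(reg, oid, description):
    """Return the rejection reason instead of raising (None when accepted)."""
    try:
        reg.register(oid, description)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    reg = OidRegistry(99999, {"schema": 1, "snmp": 2})  # constructed enterprise number
    print(reg.allocate("schema", "employeeBadgeNumber attribute type"))
    print(try_register(reg, "1.3.6.1.4.1.99999.1.1", "second attempt at same OID"))
```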

Of course, the news about Microsoft’s delaying ILM 2’s official release for a whole year put a bit of a damper on the party. Disappointment was tangible from customers and vendors alike. I can certainly understand that although ILM 2’s maturity has evolved since last year, Microsoft wants to play it safe and gain some more experience with deployments, and iron out some kinks that are still present in the current beta version. That however doesn’t help those partners of Microsoft who have made a significant investment for ILM 2’s supposed imminent release. Gemalto, for example, was poised for a big launch and threw a big party that, well, was still a great party, although with excitement rather muted because the cause for the celebration was gone. Attendees were also very disappointed, many of them having come to TEC specifically for the purpose of sharpening their skills in order to prepare for an imminent deployment of ILM 2.

But back to positive aspects of TEC 2009, which were many – and you obviously can’t blame Quest or TEC for Microsoft delaying ILM 2! The first presentation I went to was Brian Puhl presenting on his experience over the last few years rolling out federation agreements. As one can expect from Brian, it was interesting, funny and thoughtful. Of the lot of information provided I especially liked Brian’s experience with the entirely non-technical problem around creating trust agreements – and the multiple iterations of procedures that Microsoft went through until they had a model that actually works. In the beginning, there was the list of the “10 commandments” – you shall do this, you may not do that, and you must do it like this, and so on. The resulting list was probably bullet proof from the standpoint of mitigating every conceivable risk, but turned out to be so draconian that nobody, not even Microsoft’s own departments, could comply with it. The next iteration was an extensive questionnaire about the state of security and management of identities that a partner had to fill out. The problem there was that many partners certainly did not want to divulge all this information about their internal controls and security subsystems that they thought were confidential. The next iteration then was a definition of a lowest common denominator “bar” that a partner had to jump over in order to qualify for federation. Three “bars” were defined with different classifications for non-critical, medium-value, and high-value and confidential content. To qualify, a partner had to vouch that certain criteria were met. Each criterion then had a point score, and the resulting total score would determine which “bar” the partner had reached, and hence qualified for within the federation agreement. This turned out to be very workable.

Another TEC veteran is Pamela Dingle, formerly of the Calgary-based identity management consultancy Nulli Secundus. Pamela has just flown the coop and started a company called “Bonzai Identity” with the goal to help enterprises get to grips with identity management by carefully nurturing good practises, aligning business processes, making sure that data is correct, and helping organisations make the “right decisions” over time. She writes that “It is like gardening; you will have much better luck making small adjustments throughout the life of your garden than you will allowing a wilderness to grow and then wading in with a machete”. Her talk at TEC was entitled “A survivalist’s guide to identity management” and focused on the business process shortcomings and warning signs that can really bog down identity management projects. A great overview and invaluable compilation of experience that can avoid very costly traps and maximise the value of those projects.

TEC is legendary for bringing out the best of Active Directory experts, and for offering not just best practises from the real pros, but also hard-core technical info that you can’t find in other places. There is a gang of “usual suspects” whose presentations I always try to attend, because it doesn’t get much better than that when you want to learn about Active Directory and dive deep into the technology. Apart from Brian Puhl, who is responsible for running AD in Microsoft’s IT department, there are Laura Hunter, Joe Kaplan and Dmitri Gavrilov. Interestingly enough, those AD gurus have become quite turned on by ADFS and federation, and (except for Dmitri) are presenting on that topic.

This has been the first time I’ve had the honour to speak at TEC, and even twice! My first presentation was on the subject of authorisation: once you’ve authenticated the user, then what? How do, can and should applications decide what to allow (authorise) a user to do and see? It is a subject that I’ve focused on quite a bit over the last months and something that I am dedicating a whole track to on May 6th at our European Identity Conference in Munich. I couldn’t help feeling that this particular presentation was a bit of an “odd one” at TEC, because I unfortunately could not just yet teach people how to use technology to do it: we are still early in the game because big vendors such as Microsoft and Sun have yet to commit to standards in this area, come up with frameworks and stipulate good practises. It’s not completely satisfying when at the end of the presentation you have illustrated the problems and pain, but can’t really point to a solution yet. However, I see encouraging signs that vendors are taking this seriously and thinking about ways to tackle these problems. It is not just a lack of technology: there certainly is a lack of standardised technology, and the current “best practises” that encourage application developers to just hardcode security into their applications only exacerbate the problem. I would obviously like to see more interaction between the vendors instead of everybody just thinking within their own box. At our European Identity Conference I am bringing some of the thought leaders, visionaries and experts together and will try to rally them into working together to find solutions as an industry.

My second presentation was on TEC’s equivalent of a “Friday afternoon” – on the last day of the conference shortly before lunch. I was very excited about the topic because I was presenting about “Cool LDAP Innovations”. As TEC is about Active Directory I thought it was important to share a different perspective on what is happening outside of AD with other directory servers. Since the AD world is essentially closed (you can’t rip out AD from a Windows network) there is no competition in this space, and in my opinion very little innovation. Compared to other directory servers, AD and ADAM have fallen behind in technology, so I felt a bit tongue-in-cheek, talking about some cool stuff that other vendors were doing. The evening before I managed to intercept Nathan Muggli and asked him if he’d attend, and he kindly did. I finished early and a lively discussion started. After a few minutes I was delighted to see the whole thing starting to look like a BoF session, and I decided to sit down in the middle with the other participants and we continued discussing.

Kevin Kampman from the Burton Group (technically a competitor, but I prefer to see him and his co-workers as distant colleagues) gave a presentation entitled “the case for identity services”. Among the pain points that he highlighted I could identify the same ones I talked about in the “authorisation” presentation the day before. It’s great when a smart, experienced guy like Kevin arrives at the same conclusion – it means that we definitely have a case!

I had to scramble after Kevin’s presentation, grab a quick lunch and then hop into the car to drive back to Los Angeles, where I came from this time. I had thought that the drive through the desert would have been more exciting, but I’ve since been told that for things to get spectacular, Death Valley or Arizona would be the best option (both close, but I didn’t have time for the detour). Just having gotten back to Europe this morning, I am still thinking back about this intense and enlightening experience and am definitely looking forward to the next one!

© 2010 Felix Gaehtgens, Kuppinger Cole + Partner