21.03.2009 by Felix Gaehtgens
I’ve recently been to Sun’s directory labs in the beautiful city of Grenoble, France to talk about what Sun has in store with their two directory servers: DSEE and OpenDS. I’ve used many predecessors of DSEE (starting with the good old Netscape Directory Server) on several projects over the last decade and used to know it inside out. I’ve grown quite fond of it, and so has everybody else I know who has used the product. I wasn’t exactly sure why Sun embarked on its OpenDS project. Why reinvent from scratch what is already a perfectly great product? This question was on my mind, and I was eager to find out why.
When it comes to directory servers, most analysts like to classify them according to the market segments they address. In no particular order, they are: operating system/network, telco and service provider, enterprise and embedded. When it comes to the operating system/network directory servers, Active Directory rules – not necessarily because it is the best for this purpose (and just to be clear: it’s not bad either!), but – well – it’s so intrinsically linked to Windows that you don’t really have a choice. When Novell Netware was around, NDS and e-Directory was another candidate in that area, but it’s pretty much down to AD at this point in time. It’s in the other segments where it gets really interesting because there is some very active development and strong competition.
The Telco/Service provider directory segment is particularly interesting because only the most scalable directory servers can even attempt to survive in this area. Sun has been very strong in this area for many years, and for a good reason: experience and continuous improvement. I’ve been involved first hand in several very large deployments of Sun Directory Server 5.0 (I think it was during the time when Sun called it “iPlanet Directory Server”). At that time, in the early years of this millennium, we deployed the server for hosting several hundred million entries. Yes indeed, about 120 million entries! This was 2002, and at the time the sheer scale was pushing the envelope quite a bit – but it didn’t just work, it actually worked quite well! Performance, multi-master replication, and resilience were absolutely key for these types of installations. And sure – in the early versions of 5.0 there were some kinks that had to be ironed out of the replication protocol, but even then it was quite amazing how scalable the directory was, and how well it could actually be managed with such an impressive number of entries. Over the last 7 years, the directory server evolved even further – multi-master replication is rock solid and Sun has tinkered continuously with the software to increase scalability way beyond what was already impressive in 2002. Nowadays, there are quite a few reference customers who run Sun Directory Server with literally billions of entries (incidentally, many of them in China – why am I not surprised?), and this is considered perfectly normal.
When it comes to reliability, a key to deploying very large directories is redundancy, and the possibility to balance loads and fail over between multiple instances. In the early days, load balancing appliances were used to do this (Alteon was really good at this in its day), but unless those appliances had specialised proxy features to handle the intrinsics of the LDAP protocol (connection state, bind identity, referrals, and the fact that a write must reach a master while a read may go anywhere), this by itself wasn’t a very good option for large deployments. Sun had acquired a company called Innosoft a decade ago, and with it came a product called “DAR” – Directory Access Router – a fully fledged LDAP proxy. Over the years, Sun has enhanced DAR and bundled its next generation into Directory Server (now known as “DSEE”, Directory Server Enterprise Edition) at no additional cost. Being an important cornerstone of very large and complex directory deployments, it fits like a glove into the directory service and extends it by offering extensive request routing functionality, high availability and performance features and simple mapping features. Previously, only the CA eTrust directory had these features.
I can talk all day about deploying telco directory services, because I used to do it for a living, and am still fascinated by the sheer volume and raw power involved. But there are two other very glorious aspects of directory services, and they can be found in the enterprise and in the still fairly recent embedded directory segment.
The enterprise directory segment is where most of the innovation is happening. Enterprises are typically not as focused on performance, and often more interested in integration, security and manageability. Integration is a very big topic, because the directory service is a crucial piece in any identity management infrastructure. And we’re usually not talking about “a” directory either – most enterprises have many different directory servers, containing either different user populations, or part of the same users but for different purposes. It is in the integration area where much innovation has happened in the directory area. It doesn’t surprise me that most enterprise directories nowadays feature simple virtual directory functions. That was not the case five years ago, when I worked for a virtual directory vendor. At that time directory service vendors did not foresee virtualisation features as being an important part of their portfolio – perhaps because some of those vendors were also selling an “identity manager” type provisioning system and thought that any directory integration could be solved by deploying a full-blown provisioning system and brute-force copying data around. Well, this wasn’t really a feasible solution in all cases, so it is only natural that virtual directory companies such as OctetString and Maxware were acquired, and other vendors are “rolling their own” virtualisation features.
Some of the features that are not obvious, but extremely useful in the enterprise scenario are exactly those that allow a directory server to easily interoperate with provisioning, virtualisation and synchronisation products. Technically, the features in an LDAP server that are relevant here are persistent queries (a search that stays open and streams changes to the client as they happen), incremental updates (a changelog or similar mechanism that lets a synchronisation engine pick up only what changed since its last run), and proxy authorisation (letting a trusted middle tier perform an operation under the identity of the end user, so that the directory’s own access control still applies). These are low-level features that are absolutely crucial when identity “managers” and provisioning services interface with directory servers.
Some other desired features within the enterprise directory segment are about password services and policies. In the vast list of features to be found in most modern directory servers are sophisticated access control lists that are expressive enough to configure a finely grained access control policy for deciding who gets access to what type of information. This used to be very important in the past but is getting less important as access control rules on the directory servers tend to be simpler nowadays, because changes typically occur through provisioning systems, and not that much any more directly on the LDAP server. Password policies are also a typical feature used in enterprise directory servers (you know – minimum length, character combination, auto-lockout, auto-expiry, and all those things). And of course, keeping track of when users last logged on – very helpful in order to identify dormant accounts.
Another important detail is how passwords are stored, and how they can be migrated from one server to the other. As a general rule, it’s always good to offer administrators choice. Obviously passwords need to be well protected. But the approach of some directory vendors (specifically Microsoft and Novell) to “secure” their directories has backfired – the directory servers hoard the passwords and don’t even offer any possibility for administrators to export the password hashes. You may wonder whether this “secure” feature is actually a hidden “lock-in trap”! That has created a secondary market around password “synchronisation solutions” in order to overcome the deficiency in the product itself, where the product’s designers thought they had to be smarter than the poor administrators who actually need to deploy, migrate and maintain them.
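What makes migration between the other servers possible is that DSEE, OpenDS and OpenLDAP all store a userPassword value as a self-describing string of the form {SCHEME}base64(...), so an LDIF export from one server can be imported into another and the target will still be able to verify binds. The following is an added example (not code from any of the products mentioned) showing how a salted {SSHA} value is produced and verified, how a value coming out of a constructed LDIF export is checked on the receiving side, and how a legacy {SHA} or {CLEAR} value can be upgraded to {SSHA} on the next successful bind; the sample entry, the password and the salt are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example of the RFC 2307-style "{SCHEME}payload" userPassword
# convention shared by DSEE, OpenDS and OpenLDAP. Not vendor code.


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value: SHA-1(password || salt), with the salt appended."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_sha(password: str) -> str:
    """Return a legacy, unsalted {SHA} value (weaker: identical passwords collide)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_userpassword(value: str) -> Tuple[str, bytes]:
    """Split "{SCHEME}payload" into (SCHEME, decoded payload). No prefix means clear text."""
    if not value.startswith("{") or "}" not in value:
        return "CLEAR", value.encode("utf-8")
    close = value.index("}")
    scheme = value[1:close].upper()
    payload = value[close + 1:]
    if scheme == "CLEAR":
        return scheme, payload.encode("utf-8")
    return scheme, base64.b64decode(payload)


def verify_userpassword(password: str, value: str) -> bool:
    """Check a bind password against a stored value, using constant-time compares."""
    scheme, payload = parse_userpassword(value)
    pw = password.encode("utf-8")
    if scheme == "CLEAR":
        return hmac.compare_digest(pw, payload)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), payload)
    if scheme == "SSHA":
        digest, salt = payload[:20], payload[20:]  # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    raise ValueError("unsupported password scheme %r" % scheme)


def rehash_if_weaker(password: str, value: str) -> Optional[str]:
    """After a *successful* bind, return an {SSHA} replacement for a {CLEAR} or
    {SHA} value so the store is upgraded over time; None if nothing to do.
    Never rehash a password that did not verify."""
    if not verify_userpassword(password, value):
        return None
    scheme, _ = parse_userpassword(value)
    if scheme in ("CLEAR", "SHA"):
        return make_ssha(password)
    return None


def userpassword_from_ldif(ldif: str) -> str:
    """Pull the userPassword value out of a single LDIF entry (constructed export)."""
    for line in ldif.splitlines():
        if line.lower().startswith("userpassword:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("entry has no userPassword")


# Constructed sample: an entry as it would appear in an LDIF export from
# server A (hypothetical DN and password; fixed salt so the value is stable).
EXPORTED_ENTRY = (
    "dn: uid=jdoe,ou=people,dc=example,dc=com\n"
    "objectClass: inetOrgPerson\n"
    "uid: jdoe\n"
    "userPassword: " + make_ssha("s3cret", salt=b"12345678") + "\n"
)


def bind_against_import(password: str) -> bool:
    """What server B does after importing EXPORTED_ENTRY: verify a bind."""
    return verify_userpassword(password, userpassword_from_ldif(EXPORTED_ENTRY))


if __name__ == "__main__":
    print("bind with right password:", bind_against_import("s3cret"))
    print("bind with wrong password:", bind_against_import("wrong"))
    print("upgrade of legacy value:", rehash_if_weaker("s3cret", make_sha("s3cret")))
```

The point of the scheme prefix is that the receiving server does not need to know which product produced the hash; it only needs to support the scheme. Choose the scheme by what the target server will accept, and use the rehash-on-bind pattern to retire unsalted or clear-text values without forcing a password reset.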
Last but not least, let’s not forget about one of the very important aspects of enterprise directory services. They need to be simple to deploy, administer and maintain! In the telco area it may be considered acceptable if the directory administrator team features several fully trained relational database administrators, but in enterprise environments that can be too much overhead. Directory servers that make use of relational databases for storing their directory data, such as Oracle’s OID and IBM’s Tivoli Directory Server, can point to the advantages of running a directory services platform on a rock-solid database foundation (in these cases, Oracle and DB2 respectively). But the extra administration overhead can be considerable. CA has traditionally used the Ingres relational database for its eTrust Directory Server, but has now in the latest Version 12 switched to something called “DXgrid” – a revolutionary internal memory-mapped storage that not only offers incredible throughput, but also eliminates a significant portion of the administration. Sun has always used a simpler, but very fast and highly scalable data store for its directory server called Berkeley DB – the same one also used in most installations of OpenLDAP.
After mumbling on for quite a discourse I actually wanted to get to the point of Sun’s OpenDS, and the question that I wrote in the beginning of this entry. Why reinvent from scratch (OpenDS) what is already a perfectly great product (Sun DSEE)? As it turns out, there’s been a new segment for directory servers that is steadily growing: the one of embedded directory services. For example, packaged solutions that require a directory server internally. Or “black box” appliances with a provisioning interface that contain – guess what – a directory server. A few years back, it was OpenLDAP that was typically shipped with those solutions, because it was free, open and could be embedded more easily than other full-fledged directory server products. Now it is OpenDS that is continuously gaining ground, and for good reason. With its incredibly easy set-up and minimal administration, OpenDS epitomises what an embedded directory stands for. And on top of that, the scalability and performance are world-class. Development on OpenDS is, as the name implies, well – open. The development team features Sun employees and others outside Sun, just like OpenSSO. The release cycle is short and the list of new features is growing at an incredible rate.
So will OpenDS one day replace DSEE? Most likely. But this is still far in the future – for the next few years Sun is actively investing in DSEE as its flagship directory whilst continuing to nurture OpenDS and offering it as an embedded directory server, as well as to anyone interested in quickly deploying a directory server. Now, when I say “quickly” – I’ve managed to install it, extend the schema and load some data into it in less than fifteen minutes! Now that’s what I would call “quickly”. And once I had it up and running on my slow and overloaded laptop, I ran the “slamd” LDAP benchmark tool against it on the same laptop, and got back thousands of searches per second. Not bad at all! Now that’s what I call innovation in the world of LDAP.
I’ll be speaking at TEC on Wednesday the 25th of March, on the topic “Cool LDAP Innovations”. OpenDS will definitely get a mention. On the presentation, I’ll also talk about some other real innovations that happened over the last few years in the directory services area. If you’re there, be sure to drop by!
08.10.2008 by Felix Gaehtgens
As the US presidential election is in full swing, I thought it would be a great time to dust off Bill Clinton’s catchy statement from way back when and seize it for my own agenda. As the industry is increasingly focused on the identity metasystem that will deliver identity to applications, and much attention is given to strong authentication, I believe that authorisation is a very much neglected topic. Very unfortunately so.
It appears as if many of us have just about accepted the fact that authorisation is the domain of applications. Large enterprise software suites typically implement their own security infrastructure. Some others outsource this to the underlying operating system, most notably Microsoft Windows. We seem to be content to deliver identity data into applications, and letting them take care of deciding who gets access to what. This I find dangerous, and going down a very wrong path in the long run. Let me explain why.
Doing it over and over again. Is your organisation building custom apps? Every application developer of a custom-built application has to implement access control and authorisation yet again. Most developers are really not that savvy or even passionate about security. After all, software development is mostly about finding new ways to do things, not so much about restricting one to do things (unless you’re writing security software, of course). I find it very scary that in many organisations, access control has been implemented differently many times, by many different teams. How can you be sure that everybody got it right? What’s the sum of all bugs in all of the authorisation code? How much time and money has been spent reinventing and rewriting the same wheel over and over again?
What access management? Controlling access is done in very segregated approaches. It’s not uncommon to find multiple identity “universes” next to each other in isolation. We have managed to apply band-aid to the “identity wound” of having disconnected pieces of identities in different stores through provisioning systems and virtual directories. But the “authorisation wound” is untreated and oozing. Yes, there are a variety of “access managers” and “SOA security” solutions out there. Do they really solve the problem? No, because usually they are too coarsely grained, and therefore only relieve some of the symptoms of weak application security without really curing the underlying problem.
Sleepless nights at audit time? Regulations are getting tougher, and audits are taking much more time and money. Once central security services were in place, their mechanisms would need to be scrutinised just once, and after that it’s just about auditing their use inside the applications. At this time role management software is touted to be the magic bullet, albeit in the form of another band-aid to the “authorisation wound” (as described in the next paragraph).
Incompatible entitlement systems. We are seeing a growth in GRC (Governance, Risk-Management and Compliance) tools that build data warehouses of entitlement information, and then try to make sense of the whole mess. Those entitlements are usually completely different in structure and interpretation, and trying to distill this hodgepodge into higher level business roles is a daunting task that needs continuous readjustments. True, the tools offered by the vendors in this space are getting better and better. But effectively the aim is to bring some order into chaos – to fight the never-ending battle against entropy. On the other hand – just think about it – even if only 50% of the authorisation could be derived from business processes, business roles and other high-level information, that’s already 50% less entitlements that would need to be managed.
Lack of vision and/or willingness of the industry to cooperate. Barring some notable exceptions, the large vendors don’t have a vision for solving authorisation systematically, or are keeping their cards very close to the chest. Oracle is one of the exceptions here, with a mission statement that this is important and needs to be solved. Other vendors have ad-hoc solutions for offering fine-grained authorisation for custom applications, mostly in the form of embeddable entitlement “managers” or agents. Some are having a field day bashing the XACML standard, and whilst they are right in that it does not solve all problems, it certainly addresses quite a few of them. Hey, SAML does not by itself fully secure your web services, but it certainly does its part in the effort. My word processor does not write my reports by itself, but it certainly helps me get them done.
Service oriented What? In a brave new SOA world, applications are no longer monolithic, but comprised of many services interacting with each other. Identity and access control is an important part of this. Whilst this year has brought us much further in the Identity field with WS-* on the path of becoming mainstream, authorisation is not just a large and ugly pothole on that road, it’s a crater. Unless the industry comes together to adopt an interoperable, standards-based approach to access control,
What now? I may be painting a bleak picture, but it’s not all bad. Several small companies are taking the lead right now to create enterprise-wide access management technology, driven by compliance requirements. Larger vendors are certainly mulling their options. But it’s the time for us in the industry to get cracking, and come up with the methodologies, standards, services, protocols and APIs to solve this once and for all. Until this is done, IT won’t really be dynamic, and many SOA benefits will remain elusive to most of us.
18.07.2008 by Felix Gaehtgens
I’ve written a short analysis on Microsoft’s new “Zermatt” framework that went up on our website yesterday. For those who have missed the announcement, Zermatt is a new developer framework from Microsoft that makes it easy for developers to work with claims, and is also a foundation for building security token services (STS). In the analysis, I also included some of my thoughts on the “claims-based model” in general, and specifically about the lack of an authorisation model. I think this is perhaps the largest gap currently for applications using WS-Trust, WS-Federation and the claims-based model, exacerbated by the fact that Microsoft currently provides no vision of how this will eventually be addressed.
19.06.2008 by Felix Gaehtgens
As I write this, Red Hat is announcing the acquisition of Identyx, a software company that specialises in open source identity management software. Identyx sells fully supported versions of Penrose, a virtual directory, and Velo, an open provisioning solution. Both products are based on open source projects hosted at safehaus.org, which was started up by Jim Yang and Alex Karasulu, best known as a major driver behind the Apache Directory Server project. Identyx’s business model is typical for open source software providers: a stable, official release from Identyx, priced on the basis of a yearly maintenance contract where the price depends on the overall response time and level of service.
Why Red Hat? After all, Red Hat has rarely been mentioned in the identity management area. This is not so much because Red Hat has been inactive – not at all, in fact – but identity management at Red Hat has not been marketed much. But that’s about to change. Red Hat has restructured recently and opened up a new business unit called “Management and Security Products” in February. This business unit will be responsible for the directory and certificate server, IPA and the Identyx products.
Red Hat has been acquiring and building several interesting components in the identity area for a while. Red Hat has also acquired what used to be the Netscape Directory Server and Certificate Server from AOL, who inherited them through the acquisition of Netscape by AOL in 1998. For AOL, these software packages were not any core business and just dawdled on like neglected stepchildren before finally being sold on to Red Hat. Red Hat has invested in the development of these products and made them available in a supported and a free version under the Red Hat and Fedora brands respectively. Although both products are available on multiple UNIX platforms, they have never really been perceived as serious contenders in the identity management space, and have had their success mostly with customers who already had a significant investment in Red Hat’s platform.
Last but not least, Red Hat has funded the FreeIPA (IPA = Identity, Policy and Audit) solution, an integrated security framework currently supporting identity management with plans to add policy management and auditing. This has matured over time, and Red Hat will announce the general availability of FreeIPA 1.0 at the Red Hat Summit that is currently in full swing. Red Hat has plans to tie Identyx into IPA, as there are many cross-over cases, especially in the integration of Active Directory. Red Hat customers see many cases where Active Directory users and Linux policies need to be managed together and will harness the Penrose virtual directory to provide easy integration through virtualisation. Penrose will also continue to be available separately.
So what is Red Hat’s vision, and why the jump into identity management now? The overall vision is similar to that of BMC and Microsoft who see Identity Management as an important cornerstone of IT infrastructure management. Red Hat especially sees demand in cloud computing models, where customers need agility in their environment to create a flexible IT fabric by consuming IT infrastructure as dynamic workload resources. The security models change when resources are constantly moved around. Control mechanisms need to be in place to ensure security. Audit trails need to be created in order to ensure compliance. Red Hat sees identity management and configuration of machines converging through specialised workflows.
Due to the special nature of most identity management projects, an open source approach can be particularly advantageous. This is because often extensive customisation and integration is part of a deployment, and many parts of these customisations are shareable – something that does not typically happen as easily with shrink-wrapped commercial software. However, using open source identity management software has so far been elusive for many enterprises due to the lack of a strong partner. Red Hat’s acquisition of Identyx now allows Red Hat to enter the lucrative identity management market with a strong position and a credible offering of products, allowing customers to reap the full benefits of open source identity management by leveraging Red Hat’s unique experience and standing in the open source area. Unlike Novell and Sun, who also offer their own branded Linux open source platforms, Red Hat builds completely on open source. The strategy might pay off, but there is a long, steep road still ahead for Red Hat. The acquisition of Identyx has just made that road shorter, and is good news for Identyx’s and Red Hat’s existing customers. We at Kuppinger Cole will be analysing Red Hat in much more detail from now on.
25.05.2008 by Felix Gaehtgens
I was at the BMC User World conference in Lisbon last Tuesday, trying to figure out where BMC is going, specifically in the field of identity management. After all, BMC’s presence in that segment has been surprisingly low-key for several months. Last year, BMC was to be found at every major identity-related conference. Jeff Bohren, BMC’s identity guru, was very active in the standardisation efforts around provisioning services and in the identity bloggers’ community, and BMC was marked as one of the larger players in the identity space.
Since then, Jeff Bohren has left BMC to join Sunview Software. What we at Kuppinger Cole noticed here in Europe was that BMC’s complete identity management pre-sales team in the UK and Germany left around that time frame as well. It didn’t take a conspiracy theorist to figure out that something was up. Had BMC decided to follow HP and quietly discontinue its products, or integrate them in a broader environment? That’s what my colleague Martin asked me to find out, and besides, this was in “my turf” – right in Lisbon!
I scheduled a session with BMC’s CTO Tom Bishop and we discussed BMC’s vision and what the outlook for identity management is at BMC.
First of all: BMC is refocusing towards a new strategy around Business Service Management (BSM) and Business Service Automation. Identity plays an important part in a BSM-enabled ecosystem. BSM wasn’t something I was very aware of, but it made a fascinating topic. Therefore, I wanted to share some interesting background information that we received during the keynotes, and especially later in the break-out sessions from Tom himself.
In order to make the case for Business Service Management, an interesting statistic from IDG was presented. With higher complexity of IT systems, the cost of managing these systems also goes up. That should come as no surprise. As virtualisation and SOA become more adopted, the number of systems rises even further and complexity increases even more. What does that mean for enterprises? Well, increased server management and administration costs for one, plus additional power and cooling costs (virtualisation obviously helps mitigate the latter two, but again, more system management overhead). So are IT budgets due to increase? That is the last thing enterprises want to hear! So something’s gotta give, or things need to work more efficiently. Can IT run more efficiently? You bet, says BMC’s Tom Bishop. After all, after making every aspect of a business more efficient by automation, the IT departments are usually the largest places of manual labour to be found in any enterprise. Ironic, isn’t it?
BMC believes that there is a huge potential to automate the way that IT departments are being run, and is implementing its vision of Business Service Automation to offer its customers a complete solution to do just that. Business Service Automation, according to BMC’s vision, provides an integration layer to unify the “patchwork” of existing solutions that revolve around the provisioning of systems and software as well as the compliance with internal IT controls. (BTW here the words “provisioning” and “compliance” are used outside of the identity management context.) With BMC Atrium technology as a central component, and driven by a configuration management database (CMDB), service support, assurance and automation are integrated, unified and simplified. This drives down maintenance and systems management costs significantly (once you discount the price to pay for the BMC solution, presumably), and allows an enterprise’s IT landscape to grow whilst keeping the management costs at par.
My head was spinning and I was impressed at the same time. I did manage to regain my composure however and had the opportunity to quiz Tom Bishop directly on the future of identity management in BMC’s overall strategy. What is happening with the product line, and why does it seem that BMC has retreated from that space? Tom mentioned that last year, BMC had several business units, out of which Identity Management was one – complete with a presales team. Now that has been reshuffled however, and BMC sees identity as a piece of the overall Business Service Management strategy, and will therefore continue to integrate its identity management products seamlessly within this structure. However, BMC will cease to push “stand-alone” identity management products as it has done before. Customers can still buy the existing products as stand-alone solution, but BMC will focus on the automation and overall integrated approach to service automation.
I tried to prod a bit to see whether there was any indication that BMC might try to fill some of the previous gaps in its “suite”, such as the missing federation piece. Here both Tom and I were caught in the ambiguity trap that opens when the words “federation”, or even “provisioning”, are used by people of different technology domains. We identity management folks think about something completely different when we mention “federation”. Tom was thinking of how the CMDB approach could be used in a federated approach to integrate different services. I later tried to find out whether it was necessary to buy BMC’s identity management components to integrate with the Atrium software and the Business Service Management stack that BMC offers. I did not get a clear answer. Apparently the integrated BSM solution is able to detect when new users join and leave the organisation, and an automatic provisioning of software and other services can be configured. Nobody could explain to me however whether or how this could be integrated with a non-BMC identity management system – although I am sure that this will be possible, given that it may not be palatable for future customers to install yet another identity provisioning system alongside a solution that has already been deployed – especially considering the pain and hard work that goes with deploying such systems!
So at least now it’s official! BMC is no longer a player in the traditional identity management market but is instead transforming its offerings to provide an all-integrated approach to automate IT through business service automation and management. Existing customers are still supported, and the products are maintained, but customers will have to look elsewhere for comprehensive identity management solutions, or at least buy the “missing pieces” from other vendors more active in the “pure” identity management sector.
16.05.2008 by Felix Gaehtgens
Hewlett-Packard, who recently announced that it would all but retreat from the identity management sector as an independent vendor, has just announced a partnership with Novell. That will settle the many speculations in the industry. As HP had made a significant investment into identity management products, someone would surely be picking up the pieces. And the winner is: Novell!
From the announcement that was made to the analyst community and the subsequent press release, it is pretty clear that HP is looking for an elegant way to divest itself from its product line. Of course, HP cannot and will not leave existing customers hanging, so the previous announcement from HP was to “not actively pursue new customers” for its identity management software anymore. Another way of putting it – but the message is clear: those products are no longer actively pursued, the key employees have long moved on, such as Greg Whitehead who came to HP from Trustgenix, after it was acquired by HP.
If there is any doubt about the future of HP’s product line: Novell is offering a license credit for current HP Identity Center customers and the press release makes frequent use of the word “migration”.
HP and Novell will now jointly develop tools to help their respective teams migrate customers away from Identity Center and towards the Novell product offering.
The win for Novell is obvious: a strong influx of new accounts, plus a strong partnership with a key systems player that has just a few days ago announced its intentions to strike it big with services as well – acquiring EDS. On the other side, what is the win for HP, apart from a honourable exit from its products? Surely, after the acquisition of EDS a likely theory would be that there may be some good deals in the pipeline for HP’s new upscaled services division, working closer with Novell. But even though this may be the case, it is very unlikely that the EDS deal and the Novell partnership have had any effect on each other, and although Identity Management is a hot and growing space, it is just a fraction of what EDS did for its customers.
What will be interesting to see however is if and how Novell will take over some of HP’s IdM estate, and how this would be integrated within Novell’s solutions. For example, the Trustgenix federation software, just to note one example, was superior technology at the time of acquisition and still presents a formidable stack for the implementation of federation solutions.
A very interesting detail is however not mentioned in the press release: this special partnership is not exclusive at all. This should perhaps be obvious, because HP partners with other companies who also have a significant identity management offering. Curiously also, the press release was not even published in Germany. Although that may seem like an insignificant detail, it has subtle implications: SAP is very strong in the German identity management field through its NetWeaver offering, and HP makes a lot of money through its partnership with SAP, and will want to keep its options open.
It will be interesting to see the reaction of HP’s Identity Center customers after this announcement. Some have already moved away from Identity Center, or are in the process of doing so. Novell has a well-rounded offering, but it might not always be the right match for existing HP Identity Center customers. Then again, it is likely that some technology gets transferred or licensed to Novell. For most existing Identity Center customers however this is good news, as it lays out a clear path for transitioning over to a solid product line that is established and actively maintained.
11.03.2008 by Felix Gaehtgens
WEDNESDAY, March 5th. Chicago seems a tad warmer, but still too cold for my taste!
The last day of the conference was a short one for me – I had to leave around 11:30 to catch my plane. I had a nice long chat with Dieter Schuller from Radiant Logic, who brought me up to speed with their vision and technology. In my previous job Dieter and I were competitors, so we had a lot in common and of course knew each other’s products, but I got a much deeper understanding of Radiant Logic’s vision and approach to virtual directories. As I am currently writing Kuppinger Cole’s technology report on virtual directories (due before the European Identity Congress in April), this came in very handy. DEC 2008 has been an intense and immensely rewarding experience, and my head is spinning! This has been my first, and it certainly won’t be my last!
11.03.2008 by Felix Gaehtgens
It’s been an exciting last week, starting off with DEC 2008 in Chicago and ending with a roller coaster ride into JFK Saturday evening, on the way back to Europe. DEC, as always, is packed with interesting presentations from the best technology experts on every topic around directories and identity management in the Microsoft technology space. Virtually all of the latest knowledge is packed into three full days, which sometimes unfortunately means that you have to make the very difficult choice of which presentation to go to when some really interesting ones take place at the same time. But that’s unavoidable, unless of course DEC were to be stretched out over two weeks – and I wouldn’t want to know what corporate travel departments would think about that! Luckily, rumour has it that slides for all of the sessions are available to those who attended the conference.
Unfortunately the WLAN card in my (almost) brand new HP collapsed and steadfastly refused service afterwards, so I was relegated back to the world of wireless-less Internetworking, which proved a challenge due to the business center closing at 7 and the wired connection in my room having no link. Now that I have it fixed (thanks, HP!) I’m back in business, so here are my two other reports from DEC 2008!
25.02.2008 by Felix Gaehtgens
Over the last few weeks, the Liberty Alliance’s IGF caught my attention several times. Fulup Ar Foll and Jason Baragry, both working for Sun Microsystems, wrote a paper called “Next Generation of Digital Identity”. About a month ago, HP’s Marco Casassa Mont and Oracle’s Phil Hunt published an article in “Sarbanes-Oxley Compliance Journal” entitled “Identity Governance Framework”. I’ve been wanting to blog about this for several weeks, but kept putting it off. Last week I had the good fortune to be briefed by Prateek Mishra, Oracle’s Director of Security Standards, who explained in detail what the IGF is about and clarified some of the questions I still had.
In late 2006, several companies got together and created the Identity Governance Framework (IGF), an initiative of the Liberty Alliance. Originally driven by Oracle, other companies in the space quickly joined the effort. The purpose of the IGF is to provide an open architecture that addresses governance of identity-related information. This architecture is meant to bridge the gap between regulatory requirements and the lower-level protocols and architecture.
What does this mean and why is it so important? I like examples to understand things, so let’s start with a few of them. For starters, many enterprises still have private identity data stored in many different data stores. Even though the trend is to minimise the number of “data silos” (places where identity data is stored), the reality is still that data can be found in many places. This creates a problem in our globalising society, where the HR department might be run in one country, the support desk in another, and a myriad of services outsourced to yet other locations. How can one ensure that the flow of data is controlled in such a way that all privacy laws are complied with? Another example could be a federated environment of several suppliers working together in order to process an order. The order is received by company A, which then sends out several orders for parts to companies B1, B2 and B3, who then ship everything to company C, which assembles everything and uses company D to ship out the finalised order to the customer.
In both cases, identity data is transferred and processed. How can the inherent risks associated with the creation, copying, maintenance and use of this data be mitigated? Who has access to what data, for which purpose, and under what conditions? Ideally, policies on data usage are created by both the sources (attribute authorities) and the consumers (applications) of identity data. These policies can then be used for the implementation and auditing of governance. In other words: if you know what the rules are, express them in a policy, and make sure your policy is watertight when the next audit comes.
This is exactly what the IGF attempts to create: a standardised mechanism for expressing and implementing these policies. The IGF is working on several standards and components to make this happen. One of them is the CARML protocol. It defines application identity requirements, in other words what type of identity information an application needs, and what that application will do with that information. CARML stands for “Client Attribute Request Markup Language”, and yes, you’ve guessed right – it’s XML-based. As stated previously, CARML defines what attributes an application wishes to consume, and the privacy rules of the application: Will the data be persisted (stored) by the application? If so, for how long? What purpose is it used for? Will it be forwarded? When an application is then made available, administrators can review the CARML file for that application, ensure that privacy constraints are being met, and then connect the application to the respective data stores to make the information available.
On the other side of the spectrum there is AAPML, the “Attribute Authority Policy Markup Language”, which describes the constraints on the use of the provided identity information: under what conditions specific pieces of identity data are made available to applications, and how this data may be used, and possibly modified. For example: what part of the user’s data can be modified by the user directly at a self-service portal? Or: under which conditions may a marketing application use a user’s data, and what type of explicit consent needs to be given by the user? AAPML is proposed as a profile of XACML, the “eXtensible Access Control Markup Language”, so that AAPML policies can be consumed directly by a policy enforcement point (PEP) to enforce access control over requests for identity data.
So now you can probably see where this is going. On one side, you have the applications, and CARML that specifies the identity information they need. On the other side you have the identity data sources (attribute providers), and the policies under which they make data available. In the middle, an identity service can broker between both sides. This identity service can read the CARML requirements from the applications and the AAPML policies from the attribute providers, or use an external identity policy engine that enforces the AAPML policies.
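To make the brokering described above concrete, here is an added example (my own code, not part of the original post and not the Liberty Alliance’s CARML/AAPML schemas): a small Python broker that reads a simplified, invented XML layout for an application’s attribute request (purpose, retention, forwarding) and an attribute authority’s usage policy (permitted purposes, maximum retention, forwarding, consent), then decides per attribute whether the request may be satisfied and why not otherwise. The element and attribute names are assumptions chosen for illustration, and the two XML documents are constructed samples.

```python
"""Toy IGF-style broker: checks an application's declared attribute needs
(CARML-like) against an attribute authority's usage policy (AAPML-like).

The XML layouts below are simplified stand-ins invented for this example;
they are NOT the Liberty Alliance CARML/AAPML schemas.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: what a marketing application says it needs and how it
# intends to use each attribute (persist = retention period, forward = to 3rd party).
CARML_SAMPLE = """
<AttributeRequest application="marketing-app">
  <Attribute name="email"       purpose="marketing" persist="P30D"  forward="false"/>
  <Attribute name="dateOfBirth" purpose="marketing" persist="P365D" forward="true"/>
  <Attribute name="givenName"   purpose="display"   persist="none"  forward="false"/>
  <Attribute name="phoneNumber" purpose="display"   persist="none"  forward="false"/>
</AttributeRequest>
"""

# Constructed sample: the HR directory's policy on how its attributes may be used.
AAPML_SAMPLE = """
<AttributePolicy authority="hr-directory">
  <Rule attribute="email"       purposes="marketing display" maxRetentionDays="90" allowForward="false" requireConsent="true"/>
  <Rule attribute="givenName"   purposes="display"           maxRetentionDays="0"  allowForward="false" requireConsent="false"/>
  <Rule attribute="dateOfBirth" purposes="hr"                maxRetentionDays="0"  allowForward="false" requireConsent="true"/>
</AttributePolicy>
"""


def retention_days(value):
    """Map the 'persist' value to a number of days: 'none' -> 0, 'P30D' -> 30."""
    if value.lower() == "none":
        return 0
    m = re.fullmatch(r"P(\d+)D", value)
    if not m:
        raise ValueError(f"unsupported retention value: {value!r}")
    return int(m.group(1))


def parse_request(xml_text):
    """Return (application name, {attribute: {purpose, retention, forward}})."""
    root = ET.fromstring(xml_text)
    reqs = {}
    for el in root.findall("Attribute"):
        reqs[el.get("name")] = {
            "purpose": el.get("purpose"),
            "retention": retention_days(el.get("persist", "none")),
            "forward": el.get("forward", "false").lower() == "true",
        }
    return root.get("application"), reqs


def parse_policy(xml_text):
    """Return (authority name, {attribute: rule dict})."""
    root = ET.fromstring(xml_text)
    rules = {}
    for el in root.findall("Rule"):
        rules[el.get("attribute")] = {
            "purposes": set(el.get("purposes", "").split()),
            "max_retention": int(el.get("maxRetentionDays", "0")),
            "allow_forward": el.get("allowForward", "false").lower() == "true",
            "require_consent": el.get("requireConsent", "false").lower() == "true",
        }
    return root.get("authority"), rules


def evaluate(request_xml, policy_xml, consented=frozenset()):
    """Broker decision per requested attribute: {name: (allowed, [reasons])}.

    'consented' is the set of attribute names the user has explicitly agreed
    to release (constructed input standing in for a consent record).
    An attribute with no covering rule is denied by default.
    """
    _, requests = parse_request(request_xml)
    _, rules = parse_policy(policy_xml)
    decisions = {}
    for name, req in requests.items():
        rule = rules.get(name)
        if rule is None:
            decisions[name] = (False, ["no policy rule covers this attribute"])
            continue
        reasons = []
        if req["purpose"] not in rule["purposes"]:
            reasons.append(f"purpose {req['purpose']!r} not permitted")
        if req["retention"] > rule["max_retention"]:
            reasons.append(f"retention {req['retention']}d exceeds {rule['max_retention']}d")
        if req["forward"] and not rule["allow_forward"]:
            reasons.append("forwarding not permitted")
        if rule["require_consent"] and name not in consented:
            reasons.append("explicit user consent required")
        decisions[name] = (not reasons, reasons)
    return decisions


if __name__ == "__main__":
    for attr, (ok, why) in evaluate(CARML_SAMPLE, AAPML_SAMPLE, {"email"}).items():
        print(f"{attr:12} {'ALLOW' if ok else 'DENY '}  {'; '.join(why)}")
```

With the samples above and consent recorded only for `email`, the broker allows `email` and `givenName`, denies `dateOfBirth` on all four counts (purpose, retention, forwarding, consent) and denies `phoneNumber` because no rule covers it. The deny-by-default for uncovered attributes and the list of concrete reasons are the parts an auditor would want to see; a real deployment would hand the same decision to a PEP rather than print it.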
So why another set of protocols? Isn’t this already addressed in some other standards? Liberty’s ID-WSF springs to mind, or SAML 2.0’s AttributeQuery, SPML, or even – to a certain extent – WS-Trust’s Security Token Service. However, CARML and AAPML bridge a very important gap that is not addressed anywhere else: not how to request and receive attributes, but how to express the need and purpose of identity data on one side, and the allowed use and conditions for its consumption on the other. IGF’s framework conceptually fits seamlessly into architectures harnessing today’s frameworks and picks up where CardSpace, Higgins, Bandit and WS-Trust leave off.
In my mind, the IGF makes some very important contributions on important issues that have somehow “fallen through the cracks” in the last few years. The IGF’s standards ensure that privacy requirements can be met and audited against, and facilitate the secure and controlled exchange of identity data. This has the potential to fuel adoption of technologies such as federated identity, and to open up business opportunities that were up to now constrained by uncertainty about privacy or a lack of tangible technology in that area. I will definitely keep the IGF on my radar!