Sun integrates MySQL with IDM Offering

22.04.2009 by Felix Gaehtgens

Sun Microsystems has just announced at the annual MySQL Conference that it is adding extended support for MySQL into its Identity Management stack. That’s great, but what does it mean? For one, MySQL is hugely popular – starting off as an embedded open source database, and slowly but surely pushing into the enterprise RDBMS area over the years. Most enterprises use MySQL somewhere – some of them use MySQL strategically (i.e.: if you need a database, consider MySQL as one of the options, or even as the default option).

So what does this have to do with identity management? Most databases are used by applications, and many of these applications have some user schema in their databases. This means that identity information is widely dispersed through very many different databases throughout the enterprise, like a mosaic. Identity management over the years has been making the promise to consolidate, bind together and manage identity information, and Sun Microsystems has an extensive identity management offering that does exactly that. Sun’s added support for MySQL across its entire identity stack takes this to a new level by allowing organizations to bind together data regardless of whether it is stored in a classic directory or in a relational database.

For one, Sun Microsystems has enhanced and strengthened the links between MySQL and its two directory servers: DSEE and OpenDS. DSEE (Directory Server Enterprise Edition) is Sun Microsystems’ flagship directory server that combines essential enterprise features with carrier class scalability. OpenDS started off as a project to be Sun’s next generation directory product line, and is very successful as an embedded directory. In several years, OpenDS is due to replace DSEE as Sun’s flagship directory server.

The enhanced integration brings numerous advantages to both enterprise and telco directory scenarios, and I’ll go through them briefly. Let’s start with the Telcos, as it is always impressive to talk about massive scalability, availability and speed. MySQL can be used as a back-end data store for OpenDS, Sun’s open source directory server. According to an announcement made yesterday, OpenDS Standard Edition can be integrated with MySQL Cluster. When used together, OpenDS provides the LDAP directory front-end to a rock-solid, clustered relational database. This is really interesting for Telcos, service providers and other very large directory users that need scalability and have very high availability requirements. Using a clustered relational database such as MySQL Cluster as a back-end for OpenDS allows administrators to gain extra flexibility for data management, which comes in really handy when the amount of data is massive. It also gives more options for providing a one-stop directory service. LDAP directory servers are typically deployed as a set of equivalent multi-master servers – each “master” managing an autonomous copy of the data set. A replication mechanism is then used to keep all masters in sync. Now add the clustering features, and the resulting mix is like a Swiss army knife for those that need the ultimate flexibility and resilience in directory services.

In fact, after this integration OpenDS and OpenLDAP are the only directory servers that allow users to choose between a “traditional” Berkeley DB based embedded backend and a relational database backend. The former is great for enterprises that prefer a maintenance-free, zero-administration back-end, and because of this many directory servers have traditionally used Berkeley DB. The latter, using a fully-fledged relational database as a back-end for directory servers, opens up many possibilities in terms of data management, but is more difficult to manage. Traditionally, users had to choose a different product depending on whether the priority was ease of maintenance or sophisticated data management features when choosing a directory server. Now OpenDS users have that choice within the same product. And not just OpenDS: Sun is actually licensing MySQL Cluster as “MySQL Cluster Carrier Grade Edition” to be used either with OpenDS or OpenLDAP. I know quite a few LDAP directory administrators working in large Telcos, and I’m sure they’re thrilled.

On the enterprise side, Sun has added virtual directory features to DSEE to easily link into MySQL databases. This means that data that used to be stashed away in MySQL databases can now easily be made available through the LDAP protocol. Being an advanced feature of virtual directory servers, it shows Sun’s commitment to extending its virtual directory offering.

But MySQL support has not just been enhanced in Sun’s directory servers. Sun Identity Manager can read and provision identity data to and from any MySQL database schema, and can now even use MySQL as its primary internal data repository. Role Manager can use MySQL as its identity warehouse. OpenSSO can also use MySQL as an identity repository. In a way this was to be expected when Sun acquired MySQL a bit more than a year ago – to start building on its acquired RDBMS platform and integrate it with its other offerings, in this case Identity Management. It is actually quite impressive how fast this integration has happened compared to other vendors, who take considerably longer to “digest” acquisitions and combine them to maximise value.

The wild ride that was TEC 2009

29.03.2009 by Felix Gaehtgens

I just came back from this year’s Expert conference, TEC 2009. Last year it was still called the “Directory Expert’s Conference” (DEC). This year the conference has been extended to include training on Microsoft Exchange as well, hence the name change. And of course not to forget that Quest has taken over Netpro – but has this really changed the scope or focus of TEC? Not at all, as was immediately visible from the start, with a very funny introductory video. It started off just like a very glitzy marketing presentation that quickly turned into a hyperbole of fuzzy marketing buzzwords and photos of smiling executives. The initial bemusement turned into bewilderment, and quickly I could see some rolling eyes and frowns around me, just when the marketing fuzz stopped right in the middle of it, and into the video stepped the image of Gil Kirkpatrick, DEC’s founder and Quest’s Chief Architect who, looking annoyed, asked the marketing voice what all of this was about. Nothing at TEC was going to change from what DEC was – this was no marketing trade show, but rather a place for people to learn and exchange experience about Microsoft products – specifically Active Directory and Exchange. The video then stopped to make place for the real Gil Kirkpatrick coming on stage to big applause and delivering the welcome speech.

As a sign of the times, the conference was somewhat smaller than last year – the organisers spoke about a difference of about 30% of attendees compared to last year’s DEC. When Gil asked the audience who had to jump through extra hoops to get to TEC, several hands flew up. Those who went, however, had an excellent, varied and carefully balanced programme waiting for them. As with all conferences, it can sometimes be a challenge picking a presentation to go to from multiple presentations going on at the same time. I was very pleasantly surprised to see that some key presentations were given more than once, so that I could attend them even though I had missed them the day before. Also, presentations were recorded this time and will soon be made available to attendees, which especially for me is an additional value.

The “day before” – i.e. Sunday – several pre-conference workshops had already been given. This was a tough decision for me, as I was torn between going to Laura Hunter’s workshop on ADFS and Bahram Rushenas’s workshop on codeless provisioning with ILM 2. I chose ILM and the workshop turned out to be very informative, as it gave me a very good glimpse into codeless provisioning with ILM. I still felt sad to have missed Laura’s ADFS workshop, which has received high praise (which did not surprise me, as Laura is a passionate expert on this topic, as well as a gifted speaker). But one can’t have everything! ;-)

The second workshop was again on ILM. Dave Lundell, a DEC veteran and one of the most knowledgeable sources on ILM that I have met to date, presented on the topic “Taming the Chaos – Building a Practical Lifecycle Mgt. Application in the ILM “2” Portal”. I knew it was going to be good because I already attended (and raved about) his ILM 2 workshop last year at DEC. This one turned out to be a truly wild ride! Dave and his colleague Brad Turner from Ensynch pushed the envelope by demonstrating what I’ve often heard but never really seen “in action”: that ILM 2 is more than just a provisioning tool, but in fact a whole platform that allows all kinds of lifecycle management for enterprise data. He took an excellent example out of the world of enterprise IT: the management of an OID (Object Identifier) space. Enterprises can receive an OID tree within the “private enterprise” branch by requesting it from IANA. This OID tree can then be used to number enterprise-specific schema extensions, SNMP objects and other things that need an OID and are used within an enterprise. The OID space should be properly managed in order to give it the correct structure and to make sure that no OID is assigned twice. This unfortunately is very rarely done in any enterprise – perhaps because of its technical nature and because the negative effects are usually not visible immediately when the OID tree space is not managed properly – and there are few who “do it right” and properly manage their OID space. Dave and Brad showed how to implement OID management with ILM 2. This was very interesting because it gave us participants a deep dive into the guts of ILM 2, its data structures and workflow possibilities. It also really pushed ILM 2 to its current limits. Ensynch has written several custom workflows and contributed them via the codeflow web site in order to get around some current limitations in ILM 2. Those guys continue to amaze me.
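The two invariants Dave and Brad built their ILM 2 application around, keep every assignment under the enterprise’s IANA arc and never hand out the same OID twice, are small enough to show in plain code. The registry below is an added example written for this post, not Ensynch’s ILM 2 workflow; the Private Enterprise Number 99999 under 1.3.6.1.4.1 is a placeholder, not a real IANA assignment, and the allocation policy (next free child arc, starting at 1) is my own convention.

```python
"""Minimal registry for an enterprise's private OID arc (added example).

The root is the IANA Private Enterprise arc 1.3.6.1.4.1.<PEN>; the PEN used
in the demo below (99999) is a placeholder, not a real assignment.
"""
import re

# dotted decimal, no leading zeros, at least two arcs
_OID_RE = re.compile(r"^(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+$")


def parse_oid(oid: str) -> tuple:
    """Return the arcs as a tuple of ints, enforcing the X.660 top-arc rules:
    first arc is 0, 1 or 2; below 0 and 1 the second arc is at most 39."""
    if not _OID_RE.match(oid):
        raise ValueError("malformed OID: %r" % oid)
    arcs = tuple(int(a) for a in oid.split("."))
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid root arcs in %r" % oid)
    return arcs


def fmt_oid(arcs: tuple) -> str:
    return ".".join(str(a) for a in arcs)


class OidRegistry:
    def __init__(self, root: str):
        self.root = parse_oid(root)
        self.assigned = {}  # arcs tuple -> description

    def _check_under_root(self, arcs: tuple) -> None:
        # every managed OID must be strictly below the enterprise root
        if arcs[: len(self.root)] != self.root or len(arcs) == len(self.root):
            raise ValueError("OID %s is not below root %s" % (fmt_oid(arcs), fmt_oid(self.root)))

    def is_assigned(self, oid: str) -> bool:
        return parse_oid(oid) in self.assigned

    def register(self, oid: str, description: str) -> str:
        """Record an OID chosen by hand; refuse duplicates and out-of-tree values."""
        arcs = parse_oid(oid)
        self._check_under_root(arcs)
        if arcs in self.assigned:
            raise ValueError("OID %s already assigned to %r" % (oid, self.assigned[arcs]))
        self.assigned[arcs] = description
        return oid

    def allocate(self, parent: str, description: str) -> str:
        """Assign the next unused child arc directly below parent (root allowed)."""
        parent_arcs = parse_oid(parent)
        if parent_arcs != self.root:
            self._check_under_root(parent_arcs)
        depth = len(parent_arcs)
        children = [a[depth] for a in self.assigned
                    if len(a) == depth + 1 and a[:depth] == parent_arcs]
        next_arc = max(children, default=0) + 1
        return self.register(fmt_oid(parent_arcs + (next_arc,)), description)


if __name__ == "__main__":
    reg = OidRegistry("1.3.6.1.4.1.99999")  # placeholder PEN
    schema_arc = reg.allocate("1.3.6.1.4.1.99999", "LDAP schema extensions")
    print(reg.allocate(schema_arc, "attribute types"))
```

Registering an OID that a colleague already took, or one outside the enterprise arc, fails loudly instead of silently producing the duplicate that only shows up later as a schema conflict.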

Of course, the news about Microsoft delaying ILM 2’s official release for a whole year put a bit of a damper on the party. Disappointment was tangible from customers and vendors alike. I can certainly understand that although ILM 2’s maturity has evolved since last year, Microsoft wants to play it safe and gain some more experience with deployments, and iron out some kinks that are still present in the current beta version. That however doesn’t help those partners of Microsoft who have made a significant investment in anticipation of ILM 2’s supposedly imminent release. Gemalto, for example, was poised for a big launch and threw a big party that, well, was still a great party, although with excitement rather muted because the cause for the celebration was gone. Attendees were also very disappointed, many of them having come to TEC specifically for the purpose of sharpening their skills in order to prepare for an imminent deployment of ILM 2.

But back to the positive aspects of TEC 2009, which were many – and you obviously can’t blame Quest or TEC for Microsoft delaying ILM 2! The first presentation I went to was Brian Puhl presenting on his experience over the last few years rolling out federation agreements. As one can expect from Brian, it was interesting, funny and thoughtful. Of the lot of information provided I especially liked Brian’s experience with the entirely non-technical problem around creating trust agreements – and the multiple iterations of procedures that Microsoft went through until they had a model that actually works. In the beginning, there was the list of the “10 commandments” – you shall do this, you may not do that, and you must do it like this, and so on. The resulting list was probably bullet proof from the standpoint of mitigating every conceivable risk, but turned out to be so draconian that nobody, not even Microsoft’s own departments, could comply with it. The next iteration was an extensive questionnaire about the state of security and management of identities that a partner had to fill out. The problem there was that many partners certainly did not want to divulge all this information about their internal controls and security subsystems, which they considered confidential. The next iteration then was a definition of a lowest common denominator “bar” that a partner had to jump over in order to qualify for federation. Three “bars” were defined with different classifications for non-critical, medium-value and high-value and confidential content. To qualify, a partner had to vouch that certain criteria were met. Each criterion then had a point score, and the resulting total score would determine which “bar” the partner had reached, and hence qualified for within the federation agreement. This turned out to be very workable.

Another TEC veteran is Pamela Dingle, formerly of Calgary-based Nulli Secundus Identity Management consultancy. Pamela has just flown the coop and started a company called “Bonzai Identity” with the goal of helping enterprises get to grips with identity management by carefully nurturing good practices, aligning business processes, making sure that data is correct, and helping organisations make the “right decisions” over time. She writes that “It is like gardening; you will have much better luck making small adjustments throughout the life of your garden than you will allowing a wilderness to grow and then wading in with a machete”. Her talk at TEC was entitled “A survivalist’s guide to identity management” and focused on the business process shortcomings and warning signs that can really bog down identity management projects. A great overview and invaluable compilation of experience that can avoid very costly traps and maximise the value of those projects.

TEC is legendary for bringing out the best of the Active Directory experts, and for offering not just best practices from the real pros, but also hard-core technical info that you can’t find in other places. There is a gang of “usual suspects” whose presentations I always try to attend, because it doesn’t get much better than that when you want to learn about Active Directory and dive deep into the technology. Apart from Brian Puhl, who is responsible for running AD in Microsoft’s IT department, there are Laura Hunter, Joe Kaplan and Dmitri Gavrilov. Interestingly enough, those AD gurus have become quite turned on by ADFS and federation, and (except for Dmitri) are presenting on that topic.

This has been the first time I’ve had the honour to speak at TEC, and even twice! My first presentation was on the subject of authorisation: once you’ve authenticated the user, then what? How do, can and should applications decide what to allow (authorise) a user to do and see? It is a subject that I’ve focused on quite a bit over the last months and something that I am dedicating a whole track to on May 6th at our European Identity Conference in Munich. I couldn’t help feeling that this particular presentation was a bit of an “odd one” at TEC, because I unfortunately could not just yet teach people how to use technology to do it: we are still early in the game because big vendors such as Microsoft and Sun have yet to commit to standards in this area, come up with frameworks and stipulate good practices. It’s not completely satisfying when at the end of the presentation you have illustrated the problems and pain, but can’t really point to a solution yet. However, I see encouraging signs that vendors are taking this seriously and thinking about ways to tackle these problems. It is not just a lack of technology: there certainly is a lack of standardised technology, but the current “best practices” that encourage application developers to just hardcode security into their applications only exacerbate the problem. I would obviously like to see more interaction between the vendors instead of everybody just thinking within their own box. At our European Identity Conference I am bringing some of the thought leaders, visionaries and experts together and will try to rally them into working together to find solutions as an industry.

My second presentation was on TEC’s equivalent of a “Friday afternoon” – on the last day of the conference, shortly before lunch. I was very excited about the topic because I was presenting about “Cool LDAP Innovations”. As TEC is about Active Directory, I thought it was important to share a different perspective on what is happening outside of AD with other directory servers. Since the AD world is essentially closed (you can’t rip out AD from a Windows network) there is no competition in this space, and in my opinion very little innovation. Compared to other directory servers, AD and ADAM have fallen behind in technology, so I felt a bit tongue-in-cheek talking about some cool stuff that other vendors were doing. The evening before I managed to intercept Nathan Muggli and asked him if he’d attend, and he kindly did. I finished early and a lively discussion started. After a few minutes I was delighted to see the whole thing starting to look like a BoF session, and I decided to sit down in the middle with the other participants and we continued discussing.

Kevin Kampman from the Burton Group (technically a competitor, but I prefer to see him and his co-workers as distant colleagues) gave a presentation entitled “The case for identity services”. Among the pain points that he highlighted I could identify the same ones I talked about in the “authorisation” presentation the day before. It’s great when a smart, experienced guy like Kevin arrives at the same conclusion – it means that we definitely have a case!

I had to scramble after Kevin’s presentation, grab a quick lunch and then hop into the car to drive back to Los Angeles, where I had come from this time. I had thought that the drive through the desert would have been more exciting, but I’ve since been told that for things to get spectacular, Death Valley or Arizona would be the best option (both close, but I didn’t have time for the detour). Having just gotten back to Europe this morning, I am still thinking back on this intense and enlightening experience and am definitely looking forward to the next one!

Innovations in the world of LDAP

21.03.2009 by Felix Gaehtgens

I’ve recently been to Sun’s directory labs in the beautiful city of Grenoble, France to talk about what Sun has in store with their two directory servers: DSEE and OpenDS. I’ve used many predecessors of DSEE (starting with the good old Netscape Directory Server) on several projects over the last decade and used to know it inside out. I’ve grown quite fond of it, and so has everybody else I know who has used the product. I wasn’t exactly sure why Sun embarked on its OpenDS project. Why reinvent from scratch what is already a perfectly great product? This question was on my mind, and I was eager to find out why.

When it comes to directory servers, most analysts like to classify them according to the market segments they address. In no particular order, they are: operating system/network, telco and service provider, enterprise and embedded. When it comes to the operating system/network directory servers, Active Directory rules – not necessarily because it is the best for this purpose (and just to be clear: it’s not bad either!), but – well – it’s so intrinsically linked to Windows that you don’t really have a choice. When Novell NetWare was around, NDS and eDirectory were other candidates in that area, but it’s pretty much down to AD at this point in time. It’s in the other segments where it gets really interesting, because there is some very active development and strong competition.

The Telco/Service provider directory segment is particularly interesting because only the most scalable directory servers can even attempt to survive in this area. Sun has been very strong in this area for many years, and for a good reason: experience and continuous improvement. I’ve been involved first hand in several very large deployments of Sun Directory Server 5.0 (I think it was during the time when Sun called it “iPlanet Directory Server”). At that time, in the early years of this millennium, we deployed the server for hosting several hundreds of millions of entries. Yes indeed, about 120 million entries! This was 2002, and at the time the sheer scale was pushing the envelope quite a bit – but it didn’t just work, it actually worked quite well! Performance, multi-master replication and resilience were absolutely key for these types of installations. And sure – in the early versions of 5.0 there were some kinks that had to be ironed out of the replication protocol, but even then it was quite amazing how scalable the directory was, and how well it could actually be managed with such an impressive number of entries. Over the last 7 years, the directory server evolved even further – multi-master replication is rock solid and Sun has tinkered continuously with the software to increase scalability way beyond what was already impressive in 2002. Nowadays, there are quite a few reference customers who run Sun directory server with literally billions of entries (incidentally, many of them in China – why am I not surprised ;-) ), and this is considered perfectly normal.

When it comes to reliability, a key to deploying very large directories is redundancy, and the possibility to balance loads and fail over between multiple instances. In the early days, load balancing appliances were used to do this (Alteon was really good at this in its day), but unless those appliances had specialised proxy features to handle the intrinsics of the LDAP protocol, this by itself wasn’t a very good option for large deployments. Sun had acquired a company called Innosoft a decade ago, and with it came a product called “DAR” – Directory Access Router – a fully fledged LDAP proxy. Over the years, Sun has enhanced DAR and bundled its next generation into Directory Server (now known as “DSEE”, Directory Server Enterprise Edition) at no additional cost. Being an important cornerstone of very large and complex directory deployments, it fits like a glove into the directory service and extends it by offering extensive request routing functionality, high availability and performance features and simple mapping features. Previously, only the CA eTrust directory had these features.

I can talk all day about deploying telco directory services, because I used to do it for a living, and am still fascinated by the sheer volume and raw power involved ;-) But there are two other very glorious aspects of directory services, and they can be found in the enterprise and in the still fairly recent embedded directory segment.

The enterprise directory segment is where most of the innovation is happening. Enterprises are typically not as focused on performance, and often more interested in integration, security and manageability. Integration is a very big topic, because the directory service is a crucial piece in any identity management infrastructure. And we’re usually not talking about “a” directory either – most enterprises have many different directory servers, containing either different user populations, or part of the same users but for different purposes. It is in the integration area where much innovation has happened in the directory area. It doesn’t surprise me that most enterprise directories nowadays feature simple virtual directory functions. That was not the case five years ago, when I worked for a virtual directory vendor. At that time directory service vendors did not foresee virtualisation features as being an important part of their portfolio – perhaps because some of those vendors were also selling an “identity manager” type provisioning system and thought that any directory integration could be solved by deploying a full-blown provisioning system and brute force copying data around ;-) Well, this wasn’t really a feasible solution in all cases, so it is only natural that virtual directory companies such as OctetString and Maxware were acquired, and other vendors are “rolling their own” virtualisation features.

Some of the features that are not obvious, but extremely useful in the enterprise scenario are exactly those that allow a directory server to easily interoperate with provisioning, virtualisation and synchronisation products. Technically, the features in an LDAP server that are relevant here are persistent searches (persistent queries, so that a connector is notified of changes instead of polling), incremental updates (a changelog or similar mechanism so that a connector can catch up on what changed since its last run) and proxied authorisation (so that a connector can perform operations on behalf of a user without binding as that user). These are low-level features that are absolutely crucial when identity “managers” and provisioning services interface with directory servers.
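Two of these features are requested through LDAP controls attached to a search or update, and it is worth seeing what is actually on the wire, because a misbuilt control is silently ignored unless it is marked critical. The following is an added example, not code from the post or from any Sun product: a dependency-free BER encoder for the Persistent Search control (the Netscape/Sun draft, OID 2.16.840.1.113730.3.4.3) and the Proxied Authorization control (RFC 4370, OID 2.16.840.1.113730.3.4.18). A real client would pass these bytes to its LDAP library’s control API; the bit layout of changeTypes and the OIDs come from the specifications, everything else here is my own scaffolding.

```python
"""Hand-rolled BER encoding of two LDAP request controls (added example).

Persistent Search  : 2.16.840.1.113730.3.4.3  (Internet-Draft, Netscape/Sun)
Proxied Authorization: 2.16.840.1.113730.3.4.18 (RFC 4370)
"""
PSEARCH_OID = "2.16.840.1.113730.3.4.3"
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"

# changeTypes bit mask from the persistent search draft
CHANGE_ADD, CHANGE_DELETE, CHANGE_MODIFY, CHANGE_MODDN = 1, 2, 4, 8
ALL_CHANGES = CHANGE_ADD | CHANGE_DELETE | CHANGE_MODIFY | CHANGE_MODDN


def ber_length(n: int) -> bytes:
    """Definite-form length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value: int) -> bytes:
    """INTEGER as minimal two's-complement octets (covers negatives too)."""
    if value == 0:
        return ber_tlv(0x02, b"\x00")
    out = bytearray()
    while True:
        out.insert(0, value & 0xFF)
        value >>= 8  # arithmetic shift keeps the sign for negative values
        if (value == 0 and not out[0] & 0x80) or (value == -1 and out[0] & 0x80):
            return ber_tlv(0x02, bytes(out))


def ber_boolean(flag: bool) -> bytes:
    return ber_tlv(0x01, b"\xff" if flag else b"\x00")


def ber_octet_string(data: bytes) -> bytes:
    return ber_tlv(0x04, data)


def ber_sequence(*parts: bytes) -> bytes:
    return ber_tlv(0x30, b"".join(parts))


def ldap_control(oid: str, value, critical: bool) -> bytes:
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE,
    controlValue OCTET STRING OPTIONAL }.  A FALSE criticality is left out (DER style)."""
    parts = [ber_octet_string(oid.encode("ascii"))]
    if critical:
        parts.append(ber_boolean(True))
    if value is not None:
        parts.append(ber_octet_string(value))
    return ber_sequence(*parts)


def persistent_search_value(change_types=ALL_CHANGES, changes_only=True, return_ecs=True) -> bytes:
    """PersistentSearch ::= SEQUENCE { changeTypes INTEGER, changesOnly BOOLEAN, returnECs BOOLEAN }"""
    return ber_sequence(ber_integer(change_types), ber_boolean(changes_only), ber_boolean(return_ecs))


def persistent_search_control(change_types=ALL_CHANGES, changes_only=True,
                              return_ecs=True, critical=False) -> bytes:
    value = persistent_search_value(change_types, changes_only, return_ecs)
    return ldap_control(PSEARCH_OID, value, critical)


def proxied_authorization_control(authz_id: str) -> bytes:
    """RFC 4370: the control value is the bare authzId ("dn:<DN>", "u:<userid>" or
    empty for anonymous) and criticality MUST be TRUE, so a server that does not
    support the control rejects the request instead of running it as the bound identity."""
    if authz_id and not (authz_id.startswith("dn:") or authz_id.startswith("u:")):
        raise ValueError("authzId must be 'dn:<DN>', 'u:<userid>' or empty")
    return ldap_control(PROXY_AUTHZ_OID, authz_id.encode("utf-8"), critical=True)


if __name__ == "__main__":
    print(persistent_search_control().hex())
    print(proxied_authorization_control("dn:uid=jdoe,ou=people,dc=example,dc=com").hex())
```

The persistent search control is non-critical by default, which is what most connectors want: a server without the feature simply answers a normal search and the connector can fall back to polling. Proxied authorization is the opposite case; the criticality flag is what turns an unsupported control into an error rather than an operation executed with the connector’s own, usually far broader, rights.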

Some other desired features within the enterprise directory segment are about password services and policies. In the vast list of features to be found in most modern directory servers are sophisticated access control lists that are expressive enough to configure a finely grained access control policy for deciding who gets access to what type of information. This used to be very important in the past but is getting less important, as access control rules on the directory servers tend to be simpler nowadays, because changes typically occur through provisioning systems and not so much directly against the LDAP server any more. Password policies are also a typical feature used in enterprise directory servers (you know – minimum length, character combination, auto-lockout, auto-expiry, and all those things). And of course, keeping track of when users last logged on – very helpful in order to identify dormant accounts.

Another important detail is how passwords are stored, and how they can be migrated from one server to the other. As a general rule, it’s always good to offer administrators choice. Obviously passwords need to be well protected. But the approach of some directory vendors (specifically Microsoft and Novell) to “secure” their directories has backfired – the directory servers hoard the passwords and don’t even offer administrators any possibility to export the password hashes. You may wonder whether this “secure” feature is actually a hidden “lock-in trap”! That has created a secondary market around password “synchronisation solutions” in order to overcome the deficiency in the product itself, where the product’s designers thought they had to be smarter than the poor administrators who actually need to deploy, migrate and maintain them.
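What makes a hash export useful for migration is that the stored value is self-describing: in the `{scheme}base64` convention used for `userPassword` by OpenLDAP, Sun’s directory servers and many others, the receiving server can verify a login against an imported value without ever having seen the cleartext. The code below is an added example, not code from the post or from any of the products named; it generates and verifies values in that format. That `{SHA}` and `{SSHA}` are understood by the servers above is well established; the `{SSHA256}` and `{SSHA512}` labels are assumed here and must be checked against the target server before relying on them.

```python
"""Generate and verify {scheme}base64 password hashes for userPassword (added example)."""
import base64
import hashlib
import hmac
import os

# scheme label -> (hashlib algorithm, salted?)
SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "SSHA256": ("sha256", True),   # assumed label, verify server support
    "SSHA512": ("sha512", True),   # assumed label, verify server support
}


def hash_password(password: str, scheme: str = "SSHA", salt: bytes = None) -> str:
    """Return '{SCHEME}' + base64(digest(password || salt) || salt)."""
    algo, salted = SCHEMES[scheme]
    if salted:
        salt = os.urandom(8) if salt is None else salt
    else:
        salt = b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def parse_stored(stored: str):
    """Split a stored value into (scheme, algorithm, digest, salt); reject anything malformed."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("not a {scheme}hash value")
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()           # servers accept the label case-insensitively
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %r" % scheme)
    algo, salted = SCHEMES[scheme]
    raw = base64.b64decode(b64, validate=True)
    size = hashlib.new(algo).digest_size
    if len(raw) < size or (not salted and len(raw) != size):
        raise ValueError("hash length does not match scheme %r" % scheme)
    return scheme, algo, raw[:size], raw[size:]


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the embedded salt; constant-time compare."""
    _, algo, digest, salt = parse_stored(stored)
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str, preferred: str = "SSHA256") -> bool:
    """After a migration, flag legacy hashes to be upgraded on the next successful login."""
    return parse_stored(stored)[0] != preferred


if __name__ == "__main__":
    exported = hash_password("correct horse", "SSHA")   # what an LDIF export would carry
    print(exported, verify_password("correct horse", exported), needs_rehash(exported))
```

Unsalted `{SHA}` verifies fine, which is exactly why it should be flagged by `needs_rehash` and replaced the first time the user authenticates against the new server; the migration keeps working and the weak scheme does not survive it.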

Last but not least, let’s not forget about one of the very important aspects of enterprise directory services. They need to be simple to deploy, administer and maintain! In the telco area it may be considered acceptable if the directory administrator team features several fully trained relational database administrators, but in enterprise environments that can be too much overhead. Directory servers that make use of relational databases for storing their directory data, such as Oracle’s OID and IBM’s Tivoli Directory Server, can point to the advantages of running a directory services platform on a rock-solid database foundation (in these cases, Oracle and DB2 respectively). But the extra administration overhead can be considerable. CA has traditionally used the Ingres relational database for its eTrust Directory Server, but has now, in the latest Version 12, switched to something called “DXgrid” – a revolutionary internal memory-mapped storage that not only offers incredible throughput, but also eliminates a significant portion of the administration. Sun has always used a simpler, but very fast and highly scalable data store for its directory server called Berkeley DB – the same one also used in most installations of OpenLDAP.

After rambling on for quite a while I actually wanted to get to the point of Sun’s OpenDS, and the question that I wrote in the beginning of this entry. Why reinvent from scratch (OpenDS) what is already a perfectly great product (Sun DSEE)? As it turns out, there’s been a new segment for directory servers that is steadily growing: the one of embedded directory services. For example, packaged solutions that require a directory server internally. Or “black box” appliances with a provisioning interface that contain – guess what – a directory server. A few years back, it was OpenLDAP that was typically shipped with those solutions, because it was free, open and could be embedded more easily than other full-fledged directory server products. Now it is OpenDS that is continuously gaining ground, and for good reason. With its incredibly easy set-up and minimal administration, OpenDS epitomises what an embedded directory stands for. And on top of that, the scalability and performance are world-class. Development on OpenDS is, as the name implies, well – open. The development team features Sun employees and others outside Sun, just like OpenSSO. The release cycle is short and the list of new features is growing at an incredible rate.

So will OpenDS one day replace DSEE? Most likely. But this is still far in the future – for the next few years Sun is actively investing in DSEE as its flagship directory whilst continuing to nurture OpenDS and offering it as an embedded directory server, as well as to anyone interested in quickly deploying a directory server. Now, when I say “quickly” – I’ve managed to install it, extend the schema and load some data into it in less than fifteen minutes! Now that’s what I would call “quickly”. And once I had it up and running on my slow and overloaded laptop, I ran the “slamd” LDAP benchmark tool against it on the same laptop, and got back thousands of searches per second. Not bad at all! Now that’s what I call innovation in the world of LDAP ;-)

I’ll be speaking at TEC on Wednesday the 25th of March, on the topic “Cool LDAP Innovations”. OpenDS will definitely get a mention. On the presentation, I’ll also talk about some other real innovations that happened over the last few years in the directory services area. If you’re there, be sure to drop by!

More on “Geneva” and the Identity Metasystem

12.11.2008 by Felix Gaehtgens

One and a half weeks ago I was speaking in our Webinar about the Identity Metasystem and Microsoft’s implementation of it (codename “Geneva”). The news was still very fresh – I had just been to Microsoft’s Professional Developer’s Conference and scrambled to get the presentation together. We had almost 100 participants, and many questions were being asked. I slightly overshot the one hour reserved for my Webinar, but even after 70 minutes, the majority of the participants were still online. I then started answering some more questions, but there were still too many of them. If you missed the webinar from last week: it is available here.

Tomorrow, the 13th of November we’re hosting another webinar on the topic, at 10 AM PST/1 PM EST/7 PM CET. I will do this one a bit different, and allocate at least half of the time for questions.

Some of the questions we had last time were:

This seems ok for Consumers, is it relevant for large enterprises?

Absolutely. The Identity Metasystem has several parts, some of them more relevant for enterprises and others more relevant to consumers. The parts of the Identity Metasystem that are most relevant to enterprises are the concepts around claims, trust agreements, security token services, and of course WS-*. In “Geneva”, the components would be the Framework and the Server.

What about using Claims on non-Microsoft platforms?

An excellent question, and one that definitely warrants a longer explanation than this one here. I am definitely going to talk about this topic some more tomorrow. Microsoft has now with “Geneva” released the first full implementation of the Identity Metasystem. There is no such complete implementation available for Java or for other non-Microsoft systems, but many parts of it already exist on other systems too.

Let me step back for a minute and state that the “Identity Metasystem” is a “system of systems” – it’s a methodology, and uses many building blocks, such as SAML security tokens, WS-* and public key infrastructure. Many, if not most of these building blocks already exist on other systems. Major vendors such as Oracle, Sun and others offer interoperability with the Identity Metasystem, and some aspects of a development framework (albeit proprietary at this point) in their access management products.

Would you include “Geneva” in an Identity Management architecture today?

I would most definitely plan for it in an architecture, and especially make developers aware of the framework. Keep in mind that “Geneva” is still in beta, and the final release will only be next year. But that doesn’t mean that one should hold off including it in the plans and preparing for it. In fact, for those who really don’t want to wait, Microsoft has a “Technology Adoption Program” that will support users who want to adopt the technology now. Microsoft’s “Geneva” implementation of the Identity Metasystem is all about managing identity in an easier and safer way. That will be important in the long run not just for cost savings, but also as one of the key elements in the transition of IT departments from a cost centre to a strategic asset. Does the last sentence sound like just another pompous example of lofty analyst-speak? ;-) Think again. The costs of handling identity in today’s enterprise environments are significant. It reminds me of the mid eighties, when most office software (Wordstar, Lotus 1-2-3, and even Microsoft Word in its first incarnations as an MS-DOS program) was shipped with one or two floppy disks full of printer drivers. That’s right – different native printer drivers for each program! How much time was invested by every software vendor to enable the same thing (printing) all over again? How much time was saved when operating systems such as MacOS and Windows (and probably others) implemented a “printing framework” that could just be harnessed by whatever programmer wrote applications for that operating system? The identity metasystem is an important piece in the puzzle to make IT easier and more agile. So I couldn’t think of any reasons not to consider the Identity Metasystem (and “Geneva” in a Windows environment). This is all standards-based, interoperable and open!

What is the timeline for “Geneva”?

According to Microsoft, the RTM (final release) will be available in the second half of 2009.

What protocols does “Geneva” use? WS-Trust and SAML 2.0? If both protocols are possible, is claim transformation between those protocols possible?

The current beta release of “Geneva” supports SAML 2.0, but apparently there are some current limitations in the beta that will soon be overcome – I need to confirm this but as far as I remember from PDC, it seemed that the current beta of “Geneva” Server will work as a SAML 2 IdP (Identity Provider), but not yet as a SP (Service Provider) – but again, this is just a temporary limitation in the beta and should be available soon. Claims transformation is one of the key points of “Geneva” server, and yes – the transformation between the protocols is definitely one of the uses foreseen.

What about compatibility of Zermatt now, and “Geneva” framework in the future?

A difficult question to answer. Officially, the “Geneva” framework is still in beta. “Zermatt” was released several months ago, so it has even matured a bit before “Geneva” was released. This is the first Geneva beta, not yet architecturally or functionally complete, and Microsoft is seeking directional feedback. Microsoft invites developers, architects and other interested parties to learn about the software, experiment in labs, and send feedback. Having said this, from a protocol standpoint there will be compatibility since the protocols are mature. There may of course be some evolution in the “Geneva” framework that may be backward incompatible. My personal guess is that if at all, they’d be minor. However, I think it is likely that the framework will incorporate new functionality. Then again I have no crystal ball, and even if I had, I wouldn’t know how to use it :-)

Please join me for my identity metasystem / Geneva Webinar!

31.10.2008 by Felix Gaehtgens

This has been an intense week at PDC 2008 – the first one ever for me. I’m sure it won’t be my last!

If you’ve followed our Kuppinger Cole news, you may have seen my article about Microsoft’s Geneva announcement. I was very excited about this announcement, because of the importance of the identity metasystem for the future. Microsoft is clearly putting its money where its mouth is and fully jumping onto the bandwagon of a fully interoperable, open claims-based identity metasystem. This is not just interesting if you run Microsoft software. This has a profound and positive impact on our industry as a whole.

I am holding a Webinar today (Friday morning in the Americas, afternoon in Europe, the Middle East and Africa) to put all of this into what I think is the proper perspective, outlining why I think this is such a big deal, why this is relevant for you and how you can profit from it. You are all cordially invited!

http://www.kuppingercole.com/events/n40030

It’s the authorisation, stupid!

08.10.2008 by Felix Gaehtgens

As the US presidential election is in full swing, I thought it would be a great time to dust off Bill Clinton’s catchy statement from way back when and seize it for my own agenda. As the industry is increasingly focused on the identity metasystem that will deliver identity to applications, and much attention is given to strong authentication, I believe that authorisation is a very much neglected topic. Very unfortunately so.

It appears as if many of us have just about accepted the fact that authorisation is the domain of applications. Large enterprise software suites typically implement their own security infrastructure. Some others outsource this to the underlying operating system, most notably Microsoft Windows. We seem to be content to deliver identity data into applications, and to let them take care of deciding who gets access to what. I find this dangerous, and a very wrong path to go down in the long run. Let me explain why.

Doing it over and over again. Is your organisation building custom apps? Every application developer of a custom-built application has to implement access control and authorisation yet again. Most developers are really not that savvy or even passionate about security. After all, software development is mostly about finding new ways to do things, not so much about restricting what one can do (unless you’re writing security software, of course). I find it very scary that in many organisations, access control has been implemented differently many times, by many different teams. How can you be sure that everybody got it right? What’s the sum of all bugs in all of the authorisation code? How much time and money has been spent reinventing and rewriting the same wheel over and over again?

What access management? Controlling access is done in very segregated approaches. It’s not uncommon to find multiple identity “universes” next to each other in isolation. We have managed to apply band-aid to the “identity wound” of having disconnected pieces of identities in different stores through provisioning systems and virtual directories. But the “authorisation wound” is untreated and oozing. Yes, there are a variety of “access managers” and “SOA security” solutions out there. Do they really solve the problem? No, because usually they are too coarsely grained, and therefore only relieve some of the symptoms of weak application security without really curing the underlying problem.

Sleepless nights at audit time? Regulations are getting tougher, and audits are taking much more time and money. Once central security services were in place, their mechanisms would need to be scrutinised just once, and after that it’s just about auditing their use inside the applications. At this time role management software is touted to be the magic bullet, albeit in the form of another band-aid to the “authorisation wound” (as described in the next paragraph).

Incompatible entitlement systems. We are seeing a growth in GRC (Governance, Risk-Management and Compliance) tools that build data warehouses of entitlement information, and then try to make sense of the whole mess. Those entitlements are usually completely different in structure and interpretation, and trying to distill this hodgepodge into higher level business roles is a daunting task that needs continuous readjustments. True, the tools offered by the vendors in this space are getting better and better. But effectively the aim is to bring some order into chaos – to fight the never-ending battle against entropy. On the other hand – just think about it – even if only 50% of the authorisation could be derived from business processes, business roles and other high-level information, that’s already 50% fewer entitlements that would need to be managed.

Lack of vision and/or willingness of the industry to cooperate. Barring some notable exceptions, the large vendors don’t have a vision for solving authorisation systematically, or are keeping their cards very close to the chest. Oracle is one of the exceptions here, with a mission statement that this is important and needs to be solved. Other vendors have ad-hoc solutions for offering fine-grained authorisation for custom applications, mostly in the form of embeddable entitlement “managers” or agents. Some are having a field day bashing the XACML standard, and whilst they are right in that it does not solve all problems, it certainly addresses quite a few of them. Hey, SAML does not by itself fully secure your web services, but it certainly does its part in the effort. My word processor does not write my reports by itself, but it certainly helps me get them done.

Service oriented What? In a brave new SOA world, applications are no longer monolithic, but comprised of many services interacting with each other. Identity and access control is an important part of this. Whilst this year has brought us much further in the Identity field with WS-* on the path of becoming mainstream, authorisation is not just a large and ugly pothole on that road, it’s a crater. Unless the industry comes together to adopt an interoperable, standards-based approach to access control,

What now? I may be painting a bleak picture, but it’s not all bad. Several small companies are taking the lead right now to create enterprise-wide access management technology, driven by compliance requirements. Larger vendors are certainly mulling their options. But it’s the time for us in the industry to get cracking, and come up with the methodologies, standards, services, protocols and APIs to solve this once and for all. Until this is done, IT won’t really be dynamic, and many SOA benefits will remain elusive to most of us.

Looking back at DIDW

26.09.2008 by Felix Gaehtgens

Two weeks ago I was at Digital ID World in Anaheim, CA, followed by a briefing in Redmond. My mind is still returning to this action-packed event every once in a while, and I am still trying to make sense of it all. For me the most interesting aspect of DIDW has certainly been to meet face to face with lots of the usual suspects, some people I “know” virtually but have never met face to face, and some new acquaintances. Over the next few weeks, as my busy research agenda allows, I will write up some of the cool stuff, new technologies and new evolutions of products that I’ve learned about during those three days.

I just thought I’d pay tribute to some of my experiences during those three days. For me as well as for many others, DIDW started off with a visit to the new “IDTBD” (ID To Be Determined) initiative that the Liberty Alliance sponsored. Bob Blakeley from the Burton Group stood in the middle of a fully crowded room (including people standing outside). After a somewhat tedious roll call where everybody present stated why they actually went to this meeting, the discussion came into full swing. The idea behind “IDTBD” was to provide an infrastructure framework for projects around identity. Instead of every project getting tied down with bureaucracies, legal agreements and organisational matters, IDTBD would provide support and let participants focus on what they can do best. I thought the idea was pretty good, but not everybody thought the same. As organisational matters like these are not my forte, I disappeared after the break, and when I walked past the open door an hour later, I could see that a very small crowd was still in very animated discussion.

I had my fun with Sun that afternoon, evening and night, and honestly, I had a blast. Sun brought me in twice for their Identity Buzz TV show. Daniel Raskin was my host, and we talked about open source within identity management – the specific nuances and what customers can expect from it. We also talked about one of my favourite topics, the identity bus (I did a round-table at our European Identity Conference back in May), and in that one I managed to turn it around and have Daniel add his thoughts to the discussion (later on that week, I had the pleasure of meeting again with Stuart Kwan, who explained his vision to me, but more on that later). It was great to meet Daniel, I had only had the virtual pleasure up to that point, and can attest that he is at least as cool and knowledgeable in real life as well. I also had some quality time with Pat Patterson, whom I’ve met before, but only briefly between doors, and it was good to catch up. Saachin was there as well and turned on several light bulbs in my head when he talked to me about Sun’s 3 month roadmap for deploying Role Manager within an enterprise. My head was spinning a bit after so much information, and I was really grateful when Saachin’s colleague Neil Gandhi patiently spent a good two hours briefing me and walking me through the product in great detail a day later. As my colleague Sebastian Rohr and others noted, Sun certainly made a killing snapping up Vaau earlier this year, and now I can fully appreciate Sebastian’s enthusiasm.

John Barco very cunningly demonstrated a concept that is likely to pop up in the same basket as identity theft: identity exchange. ;-) By wearing Nicholas Crown’s badge around his neck the next day, he had me confused, because I had just met both of them in person for the first time the day before. I had some great discussions with both of them later, especially with Nick, with whom I talked after the Ping Identity party until the not-so-wee-anymore hours. Oh yes, the Ping party. Aren’t they legendary! As this event was held at the “Blues house”, the “house drink” was a blue liqueur. It did not glow in the dark, but turned out to be somewhat of an acquired taste. Andre Durand’s team were busy making sure that everyone held at least one cup in their hands at all times. I decided to be careful with it. At the party I made some great acquaintances, and ran into Doug Anter from Covisint. In a very forward-looking spirit that is common after successive libations in the later evening, we decided to set up a “breakfast briefing” for 9 AM the next morning. This turned out not to be painful at all (perhaps I can attribute this to my special care with the house drink), but on the contrary highly interesting, as I have an article in preparation on Covisint’s offerings on “Identity as a Service (IaaS)”.

In the same area, I was equally impressed with a briefing that I received earlier from Eric Olden who is the founder and CEO of Symplified. Having founded Securant in 1995 (which he later sold to RSA), he well understands the need, but also the entry barrier for small and medium enterprises when it comes to identity and access management. Symplified provides identity and access management as a service in both directions – incoming and outgoing. On the outgoing side, Symplified can connect an enterprise’s users to internal and external SaaS services (such as Salesforce, Workday, ADP, etc.) with single sign-on. On the incoming side, access to resources is controlled through a proxy layer that is either hosted by Symplified itself, or runs inside an organisation in several form factors: appliance or virtual machine. I think there is a photograph of myself wearing a Symplified T-Shirt towards the end of the Ping party.

Another very interesting briefing I received was from AEP Networks’ J. Alan Bird, who is extending identity throughout the network with identity based access control. Their IDpoint solution tags every network packet (actually, the payload within IP packets) from an authenticated client PC with a special token. Specialised identity routers then act like firewalls by checking access against tokens and making access control decisions. A sophisticated auditing and reporting engine is included that can act as a feed to current GRC (Governance, Risk-Management and Compliance) solutions. As identity management has traditionally focused mainly on application security, I think that this pioneering approach offers a significant manageability gain and addresses a previously not well-addressed need for extending GRC towards the network layer. I am convinced that this will become an important topic, especially with investments in strategic GRC projects increasing.

Oracle was a main sponsor at Digital ID World, and many of its brightest minds were roaming around. I was particularly happy to finally meet face to face with Nishant Kaushik, whose blog I read regularly and recommend (it’s on my blogroll). Same with Clayton Donley, whom I had already seen previously from far away, but had never had the opportunity to shake hands with. I had a great follow-up discussion with Eric Leach on Oracle’s new access management suite (he had briefed me on it a month before). And of course Phil Hunt, whose efforts around the Identity Governance Framework I wrote about previously. When I finally got to meet Dennis MacNeil in person, he gave me some good advice and helped me understand better how the individual pieces fit into Oracle’s strategy.

Understanding that it is impossible to mention everyone and everything that I met and discovered, it is perhaps worth mentioning what I wish I could have done. The time was limited, the exhibition floor unfortunately closed very promptly, and I just plainly ran out of time. Matt Flynn was there and I shook his hand but had to run off and couldn’t catch up with him anymore. He will not escape me next time (or rather, I will not escape him) :-) I also ran out of time and couldn’t properly catch up with the folks from Optimal IDM, who briefly told me about the new features added to their virtual directory product. Equally with my old colleagues from Symlabs, who would have loved to show me the upcoming full virtual tree feature in the next version of their virtual directory. Charles Andres, who is now the head of the Information Card Foundation, was all over the place but unfortunately so was I (and at the Information Card Foundation’s booth I ran into Axel Nennker, which was really cool). I did not have time for Sailpoint and Novell unfortunately – although I did have a brief chat with Dale Olds and some of the other “Bandits”, I would have loved to spend more time with his colleagues as well. Next time it will be!

Mini-review of Microsoft “Zermatt”

18.07.2008 by Felix Gaehtgens

I’ve written a short analysis on Microsoft’s new “Zermatt” framework that went up on our website yesterday. For those who have missed the announcement, Zermatt is a new developer framework from Microsoft that makes it easy for developers to work with claims, and is also a foundation for building secure token services (STS). In the analysis, I also included some of my thoughts on the “claims-based model” in general, and specifically about the lack of an authorisation model. I think this is perhaps the largest gap currently for applications using WS-Trust, WS-Federation and the claims-based model, exacerbated by the fact that Microsoft currently provides no vision of how this will eventually be addressed.

RedHat acquires Identyx

19.06.2008 by Felix Gaehtgens

As I write this, Red Hat is announcing the acquisition of Identyx, a software company that specialises in open source identity management software. Identyx sells fully supported versions of Penrose, a virtual directory, and Velo, an open provisioning solution. Both products are based on open source projects hosted at safehaus.org, which was started up by Jim Yang and Alex Karasulu, best known as a major driver behind the Apache Directory Server project. Identyx’s business model is typical for open source software providers: a stable, official release from Identyx, priced on the basis of a yearly maintenance contract where the price depends on the overall response time and level of service.

Why Red Hat? After all, Red Hat has rarely been mentioned in the identity management area. This is not so much because Red Hat has been inactive – not at all, in fact – but identity management at Red Hat has not been marketed much. But that’s about to change. Red Hat has restructured recently and opened up a new business unit called “Management and Security Products” in February. This business unit will be responsible for the directory and certificate server, IPA and the Identyx products.

Red Hat has been acquiring and building several interesting components in the identity area for a while. Red Hat has also acquired what used to be the Netscape Directory Server and Certificate Server from AOL, which inherited them through the acquisition of Netscape by AOL in 1998. For AOL, these software packages were not any core business and just dawdled on like neglected stepchildren before finally being sold on to Red Hat. Red Hat has invested in the development of these products and made them available in a supported and a free version under the Red Hat and Fedora brands respectively. Although both products are available on multiple UNIX platforms, they have never really been perceived as serious contenders in the identity management space, and have had their success mostly with customers who already had a significant investment in Red Hat’s platform.

Last but not least, Red Hat has funded the FreeIPA (IPA = Identity, Policy and Audit) solution, an integrated security framework currently supporting identity management with plans to add policy management and auditing. This has matured over time, and Red Hat will announce the general availability of FreeIPA 1.0 at the Red Hat summit that is currently in full swing. Red Hat has plans to tie Identyx into IPA, as there are many cross-over cases, especially in the integration of Active Directory. Red Hat customers see many cases where Active Directory users and Linux policies need to be managed together, and Red Hat will harness the Penrose virtual directory to provide easy integration through virtualisation. Penrose will also continue to be available separately.

So what is Red Hat’s vision, and why the jump into identity management now? The overall vision is similar to that of BMC and Microsoft who see Identity Management as an important cornerstone of IT infrastructure management. Red Hat especially sees demand in cloud computing models, where customers need agility in their environment to create a flexible IT fabric by consuming IT infrastructure as dynamic workload resources. The security models change when resources are constantly moved around. Control mechanisms need to be in place to ensure security. Audit trails need to be created in order to ensure compliance. Red Hat sees identity management and configuration of machines converging through specialised workflows.

Due to the special nature of most identity management projects, an open source approach can be particularly advantageous. This is because extensive customisation and integration is often part of a deployment, and many parts of these customisations are shareable – something that does not typically happen as easily with shrink-wrapped commercial software. However, using open source identity management software has so far been elusive for many enterprises due to the lack of a strong partner. Red Hat’s acquisition of Identyx now allows Red Hat to enter the lucrative identity management market with a strong position and a credible offering of products, allowing customers to reap the full benefits of open source identity management by leveraging Red Hat’s unique experience and standing in the open source area. Unlike Novell and Sun, who also offer their own branded Linux open source platforms, Red Hat builds completely on open source. The strategy might pay off, but there is a long, steep road still ahead for Red Hat. The acquisition of Identyx has just made that road shorter, and is good news for Identyx’s and Red Hat’s existing customers. We at Kuppinger Cole will be analysing Red Hat in much more detail from now on.

BMC drops traditional identity management, focuses on Business Service Automation

25.05.2008 by Felix Gaehtgens

I was at the BMC User World conference in Lisbon last Tuesday, trying to figure out where BMC is going, specifically in the field of identity management. After all, BMC’s presence in that segment has been surprisingly low-key for several months. Last year, BMC was to be found at every major identity-related conference. Jeff Bohren, BMC’s identity guru, was very active in the standardisation efforts around provisioning services and in the identity bloggers’ community, and BMC was marked as one of the larger players in the identity space.

Since then, Jeff Bohren has left BMC to join Sunview Software. What we at Kuppinger Cole noticed here in Europe was that BMC’s complete identity management pre-sales team in the UK and Germany left around that time frame as well. It didn’t take a conspiracy theorist to figure out that something was up. Had BMC decided to follow HP and quietly discontinue its products, or integrate them in a broader environment? That’s what my colleague Martin asked me to find out, and besides, this was in “my turf” – right in Lisbon!

I scheduled a session with BMC’s CTO Tom Bishop and we discussed BMC’s vision and what the outlook for identity management is at BMC.

First of all: BMC is refocusing towards a new strategy around Business Service Management (BSM) and Business Service Automation. Identity plays an important part in a BSM-enabled ecosystem. BSM wasn’t something I was very aware of, but it made a fascinating topic. Therefore, I wanted to share some interesting background information that we received during the keynotes, and especially later in the break-out sessions from Tom himself.

In order to make the case for Business Service Management, an interesting statistic from IDG was presented. With higher complexity of IT systems, the cost of managing these systems also goes up. That should come as no surprise. As virtualisation and SOA become more widely adopted, the number of systems rises even further and complexity increases even more. What does that mean for enterprises? Well, increased server management and administration costs for one, plus additional power and cooling costs (virtualisation obviously helps mitigate the latter two, but again, more system management overhead). So are IT budgets due to increase? That is the last thing enterprises want to hear! So something’s gotta give, or things need to work more efficiently. Can IT run more efficiently? You bet, says BMC’s Tom Bishop. After all, after making every aspect of a business more efficient by automation, the IT departments are usually the largest places of manual labour to be found in any enterprise. Ironic, isn’t it?

BMC believes that there is a huge potential to automate the way that IT departments are being run, and is implementing its vision of Business Service Automation to offer its customers a complete solution to do just that. Business Service Automation, according to BMC’s vision, provides an integration layer to unify the “patchwork” of existing solutions that revolve around the provisioning of systems and software as well as compliance with internal IT controls. (BTW, here the words “provisioning” and “compliance” are used outside of the identity management context). With BMC Atrium technology as a central component, and driven by a change management database (CMDB), service support, assurance and automation are integrated, unified and simplified. This drives down maintenance and systems management costs significantly (once you discount the price to pay for the BMC solution, presumably), and allows an enterprise’s IT landscape to grow whilst keeping the management costs at par.

My head was spinning and I was impressed at the same time. I did manage to regain my composure, however, and had the opportunity to quiz Tom Bishop directly on the future of identity management in BMC’s overall strategy. What is happening with the product line, and why does it seem that BMC has retreated from that space? Tom mentioned that last year, BMC had several business units, of which Identity Management was one – complete with a presales team. Now that has been reshuffled, however, and BMC sees identity as a piece of the overall Business Service Management strategy, and will therefore continue to integrate its identity management products seamlessly within this structure. However, BMC will cease to push “stand-alone” identity management products as it has done before. Customers can still buy the existing products as stand-alone solutions, but BMC will focus on the automation and overall integrated approach to service automation.

I tried to prod a bit to see whether there was any indication that BMC might try to fill some of the previous gaps in its “suite”, such as the missing federation piece. Here both Tom and I were caught in the ambiguity trap that opens when the words “federation”, or even “provisioning”, are used by people from different technology domains. We identity management folks think about something completely different when we mention “federation”. Tom was thinking about how the change database approach could be used in a federated approach to integrate different services. I later tried to find out whether it was necessary to buy BMC’s identity management components to integrate with the Atrium software and the Business Service Management stack that BMC offers. I did not get a clear answer. Apparently the integrated BSM solution is able to detect when new users join and leave the organisation, and automatic provisioning of software and other services can be configured. Nobody could explain to me, however, whether or how this could be integrated with a non-BMC identity management solution – although I am sure that this will be possible, given that it may not be palatable for future customers to install yet another identity provisioning system alongside an already running solution that has already been deployed – especially considering the pain and hard work that goes with deploying such systems!

So at least now it’s official! BMC is no longer a player in the traditional identity management market but is instead transforming its offerings to provide an all-integrated approach to automate IT through business service automation and management. Existing customers are still supported, and the products are maintained, but customers will have to look elsewhere for comprehensive identity management solutions, or at least buy the “missing pieces” from other vendors more active in the “pure” identity management sector.


© 2010 Felix Gaehtgens, Kuppinger Cole