Why we need claims in Windows

21.04.2010 by Martin Kuppinger

Microsoft has introduced the concept of claims-based securitywith it’s “Geneva” project. Claims are sort of attributes which are provided by identity providers in the form of tokens and consumed by applications. In fact they are one way to make federation easier and more user centric. “Geneva” provides the tools at all levels to work with claims. The concept of claims is used by some other groups at Microsoft and we probably will see several Microsoft applications with support for claims within the next months.

However, the biggest impact might be on the Windows operating system itself. Claims could make that much more flexible from a security management perspective than today’s mainly ACL-based security model. ACLs are too static and too complex in management to really fulfill the customer needs today. Not only in Windows, but in other operating systems as well. If you think about an operating system which consists of services (Service Providers, Relying Parties) and relies on Identity Providers to provide claims, the entire Security Management can become much more efficient. Based on Policies, using dynamically provided claims. Authorization might be done by the services based on policies and claims or by specialized authorization engines within the operating systems on behalf of the services (the latter not yet being part of “Geneva”).

It is, without any doubt, not that easy to perform such a fundamental change. ACLs are at least somewhat understood, claims are new. There has to be a migration path and compatibility. But if we look at all the options we have, claims appear to be the most promising concept for the future security at the operating system level. One interesting side effect is that the same policies might be applied to other elements in the security infrastructure as well – external access management tools and so on.

Meet me at European Identity Conference 2010 and Cloud 2010 Conference, Munich, May 4th to 7th.


There is more than automation

15.04.2010 by Martin Kuppinger

I’ve done several webinars around changing architectures for Identity Provisioning and Access Governance during the last few months. And new architectural approaches for Provisioning have been an important topic at the EIC for years. I’ve also written a report on Access Governance architectures recently. That is no surprise. Provisioning has to integrate with IT Service Management in some way. It has to support the standard systems where automation is key as well as other systems which either don’t support automation interfaces (unfortunately there are several apps out there which don’t provide integration points, including several important healthcare apps) or where automation is too expensive. Thus, it is not only about connectors. It is about a flexible support for different approaches, from manual workflows to full bi-directional automation.

For the core systems, it definitely makes sense to automate. Many transactions, high risks – these are reasons to invest in direct connectors. But there are many other systems out there which need to be connected as well. Even while there aren’t that many standard interfaces (Web Services, Command Line Interfaces, JDBC/ODBC, LDAP,…) which are commonly used to interact with target systems, the customization and integration is costly anyhow. “Connector fabrics” and other approaches help, but typically organizations end up with some systems which are tightly connected and others which aren’t.

There are many approaches to integrate these systems. There might be specific provisioning tools (FIM/ILM, Quest ARS, and others for Active Directory; SAP NW IDM for SAP;…) in place which can be integrated with other provisioning systems. There might be existing processes based on SRM (Service Request Management) tools. There might be the need for additional manual workflows and some access governance to track whether the manual actions have been performed or not.

With other words: Flexibility is key. Flexibility for architectures, where Identity Provisioning and Access Governance tools are just one element – there might be more than one Provisioning tool, there might be SRM, existing workflows, the integration of Provisioning and Access Governance, interfaces to Enterprise Portals, and so on. And flexibility for connections to systems, by not only relying on automation.

Interestingly, I had some briefings in the last few weeks where vendors – like Courion and Aveksa – highlighted new capabilities which are exactly targeted on this. There are other vendors which started with that before. However, it seems to become a major trend right now – open, flexible architectures for Provisioning and Access Governance. For customers, that means that they have to think a little more about the adequate architecture. On the other hand, that might save them significantly more money by choosing an approach which really fits to what they have.

Hope to see you at EIC 2010 in Munich, May 4th to 7th, 2010.


Services
© 2014 Martin Kuppinger, KuppingerCole