LDAP (Lightweight Directory Access Protocol) is well established. It is the foundation for today’s Directory Services, which support LDAP as a protocol and which usually build their data structure on the associated LDAP schema. There are many interfaces for developers to use LDAP, from the LDAP C API to high-level interfaces for many programming environments.

Even while LDAP is well established, it is somewhat limited. There are several restrictions – two important ones are:

• The structure of LDAP is (more or less) hierarchical. There is one basic structure for containers – and linking leaf objects (think about the association of users and groups) is somewhat limited. That structure is a heritage of X.500, from which LDAP is derived – with LDAP originally being the lightweight version of the DAP (Directory Access Protocol) protocol. X.500 was constructed by telcos for telcos, e.g. with respect to their specific needs of structuring information. However anyone who ever has thought about structuring Novell’s eDirectory or Microsoft’s Active Directory knows that there is frequently more than one hierarchy, for example the location and the organizational structure. The strict hierarchy of LDAP is an inhibitor for several use cases.
• LDAP is still focused on the specific, single directory. It doesn’t address the need of storing parts of the information in fundamentally different stores. But the same piece of information might be found locally on a notebook, in a network directory like Active Directory, in a corporate directory and so on. How to deal with that? How to use the same information across multiple systems, exchange it, associate usage policies, and so on? That is out-of-scope for LDAP.

I could extend the list – but it is not about the limitations of LDAP. LDAP has done a great job for years but there is obviously the need to do the next big step. An interesting foundation for that next big step comes from Kim Cameron, Chief Identity Architect at Microsoft. He has developed a schema which he calls system.identity. There hasn’t been much noise around before. There is a stream from last years Microsoft PDC, there is little information at the MSDN plus a blog post, there is the Keynote from this year’s European Identity Conference. But it is worth to have a look at that. The approach of system.identity is to define a flexible schema for identity-related information which can cover everything – from local devices to enterprise- and internet-style directories, from internal users to customers and device identities, including all the policies. It is, from my perspective, a very good start for the evolution (compatibility to LDAP is covered) well beyond LDAP and today’s directories.

I’ve put the concept under a stress test in a customer workshop these days. The customer is thinking about a corporate directory. Most people there are not directory guys, but enterprise IT architects. And they definitely liked the path system.identity is showing. It covers their needs much better than the LDAP schema. That proved to me that system.identity is not only for the geeks like me but obviously for the real world. Thus: Have a look at it and start thinking beyond LDAP. The concept of system.identity, despite being early stage, is a very good place to start.

There are a lot of talks about making our planet smarter. Despite being far too much fiction, the film “Die Hard 4.0″ has been around some of the potential risks around this. I recently had a very interesting discussion with a forensic/incident expert from the US. We’ve discussed several issues and ended around the idea of this “smarter planet” and the “smart grid” as one of its most prominent elements. Per se, the idea of having a networked infrastructure in many areas, with a high degree of flexibility and increased service availability is as appealing as inevitable – things will go that path.

However the security of that future seems to be somewhat ignored, at least in the public discussion. For sure politicians aren’t interested in the dark site of things as long as the bright side is discussed. They don’t want to be the party poopers. Only if there is an incident, they will claim that they have done everything to avoid it and that everyone else is guilty but not them. Vendors, on the other hand, are mainly interested in driving things forward. Most of the for sure don’t ignore security – but it seems to be more sort of a pain than an opportunity.

Thus, we observe currently the same thing in big like we can see day by day in small: Security is ignored when driving things forward. That is true for a tremendous part of the software which is developed, it is true for new standards in IT (think about web services – security has been missing at the beginning), it is true for so many other areas. And now the same thing seems to happen for all these smart things. But, from my perspective, then these things aren’t really smart.

Just think about the smart grids. This is sort of a massive data retention mechanism, collecting and networking millions of households with the utilities. There are privacy threats – who has used which electric device when? There are new attack surfaces. For sure there are some things going on around security. But from what I observe, security is developing slower than the rest of the things in the smart planet initiatives. It’s sort of a ticking time bomb out there.

What will happen? Security is undervalued. For sure it isn’t ignored but it won’t have the relevance it should have in these projects. People will cheer when there are some results of projects delivered. Security will become a problem. There will be unpleasant discussion about who is guilty or not. Security issues will be patched. To some degree. Wouldn’t it be a better idea to built security into the concepts from scratch? To really have a smarter planet at some point of time?

Sorry for being the party pooper!

In these days the industry talks a lot about IT GRC, Risk Management, Access Governance, Identity for the Cloud, and so on. However, we should keep in mind that the vast majority of organizations still have to do a lot of homework around basic Identity and Access Management.  And, even more: That’s the foundation for many of the other things like Access Governance, because it’s not only about auditing but as well about managing (and, honestly, it’s much more about managing and enforcing preventive controls than of auditing in a reactive way, isn’t it?).

Thus, you shouldn’t ignore Identity Provisioning, Virtual Directory Services (still one of the most valuable technologies in IAM and one of the best hidden secrets at the same time), or Enterprise SSO. You will find a lot of Podcasts of Webinar recordings at our website. Thus, I won’t analyze everything around that but focus on some few points why we still should consider the core IAM market as relevant:

• Provisioning tools have matured over the past years – and they support many of the “new” features like access certification frequently. Thus you can do a lot of things relying only on these “basic” tools instead of adding too much on top of them. Not all, but a lot. That has to be carefully analyzed but in several cases, one tool definitely is the better solution than multiple tools. That’s like in real life: There are advantages for the multi-tool, there are advantages for the specialized tools.
• If you look at the market, than there are relatively few really big organizations. Most of them have some IAM. But, correctly, most of them have more than one IAM approach and implementation. Thus, they have integration issues which is an important market, with many architectural options to solve this. And, beyond that, in these large organizations you frequently can observe a tendendy to implement some point solutions in some areas – for example an additional provisioning tool for some specific systems. Given that, there is still a lot of work to do and a lot of potential, for example in providing the provisioning tool which integrates other provisioning tools.
• The medium-sized businesses frequently don’t have much provisioning and other IAM solutions in place. Thus, there is a huge market opportunity, as well for on-premise as cloud-based solutions.
• Some implementations might be worth a review with respect to today’s requirements and solutions. There is always room for updates and even replacements.

The reason why there is somewhat fewer attention of the marketing departments of vendors on that segment (at list when looking at some vendors which have not only provisioning) is simple: Provisioning is hard to sell. E-SSO is easier to sell. Access Governance might be even easier than that. Thus, looking at the low-hanging fruits instead of focusing on products with a long sales-cycle and a lot of competition, appears to be logical from a sales perspective. However, that leaves a large portion of the market blank and it doesn’t fill the pipeline sufficiently for a time where the low-hanging fruits might have been picked.

It’s not up to me to judge about vendor marketing and sales strategies. But it is interesting to observe what is happening in the market. And that might be one reason for the relative success of several of the smaller vendors in many markets (by the way: some large vendors are very active in the “classical” segments – innovative, focused,…).

From a customer perspective, the buzz and fuzz around the new topics might divert the focus from the things which have to be done as a foundation, on which other things can be built. Thus customers always should keep in mind that they can’t be successful without doing their homework. And that includes to provide a solid foundation for provisioning – with an adequate architecture for the customer’s requirements. I’ll blog about these architectures soon but you might as well look here - I’ve touched the topic in this webinar.

Don’t miss the European Identity Conference 2010 and its Best Practice presentations to learn more about this. See you in Munich, May 4th to 7th.

Cloud Computing will be the next big paradigm shift in IT. I have no doubt about that. But like with in many other cases, there is first of all a vision, then a buzzword, then some basic technology – and then people start to think about things like reliability and security. The same is true with Cloud Computing. There are many services out there, but IAM and GRC for the cloud are heavily underestimated.

That is somewhat funny given that some of these services appeared in the big New Economy bubble some ten years ago. Salesforce.com is just one example, some of the online conferencing providers are as well in the market for years now. But only few of them support at least basic standards like SAML (Security Assertion Markup Language) for Identity Federation. And many still lack the support for such standards, not to talk about more advanced approaches like Information Cards or XACML.

Beyond the fact of missing support for existing standards, there is the issue of missing standards. There are virtually no standards for GRC, for example for auditing and alerting (and SNMP isn’t the solution for the cloud). Even XACML is more sort of a technical standard, which needs a lot of additional work to really support the authorization management issues in the cloud.

There are some additional offerings for example for Single Sign-On to the cloud, there are some identity providers for the very lightweight OpenID and even less for Information Cards, and there are few offerings for Identity Provisioning from the cloud, e.g. managed services for Identity Management. Some of the more interesting vendors in the market are, amongst others, companies like Fischer (Provisioning), Ping Identity (Federation), TriCipher (Authentication), Arcot Systems (Authentication), Multifactor Authentication (again Authentication), and Fun Communications (Information Cards). But the number of offerings is still relatively small.

On the other hand it is obvious that IAM and GRC will become a very fast growing segment of the IT market, for ISVs as well as for Identity Providers. And it will be as well an interesting opportunity for consultants supporting all the other providers in the cloud in enabling their applications for the IAM and GRC requirements of their customers.

To become successful as a provider in the cloud, the “externalization” of the management of authentication and authorization as well as externalized auditing will become mandatory. Customers can’t afford to manage authorizations per cloud service but will have to apply pre-defined policies. Thus, we need new standards and we need new semantics for existing standards like XACML on a much higher level than today.

The entire industry, e.g. cloud providers as well as customers and IAM/GRC vendors have to work together on this. Feel free to send me your ideas and proposals on this – we’re currently preparing a launch of a standards initiative on some IAM/GRC issues and that might be the next one.

More on IAM and GRC for the Cloud at the European Identity Conference 2009 (Munich, May 5th to 8th).

There is no doubt that the attestation capabilities which can be found in many of today’s IAM-GRC platforms (e.g. GRC platforms with focus on Identity and especially Access Management aspects) are important and helpful. Attestation provides a capability to go through existing entitlements and, in some cases, changes and confirm or revoke them. But: Attestation is mainly sort of a detective approach. There are two other aspects which have to be addressed as well:

• Preemptive controls which avoid that there is any access right granted which later on has to be revoked
• Controls in the sense of really managing and not just auditing

That is where active Authorization Management comes into play. In my definition, Authorization Management defines the approaches to centrally manage authorizations in underlying systems. In best case it ends up with the management of specific entitlements (that would really be “Entitlement Management”), in most cases it is only the capability to map users (using roles and so on) to system-level roles or groups or profiles. Better than nothing… In fact, most GRC solutions are limited because the provisioning solutions used are limited as well. There are only few products which can granulary manage entitlements at least for a few target systems.

But at least using higher level policies (and thus rules) and business roles to manage authorizations, e.g. in most cases controlling provisioning systems, is a huge step forward – even more if the GRC system can use the reconciliation capabilities of provisioning solutions to detect issues on the fly and not some weeks or months later when next time going through the attestation process (that might be too late – the money might be at some strange caribeean island at that point of time).

Anyhow, the big gap of provisioning still remains. Provisioning (or GRC) are in control down to the assignment of users to groups/roles/profiles in the target systems. But what these group, roles or profiles are allowed to do is managed by someone else – the operator/administrator of these target systems. You should always keep that in mind, because it is the reason why we will need not only one level of attestation but a multi-layered attestation, starting with the sysadmin who confirms that groups, roles, or profiles still have correct access rights at that level.

There is another interesting aspect of Authorization Management: Dynamic Authorization Management. Most of today’s approaches are static, e.g. they use provisioning tools or own interfaces to statically change mappings of users to groups, profiles, or roles in target systems. But there are many business rules which can’t be enforced statically. Someone might be allowed to do things up to a defined limit. Some data – for example some financial reports – have access restrictions during a quiet period. And so on. That requires authorization engines which are used as part of an externalization strategy (externalizing authentication, authorization, auditing and so on from applications) which provide the results of a dynamic authorization decision, according to defined rules, on the fly.

Today, in most cases companies rely on a single-layer attestation – which isn’t sufficient. They have to move to multi-layered attestation, to static authorization management and to dynamic authorization management. And vendors will have to enhance their products significantly to support every aspect. There is still a long way to go for IAM-GRC vendors, not even talking about extending GRC platforms to SIEM, BSM, and other aspects.

I blogged several times about IaaS (Identity as a Service), last time only some two weeks ago. We will observe a strong increase in that field, the stronger the more people understand that IaaS is mandatory for the cloud. In our upcoming Market Report Cloud Computing 2009 (available starting tomorrow at http://www.kuppingercole.com/reports) we provide, first time ever, a stringent and valid structurization of the cloud market with all its different segments.

IaaS is part of this market, but it is as well a prerequisite for most other aspects of cloud computing. The more services you use in the cloud, the more you need IaaS and GRCaaS (GRC as a Service, just to create a new horrible acronym). How will you become ever compliant if you can’t manage your identities and their access rights consistently in the cloud? That goes well beyond authentication. We will need approaches for a consistent policy management across different cloud services, which again will require new standards, going beyond what federation standards like SAML, authorization standards like XACML and other standards like the IGF (Identity Governance Framework) provide today.

The biggest threat in cloud computing is manageability. And within that field, the biggest threat by far is managing the identities, their authentication, the authorization and all the auditing stuff, to meet the business policies and rules defined within more advanced GRC approaches. Thus, within a cloud strategy the IAM strategy is a vital part, and a prerequisite for every successful move to the cloud. That is true as well when using only a few cloud services (or even only consuming some external web services in SOA applications) as for approaches where everything including IAM and GRC is moved into the cloud.

We strongly recommend to evaluate today’s options for IaaS and their relationship to cloud strategies. By the way: European Identity Conference 2009 will be a great place to learn and discuss about this.

Some days ago, I had a very interesting discussion with John de Santis and some of his colleagues from TriCipher, one of the vendors which provide IaaS (Identity as a Service) solutions, in that case particularly with their MyOneLogin service. That discussion is one in a row of others I had with several of the other vendors in the IaaS space like Multifactor Authentication, Arcot Systems, or Ping Identity, to mention just a few.

On the other hand, my colleague Jörg Resch (currently very active in organizing the European Identity Conference 2009, where we will have, amongst many other topics around thought leadership and best practice for IAM and GRC, definitely much content about IaaS) some weeks ago asked me about my opinion about approaches like Facebook Connect and related standards (Google Friend Connect, Myspace Data Availability) and, as a result, my overall opinion about IaaS. First of all, the positive things with all these initiatives is that they address the lock-in issues in todays social networks, which I’ve discussed more than a year ago in this blog (by the way a discussion we’ve started at our European Identity Conference 2007).

So where is the link between these two discussions? It is all about the way we can and should deal with identities in the future. In business as well as privately. First of all, identity is core to any of these initiatives like cloud computing and SaaS or Enterprise 2.0 or Web 2.0 – even while many people haven’t understood the impact of identity yet. How will you ever fulfill compliance requirements in an IT infrastructure which consists of multiple SaaS services provided by different companies as well as some still existing internal IT services? How is allowed to do what in that environment? Just think about SoD controls across multiple SaaS services… How do we control the way our employees act in the Internet, still representing our company? What about consistency and reliability there? How about the integration of Web 2.0 services into the enterprise, for corporate use – that what sometimes is called Enterprise 2.0 (I use this term here even while most of the 2.0-terms are just ridiculous)?

It is interesting to observe that there are some initiatives and products trying to address at least some of the problems. Vendors start providing strong authentication as a service, sometimes focused on authenticating to SaaS. Social networks start to open up, even while there is a lack of standards. Information cards might become virtual corporate business cards.

Thus, we have some standards (like OpenID, Information Cards and the underlying federation standards, XACML,…), some IaaS services (mainly for authentication and federation and some provisioning), and some proprietary approaches for exchanging information from social networks. Many areas like policy management and auditing aren’t covered yet. And in the area of social networks, there should be one standard, which might make use of Information Cards instead of some vendor implementations. From my perspective, we are still at the very beginning of the IaaS market. We will need to create more standards and implement more use cases. There is a lot of room for vendors and service providers.

From a corporate perspective, we will observe approaches where companies fully rely on IaaS, putting everything into the cloud. There will be companies which use just some cloud services, like federation or strong authentication. And there will be companies which still mainly rely on their own IAM and GRC infrastructure, with the need to integrate that with cloud services they use.

Today, you can’t fully rely on IaaS but enhance your IAM and GRC infrastructure with some very interesting solutions to become more flexible in your move to cloud computing. But you definitely should analyze which opportunities IaaS provides – and how to do IAM and GRC for cloud computing, Enterprise 2.0, Web 2.0 and all these other initiatives.

Not to forget: I’d like to once again ask for your participation in our current surveys. Thanks!

Recently, I had several discussions around terms like Access Management, Authorization, and Entitlements. And I thought about what is in the center – is it the identity or is it access management? Some weeks ago I mentioned in my blog that Hassan Maad, COO of Evidian, has stated that, from his experience, customers understand access while they have difficulties with the term identity. And when I go back some two years, there has been an intensive discussion of the so called “Identity Gang” about the term “identity”.

In fact, the management of access is the core business requirement. That is about authorizing access, it is about being entitled to do something. Thus, access management, authorization management, and entitlement management are terms which are used in the same context, with slight differences between them.

But: It is not only about allowing access, or authorization, or entitling. The questions are: WHO is granted access?  WHO is authorized to do something? WHO has which entitlements? There is always the “who”, the identity. With other words: These concepts are tightly coupled together. Authentication (proving the who) and Authorization (granting or denying access) can’t be separated. Which, by the way, becomes obvious when looking at the concept of federation.

And there are several other import aspects of the identity, including the approach of understanding core business objects as identities (and vice versa).

However, the concept of the identity is more theoretical and more complex than access, authorization, entitlements. Thus, it might be better to talk about “Identity and Access Management” instead of “Identity Management” – especially, because there are some technologies which are more related to identities and others more to access. At least until someone creates a better term which is understood by everyone and which replaces “Identity and Access Management”. GRC isn’t that term. But maybe someone has a good idea!?

Some weeks ago Evidian, one of the European vendors in the Identity Management market, has announced that they are in the lead of an European research program for multi-domain policy management. The program called MULTIPOL is part of ITEA 2 (Information Technology for European Advancement), a set of EU-sponsored initiatives in the IT space.

The focus of MULTIPOL is mainly around multi-domain authorization, e.g. controlling access according to different security policies from different domains. The reason why: There is no internal network with a strong perimeter any more. Networks are becoming increasingly open. While authentication has been solved by approaches like Federation, the handling of policies for access control and thus authorization is still an issue.

We will observe this initiative, with Evidian as lead and ten other major European IT companies as participants. Policy Management beyond the border of one system is still amongst the things which have to be solved.

Some years ago I’ve written an article on policy management, stating that companies aren’t solving the problem but just are moving it to the next level. That was when more and more vendors told me the stories about their policy management capabilities they had built into their products. Usually they’ve built one policy management per product. So, instead of 100 products without policies there were 100 with policies. Different, incompatible ones.

The approach of Evidian is one interesting approach besides others like the idea of claims-based authentication and authorization Microsoft/Kim Cameron have published. Given that Evidian has a long experience especially around managing access, there might be some valuable outcome from this project – despite the fact that it is a EU-sponsored project.

At EIC 2008 I’ve presented our view on the relationship of GRC and IAM as well as our definition of the GRC market, the core results of our GRC market report 2008. Basically, the generic GRC tools we see emerging in the market are becoming more and more the business layer above the classical core IAM tools, e.g. provisioning, self service and some other feature areas.

I’ve been talking with a lot of users within the last few weeks. And what I’ve learned has proven that statement. The most important driver for IAM projects today is the need for defined, auditable processes around user and authorization lifecycle management. And that is about Governance, Risk Management, and Compliance.

To fulfill these requirements, you need a strong IAM foundation. But without a level above for a business-controlled authorization management, for layered attestation from the system up to the business level, for the management of business roles and for a business-centric auditing that won’t fulfill the needs.

Given this it is no surprise that several vendors either integrate more and more of these features in their IAM products, some of them on a high level (Völcker), while others have acquired specialized vendors in both areas (Oracle, SAP, Sun).

Today it is not necessary to buy the IAM and the GRC products from the same vendor, especially because the GRC solutions are in their early stage. And due to the fact that IAM tools always will focus more on the IT level whilst GRC focuses on the business level I’m not sure whether they shall be really integrated. But one thing is sure: You will need both levels of tools to fully support the business requirements which are driving IAM today.