At EIC 2008 I’ve presented our view on the relationship of GRC and IAM as well as our definition of the GRC market, the core results of our GRC market report 2008. Basically, the generic GRC tools we see emerging in the market are becoming more and more the business layer above the classical core IAM tools, e.g. provisioning, self service and some other feature areas.

I’ve been talking with a lot of users within the last few weeks. And what I’ve learned has proven that statement. The most important driver for IAM projects today is the need for defined, auditable processes around user and authorization lifecycle management. And that is about Governance, Risk Management, and Compliance.

To fulfill these requirements, you need a strong IAM foundation. But without a level above for a business-controlled authorization management, for layered attestation from the system up to the business level, for the management of business roles and for a business-centric auditing that won’t fulfill the needs.

Given this it is no surprise that several vendors either integrate more and more of these features in their IAM products, some of them on a high level (Völcker), while others have acquired specialized vendors in both areas (Oracle, SAP, Sun).

Today it is not necessary to buy the IAM and the GRC products from the same vendor, especially because the GRC solutions are in their early stage. And due to the fact that IAM tools always will focus more on the IT level whilst GRC focuses on the business level I’m not sure whether they shall be really integrated. But one thing is sure: You will need both levels of tools to fully support the business requirements which are driving IAM today.

These days I have had a briefing with John De Santis, Chairman and CEO of TriCipher, about the new myOneLogin service. This service provides strong authentication and Single Sign-On for SaaS applications, supporting many SaaS apps as well as features like SAML-based federation to the few SaaS providers which are already at that level.

One of the things John mentioned was that Salesforce.com has allowed Google to be the authoritative source of identity assertion. In that relationship, Google is acting as identity provider. Besides the question whether Google is the best choice to trust on that leads to another question: There is no established identity provider in the so called “cloud” [By the way: Has the term "cloud" been chosen because everything out there is a bit "cloudy" in the sense of "fuzzy"?].

Read the rest of this entry »

Yes, I know - it is a little redundant talking about “corporate” and “business” in the context of virtual cards. But it is one of the most obvious, interesting and feasible business cases around Identity 2.0.

What do I mean by that term? My idea is about applying the ideas of Identity 2.0 and especially of InfoCard to the business. Provide every employee with an InfoCard or even some of them and you are better suited to solve many of today’s open issues.

How to issue these cards

I have this in mind for a pretty long time. I remember that I had asked Don Schmidt from Microsoft about the interface between Active Directory and CardSpace some time before EIC 2007. Active Directory might be one source of these cards. Just provide an interface between AD and an Identity Provider for InfoCards and you are able to issue and manage these cards based on information which still exits in the Active Directory. For sure, any other corporate directory or meta directory might work as well.

Today these technical interfaces are still missing, at least in an easy-to-use implementations. But it won’t take that long until we will see them. Thus, it is time to start thinking about the use cases.

How to use these cards

There are at least three types of cards I have in mind:

• Virtual business cards: They are used when someone represents his company. How do you ensure today that every employee provides current and correct information when he registers with other web sites? How do you ensure that he acts in the web like you expect him to do? How do you ensure that he enters the correct title or the correct information about the size of your business when registering? InfoCards are the counterpart to your paper-based business cards today, but they can contain more information. And there might be different ones for different purposes.
• Virtual corporate cards: They are used for B2B transactions and interactions. Add information like business roles to the cards and you can provide all these claims or assertions which are required for B2B business. These cards can be an important element in Federation, providing current information on the role of an employee or other data required. For sure there can be as well several cards, depending on the details which are required for interaction with different types of business partners.
• Virtual employee cards: They are used internally, for example to identify users in business processes. Again, there might be a lot of information on them, like current business roles. You might use them as well to improve internal order processes, identifying the users who request new PCs, paper, or what ever else.

With these three types I might even have to extend the name for the cards, I assume. But I will stick with the term I have in the title of this post. The interesting aspect is the flexibility which (managed) InfoCards provide and the ability to manage them in context with a leading directory you have.

Due to the fact that you are the Identity Provider when applying these concepts you can ensure that no one uses these cards after leaving the company. You can ensure as well that the data is always up-to-date. That’s by far easier than with some of today’s equivalents for these future type of cards.

I will blog these days about two other ideas I have in mind in this context: The way the concept of claims Microsoft’s Kim Cameron is evangelizing will affect end-to-end security in business processes and SOA applications in general and the idea of using InfoCards for all these personalization and profiling ideas which have been discussed many years ago. I’m convinced that Identity 2.0 concepts like InfoCards and claims are a key element to solve these threats and bring these things to live.

There is a lot of business value in these concepts. And they will affect the way businesses cooperate, because they are much easier to implement and use than many other approaches.

Today, provisioning is the core element of Identity Management. Most of the products which are usually named “Identity Manager” are built around provisioning, with more or less additional features. But will that be still the case some three years from now? There are several trends which will influence provisioning significantly. The most important ones are

• Reuse of existing IT infrastructure components
• Business Role Management
• Enterprise Information Management

These trends will influence the market. One important area is the reuse of existing IT infrastructure components. There are clear advantages of using a standard workflow and business process management instead of proprietary implementations in provisioning products. For example processes can be better managed, integrated with existing supply chains and easily transferred to other systems.

Read the rest of this entry »

In a, may be, simplistic view on IT there are three important pillars on the IT infrastructure level. Using the - sometimes improper - buzzwords, these are

• Identity (and Access) Management (IAM)
• SOA - in fact more the technologies for business processes and flexible applications, e.g. including BPM (Business Process Management)
• BSM (Business Service Management), or ITSM (IT Service Management), or BTO (Business Technology Optimization), or however you will name what has been systems management and now, with a new layer on top, is something “entirely new”. I would say it claims to be something new but the layer on top is far from being mature.

You might claim that the Enterprise Systems are missing in that list. Yes, they are missing. No, they are in, because SOA or BPM are the way to use these systems in the future - have a look on the strategies of SAP with NetWeaver or Oracle with Fusion.

Read the rest of this entry »

One trend observed is that the so called “Identity Managers”, e.g. the provisioning products, are constantly growing in functionality - and complexity. This isn’t surprising. There is strong competition between vendors and thus many vendors try to add all the functions which are offered by other vendors. The customers as well expect very complete products. But there are two things which should let us think about this strategy:

1. The increasing complexity: Thus it really make sense to create more and more complex products?
2. The still existing weaknesses: In many areas there are better solutions available as separate products than are implemented in most or all provisioning products. Have a look at business role management, GRC (Governance, Risk Management, Compliance) functionality, or workflows.

Besides this, there is not just one user group which has to deal with identity management. There are departmental managers which have to do some attestation and to invoke workflows. There are the persons which act as interface between IT and the rest of the organization which, for example, have to deal with the translation of business roles into system roles. There are technical administrators of the connected systems. With other words: There are several levels within the organization which have to be adressed - and there are several technical layers.

I personally don’t believe that more and more complex provisioning products are the best answer for the customer’s requirements. In contrast, a modular approach with defined interfaces and defined responsibilities would suit much better in most cases, especially in the larger companies. For smaller companies, a one-stop-solution might be appropriate. But in that case it has to be one which is pre-configured and easy to use, something which isn’t delivered today.

My expectation is that the market will change, with vendors who offer modular solutions (or just some modules) in a service-oriented architecture and others, who focus on the midsize market with integrated products. But todays approach to put more and more functionality (business role management, auditing,…) into a technical product will fail. Like yesterdays “Enterprise Systems Management Frameworks” have failed.

I’ve observed an increase in discussion around data leakage prevention - finally. This discussion is overdue, given the fact that data leaks are common in most corporations. Internal documents, eMails, blueprints aren’t under control in most cases.

The need for data leakage prevention automatically leads to two topics: Information Rights Management (IRM) and Identity and Access Management (IAM). Both are tightly coupled. Identity Management is about managing the identities. Access Management is about controlling access, but mainly to defined “information silos”. Information Rights Management is about controlling access to information in the flow. But, in fact, IRM is nothing else than a specific for of Access Management - isn’t it?

If you look at Microsoft’s advances in IRM with Windows Server 2008, the central role Identity Management has for IRM becomes obvious. The most important improvement is the integration of Identity Federation and IRM, with the result of Federated Rights Management Services. This isn’t surprising, because IRM requires the knowledge of the users, groups, and roles which shall have access to information. That is easy within an enterprise, but it becomes a quite complex issue in the communication with more or less tightly coupled business partners. Federation is the obvious answer to this.

Thus, IAM and IRM will grow together over time, with IRM as a specific application of IAM. Companies which face the data leakage problem - virtually every company - have to define their strategy for IRM in the context of IAM. This context is necessary because IRM requires reliable identity information and because IRM is just another form of Access Management. And a major topic at our European Identity Conference.

The good news is that this dependency is seen by some vendors as well. The bad news for Data Leakage Prevention is that there are neither standards nor implementation which will cover the entire breadth of (electronic) corporate information, e.g. from Microsoft Word to CATIA to Lotus Notes. But the growing demand for solutions might change this over the next two or three years.

There is a broad discussion around the use of identity information at StudiVZ these days. They have changed their agreements with their users and will present personalized adverts. That has lead to an intensive discussion in their user community. Another interesting change can be found at Xing since some two weeks: At the starting page you can now directly see not only the number of new contacts of your contacts (like at LinkedIn) but the names of the new contacts.

I personally found that change a little bit to open. For sure you can look up the contact lists of your contacts as long as they aren’t hidden. But there is a difference between acting actively and this new situation where you are passive. I’m not sure whether I like that – and I doubt that other users are convinced of the value of this change.

But, more important than the question whether I will hide my contacts at Xing as a consequence of this change there is another aspect which is common for both described situations: Social networks are at a critical point. And their next steps will influence the future not only of some single social networks but of the approach in general.

Read the rest of this entry »

Recently I complained about the insufficient use of existing technologies. But there are some out there who do a better job. Sailpoint is one of these vendors. They are, together with some few others like Aveksa, in the process of establishing the new market segment of “Identity Risk Management”. That is a discipline within GRC which deals specifically with risks which are in some way or another identity-related - which are most of the risks, by the way. It’s about answering questions like “who is allowed to do what”, but in detail and not only high-level. And with a high degree of automation.

And they do it by using Business Intelligence and Data Warehouse technologies.  Thus, they don’t reinvent something on a lower level but make use of existing technologies. The result is an appealing application which obviously is build on some strong kernel of technology.

Another interesting thing about Sailpoint is that there are several well-known guys from the IAM market - some of the founders and early employees of Waveset are no part of Sailpoint. That obviously means that they understand a lot about Identity Management and that they also understand what the customers need beyond provisioning.

Thus, having a look at companies like Sailpoint and Aveksa and the entire new descipline of Identity Risk Management is a must. And, no surprise: Identity Risk Management will be an important topic at our European Identity Conference 2008.

The topic I discuss probably most often as well with vendors and system integrators as with end users is how to sell IAM. The problem behind this is that IAM is mainly seen as an infrastructure element (which IAM is). The potential business value is often quite unclear, as well as many people just don’t know that they need IAM even because they are using different terms. The CRM don’t see their system in the context of IAM even while it’s the biggest identity store in most companies – just an example.

One thing I’m intensively working on is a business-related argumentation which starts with the business problem and ends with IAM – and not the other way round, like it is done in most cases. The other aspect which came into my mind is to sharpen the relationship between IAM and the CIO’s agenda. The first step in this is to have a look on the CIO agenda – what shall be on that agenda (which are not necessarily the same issues that are on the agenda today).

Read the rest of this entry »