Some days ago, I had a very interesting discussion with John de Santis and some of his colleagues from TriCipher, one of the vendors which provide IaaS (Identity as a Service) solutions, in that case particularly with their MyOneLogin service. That discussion is one in a row of others I had with several of the other vendors in the IaaS space like Multifactor Authentication, Arcot Systems, or Ping Identity, to mention just a few.

On the other hand, my colleague Jörg Resch (currently very active in organizing the European Identity Conference 2009, where we will have, amongst many other topics around thought leadership and best practice for IAM and GRC, definitely much content about IaaS) some weeks ago asked me about my opinion about approaches like Facebook Connect and related standards (Google Friend Connect, Myspace Data Availability) and, as a result, my overall opinion about IaaS. First of all, the positive things with all these initiatives is that they address the lock-in issues in todays social networks, which I’ve discussed more than a year ago in this blog (by the way a discussion we’ve started at our European Identity Conference 2007).

So where is the link between these two discussions? It is all about the way we can and should deal with identities in the future. In business as well as privately. First of all, identity is core to any of these initiatives like cloud computing and SaaS or Enterprise 2.0 or Web 2.0 – even while many people haven’t understood the impact of identity yet. How will you ever fulfill compliance requirements in an IT infrastructure which consists of multiple SaaS services provided by different companies as well as some still existing internal IT services? How is allowed to do what in that environment? Just think about SoD controls across multiple SaaS services… How do we control the way our employees act in the Internet, still representing our company? What about consistency and reliability there? How about the integration of Web 2.0 services into the enterprise, for corporate use – that what sometimes is called Enterprise 2.0 (I use this term here even while most of the 2.0-terms are just ridiculous)?

It is interesting to observe that there are some initiatives and products trying to address at least some of the problems. Vendors start providing strong authentication as a service, sometimes focused on authenticating to SaaS. Social networks start to open up, even while there is a lack of standards. Information cards might become virtual corporate business cards.

Thus, we have some standards (like OpenID, Information Cards and the underlying federation standards, XACML,…), some IaaS services (mainly for authentication and federation and some provisioning), and some proprietary approaches for exchanging information from social networks. Many areas like policy management and auditing aren’t covered yet. And in the area of social networks, there should be one standard, which might make use of Information Cards instead of some vendor implementations. From my perspective, we are still at the very beginning of the IaaS market. We will need to create more standards and implement more use cases. There is a lot of room for vendors and service providers.

From a corporate perspective, we will observe approaches where companies fully rely on IaaS, putting everything into the cloud. There will be companies which use just some cloud services, like federation or strong authentication. And there will be companies which still mainly rely on their own IAM and GRC infrastructure, with the need to integrate that with cloud services they use.

Today, you can’t fully rely on IaaS but enhance your IAM and GRC infrastructure with some very interesting solutions to become more flexible in your move to cloud computing. But you definitely should analyze which opportunities IaaS provides – and how to do IAM and GRC for cloud computing, Enterprise 2.0, Web 2.0 and all these other initiatives.

Not to forget: I’d like to once again ask for your participation in our current surveys. Thanks!

Recently, I had several discussions around terms like Access Management, Authorization, and Entitlements. And I thought about what is in the center – is it the identity or is it access management? Some weeks ago I mentioned in my blog that Hassan Maad, COO of Evidian, has stated that, from his experience, customers understand access while they have difficulties with the term identity. And when I go back some two years, there has been an intensive discussion of the so called “Identity Gang” about the term “identity”.

In fact, the management of access is the core business requirement. That is about authorizing access, it is about being entitled to do something. Thus, access management, authorization management, and entitlement management are terms which are used in the same context, with slight differences between them.

But: It is not only about allowing access, or authorization, or entitling. The questions are: WHO is granted access?  WHO is authorized to do something? WHO has which entitlements? There is always the “who”, the identity. With other words: These concepts are tightly coupled together. Authentication (proving the who) and Authorization (granting or denying access) can’t be separated. Which, by the way, becomes obvious when looking at the concept of federation.

And there are several other import aspects of the identity, including the approach of understanding core business objects as identities (and vice versa).

However, the concept of the identity is more theoretical and more complex than access, authorization, entitlements. Thus, it might be better to talk about “Identity and Access Management” instead of “Identity Management” – especially, because there are some technologies which are more related to identities and others more to access. At least until someone creates a better term which is understood by everyone and which replaces “Identity and Access Management”. GRC isn’t that term. But maybe someone has a good idea!?

Some weeks ago Evidian, one of the European vendors in the Identity Management market, has announced that they are in the lead of an European research program for multi-domain policy management. The program called MULTIPOL is part of ITEA 2 (Information Technology for European Advancement), a set of EU-sponsored initiatives in the IT space.

The focus of MULTIPOL is mainly around multi-domain authorization, e.g. controlling access according to different security policies from different domains. The reason why: There is no internal network with a strong perimeter any more. Networks are becoming increasingly open. While authentication has been solved by approaches like Federation, the handling of policies for access control and thus authorization is still an issue.

We will observe this initiative, with Evidian as lead and ten other major European IT companies as participants. Policy Management beyond the border of one system is still amongst the things which have to be solved.

Some years ago I’ve written an article on policy management, stating that companies aren’t solving the problem but just are moving it to the next level. That was when more and more vendors told me the stories about their policy management capabilities they had built into their products. Usually they’ve built one policy management per product. So, instead of 100 products without policies there were 100 with policies. Different, incompatible ones.

The approach of Evidian is one interesting approach besides others like the idea of claims-based authentication and authorization Microsoft/Kim Cameron have published. Given that Evidian has a long experience especially around managing access, there might be some valuable outcome from this project – despite the fact that it is a EU-sponsored project.

At EIC 2008 I’ve presented our view on the relationship of GRC and IAM as well as our definition of the GRC market, the core results of our GRC market report 2008. Basically, the generic GRC tools we see emerging in the market are becoming more and more the business layer above the classical core IAM tools, e.g. provisioning, self service and some other feature areas.

I’ve been talking with a lot of users within the last few weeks. And what I’ve learned has proven that statement. The most important driver for IAM projects today is the need for defined, auditable processes around user and authorization lifecycle management. And that is about Governance, Risk Management, and Compliance.

To fulfill these requirements, you need a strong IAM foundation. But without a level above for a business-controlled authorization management, for layered attestation from the system up to the business level, for the management of business roles and for a business-centric auditing that won’t fulfill the needs.

Given this it is no surprise that several vendors either integrate more and more of these features in their IAM products, some of them on a high level (Völcker), while others have acquired specialized vendors in both areas (Oracle, SAP, Sun).

Today it is not necessary to buy the IAM and the GRC products from the same vendor, especially because the GRC solutions are in their early stage. And due to the fact that IAM tools always will focus more on the IT level whilst GRC focuses on the business level I’m not sure whether they shall be really integrated. But one thing is sure: You will need both levels of tools to fully support the business requirements which are driving IAM today.

These days I have had a briefing with John De Santis, Chairman and CEO of TriCipher, about the new myOneLogin service. This service provides strong authentication and Single Sign-On for SaaS applications, supporting many SaaS apps as well as features like SAML-based federation to the few SaaS providers which are already at that level.

One of the things John mentioned was that Salesforce.com has allowed Google to be the authoritative source of identity assertion. In that relationship, Google is acting as identity provider. Besides the question whether Google is the best choice to trust on that leads to another question: There is no established identity provider in the so called “cloud” [By the way: Has the term "cloud" been chosen because everything out there is a bit "cloudy" in the sense of "fuzzy"?].

Read the rest of this entry »

Yes, I know – it is a little redundant talking about “corporate” and “business” in the context of virtual cards. But it is one of the most obvious, interesting and feasible business cases around Identity 2.0.

What do I mean by that term? My idea is about applying the ideas of Identity 2.0 and especially of InfoCard to the business. Provide every employee with an InfoCard or even some of them and you are better suited to solve many of today’s open issues.

How to issue these cards

I have this in mind for a pretty long time. I remember that I had asked Don Schmidt from Microsoft about the interface between Active Directory and CardSpace some time before EIC 2007. Active Directory might be one source of these cards. Just provide an interface between AD and an Identity Provider for InfoCards and you are able to issue and manage these cards based on information which still exits in the Active Directory. For sure, any other corporate directory or meta directory might work as well.

Today these technical interfaces are still missing, at least in an easy-to-use implementations. But it won’t take that long until we will see them. Thus, it is time to start thinking about the use cases.

How to use these cards

There are at least three types of cards I have in mind:

• Virtual business cards: They are used when someone represents his company. How do you ensure today that every employee provides current and correct information when he registers with other web sites? How do you ensure that he acts in the web like you expect him to do? How do you ensure that he enters the correct title or the correct information about the size of your business when registering? InfoCards are the counterpart to your paper-based business cards today, but they can contain more information. And there might be different ones for different purposes.
• Virtual corporate cards: They are used for B2B transactions and interactions. Add information like business roles to the cards and you can provide all these claims or assertions which are required for B2B business. These cards can be an important element in Federation, providing current information on the role of an employee or other data required. For sure there can be as well several cards, depending on the details which are required for interaction with different types of business partners.
• Virtual employee cards: They are used internally, for example to identify users in business processes. Again, there might be a lot of information on them, like current business roles. You might use them as well to improve internal order processes, identifying the users who request new PCs, paper, or what ever else.

With these three types I might even have to extend the name for the cards, I assume. But I will stick with the term I have in the title of this post. The interesting aspect is the flexibility which (managed) InfoCards provide and the ability to manage them in context with a leading directory you have.

Due to the fact that you are the Identity Provider when applying these concepts you can ensure that no one uses these cards after leaving the company. You can ensure as well that the data is always up-to-date. That’s by far easier than with some of today’s equivalents for these future type of cards.

I will blog these days about two other ideas I have in mind in this context: The way the concept of claims Microsoft’s Kim Cameron is evangelizing will affect end-to-end security in business processes and SOA applications in general and the idea of using InfoCards for all these personalization and profiling ideas which have been discussed many years ago. I’m convinced that Identity 2.0 concepts like InfoCards and claims are a key element to solve these threats and bring these things to live.

There is a lot of business value in these concepts. And they will affect the way businesses cooperate, because they are much easier to implement and use than many other approaches.

Today, provisioning is the core element of Identity Management. Most of the products which are usually named “Identity Manager” are built around provisioning, with more or less additional features. But will that be still the case some three years from now? There are several trends which will influence provisioning significantly. The most important ones are

• Reuse of existing IT infrastructure components
• Business Role Management
• Enterprise Information Management

These trends will influence the market. One important area is the reuse of existing IT infrastructure components. There are clear advantages of using a standard workflow and business process management instead of proprietary implementations in provisioning products. For example processes can be better managed, integrated with existing supply chains and easily transferred to other systems.

Read the rest of this entry »

In a, may be, simplistic view on IT there are three important pillars on the IT infrastructure level. Using the – sometimes improper – buzzwords, these are

• Identity (and Access) Management (IAM)
• SOA - in fact more the technologies for business processes and flexible applications, e.g. including BPM (Business Process Management)
• BSM (Business Service Management), or ITSM (IT Service Management), or BTO (Business Technology Optimization), or however you will name what has been systems management and now, with a new layer on top, is something “entirely new”. I would say it claims to be something new but the layer on top is far from being mature.

You might claim that the Enterprise Systems are missing in that list. Yes, they are missing. No, they are in, because SOA or BPM are the way to use these systems in the future – have a look on the strategies of SAP with NetWeaver or Oracle with Fusion.

Read the rest of this entry »

One trend observed is that the so called “Identity Managers”, e.g. the provisioning products, are constantly growing in functionality – and complexity. This isn’t surprising. There is strong competition between vendors and thus many vendors try to add all the functions which are offered by other vendors. The customers as well expect very complete products. But there are two things which should let us think about this strategy:

1. The increasing complexity: Thus it really make sense to create more and more complex products?
2. The still existing weaknesses: In many areas there are better solutions available as separate products than are implemented in most or all provisioning products. Have a look at business role management, GRC (Governance, Risk Management, Compliance) functionality, or workflows.

Besides this, there is not just one user group which has to deal with identity management. There are departmental managers which have to do some attestation and to invoke workflows. There are the persons which act as interface between IT and the rest of the organization which, for example, have to deal with the translation of business roles into system roles. There are technical administrators of the connected systems. With other words: There are several levels within the organization which have to be adressed – and there are several technical layers.

I personally don’t believe that more and more complex provisioning products are the best answer for the customer’s requirements. In contrast, a modular approach with defined interfaces and defined responsibilities would suit much better in most cases, especially in the larger companies. For smaller companies, a one-stop-solution might be appropriate. But in that case it has to be one which is pre-configured and easy to use, something which isn’t delivered today.

My expectation is that the market will change, with vendors who offer modular solutions (or just some modules) in a service-oriented architecture and others, who focus on the midsize market with integrated products. But todays approach to put more and more functionality (business role management, auditing,…) into a technical product will fail. Like yesterdays “Enterprise Systems Management Frameworks” have failed.

I’ve observed an increase in discussion around data leakage prevention – finally. This discussion is overdue, given the fact that data leaks are common in most corporations. Internal documents, eMails, blueprints aren’t under control in most cases.

The need for data leakage prevention automatically leads to two topics: Information Rights Management (IRM) and Identity and Access Management (IAM). Both are tightly coupled. Identity Management is about managing the identities. Access Management is about controlling access, but mainly to defined “information silos”. Information Rights Management is about controlling access to information in the flow. But, in fact, IRM is nothing else than a specific for of Access Management – isn’t it?

If you look at Microsoft’s advances in IRM with Windows Server 2008, the central role Identity Management has for IRM becomes obvious. The most important improvement is the integration of Identity Federation and IRM, with the result of Federated Rights Management Services. This isn’t surprising, because IRM requires the knowledge of the users, groups, and roles which shall have access to information. That is easy within an enterprise, but it becomes a quite complex issue in the communication with more or less tightly coupled business partners. Federation is the obvious answer to this.

Thus, IAM and IRM will grow together over time, with IRM as a specific application of IAM. Companies which face the data leakage problem – virtually every company – have to define their strategy for IRM in the context of IAM. This context is necessary because IRM requires reliable identity information and because IRM is just another form of Access Management. And a major topic at our European Identity Conference.

The good news is that this dependency is seen by some vendors as well. The bad news for Data Leakage Prevention is that there are neither standards nor implementation which will cover the entire breadth of (electronic) corporate information, e.g. from Microsoft Word to CATIA to Lotus Notes. But the growing demand for solutions might change this over the next two or three years.