Yes, I know – Information Cards (or Infocards) and their incarnation in Microsoft Windows CardSpace have been around for a while. But it was mainly the inner circle of Identity Management (and especially of user-centric Identity Management) who was really aware of this. With the recent announcement of the Information Card Foundation (ICF), Microsoft and others are trying to improve the visibility of Information Cards as a core element of Identity Management in the so called cloud.

There has been some discussion around the announcement in blogs and forums in the Internet. One of the most interesting aspects discussed is the necessity to educate the broader public about the concepts and value of Information Cards and the entire “Identity Management for the cloud” (aka user-centric Identity Management, aka Identity 2.0). That must be a main target of ICF, but as well of all the other players in this emerging market.

First of all, I’m convinced that Information Cards as well as OpenID will become central standards in the Internet and for Identity Management. Given that at least OpenID isn’t that far away from reaching the critical mass and that Microsoft Vista adoption (which makes it easier to use CardSpace) is happening pretty fast, as well as some important Open Source initiatives working on these topics, that might happen earlier than most expect today.

Nevertheless it is important to explain the concepts for everyone – and to address the privacy and security concerns many will have. There are so many things which can be done using these technologies, from Single Sign-On and Profile Management in the web up to Corporate Business Cards. But they require an accepted concept.

Thus, the idea of ICF is great, when it goes beyond technical discussions around use cases and implementations issues and really focuses on education as well. On the other hand the member list of ICF proves that there is strong interest and support in the industry for Information Cards. You can bet that no one is in there who doesn’t expect that the use of Information Cards won’t support his business – otherwise they wouldn’t invest time and money into ICF.

ICF is a great thing from my perspective. It will drive Information Cards forward – and thus the Identity Management for the cloud.

Context-based authentication and authorization is one of the topics which have the potenzial to become the next hype. I’ve posted twice on this subject, here and here and we had, led by Dave Kearns, a lot of discussions around this at our EIC 2008. I’m convinced that the topic will become even more important at next year’s EIC.

Besides the ones which are obvious players in that future market segment like the risk-based authentication vendors (Arcot, Entrust, Oracle, RSA and some others) there are some other categories of vendors which offer even today at least some context-based authentication and authorization. One of them is Citrix. Given the number of installations of the Citrix Access Gateway they might even be sort of the leader in that market.

You might argue: A SSL Gateway is not a solution for context-based authentication and authorization. Yes - and no. No because a SSL Gateway without additional components is just a SSL Gateway. Yes, if you combine a Citrix Access Gateway with other things. At an Citrix Analyst Briefing yesterday, a Swiss bank talked about their approach for controlling access of remote workers. They use the Citrix Access Gateway together with many other Citrix technologies and with a NAP (Network Access Protection) tool from EPA factory.

Read the rest of this entry »

These days I’ve read some entries in the Beteo blog, a blog provided by a swiss software and consulting company which is somewhere in between SOA and BSM - or BTO, the term they tend to use due to some affinity to HP. The interesting thing is that Beteo not only claims but proves that Service Management principles and tools which are commonly used more in the IT Infrastructure Management can be applied to the field of Software Change Management as well. Beteo, a company I’m in contact with since they’ve been founded (and I have been in contact even with their predecessor), uses this concept with success especially in SAP environments.

That leads to the obvious conclusion: There should be a much more common service understanding. There should be one BSM approach on the upper layer. BSM, as real business service management, should really address the business aspects like

• Defining services from a business point of view - like “manage a contract” including storage, access rights,…
• Mapping these business services to IT services
• Manage these services from a business perspective, e.g. accounting, controlling (do we need these services really?),…

The next layer are IT services, e.g. the more technical services IT provides to deliver a business service. These services can be managed with ITIL principles and - at least to some degree - with today’s so called BSM tools.

Whether the mapping of IT services to the IT implementations of business processes is part of the IT service layer or the business service layer is a matter of definition. I tend to place the description of business process at the business service layer and the implementation of business processes in IT - and thus, the relationship of these processes with IT services - at the IT services layer.

Anyhow, there is a layer below for the different types of IT services. Today, BSM focuses mainly on IT infrastructure services and provides mainly an ITISM (IT Infrastructure Service Management) - and not an ITSM (IT Service Management) or a real BSM (Business Service Management).

Besides the IT Infrastructure Services we have IT Application Services. These services tend to be more granular, down to web services and so on.

But regardless of the service you talk about: Each service can be managed with the same principles - and ITIL (and ISO 20000) is a good point to start if you focus on the principles for managing services. You can define, implement, run, optimize any type of service. Whether you look on high level business services or on low level application services, the way you should handle services is, from a conceptual view, the same. The business aspects like service accounting and controlling can be applied as well on every level.

Given that, a unified view on services and their management would bring a lot of benefits to IT - the reuse of management software, improvements in that software when the experiences of infrastructure and software change management are combined and influence the tools, the capability for an overall auditing and accounting of services, a consistent authorization management for services, their management and their use.

But that would mean that the siloes at the vendor side (where software management is in most cases another division than infrastructure management) disappear as well as the siloes in today’s IT organizations are opened for more cooperation.

At EIC 2008 I’ve presented our view on the relationship of GRC and IAM as well as our definition of the GRC market, the core results of our GRC market report 2008. Basically, the generic GRC tools we see emerging in the market are becoming more and more the business layer above the classical core IAM tools, e.g. provisioning, self service and some other feature areas.

I’ve been talking with a lot of users within the last few weeks. And what I’ve learned has proven that statement. The most important driver for IAM projects today is the need for defined, auditable processes around user and authorization lifecycle management. And that is about Governance, Risk Management, and Compliance.

To fulfill these requirements, you need a strong IAM foundation. But without a level above for a business-controlled authorization management, for layered attestation from the system up to the business level, for the management of business roles and for a business-centric auditing that won’t fulfill the needs.

Given this it is no surprise that several vendors either integrate more and more of these features in their IAM products, some of them on a high level (Völcker), while others have acquired specialized vendors in both areas (Oracle, SAP, Sun).

Today it is not necessary to buy the IAM and the GRC products from the same vendor, especially because the GRC solutions are in their early stage. And due to the fact that IAM tools always will focus more on the IT level whilst GRC focuses on the business level I’m not sure whether they shall be really integrated. But one thing is sure: You will need both levels of tools to fully support the business requirements which are driving IAM today.

SaaS is becoming more and more popular, especially in the US. In Europe the growth is much slower, but that is no surprise – Europe is usually some 12 to 36 months behind the US in adopting new technologies.

But there is one thing to be considered regarding SaaS – most of the SaaS offerings are more or less unmanageable. The interfaces for identity management, event management and logging and other necessary functionalities are missing. Defined APIs for controlling and integrating the SaaS applications into the existing own IT infrastructure are missing in most cases – or they are so weak that they aren’t useful.

Even more, it is virtually impossible to get the own data back in an useful format. SaaS vendors seem to consider that every information which someone stores in their SaaS application is their data – but it is the data of the SaaS customer. This is some form of aggressive lock-in.

How weak the APIs of SaaS providers are today is visible when you look at approaches like myOneLogin (which is very interesting) – only three of roundabout 60 supported SaaS applications support federation. And virtually none supports an efficient approach for provisioning users from your own directories to the SaaS application. Or have you ever asked your SaaS provider about SPML (Service Provisioning Markup Language) support? The answer probably has been something like “SPML what???”.

The missing support for standards or at least a comprehensive set of APIs for accessing, integrating and managing SaaS is, from my perspective, the biggest risk for SaaS. At some point of time the customers will ask for these features. The vendors which still believe that the world ends at their own perimeter and who claim that every data which someone enters into their SaaS application belongs to them will be shaken out of the market.  For good reason.

Information Rights Management (IRM) is one of these technologies which isn’t really successful until now, even while it is discussed and available for a pretty long time. IRM is about protecting the information directly, through signatures, encryption and a direct assignment of rights. These rights describe who is allowed to do what with that piece of information.

There are some reasons why IRM isn’t adopted widespread today. One is the complexity of the concepts. Without understanding PKIs and Public Key encryption it is impossible to really understand IRM. Another reason are the somewhat limited implementations. Most of them are fine for a limited set of applications and environments. Microsoft’s Windows Rights Management Services are great for Windows and Office. They even work in a B2B environment with some trust between the partners. But they are mainly for Microsoft apps. How about CAD and blueprints? How about the other office apps? And all the other types of documents, starting from XML documents, which are sent and stored? There are some other solutions, but most of them are either from pretty small vendors or very limited in scope.

But the most important reason is, in my opinion, that the relevance of Information Rights Management isn’t fully understood. Even when I talk with IAM responsible, IRM seems to be amongst the best hidden secrets. But access control which is limited to data in a silo like a file server or a document management system isn’t sufficient. Data is read and used by users, attached to mails, transferred via FTP – the perfect way to bypass most security concepts [I had a very interesting conversation with Taher Elgamal from Tumbleweed some days ago – Taher has been responsible for “inventing” SSL at Netscape, and it is definitely worth to have a look at Tumbleweed’s approaches to minimize FTP risk] and so on.

But if you look on it the other way round, everything is fine. IRM works as well for data which is stored in silos. With other words: If you use IRM for any type of information there is no necessity anymore for the classical access control approaches. The best way to protect information is to do it directly at the level of the information – and not at the level of one of these many systems which might change, transport or store the information. Given that, it is really time for an industry-wide initiative for IRM standards which work on every platform and with every type of information and every application.

Some time ago, as a result of some of the fundamental reorganizations Siemens had to do within the last two years ago, the department responsible for the DirX solutions has been moved into the healthcare unit of Siemens. That was a somewhat unusual place for an identity management product unit. Now, Siemens is reorganizing again. Besides three core areas (Industry, Healthcare, Energy) there will be several cross-sector activities. One of these is Siemens IT Solutions and Services.

Within the Siemens IT Solutions and Services (SIS) there will be a unit “Identity Management and Biometrics” in which Siemens bundles its DirX and Biometrics activities.SIS will offer complete solutions including Smartcards, PKIs and security consulting around the products of this unit. Besides this the unit will work with VARs and plans to enlarge its set of partners beyond Siemens Enterprise Communications and some few other partners they currently have. There are also plans to extend the IAM portfolio through partnerships.

Even while we have to wait how well the new structure works, how successful SIS is in selling IAM projects up to a complete outsourcing and how the partner landscape around DirX will change – Siemens is now in an obviously much better position again. The new organizational structure is by far more logical than the placement in the healthcare department has ever been. We will observe how the new structure works in reality. But Siemens should be considered as a strong vendor again, even if you might haven’t done this for some time.

These days I have had a briefing with John De Santis, Chairman and CEO of TriCipher, about the new myOneLogin service. This service provides strong authentication and Single Sign-On for SaaS applications, supporting many SaaS apps as well as features like SAML-based federation to the few SaaS providers which are already at that level.

One of the things John mentioned was that Salesforce.com has allowed Google to be the authoritative source of identity assertion. In that relationship, Google is acting as identity provider. Besides the question whether Google is the best choice to trust on that leads to another question: There is no established identity provider in the so called “cloud” [By the way: Has the term "cloud" been chosen because everything out there is a bit "cloudy" in the sense of "fuzzy"?].

Read the rest of this entry »

Key Risk Indicators (KRIs) are metrics for Risk. Most of the metrics discussed today focus on either pure business aspects or, with IT and Identity Risk Management, on technical aspects. How long does it take to provision accounts in different systems? How many orphaned accounts do you have in different directories? …

But: There is another layer of KRIs which has to be monitored. For example: How long does it take until an organizational change is known to the provisioning system? The provisioning process might be extremly fast - if it isn’t started, it is still far too slow.

Thus, I propose to define four layers of KRIs:

• Business KRIs
• Business-IT KRIs which measure the interaction of Business and IT
• High level IT KRIs like the orphaned accounts or the performance of provisioning processes
• System level IT KRIs for specific aspects of the single systems

That maps perfectly to my three layer view of Identity Management, with the GRC layer (Business to IT), the provisioning layer (High level IT), and the system level. KRIs on different levels can be combined for a complete view on risks. That is inevitable because, like mentioned above, there might be a low risk on one level but the overall risk might be still high.

In general, using KRIs is an interesting approach not only to know about risks but to measure and improve your organization - and not only IT.

I have a personal history in the areas of personalization and profiling. And there might be some good chance for these ideas to become reality now - in the context of Infocards and to the sake of VRM (Vendor Relationship Management).

The threat in personalization and profiling is to know what the person really wants (personalization) or is/has (profiling). The one who knows best is the person itself.

(Managed) infocards can transport virtually everything. They might provide profile information for personalization. A trusted identity provider might offer a service which stores profile information it retrieves from the users and provides it in a controlled way (the basic idea of user-centrism) to web sites which shall provide a personalized experience to the user.

Bring in things like U-prove and that site doesn’t need to know the exact data but can “ask” the Identity Provider about relevant aspects and retrieve a yes/no decision. For sure the service provider/relying party in that equation will know some things but the amount of this knowledge can be limited - and thus privacy can be maximized.

I’m convinced that there is a business model for Identity Providers. Users might pay for a trustworthy handling of privacy information. Relying parties might pay for the ability to personalize information. There might also be approaches where the service is for free but the privacy is limited - the relying party might pay more if she learns more about the user. Both approaches might work.

VRM fits perfectly into this. It is the use of these approaches for vendor relationships, providing information for buying decisions via Infocards. For me, VRM, infocards and technologies like U-Prove are the pieces of a puzzle which, when ready, shows personalization and profiling as the picture.