<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0"> 
	<channel> 
		<title>Blogs - Kuppinger Cole + Partner</title> 
		<link>http://blogs.kuppingercole.com</link> 
		<description>Blogs - Kuppinger Cole + Partner</description> 
				<item> 
			<pubDate>Sun, 24 Aug 2008 17:30:16 +0200</pubDate>
			<title>One approach for policy management</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2008/08/24/one-approach-for-policy-management/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2008/08/24/one-approach-for-policy-management/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>Some weeks ago Evidian, one of the European vendors in the Identity Management market, announced that it is leading a European research program for multi-domain policy management. The program, called MULTIPOL, is part of ITEA 2 (Information Technology for European Advancement), a set of EU-sponsored initiatives in the IT space.</p>
<p>The focus of MULTIPOL is mainly on multi-domain authorization, i.e. controlling access according to different security policies from different domains. The reason: there is no longer an internal network with a strong perimeter. Networks are becoming increasingly open. While authentication has been solved by approaches like Federation, the handling of policies for access control, and thus authorization, is still an issue.</p>
<p>We will observe this initiative, with Evidian as lead and ten other major European IT companies as participants. Policy Management beyond the border of one system is still amongst the things which have to be solved.</p>
<p>Some years ago I&#8217;ve written an article on policy management, stating that companies aren&#8217;t solving the problem but are just moving it to the next level. That was when more and more vendors were telling me stories about the policy management capabilities they had built into their products. Usually they&#8217;ve built one policy management per product. So, instead of 100 products without policies there were 100 with policies. Different, incompatible ones.</p>
<p>The approach of Evidian is one interesting approach besides others, like the idea of claims-based authentication and authorization Microsoft/Kim Cameron have published. Given that Evidian has long experience, especially around managing access, there might be some valuable outcome from this project - despite the fact that it is an EU-sponsored project.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Fri, 15 Aug 2008 07:59:44 +0200</pubDate>
			<title>The language of the customer</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2008/08/15/the-language-of-the-customer/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2008/08/15/the-language-of-the-customer/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>This morning I was working on some slides for a sales training I will do for a vendor these days. When clicking through my slides I found an older slide I had used for the first time some three years ago. It was about the sometimes different understanding customers and vendors might have of the same terms - or the missing understanding of terms by the customers. Terms like Meta Directory, Federation, Virtual Directory, Reconciliation, and so on.</p>
<p>In this context, I recall a conversation I had some weeks ago with Hassan Maad, COO of Evidian (one of the definitely underestimated vendors in the market). He said that from his experience the term &#8220;access&#8221; is much more meaningful to the customer than &#8220;identity&#8221;. He is right - everyone can imagine what we are talking about when we talk about &#8220;access&#8221;. &#8220;Identity&#8221;, on the other hand, is a more fuzzy term.</p>
<p>Another recent experience was about the way vendors are selling their tools. In a current strategic consulting project, I had a discussion with the customer about the evaluation of tools. The customer had had several sales presentations from different vendors. When comparing the customer&#8217;s rating of the vendors with our view, there were in some two cases really big differences. The reason for this: the sales people had used their common, typical terms, didn&#8217;t focus on the needs of the customer and, in one case, focused on an architectural approach which the vendor has significantly changed over the last two or three years. Looks like the sales guys once learned some USPs (unique selling propositions) which appeared to be &#8220;unique&#8221;, but not necessarily &#8220;selling&#8221;. While the vendor adapted its product, the sales guys are still using these old Non-USPs instead of telling the new story.</p>
<p>There is something common within these observations: in every case it is about hitting or missing the expectations of the customer. It is very easy to lose by using terms which the customer either doesn&#8217;t understand or misinterprets. It is as well very easy to lose pitches by telling the wrong story, either an ancient one or one that misses the expectations of the customer.</p>
<p>Thus, it might be a good idea for the entire industry to rethink their wording. Take &#8220;reconciliation&#8221; - not that easy to understand, especially for people whose native language isn&#8217;t English. Or &#8220;entitlement management&#8221;: I&#8217;ve never met anyone who understood that without further explanation. Not that bad for us analysts, because explaining things is part of our business.</p>
<p>And, if your job is about selling Identity and Access Management or GRC (Governance, Risk Management, Compliance), it is always a good idea to first think about the &#8220;customer customer&#8221; (whom are you talking with - and which are his obvious business needs?), the industry (not every industry has the same requirements), and to talk about the requirements of the customer first before talking about your solution. Listen, then talk. And talk in a language everyone can understand - or shortly explain the specific terms you can&#8217;t avoid.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 14 Aug 2008 10:26:48 +0200</pubDate>
			<title>Martin Kuppinger: Think beyond the silo</title> 
			<link>http://www.kuppingercole.com/articles/mk_silo_140808</link> 
			<guid>http://www.kuppingercole.com/articles/mk_silo_140808</guid> 
			<description><![CDATA[ In <a href="http://www.kuppingercole.com">Kuppinger Cole + Partner</a><br><br> ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 14 Aug 2008 10:21:31 +0200</pubDate>
			<title>Martin Kuppinger: Federation: The actual challenges become visible</title> 
			<link>http://www.kuppingercole.com/articles/mk_fed_140808</link> 
			<guid>http://www.kuppingercole.com/articles/mk_fed_140808</guid> 
			<description><![CDATA[ In <a href="http://www.kuppingercole.com">Kuppinger Cole + Partner</a><br><br> ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 12 Aug 2008 11:54:37 +0200</pubDate>
			<title>MARTIN KUPPINGER: GRC - one needs it</title> 
			<link>http://www.kuppingercole.com/articles/mk_grc_120808</link> 
			<guid>http://www.kuppingercole.com/articles/mk_grc_120808</guid> 
			<description><![CDATA[ In <a href="http://www.kuppingercole.com">Kuppinger Cole + Partner</a><br><br> ]]></description>
		</item>
				<item> 
			<pubDate>Wed, 06 Aug 2008 13:00:44 +0200</pubDate>
			<title>HP, Novell, Oracle,…</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2008/08/06/hp-novell-oracle/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2008/08/06/hp-novell-oracle/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>Some time ago HP decided to <a title="Will HP ever understand software business?" href="http://blogs.kuppingercole.com/kuppinger/2008/02/22/hp-will-they-ever-understand-software-business/" target="_blank">stop the further development</a> and sales of their IAM products, even though they will continue to support existing customers. Since then, Novell has announced an agreement with HP with a special cross-upgrade offer. And, since then, there are a lot of rumours about other partnerships in the market. What is the reason for this?</p>
<p>To understand this, one first has to understand the structures of HP. HP is a pretty big and diversified company. There is the consumer business, there are printers. In the enterprise IT area, we still have three different divisions:</p>
<ul>
<li>Software (by far the smallest division)</li>
<li>Hardware</li>
<li>Services (consulting, integration,&#8230;)</li>
</ul>
<p>These divisions have different strategies. And they have different partner strategies. The agreement between Novell and HP is from the software division. The services division, depending also on the region, sometimes has a different view. Thus, none of the partnership announcements of HP around IAM should be overestimated.</p>
<p>From my perspective, it is much more important for existing HP customers to rethink the IAM strategy. Will you use HP software - and until when? And what is your vision, your strategy, your operational requirements for IAM? Thus - which way will you go? Which software vendor fits best? Which integrators suit your targets best? Given the fact that IAM becomes more and more business driven, integrated into the GRC and/or BSM context, you should first redefine and update your IAM strategy and afterwards select the best vendors and partners for you. That might be Novell, Oracle, or someone else.</p>
<p>And you can bet that your IAM strategy has to be updated compared to what you had in mind some years ago when deciding for the HP solution - because there has been a lot of progress in IAM since then.</p>
<p>The costs of software licenses are a small percentage of the overall costs of IAM projects. Thus, these costs have to be considered but aren&#8217;t the main criterion for a decision. The main criterion is that what you&#8217;re doing there fits your IT strategy and is aligned to the business requirements.</p>
<p>One thing to add: HP isn&#8217;t out of IAM - at least not the services division. Again - there are several divisions at HP doing their own thing, and HP still provides and will continue to provide services for IAM, based on software of other vendors.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Wed, 06 Aug 2008 12:25:42 +0200</pubDate>
			<title>BMC again…</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2008/08/06/bmc-again/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2008/08/06/bmc-again/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>My colleague Felix Gaehtgens has recently <a title="Felix Gaehtgens on BMC" href="http://blogs.kuppingercole.com/gaehtgens/2008/05/25/bmc-drops-traditional-identity-management-focuses-on-business-service-automation/" target="_blank">blogged</a> about his discussion with Tom Bishop, CTO at BMC, about the BMC strategy for IAM. His findings are very consistent with the <a title="Tom Bishop on IAM" href="http://talk.bmc.com/blogs/blog-bishop/cto/what-does-an-elephant-have-to-do-with-identity-and-access-management" target="_blank">blog of Tom Bishop</a> which was published some weeks later and appears to be some indirect response to Felix.</p>
<p>It is obvious that many BMC customers are insecure about BMC&#8217;s strategy for IAM. There have been several changes, both in BMC&#8217;s organization and in the way BMC is addressing this market. BMC has moved the development of the IAM functionality to India, where they are also developing other major parts of their products. Some people from the IAM team - from the product as well as the sales/marketing side - in North America and EMEA have left BMC, including Jeff Bohren, one of the guys behind SPML. Even while BMC states that there are more people involved in IAM activities than before, there are still some open questions left.</p>
<p>BMC&#8217;s explanation on this is that they have been re-focusing their IAM strategy, positioning IAM as part of their BSM strategy. Within this, they are focusing on access (control) and provisioning. In other words: topics like Web Access Management, Identity Federation, Virtual Directory Services and so on aren&#8217;t in the scope of BMC any more. BMC doesn&#8217;t see, to quote them on this, &#8220;a necessity for diving deeper into this&#8221;.</p>
<p>Thus, there will be a successor to Control-SA which will be part of the BSM offering, while still being sold separately. There is a clear statement that for features beyond the core provisioning the full BSM platform of BMC will be required in the future. BMC is focusing on the integration of IAM in that platform. Thus, the admin console&#8217;s interface is being re-written and standard functionalities will be provided more and more by the BSM platform. There will be several enhancements in the next release, especially around user self-services, which fits in this picture with IAM built around the service desk.</p>
<p>Without telling everything which will be in our upcoming vendor report on BMC (with IAM focus, an overall vendor report following later this year), there are some obvious strengths as well as shortcomings with this approach.</p>
<p>Like Felix has pointed out, BMC won&#8217;t become a full service vendor in the IAM market. The optimal use of BMC&#8217;s IAM offerings will require the full BSM platform with the CMDB, service desk and so on. Persons, roles, and entitlements will be managed starting at the CMDB level. However, BMC seems not to be fully convinced of this strategy - they&#8217;ve mentioned that they are still looking at how customers are accepting this. Control-SA customers can use the basic features but there will be a new layer on top for managing processes. So even while BMC claims that provisioning can be used without other features (of additional BMC products), that will be a pretty limited form of provisioning, especially when comparing it with the features offered by leading provisioning products in the market which go well beyond core provisioning.</p>
<p>On the other hand BMC is still investing in its IAM products - that&#8217;s the good news. BMC seems to be even more interested and active in IAM than before. And there are obvious advantages of integrating IAM with BSM. A huge number of Service Desk tickets is IAM related, around passwords, user and access management.</p>
<p>But first of all, BSM (Business Service Management) is not only a CMDB and a Service Desk but a concept which goes well beyond this.</p>
<p>And even when you follow BMC&#8217;s arguments: there are not only internal users. How about the partners and the customers? How do they fit into this picture? Especially when federation is not on the list of topics. I don&#8217;t know the answer. Interestingly, I had a discussion with several CISOs of leading European companies and one of the biggest threats they are facing is around the on- and off-boarding of companies (partners, acquisitions,&#8230;) as well as persons.</p>
<p>Besides this, I believe in a model where IAM is more a sort of parallel pillar of the entire IT strategy and environment next to BSM than a subset of BSM - while Service Desks and CMDBs are a subset of BSM&#8230;</p>
<p>My advice is: have a look at what BMC is doing. They are investing in IAM again - the good news. And, for Remedy and Atrium customers: they will provide integration of IAM into the BSM approach of BMC. On the other hand that implies a growing dependency of IAM features on the BSM infrastructure, something you have to be aware of. And, in any case: define your BSM strategy as a BSM strategy (and not a CMDB or ITIL or ITSM or Service Desk strategy) first, just as you should define your IAM strategy with focus on all identities (e.g. also external identities), the new threats of using and managing cloud services, of user-centric approaches and so on. Do it in the context of GRC and SOA security. Then you can decide on which products from which vendor you should use.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 31 Jul 2008 14:47:55 +0200</pubDate>
			<title>GRC isn’t dead</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2008/07/31/grc-isnt-dead/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2008/07/31/grc-isnt-dead/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>Today I&#8217;ve seen a <a title="GRC is dead" href="http://securosis.com/2008/05/13/grc-is-dead" target="_blank">blog entry</a> which claimed that GRC is dead. That reminded me of the closing keynote of our <a title="European Identity Conference" href="http://www.id-conf.com" target="_blank">European Identity Conference 2009</a> where I had a discussion with Paul Heiden of BHOLD Company about GRC. Paul claimed that GRC is just dealing with FUD (fear, uncertainty, doubt) and that there is no real business value in this.</p>
<p>So - is the market for GRC solutions (Governance, Risk Management, Compliance) dead before it really blossomed?</p>
<p>Yes, if GRC is limited to auditing, with focus on some dashboards and some information extraction for auditors.</p>
<p>No, if GRC is understood as something which goes well beyond this and isn&#8217;t limited to a narrow one-way-road. And that is how we understand the GRC market and how we have defined this market segment in our <a title="GRC Market Report 2008" href="http://www.kuppingercole.com/reports" target="_blank">GRC Market Report 2008</a>.</p>
<p>There are some real value propositions for GRC solutions, beyond &#8220;avoiding penalties&#8221; as the classical negative inhibitor:</p>
<ul>
<li>On the lowest level, one standardized approach to GRC issues tends to be more efficient than many point solutions.</li>
<li>Much more important is the ability to not only audit but control - Enterprise Authorization Management (or Entitlement Management) is one of the key elements of GRC solutions, providing business control for the access to IT resources.</li>
<li>This is, by the way, much more efficient than the granular, isolated management of access controls on lower levels. A relatively small number of business roles and rules usually covers a significant part of all access controls on lower levels in the infrastructure, down to the system level. These lower level controls can be derived, with some added exceptions.</li>
<li>Probably the most important aspect is that GRC done right enables a more efficient management, focused on exceptions. Defining and measuring risks provides this ability.</li>
</ul>
<p>From our view, GRC has to be understood as an initiative which is at the core of Business-IT alignment. GRC has the potential to fulfill these (today in most cases unfulfilled) promises of building a link between business and IT.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 24 Jul 2008 14:46:18 +0200</pubDate>
			<title>Sun unveils new models for OpenSSO</title> 
			<link>http://www.kuppingercole.com/articles/sun_opensso_240708</link> 
			<guid>http://www.kuppingercole.com/articles/sun_opensso_240708</guid> 
			<description><![CDATA[ In <a href="http://www.kuppingercole.com">Kuppinger Cole + Partner</a><br><br> ]]></description>
		</item>
				<item> 
			<pubDate>Fri, 18 Jul 2008 11:06:13 +0200</pubDate>
			<title>Unfulfilled Promises on GRC – nothing else</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2008/07/18/unfulfilled-promises-on-grc-%e2%80%93-nothing-else/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2008/07/18/unfulfilled-promises-on-grc-%e2%80%93-nothing-else/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>These days I received an invitation from an IT vendor to visit an ECM (Enterprise Content Management) event. The keywords were Governance and Compliance. And the title of the keynote presentation suggested that ECM will solve every threat companies are facing today in these areas. Interestingly but not surprisingly, I have received invitations like that from other vendors – claiming to solve all these issues with other solutions in the fields of IAM (Identity and Access Management), BSM (Business Service Management), or with solutions focused on specific types of business applications like SAP or Oracle Applications.</p>
<p>Interestingly there are very few covering the area of SOA, another of these three letter abbreviations, which might be the fourth field of fulfilling everything a company might require in GRC - or not.</p>
<p>Every one of these companies is providing something for GRC – but none of them will ever be able to fulfill all requirements, at least as long as it doesn’t provide offerings for BSM, ECM, IAM, and SOA, for business applications, and for the consulting on methodologies on the Business as well as the IT level. Maybe IBM might at some point in time be the one to deliver – but in the areas of integration as well as solutions specific to the leading business applications there will be gaps at least for a very long time.</p>
<p>In other words: everyone is promising great things, no one is really delivering.</p>
<p>When you have a look at this issue from a customer perspective, it becomes obvious that there is a strong need to first define a corporate GRC strategy, derive an IT GRC strategy and then to implement it, combining solutions from different vendors for different parts of the problem. Non-strategic GRC investments have to be avoided – they are costly. If there is no overall strategy you will end up with many small, non-integrated pieces instead of a GRC solution which really can support your business requirements.</p>
<p>By the way: To support your initiatives in the field of GRC we are now offering “GRC ratings” for vendors, clearly showing in which areas of the big picture of GRC they can deliver today, in which areas they might deliver in the future – and how mature we rate their offerings.</p>
<p>A short note at the end: Someone asked me about the relationship of GRC and ECM. ECM is, besides other functions, about archiving information. And there are many legal requirements for archiving business-relevant information. Thus, ECM is a part of the overall GRC theme.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Fri, 18 Jul 2008 09:21:49 +0200</pubDate>
			<title>Mini-review of Microsoft “Zermatt”</title> 
			<link>http://blogs.kuppingercole.com/gaehtgens/2008/07/18/mini-review-of-microsoft-zermatt/</link> 
			<guid>http://blogs.kuppingercole.com/gaehtgens/2008/07/18/mini-review-of-microsoft-zermatt/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/gaehtgens">Felix Gaehtgens</a><br><br><p>I&#8217;ve written a <a title="Microsoft releases new &quot;Zermatt&quot; Identity Developer Framework" href="http://www.kuppingercole.com/topstory/17.07.2008">short analysis on Microsoft&#8217;s new &#8220;Zermatt&#8221; framework</a> that went up on <a title="Kuppinger Cole" href="http://www.kuppingercole.com">our website</a> yesterday. For those who have missed the announcement, Zermatt is a new developer framework from Microsoft that makes it easy for developers to work with claims, and is also a foundation for building secure token services (STS). In the analysis, I also included some of my thoughts on the &#8220;claims-based model&#8221; in general, and specifically about the lack of an authorisation model. I think this is perhaps the largest gap currently for applications using WS-Trust, WS-Federation and the claims-based model, exacerbated by the fact that Microsoft currently provides no vision of how this will eventually be addressed.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Sun, 29 Jun 2008 19:18:25 +0200</pubDate>
			<title>CardSpace Business Cards - PKI 2.0?</title> 
			<link>http://blogs.kuppingercole.com/rohr/2008/06/29/cardspace-business-cards-pki-20/</link> 
			<guid>http://blogs.kuppingercole.com/rohr/2008/06/29/cardspace-business-cards-pki-20/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/rohr">Sebastian Rohr</a><br><br><p>As the Gurus of User-Centric ID Management have discussed <a title="Corporate Business Cards" href="http://blogs.kuppingercole.com/kuppinger/2008/04/27/virtual-corporate-business-cards/">here </a>and <a href="http://www.identityblog.com/?p=978" target="_blank">here</a>, with the idea of using CardSpace and special &#8220;Managed Cards&#8221;, issued through the use of Microsoft Active Directory, InfoCards could actually become sort of an authentication token not only for yourself, but for you being an employee of said issuer of the respective InfoCard. As managed InfoCards are designed to be used as sort of community/customer ID, why not use them to verify if somebody IS actually working for the company he claims to work for?</p>
<p>Impersonation still is a threat today. I experienced this during the Microsoft Security Tour that I recently attended in Hanau, Germany. One of the main reasons was that my successor in the position of Chief Security Advisor, Michael Kranawetter, was about to present CardSpace to the mainly developer-oriented audience. After sharing a coffee or two, Michael stepped up to the stage and prepared for his presentation.</p>
<p>The big surprise came without a single bit of a warning: Michael greeted the audience and said: &#8220;Welcome to this session, my name is Sebastian Rohr, and I am the Chief Security Advisor for Microsoft Germany!&#8221; Well, there was only one guy in the audience who got puzzled besides myself, my friend Stefan, sitting right next to me! Michael easily showed that in today&#8217;s business you should not trust everybody who is wearing a &#8220;speaker&#8221; badge :-) one should ask for proof of the claims stated.</p>
<p>Anyway, back to the point: using a &#8220;Business InfoCard&#8221; issued by your employer does not only make it easier to access, say, the company online store and authenticate yourself. It can also be used in B2B situations, where you hand over your card and your communication partner can easily check that your name, title and affiliation are, in fact, valid. In addition, corporate information such as tax ID, location of the company and the official (and pretty up-to-date!) info on board members and the Chairman could be included. Nice!</p>
<p>Sitting over a nice glass of wine, one could drift off and, as thoughts come and go, get creative. Be it the impact of the heavy Merlot or too much sunshine: IF we have an established technology that offers easy issuing and management of credentials, spiced with corporate information and used in an interoperable environment that supports an easy &#8220;online check&#8221; if the information presented is still valid&#8230; and all this cross-company&#8230; with an extensible range of re-use&#8230; wouldn&#8217;t THAT be the dream of all those PKI guys?</p>
<p>Let&#8217;s face it: PKI has been struggling all these years to become and remain an important part of the IT infrastructure of all large organizations. Sometimes the struggling led to &#8220;near-death&#8221;, sometimes PKI managers still hunt for the killer app that will put their technology investment to use. Even IF the PKI was put to good internal use, leveraging it outside the company was rarely successful. Now, using the above mentioned managed Business Cards, we would really be able to do all the things we failed to achieve with X.509 certificates - well, besides encrypted email maybe!</p>
<p>I am really looking forward to your replies, either to be sure that it WAS too much sun and Merlot, or to kick-off a new thread on mis-using user-centric ID management in the enterprise ID management space!</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 26 Jun 2008 09:19:21 +0200</pubDate>
			<title>Information Cards going public…</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2008/06/26/information-cards-going-public%e2%80%a6/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2008/06/26/information-cards-going-public%e2%80%a6/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>Yes, I know – Information Cards (or Infocards) and their incarnation in Microsoft Windows CardSpace have been around for a while. But it was mainly the inner circle of Identity Management (and especially of user-centric Identity Management) who was really aware of this. With the recent announcement of the Information Card Foundation (ICF), Microsoft and others are trying to improve the visibility of Information Cards as a core element of Identity Management in the so called cloud.</p>
<p>There has been some discussion around the announcement in blogs and forums in the Internet. One of the most interesting aspects discussed is the necessity to educate the broader public about the concepts and value of Information Cards and the entire “Identity Management for the cloud” (aka user-centric Identity Management, aka Identity 2.0). That must be a main target of ICF, but as well of all the other players in this emerging market.</p>
<p>First of all, I’m convinced that Information Cards as well as OpenID will become central standards in the Internet and for Identity Management. Given that at least OpenID isn’t that far away from reaching the critical mass and that Microsoft Vista adoption (which makes it easier to use CardSpace) is happening pretty fast, as well as some important Open Source initiatives working on these topics, that might happen earlier than most expect today.</p>
<p>Nevertheless it is important to explain the concepts for everyone – and to address the privacy and security concerns many will have. There are so many things which can be done using these technologies, from Single Sign-On and Profile Management in the web up to <a title="Virtual Corporate Business Cards" href="http://blogs.kuppingercole.com/kuppinger/2008/04/27/virtual-corporate-business-cards/" target="_blank">Corporate Business Cards</a>. But they require an accepted concept.</p>
<p>Thus, the idea of ICF is great, when it goes beyond technical discussions around use cases and implementation issues and really focuses on education as well. On the other hand the member list of ICF proves that there is strong interest and support in the industry for Information Cards. You can bet that no one is in there who doesn’t expect the use of Information Cards to support his business – otherwise they wouldn’t invest time and money into ICF.</p>
<p>ICF is a great thing from my perspective. It will drive Information Cards forward – and thus the Identity Management for the cloud.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 19 Jun 2008 18:14:10 +0200</pubDate>
			<title>RedHat acquires Identyx</title> 
			<link>http://blogs.kuppingercole.com/gaehtgens/2008/06/19/redhat-acquires-identyx/</link> 
			<guid>http://blogs.kuppingercole.com/gaehtgens/2008/06/19/redhat-acquires-identyx/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/gaehtgens">Felix Gaehtgens</a><br><br><p>As I write this, Red Hat is announcing the acquisition of Identyx, a software company that specialises in open source identity management software. Identyx sells fully supported versions of Penrose, a virtual directory, and Velo, an open provisioning solution. Both products are based on open source projects hosted at safehaus.org, which was started up by Jim Yang and Alex Karasulu, best known as being a major driver behind the Apache Directory Server project. Identyx&#8217;s business model is typical for open source software providers: a stable, official release from Identyx, priced on the basis of a yearly maintenance contract where the price depends on the overall response time and level of service.</p>
<p>Why Red Hat? After all, Red Hat has rarely been mentioned in the identity management area. This is not so much because Red Hat has been inactive - not at all, in fact - but identity management at Red Hat has not been marketed much. But that&#8217;s about to change. Red Hat has restructured recently and opened up a new business unit called &#8220;Management and Security Products&#8221; in February. This business unit will be responsible for the directory and certificate server, IPA and the Identyx products.</p>
<p>Red Hat has been acquiring and building several interesting components in the identity area for a while. Red Hat has also acquired what used to be the Netscape Directory Server and Certificate Server from AOL, who inherited them through the acquisition of Netscape by AOL in 1998. For AOL, these software packages were not any core business and just dawdled on like neglected stepchildren before finally being sold on to RedHat. RedHat has invested in the development of these products and made them available in a supported and a free version under the RedHat and Fedora brands respectively. Although both products are available on multiple UNIX platforms, they have never really been perceived as serious contenders in the identity management space, and have had their success mostly with customers who already had a significant investment in Red Hat&#8217;s platform.</p>
<p>Last but not least, Red Hat has funded the FreeIPA (IPA = Identity, Policy and Audit) solution, an integrated security framework currently supporting identity management with plans to add policy management and auditing. This has matured over time, and RedHat will announce the general availability of FreeIPA 1.0 at the RedHat summit that is currently in full swing. Red Hat has plans to tie Identyx into IPA, as there are many cross-over cases, especially in the integration of Active Directory. Red Hat customers see many cases where Active Directory users and Linux policies need to be managed together and will harness the Penrose virtual directory to provide easy integration through virtualisation. Penrose will also continue to be available separately.</p>
<p>So what is Red Hat&#8217;s vision, and why the jump into identity management now? The overall vision is similar to that of BMC and Microsoft who see Identity Management as an important cornerstone of IT infrastructure management. Red Hat especially sees demand in cloud computing models, where customers need agility in their environment to create a flexible IT fabric by consuming IT infrastructure as dynamic workload resources. The security models change when resources are constantly moved around. Control mechanisms need to be in place to ensure security. Audit trails need to be created in order to ensure compliance. Red Hat sees identity management and configuration of machines converging through specialised workflows.</p>
<p>Due to the special nature of most identity management projects, an open source approach can be particularly advantageous. This is because often extensive customisation and integration is part of a deployment, and many parts of these customisations are shareable - something that does not typically happen as easily with shrink wrapped commercial software. However, using open source identity management software has so far been elusive for many enterprises due to a lack of a strong partner. Red Hat&#8217;s acquisition of Identyx now allows RedHat to enter the lucrative identity management market with a strong position and a credible offering of products, allowing customers to reap the full benefits of open source identity management by leveraging RedHat&#8217;s unique experience and standing in the open source area. Other than Novell and Sun who also offer their own branded Linux open source platforms, Red Hat builds completely on open source. The strategy might pay off, but there is a long steep road still ahead for Red Hat. The acquisition of Identyx has just made that road shorter, and is good news for Identyx&#8217;s and Red Hat&#8217;s existing customers. We at Kuppinger Cole will be analysing Red Hat in much more detail from now on.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 19 Jun 2008 09:08:38 +0200</pubDate>
			<title>The secret leader in context-based authentication and authorization?</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2008/06/19/the-secret-leader-in-context-based-authentication-and-authorization/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2008/06/19/the-secret-leader-in-context-based-authentication-and-authorization/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>Context-based authentication and authorization is one of the topics which have the potential to become the next hype. I&#8217;ve posted twice on this subject, <a title="Context-based authentication" href="http://blogs.kuppingercole.com/kuppinger/2007/10/20/from-risk-based-to-context-based-authorization/" target="_blank">here</a> and <a title="SSO and context-based" href="http://blogs.kuppingercole.com/kuppinger/2007/10/26/why-sso-is-so-popular-in-these-days/" target="_blank">here</a>, and we had, led by <a title="Dave Kearns' blog" href="http://vquill.com/" target="_blank">Dave Kearns</a>, a lot of discussions around this at our <a title="European Identity Conference" href="http://www.id-conf.com" target="_blank">EIC 2008</a>. I&#8217;m convinced that the topic will become even more important at next year&#8217;s EIC.</p>
<p>Besides the ones which are obvious players in that future market segment like the risk-based authentication vendors (Arcot, Entrust, Oracle, RSA and some others) there are some other categories of vendors which offer even today at least some context-based authentication and authorization. One of them is Citrix. Given the number of installations of the Citrix Access Gateway they might even be sort of the leader in that market.</p>
<p>You might argue: An SSL Gateway is not a solution for context-based authentication and authorization. Yes - and no. No, because an SSL Gateway without additional components is just an SSL Gateway. Yes, if you combine a Citrix Access Gateway with other things. At a Citrix Analyst Briefing yesterday, a Swiss bank talked about their approach for controlling access of remote workers. They use the Citrix Access Gateway together with many other Citrix technologies and with a NAP (Network Access Protection) tool from <a title="EPA factory" href="http://www.epafactory.com" target="_blank">EPA factory</a>.</p>
<p><span id="more-54"></span>This tool provides some information about the state of the clients. There is also some information about the device which is used and there might be some derived location information. That information about the context in which a user is acting is used at the Citrix Access Gateway. Policies control whether - and with which authentication requirements - authentication is done and what the user is authorized to do.</p>
<p>The result is nothing other than context-based authentication and authorization.</p>
<p>For sure there are shortcomings. You need tools from at least two vendors, even more for additional authentication technologies. It requires a Citrix environment (which is nothing bad - but not everyone has one). The location detection is probably not the best you could imagine. Some other factors which are relevant for context-based decisions like fraud analysis information aren&#8217;t included. Data from physical access control systems isn&#8217;t used. There might be a much more granular authorization. Currently it is decided whether someone is allowed to access an application or not - there might be a deeper integration with the applications.</p>
<p>It is not yet the perfect solution for context-based authentication and authorization. But it is a step in the right direction, combining Citrix&#8217; access strategy with additional tools. The solution proves, by the way, that many vendors might deliver solutions for context-based authentication and authorization for corporate users with a limited effort, providing a higher level of security and reducing IT risks to the customers.</p>
<p>I&#8217;m convinced that there will be several types of technical solutions for context-based authentication and authorization, targeting the online business, remote workers, and other requirements. There are several places to integrate with - Web Access Management tools, SSO tools, and Access Gateways. I expect more solutions to show up in the context-based authentication/authorization market within the next 12 to 18 months, even while some of them won&#8217;t be defined as &#8220;context-based&#8221; but as &#8220;risk-based&#8221;, &#8220;physical/logical convergence&#8221; or &#8220;location-aware&#8221;. But over time there will be a market segment for these context-based solutions where all the vendors will position themselves, with more flexible solutions and a tight integration of the required components.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Fri, 13 Jun 2008 14:18:22 +0200</pubDate>
			<title>Shouldn’t there be a common understanding of the term “service”?</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2008/06/13/shouldnt-there-be-a-common-understanding-of-the-term-service/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2008/06/13/shouldnt-there-be-a-common-understanding-of-the-term-service/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>These days I&#8217;ve read some entries in the <a title="Beteo" href="http://www.beteo.ch" target="_blank">Beteo blog</a>, a blog provided by a Swiss software and consulting company which is somewhere in between SOA and BSM - or BTO, the term they tend to use due to some affinity to HP. The interesting thing is that Beteo not only claims but proves that Service Management principles and tools which are commonly used more in IT Infrastructure Management can be applied to the field of Software Change Management as well. Beteo, a company I&#8217;ve been in contact with since they were founded (and I had been in contact even with their predecessor), uses this concept with success especially in SAP environments.</p>
<p>That leads to the obvious conclusion: There should be a much more common service understanding. There should be one BSM approach on the upper layer. BSM, as real business service management, should really address the business aspects like</p>
<ul>
<li>Defining services from a business point of view - like &#8220;manage a contract&#8221; including storage, access rights,&#8230;</li>
<li>Mapping these business services to IT services</li>
<li>Managing these services from a business perspective, e.g. accounting, controlling (do we really need these services?),&#8230;</li>
</ul>
<p>The next layer is IT services, i.e. the more technical services IT provides to deliver a business service. These services can be managed with ITIL principles and - at least to some degree - with today&#8217;s so-called BSM tools.</p>
<p>Whether the mapping of IT services to the IT implementations of business processes is part of the IT service layer or the business service layer is a matter of definition. I tend to place the description of business process at the business service layer and the implementation of business processes in IT - and thus, the relationship of these processes with IT services - at the IT services layer.</p>
<p>Anyhow, there is a layer below for the different types of IT services. Today, BSM focuses mainly on IT infrastructure services and provides mainly an ITISM (IT Infrastructure Service Management) - and not an ITSM (IT Service Management) or a real BSM (Business Service Management).</p>
<p>Besides the IT Infrastructure Services we have IT Application Services. These services tend to be more granular, down to web services and so on.</p>
<p>But regardless of the service you talk about: Each service can be managed with the same principles - and ITIL (and ISO 20000) is a good point to start if you focus on the principles for managing services. You can define, implement, run, optimize any type of service. Whether you look on high level business services or on low level application services, the way you should handle services is, from a conceptual view, the same. The business aspects like service accounting and controlling can be applied as well on every level.</p>
<p>Given that, a unified view on services and their management would bring a lot of benefits to IT - the reuse of management software, improvements in that software when the experiences of infrastructure and software change management are combined and influence the tools, the capability for an overall auditing and accounting of services, a consistent authorization management for services, their management and their use.</p>
<p>But that would mean that the silos at the vendor side (where software management is in most cases a different division than infrastructure management) disappear, and that the silos in today&#8217;s IT organizations are opened up for more cooperation as well.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Sat, 07 Jun 2008 10:28:27 +0200</pubDate>
			<title>Yubikey - New Hardware for Strong Authentication</title> 
			<link>http://blogs.kuppingercole.com/resch/2008/06/07/yubikey-new-hardware-for-strong-authentication/</link> 
			<guid>http://blogs.kuppingercole.com/resch/2008/06/07/yubikey-new-hardware-for-strong-authentication/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/resch">Joerg Resch</a><br><br><p>Recently I came across YubiKey, which is a hardware token generator from a young Swedish company called <a href="http://www.yubico.com">Yubico</a>. YubiKey is a small and slim USB device with just one button. If you push it, the device produces a one-time password and sends it to the server. Compared to token generators in card format, you don&#8217;t need to manually enter your one-time password through a computer keyboard anymore, which makes YubiKey unreachable for trojans directly listening to keyboard entries. One more remarkable thing is that Yubico offers an identity platform for their device, which already contains an OpenID Server.</p>
<p>If this device holds its promise, there should be reason to worry for the other players in the strong authentication market. I wrote a mail to Yubico&#8217;s CEO <a href="http://www.yubico.com/about/people/">Stina Ehrensvärd</a>, asking for some background and a sample device, and got an answer within minutes. So I&#8217;m now waiting for the YubiKey and will keep you informed.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Fri, 06 Jun 2008 10:18:34 +0200</pubDate>
			<title>CardSpace “hacked”?</title> 
			<link>http://blogs.kuppingercole.com/resch/2008/06/06/cardspace-hacked/</link> 
			<guid>http://blogs.kuppingercole.com/resch/2008/06/06/cardspace-hacked/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/resch">Joerg Resch</a><br><br><p>I&#8217;m definitely amongst the last ones to join the crowd blaming German universities for lagging behind international standards with regard to their educational programs, especially in the fields of technology and computer science. But reading <a href="http://demo.nds.rub.de/cardspace/PR-HGI-TR-2008-003-EN.pdf">this press release</a>, issued by the <a href="http://www.nds.rub.de/index_en.html">Faculty of Network and Data Security at University Bochum</a> (sorry, the English version of their website seems not to work), makes me think.</p>
<p>The press release says that two students of said faculty &#8220;broke&#8221; Microsoft&#8217;s CardSpace through some kind of man-in-the-middle attack, where they took over an existing session between a user authenticated with an InformationCard and Microsoft&#8217;s InfoCard sandbox by manipulating a DNS server. Reading through <a href="http://demo.nds.rub.de/cardspace/">the description of this &#8220;attack&#8221;</a> shows that the sophisticated part of their work was to manually change the DNS settings of their client computer in a way that it resolved web addresses through an internal DNS service within their institute (where they have admin access), which they had manipulated beforehand by adding a round robin entry for the sandbox server, redirecting every second client request to an evil system, which then stole the session token.</p>
<p>So, what are the learnings from this intended act of creative destruction? Yes, once again we learn (what we have known for decades now) that without a proper client certificate, man-in-the-middle attacks are possible, independently of the authentication methods and tools used, and that SSL/TLS provides means to avoid the risk of such attacks, likewise independently of the authentication methods and tools in place.</p>
<p>It is great that University Bochum is teaching their students how these things work and eventually we may have a generation of well-educated IT experts knowing how to make corporate IT infrastructures and the Internet more secure. Maybe they should add some HTML training courses to their timetable as well. If you look at this <a href="http://www.nds.rub.de/lehre/praktika/hackerprakt/index.html">description of a &#8220;hacker course&#8221;</a> that university is offering, some nice error messages coming from malformed HTML are displayed, like this one:</p>
<p><span style="color: #ff0000;">System Message: WARNING/2 (<tt class="docutils">&lt;string&gt;</tt>, line 11)<br />
Block quote ends without a blank line; unexpected unindent.</span></p>
<p>But what is the message behind that press release saying that University Bochum students broke &#8220;Microsoft&#8217;s Identity Metasystem CardSpace&#8221;? Just to feed some outdated opinion about Microsoft producing error-prone and insecure software? In my opinion, this is not enough for a productive discussion on how to increase security.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Fri, 06 Jun 2008 09:57:58 +0200</pubDate>
			<title>GRC and IAM - you can’t separate it</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2008/06/06/grc-and-iam-you-cant-separate-it/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2008/06/06/grc-and-iam-you-cant-separate-it/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>At <a title="European Identity Conference" href="http://www.id-conf.com" target="_blank">EIC 2008</a> I&#8217;ve presented our view on the relationship of GRC and IAM as well as our definition of the GRC market, the core results of our <a title="KCP reports" href="http://www.kuppingercole.com/reports" target="_blank">GRC market report 2008</a>. Basically, the generic GRC tools we see emerging in the market are becoming more and more the business layer above the classical core IAM tools, e.g. provisioning, self service and some other feature areas.</p>
<p>I&#8217;ve been talking with a lot of users within the last few weeks. And what I&#8217;ve learned has proven that statement. The most important driver for IAM projects today is the need for defined, auditable processes around user and authorization lifecycle management. And that is about Governance, Risk Management, and Compliance.</p>
<p>To fulfill these requirements, you need a strong IAM foundation. But without a level above it for business-controlled authorization management, for layered attestation from the system up to the business level, for the management of business roles and for business-centric auditing, that won&#8217;t fulfill the needs.</p>
<p>Given this it is no surprise that several vendors either integrate more and more of these features in their IAM products, some of them on a high level (Völcker), while others have acquired specialized vendors in both areas (Oracle, SAP, Sun).</p>
<p>Today it is not necessary to buy the IAM and the GRC products from the same vendor, especially because the GRC solutions are in their early stage. And due to the fact that IAM tools always will focus more on the IT level whilst GRC focuses on the business level I&#8217;m not sure whether they shall be really integrated. But one thing is sure: You will need both levels of tools to fully support the business requirements which are driving IAM today.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Fri, 06 Jun 2008 00:18:59 +0200</pubDate>
			<title>Is GRC something different in Europe than it is in the US?</title> 
			<link>http://blogs.kuppingercole.com/resch/2008/06/05/is-grc-something-different-in-europe-than-it-is-in-the-us/</link> 
			<guid>http://blogs.kuppingercole.com/resch/2008/06/05/is-grc-something-different-in-europe-than-it-is-in-the-us/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/resch">Joerg Resch</a><br><br><p>Today <a href="http://sailpoint.libsyn.com/index.php?post_id=346135">I listened to a podcast</a> where Kevin Cunningham and Darran Rolls from <a href="http://www.sailpoint.com/company/management.php">Sailpoint Software</a> talk in an interview with Jackie Gilbert about the impressions they brought back home from <a href="http://www.id-conf.com/eic2008">EIC 2008</a>. Besides describing EIC as an event not to miss next year (thanks!), they compare the US and European identity management markets and agree that there are more similarities than differences when it comes to GRC. Yes, compliance requirements are increasing everywhere in the world and SOX is not the only framework responsible for this increase.</p>
<p>I think it was Kevin who mentioned one important difference: Privacy and data protection for employees seem to be more strongly regulated here in Europe than in the US. This may be true, although they don&#8217;t really play a role in reality, as recent <a href="http://www.dw-world.de/dw/article/0,2144,3371190,00.html">espionage cases like the one within Deutsche Telekom</a> impressively show.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Sun, 25 May 2008 14:38:12 +0200</pubDate>
			<title>BMC drops traditional identity management, focuses on Business Service Automation</title> 
			<link>http://blogs.kuppingercole.com/gaehtgens/2008/05/25/bmc-drops-traditional-identity-management-focuses-on-business-service-automation/</link> 
			<guid>http://blogs.kuppingercole.com/gaehtgens/2008/05/25/bmc-drops-traditional-identity-management-focuses-on-business-service-automation/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/gaehtgens">Felix Gaehtgens</a><br><br><p>I was at the BMC User World conference in Lisbon last Tuesday, trying to figure out where BMC is going, specifically in the field of identity management. After all, BMC&#8217;s presence in that segment has been surprisingly low-key for several months. Last year, BMC was to be found at every major identity-related conference. Jeff Bohren, BMC&#8217;s identity guru, was very active in the standardisation efforts around provisioning services and in the identity bloggers&#8217; community, and BMC was marked as one of the larger players in the identity space.</p>
<p>Ever since, Jeff Bohren has <a href="http://talk.bmc.com/blogs/blog-bohren/jeff-bohren/moving-on">left BMC to join Sunview Software</a>. From what we at Kuppinger Cole noticed here in Europe was that BMC&#8217;s complete identity management pre-sales team in the UK and Germany left around that time frame as well. It didn&#8217;t take a conspiracy theorist to figure out that something was up. Had BMC decided to follow HP and quietly discontinue its products, or integrate them in a broader environment? That&#8217;s what my colleague Martin asked me to find out, and besides this was in &#8220;my turf&#8221; - right in Lisbon!</p>
<p>I scheduled a session with BMC&#8217;s CTO Tom Bishop and we discussed BMC&#8217;s vision and what the outlook for identity management is at BMC.</p>
<p>First of all: BMC is refocusing towards a new strategy around Business Service Management (BSM) and Business Service Automation. Identity plays an important part in a BSM-enabled ecosystem. BSM wasn&#8217;t something I was very aware of, but it made a fascinating topic. Therefore, I wanted to share some interesting background information that we received during the keynotes, and especially later in the break-out sessions from Tom himself.</p>
<p>In order to make the case for Business Service Management, an interesting statistic from IDG was presented. With higher complexity of IT systems, the cost of managing these systems also goes up. That should come as no surprise. As virtualisation and SOA become more adopted, the number of systems rises even further and complexity increases even more. What does that mean for enterprises? Well, increased server management and administration costs for one, plus additional power and cooling costs (virtualisation obviously helps mitigate the latter two, but again, more system management overhead). So are IT budgets due to increase? That is the last thing enterprises want to hear! So something&#8217;s gotta give, or things need to work more efficiently. Can IT run more efficiently? You bet, says BMC&#8217;s Tom Bishop. After all, after making every aspect of a business more efficient by automation, the IT departments are usually the largest places of manual labour to be found in any enterprise. Ironic, isn&#8217;t it?</p>
<p>BMC believes that there is a huge potential to automate the way that IT departments are being run, and is implementing its vision of Business Service Automation to offer its customers a complete solution to do just that. Business Service Automation, according to BMC&#8217;s vision, provides an integration layer to unify the &#8220;patchwork&#8221; of existing solutions that revolve around the provisioning of systems and software as well as the compliance with internal IT controls. (BTW, here the words &#8220;provisioning&#8221; and &#8220;compliance&#8221; are used outside of the identity management context.) With BMC Atrium technology as a central component, and driven by a change management database (CMDB), service support, assurance and automation are integrated, unified and simplified. This drives down maintenance and systems management costs significantly (once you discount the price to pay for the BMC solution, presumably), and allows an enterprise&#8217;s IT landscape to grow whilst keeping the management costs at par.</p>
<p>My head was spinning and I was impressed at the same time. I did manage to regain my composure however and had the opportunity to quiz Tom Bishop directly on the future of identity management in BMC&#8217;s overall strategy. What is happening with the product line, and why does it seem that BMC has retreated from that space? Tom mentioned that last year, BMC had several business units, out of which Identity Management was one - complete with a presales team. Now that has been reshuffled however, and BMC sees identity as a piece of the overall Business Service Management strategy, and will therefore continue to integrate its identity management products seamlessly within this structure. However, BMC will cease to push &#8220;stand-alone&#8221; identity management products as it has done before. Customers can still buy the existing products as stand-alone solutions, but BMC will focus on the automation and overall integrated approach to service automation.</p>
<p>I tried to prod a bit to see whether there was any indication that BMC might try to fill some of the previous gaps in its &#8220;suite&#8221;, such as the missing federation piece. Here both Tom and I were caught in the ambiguity trap that opens when the words &#8220;federation&#8221;, or even &#8220;provisioning&#8221; are used by people of different technology domains. We identity management folks think about something completely different when we mention &#8220;federation&#8221;. Tom was thinking on how the change database approach could be used in a federated approach to integrate different services. I later tried to find out whether it was necessary to buy BMC&#8217;s identity management components to integrate with the Atrium software and the Business Services Management stack that BMC offers. I did not get a clear answer. Apparently the integrated BSM solution is able to detect when new users join and leave the organisation and an automatic provisioning of software and other services can be configured. Nobody could explain to me however whether or how this could be integrated within a non-BMC identity management - although I am sure that this will be possible, given that it may not be palatable for future customers to install yet another identity provisioning system aside an already running solution that has already been deployed - especially considering the pain and hard work that goes with deploying such systems!</p>
<p>So at least now it&#8217;s official! BMC is no longer a player in the traditional identity management market but is instead transforming its offerings to provide an all-integrated approach to automate IT through business service automation and management. Existing customers are still supported, and the products are maintained, but customers will have to look elsewhere for comprehensive identity management solutions, or at least buy the &#8220;missing pieces&#8221; from other vendors more active in the &#8220;pure&#8221; identity management sector.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Wed, 21 May 2008 09:00:54 +0200</pubDate>
			<title>SaaS - unmanageable, but (still) successful</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2008/05/21/saas-unmanageable-but-still-successful/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2008/05/21/saas-unmanageable-but-still-successful/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>SaaS is becoming more and more popular, especially in the US. In Europe the growth is much slower, but that is no surprise – Europe is usually some 12 to 36 months behind the US in adopting new technologies.</p>
<p>But there is one thing to be considered regarding SaaS – most of the SaaS offerings are more or less unmanageable. The interfaces for identity management, event management and logging and other necessary functionalities are missing. Defined APIs for controlling and integrating the SaaS applications into the existing own IT infrastructure are missing in most cases – or they are so weak that they aren’t useful.</p>
<p>Even more, it is virtually impossible to get your own data back in a useful format. SaaS vendors seem to consider all information which someone stores in their SaaS application as their data – but it is the data of the SaaS customer. This is some form of aggressive lock-in.</p>
<p>How weak the APIs of SaaS providers are today is visible when you look at approaches like myOneLogin (which is very interesting) – only three of roundabout 60 supported SaaS applications support federation. And virtually none supports an efficient approach for provisioning users from your own directories to the SaaS application. Or have you ever asked your SaaS provider about SPML (Service Provisioning Markup Language) support? The answer probably has been something like “SPML what???”.</p>
<p>The missing support for standards or at least a comprehensive set of APIs for accessing, integrating and managing SaaS is, from my perspective, the biggest risk for SaaS. At some point of time the customers will ask for these features. The vendors which still believe that the world ends at their own perimeter and who claim that every data which someone enters into their SaaS application belongs to them will be shaken out of the market.  For good reason.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 20 May 2008 16:57:44 +0200</pubDate>
			<title>SAPPHIRE Berlin Day 2</title> 
			<link>http://blogs.kuppingercole.com/rohr/2008/05/20/sapphire-berlin-day-2/</link> 
			<guid>http://blogs.kuppingercole.com/rohr/2008/05/20/sapphire-berlin-day-2/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/rohr">Sebastian Rohr</a><br><br><p>Have you ever been to SAPPHIRE?</p>
<p>No?</p>
<p>You should!</p>
<p>Despite my young age, I guess this is where you find out how the spirit of the IT industry might have been in &#8220;those days&#8221;, when multi-million dollar Mainframe deals were made. At least, that is the impression you get when you stroll around.<br />
I have been to quite a few trade fairs, special meetings and vendor events - all with a rather impressive set of &#8220;supporting events&#8221; and executive receptions. But recent years have shown a decrease in the investments vendors were willing to make on these little extras. Looks like SAP still has got some budget to spend&#8230;</p>
<p>But let us get back to business - executive business, that is!<br />
When it comes to providing a strategic business perspective, coming here as a manager or executive you get what you expect: visionary statements, large audience keynotes and a nice overall setup. From a technology perspective though, it is quite surprising that one can only get their hands on a small number of technically versed representatives who are able to show a little more than flashing slides and animated demo screen-shots. Well, one could argue that this is not TechEd, which will take place in autumn here in Berlin and where I will definitely attend as well, and one must consider the &#8220;business oriented&#8221; approach of SAPPHIRE. Point taken, rest assured! But I was NOT talking about a nuts&amp;bolts session on how to configure x and get y out of that interface. I was merely looking for people to tell me just a little bit more about what became of MaxWare, where GRC overall will be going and what the combined strategy for managing identities within (and beyond) SAP will be. I will take those questions home with me, unfortunately&#8230;</p>
<p>Given that, I made the best out of a session with one of the solution marketing guys, who assured me that the IP as well as the human resources of the MaxWare acquisition were secured and that the now joint teams from Netweaver IdM and MaxWare are working hard to push the integration depth. Nice - and from my point of view obvious - information: SAP will not push their newly acquired IAM technology as an independent offering but will concentrate on delivering added value to existing SAP-centric customers. I will definitely catch up with him to extend our late-evening discussions at the Hamburger Bahnhof. Thanks again for the insights!</p>
<p>On a completely different note, the RIM partnership seems to kick in pretty nicely with a &#8220;mobilized&#8221; SAP CRM and Blackberry integration, which the RIM representative dared to demonstrate live during the keynote (something which I would not have dared, given my recent experience with the reliability of 3G network connectivity - especially with a few thousand people around you all carrying a mobile phone!)</p>
<p>I will get back to you all with more gossip tomorrow, with news on the Zucchero live performance (see budget joke above!) and special feedback from the Business Objects keynote by its CEO, Mr. Schwartz!</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Sat, 17 May 2008 00:00:01 +0200</pubDate>
			<title>HP passes the buck to Novell</title> 
			<link>http://blogs.kuppingercole.com/gaehtgens/2008/05/16/hp-passes-the-buck-to-novell/</link> 
			<guid>http://blogs.kuppingercole.com/gaehtgens/2008/05/16/hp-passes-the-buck-to-novell/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/gaehtgens">Felix Gaehtgens</a><br><br><p>Hewlett-Packard, who recently announced that it would all but retreat from the identity management sector as an independent vendor, has <a href="http://www.hp.com/hpinfo/newsroom/press/2008/080516b.html">just announced a partnership with Novell</a>. That will settle the many speculations in the industry. As HP had made a significant investment into identity management products, someone would surely be picking up the pieces. And the winner is: Novell!</p>
<p>From the announcement that was made to the analyst community and the subsequent press release, it is pretty clear that HP is looking for an elegant way to divest itself from its product line. Of course, HP cannot and will not leave existing customers hanging, so the previous announcement from HP was to &#8220;not actively pursue new customers&#8221; for its identity management software anymore. Another way of putting it - but the message is clear: those products are no longer actively pursued, the key employees have long moved on, such as Greg Whitehead who came to HP from Trustgenix, after it was acquired by HP.</p>
<p>If there is any doubt about the future of HP&#8217;s product line: Novell is offering a license credit for current HP Identity Center customers and the press release makes frequent use of the word &#8220;migration&#8221;.</p>
<p>HP and Novell will now jointly develop tools to help their respective teams migrate customers away from Identity Center and towards the Novell product offering.</p>
<p>The win for Novell is obvious: a strong influx of new accounts, plus a strong partnership with a key systems player that has just a few days ago announced its intentions to strike it big with services as well - acquiring EDS. On the other side, what is the win for HP, apart from an honourable exit from its products? Surely, after the acquisition of EDS a likely theory would be that there may be some good deals in the pipeline for HP&#8217;s new upscaled services division, working closer with Novell. But even though this may be the case, it is very unlikely that the EDS deal and the Novell partnership have had any effect on each other, and although Identity Management is a hot and growing space, it is just a fraction of what EDS did for its customers.</p>
<p>What will be interesting to see however is if and how Novell will take over some of HP&#8217;s IdM estate, and how this would be integrated within Novell&#8217;s solutions. The Trustgenix federation software, just to note one example, was superior technology at the time of acquisition and still presents a formidable stack for the implementation of federation solutions.</p>
<p>A very interesting detail is however not mentioned in the press release: this special partnership is not exclusive at all. This should perhaps be obvious, because HP partners with other companies who also have a significant identity management offering. Curiously also, the press release was not even published in Germany. Although that may seem an insignificant detail, it has subtle implications: SAP is very strong in the German Identity Management field through its Netweaver offering, and HP makes a lot of money through its partnership with SAP, and will want to keep its options open.</p>
<p>It will be interesting to see the reaction of HP&#8217;s Identity Center customers after this announcement. Some have already moved away from Identity Center, or are in the process of doing so. Novell has a well-rounded offering, but it might not always be the right match for existing HP Identity Center customers. Then again, it is likely that some technology gets transferred or licensed to Novell. For most existing Identity Center customers however this is good news, as it lays out a clear path for transitioning over to a solid product line that is established and actively maintained.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Wed, 14 May 2008 12:00:57 +0200</pubDate>
			<title>Why Information Rights Management is mandatory…</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2008/05/14/why-information-rights-management-is-mandatory/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2008/05/14/why-information-rights-management-is-mandatory/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p class="MsoNormal"><span lang="EN-US">Information Rights Management (IRM) is one of these technologies which hasn’t really been successful so far, even though it has been discussed and available for quite a long time. IRM is about protecting the information directly, through signatures, encryption and a direct assignment of rights. These rights describe who is allowed to do what with that piece of information.</span></p>
<p class="MsoNormal"><span lang="EN-US">There are some reasons why IRM isn’t widely adopted today. One is the complexity of the concepts. Without understanding PKIs and public key encryption it is impossible to really understand IRM. Another reason is the somewhat limited implementations. Most of them are fine for a limited set of applications and environments. Microsoft’s Windows Rights Management Services are great for Windows and Office. They even work in a B2B environment with some trust between the partners. But they are mainly for Microsoft apps. How about CAD and blueprints? How about the other office apps? And all the other types of documents, starting from XML documents, which are sent and stored? There are some other solutions, but most of them are either from pretty small vendors or very limited in scope.</span></p>
<p class="MsoNormal"><span lang="EN-US">But the most important reason is, in my opinion, that the relevance of Information Rights Management isn’t fully understood. Even when I talk with people responsible for IAM, IRM seems to be amongst the best hidden secrets. But access control which is limited to data in a silo like a file server or a document management system isn’t sufficient. Data is read and used by users, attached to mails, transferred via FTP – the perfect way to bypass most security concepts [I had a very interesting conversation with Taher Elgamal from Tumbleweed some days ago – Taher has been responsible for “inventing” SSL at Netscape, and it is definitely worth having a look at Tumbleweed’s approaches to minimize FTP risk] and so on.</span></p>
<p><span lang="EN-US">But if you look at it the other way round, everything is fine. IRM works as well for data which is stored in silos. In other words: If you use IRM for any type of information there is no necessity anymore for the classical access control approaches. The best way to protect information is to do it directly at the level of the information – and not at the level of one of these many systems which might change, transport or store the information. Given that, it is really time for an industry-wide initiative for IRM standards which work on every platform and with every type of information and every application.</span></p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 08 May 2008 13:00:30 +0200</pubDate>
			<title>Siemens DirX - back in the IAM market…</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2008/05/08/siemens-dirx-back-in-the-iam-market/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2008/05/08/siemens-dirx-back-in-the-iam-market/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>Some time ago, as a result of some of the fundamental reorganizations Siemens had to do within the last two years, the department responsible for the DirX solutions was moved into the healthcare unit of Siemens. That was a somewhat unusual place for an identity management product unit. Now, Siemens is reorganizing again. Besides three core areas (Industry, Healthcare, Energy) there will be several cross-sector activities. One of these is Siemens IT Solutions and Services.</p>
<p>Within Siemens IT Solutions and Services (SIS) there will be a unit “Identity Management and Biometrics” in which Siemens bundles its DirX and Biometrics activities. SIS will offer complete solutions including Smartcards, PKIs and security consulting around the products of this unit. Besides this the unit will work with VARs and plans to enlarge its set of partners beyond Siemens Enterprise Communications and the few other partners they currently have. There are also plans to extend the IAM portfolio through partnerships.</p>
<p>Even though we have to wait and see how well the new structure works, how successful SIS is in selling IAM projects up to a complete outsourcing and how the partner landscape around DirX will change – Siemens is now in an obviously much better position again. The new organizational structure is by far more logical than the placement in the healthcare department has ever been. We will observe how the new structure works in reality. But Siemens should be considered as a strong vendor again, even if you might not have done so for some time.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 08 May 2008 02:06:58 +0200</pubDate>
			<title>Federation and auto-provisioning</title> 
			<link>http://blogs.kuppingercole.com/gaehtgens/2008/05/08/federation-and-auto-provisioning/</link> 
			<guid>http://blogs.kuppingercole.com/gaehtgens/2008/05/08/federation-and-auto-provisioning/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/gaehtgens">Felix Gaehtgens</a><br><br><p>Ping Identity recently <a href="http://blog.pingidentity.com/blog/default/2008/04/30/PingFederate-5-1-now-available">announced the availability of Version 5.1 of Ping Federate</a> in their blog. What caught my attention was that Ping has now also finally added a feature I (and others) call &#8220;auto-provisioning&#8221; or &#8220;federated provisioning&#8221;. In federated environments, when users from other entities visit your site and gain access to services, it is often necessary to store some local data about these users on your system. In very simple cases, this could be user profile data, such as the colour of the background, but there could be much more information that would need to be stored.</p>
<p>So does this mean that by deploying federated environments, you are getting back to the &#8220;silo problem&#8221; where you have fragments of identity data floating around? Does this mean that as a service provider you must now store identity information, and accounts, and deal with everything that comes with it - including compliance with complex intermingled laws and directives? Ugh!</p>
<p>Don&#8217;t panic. In most cases you don&#8217;t have to - this can usually be avoided through proper design of the federation scenario. So should you avoid storing any data about external users coming into your system from federated identity providers? Well, this would be nice, but is not always practical. So you often end up having to store <em>something</em> about a user that &#8220;arrives&#8221; at your site from elsewhere through a federation (or your support of user centric identities).</p>
<p>So here are my recommendations, in no particular order:</p>
<ul>
<li>Create those &#8220;user entries&#8221; on the fly - when someone &#8220;flies into&#8221; your site for the first time through a trusted federated link or an OpenID sign-on, create the user entry then automatically - if it&#8217;s not already there. Why? Because the alternative would be setting up a synchronisation service, and you really want to avoid that unless you really, really, REALLY have to&#8230;</li>
<li>Avoid storing &#8220;personal&#8221; data. This will make you resilient against privacy regulations. OK, or at least not expose you any further to them than you already are <img src='http://blogs.kuppingercole.com/gaehtgens/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </li>
<li>In most cases, you already receive some data about the user together with the sign-on token. Try not to store a copy of that data, but instead just keep the data around for the lifetime of the current session. This might not always be practical or even possible. In that case, if you do store it, make sure you update the information when you receive changed data next time in the token.</li>
<li>Don&#8217;t turn the stored data into a &#8220;live account&#8221; by giving a user the option to store a local password, unless you really have a good reason to do so! (I am actually wondering what would be a good reason to do this and can&#8217;t think of any!) <img src='http://blogs.kuppingercole.com/gaehtgens/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </li>
</ul>
<p>If you follow these recommendations, then you can rest assured that you are <strong>not</strong> creating user accounts. Instead, you are creating &#8220;profile entries&#8221;. These are not to be counted as &#8220;accounts&#8221; or &#8220;identities&#8221; when the auditors arrive, because the profile entries themselves don&#8217;t carry any entitlement per se - you are not authenticating user entries. You are instead just keeping track of, say, a user&#8217;s preferences. That is a completely different type of animal.</p>
<p>Another good reason, especially for the first recommendation, is that you&#8217;ll be saving yourself a lot of maintenance if you provision &#8220;on the fly&#8221; as opposed to managing synchronisation links (including the headaches that come with it). Again, the world is not perfect, and you may find yourself with your back to the wall surrounded by synchronisation links that all cry for constant love and tending.</p>
<p>I could go on and on, but instead I&#8217;ll refer to the presentation &#8220;How to efficiently manage external identities&#8221; that my colleague Stefan Rohr and I held at EIC 2008. Hmm. Somehow I can&#8217;t find the link to it. I guess that&#8217;ll have to be added tomorrow.</p>
<p>Obviously these recommendations come from the use cases that I&#8217;ve seen or have even been personally involved in. I&#8217;d be really interested in YOUR use cases. Do you agree with my recommendations? Did I perhaps overlook anything, or am I just plainly wrong or &#8220;not applicable&#8221; in some scenarios? Please let me know by either commenting, or if you prefer, email me.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 06 May 2008 06:58:15 +0200</pubDate>
			<title>The quest for the grail: Identity Providers in the cloud</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2008/05/06/the-quest-for-the-grail-identity-providers-in-the-cloud/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2008/05/06/the-quest-for-the-grail-identity-providers-in-the-cloud/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>These days I have had a briefing with John De Santis, Chairman and CEO of TriCipher, about the new <a title="myOneLogin" href="http://www.myonelogin.com/" target="_blank">myOneLogin</a> service. This service provides strong authentication and Single Sign-On for SaaS applications, supporting many SaaS apps as well as features like SAML-based federation to the few SaaS providers which are already at that level.</p>
<p>One of the things John mentioned was that Salesforce.com has allowed Google to be the authoritative source of identity assertion. In that relationship, Google is acting as identity provider. Besides the question of whether Google is the best choice to trust for that, this leads to another question: There is no established identity provider in the so called &#8220;cloud&#8221; [By the way: Has the term "cloud" been chosen because everything out there is a bit "cloudy" in the sense of "fuzzy"?].</p>
<p>Yes, there are many. There are OpenID providers, there are some providers in the Infocard business, there are all these online providers and so on. But right now there is no trusted identity provider for the real online business, neither in the Identity 2.0 space nor in the area of business applications which are delivered as SaaS.</p>
<p>Covisint is probably the one which is closest to filling this gap, at least in some industries like automotive and healthcare. Their approach is to act as identity broker between suppliers and manufacturers or between different parties in the healthcare market.</p>
<p>Verisign is addressing this segment as well with their VIP strategy (Verisign Identity Protection), but from a technical perspective they have some way to go to support things like Infocards or SaaS authentication. [By the way: For sure, in the SaaS market there is also the need for SaaS providers to fully support federation and open up their apps for easier external management.] Arcot Systems might become a player in that market as well, given their current business, the technology and the experience they have.</p>
<p>But: Who will be *the* Identity Provider? It might be one of the companies I&#8217;ve mentioned. The online providers probably won&#8217;t fill the gap. It probably won&#8217;t be Google or some other big player - the trust problem there is the same as with Microsoft Passport some years ago. It might be Telcos or postal services for their regional markets. It might be the credit card organizations. Or it might be someone new in that market, who appears at some point in time, tells the best story and finds the grail. I personally believe that the leading trusted identity provider for business transactions might be sort of the next Amazon or Google - someone who becomes really big. Thus, it is time to start the quest for the grail. There are several players which might participate in that quest. Some have started, some think about it and some still don&#8217;t know that there will be a quest.</p>
<p>Let&#8217;s wait and see who is successful in that quest. Oh, you might argue that the idea of such a big identity provider is contradictory to the Identity 2.0 ideas. First of all, it is not contradictory to the needs of SaaS business. And with respect to Identity 2.0 - when it comes to transactions and not only interactions, you need someone to rely on. That might be some strong players, like in the credit card space. But it won&#8217;t be many because you won&#8217;t trust too many different parties for your transactions.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 06 May 2008 01:06:50 +0200</pubDate>
			<title>Identity Bus round-table video online!</title> 
			<link>http://blogs.kuppingercole.com/gaehtgens/2008/05/06/identity-bus-round-table-video-online/</link> 
			<guid>http://blogs.kuppingercole.com/gaehtgens/2008/05/06/identity-bus-round-table-video-online/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/gaehtgens">Felix Gaehtgens</a><br><br><p>As I already wrote in my last blog, one of my personal highlights at the European Identity Conference was the discussion that I had with Dale Olds, Jackson Shaw, Kim Cameron and Dave Kearns on the concept of the &#8220;Identity Bus&#8221; of the future. It&#8217;s now online! So here you go, enjoy <img src='http://blogs.kuppingercole.com/gaehtgens/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> </p>
<p><object width="780" height="445"><param name="movie" value="http://www.youtube.com/cp/vjVQa1PpcFN5N0HNgSXS5aHvEJAl2vzTl4voGW3asCg="></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/cp/vjVQa1PpcFN5N0HNgSXS5aHvEJAl2vzTl4voGW3asCg=" type="application/x-shockwave-flash" wmode="transparent" width="780" height="445"></embed></object></p>
<p>We&#8217;re obviously just at the very beginning, but hopefully we&#8217;ve kicked off a good discussion to be continued via our blogs, papers, etc! I think it is very important that we do this and solve many issues around identity. A new type of identity plumbing, indeed. Let&#8217;s keep up the momentum that&#8217;s been building over the last few weeks - now is the time to do it <img src='http://blogs.kuppingercole.com/gaehtgens/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p>Thanks to my colleagues Bernd and Alexei who&#8217;ve been working hard to digitalise and cut the videos that we&#8217;ve shot at the European Identity Conference 2008. And of course, a big THANK YOU from my side to Dale, Jackson, Kim and Dave!</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 01 May 2008 20:12:29 +0200</pubDate>
			<title>Survived EIC 2008!</title> 
			<link>http://blogs.kuppingercole.com/gaehtgens/2008/05/01/survived-eic-2008/</link> 
			<guid>http://blogs.kuppingercole.com/gaehtgens/2008/05/01/survived-eic-2008/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/gaehtgens">Felix Gaehtgens</a><br><br><p>The European Identity Conference 2008 closed its doors last Friday, and for me it has been a fantastic event in all aspects. Obviously you should take my comments with a grain of salt as I am working for Kuppinger Cole and am therefore part of the organising team. However, I have never before attended a conference that combined such a breadth of topics, number and quality of speakers and depth. Many conferences are either at the &#8220;C*O level&#8221; or pure &#8220;geek conferences&#8221;. At the former, the geeks still intermingle since they are brought to the event to do exactly that, or to showcase their solutions. At the latter, it&#8217;s mostly tech-talk, pure and deep. EIC 2008 covered the whole range and therefore appealed to everyone as well as offering unique opportunities to learn more about the topics from other points of view.</p>
<p>The agenda was packed, and including BoFs (birds of a feather sessions) many days went straight from 7 in the morning to 7 in the evening. I was actually surprised that so many people actually showed up at 7 AM for the integrated breakfast + BoF sessions. And yes - unfortunately having many tracks going on in parallel can be frustrating for those who are interested in multiple topics at once. But I think the track organisation has been done pretty well after a lot of fine-tuning, and besides - we&#8217;d all love to meet for two weeks, but nobody in charge would sign off on the travel request! <img src='http://blogs.kuppingercole.com/gaehtgens/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p>The identity federation track that I moderated was packed to the brim. Good to know - we definitely need a larger room for next time! Some people were standing, and we had to open the windows. Conor Cahill kicked off the track to give an overview of the technology within the area. He had a lot of ground to cover, and since the agenda was packed, I joked that he had agreed to speak faster in order to keep the presentation to 30 minutes. In fact that&#8217;s exactly what he did - finishing with still 5 minutes left for questions. He just emailed me his presentation and it will go online tomorrow to join all the other presentations already downloadable (those who attended the conference will have received the link). We followed with an experts panel discussing the current state of federation technology and where it&#8217;s likely to go, and where new technologies such as information cards will fit in. After that we had two user presentations: Anton Shmagin from the United Nations talked about building a unique multi-technology and multi-protocol federated circle of trust in three months and how the organisational, political and of course technical challenges were solved. After that, Brian Puhl spoke about Identity Federation tales from the trenches at Microsoft. Brian is a real barnstormer and his presentations are excellent, funny, insightful and offer many nuggets of information that you wouldn&#8217;t get anywhere else. He is in Microsoft&#8217;s IT department, and in charge of Microsoft&#8217;s internal Active Directory systems. He uses the term &#8220;dogfooding&#8221; to describe what he is often asked to do - use beta versions coming from development and putting them to production use in such a large environment - and then putting out the fires. I&#8217;m sure he has many of the developers&#8217; mobile phone numbers on speed dial!
After the user presentations we had a vendor panel, which gave everybody the chance to exchange jabs and score points, as well as explain their specific vision and value-add. And we could have gone on, but there were only three hours for the track - hardly enough to &#8220;cover it all&#8221;. Several presentations on federation were also to be found on some of the other tracks and workshops and were usually very well attended - an indicator of how important the topic is.</p>
<p>Conferences give a unique opportunity to meet up with peers, and for me this has been the perfect opportunity to network with users, customers, vendors and experts in the field. One of my personal highlights has been a 45 minute talk with Dave Kearns, Kim Cameron, Jackson Shaw and Dale Olds where we discussed the future &#8220;identity bus&#8221; concept that Microsoft&#8217;s Stuart Kwan introduced at the Directory Expert Conference in March. Following that announcement there&#8217;s been quite a bit of speculation about what such an &#8220;identity bus&#8221; might look like, and what it would replace. In my opinion, this &#8220;identity bus&#8221; would be the future foundation of identity management, like today&#8217;s directory services. Our discussion has been videotaped, and our cameraman Bernd almost broke down after carrying that heavy camera on his shoulder once the interview was over.</p>
<p> <a href="http://www.kuppingercole.com/gallery/eic2008/0066.jpg.html"><img src="http://www.kuppingercole.com/gallery/get/2046/0066.jpg" alt="Dave, Kim, Jackson, Dale and Felix discuss the " width="200" height="134" /></a></p>
<p>Joerg also sent me out with Bernd the cameraman to do several video interviews with some of the important players in the space. These interviews are currently being converted into streamable format and will be posted on this site &#8220;real soon now&#8221; (TM). Watch this space <img src='http://blogs.kuppingercole.com/gaehtgens/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /></p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 29 Apr 2008 17:54:15 +0200</pubDate>
			<title>Key Risk Indicators between Business and IT</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2008/04/29/key-risk-indicators-between-business-and-it/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2008/04/29/key-risk-indicators-between-business-and-it/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>Key Risk Indicators (KRIs) are metrics for Risk. Most of the metrics discussed today focus on either pure business aspects or, with IT and Identity Risk Management, on technical aspects. How long does it take to provision accounts in different systems? How many orphaned accounts do you have in different directories? &#8230;</p>
<p>But: There is another layer of KRIs which has to be monitored. For example: How long does it take until an organizational change is known to the provisioning system? The provisioning process might be extremely fast - if it isn&#8217;t started, it is still far too slow.</p>
<p>Thus, I propose to define four layers of KRIs:</p>
<ul>
<li>Business KRIs</li>
<li>Business-IT KRIs which measure the interaction of Business and IT</li>
<li>High level IT KRIs like the orphaned accounts or the performance of provisioning processes</li>
<li>System level IT KRIs for specific aspects of the single systems</li>
</ul>
<p>That maps perfectly to my three layer view of Identity Management, with the GRC layer (Business to IT), the provisioning layer (High level IT), and the system level. KRIs on different levels can be combined for a complete view on risks. That is inevitable because, as mentioned above, there might be a low risk on one level but the overall risk might still be high.</p>
<p>In general, using KRIs is an interesting approach not only to know about risks but to measure and improve your organization - and not only IT.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 15 Apr 2008 00:20:18 +0200</pubDate>
			<title>Managing External IDs</title> 
			<link>http://blogs.kuppingercole.com/rohr/2008/04/14/managing-external-ids/</link> 
			<guid>http://blogs.kuppingercole.com/rohr/2008/04/14/managing-external-ids/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/rohr">Sebastian Rohr</a><br><br><p>Have you ever encountered procedural problems while re-engineering your hiring, retirement or resignation processes to adapt them to your brand new IAM solution? Did you feel that modifying your IAM system to cope with all the different requirements, access rights and approval chains might as well be tackled through writing your own IAM system? Fine! Then you are in the best company you can imagine, because almost everybody went through that deep sorrow you feel. Now imagine you have to do this all for each and every external identity your company deals with in every business unit - do I hear a muffled sobbing, or - is it somebody screaming loud and running away in pain?</p>
<p>The average IAM project already comes to its limits with managing all internal identities, logins, usernames and access levels one can have. Adding external resources and having them provisioned with all necessary rights - and especially restrictions! - may well go beyond what your vendor claimed his software was capable of doing. That is seldom a matter of technology, or better, seldom ONLY technology related, but deals greatly with managing the rather weird processes of hiring and getting rid of external labour resources. Want an example? Here we go:<br />
imagine a big broadcasting company, or even better one of the monolithic public broadcasting services here in Germany.<br />
Now imagine this behemoth has to deal with new media, such as IPTV, on-demand content and the like - could and would this be done by internal resources?<br />
I bet there would be dire need for some technophilic and hip member of the blogosphere to chip in his techno-magic skills!<br />
With deadlines approaching fast and youngsters being too reluctant to get an official full-time employee (FTE) working contract (not that positions like these could not be generated out of thin air at a public broadcasting station!), one would aim for the &#8220;external editor&#8221; model. So far - so good!<br />
Now that our young hero is NOT going to be an FTE, the usual way of getting him access to networks, laptops, servers and apps - the way through the HR hiring process - will definitely not work for him. He will not get an HR ID as he will not get regular payments, and as such he will not be provisioned through the official channels. Maybe HR does not even get involved until some later point in time if the chief editor has his own budget for external workers.<br />
In addition, the standard processes would not be of any assistance as the new guy would need access to systems that are probably not part of the global provisioning procedures or - even worse - that guy would need administrative access to some production machines!<br />
Therefore, designing special processes for hiring and changing externals as well as managing access rights and privileges for them without having to get them into all the internal directories and databases is definitely a MUST for big IAM projects. Roles and rights management should accommodate external and internal resources - thus making exceptions the norm.<br />
Really sounds like a nightmare, huh?<br />
Come to EIC 2008 and join my colleague Felix Gaehtgens and me in our session &#8220;Managing External Identities&#8221;!<br />
Looking forward to meeting you in Munich and finding ways to wake up from that nightmare!</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Wed, 26 Mar 2008 17:52:05 +0100</pubDate>
			<title>Meta-directories? I’d say quaint, but not quite dead.</title> 
			<link>http://blogs.kuppingercole.com/gaehtgens/2008/03/26/meta-directories-id-say-quaint-but-not-quite-dead/</link> 
			<guid>http://blogs.kuppingercole.com/gaehtgens/2008/03/26/meta-directories-id-say-quaint-but-not-quite-dead/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/gaehtgens">Felix Gaehtgens</a><br><br><p>An interesting conversation is taking place within the blogosphere about meta-directories, with Dave Kearns and Kim Cameron on both sides of the argument. This was all inspired by a <a href="http://jacksonshaw.blogspot.com/2008/03/you-wont-have-me-to-kick-around-anymore.html" title="Jackson Shaw: You won't have to kick me around anymore!">blog entry on the 4th of March from Jackson Shaw</a> called &#8220;You won&#8217;t have to kick me around anymore!&#8221;. That musing was about HP&#8217;s retreat from the identity management market, but makes a statement about meta-directory technology:</p>
<blockquote><p>Let&#8217;s be honest. The meta-directory is dead. Approaches that look like a meta-directory are dead. We talk about Identity 2.0 in the context of Web services and the evolution of digital identity but our infrastructure, enterprise identity &#8220;stuff&#8221; is decrepit and falling apart. I have visions of <em><span style="color: #cc0000">identity leprosy</span></em> with this bit and that bit simply falling off because it was never built with Web services in mind.</p>
<p>I started in this area in 1993 and some of the same architectures are still out there.</p></blockquote>
<p>That certainly struck a chord with me when I read it. Dave Kearns <a href="http://www.networkworld.com/newsletters/dir/2008/0310id1.html?nlhtident=ts_031008&amp;nladname=031008security:identitymanagemental" title="Dave Kearns: Is the Meta-Directory dead?">picked up the topic in his newsletter</a> when he wrote about Optimal IDM, the new virtual directory kid on the block, and made the case that meta-directories have &#8220;finally given way to the virtual directory&#8221;. Kim Cameron picked up Dave&#8217;s entry and disagreed. Up to now, this has led to an interesting ping-pong of opinions between Dave and Kim, which has not exactly been easy to follow, not just because new contributions are still being made on a daily basis, but also because Kim uses the term &#8220;meta-directory&#8221; to mean something different from what Dave (and I) understand by it. I am going to take this opportunity to jump into the commotion as well, knife not freshly sharpened, but armour freshly polished! <img src='http://blogs.kuppingercole.com/gaehtgens/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p>First of all, to clarify what &#8220;meta-directory&#8221; means (at least, to me!). I am thinking about &#8220;Via&#8221; (Kim&#8217;s baby, the product that Microsoft acquired in 1999 together with Kim&#8217;s company, Zoomit). I&#8217;m also thinking about Novell Dir-XML, Siemens DirXmetahub and the Critical Path Meta-Directory Server. Old products, created many years ago. You don&#8217;t really see much happening with this technology any more, because it has its share of problems, and unless assisted with other technologies, does not fit well into today&#8217;s much more dynamic identity and access models. The only exception to that is probably MIIS, but I&#8217;ll get to that in a minute.</p>
<p>The old traditional &#8220;meta-directory&#8221; technology works by creating one big &#8220;centralised directory&#8221; (or &#8220;metaverse&#8221; as it&#8217;s known in MS-speak), pulling data from everywhere into that centralised directory and then pushing data out in all directions. This approach is usually not a good fit by itself, because it has several significant shortcomings. I would not go as far as to call the technology &#8220;dead&#8221; (it&#8217;s impossible to ignore the many MIIS installations out there), but I&#8217;ll call it something else: &#8220;quaint&#8221;. Now that word has several meanings according to the dictionary, but I sure don&#8217;t mean &#8220;marked by skillful design, beauty or elegance&#8221;!!!</p>
<p>Microsoft has made an investment in that technology by rewriting MIIS pretty much from scratch. And Siemens to this date probably has the most comprehensive and advanced meta-directory implementation with its DirXmetahub component that is part of its Dir-X offering. Nevertheless, meta-directories are arguably still around mostly because Microsoft forces this technology onto its customers for what I think are political reasons: Several people working for Microsoft in the field have told me that it was in Microsoft&#8217;s interest to have Active Directory as a central component, and believe it to be against Microsoft&#8217;s interest to have a &#8220;filtered access&#8221;, such as a virtual directory in front of AD, abstracting information away from what should be the authoritative source. I never really understood this fear, but recently it seems that this brick wall may be slowly starting to crumble (see below).</p>
<p>Some experts in the field still obstinately (in my opinion) push meta-directory technology as the only way to integrate multiple sources of identity information. I think this is very short-sighted. This might have been true in the last century, which is not even that long ago. But in a truly dynamic environment, meta-directory technology and a &#8220;synchronisation-only&#8221; approach just tends to get in the way. Likewise, the idea that virtual directories by themselves could solve all integration issues is wrong. It&#8217;s never been only one or the other, <strong>unless</strong> you had a <strong>specific</strong> problem to solve. It&#8217;s not synchronisation or virtualisation. You need both, at least if you are in a dynamic identity environment, or have a vision to get there.</p>
<p>So what is the solution for the future? Some people believe that virtual directories will eventually fully supplant meta-directories. Coming from the virtual directory world myself (I worked for Symlabs before joining Kuppinger Cole), I never truly believed that - at least not with the virtual directories that were around at that time. Virtual directories and meta-directories could co-exist, and the combination of both had in the past shown great benefits. Think of it as the screwdriver vs. the hammer. Sure, with some brute force you might argue that you can use a hammer to put a screw in, and with some agility you might use a screwdriver to hammer in a nail. But you&#8217;re likely to damage something along the way, or at best, not be very practical about it.</p>
<p>I think the future is definitely in the convergence of traditional directory servers, virtual directories and synchronisation solutions to provide rock-solid dynamic directory infrastructure. To a certain extent we can already see this. Maxware (before getting acquired by SAP) and Radiant Logic have already released early, basic versions of synchronisation solutions that harness the power of virtualisation and combine synchronisation with dynamic, abstracted multiple views of data, rather than the static meta-directory approach.</p>
<p>In the future I believe we will see &#8220;super-directories&#8221; that combine traditional data storage with LDAP access, virtual views and synchronisation features. Some of the players in this space are gearing up to do this already. As synchronisation is usually well-established technology by most of the large players in the identity management space, the missing part is currently still virtualisation, and especially the integration of virtualisation and synchronisation.</p>
<p>Sun and the OpenLDAP foundation, for example, have already added some basic virtualisation features to their directory servers. Oracle acquired OctetString a while back, and has arguably the most complete, all-around implementation of directory services, synchronisation and virtualisation. Novell, IBM and Microsoft are still lagging behind in this space, with some of the &#8220;old guard&#8221; defiantly resisting directory virtualisation and hanging on to last century&#8217;s belief that synchronisation can solve everything. But there are signs that this resistance is crumbling. It better be. Recently, at DEC2008, Microsoft&#8217;s Stuart Kwan presented Microsoft&#8217;s vision of a truly dynamic identity infrastructure based on an &#8220;identity bus&#8221;, where applications could plug in, and &#8220;transformers allow us to fold, spindle and mutilate the data in any way we want&#8221; - changing internal claims into any other format required by applications. Surely virtualisation is not the only piece that is needed to fulfil such a vision, but it is an important (and still missing!) piece. Kim Cameron has not been known to be a big fan of virtual directories - and he still shows some scepticism for the &#8220;virtual only&#8221; approach, but seems to be warming to virtualisation in combination with synchronisation in one of his <a href="http://www.identityblog.com/?p=943" title="Kim Cameron: Joined like head and tails">recent postings</a>:</p>
<blockquote><p>So we are led to the conclusion that we need a spectrum of synchronization and remote access capabilities. We should be able to use policy to define what information is stored where, and how to get to information that is not stored locally - e.g., combine metadirectory and virtual directory functionality.</p></blockquote>
<p>I pretty much agree with Dave and Jackson in that traditional meta-directory technology just doesn&#8217;t cut it anymore, at least by itself, and is at best &#8220;quaint&#8221;. I very much agree with Kim in what I think is his vision of a future &#8220;super directory service&#8221; that integrates synchronisation and virtualisation with traditional directory services. Where I completely have to disagree with Kim, however, is his use of the term &#8220;meta-directory&#8221; for this new type of &#8220;super-directory&#8221; technology. OK, I agree that &#8220;super directory&#8221; sounds a bit tawdry. A better term should be found. But c&#8217;mon Kim, &#8220;meta-directory&#8221; is sooooo&#8230; 20th century <img src='http://blogs.kuppingercole.com/gaehtgens/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /></p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Wed, 12 Mar 2008 12:46:48 +0100</pubDate>
			<title>What’s Dick Hardt up to now?</title> 
			<link>http://blogs.kuppingercole.com/gaehtgens/2008/03/12/ping-identity-acquires-sxip-access/</link> 
			<guid>http://blogs.kuppingercole.com/gaehtgens/2008/03/12/ping-identity-acquires-sxip-access/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/gaehtgens">Felix Gaehtgens</a><br><br><p>Yesterday, the news hit the wire that Ping Identity had acquired the Sxip Access product line. I&#8217;ve written an article on the topic <a href="https://www.kuppingercole.de/articles/ping_sxip_120308">here </a>(you may need to register, but it&#8217;s free). When I heard the news, I immediately wrote to Andre and Dick asking them for some more info. Andre got back to me pretty much straight away (thanks, Andre!).</p>
<p>I was curious about the acquisition of the product line - and not the whole company. Many times in this space, whole companies are bought, especially when they are the size of Sxip. Andre confirmed that this had been Ping&#8217;s original intent - to acquire Sxip entirely. Ping had been interested mainly in the Sxip Access product line. Dick apparently wanted to keep the company Sxip and Sxipper, and knowing that Ping did not really have a major interest in Sxipper, the deal was for Sxip Access, and not for the whole company.</p>
<p>Since these were the &#8220;crown jewels&#8221; of Sxip, I am very, very curious what Dick Hardt is up to now. I&#8217;ve sent him a couple of emails, but I&#8217;m sure that I&#8217;m not the only one&#8230; I can guess what his Inbox looks like, so it&#8217;ll probably take him a bit to get back to me. So for now I can only guess! According to the Sxip press release, the company will now focus on consumer solutions, such as Sxipper. However, Sxipper was basically a freebie. Sxip is a commercial company, and needs to make money. Sxip can make revenue from future versions of Sxipper either through paid support, or by having a &#8220;light&#8221; and a &#8220;commercial&#8221; version. Or maybe Sxip will focus more on the consulting side.</p>
<p>I admit, I&#8217;m speculating. But I&#8217;m sure Dick is up to something, and as soon as I find out, I&#8217;ll let you know!</p>
<p><strong>Update</strong></p>
<p>Dick just got back to me and did confirm that in fact he is up to something:</p>
<p><code>Subject: Re: So what are you up to now?<br />
From:    "Dick Hardt" &lt;dick@sxip.com&gt;<br />
Date:    Wed, March 12, 2008 4:38 pm<br />
To:      "Felix Gaehtgens" &lt;fg@kuppingercole.com&gt;<br />
--------------------------------------------------------------------------</code></p>
<p><code>Hi Felix</code></p>
<p><code>We are looking at a number of revenue streams from Sxipper including a<br />
PRO version. Right now we are focused on building a great product<br />
that provides value to users and that they will trust. We have a 2.0<br />
release that is imminent.</code></p>
<p>I will be curiously awaiting what Sxip is going to be cooking next and report in due time. Good luck, Dick (although I don&#8217;t think you&#8217;ll need it because you seem to be on the right track)!</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 11 Mar 2008 03:28:55 +0100</pubDate>
			<title>DEC 2008 - Day three</title> 
			<link>http://blogs.kuppingercole.com/gaehtgens/2008/03/11/dec-2008-day-three/</link> 
			<guid>http://blogs.kuppingercole.com/gaehtgens/2008/03/11/dec-2008-day-three/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/gaehtgens">Felix Gaehtgens</a><br><br><p>WEDNESDAY, March 5th. Chicago, seems a tad warmer, but still too cold for my taste!</p>
<p>The last day of the conference was a short one for me - I had to leave around 11:30 to catch my plane. I had a nice long chat with Dieter Schuller from Radiant Logic, who brought me up to speed with their vision and technology. In my previous job Dieter and I were competitors, so we had a lot in common and of course knew each other&#8217;s products, but I got a much deeper understanding of Radiant Logic&#8217;s vision and approach to virtual directories. As I am currently writing Kuppinger Cole&#8217;s technology report on virtual directories (due before the European Identity Congress in April), this came in very handy. DEC 2008 has been an intense, and immensely rewarding experience, and my head is spinning! This has been my first, and certainly won&#8217;t be my last!</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Fri, 29 Feb 2008 17:26:09 +0100</pubDate>
			<title>The physical, the digital and the real world</title> 
			<link>http://blogs.kuppingercole.com/rohr/2008/02/29/the-physical-the-digital-and-the-real-world/</link> 
			<guid>http://blogs.kuppingercole.com/rohr/2008/02/29/the-physical-the-digital-and-the-real-world/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/rohr">Sebastian Rohr</a><br><br><p>During my recent analyst calls and briefings I came across a bunch of companies and products that all start to tackle an area I have been interested in for quite a while:</p>
<p>getting the &#8220;holistic security&#8221; approach well beyond the borders of our mindset - beyond the digital realm! Being a CISSP and full of interest for social engineering as well, &#8221;security&#8221; has always been a wider topic to my understanding. And it looks like the industry is catching up&#8230;</p>
<p>First of all, there are those companies that try to bridge the management gap between native systems of both worlds, such as IDpendant. Then there are companies such as Imprivata with their SSO appliance or Made4Biz with their &#8220;Dynamic Security&#8221; product, both of which use combined functionality of established time&amp;attendance (physical access management) solutions together with mechanisms in the IT access management (authentication) domain.</p>
<p>For IDpendant, the joint administration of access cards (time&amp;attendance with RFID, Legic/Mifare), digital identities and certificates is the main focus - one that I find to be most attractive, as lifecycle management for cards and certificates has only recently been added to the functionality of the Identity Lifecycle Manager, property of Microsoft. Microsoft&#8217;s solution does lack the &#8220;physical&#8221; side though, and that is where the XML-oriented middleware kicks in that IDpendant uses to get things together. Getting the RFID object out of the card and writing it to a field in the AD while creating a certificate through the CA at the same time AND getting the card layout printed to the blank card (personalization) is a pretty nice piece of integration work.</p>
<p>Now that Imprivata and Made4Biz are able to get the &#8220;attendance&#8221; part of the physical solutions as input for their authentication process, the &#8220;real integration&#8221; of the realms seems to be getting closer! Users can only log in to their workstations if they have previously swiped their access card - nice! Even if users share their passwords, misuse is countered through the deactivation of &#8220;absent employee users&#8221;.</p>
<p>Well, not all that shines is gold (uhh, German sayings&#8230;) - there are definitely flaws to that approach, but I see rising interest in the topic&#8230;</p>
<p>Would love to hear from you guys - thoughts, comments?</p>
<p>PS: on a side note, Imprivata&#8217;s &#8220;ProveID&#8221; concept is pretty cool - it actually provides IAM technology (authentication, that is) for applications without the need to implement that for each app. Quite the idea behind our KCP vision of layered IAM - simply an authentication layer that pops up any time you need it!</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Fri, 29 Feb 2008 16:54:21 +0100</pubDate>
			<title>User Centric IAM - all a lie?</title> 
			<link>http://blogs.kuppingercole.com/rohr/2008/02/29/user-centric-iam-all-a-lie/</link> 
			<guid>http://blogs.kuppingercole.com/rohr/2008/02/29/user-centric-iam-all-a-lie/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/rohr">Sebastian Rohr</a><br><br><p>I talked to my Sensei-san, Dr. Kpatcha Bayarou of Fraunhofer SIT, recently and although only having a few minutes, we came to some extreme views on what User Centric IAM really was about.</p>
<p>Power!</p>
<p>The power to control who gets access to what of my content and information! You are reading this text without disclosing anything about yourself, which is due to my totally hedonistic way of &#8220;sharing the knowledge&#8221; <img src='http://blogs.kuppingercole.com/rohr/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> . Ok, one might say it is to lure some of you into registering for this site, for our newsletters and even some of the reports. That is, to get YOUR IDENTITY and YOUR MONEY ;-) Do you get a feeling where this will go?</p>
<p>Until recently, anybody who had something to offer on the internet (or elsewhere in the brick&amp;mortar world) would request your registration to do business with you. This was tedious, had lots of flaws and still puts a lot of burden on us consumers, especially the ones with the infamous &#8220;Geiz ist geil&#8221; attitude, always hunting for the best price of a merchandise. These bargain hunters would willingly subscribe anywhere and register with any online shop where they would be able to buy something marginally cheaper or get their hands on a shiny new gadget first. Well, we all did this sometime, somewhere, didn&#8217;t we? It may even have been just to get a special software that we would need to get something done quickly&#8230;</p>
<p>There the bargain hunters end up with a multitude of logins and passwords, as if we had known it. The background is the same everywhere: somebody who has something we want won&#8217;t let us have it until we sacrifice/disclose some of our identity information. Actually these people have power over us, and they are executing it freely. We seem to ignore this fact, as we are so much used to &#8220;register for free&#8230;&#8221;. This is seldom &#8220;free&#8221;, we pay with facets of our identity, and those are valuable to me.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Sat, 26 Jan 2008 18:38:35 +0100</pubDate>
			<title>It is not possible, that a single trader like Jerome Kerviel burns 5bn Euro</title> 
			<link>http://blogs.kuppingercole.com/resch/2008/01/26/it-is-not-possible-that-a-single-trader-like-jerome-kerviel-burns-5bn-euro/</link> 
			<guid>http://blogs.kuppingercole.com/resch/2008/01/26/it-is-not-possible-that-a-single-trader-like-jerome-kerviel-burns-5bn-euro/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/resch">Joerg Resch</a><br><br><p>It is absolutely impossible that somebody in a position like Jerome Kerviel can hold trading positions for 50 bn Euros and burn 10% of that amount. It is impossible, because</p>
<ul>
<li>banks nowadays would never rely on simple password protection for their trading systems.</li>
<li>they all have state-of-the-art identity management in place and manage business roles in a way that one single trader could not crash the whole bank</li>
<li>such big deals would always be routed through acknowledgement processes where duties are segregated</li>
<li>Strong Authentication techniques and strict authorization would let all employees of a bank feel that it is impossible to operate with multiple identities falsifying acknowledgement processes</li>
<li>risk dashboards would turn red and start screaming long before such a damage occurs</li>
</ul>
<p>And, just to be complete: no, it is not possible to attack PIN/TAN online banking transactions, ATM Cards cannot be falsified and it never rains in Hamburg.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Wed, 09 Jan 2008 16:51:48 +0100</pubDate>
			<title>identity theft &amp; offline fraud in banking industry</title> 
			<link>http://blogs.kuppingercole.com/resch/2008/01/09/identity-theft-offline-fraud-in-banking-industry/</link> 
			<guid>http://blogs.kuppingercole.com/resch/2008/01/09/identity-theft-offline-fraud-in-banking-industry/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/resch">Joerg Resch</a><br><br><p>In a <a href="http://blogs.kuppingercole.de/resch/2007/11/20/uk-public-services-pushing-identity-theft-to-a-new-level/">recent post</a>, I wrote about those 25 Million British people whose bank information had been &#8220;lost&#8221;. Jeremy Clarkson, a British TV presenter, wrote in his Sun newspaper column that such a loss is of no value for somebody who may now own this data. To prove this, he published his own Barclays Bank account information. He now had to admit that somebody exploited this information and transferred 500 GBP from his account to some welfare organization. So he either was lucky or didn&#8217;t have more on his account, I suppose.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 27 Dec 2007 23:41:12 +0100</pubDate>
			<title>Wow for VAAU!</title> 
			<link>http://blogs.kuppingercole.com/rohr/2007/12/27/wow-for-vaau/</link> 
			<guid>http://blogs.kuppingercole.com/rohr/2007/12/27/wow-for-vaau/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/rohr">Sebastian Rohr</a><br><br><p>Ok, nothing is more boring than yesterday&#8217;s news, I guess!</p>
<p>Despite this oh so true statement, especially in the blogosphere, I would like to rant about SUN&#8217;s recent acquisition of VAAU, a small company that offers tools around role mining and role engineering as well as compliance.</p>
<p>I had the sincere pleasure to work with some of the VAAU EMEA people and found both their tools and their approach to be very exciting. SUN in Germany is also very excited - at least the SUN guys I talked to lately - and they are eager to put their new tools to work exclusively, bearing in mind that VAAU was open to most IAM vendors before and will now probably go exclusive with SUN ID Management solutions. I&#8217;d say this is quite a punch for the remaining bunch&#8230;</p>
<p>Same as SAP has to prove that their Maxware deal was worth the price, SUN now has to make sure that the competitive advantage of exclusive access to VAAU technology can be supported with special ties and deeper integration with their IAM solutions. I intend to closely watch these guys next year, and probably have a chat or two with representatives of both sides! This is an invitation - but you know that, don&#8217;t you?</p>
<p>See you all soon</p>
<p>Sebastian</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 27 Dec 2007 23:21:57 +0100</pubDate>
			<title>Hello World…</title> 
			<link>http://blogs.kuppingercole.com/rohr/2007/12/27/hello-world/</link> 
			<guid>http://blogs.kuppingercole.com/rohr/2007/12/27/hello-world/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/rohr">Sebastian Rohr</a><br><br><p>Welcome to <em>my</em> world of Digital Identity - hopefully it will be as entertaining (and hopefully at least slightly insightful) for you to read as it is for me to write!</p>
<p>First of all, I would like to post my own vision of digital identities - which might slightly differ from what others think&#8230; there are some people out there who have rather far-fetched visions, driving the future of how our digital lives will look in some five to ten years or even beyond that. What I would like to sketch is rather short-sighted for being called a vision, nonetheless this is far from being reality, to my own regret!</p>
<p>Let us start with our normal daily identity treadmill - booting my PC and&#8230; logging in&#8230; Ok, well&#8230;starting my Email client and&#8230; logging in! Getting a nice message that my Blog is online, and these &amp; that are the credentials to&#8230; log into it. Catch my drift? Anyway, we all know this and there are products out there to tackle these problems, some doing a great job, some only improving the situation slightly. Most of these solutions come as enterprise packages, with lots of administration and a beautiful (or not so beautiful) GUI to tweak and turn. So, my work place identity/-ies are taken care of. Nice! But what happens with the &#8220;other&#8221; digital identity, my personal, private one? There is no admin to take care of it, there is no ID management tool that coordinates and keeps track of everything. And if there was - how would this thing cope with me being on the road all the time?</p>
<p>Well, there are tools for this also, one might say. And yes, some of them are pretty elaborate, mainly those based on some sort of USB memory stick with security functions. None of those do offer me the security and usability I would be looking for, though! What happens if I lose the USB stick? What happens if I change the password to access it, and then forget the right password due to me being only a lazy human?</p>
<p>As I had the pleasure to speak at a security conference lately, I was bound to ask: where is my digital driver&#8217;s license? (courtesy of Dick Hardt, some will remember!). But could Dick be more accurate? His analogy holds true in most scenarios! Often I only need to prove that I am of a certain age to access &#8220;content&#8221; - and we have our own little identity crisis here in Germany around this since the BGH (Federal High Court) ruled that XXX content needs to be protected by proper age verification. In other scenarios, it is only necessary to prove that I am that certain guy who registered some account and needs access to it. No need to disclose &#8220;real&#8221; personal info - just a verification that I have a valid claim to access the information in question. Thus, claims-based ID management, such as discussed by Kim Cameron, comes into play (but this is really the future, I guess - I won&#8217;t start wishful thinking until next year!).</p>
<p>One could come up with more and more of these scenarios, each with small but significant deviations from each other. Most of those could be tackled with some sort of digital driver&#8217;s license, I presume. And I would be more than happy to get my hands on Dick Hardt&#8217;s digital driver&#8217;s license any time soon&#8230; just to check out if I could buy Vanilla Stoli with it in Canada!</p>
<p>Cheers and a wonderful Christmas time as well as a perfect New Year&#8217;s Eve!</p>
<p>See you all soon</p>
<p>Sebastian</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 20 Dec 2007 17:05:01 +0100</pubDate>
			<title>Customer Identities at Vodafone</title> 
			<link>http://blogs.kuppingercole.com/resch/2007/12/20/customer-identities-at-vodafone/</link> 
			<guid>http://blogs.kuppingercole.com/resch/2007/12/20/customer-identities-at-vodafone/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/resch">Joerg Resch</a><br><br><p>Today, I had to put an end to a story lasting for months now, where I tried to change the mobile phone contract I have had at Vodafone since 1996, by cancelling any contract which may exist under my name/my address/my bank account number/my customer number(s). It all started when my employer was generous enough to take over my phone contract. Therefore, invoice address and bank account information had to be changed. I wanted to take this occasion and get rid of some add-ons I had been chased to subscribe to through aggressive telemarketing, which I actually never used and did not miss. And I wanted to change from one flat-rate type to another one better suiting my phone habits.</p>
<p>As telcos in general may not be too famous in terms of customer service quality, I did not expect it to be easy.  But what happened was far beyond my imagination:</p>
<p>The first trial (