Catalyst Conference 2008

March 02, 2008

So many identity conferences, so little time

Blogger: Gerry Gebel

If you use conferences as a guide, then identity management is hotter than ever. It seems a month doesn’t go by without at least one event that is identity-related, and March 2008 is no exception. In fact, I’m participating in two conferences this week in Europe – where the list of interesting identity-related events continues to grow. On Monday, I’ll be at the Net ID 2008 conference in Basel, Switzerland talking about SharePoint access and identity management. I’ll also be on a panel discussing interoperability – a favorite topic of mine, so this should be fun.

Later in the week, I’ll be presenting at the ic Consult conference at BMW World in Munich. My presentation is titled “IdM Markt, Schwerpunkt SSO” (IdM Market, Focus on SSO) in the program, but rest assured I will be doing this in English and not torturing the audience with my meager German language skills! The guys at ic Consult always put on a great program – I’ve had the great fortune to participate in their fall event that happens to coincide with Oktoberfest… In any language, it’s remarkable that, as an industry, we haven’t done more to ease the authentication burden for end users. Certainly, there are enough technologies to choose from: passwords, smart cards, PKI, federation, E-SSO, Kerberos, SPNEGO, GSS-API, and the list goes on. But the problem, if anything, is getting worse.

In addition to talking about SSO in Munich, we’ll be focusing quite a bit of attention on authentication at Catalyst this June. My colleague, Mark Diodati, is leading the charge on that topic and you’ll hear more from him about it between now and the conference.

Novell rounds out the March conference schedule with their BrainShare event in Salt Lake City. While not exclusively focused on identity, Novell includes a heavy dose of it on the agenda. And one of the better features is that this conference is local to the Burton Group headquarters. Hope to see you on the road, or on home territory this month. 

February 15, 2008

Moving beyond command and control

Blogger: Gerry Gebel

Lately, I’ve been thinking a lot about the big challenges of the identity management industry as it’s currently constructed. The tag line I’ve been using is that “the end of command and control is near” – as far as the way we approach the administration and control of access to systems and resources. Our collective IT admin culture is to control every aspect of access to systems in our domains – registration, credential issuance, authentication, access administration, and so on. Such an approach is reminiscent of the X.500, top-down hierarchical ways that are so difficult to implement within dynamic, fluid organizations. This works relatively well, however, if most resources and users exist under the same roof – but that is rapidly changing as businesses and organizations become increasingly distributed. Can IdM technologies and administrative practices keep up with the pace of change?

The current generation of IdM products actually reinforces the traditions of centralized control structures. Technologies such as user provisioning, federation, and of course PKI rely on excessive coordination and orchestration to be optimally implemented. Highly distributed and massively scalable organizations can’t operate in this manner, and it’s not too far from your future to tackle problems like: onboarding 100 million new users during a weekend marketing campaign, enabling 500 new joint ventures or partnerships and decommissioning 600 others in a couple months, or operating an application that reaches a billion users. How well do you think it will work with today’s tools and approaches?

Evidence of change and evolution is all around us. The globalized economy applies pressure to and creates opportunities for modern organizations. Enterprises are driven to focus on core competencies – and outsource or offshore everything else. Software as a Service (SaaS) companies continue to emerge and are growing steadily; some studies estimate that SaaS applications will represent more than half an organization’s business application portfolio over the next 5 years.

Executive management understands new business dynamics and seeks ways to leverage them for business advantage. IT and security departments, for the most part, haven’t gotten the message yet. It’s hard to let go of the command and control mindset that’s been ingrained in our thinking. You’ll recognize the ailment if you see or hear symptoms like:

  • Access to our applications is only permitted if we issue the credentials
  • I don’t trust their identity management systems or practices
  • We must collect as much data on partner users as we do for our own employees in order to vet them
  • “Can’t we solve this with PKI?”

Technologies like federation help us make incremental advancements beyond the command and control approach. If we permit authentication to occur outside our domain and project this information through a federation exchange, that’s a sign of progress. However, federation products, as they are currently constructed, still require considerable coordination between parties in order to establish the connection: we focused on this issue at Catalyst last year. So, it was interesting to see the recent video sparring between Sun and Ping Identity regarding what they’ve done to address this from a technology perspective. To follow up, we recorded a podcast this week with Sun, Ping Identity, and Covisint – which will be available soon on the podcast site.

More incremental change is what we can expect in the near term until different identity business models emerge. Similarly, the introduction of OpenID and information card systems purports to change the dynamic by providing more user control over identity data, but this is in name only – businesses still determine what attributes are required to complete an e-commerce transaction and the user can select an information card that matches the business’ criteria. Real change happens when third party identity agencies and intermediaries proliferate and are utilized by Internet properties. Identity oracles, as described here, are examples of intermediaries that are beginning to appear in the marketplace.

Identity-based intermediaries and agencies handle the heavy lifting of identifying and vetting individuals, freeing enterprises and other relying parties to concentrate on managing access to applications. It’s another step toward more scalable and manageable business applications. At Burton Group we are dedicating a fair amount of time to exploring new identity business opportunities, in addition to all of the more tactical research areas we cover. Please join in the conversation throughout the year and especially at Catalyst in June and October.