February 8th, 2007

Global warming of the identity ocean

Posted by Eric Norlin @ 10:24 am



The big news out of the RSA conference is the announcement of a "marriage" of OpenID and CardSpace. For those that aren't up on the inner workings of user-centric identity: CardSpace is Microsoft's instantiation of the InfoCards Meta-system that Kim Cameron proposed several years ago; OpenID is a URL-centric identity protocol that has grown up with the grassroots nurturing of players like Sxip Identity, JanRain, Verisign, Cordance, Six Apart, and Netmesh. A while back, we made the prediction that OpenID would gain some serious traction this year, and this announcement of interoperability between CardSpace and OpenID effectively seals the deal.

For some time, Phil and I have been arguing that the release of CardSpace (in Vista) would not only jump-start the user-centric identity space, but also (and maybe more importantly) change the way the enterprise deployments architect their identity management solutions. That is to say that CardSpace will become as important *inside* of the enterprise as it is outside of it. Adding OpenID interoperability into this mix means that the long tail and non-Microsoft components of the internet will now be interacting with the obvious heft of the Microsoft machine.

For years, identity engineers and evangelists have been tirelessly laboring away to solve the user-centric identity problem — one that has always seemed to have a "boil the ocean" component. This "marriage" of OpenID and CardSpace won't boil the ocean, but it will definitely raise the global temperature of the identity ocean.

Bottom line: we now have the interoperability needed for a true internet-scale identity system. The only hurdle remaining is the big one — adoption.

February 1st, 2007

OpenID: gone phishing

Posted by Phil Becker @ 11:12 am


[Ed. The OpenID protocol is rapidly gaining momentum in the social networking arena. Exemplifying the momentum OpenID is gaining, Symantec recently announced that it would support OpenID in its Security 2.0 identity offering. As it is gaining visibility the OpenID protocol is being scrutinized more closely by those looking for it to handle identity usage in higher value applications. In this process, a discussion has arisen about OpenID's susceptibility to phishing attacks, and what the protocol might do about this fact.

This conversation has spurred a wider community to seriously consider the problem, both in OpenID and the more general case of any browser based identity protocol. Scott Kveton, CEO, JanRain, Inc. has written the following summary of this conversation to date. – Phil Becker]

David Recordon announced the latest draft of OpenID 2.0 to the OpenID general mailing list last week. The discussion that followed involved the lack of support in the latest specification for dealing with phishing. The argument is that since your OpenID could get you into all of the sites you visit on a regular basis, it will become a much bigger target for phishing from attackers. As the argument goes, users will actually be worse off than they are today because they will no longer be protected by just having one account that goes to one site hacked, they'll have all of them compromised at once.

Several people, including Microsoft's digital identity architect Kim Cameron, blogged on this raising considerable concern from the OpenID community and those looking to adopt the technology.

The most worrisome scenario was when a user is redirected to their OpenID provider to enter their password. The user has to trust that the OpenID enabled site they are trying to login to will redirect them to their identity provider and not some bogus phishing site. Really anytime a user has to enter a password into the browser we have cause for concern. However, once the user has logged in, they don't have to enter their password into the browser again until their session times out. This is actually an interesting opportunity. More on that in a bit.

As the discussions continued, several ideas emerged on ways to tackle the OpenID phishing problem:

Taken by themselves, these techniques don't give users enough protection against the risks they face. However, if you put a combination of them together, you have a much more compelling means with which to fight phishing.

Phishing has always been a difficult problem to solve but solutions exist on sites like eBay, PayPal and Amazon. The burden, however, has always been placed on the users to implement these personalized solutions. Unfortunately, it's not practical to expect that users will set up all of these anti-phishing tools for every single site they go to.

Enter OpenID. With OpenID, users build a strong relationship with their OpenID provider. They visit it every day when they turn on their computer or open a new browser window. Users will be able to set up several different anti-phishing measures on their OpenID provider and reap the benefits on every single site they go to. What we have here is the interesting opportunity I alluded to before. By employing the anti-phishing tactics described above and as OpenID begins to gain widespread adoption, we will see those very tools being a driver of OpenID.

The tough thing about these options is that they are difficult if not impossible to mandate in the OpenID specification without taking away from the core strength and main driver of adoption of OpenID today — simplicity. However, several of these features already exist on OpenID providers. Discussions are happening with Mozilla to integrate support for OpenID into Firefox 3.0. There are several extensions out that allow you to set visual cues for specific sites like your OpenID provider. And we already know that CardSpace and OpenID are working together. Not only that, the OpenID and CardSpace communities are having discussions on how to leverage each other's strengths to benefit users everywhere.

In spite of all the concerns, OpenID continues to gain adoption at a rapid pace. We are seeing 10 - 15 new OpenID enabled sites coming on-line each day. They are adopting the technology because of its simplicity, because it is decentralized, because it does just one thing really well. The technology will continue to evolve and will mature to answer the security implications we can think of today as well as the ones that will come up in the future. Most importantly, the response from the OpenID community has been astonishing and proof positive that this vibrant group of people is ready to deliver the next generation of digital identity.
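The redirect step that the discussion above worries about, as an added example that is not part of the post or of any OpenID implementation: it follows OpenID 1.1 HTML discovery (the openid.server and openid.delegate link tags) and the checkid_setup request parameters, but the identity page, hostnames and URLs are constructed for illustration. The point it makes concrete is that the relying party, not the user, chooses the page the user is sent to; the last function is the check a client-side identity selector or browser extension would have to make on the user's behalf (compare the origin of the page asking for the password with the provider that discovery actually found), which a user cannot be expected to do by eye.

```python
"""OpenID 1.1 redirect step, reduced to the part that matters for phishing.

Added example. The identity page, hostnames and URLs below are constructed
for illustration and belong to no real deployment.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit

# Constructed identity page, as a relying party (RP) would fetch it from the
# user's claimed URL (assumed here to be https://alice.example/).
IDENTITY_PAGE = """<html><head>
<link rel="openid.server" href="https://op.example/server">
<link rel="openid.delegate" href="https://op.example/users/alice">
</head><body>alice</body></html>"""


class _LinkFinder(HTMLParser):
    """Collects <link rel=... href=...> tags from an identity page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            self.links[rel.lower()] = href


def discover(identity_page):
    """OpenID 1.1 HTML discovery: (server endpoint, delegated identity or None)."""
    p = _LinkFinder()
    p.feed(identity_page)
    server = p.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link on identity page")
    return server, p.links.get("openid.delegate")


def checkid_setup_url(server, identity, return_to, trust_root):
    """The URL the RP redirects the user to; the password is typed at `server`."""
    q = {
        "openid.mode": "checkid_setup",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    sep = "&" if "?" in server else "?"
    return server + sep + urlencode(q)


def redirect_matches_op(redirect_url, discovered_server):
    """Client-side check: the origin (scheme, host, port) of the page asking
    for the password must be the origin discovery found, not a look-alike."""
    r, s = urlsplit(redirect_url), urlsplit(discovered_server)
    return (r.scheme, r.hostname, r.port) == (s.scheme, s.hostname, s.port)


def honest_and_phishing_redirects(claimed_url="https://alice.example/"):
    """Returns (discovered server, honest RP redirect, phishing RP redirect)."""
    server, delegate = discover(IDENTITY_PAGE)
    identity = delegate or claimed_url
    return_to, trust_root = "https://rp.example/finish", "https://rp.example/"
    honest = checkid_setup_url(server, identity, return_to, trust_root)
    # A malicious RP ignores discovery and sends the user to a look-alike host
    # (constructed name) that imitates the provider's login page.
    phish = checkid_setup_url("https://op-example.example/server", identity,
                              return_to, trust_root)
    return server, honest, phish


if __name__ == "__main__":
    srv, ok, bad = honest_and_phishing_redirects()
    print("discovered:", srv)
    print("honest   :", ok, redirect_matches_op(ok, srv))
    print("phishing :", bad, redirect_matches_op(bad, srv))
```

Only the honest redirect passes redirect_matches_op. The comparison is on origin rather than the full URL because the origin is what a browser-side check (or an address-bar cue) can reliably show the user; a look-alike host such as the constructed op-example.example fails it even though the query string is identical.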

January 29th, 2007

SCC tells the mid-market identity story

Posted by Eric Norlin @ 11:27 am


The RSA conference always serves as one of the two or three windows that the identity community uses to launch new products (the other two being Burton Group's Catalyst and our own Digital ID World conference). As such, the weeks leading up to RSA always feature a spate of new company briefings. These briefings span the spectrum from "good" to "bad" to "says something about how the identity market is developing." Last week, I ran across one of the latter.

Steve Slater is the Co-founder and President of Security Compliance Corporation ("SCC"), a startup that's focused on solving some of the compliance challenges that focus around validating user access to applications. Last week, he briefed me on SCC's Access Auditor and how it is solving some key compliance needs. The deluge of regulations around compliance (GLBA, Sarbanes-Oxley, etc) has served as a primary driver for identity adoption in recent years, especially for large, public companies. What hasn't been addressed as frequently is the compliance needs of the mid-sized enterprise.

SCC found in The PMI Group a client that fits that bill. The PMI Group is a mid-sized financial services company that has some fairly stringent compliance reporting requirements. They also have an environment that spans legacy (mainframe) systems and a multitude of applications. What The PMI Group does *not* have is the size of organization that they feel justifies a full-blown identity "suite" solution (and the accompanying compliance benefits). In short, the price tag and complexity of implementation of these systems outweighed the benefit of complying with financial regulations. 

SCC provided The PMI Group with a solution that covered A) the requirements, while B) adhering to cost and complexity guidelines. This sounds like every good market research, product management and product launch story, right? Yes, but I think it's also much more.

SCC's story betrays the beginning edge of the adoption of identity systems by the mid-size organization. Last year saw BMC and IBM launch identity products aimed specifically at this segment, and if SCC is any indication, we'll see more of the "big suite" vendors do the same.

Tapping into the SMB market has long been the bane of large software vendors, but that doesn't mean that independent, best of breed types don't have relative success. Their success comes from their ability to quickly answer a growing surge of mid-size customer demands — demands that *always* focus around ease of implementation and ease of administration/use.

Stories like SCC mean that the focus of product management groups inside of the larger identity vendors is about to change. That story will shift, in accordance with market demand, from providing an integrated shopping list of functionality to providing a solution focused on a customer's experience of implementation and use.

That story is a sign of an identity market that is vibrant and expanding. That story will become one of the primary themes of identity management products throughout the coming year.

January 22nd, 2007

Brian cracks the identity and web 2.0 problem

Posted by Eric Norlin @ 12:32 pm


I first met Brian Oberkirch at the Syndicate conference in San Francisco in December of 2005. At the time, I'm quite sure that he didn't know of my connection to Digital ID World, or identity in general. But, as so often happens in this small world we call "technology", I'm running into Brian again — this time around identity.

Brian's "day job" is social media. So, it was with great interest that I read a recent entry on his blog entitled, "OpenID, Portable Social Networks and the Darwoski Problem." In the post, Brian steps us through the logical progression of the great identity opportunity being missed by social networks (and I would add, "web 2.0" at large).

Brian's logical steps (why I should care about OpenID, social networks, etc) culminate in a crucial point: social media companies (his example is LinkedIn, but this applies across other companies as well) are so busy creating closed systems that they intend to "lock in" and "monetize," that they're missing the grand opportunity to become an open identity platform.

While I take Brian's statement to be a significant one, I actually take the timing of the statement to be more significant. The "identirati" (those of us obsessed with all things identity) have been arguing for Brian's point for quite some time. In Brian's statement, we see someone from the other side of the aisle reaching the *exact* same conceptual solution. The challenge, of course, is that many of the "next-generation" web 2.0 companies are still living in business models that are so 1.0.

The push of identity into the web 2.0 world is driven by the essential realization that identity *must* be abstracted from the silos of applications for the end-user to achieve the true benefits that identity contains. Not doing so results in more lock-in, more silos, more data breaches, and more dissatisfaction. The opportunity lies in a web 2.0 company that is willing to open up its identity stores to portability and a sense of user-centrism. Unfortunately, doing so would jeopardize the "aggregation of community" that so many web 2.0 companies are seeking. To date, no major web 2.0 company has truly opened up its identities (providing an API to allow us to access your silos of applications is *not* opening up). Suddenly though, it seems that pressure is growing for systems like OpenID to succeed.

If they do, we may be standing on the verge of a major victory in the identity world — a victory that hinges on Brian's realizations.

If they don't, we're just building a web 2.0 world of walled gardens. And that's not even web 1.0 - that's web 0.5.

January 11th, 2007

Debating the state of user-centric identity

Posted by Eric Norlin @ 12:34 pm


Every now and then a technical disagreement betrays the state of a marketplace. That phenomenon is currently happening in the user-centric identity trenches.

The players are Kim Cameron (InfoCards/CardSpace) of Microsoft on one side and Dick Hardt (OpenID) of Sxip Identity on the other.  The issue: Kim's recent allegations that OpenID will make identity *less* secure and possibly result in security breaches that will set the user-centric identity work back in the minds of users.

The debate highlights where we are with user-centric identity.

The technical details all focus around the need (or lack of need) for client-side identity selectors — with Kim arguing that it's necessary to prevent spoofing, and Dick arguing that the spoofing security threat is acknowledged and defensible via OpenID. But the technical details (and argument) are not the most interesting thing.

Arguments like this, as all engineers know, are common in the world of engineering. The reason is simple: the "engineer's mind" (versus the "marketer's mind") naturally seeks the "perfect solution." That's the blessing of the engineer's mind. It is, of course, also the curse.

As any student of technology history knows, the "perfect solution" has rarely won the battle of the marketplace. Instead, the solution that solved the problem set using "the principle of good enough", and *also* attained a critical mass of adoption has won. Does that result in further problems to be solved? Of course it does! That, my friends, is the cycle of innovation.

The current debate between Kim and Dick actually serves to show us where the user-centric identity market actually is. Several years ago, two groups were competing around federation standards (the Liberty Alliance and Microsoft/IBM's WS-* standards). For what seemed like forever, they held obscure debates about the details of the standards. Eventually, the market moved forward (seemingly without either group's help), and now today we find ourselves witnessing a new Liberty Alliance President saying that the "gloves are off" and they'd like to find ways to converge with the WS-* standards.

That simple, recent analogy shows us where we are with user-centric identity. We're on the verge of the market beginning to really adopt some technology. These conversations don't reach this level unless those involved see this potential.

In the meantime, the engineers will continue to debate the details, and that's good for all of us.

January 8th, 2007

Demand for post-admission NAC grows

Posted by Phil Becker @ 10:01 am


[Note: Eric is having trouble posting today, and I have posted this article for him. So "I" refers to Eric in this article. - Phil]

Prior to the holidays, I had begun to dig into some new briefings around NAC. Specifically, I was looking to hear from Trusted Network Technologies and Identity Engines — two startups that *began* with identity and ended up at NAC (instead of the other way around). I wanted to begin there because I know that I don't have to convince TNT and Identity Engines that "identity is center." Rather, we can dig right into what their markets are saying to them.

What I learned was that despite the fact that Identity Engines and Trusted Network Technologies are radically different companies, they're both experiencing the same push in their product architectures. That push centers around the idea that the abstraction of policy is a growing movement *across* both the network and application identity management layers. Allow me to explain.

NAC has traditionally been thought of as a "health check" for machines that are connecting to the network. As the marketplace for NAC has begun to demand post-admission capabilities, NAC has been forced to adjust from simple health checks into an identity-based foundation. And that adjustment is the result of a very basic need: the ability to perform fine-grained authorization (and the accompanying functions of enforcement, audit, etc.).  Notice the switch — from simple access control (health checks) to fine-grained authorization. The move from binary access (yes or no) to fine-grained authorization betrays a shift in mindset: from a defensible perimeter to a qualifier that identifies who can access what room.

Fine-grained authorization is *the* shift that NAC vendors will wrestle with all year, but it is not the endgame. The endgame (or, at least, next step in the endgame) is to abstract policy and its enforcement across both the network and application layers. Look for the startups like TNT and Identity Engines to begin working toward that level of cross-layer abstraction of policy by the end of next year.

And that is why I keep talking about convergence of application and network layer management around the concept of identity…

December 19th, 2006

Identity predictions for 2007

Posted by Eric Norlin @ 8:06 am


Having graded our identity predictions from last year, it's time to venture forth into the uncharted waters of 2007. The following are our divinations on what is to come:

1. Identity-related acquisitions will slow to a steady pace.

The acquisition market for identity companies has been very heated for the past two years. Several factors (economic cycle, market development, stage of technology cycles, etc.) will combine to slow the pace of that acquisition cycle. This is not to say that identity acquisitions are going to stop. It is saying that they are going to slow down — to a pace that is more normalized than we've seen the last two years.

2. Venture Capital continues to fund identity companies.

Funding of identity startups will continue in 2007 (as well as follow-on funding rounds), but we do see it shifting a bit.  The identity "analytics" space that suddenly sprouted around compliance should slow in its funding as. Additionally, the compliance automation space will most likely see primarily follow-on funding. On the other hand, we expect appliance-based identity startups to attract a lot of attention, as the channel successes of some young identity startups becomes more well known.

3. URL-based identity begins a cycle of real adoption in the blogosphere and alpha geek communities.

URL-based identity overcame many technical and interoperability hurdles in 2006, and got key buy-in from developing communities. 2007 will see the early incarnations of this technology begin a cycle of significant and real adoption in the blogosphere and alpha geek worlds.

4. In 2007, NAC that isn't identity-based becomes yesterday's news.

Most of the NAC conversation seems to focus on the interoperability between Cisco and Microsoft. The coming year will see a significant shift. The divide between "pre-admission" NAC companies and "post-admission" (identity-based) NAC companies will widen, and the term "Network Identity Management" will emerge as significant in the space. Identity-based NAC and Identity Management will "find each other" in 2007.

5. NAC's rise in importance brings back "risk management."

It's not about "securing the network." It's about managing the risk inherent in any truly networked application. As NAC goes fully identity-based, look for the marketers to begin pounding on the "risk management" term. "Risk management" is what compliance and security are all about, and it will get high level attention from technology executives.

6. While network identity management gets hot, application identity management goes mainstream. 

First, let me clarify: "network identity management" is what NAC is becoming; "application identity management" is what people commonly think of as "identity management." Application identity management has been the core of the identity marketplace for several years now. This year that core will truly go mainstream - with widespread adoption across major enterprises and beginning moves down-market.

7. Federated Identity will enter the very beginning of mainstream adoption.

For the past several years, federation has been overcoming some of the remaining issues around deployment. Our sense of the marketplace is that those are now largely solved (for the time being, anyway), and that with those obstructions out of the way, federation is about to begin a mainstream adoption cycle. Look for well packaged pure-play federation products to come on strong in 2007.

8. An acquisition will occur in the "user-centric" identity space.

This is our "stretch" prediction for the year. Our sense of the user-centric space is that it's about to grow enough to foster an acquisition of one of its players. Nothing YouTube-ish, mind you, but a move that will signal the real "birth" of the user-centric identity marketplace.

9. The enterprise will begin exploring how to use CardSpace in enterprise deployments. 

CardSpace has been thought of as a "user-centric" technology. We believe that there is significant, generally unrecognized, desire to use CardSpace in enterprise deployments. We also believe that 2007 will see enterprise architects who begin to think about deploying CardSpace begin to change how it is that they view identity in the enterprise. Can Microsoft ever thank Kim Cameron and Mike Jones enough? We think not.

10. Compliance will remain the primary driver of Fortune 1000 identity deployments.

Some analyst groups like IDC have postulated that compliance will fade as a driver in 2007. We disagree. Compliance keeps chugging along (at least in identity) as the big driver that could in 2007. This driver may begin to fade by the end of 2007, but the spending cycles associated with compliance will carry major identity management deployment projects through the coming year.

There you have it — ten predictions for 2007. How will we do? Check back at the end of next year to see how we grade our prognostications. What did we miss? Let us know…

December 13th, 2006

Grading our identity predictions from 2006

Posted by Eric Norlin @ 1:11 pm



At the beginning of 2006, we posted a list of predictions over on Digital ID World for the upcoming year in identity. In keeping with our historical tradition, I'd like to grade our past performance prior to looking toward the future.

Accordingly, I'll grade our predictions on a scale of 1-5 (where 1 is worst and 5 is best), with a possible perfect score of 50. Below are our original predictions, followed by their grade and reasons for the grade.

The Digital ID World Predictions for 2006

1. The Acquisition Cycle Continues.

Yes, we know that 2005 felt like a big acquisition year for identity — but, trust us, we're just getting started. 2006 will see acquisitions continue.

Grade: 5.

Reasoning: Companies acquired in the identity space in 2006 include TrustCenter (acquired by GeoTrust), Viisage (merged with Identix), GeoTrust (acquired by Verisign), Business Signatures (acquired by Entrust), Passmark (acquired by RSA), Virsa (acquired by SAP), and RSA Security (the big one - acquired by EMC). There's no doubt that 2006 saw the identity acquisitions continue in force.

2. The Funding Continues as well.

VC funding in this sector won't stop. In fact, we believe that VCs will get more and more aggressive, as startups will increasingly "pitch" themselves as identity companies and new products will increasingly be seen as identity products.

Grade: 5.

Reasoning: Companies funded (either initially, or with subsequent rounds) include SignaCert, EpicTide, GuardID, Authernative, Ping Identity, Trusted Network Technologies, and *countless* consumer-facing "solve identity fraud" startups. While the funding in the identity space didn't even come close to rivaling the whole "web 2.0" funding phenomenon, identity funding still progressed at a nice clip.

3. The Identity Universe will be seen to be expanding.

As we've been highlighting on the blog, companies are now beginning to change their positioning so that they're "identity companies" — and really they are. In fact, the identity universe is (in spite of all of the acquisitions) expanding. In 2006, companies will start rushing to associate themselves with identity.

Grade: 5.

Reasoning: All one need do is read our coverage of how the NAC space is adopting identity, but beyond that companies in areas like mashups, SOA, geo-location and enterprise rights management continue to embrace the identity message.

4. Collaboration applications will get in the identity game.

One of the areas that will suddenly find itself in the middle of the identity conversation will be collaboration applications — by that we mean blogs, feedreaders, wikis, etc. The new "social networking" applications will start to seriously go after the identity game in 2006.

Grade: 1.

Reasoning: I could argue that this prediction should be graded higher in light of the blogosphere's adoption of identity protocols, but alas, my general sense is that collaboration applications (and those in the "web 2.0" world) are still largely seeing identity as somebody else's problem.

5. URL-based identity will gain some traction.

Yes, we're following the URL-based identity work. Yes, we think it's important. Yes, we think it will accomplish some interoperability tests in 2006. Yes, we think it will gain some traction with the alpha geek community — and stop just short of a critical mass. Watch for URL-based identity to create a deeper understanding of identity for a larger community.

Grade: 5.

Reasoning: OpenID, OSIS, Higgins, CardSpace, Sxip — the list goes on and on. The work happening in the URL-based identity space is now not only driven by the smaller players, but the larger ones (like Verisign) as well. URL-based identity made an *awful* lot of progress in 2006, but didn't reach critical mass.

6. Identity comes to Search.

Call this one something that happens in an alpha state in 2006. Either Yahoo!, Microsoft or Google will either announce or release an early version of a search product that brings identity profiles to bear. Somebody get me Vint Cerf on the phone! ;-)

Grade: 1.

Reasoning: Another one that I *wished* would've happened, but didn't. While Yahoo!, Microsoft and Google all made some pushes into personalized search (close), no one truly launched identity-based search based on profiles (but no cigar).

7. Strong Auth is the story of the year.

The effects of the FFIEC guidelines haven't even begun to be felt — 2006 will be the year of strong auth. We won't encounter the problems (yet), just the success. Be prepared to cut through the hype, and watch as the term "layered authentication" becomes commonplace among industry insiders.

Grade: 4.

Reasoning: While every day seemed to bring new horror stories of unauthorized access to sensitive data and the need for strong authentication, I'm stopping short of calling strong auth the story of the year. Is strong auth succeeding in the market? Yes. Is it the identity story of the year? More on that below.

8. "Risk Management" becomes the identity driver.

In conjunction with strong auth, we'll all come to see that "risk management" is the larger business driver behind the identity deployments in 2006. Watch the analysts as they bear this out - "risk management, risk management, risk management" — it just sounds daunting ;-).

Grade: 1.

Reasoning: "Risk management" began to get some play as the driver in identity circles — especially as it relates to strong authentication. Still, at the end of the day, auditing and accountability, as driven by compliance initiatives, landed at the top of the "driver" heap.

9. SAP comes to the party. Microsoft makes a splash with ADFS. The "big guys" concentrate on acquisition integration.

Okay, this is a three-parter (so that I don't go over the magic number of 10). 

1) SAP comes to the party - and I mean through more than simple "partnership" announcements. Shall we start a pool on who they buy? 

Grade: 3.

Reasoning: SAP bought Virsa — a clear play in the identity-compliance space, but they didn't make the brand name acquisition I was expecting. Hence, the 3.

2) ADFS *accelerates* federation. Yes, we think SAML 2.0 will as well - but Microsoft can really flip the switch on federation by pushing ADFS out to their customers. WS-Federation is the fast-mover in 2006.

Grade: 3.

Reasoning: Federation *definitely* accelerated in 2006 — maybe more so than any emerging category. But my sense of that acceleration is that while WS-Federation saw a large uptake, SAML still ruled the roost.

3) Translation: "Big Guys" - CA, Oracle, BMC, etc. "Integration" - "Our suite is better, more complete, faster, more efficient, cheaper, insert competitive differentiator, than theirs." On the side - watch Sun, RSA Security, and Novell - they won't really play this game, and may score some big wins because of it.

Grade: 5.

Reasoning: Have you spoken with a large identity suite vendor lately?

Average grade for #9: 3.6.

10. The Divide between User-centric and Enterprise Identity management is the number one conversation in 2006.

It's something we've identified and focused on for some time — the two different conversations that are "user-centric" identity and "enterprise identity." The historical gap between these two areas is now being addressed by serious folks in the identity game — and 2006 will see this be the most powerful conversation in the land.

Grade: 5.

Reasoning: I'd give us a "10" on this one if I could. User-centric identity dominated the discussion in nearly all identity circles in 2006. 

Total of Grades for 2006: 35.6 out of a possible 50.

Good enough to win money in Vegas.

Next up: Predictions for 2007.

December 4th, 2006

The case for OpenID

Posted by Phil Becker @ 1:38 pm


[Ed. We have recently seen a rise in interest in several new identity technologies. These technologies arise from a different set of missions than traditional enterprise focused, domain-centric identity management systems. This article, written by Netmesh's Johannes Ernst and VeriSign's David Recordon explores the "why" of one of these technologies - OpenID.]

Many digital identity technologies exist already; why does the world need OpenID?
Its ever-growing ranks of supporters prefer OpenID because it is fundamentally different from other identity technologies in at least two ways:

  • OpenID is a fully decentralized system.
  • OpenID has a much lighter cost structure than any alternative.

While other OpenID characteristics – like its use of addresses (URLs and i-names), its affinity to blogging and the pervasive availability of Open Source code supporting it – may be more apparent in the market today, it is OpenID's decentralized nature and cost advantage that provide its unique benefits. These benefits cannot be matched simply by retrofitting URLs on top of other identity systems, or by releasing more Open Source code for them.

Of course, as OpenID grows to cover additional use cases from its admittedly minimalistic beginnings, its cost of ownership will necessarily grow, and some companies will choose to deploy it in a more centralized fashion. However, as technology history has amply shown, just like it is always possible to re-centralize a decentralized system and never the reverse, it is always possible to add cost to a system, but exceedingly hard to remove it from a system that was not built in an extremely light-weight way from the very beginning. That puts OpenID into a unique position among identity technologies.

How is OpenID fully decentralized? It is decentralized on more levels of the stack than other identity systems:

  • Users can host their own identity on any server they choose, without having to ask anybody for permission or approval; they can also choose to have it hosted by one of the growing number of OpenID hosting services.
  • Service providers can choose from a variety of software implementations from a variety of vendors and Open Source projects.
  • As Brad Fitzpatrick (Chief Architect of Six Apart, Ltd.) put it, "OpenID does not crumble if any one company turns evil or goes out of business."
  • The OpenID specifications are developed in an unencumbered, meritocratic process that is open to participation by anyone who shows up.
  • Anybody can use their own technical innovations within the OpenID framework, even if they replicate or compete with the OpenID specifications themselves.

This last point is worth repeating: if tomorrow, for example, you decide you don't like the Diffie-Hellman key exchange that OpenID uses to establish the shared secret with which assertions are signed, you can develop your own way of authenticating and deploy it within the OpenID framework. If you have an idea for a new identity-related service that nobody else ever thought of, you can deploy it into the OpenID framework as soon as your code is ready. This radical decentralization on all levels of the stack, both technically and organizationally, is a very strong catalyst for attracting innovators and their innovations. This makes OpenID a superior choice for identity-related innovation.
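To make the mechanics behind that point concrete, here is an added example (not code from the original article, and not any OpenID library's implementation) of the two steps the Diffie-Hellman exchange exists for in OpenID 2.0: the Relying Party (RP) and the OpenID Provider (OP) agree a MAC key through a DH-SHA1 association, the OP signs a positive assertion with HMAC-SHA1 over the Key-Value Form of the signed fields, and the RP checks the signature, the set of signed fields, its own return_to and the response nonce before trusting the assertion. The modulus (a 255-bit prime picked for brevity; the specification's default is 1536 bits), the endpoint URLs, the identifiers and the nonce are all assumptions chosen for the demo.

```python
"""Toy OpenID 2.0-style association and assertion check (added example)."""
import base64
import hashlib
import hmac
import os
import secrets

# Demo-only Diffie-Hellman group.  OpenID 2.0 ships a 1536-bit default
# modulus; this 255-bit prime (an assumption chosen for brevity) is far too
# small for real deployments.
DH_P = 2**255 - 19
DH_G = 2

# Fields an RP must see signed before it trusts a positive assertion
# (OpenID 2.0 lists these as mandatory members of "signed").
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}


def btwoc(n):
    """Big-endian two's-complement bytes of a non-negative int (OpenID 2.0 s.4.2)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def kv_form(fields):
    """Key-Value Form used as the HMAC input: one 'key:value\\n' line per field, in order."""
    return "".join(f"{k}:{v}\n" for k, v in fields.items()).encode()


def xor20(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Provider:
    """The OpenID Provider (OP): holds MAC keys and signs assertions."""

    def __init__(self):
        self.assocs = {}

    def associate(self, rp_public):
        b = secrets.randbelow(DH_P - 2) + 1          # private exponent in [1, p-2]
        shared = pow(rp_public, b, DH_P)              # g^(ab) mod p
        mac_key = os.urandom(20)                      # HMAC-SHA1 key for this association
        handle = secrets.token_hex(8)
        self.assocs[handle] = mac_key
        return {"assoc_handle": handle,
                "dh_server_public": pow(DH_G, b, DH_P),
                # DH-SHA1 session: the MAC key travels XORed with SHA1(btwoc(shared))
                "enc_mac_key": xor20(hashlib.sha1(btwoc(shared)).digest(), mac_key)}

    def positive_assertion(self, fields):
        """Sign the fields (in order) under the association named by fields['assoc_handle']."""
        key = self.assocs[fields["assoc_handle"]]
        sig = hmac.new(key, kv_form(fields), hashlib.sha1).digest()
        return {**fields, "signed": ",".join(fields), "sig": base64.b64encode(sig).decode()}


class RelyingParty:
    """The site the user logs in to; it learns the MAC key and checks assertions."""

    def __init__(self, op):
        self.op, self.assocs, self.seen_nonces = op, {}, set()
        self.return_to = "https://rp.example/return"   # assumed RP URL

    def associate(self):
        a = secrets.randbelow(DH_P - 2) + 1
        resp = self.op.associate(pow(DH_G, a, DH_P))
        shared = pow(resp["dh_server_public"], a, DH_P)
        mac_key = xor20(hashlib.sha1(btwoc(shared)).digest(), resp["enc_mac_key"])
        self.assocs[resp["assoc_handle"]] = mac_key
        return resp["assoc_handle"]

    def verify(self, resp):
        """Accept a positive assertion only if it is signed, complete, addressed to us and fresh."""
        key = self.assocs.get(resp.get("assoc_handle"))
        if key is None:
            return False                               # unknown association
        names = resp.get("signed", "").split(",")
        if not REQUIRED_SIGNED <= set(names):
            return False                               # an unsigned field is attacker-controlled
        try:
            body = kv_form({n: resp[n] for n in names})
        except KeyError:
            return False
        expected = base64.b64encode(hmac.new(key, body, hashlib.sha1).digest()).decode()
        if not hmac.compare_digest(expected, resp.get("sig", "")):
            return False                               # forged or tampered
        if resp["return_to"] != self.return_to:
            return False                               # assertion minted for another RP
        if resp["response_nonce"] in self.seen_nonces:
            return False                               # replay
        self.seen_nonces.add(resp["response_nonce"])
        return True


def run_exchange():
    """Full flow with constructed data: one good assertion, one tampered, one replayed."""
    op, rp = Provider(), None
    rp = RelyingParty(op)
    handle = rp.associate()
    assertion = op.positive_assertion({
        "op_endpoint": "https://op.example/server",
        "return_to": rp.return_to,
        "response_nonce": "2006-12-04T13:38:00ZaBcD",
        "assoc_handle": handle,
        "claimed_id": "https://alice.example/",
        "identity": "https://alice.example/",
    })
    tampered = {**assertion, "claimed_id": "https://mallory.example/"}
    return {"valid": rp.verify(assertion),
            "tampered": rp.verify(tampered),
            "replayed": rp.verify(assertion)}
```

Note what the signature proves and what it does not. It proves the assertion was minted under a MAC key that only this RP and the OP endpoint it discovered share, so a forged claimed_id or a replayed response is rejected. It says nothing about the user's trip through the browser to the OP's login page: the RP chooses where to redirect the user, so the check above is only as good as the RP's discovery of the real OP endpoint.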

How is OpenID's cost structure fundamentally lower? Consider the parallel with the cost structure of the web compared to the cost structure of predecessor client-server technologies. One can say that earlier client-server technologies could do everything that the web could do; in fact, they could do many things much better. They lost out against the web because the total cost of creating and operating a website was dramatically lower than the cost of building and operating a client-server application; and even more importantly, the cost of getting access to and using a web application was much lower than for a client-server application.

The fact that the first versions of HTML were a "toy" (compared to fully-featured alternatives such as SGML) was of no consequence; missing features got added over time. OpenID will likewise keep adding features and grow to the same level as other identity systems, or beyond it, starting from a much lower base cost. This is also why, unlike other identity technologies, OpenID is rapidly being adopted on the open Internet: Internet-scale adoption requires the twin properties of Internet-scale decentralization and Internet-scale cost structures, which other identity technologies do not have.

As OpenID marches on, we expect many of its benefits to accrue to:

  • Internet users, who are gaining the ability to control their identity information on-line, through the services of a vendor that they trust (or, if they are technically inclined, by building their own); further:
    • users are more secure, e.g. the phishing attack surface is reduced;
    • their on-line experience is more convenient, e.g. fewer user names and passwords to remember;
    • their on-line experience is more personal, e.g. because sites can more easily take advantage of identity information shared by the user with the site.
  • E-commerce and other website operators, who have the opportunity to serve their customers and visitors better, because:
    • they can simplify user registration, currently a major obstacle for customer acquisition;
    • it allows them – with full approval of the user – to learn more about their visitors, and thus target their offerings better;
    • they can reduce the attack surface for identity theft, because identity information that can be retrieved on demand through OpenID does not need to be stored by the site, and thus cannot be lost or stolen (e.g. on backup tapes stolen from a car)
  • Entrepreneurs and intrapreneurs, for whom OpenID provides a fertile ground for innovation, such as:
    • reputation services, which help both end users and site operators and represent a major business opportunity in itself;
    • open social networks that are not confined to a single vendor's site;
    • more secure, efficient and accountable messaging systems that one day could replace the protocols that e-mail runs on.

Some have told us they consider the OpenID community to lack a clear process or structure, to not solve the "real" problems in identity (yet?), or to be only applicable for low-end problems. They are probably right; however, we think of it as the early days of Internet-scale innovation in action, where these characteristics are desirable, not detrimental. The arguments are the same that were made against the Web in its early days, and the problems either were fixed or turned out not to be problems at all. There is no reason to believe it should be different for OpenID.

Full decentralization and a very light-weight cost structure directly attract and catalyze innovation unlike any other approach. In the end, that is why you should pay attention to OpenID.

November 20th, 2006

Does authorization equal entitlements?

Posted by Eric Norlin @ 11:49 am

Categories: General

Tags:

Back in the early mists of identity time, "identity management" was referred to as "AAA" (triple A): authentication, access control and authorization. Over time, AAA evolved to mean authentication, authorization and accountability (the standards-body term for the third A is accounting). Those were seen as the three large functional categories within what came to be called identity management. Eventually, as technology and understanding evolved, categories such as provisioning, federation, web access control, E-SSO, etc. were added. The big three categories remained, but we came to call the whole group of functions "identity management."

Recently, a startup named Securent brought me back to thinking about "authorization." Securent has released some products to deal with what they're calling "entitlement management" at the application layer. The naming convention is interesting, and useful.

As the enterprise has come to deal with the networking of everything, the topic of "authorization" has risen to the top. Controlling "access" to the enterprise was always a nice first step, but it doesn't solve the problems of compliance in today's regulatory environment. Access control was the application layer's version of the network firewall: it created an "inside" and an "outside" and controlled who could get inside. This concept works well as far as it goes, but, as has been found with firewalls at the network layer, it doesn't scale well and it tends to fight the kind of mobility that networking seeks to deliver.

Authorization — dealing with who has the right to do what, with what, where, and when — gets to the heart of the problem: what are people *entitled* to do. It jumps over proxy concepts like location, devices, etc. and goes right to the problem at hand. Thus, "entitlement management" as a category makes some sense. Is that just semantic trickery on the part of Securent in this case? Maybe, maybe not (I haven't seen the products). But it could be a useful semantic step in facilitating the conceptual shift from "barrier security" paradigms to the truly identity-based paradigms networked computing requires.

Beyond authorization and entitlement, the breaking wave in identity is visibility. You can provision, federate, authorize, entitle, and audit, but what you're ultimately trying to provide is real-time visibility into a network. Seeing what's going on gives you the ability to enforce policy, but seeing across the entire networked environment of the enterprise is not an easy process.

And the authorization of entitlements is the next step in that process.
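As an added illustration of the distinction the post draws (this is not Securent's product, nor code from the original post), the evaluator below answers the who / what / with what / where / when question with an attribute-based policy, puts a perimeter-style inside/outside check beside it for comparison, and records every decision so that the visibility the post asks for is at least available to whoever reads the log. The roles, resource paths, corporate network range and rules are hypothetical, built for the demo.

```python
"""Entitlement decision versus perimeter check (added example, hypothetical policy)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, FrozenSet, List
import ipaddress

CORP_NET = ipaddress.ip_network("10.0.0.0/8")   # assumption: "inside" for the perimeter model


@dataclass(frozen=True)
class Request:
    subject: str
    roles: FrozenSet[str]   # who
    action: str             # what
    resource: str           # with what
    source_ip: str          # where
    at: datetime            # when


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                                   # "permit" or "deny"
    roles: FrozenSet[str]                         # matches if the subject holds any of these
    actions: FrozenSet[str]
    resource_prefix: str
    condition: Callable[[Request], bool] = lambda r: True


def on_corp_net(r):
    return ipaddress.ip_address(r.source_ip) in CORP_NET


def business_hours(r):
    return time(8) <= r.at.time() < time(18)


# Hypothetical application policy for a trading system.
POLICY = [
    Rule("trader-reads-positions", "permit", frozenset({"trader"}), frozenset({"read"}), "/positions/"),
    Rule("trader-books-in-hours", "permit", frozenset({"trader"}), frozenset({"book"}), "/trades/",
         business_hours),
    Rule("ops-approves", "permit", frozenset({"ops"}), frozenset({"approve"}), "/trades/"),
    Rule("no-offnet-writes", "deny", frozenset({"trader", "ops"}), frozenset({"book", "approve"}), "/",
         lambda r: not on_corp_net(r)),
]

AUDIT: List[dict] = []   # every decision lands here, matched rules included


def perimeter_allows(r):
    """Barrier model: anyone inside the network gets the whole application."""
    return on_corp_net(r)


def decide(r, policy=POLICY):
    """Entitlement model: a matching deny overrides any permit; no matching rule means deny."""
    matched = [rule for rule in policy
               if r.roles & rule.roles and r.action in rule.actions
               and r.resource.startswith(rule.resource_prefix) and rule.condition(r)]
    if any(rule.effect == "deny" for rule in matched):
        effect = "deny"
    elif any(rule.effect == "permit" for rule in matched):
        effect = "permit"
    else:
        effect = "deny"                             # default deny
    AUDIT.append({"subject": r.subject, "action": r.action, "resource": r.resource,
                  "ip": r.source_ip, "at": r.at.isoformat(), "effect": effect,
                  "rules": [rule.name for rule in matched]})
    return effect


def audit_trail():
    return list(AUDIT)


def evaluate(subject, roles, action, resource, source_ip, hour):
    """Plain-argument wrapper; returns (entitlement decision, perimeter decision)."""
    r = Request(subject, frozenset(roles), action, resource, source_ip,
                datetime(2006, 11, 20, hour, 0))   # date fixed, only the hour matters here
    return decide(r), perimeter_allows(r)
```

The two models disagree exactly where the post says they should: a trader booking a trade at 3 a.m. from the corporate LAN is "inside" and passes the perimeter, but holds no entitlement to book outside business hours; an ops user approving from an outside address holds the approve entitlement, yet the off-net deny rule wins. The audit entry for each decision names the rules that fired, which is the raw material for the visibility the post describes.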
