November 16th, 2006

Federation enters a new phase

Posted by Eric Norlin @ 9:08 am

Categories: General

Two recent releases in the federated identity marketplace caught my eye — and may speak to the development of federation deployments:

1. Ping Identity announced that the U.S. Department of Justice selected them to provide federation to over 7,300 local law enforcement agencies and 700,000 law enforcement officials. (Disclosure: I was the third guy in the door at Ping, and served as their VP of Marketing until July 2005.)

2. Sun Microsystems open sourced the code for their identity federation and web services framework (SAML and Liberty) - the core of federation in their Access Manager and Federation Manager products. The initiative is related to their recent OpenSSO effort and is dubbed Open Federation.

The federated identity marketplace has been growing nicely over the past several years, and all of the large identity management vendors have *some* level of federation functionality in their product sets. At the same time, some have questioned the adoption of federation. I take these two announcements together to signal that federation is now at the cusp of mainstream adoption in the large enterprise sector.

I think these announcements signal that for a couple of reasons. Ping's customer list is now representative of a clear, growing trend toward the adoption of federation technologies. Also, the "open sourcing" of products tends to signify a level of maturity in the market itself. Combining a major initiative at the DoJ and a major open source announcement would seem to indicate a market that is now past the stage of having to prove the worth of the initiative. Am I saying that federation is now "mainstream" in its adoption? No. But I am saying that the federation market has entered the mainstream adoption phase — and its growth over the next 18-24 months should be roughly analogous to the growth of web access control and provisioning over the past 18-24 months.

One last note: I've just heard from Sun's PR firm that Sara Gates (who was the VP of Identity at Sun) has left the company. I take this tidbit of news to be quite important, as Sara has been a driving force for both the industry and inside of Sun. Interestingly, Mark McClain, who founded Waveset (the company that Sun bought — and with that acquisition got Sara Gates), has started a new venture in the identity compliance space - Sailpoint. Will Sara be joining her old cohorts on a new water-related identity venture (Waveset and Sailpoint)? We'll let you know…

November 13th, 2006

Who is an identity-based NAC vendor?

Posted by Eric Norlin @ 10:56 am

Network Access Control ("NAC") was an emerging focus at last September's Digital ID World conference. The reason for including NAC on the agenda arose from my belief (fueled by talks with enterprises) that network-layer identity management is fast becoming an important piece of enterprise architecture. In the aftermath of the event, Phil and I tried to sit back and take a look at what actually happened. What we found with regard to NAC (and what I've heard since) is that, while the enterprise IT folks I talked with really "get it," some of the vendors in the space don't understand how they fit into the identity world. Curious, right?

Is the product focus "pre-admission" or "post-admission"?

That finding led me back to wanting to speak with some NAC vendors, and luckily ConSentry contacted me to brief me about some of their new product releases (their InSight product, for those that are interested). What resulted was a realization for me: the dividing line between NAC vendors who understand where their products fit in an identity-based world and those who do not runs through where the core of their functionality sits.

If a vendor's NAC product is focused on the zone of "pre-admission" — that is to say, the "admission" process — then they do not see themselves as an identity-based product. If, on the other hand, the core of the functionality is focused on what happens "post-admission," they do see themselves as living in the identity space.

The reason for this is simple: "post-admission" identity-based NAC is centered around things like role-based provisioning at the network level, policy enforcement around roles, and the visibility and auditing of policies. All of these post-admission activities are driven by the functioning of identity within a network. (All of those capabilities, by the way, are what ConSentry is realizing are core to their customers' needs.) The driving force behind this is a customer base that now views the network perimeter as a dynamic zone of permissions and authorizations. Keeping people out isn't the order of the day; controlling what they do and knowing what they've done is.

On the other hand, "NAC" companies focused on "pre-admission" activities still view the network as a static wall. For these companies, the act of authentication and endpoint checking is still a binary switch. The "yes/no" decision results in a "policy" of you're in or out.

Companies like ConSentry seem to have tapped into a cutting-edge customer concern: treating the network layer (and its accompanying identity problems) the same way one would treat the application layer. That focus, and the accompanying shift of NAC products toward "post-admission" activities, seems likely to be the growing edge of a hot market.

Needless to say, Digital ID World will still be covering NAC.

November 7th, 2006

Will web 2.0 identity make the same mistake?

Posted by Eric Norlin @ 10:17 am

Two things have caught my eye recently (both on Dan Farber's blog):

1. Mashery launching: an API management service that offers, among other things, "access control."

2. Intel's Web 2.0 Business Suite: a suite of content management and distribution mechanisms that offers "single sign on" across the various applications.

All of this reminds me of how enterprise identity management (at the application layer) was built out. Identity began as embedded in the application layer, and only after the identity's non-interoperable proliferation did the vendor community respond by *abstracting* identity — thus, resulting in identity management systems.

Is the web 2.0 world doomed to the same fate? Will web 2.0 companies embed non-interoperable identity in their applications and suites, and only after identity's proliferation move to abstract it into its own web 2.0 identity management?

I hope not, but it's not looking good (see the examples above).

November 1st, 2006

Understanding "identity management"

Posted by Eric Norlin @ 10:47 am

Paul Murphy has been writing about identity management over on his Managing Linux blog. His basic thesis is that while most CIOs now put "identity management" as a top priority, most also can't tell you what "identity management" is. The reason, says Paul, is that most CIOs are informed about the possibility of identity offerings via their prominent vendor relationships, and those vendor offerings are overlapping, confusing and (in some cases) redundant. How *should* one come to understand what identity management is?

First off, I think Paul represents the great majority of CIOs out there. Having been in the "identity business" since 2002, I find it pretty easy to feel that, since the community has grown so much so fast, the identity community's baseline of understanding *must* be the baseline for the population of IT professionals at large. That is clearly not true. In fact, "identity management" is still widely misunderstood and not widely implemented. While most enterprises now understand that they must accomplish some tasks associated with identity, that doesn't mean that they've gained a larger perspective on identity. The result is that many identity projects are happening in isolation.

The "phased approach" to IT implementation is accepted as the safe route to not experiencing the debacle of a 7-figure, 36 month deployment failure. This is a good thing. But "phasing" doesn't mean operating in a state of isolation. Phasing should still take place within the larger context of understanding.

All of which brings us back to "identity management." Gaining an understanding of identity management should not simply occur by reading vendor product marketing literature (though I know it often does). The "learning curve" on identity seems to almost always include: A) a small-ish project initiated to achieve a business process goal (e.g., eliminate X costs associated with Y redundant sign-ins); B) a realization by the implementing team that there's a wider identity problem that they must fully grasp if they are to scale any success; and C) a gradual reworking of the architectural principles of the IT organization that makes identity the foundational and organizing paradigm.

So, how should one come to *understand* what identity management is? Begin by understanding the breadth and depth to which identity as a concept must be used as an architectural principle.

More on that to come…

October 20th, 2006

A tipping point?

Posted by Eric Norlin @ 6:10 am

Way back in the early mists of identity time, I was speaking with Bryan Field-Elliott (then CTO of Ping Identity) about the earliest drafts of the Liberty Alliance protocols, and whether or not they could be used for what we then called "internet identity." (Note: "internet identity" is now called "URL-based identity," or even more broadly and less accurately "user-centric identity.") Bryan told me that while SAML or Liberty *could* be used for "internet identity" (theoretically), they never would be. They never would be because web developers are their own breed — they don't gather at hotels, "spec out" requirements, and engage architects to build an elegant solution. Instead, web developers stumble upon something that excites them, pull in disparate pieces, kludge something together, get a big guy or two to buy in, and start using it.

Bryan was, of course, right. He also knew what he couldn't then predict — that something like OpenID would come from the grassroots in an attempt to solve the internet identity problem. Yesterday, Technorati announced that it would support OpenID, and in the blogosphere, putting SixApart, Technorati and WordPress in the same boat gets you pretty close to critical mass.

So the question remains: is this a "tipping point"? Have we solved the "internet identity" problem? I'd say that it's far too early to say that. There's still a dizzying array of "user-centric" stuff coming down the pipe, but if you have to isolate the major players at this point, you'd say OpenID, CardSpace and Higgins (where Higgins is more a development framework than a user-centric system in its own right).

Johannes Ernst, one of the primary drivers behind OpenID, is wagging his finger a bit at those who have argued that URL-based identity systems are "toys" compared to "real" identity systems. While he's right to savor the current small victory, it's still important to realize that the heavier-weight identity systems (SAML and WS-Federation, with their signed assertions and SOAP-based back-channel bindings) are still much more adept at maneuvering through the high-risk transactions that take place online.

October 17th, 2006

The evolving models of security...

Posted by Phil Becker @ 1:25 pm

[Note: Eric is having trouble posting, so I posted this article for him - Phil]

Phil and I have been speaking a lot recently about the changing of security models in the enterprise. The three basic models actually seem to represent a learning curve that both enterprises and the vendors are evolving through. The three models lay out as follows:

The Security of Exclusion: The security of exclusion is a defensive model based around locking things up and protecting them. Under this model, authorization is the primary characteristic (not who you are, but are you authorized to come in), and identity is largely inferred via IP or MAC addresses. The security of exclusion is now largely about building small, defensible perimeters — thinking almost solely in a location and domain-based sense.

The Security of Inclusion: The security of inclusion is evolution to a truly identity-based model. Under this model, the primary characteristic is providing the correct access to designated resources. Notice that the shift from authorization to access shifts identity from something that is inferred (exclusion and authorization) to something that is the fundamental quality that must be known (inclusion and access). The security of inclusion is now very advanced at the application layer (where traditional identity management products live), and is growing very quickly at the network layer (as traditional firewall and NAC products evolve from exclusion to inclusion).

The Security of Accountability: The security of accountability is what a fully realized identity solution is trying to offer. It begins from the premise that the networking of the enterprise "flipped the game" with regards to security. No longer is security the fundamental concept from which the benefit of identity falls. Now identity is the fundamental foundation upon which benefits like security can be built. The goal of the security of accountability is to provide *transparency* and *visibility* into the networked model. It seeks to always know who did what with what and whom when, and to enforce policies around given parameters in real time. The evolution to the security model of accountability is what is driving the red-hot areas of provisioning, identity-based compliance solutions, and the most bleeding-edge NAC product categories.

Taken as a spectrum of evolution, the models of exclusion, inclusion and accountability give us a lens through which to evaluate both enterprise projects (and their mindset) and the thinking of the vendors that are selling into the space.
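As an added illustration (my own, not code from this post and not any vendor's product), here is the exclusion/inclusion/accountability spectrum, together with the pre-admission/post-admission NAC distinction from the November 13th post above, reduced to three small policy evaluators run over one constructed stream of requests. The directory, roles, policy table, addresses and timestamps are all made up for the example. The two telling rows are the last ones: a finance user connecting from an outside address, and an unauthenticated peer sitting on an inside address. Exclusion (identity inferred from IP) gets both wrong; inclusion gets both right; accountability gets both right and can afterwards answer who touched the ledger database, when, and whether policy allowed it.

```python
"""Added example, not code from the original post: the three security models
as three policy evaluators over one constructed request stream.

Exclusion:      identity inferred from the source address; admit/deny is binary.
Inclusion:      identity is authenticated and roles decide access per resource.
Accountability: inclusion plus an audit record of who did what, to which
                resource, from where and when, that can be queried afterwards.
Directory, roles, policy, addresses and timestamps are all made up.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    src_ip: str
    principal: Optional[str]  # None when the peer never authenticated
    resource: str
    action: str
    ts: int                   # constructed epoch seconds


# Constructed directory: which roles each authenticated identity holds.
DIRECTORY = {
    "alice": {"finance"},
    "bob": {"engineering"},
    "carol": {"finance", "it-admin"},
}

# Constructed policy: which roles may perform which action on which resource.
POLICY = {
    ("ledger-db", "read"): {"finance"},
    ("ledger-db", "write"): {"finance"},
    ("build-server", "read"): {"engineering"},
    ("build-server", "write"): {"engineering", "it-admin"},
}

# Exclusion model: "inside" is whatever carries an address from these prefixes.
TRUSTED_PREFIXES = ("10.1.",)


def exclusion_decision(req: Request) -> bool:
    """Security of exclusion: the address stands in for identity."""
    return req.src_ip.startswith(TRUSTED_PREFIXES)


def inclusion_decision(req: Request) -> bool:
    """Security of inclusion: a known identity must hold a permitted role."""
    if req.principal is None:
        return False
    roles = DIRECTORY.get(req.principal, set())
    return bool(roles & POLICY.get((req.resource, req.action), set()))


@dataclass
class AccountabilityEngine:
    """Security of accountability: every decision leaves an audit record."""
    audit: List[dict] = field(default_factory=list)

    def decide(self, req: Request) -> bool:
        allowed = inclusion_decision(req)
        self.audit.append({"ts": req.ts, "who": req.principal, "from": req.src_ip,
                           "action": req.action, "resource": req.resource,
                           "allowed": allowed})
        return allowed

    def who_touched(self, resource: str) -> List[Tuple[int, Optional[str], str, bool]]:
        """Who did what to this resource, when, and whether policy allowed it."""
        return [(r["ts"], r["who"], r["action"], r["allowed"])
                for r in self.audit if r["resource"] == resource]

    def denials_for(self, principal: str) -> int:
        """How often an identity was refused; a feed for real-time enforcement."""
        return sum(1 for r in self.audit if r["who"] == principal and not r["allowed"])


# Constructed request stream. Rows 4 and 5 are the telling ones: a finance user
# off-net, and an unauthenticated peer parked on an inside address.
REQUESTS = [
    Request("10.1.4.20", "alice", "ledger-db", "write", 1000),
    Request("10.1.4.21", "bob", "ledger-db", "read", 1001),
    Request("10.1.4.22", "carol", "build-server", "write", 1002),
    Request("203.0.113.7", "alice", "ledger-db", "read", 1003),
    Request("10.1.9.9", None, "ledger-db", "write", 1004),
]


def run_models(requests: List[Request] = REQUESTS):
    """Return (exclusion decisions, inclusion decisions, accountability engine)."""
    engine = AccountabilityEngine()
    exclusion = [exclusion_decision(r) for r in requests]
    inclusion = [engine.decide(r) for r in requests]
    return exclusion, inclusion, engine


if __name__ == "__main__":
    exc, inc, eng = run_models()
    for req, e, i in zip(REQUESTS, exc, inc):
        print(f"{req.src_ip:>12} {str(req.principal):>6} {req.action:>5} "
              f"{req.resource:<12} exclusion={e!s:<5} inclusion={i}")
    print("ledger-db history:", eng.who_touched("ledger-db"))
```

Running the module prints one line per request and then the ledger-db history. The thing to notice is that the exclusion column tracks addresses while the inclusion column tracks people, and that only the accountability engine retains anything an auditor (or a real-time policy enforcer) can use after the fact.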

October 12th, 2006

Identity and social business applications

Posted by Eric Norlin @ 7:38 am

John Milan has written an interesting piece about "social business applications" over on Read/Write Web. He begins by defining "social business applications" as "software that coordinates group interaction that is important to running your business," a somewhat amorphous but workable definition. He then goes on to rightly identify "identity" as the key "feature" that is critical to social business applications. Further, he extends identity not only to humans, but to data as well.

All of this is fine and dandy, and John refers to identity mostly in its "attribute" forms (presence, etc.), but he really nails it when he correctly states that social business applications are all about "enabling the flow of data in such a way as to make its location immaterial." And now we're back in familiar territory.

Domain-based models of architecture have been predicated on using location as a proxy for identity. As we've begun to move to network-based models of architecture (the entire web 2.0/enterprise 2.0 movement), location is no longer an appropriate proxy. Accordingly, identity must become a core functionality of infrastructure. This distinction is key. Leaving identity at the application level (as John refers to it) actually causes a proliferation of the problems that not having identity causes. Abstracting identity from the application level has been the primary trend in all of identity management for the last ten years. As we move forward, abstracting identity out past the network and application layers will ensure that identity becomes an *infrastructural* component.

Without that move, social business applications can never realize their true potential.

October 9th, 2006

Digital ID World recap: final thoughts

Posted by Eric Norlin @ 7:08 am

It's now almost a full month since Digital ID World ended, and my thoughts about what happened are finally starting to coalesce. "Starting," I said, and this post (I hope) reflects that beginning.

The primary "big move" that I'm coming away with is the idea that identity, in the current enterprise IT environment, is really in the midst of a shift in metaphor — from the semi-closed metaphor of the controllable "domain" to the fully-networked (and open) metaphor of the Network (internet, web, call it what you will). I don't think this is unknown. In fact, I think people have been talking around this idea for a long time. I don't, however, think it's well understood.

Think of it this way: the "domain" demands location, exclusion, protection and defense. The networked web demands visibility, openness and accountability. That shift — from leased lines to the internet, from token ring to ethernet, from controllable, closed IT environments to a fully networked, internet-metaphor enterprise — is a shift whose importance cannot be overestimated. That shift is driving not only identity, but things like SaaS, the web as platform, outsourcing, etc. And the reason that identity is so integral is simple: you cannot have an open, visible *and* accountable environment without identity as a foundational concept.

Enterprises are only now beginning to move toward this, and I think it's about to really drive the identity industry hard in several ways:

1. "User-centric" identity only grows in importance: Following the internet metaphor, enterprises will increasingly relinquish centralized control (administration) to the end user.

2. The enterprise will mimic the "world of ends": David Weinberger and Doc Searls once described the Internet as a "world of ends" — or a big dumb empty network with all of the intelligence living at the edge. That metaphor is where identity in the enterprise environment is headed. Some of the big guys (Sun and Oracle) see that and are starting to capitalize on it. It's the reason that the identity conversation is now going to start to focus on middleware abstraction, SOA and increasingly modularized environments.

3. The "network-layer" and "application-layer" theme grows as well: Opening the networked environment will force the "NAC" vendors to abandon older defensive/protective approaches. As such, NAC will increasingly be seen as a vehicle for compliance, and the idea that you have network-layer identity management and application-layer identity management will take hold. David Berlind is reporting that folks at the Gartner symposium are saying that more and more of IT budgets are going to compliance, and that's all identity.

Three themes: user-centricity, SOA/middleware abstraction, and converging work around network-layer IdM and application-layer IdM because of compliance. Three themes driven by one metaphor change: making the enterprise IT environment mimic the metaphor of the fully networked model (open, visible and accountable).

October 6th, 2006

A big "small" problem

Posted by Phil Becker @ 12:08 pm

Identity management has evolved to provide incredibly granular and flexible capability with respect to managing user logons, authorizations, and access control, provisioning new users and reliably removing access for expired users. Add in delegated and self-service management capabilities plus sophisticated workflow and auditing capabilities to assure policy is followed when granting access, and IdM can successfully automate processes that are very error prone when done any other way. This provides a tremendous boost in security by assuring that access is only granted when, where and to whom needed, and ends when it should. Identity management has been a big contributor to reaching compliance, allowing automation of quite complex policy driven processes.

There is, however, a category of usernames and passwords that identity management and password management have largely left unmanaged. This is the category of system administration logons: root or superuser access to operating systems, router or firewall configuration, hard-coded logins to databases embedded in application scripts, etc. This category of system access has quite different characteristics from application and network user access. Among other differences, it is usual for a single logon code to be shared by multiple administrators. This type of access to devices and systems is not usually constructed to track *who* is logging in, only to restrict access to authorized people (defined as anyone who knows the access codes). These differences mean that managing this set of access requires a different approach than traditional identity management has so far provided.

The key distinction of this type of login authentication is that it is owned not by users, but by one or more systems. As a result this information is used by multiple people - everyone who administers or develops these systems or applications. Most companies today manage these privileged access codes outside of any other access management process. These range from administrators who keep the passwords in their heads, through those who write them down on a piece of paper somewhere, to those who combine them into an encrypted spreadsheet that is in turn passworded - creating a master key to all of the other system master keys.

These privileged passwords comprise a high value target for an unauthorized person who wants to alter how a system behaves for any reason. Compliance auditors are only recently coming to see this category as its own issue to be "brought into compliance" but they are increasingly calling it out as something that must be addressed. It takes little thought to realize that compromising this category of privileged passwords can create an "end run" around most of the security techniques an IT department might deploy.

I was reminded of this "small" problem when I read a recent announcement of a partnership between Courion and CyberArk to address it. I've followed CyberArk for a couple of years now, keeping it on my list of companies with an interesting technology looking for a market. Recently, they have taken on this problem of privileged password management, linking it to identity, and they have crafted a unique approach that appears to address the problem in terms system administrators can accept. In the process, they have created an interesting type of provisioning of these system accounts across a network that allows a significant step up in security as well as identity-based tracking of who accessed the administration of what resource when. They have even created the capability for single-use passwords for this type of access.

Managing privileged administrative passwords seems like a relatively small problem, as there are usually only a few people who use this type of administrative access. But having passwords live "in the clear" in application scripts, and the master keys live on paper or in spreadsheets, creates an environment where compromise of an administrative access code is nearly untraceable and difficult to detect. Creating and enforcing a password expiration or minimum password strength policy for these administrative entry points is also difficult (which is why it is often done manually).

If you multiply the number of servers, application scripts with embedded passwords, firewalls, VPNs, etc. by the number of authorized administrators, you quickly see that this is a much bigger "exposed surface area" than it may at first seem. I don't know if the marketplace will think that CyberArk has the preferred solution method, but it is clear that identity management must find some way to address this problem if it is to provide the security and compliance capabilities it seeks. At least now there is a way to do it that people can think about, throw darts at, and innovate from - and that's a good thing.
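To make the problem concrete, here is an added example (my own illustration, not CyberArk's or Courion's code, and not a description of how their products are built) of the kind of privileged-credential vault the post describes. The vault owns the shared system accounts; a named administrator checks a credential out against a stated reason; the vault records who took which account's password and when; and on check-in, or when a checkout overruns its lease, the password is rotated, so the value that was handed out is dead and every use is attributable to a person rather than to "whoever knew the password." The target names, administrators, initial passwords, change-ticket reasons and the in-memory stand-in for pushing a new password to a device are all constructed for the example.

```python
"""Added example, not CyberArk's or Courion's code: a minimal privileged-credential
vault of the kind the post describes. System-owned logins live in the vault, not
with people; a named administrator checks one out against a reason; the vault
records who took what and when; on check-in, or when a lease is overrun, the
password is rotated so the released value is dead. All names are constructed."""
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

ALPHABET = string.ascii_letters + string.digits + "!@#%^*-_"

def generate_password(length: int = 24) -> str:
    """Fresh password from the OS CSPRNG, well above typical minimum lengths."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

@dataclass
class SystemAccount:
    target: str                          # constructed device or service name
    username: str                        # e.g. "admin", "root", "sa"
    password: str
    checked_out_by: Optional[str] = None
    lease_expires: Optional[int] = None

class PrivilegedVault:
    """Owns shared system credentials and makes every release attributable."""
    def __init__(self, push: Callable[[str, str, str], bool], lease_seconds: int = 3600):
        self._push = push       # push(target, user, new_pw) -> True once the device took it
        self._accounts: Dict[str, SystemAccount] = {}
        self._authorized: Dict[str, Set[str]] = {}   # principal -> targets allowed
        self.audit: List[dict] = []
        self.lease_seconds = lease_seconds

    def enroll(self, target: str, username: str, password: str, admins: Set[str]) -> None:
        self._accounts[target] = SystemAccount(target, username, password)
        for admin in admins:
            self._authorized.setdefault(admin, set()).add(target)

    def _record(self, now: int, who: str, target: str, event: str, allowed: bool, **extra) -> None:
        self.audit.append({"ts": now, "who": who, "target": target,
                           "event": event, "allowed": allowed, **extra})

    def _rotate(self, acct: SystemAccount, now: int, who: str, event: str) -> bool:
        """Set a new password on the device, clear the checkout, record both."""
        new_password = generate_password()
        ok = self._push(acct.target, acct.username, new_password)
        if ok:
            acct.password = new_password
        acct.checked_out_by, acct.lease_expires = None, None
        self._record(now, who, acct.target, event, True, rotated=ok)
        return ok

    def checkout(self, principal: str, target: str, reason: str, now: int) -> Optional[str]:
        """Release the credential to an authorized, named administrator, or deny."""
        acct = self._accounts.get(target)
        if acct and acct.checked_out_by and acct.lease_expires <= now:
            # Previous holder overran the lease: treat that value as burned.
            self._rotate(acct, now, acct.checked_out_by, "lease-expired")
        ok = (acct is not None and acct.checked_out_by is None
              and target in self._authorized.get(principal, set())
              and bool(reason.strip()))
        self._record(now, principal, target, "checkout", ok, reason=reason)
        if not ok:
            return None
        acct.checked_out_by, acct.lease_expires = principal, now + self.lease_seconds
        return acct.password

    def checkin(self, principal: str, target: str, now: int) -> bool:
        """Return the credential; rotation makes the released value single-use."""
        acct = self._accounts.get(target)
        if acct is None or acct.checked_out_by != principal:
            self._record(now, principal, target, "checkin", False)
            return False
        return self._rotate(acct, now, principal, "checkin")

    def history(self, target: str) -> List[Tuple[int, str, str, bool]]:
        """Who accessed the administration of this resource, when, with what outcome."""
        return [(e["ts"], e["who"], e["event"], e["allowed"])
                for e in self.audit if e["target"] == target]

DEVICE_STATE: Dict[str, str] = {}   # constructed stand-in for devices' own password stores

def push_password(target: str, username: str, new_password: str) -> bool:
    DEVICE_STATE[target] = new_password
    return True

def demo_firewall_login():
    """One shared firewall login through a checkout cycle and an overrun lease."""
    vault = PrivilegedVault(push_password, lease_seconds=600)
    DEVICE_STATE["fw-edge-1"] = "S3ason!2006"                # the old shared secret
    vault.enroll("fw-edge-1", "admin", "S3ason!2006", admins={"carol", "dave"})
    first = vault.checkout("carol", "fw-edge-1", "CHG-1042 rule cleanup", now=1000)
    busy = vault.checkout("dave", "fw-edge-1", "CHG-1043 firmware", now=1010)
    outsider = vault.checkout("mallory", "fw-edge-1", "need access", now=1020)
    vault.checkin("carol", "fw-edge-1", now=1100)
    second = vault.checkout("dave", "fw-edge-1", "CHG-1043 firmware", now=1200)
    # dave never checks in; by 1900 his lease (1200+600) has lapsed, so carol's checkout rotates first.
    third = vault.checkout("carol", "fw-edge-1", "CHG-1044 rollback", now=1900)
    return first, busy, outsider, second, third, vault
```

Call `demo_firewall_login()` and print `vault.history("fw-edge-1")` to see the trail: carol's checkout, dave's and mallory's denials (one because the account was already out, one because she was never authorized for it), carol's check-in with rotation, dave's checkout of the fresh value, the forced "lease-expired" rotation charged to dave, and carol's final checkout. The three passwords that were ever released are all different, the device holds only the latest, and every line names a person. What the example leaves out, and a real product must handle, is pushing the rotation to the actual device or script and what to do when that push fails.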

September 20th, 2006

Digital ID World recap, part 2

Posted by Eric Norlin @ 6:58 am

I’m continuing my "what I learned at Digital ID World" series that I started yesterday.

What I learned about Network Access Control

NAC (network access control) and identity was my pet project for this show. I tried to get our audience, which is traditionally made up of application-layer folks, to come to appreciate how they need to start understanding identity at the network layer. The good news: those that "get it," really get it. One prominent analyst-type at the show told me that the NAC-identity connection was *the* hot topic in their behind-closed-doors discussion. Additionally, the sessions focused on NAC were loaded with real enterprises asking real questions. Several people even commented on the noticeable absence of Cisco at the show (I invited them and they told me they didn’t see themselves as an identity company).

Bottom Line: Identity-based NAC is a *real* market phenomenon. Customers are learning, companies have products, and analysts are beginning to pay attention. Thinking that identity is simply an application problem is a huge mistake — one that Digital ID World isn’t making. Look for NAC to become a major focus for us over the next year.

What I learned "behind the scenes"

1. Big companies are shifting resources to meet the demand for federated identity solutions.

2. Small to mid-size software vendors in the provisioning, E-SSO, virtual directory and federation areas are seeing *real* ramping of revenue, customers and success.

3. The next big problem for federated identity to solve is "scale."

4. Several big companies spent a lot of time "talking" to several smaller players in the "user-centric" space (take that as you will).

5. Jonathan Penn (of Forrester) declined to be on a panel because he thought he’d get more value by being in the audience (and he said I could quote him).

6. "Penetration" of identity management deployments has still only scratched the surface of the Fortune 1000.

7. Accordingly, the mid-market is just *barely* starting to come on board.

In part 3, I’ll recap some big announcements and thoughts on conferences in general…
