Thoughts from RSA

Given a little time and some distance from the RSA Conference last week, I feel ready to comment on all the fun.

First, I can’t wait for RSA to be back in San Francisco next year… for a lot of reasons. The “last call at 11:00” on Thursday harked back to drinking in England. 11? Ask anyone in OASIS or the IETF and they’ll tell you, you can’t collude to make a new standard any time before midnight. Bob has an interesting conspiracy theory on why closing time is 11.

Second, RSA is always great for putting faces with names. I got to sit and chat with a bunch of interesting people. Granted, with all the people running around the convention center, it can get a bit overwhelming.

Third, I got to try out some new ideas on a variety of people, from the press to analysts to other vendors in our space. Two things came up in these talks: policy interfaces and the second thing. (The second thing will be a separate post.)

Reading Sara’s post on policy was refreshing. The identity lexicon is a strange one. We use words that have multiple meanings. We use terms to hide the realities of market segments. Policy is definitely high on the list of overused and under-defined terms. Combining some trends I have seen in the market and reflecting on my post about Yet Another Management, I think it is time to highlight another problem with the P word: the management of policy.

Quick, vendors, count how many policy management interfaces you have. I spent last week asking a variety of vendors how many different policy management interfaces they have for their products. I think the average for a decent sized identity management vendor is around 5. (One vendor told me of over 10 different policy management interfaces for their suite of products.) Customers are being overwhelmed with different policy tools. Multiple policy management interfaces from multiple vendors. This wouldn’t be so bad if:

Roles, Courion, a Prediction for 2006, and RSA

Roles, Courion and Trusted Network Technologies

Between Rob and Dave, we’ve started a nice little set of discussions on roles. Since the boss and the CTO have weighed in, I figured it was my turn. Roles have been a touchy subject. The industry has wandered a bit over the years to get to where we are now. I remember when role based access control (rbac) was losing a bit of steam and being upstaged by rule based access control (rbac). I used to tell customers, “NIST has it easy. They don’t have to sell anything. If you find that the first idea you had isn’t working, replace it with a new one with the exact same abbreviation. That way you can change what you are talking about without having to reprint the marketing material.” Now this was back in the day that Access360 and Waveset were going head to head. (Ah… the good old days.)

The industry has grown a lot since then. We (the industry and customer base) are ready to have a more meaningful discussion about role lifecycle management. The US market is starting to come around to roles as new forms of technology can turn role lifecycle management from a painful, expensive task into an ongoing dynamic process. We can talk about bottom-up versus top-down. We can look at the way policy and role definition intermingle in various applications. It is a great time to be working in this space.

Dave’s post on roles as the fuel for something more than identity management and security addresses the real end goal of customers: IT governance. How does a company turn business process into IT operations into operational efficiency? I’m with Dave here in saying roles can help. However, if role definition is static and done in isolation then it is a wasted effort. Enter our announcement with Courion. Between Courion’s ability to mine their data to build roles and our ability to observe identity interactions on the network, we can turn role lifecycle management from a painful, expensive task into an ongoing dynamic process. If the process is not ongoing, then any IT governance decision based on role decisions will be using stale data. If these decisions are not made on valid data from the identity map of the enterprise, then they are made in isolation and will be suspect. Together Courion and Trusted Network Technologies can do role mining in a timely fashion based on the identity interactions of the enterprise.

A Prediction for 2006

It’s a bit late to be making predictions for the year, but better late than never. The Identity Management market is a broad market. It encompasses everything from two-factor authentication to role lifecycle management to federation and beyond. There are, as you would expect, a lot of vendors in this space, with more coming every day. My gut tells me we are going to see more and more of the smaller vendors in this space teaming up to bring better, more meaningful solutions to the market. Instead of having a flurry of market consolidation and large companies acquiring smaller ones, 2006 will be a year of seemingly unrelated companies coming together with products that simply work better together. This space is finding natural resonance with verticals like health care, higher education, and retail banking. Smaller vendors are nimble and can bring joint offerings to these spaces quickly. We’ll see how this prediction pans out as the year progresses.

RSA

Finally, we are headed, along with just about everyone else in the space, to the RSA conference next week. I’ll be hanging around our booth (#1816) along with the rest of our bloggers: Dave, Rob, and Doug. Come on by and say hi. Put a face to the blog entries. Tags: identity, IdM, identitymanagement

Truer words were never spoken

Mark Dixon nailed it with his post on software being only a part of identity management. He sums up with two great points.

1. Accept the fact that Identity Management projects are inherently complex. This is not because the software to be implemented is complex, but that Identity is at the core of how a business is operated. Many people will use the system. Many disciplines must be involved in making it work.

Looking back to look forward: Thoughts on HP acquiring of Trustgenix

So another player in the identity market has been absorbed. HP is acquiring Trustgenix. Reading Andre’s blog entry on this subject got me nostalgic. Maybe it’s the season. Maybe it’s the leftover turkey’s tryptophan.

Being part of the 1st generation of user provisioning tools in the market, and having been acquired by a “suite” vendor, I’ve had a ringside seat to watch the industry expand and contract. There was the first wave of expansion with Access360, Business Layers, Waveset, BMC for provisioning and Oblix, Netegrity, Securant, DASCOM, Entegrity for web access control. There was Courion and M-Tech for password management. Among the meta-directory group you had iPlanet, Novell, Siemens, Zoomit. OctetString and RadiantLogic were there for virtual directory services.

Then there was the first major market contraction. The bubble had burst. We had blown through our cash. The dreams we had of making a squillion dollars vanished… now we had to actually work for our money. In this first major contraction, we saw CA eat Netegrity, who ate Business Layers. IBM swallowed Access360, DASCOM, and Metamerge while Sun consumed Waveset. RSA bought Securant. Microsoft got Zoomit. Oracle bought Oblix and, recently, Thor and OctetString. (The ink has barely dried on this one but I consider it the tail end of the first market contraction.)

As the first market contraction was going on, the second wave of expansion was beginning. This centered around web services, federation, SOA, and the like. In this second wave, there are players like: Trustgenix, PingIdentity, Sxip, SOA Software, Layer 7, Symlabs. We have started to see the second contraction as HP acquires Trustgenix. There will be more to come. The real question is: will the identity suite vendors buy companies from this wave, or will more traditional middleware vendors snatch these players up? Federation and web services deal more with a business interaction as it happens. They deal with identity issues on the fly. Vendors from the first wave focused on the setup and tear down of identity around the business interaction. The BEA Weblogics and IBM Webspheres of the world deal with business interactions in flight and probably are more interested in the second wave vendors than the pure identity suite vendors are.

What’s going on now?

The third wave of identity is rolling along now. The third wave focuses on activity in applications, information governance, identity in the network, and role / privilege analysis. Here we find us, Eurekify, Bridgestream, Prodigen, Tizor, Consul, Virsa, and others. This wave brings a new perspective, an identity-focused perspective, to old subjects like network and application activity. This new perspective was long in coming.

Where is this market going?

We have yet to see a second and third wave of contraction in the market, and we are bound to. The quest for the complete identity suite is winding down as vendors realize how hard it is to stitch together all the pieces they need. Instead of unifying policy tools, we’ll get unified reporting in the name of compliance. Business orchestration tools will consume a lot of the federated and SOA players out there. As one vendor gets absorbed into another, new ones spring up. We are starting to see a lot of activity around reputation, portable identity, Identity 2.0, etc. As this market matures, it keeps getting more and more interesting. Technorati Tag: identity

Attack of the YAMS: Thoughts on the Role Management Panel at Digital ID World

I was thinking about the role management panel at Digital ID World in New York this weekend. My first reaction to the panel discussion, which consisted of BearingPoint, Prodigen, Bridgestream, and Thor, was that roles are finally growing up. The idea that roles require lifecycle management just as identities do is, at first, a little shocking but then makes a great deal of sense.

Working in the enterprise provisioning market for years, I got used to hearing how hard it was to complete a role deployment. At the same time you had Burton Group and others professing the value of roles. Customers were fighting both the difficulties in deploying identity management solutions as well as the difficulties in understanding and leveraging roles. As the industry provided better automation for the provisioning problem, we saw deployment times go down. But roles were still tough to deal with. We are now seeing tools to help truly automate the role lifecycle management problem.

One of the points that was agreed upon by the panel members was that business roles are separate from IT roles. Who I am in a company is very different than my privilege sets in target systems. Some provisioning products attempt to make this distinction. By elevating roles to a discipline that truly needs its own tooling, we will be able to manage that distinction far better than we can today. I do wonder if potential customers will still look at roles as too difficult and not address them appropriately. “Roles are hard. See… they have to have tools to deal with them,” I can hear a potential buyer say. To this, I often respond with a wink, “IT would be simple if we didn’t have end-users.”

My concern with role lifecycle management is not with the concept itself. I think this is a space that was long in coming. My concern is that role lifecycle management is yet another “Management” or YAM. Our industry is full of YAMs. We’ve got the access YAM, provisioning YAM, strong authentication YAM, network security YAM, federation YAM. As we look forward to 2006, I think we are going to see pushback against YAMs. Customers are growing weary of yet another policy tool, yet another reporting tool, and another YAM. I think that some of the false hope in the past market consolidation and the IdM suite vendors was that they would cut down on the YAMs. The dream of a single tool that translated business goals and regulations into their various IdM components (access, privacy, provisioning, etc.) has yet to be realized. I worry that the number of YAMs keeps increasing without unifying language and tooling. I worry that the industry is over-specializing without having generalist tools to link these specializations together.

It’s good to see these vendors working together to tackle the role lifecycle management problem from different sides. In their own way, they are fighting the YAMs. We need more impromptu collaborations between solution vendors, deployment specialists, and visionaries. We need fewer YAMs. With Thanksgiving fast upon us, I leave you with a yam recipe that will leave your guests in a food coma. If we can’t help fight YAMs in our products, we can at least fight yams one fork at a time! Technorati Tags: identity

A me shaped hole in the web and other thoughts from Internet Identity Workshop 2005

There’s a hole in the web

The web has a hole in it. That hole is shaped just like me. Anyone, with sufficient time and desire, could find the scattered bits that make up my composite identity and pour them into the hole. Between Google, Zabasearch, Technorati, del.icio.us and others you could fill the me shaped hole in the web. But then again, I can do the same with the you shaped hole in the web. And if we can do this with free or nearly free tools, just imagine what you can get with a little cash and some research. (Maybe this thought ought to be titled, “How I learned to stop fearing Echelon.”)

So how can I prevent you from filling the me shaped hole in the web? I could attempt to change the shape of the hole. The problem is that in order to do that I have to change myself. Since this isn’t a self-help blog and we really don’t have time to delve into the vast array of my quirks, let’s move on to another approach. What if I could somehow generate more scattered bits about me than could fit in the hole? More me than is really me? If I could flood the usual channels with bogus identity information that was close enough to me to fool the systems that you use to triangulate me and fill the me shaped hole, then I could make it impossible to tell the bogus bits from the real ones. You couldn’t be sure that you really filled the me shaped hole with real me bits. (By the way, I am in no way endorsing some sort of strange identity-based breakfast cereal… Me Bits, Now with more self-asserted claims!)

The best place to hide something is in plain sight. In order to mask myself from the web, instead of trying to remove all my bits from the web, I flood it with more me than is me. (This is starting to sound a bit like Smith from the second Matrix.) What I am rambling about here is a pink noise generator for identity. On an individual basis this is a little impractical. I’d have to spend a bunch of time and effort trying to create the systems to generate a me-flood. That isn’t going to happen any time soon. But what about communities I belong to? Would the hosts of my various communities create the technology to mass produce their members on the web as a value-add? Would you join a group which offered the ability to mask you or your membership from the web by making a you-flood? I have to thank Jan Hauser for the impetus for this one.

I don’t get it

Why are the identity problems of the enterprise so different from the individual’s? It became immediately obvious to me that my past experience in enterprise identity management was not going to be directly applicable to the issues and use cases that IIW2005 was addressing. The identity needs of the individual are clearly different than those of an enterprise comprised of individuals. Fair enough. But why is there such a gap? If you examine an employee in an enterprise, do they have similar identity problems to private citizens? An employee and a citizen (I am using citizen here to represent a regular user like my grandfather) clearly operate in different contexts. I think the SocialPhysics gang would say that this difference in context is the root of the difference in identity needs. It just strikes me as odd that all the good work of Sxip, NetMesh, OpenID, and their kin doesn’t seem to merge with the hard work of Sun, IBM, Novell and their kin. This inside versus outside of the enterprise context really eats at me. This division between the two seems artificial.

Make identity issues meaningful

It’s great that there are groups like the Identity Gang. They care about real, meaningful issues. But those issues that are meaningful to those familiar with them are often hard to explain to outsiders. (And let’s not forget that the outsiders here are 99.999% of web users.) Sometimes you have to turn to outside sources to help explain issues that mean a lot to you. I think that Dick’s presentation is great for doing just that. I also think that this video from Red Versus Blue (sorry for the wmv file) does much the same… with the added bonus of guns, herbal Viagra, and Halo goodness. Enjoy. Technorati Tags: iiw2005 identity

Thoughts on the Internet Identity Workshop 2005 Day 1

Overall, I am really enjoying this workshop. It serves as a great high speed primer for a variety of identity issues and technologies. Some highlights from the presentations so far:

Doc Searls - Identity in the marketplace: The Rise of the Fully Empowered Customer

It’s always good to hear Doc give a talk. His belief that the web is a marketplace, a place for business and culture, definitely has a Diamond Age feel to it. His example of customer freedom from vendor CRM shackles is an interesting one. Though his example of renting a car is certainly valid and demonstrates the reverse nature of our world today, I’d love to get the vendors’ perspective on this. There are a few people from Yahoo in the audience and I am sure that they have some strong opinions about the freeing of identity.

Brad Fitzpatrick - OpenID

Brad put on the best show of the day, by far. It was a very Dada affair full of self-criticism. It was a simple talk about how OpenID works and why it does what it does. A simple tool for a specific problem… frickin’ brilliant. OpenID is a way to prove you own a URL using an identity provider you trust. Fairly simple. I sat there wondering why, when we see a simple solution, we say, “That’s all it does?” Why is it that we seem to always want some grandiose solution to a massive problem? What happened to elegant, simple solutions to problems? For that matter, what happened to problems that can be expressed in a few words and not an onslaught of slides?

Paul Trevithick - Social Physics and The Higgins Trust Framework

Paul and co’s work has led them to the conclusion that there is no identity independent of context. Context is the real king here. Not individual demographic attributes. Not roles. Not protocols. It is the context of interaction between users, trusted parties, vendors, etc. that is the real domain of identity. I applaud the group’s work around creating the Framework. It is an abstraction layer that helps tie the vast array of user information to contexts appropriately. Paul’s honesty on the subject of how hard implementation is was definitely a welcome admission. After hearing his presentation, I was a little annoyed that I hadn’t heard of this before. You’d think, if you have read my Shadows of Identity piece, that I would have already been well versed in Higgins. Nothing could be further from the truth. Strange how things happen sometimes.

Other thoughts:

Although these presentations today do not represent the entirety of the identity world, they are a sketch of the problems and solutions out there. It seems to me that there is so much attention to possible solutions, technologies, protocols, and the like that we are losing sight of the problems we have set out to solve. To me, there are two general classes of problems. First, there are the problems of an individual. How do I manage my identities out there? How do I describe what data about me I will allow to be disclosed? Who can get that data? The second class of problems are relationship-based, where the relations involve more than two parties. How do I share my preferences and needs with an entire market? One question I keep coming back to is, if we figure out a way to solve both classes of problems, who is going to pay for it? Technorati Tags: iiw2005 identity
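The “prove you own a URL” part of Brad’s OpenID talk is worth seeing in code, because the simplicity hides one place where relying parties get it wrong. The following is an added example written for this page, not code from the original post or from any OpenID library. It assumes the OpenID 1.1 message shapes (checkid_setup request, id_res response, signature as base64(HMAC-SHA1) over “name:value\n” lines for the fields listed in openid.signed) and a MAC key that, in a real deployment, the relying party would have obtained earlier through an openid.mode=associate exchange; here the key, association handle, identity URL and return_to URL are constructed for the example. The check a practitioner most wants to see is that a relying party must insist that mode, identity and return_to are all inside openid.signed before trusting the signature, since an assertion signed over fewer fields proves nothing about who logged in.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed for this example: a real MAC key and handle come from the
# relying party's earlier openid.mode=associate exchange with the provider.
MAC_KEY = b"constructed-example-association-key"
ASSOC_HANDLE = "{HMAC-SHA1}{example-handle}"

# Fields a relying party must see covered by the signature before it trusts an id_res.
REQUIRED_SIGNED = ("mode", "identity", "return_to")


def build_checkid_request(identity, return_to, trust_root, server_url):
    """Relying-party side: the checkid_setup URL the user is redirected to."""
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
        "openid.assoc_handle": ASSOC_HANDLE,
    }
    sep = "&" if "?" in server_url else "?"
    return server_url + sep + urlencode(params)


def sign(fields, signed_names, mac_key=MAC_KEY):
    """OpenID 1.1 signature: base64(HMAC-SHA1(key, 'name:value\n' per signed field, in order))."""
    token = "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed_names)
    digest = hmac.new(mac_key, token.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def make_id_res(identity, return_to, signed=REQUIRED_SIGNED, mac_key=MAC_KEY):
    """Provider side (for the demo): a positive assertion sent back to return_to.
    `signed` is configurable only so the demo can show a mis-scoped signature."""
    fields = {
        "openid.mode": "id_res",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.signed": ",".join(signed),
    }
    fields["openid.sig"] = sign(fields, signed, mac_key)
    return fields


def to_query(fields):
    """Encode an assertion the way it arrives on the return_to URL."""
    return urlencode(fields)


def verify_id_res(query, expected_return_to, expected_identity, mac_key=MAC_KEY):
    """Relying-party check of an id_res response. Returns (ok, reason)."""
    fields = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if fields.get("openid.mode") != "id_res":
        return False, "not an id_res response"
    if fields.get("openid.assoc_handle") != ASSOC_HANDLE:
        return False, "unknown association handle"
    signed = fields.get("openid.signed", "").split(",")
    # Whoever composes the response chooses what openid.signed lists. If identity
    # or return_to is left out, a valid signature says nothing about the login.
    missing = [n for n in REQUIRED_SIGNED if n not in signed]
    if missing:
        return False, "unsigned fields: " + ",".join(missing)
    for n in signed:
        if "openid." + n not in fields:
            return False, "signed field absent: " + n
    expected_sig = sign(fields, signed, mac_key)
    # Constant-time comparison so a tampered signature cannot be guessed byte by byte.
    if not hmac.compare_digest(expected_sig, fields.get("openid.sig", "")):
        return False, "bad signature"
    if fields["openid.return_to"] != expected_return_to:
        return False, "return_to mismatch"
    if fields["openid.identity"] != expected_identity:
        return False, "identity mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed URLs; nothing is fetched.
    me, cb = "http://alice.example.org/", "https://rp.example.com/openid/return"
    print(build_checkid_request(me, cb, "https://rp.example.com/", "https://idp.example.net/openid"))
    good = to_query(make_id_res(me, cb))
    print(verify_id_res(good, cb, me))
    print(verify_id_res(good.replace("alice", "mallory"), cb, "http://mallory.example.org/"))
    print(verify_id_res(to_query(make_id_res(me, cb, signed=("mode", "return_to"))), cb, me))
```

The last two calls are the interesting ones: changing the identity URL in transit fails on the signature, and a response whose openid.signed omits identity fails before the signature is even checked, which is the order you want, since a signature over the wrong field set is not worth computing.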

Identity as an unpatched device

So I am sitting here at the Internet Identity Workshop and so far, I’ve been impressed with the quality of the presenters. (I’ll have more on that later.) I was chatting with Dale Olds from Novell and came across the following thoughts. With the rise of the empowered user, as Doc Searls speaks of, we may be facing a major downside. These concepts of user-centric identity are great… if the user actively manages their identity. What happens when this empowered user isn’t actively managing his or her identity? It seems to me that an inactive empowered user’s identity is equivalent to an unpatched Windows machine. Without actively managing my identity, it becomes a great target for not nice people to do not nice things. If we elevate identity to the same status as a domain or device, then we elevate the responsibility of the identity owners. I, as an identity owner, have to maintain that identity: update privacy choices, update demographics, geographic information, etc. I would say that maybe, just maybe, 5% of the overall web population actively maintain their identities. My grandparents, for example, are not part of that 5%. So of the nearly 1 billion web users out there, there are literally hundreds of millions of identities which will not be actively maintained. An unmaintained identity is a prime target for not nice people just as an unpatched machine is a prime target. Will unmaintained identities become weedy vacant lots in the city of the web which nefarious types can use to their own ends? I think so. Which means:

If you meet your identity on the Internet, kill it

Thinking of that Buddhist koan, “If you meet the Buddha on the road, kill him,” I realized it is relevant for identities as well.

If you met your identity, would you recognize it?

When I register at a site I usually use the same username. It helps keep the catalog of things I have to remember to a manageable number. I always get concerned when my choice of username is taken. My first thought is, have I been here before? Did I already register? If so, “who” did I register as? I start scouring through offline emails trying to figure out if I saved the registration notice. 9 times out of 10, I haven’t. The next option is hoping that the Keychain or Password Manager grabs the credentials for me. If the site’s login didn’t get prepopulated there’s little chance either repository has what I need. This leads me to the annoying process of having to register with a different username which I am definitely bound to forget. The first problem is that I recognize my identity based on a login on a site. This is clearly a weak way to link me to the services I want to access on that site.

If you don’t meet your identity, how would you know it?

The following just happened to me. I went to a site to order some software. I know that I’ve used this site before. I know that I have ordered things from them before. But for the life of me I cannot remember “who” I registered as. In this case, the site uses email address as identity. The problem is I have multiple email addresses, some of which changed over time due to takeovers, domain changes, etc. I can search my old emails, Keychain, Password Manager, etc., but I am still left with little to go on to figure out who I registered as. In this case, I can try and use a “Forgot your username / password” service, if the site has it. But what if I am mistaken and, in fact, I have never used the site before? The second problem is that my catalog of registered identities is limited, if it exists at all. Worse yet, that catalog is spread across multiple machines, both personal and work issued.

How do you kill your identity?

I know I have registered at dozens of sites over the years. Some, I’m sure, don’t even exist any more. But those that do have some little piece of my identity information on them. At the very least, they contribute to some of the spam that heads my way every day. I just don’t like the idea that I am not in control of the places my identity lives. Now, I grant you, if I was that concerned I would have kept better records about where I registered and “who” I registered as. The problem is five, eight, ten years ago we simply didn’t have the problems we have now. (Amazingly though, the oldest account I can think of that I have, my CDNow account, did morph into my Amazon account. Let’s hear it for good customer identity management on Amazon’s part.) Quick quiz: how many sites that you frequent let you delete your identity? I think I may have seen one or two in all the sites I have been to. The third problem is there is not a common facility for tracking and deleting an old identity.

And that leaves me where exactly? I don’t have a reliable and complete catalog of my identities. I don’t have a way to discover my registered identity from a given site. And even if I did have a catalog and could find identities I forgot about, I couldn’t prune old identities I no longer wanted out there. To some extent this problem has been solved within the enterprise. Identity Management vendors can maintain the catalog of my identities and can prune identities as necessary. Those solutions, however, will either not work at Internet scale or will not be accepted by end users. We tried to build something like this at Access360 with our Access360.net offering, but that flopped horribly and completely. My gut tells me the solution is more along the lines of Identity 2.0.
I can’t wait for the Internet Identity Workshop next week to hear people’s thought on problems like these. Technorati Tag: identity

Being proactive without acting

After reading about the latest round of attacks against DoD and other government computers, I started thinking about the defensive, reactive nature of the security world. Vendors are consistently on their heels trying to catch up with hackers and crackers. Consumers are consistently running behind vendors trying to deploy security patches, let alone adopt security-based best practices in their own applications. Yes, there are more proactive solutions, especially at the network level, but it’s safe to say that the computing world has yet to achieve a completely proactive stance when it comes to security. Being proactive is hard. As a vendor, there is only so much you can do to stay ahead of the curve, making sure that your code is as well behaved as possible. As a consumer, you are beholden to both the vendor world as well as the particulars of your organization in terms of rolling out patches and new technology. We, as an industry, have to make sure that there are security functions at every layer of our customer solutions. But more than that, those functions have to be able to act in concert. They have to be able to be monitored and audited in a more holistic manner. I feel that an Identity Metasystem is part and parcel of this. We owe it to our customers to create a computing world which is security proactive on its own, freeing the customer to focus on their day to day business.