Yesterday I talked about the state of identity standards with regards to authentication and authorization. Today I’ll cover attributes, user provisioning, and where we ought to go as an industry.

Attributes

The wheel of attributes is roundish. There are two parts to the attribute story: access and representation. We can access attributes… sorta. There’s no clear winner that is optimized for the modern web. We’ve got graph APIs, ADAP, and UserInfo Endpoints – not to mention proprietary APIs as well. Notice I added the constraint of “optimized for the modern web.” If remove that constraint, then we could say that access to attributes is a fully solved problem: LDAP. But we are going to need a protocol that enables workers in the modern web to access attributes… and LDAP ain’t it. As for a standardized representation, we have one. Name-value pairs. In fact, name-value pairs might be the new comma. And although NVP are ubiquitous, we don’t have a standard schema. What is the inetOrgPerson of a new generation? There is no inetOrgPerson for millennial developers to use. But does that even matter? We could take SCIM’s schema and decree it to be the standard. But we all know, that each of us would extend the hell out of it. Yes we started with a standard schema, but every service provider’s schema is nearly unique.

Don’t want to read all of this? Check out the video:

Why do human continually seem to reinvent what they already have? Why is it that we take a reasonably functional thing and attempt to rebuild it and in doing so render that reasonably functional thing non-functional for a while? This is a pattern that is familiar. You have a working thing. You attempt to “fix” it and in doing so break it. You then properly fix it and get a slightly more functional thing in the end. Why is it that we reinvent the wheel? Because eventually, we get a round one. Anyone who has worked on technical standards, especially identity standards, recognizes this pattern. We build reasonably workable standards only to rebuild and recast them a few years later. We do this not because we develop some horrid allergy to angle brackets - an allergy that can only be calmed by mustache braces. This is not why we reinvent the wheel, why we revisit and rebuild our standards. Furthermore, revisiting and rebuilding standards isn’t simply a “make-work” affair for identity geeks. Nor is it an excuse to rack up frequent flyer miles.

A few weeks back I had the pleasure of delivering my ideas for the Laws of Relationships. The Laws are meant to be design considerations to everyone building, deploying, or consumer identity relationship management services. The team at ForgeRock, our hosts at the IRM Summit, were kind enough to video the talks. What follows is both a video of my delivery as well as the slides themselves. I am very much interested in getting feedback on this. I want to channel the response into the Kantara Initiative Working Group that is forming around IRM.

Here it is… week 10 of my new job at salesforce.com. Needless to say it has been a bit of a blur. Part of my gig here is to hit the speaking circuit. I was at the European Identity Conference a few weeks ago talking about killing off IAM and how it should be reborn, and next week I am off to the Identity Relationship Management Summit. I have to say, I am little nervous about speaking at IRM this year… not one, but two of my ex-bosses will be speaking there, not to mention my current one. I have to admit when I first heard the noise surrounding Identity Relationship Management, I cringed, especially when people started referring to it as IRM. IRM sounds way too much like DRM to me and that just leads to bad things. Furthermore, my concerns with what Kantara and ForgeRock laid out was that it didn’t necessarily address relationship management; they presented the needs of modern IAM well but didn’t present the needs of relationship well. However, after many conversations and email threads, I still loathe the IRM name but have come around to the larger mission that Kantara has in mind. Simply put, relationship management is the future of identity and access management.

There’s a little bit of a kerfuffle going on in XACML-land. A non-Gartner analyst made the claim that XACML is dead. Such a claim doesn’t go unnoticed; so Gerry, Anil, Danny, and Remon have all responded that no, XACML isn’t dead. It is not pining for the fjords. It isn’t even zombified.

Anyone can declare a protocol dead. Last year it was SAML. This year, apparently, it’s XACML. Now as someone who killed off the entire IAM industry, I think I’m in a position to comment about this.

Having deprovisioned your previous Pope, you thought your work was done. But just as soon as you’ve settled back into you desk chair you see it - white smoke wafting up from the chimney. It’s time to provision a new Pope!

Step 1 – Meet the new Pope

First things first, go meet the new Pope. Invariably new Popes arrive with panoply of devices that they want connect to continue to be able to use, and this one is no different. You and your CISO take an inventory of all the gadgets the new Pope wants to use: iPhone, Android tablet, Xbox, Chromebook, etc. With list in hand, you’ll have to start working with your security and device management peers on a strategy to quickly get those devices working with your infrastructure. (If the new Pope doesn’t get his time playing WoW: Mist of Pandaria, he gets a bit grumpy.)

Recent announcements got me thinking about how to deprovision executives such as a Pope. Never had to deprovision a Pope before? No worries. We’ve come up with a sure-fire 6 step process guaranteed to help you help your Pope incur a separation from payroll.

Step 1 – Listen to HR

In order to kick off the deprovisioning process, ensure that the user provisioning system can, in fact, know that someone has left the organization; the most common way to do that is to “listen” to the HR system. Got that set up? Good. Oh wait, did HR actually submit his status change to ‘Abdicated?’ Does the user provisioning system actually know how to process ‘Abdicated’ status codes instead of ‘Terminated?’ Say a Hail Mary and proceed to Step 2

I gave this talk a few months ago. I had just finished writing our 2013 Identity and Privacy Planning Guide and was trying to think of a different way to express what I had written. What I came up with was this very very different way to express what I had written. I’d love your feedback. Also, no commas were harmed in the filming of this presentation.

Yesterday’s National Strategy for Trusted Identities in Cyberspace event was a bit of a blur. Really good conversations. Lots of new ideas swimming through my head. Here are some of the highlights: New faces from outside the echo chamber First and foremost, there were a lot of new faces and new companies at the NSTIC event. The NSTIC team did an admirable job of getting companies to the table that hadn’t been there before. There were retailers, energy companies, and banks in the room who had never engaged with the identity community before. This is a huge step forward. As I wrote about last week, participation, specifically relying party participation, is critical to the success of NSTIC. As Senator Mikulski said, “The key to a voluntary system is actually having volunteers.” If the event was indication, there is a new wave of volunteers, willing to participate in NSTIC. Business of Identity The bulk of our conversations yesterday were regarding the business impact of better identity practices. Companies pointed to existing inefficiencies that they can remove from their business simply by starting to accept federated credentials. These sorts of scenarios weren’t particularly complex, which is why they have good chance to succeed. They are simple scenarios with real business impact – exactly the kind of thing identity teams need in order to demonstrate value. What was even better was that these simple scenarios were the stepping-stone to more complex, new business opportunities. Remove inefficiencies, then unlock new business, repeat. We’ll be talking more about these opportunities in future blog posts and in our research. Identity Market Opportunities Abound I noted that there is a huge gap between trust frameworks and the application of identity technology. If I was a medium-sized business, I would have no idea how one related to the other. I would have no idea how different identity services inter-relate and how to best deploy them. What is needed are identity service brokers. An IdSB would take your service-level, level of assurance and confidence, and privacy requirements, then match them to an existing trust framework and select and deliver identity services, likely from different providers that meets your requirements. IdSBs do not exist, but they need to. Carrier-grade Identity An attendee asked “what are the attributes of carrier-grade identity providers?” That’s a puzzler. Just having a really big set of identities doesn’t make you a carrier-grade IDP. But what does? A fellow panelist suggested that attack resilience is a key attribute. Resilience is part of the story but not the whole. I’m not entirely sure we, the market, knows what a carrier-grade identity service looks like… I’m not sure they exist yet. We have lots of product, an emerging array of services, but we don’t have an identity dial-tone for the Internet. It will be interesting to see which business emerge as the telcos of identity. Catching-up and going forward This was just a little sample of the conversations we had. I’ve captured the Twitter stream, which you can check out for a little more detail. So what next? NSTIC’s momentum is definitely picking up. If you want to get engaged, come to our Catalyst conference. Jeremy Grant, director of the NSTIC program, will be giving an update. But more importantly, we are hosting a workshop for NSTIC at which you can sit down with the NSTIC team to talk about what the strategy means to your business and industry, and learn how to participate.

(The following is the statement I’ll deliver today at the National Strategy For Trusted Identities in Cyberspace event at the White House.)

Our way of thinking about identity management is outdated. This outdated thinking poorly reflects the way we interact on Main Street, and it doesn’t fit the needs of people and enterprises trying to interact on the Internet.

On the whole, current thinking regarding identity management is that of the Industrial Era. Enterprises are creating “company towns” for identity. In the Industrial Era, companies, such as Pullman, created towns for their workers to live in, and these towns provided all the services that the employees could use. In today’s identity “company towns,” the enterprise has created your identity, owns your identity, and you cannot use your identity anywhere else – it has no value or meaning outside of “the town.”