Neil Macehiter and Neil Ward-Dutton
Software Infrastructure for Business Value
Neil Macehiter and Neil Ward-Dutton of Macehiter Ward-Dutton offer their perspective on key software infrastructure issues, IT-business alignment and related things.


November 24, 2006
Want to know more about SAML 2.0 and federated SSO?

Then you could do worse than take a look at this animated tutorial from Ping Identity (note: registration required). It explains the interaction flow between the service provider (relying party) and the identity provider (asserting party), with SSO initiated by either party. Certainly cleared up a few things for me.
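As an added illustration of the two flows the tutorial covers (example code written for this page, not Ping Identity's material or code from the post): a toy relying party that handles both SP-initiated and IdP-initiated responses. An HMAC stands in for the XML signature, and the entity IDs, key and request/assertion fields are all constructed.

```python
import hashlib, hmac, json, secrets, time
IDP_KEY = b"constructed-shared-key"          # stand-in for the IdP signing key (XML-DSig in real SAML)
IDP_ENTITY = "https://idp.example/metadata"  # constructed asserting-party (IdP) entity ID
SP_ENTITY = "https://sp.example/metadata"    # constructed relying-party (SP) entity ID

def _mac(body):
    return hmac.new(IDP_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def idp_issue(subject, in_response_to=None):
    """Asserting party: sign an assertion; in_response_to is None for an IdP-initiated flow."""
    a = {"id": secrets.token_hex(8), "issuer": IDP_ENTITY, "audience": SP_ENTITY,
         "subject": subject, "in_response_to": in_response_to,
         "not_on_or_after": int(time.time()) + 300}
    return {**a, "sig": _mac(a)}

class ServiceProvider:
    def __init__(self, allow_unsolicited):
        self.allow_unsolicited = allow_unsolicited
        self.pending = set()   # AuthnRequest ids issued and not yet answered
        self.seen = set()      # assertion ids already consumed (replay detection)

    def authn_request(self):
        """SP-initiated flow, step 1: redirect the user to the IdP with a fresh request id."""
        rid = "req-" + secrets.token_hex(8)
        self.pending.add(rid)
        return rid

    def consume(self, resp, now=None):
        """Relying-party checks on an incoming response; returns (accepted, subject_or_reason)."""
        now = int(time.time()) if now is None else now
        body = {k: v for k, v in resp.items() if k != "sig"}
        if not hmac.compare_digest(_mac(body), resp.get("sig", "")):
            return False, "bad signature"
        if resp["issuer"] != IDP_ENTITY or resp["audience"] != SP_ENTITY:
            return False, "wrong issuer or audience"
        if now >= resp["not_on_or_after"]:
            return False, "expired"
        if resp["id"] in self.seen:
            return False, "replayed assertion"
        rid = resp["in_response_to"]
        if rid is None:                      # IdP-initiated: nothing to correlate with
            if not self.allow_unsolicited:
                return False, "unsolicited response not accepted"
        elif rid not in self.pending:        # SP-initiated: must answer a live request
            return False, "unknown or already-used request id"
        else:
            self.pending.discard(rid)
        self.seen.add(resp["id"])
        return True, resp["subject"]
```

The IdP-initiated branch shows the trade-off the two flows carry: an unsolicited response has no request id to correlate with, so the relying party has to decide explicitly whether to accept one at all.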

Posted by nmacehiter in Identity Management

November 22, 2006
Identity meets SOA

I just came across (well, Neil pointed me to it) this post from Todd Biske, an SOA Enterprise Architect at MomentumSI in which he discusses the implications of a service-oriented approach for identity. Todd raises an important question:

what “identity” is in the context of service security

Identities are not just important to humans’ interactions with IT systems. The advent of technologies such as RFID tagging, the deployment of software services acting as proxies for real people, the proliferation of digital media assets and so forth are leading to the realisation that identity applies equally to the management of access to digital resources.

Coming at this from the perspective of an SOA architect, Todd highlights a number of other important issues:

The problem gets even more complicated when dealing with composite services. If policies are based on system identity, what system identity do you use on service requests?

and

If this wasn’t enough, you also have to consider how to represent identity on processes that are kicked off by system events...Events are purely information. Service requests represent an explicit request to have action taken. Events do not. Events can trigger action, and often do, but in and of themselves, they’re just information. This now poses a problem for identity.

He's absolutely right to highlight these issues. The question is how to deal with them. The first step is to rethink identity management architecture and shift away from a focus on identity management as a set of applications for user management, provisioning, authentication and so on. Such a rethink will also address a variety of other challenges, and should adhere to a number of core tenets:

- Identity management needs to transition from an architectural approach which is user-centric to one which is identity-centric
- The authentication mechanisms must reflect the levels of risk and the granularity of the resources associated with that risk, without over-burdening the individual
- Hybrid identity data integration approaches are required to combine the benefits of metadirectory and virtual directory technologies, allied with tooling to assist with data reconciliation
- There is a need to authorise access to business functions and information at the level of each service using policy-based approaches to the definition and enforcement of access control requirements
- A federated approach is required for the mediation of the relationships at the heart of identity management, which in turn depends on managing and brokering the trust that underpins those relationships
- Identity management capabilities must be delivered as distributed infrastructure services, which exploit existing services and are defined according to clear contracts which are enforced through policies
- Roles must be modelled at the intersection of identities, entitlements and organisational structures and managed as part of the broader identity management lifecycle.
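An added example (not from the post or from Todd Biske) that models the two questions quoted above alongside the service-level, policy-based authorisation tenet: a composite service forwards the end user's identity while appending its own system identity, each downstream service enforces its own policy, and an event-triggered process runs under a system identity with no end user at all. All names, roles and policies are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Context:
    subject: Optional[str]      # end user on whose behalf work is done; None for event-triggered work
    roles: frozenset            # the subject's roles
    actors: tuple = ()          # system identities that forwarded the request, immediate caller last

ROLES = {"alice": frozenset({"customer"}), "eve": frozenset()}   # constructed directory

# Per-service, per-operation policy: which subject roles may invoke it and which
# system identities are trusted to present (delegate) that subject. "system_only"
# marks work that runs under a system identity alone, e.g. kicked off by an event.
POLICY = {
    "inventory": {
        "reserve": {"roles": {"customer"}, "trusted_callers": {"order-svc"}},
        "restock": {"roles": set(), "trusted_callers": {"replenish-job"}, "system_only": True},
    },
    "payment": {
        "charge": {"roles": {"customer"}, "trusted_callers": {"order-svc"}},
    },
}

def authorise(service, operation, ctx):
    """Policy enforcement at the boundary of one service; returns (allowed, reason)."""
    rule = POLICY.get(service, {}).get(operation)
    if rule is None:
        return False, "no policy for operation"
    caller = ctx.actors[-1] if ctx.actors else None
    if caller not in rule["trusted_callers"]:
        return False, f"caller {caller!r} not trusted for {service}.{operation}"
    if rule.get("system_only"):
        return (True, "ok") if ctx.subject is None else (False, "system-only operation")
    if ctx.subject is None:
        return False, "operation requires an end-user subject"
    if not (ctx.roles & rule["roles"]):
        return False, f"subject {ctx.subject!r} lacks a required role"
    return True, "ok"

def order_service(ctx):
    """Composite service: keeps the user's identity and appends its own system identity."""
    downstream = Context(ctx.subject, ctx.roles, ctx.actors + ("order-svc",))
    return {op: authorise(svc, op, downstream)[0]
            for svc, op in (("inventory", "reserve"), ("payment", "charge"))}

def on_stock_low_event():
    """Event-triggered process: no end user, so it runs under its own system identity only."""
    return authorise("inventory", "restock", Context(None, frozenset(), ("replenish-job",)))
```

Carrying both the subject and the chain of system actors lets each service answer "who is asking, and via whom" rather than choosing a single system identity for the whole composite.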

Posted by nmacehiter in Identity Management

November 16, 2006
Microsoft's Interop Vendor Alliance

I was in transit to Germany when the news of Microsoft's Interop Vendor Alliance winged its way into my inbox and prohibitive WLAN pricing at the conference hotel meant I haven't been able to comment until now.

This is just the latest in a series of interoperability-related announcements from Microsoft, including the formation of its Interoperability Customer Executive Council back in June and the more recent agreement with Novell. These announcements all reflect a growing pragmatism in Microsoft's approach to addressing the concerns of technology adopters, particularly larger organisations awash with a broad range of heterogeneous hardware and software assets: "Integrated Innovation" may be in Microsoft's DNA but reality demands interoperability around the integrated stack.

25 or so hardware and software vendors are currently participating in the Interop Vendor Alliance (why "Interop Vendor", which suggests they are vendors of interoperability?) and, to be honest, the majority of the names are unsurprising - although some of the omissions are - since they are already close partners of Microsoft, including:

* AMD (but no Intel!)
* Centeris (Linux/Windows management)
* Novell (they had to be for obvious reasons)
* Quest (management, including Linux/Unix integration)
* SugarCRM (open source on Windows - no JBoss though)
* Sun Microsystems (a continuation of the 2004 agreement)
* XenSource (virtualisation)

BEA is also there, which is perhaps surprising - until you cast your mind back to last August when BEA acquired Plumtree, whose portal technology (now BEA AquaLogic User Interaction) is equally at home on .NET and Java.

So what's so interesting about a bunch of partners coming together to focus on interoperability? To my mind it's the approach. This is not about the slow, vendor-dominated establishment of interoperability standards for the future. Instead, and no doubt informed by the feedback from the Interoperability Customer Executive Council, the alliance will focus on real-world interoperability scenarios based on deployed technologies, testing of those scenarios and the publication of best-practice advice and guidance.

Good intentions are one thing. Results are another. The alliance is going to have to deliver, or the very people it is trying to address will quickly perceive it as another vendor marketing wheeze paying lip service to their very real requirements. The other key challenge, and perhaps a more significant one, is for Microsoft and mutual customers (the more effective route) to corral the likes of EMC, IBM, Oracle, SAP and many others into the alliance.

Organisations with any reasonable investment in Microsoft technology should at least monitor progress and preferably exert pressure for results and participation from their other strategic suppliers.

Posted by nmacehiter


Take a message, Mr Thompson

A few days ago, a friend of mine sent me an email from his Flickr account, asking me to hook up with him. The surprise to me was that I even had a Flickr account - I created it back in May 2005, probably in a frenzy of pre-2.0 excitement, and hadn't touched it since; indeed, I hadn't even clicked on the "confirm" link in the registration email. But there it is: perhaps I'll get round to using it some time. I sent him a message back, and now we're connected.

But did I send him a message? I know that a communication passed between us, that I would term a "message". It left my outbox and went into his inbox, looking to all intents and purposes like an email. But was it? I have no idea what the underlying technology looks like - whether I created a text stream, an entry in a database, or whether a race of highly intelligent mice tapped the thing out in morse code.

To the point. A couple of weeks ago, Symantec was explaining at its European analyst event, that it was merging its understanding of "secure messaging" to cover both email and instant messaging. This is laudable perhaps - it is absolutely true that more and more business conversations take place via IM, and it is good that the associated risks are being appreciated.

However rapidly email and IM are growing, a cursory glance around the Web suggests that they are only the tip of the messaging iceberg. I have a "messaging" account with Groove; others with WebEx and with LiveMeeting; I can send a message in eBay, in Amazon and in other sites used in companies large and small for procurement and sales; I can converse with colleagues, customers and business partners in Internet Relay Chat, any number of Jabber or Java-based chat facilities, or even Second Life and other immersive environments.

If there is a messaging market, it is fragmenting to a tremendous degree. The fact that I have such a wealth of options means I am more likely to choose the most appropriate mechanism to enable a conversation. And I haven't even mentioned blogs, wikis, discussion boards or other social spaces yet - what are these other than collaborative messaging tools?

The rationale behind integrating the security of email and messaging may be valid, but it forgets that information security is more about porosity than it is about closing stable doors - from a risk management perspective it can be pointless to close one if others are left open. Perhaps John Thompson has created a petard for Symantec by agreeing to coin the phrase "Security 2.0" to define the company's strategy. Symantec has no tools or capabilities to secure online communications outside its quite limited remit: when asked, for example, the company said that it would not have a blogging solution in place any time soon.

This is no idle point. The reasons behind some of the delays in Windows Vista were reported, direct from inside Microsoft, on a blog; as were the details of some up-and-coming products from Apple, who would be delighted to locate the sources of the information. Whether it's a gimmick or a leadership position, companies are setting up shop in Second Life - if nothing else it may become, for some, a virtual golf course, where business conversations can take place away from prying eyes. The blogging world is under constant, unremitting attack from comment spam; meanwhile, blogs themselves are being used ('splogs') to raise the profile of blogs and other sites on search engines. In other words, there are plenty of threats in the 2.0 world, that are currently under-addressed.

If Symantec wants to secure messaging effectively, it needs to start by radically changing what it means by messaging, to cover the exploding variety of communications that are very quickly becoming part of the mainstream. Then, maybe, it needs to plan how it addresses the issues and challenges that these raise, and soon. Otherwise, it may find itself forever fashioning locks too late, for doors that perhaps should never have been left open.

Posted by joncollins in IT Governance


Another SOA podcast with a touch of open source

My latest podcast appearance, together with Dana Gardner, Steve Garone and Joe McKendrick is now available (or you can read the transcript here). This episode focusses on SOA-related news from Oracle's OpenWorld conference, including some of Oracle's Web 2.0 aspirations, and concludes with a discussion of the company's Unbreakable Linux announcement.

Posted by nmacehiter in Architecture

November 07, 2006
With standards, do we get what we deserve?

I've been meaning to blog on this story from the Register for ages, but it got lost somewhere deep in my pile of "blog on these things" messages to myself...

It's no secret that IT industry standards bodies are hotbeds of jockeying and jostling - especially as vendors get ever smarter about ways to use standardisation processes to both make themselves more "open", and keep ahead of the competition at the same time (for an example, see JEE - many of the "enhancements" suggested over the years by the big middleware platform vendors have been engineered to make the resulting standards pretty difficult for small vendors to get certified against. Also, it's no secret that many a proposing vendor will seek to push a standard based on something they've already developed, so giving them a head-start in having a "compliant implementation").

So anything that organisations which buy IT can do to get involved with standardisation processes has to be a Good Thing - helps to keep the vendors honest, and with any luck helps to make sure that new standards actually standardise things that are actually useful. Traditionally some of the big telcos and financial institutions - the companies with the longest and most complicated histories in terms of IT use, in other words - have put time and budget aside to participate. But overall, standardisation efforts are 99% driven by vendors.

Why? Are standards somehow operating outside other market dynamics, which should be driven by what people actually want and need?

Perhaps now, in this time of open source communities, commons and participation, it's time for "users" (what a horrible word) to think about moving beyond contributing code to open implementations, to contributing ideas to open standards?

The Liberty Alliance appears to be a case in point: it has involved big IT users since the outset who've kept the vendors honest - and it is one of the few standards bodies that is driven by use cases.

What do you think?

Posted by neilwarddutton

November 04, 2006
Our thoughts on Microsoft and Novell

The big IT news of the week is obviously the Microsoft-Novell alliance. Take a look here and here for Jon's (before the event!) and my thoughts.

Posted by nmacehiter in IT Service Management
