May 12, 2008
Neil Macehiter and Neil Ward-Dutton
Software Infrastructure for Business Value
Neil Macehiter and Neil Ward-Dutton of Macehiter Ward-Dutton offer their perspective on key software infrastructure issues, IT-business alignment and related things.


March 12, 2008
Just like buses ...

... you're waiting for an identity management acquisition and then along come three at once. This time it's IBM, which has acquired 40-person, privately-held Encentuate. If you think that Encentuate's size is indicative of gap-filling motivations from IBM then you'd be right. The 7-year-old company is a specialist in enterprise single sign-on (ESSO), which until now IBM has provided through an OEM relationship with Passlogix. Clearly, owning rather than OEMing technology gives IBM greater control of its ESSO destiny, particularly as Encentuate is Java-based, which should help with integration into the broader Tivoli identity management portfolio. In fact, during the announcement briefing the two companies explained how Tivoli Identity Manager is already able to manage Encentuate provisioning (although there are no production customer deployments). This is presumably the result of work that IBM Global Services did with Encentuate at the Singapore Government: the two companies weren't technology partners.

Having said this is largely about filling gaps in the IBM identity management portfolio, Encentuate does bring more than ESSO to the IBM table. The company has done a good job of integrating with a variety of strong authentication solutions and has a rather nifty ability to take physical access tokens (door swipes and so forth) and use them as second authentication factors. Encentuate also has some neat audit and compliance capabilities which IBM will undoubtedly tie into Tivoli Compliance Insight Manager (based on the acquisition of Consul in late 2006). In addition to the technology upside, Encentuate could also help IBM in the healthcare market, where smaller players such as Imprivata and Sentillion have done quite well: there's a good smattering of healthcare customers amongst Encentuate's 80.

Overall a smart acquisition by IBM. I am not so sure whether IBM's Tivoli Access Manager for Enterprise Single Sign-on customers will be quite so happy though. The company has committed to continued support but the next iteration of the product is going to shift from Passlogix to Encentuate. IBM will make it attractive for them to move but replacing identity and security solutions is, by definition, a risky business and I am sure they will have to carefully balance the risks of moving against those associated with sticking with a product which is not going to see further development.

Posted by nmacehiter in Identity Management


More acquisition activity in the identity space

Hot on the heels of last week's acquisition of Credentica by Microsoft, Ping Identity (who I covered here in an On The Radar report) announced yesterday that it has acquired the Sxip Access business unit from Sxip Identity.

Sxip was early to spot the potential opportunity in providing organisations with a simple, easy-to-deploy single sign-on (SSO) solution for software-as-a-service (SaaS). Sxip Access was its response to that opportunity, combining provisioning capabilities with some Sxip hosted services and an appliance. The company had also cultivated relationships with the likes of Salesforce.com and Google (for Google Apps).

The acquisition of Sxip Access is a smart move by Ping Identity. Although it can be used to provide SSO for SaaS, PingFederate (the company's flagship multi-protocol federated identity offering) lacks some of the rapid implementation and deployment capabilities of Sxip Access. Part of the SaaS proposition is that organisations can get up to speed much more rapidly, and authentication and authorisation shouldn't hold that back: Sxip Access should help to make sure they don't. Back in September Ping began to actively target the SaaS opportunity, allowing providers to sell PingFederate-based SSO to their customers and share the revenue with Ping. Yesterday's announcement should accelerate this.

(As an aside, I do wonder whether we might see Ping's SignOn.com user-centric identity offering heading in the other direction, given that Sxip is now fairly and squarely focused there.)

Ping and Sxip, whilst they are comparatively small, punch above their weight when it comes to identity mindshare. I wonder whether this announcement might shake the much larger incumbent identity management vendors, none of whom have really articulated a credible SaaS proposition, into action. It should. SaaS buying decisions often bypass the IT organisation, and the business buyers aren't (and in fact shouldn't be) interested in identity management: they want access. If a Salesforce.com recommends that the customer just needs to get their IT department to deploy this box and hook it up to the existing identity management solution, so be it. Job done. With SaaS increasing in popularity, particularly in the SME segment where the incumbents have struggled to gain a foothold, they need a strong proposition or they will lose out to the likes of Ping.

Posted by nmacehiter in Identity Management

March 06, 2008
A privacy-enhancing acquisition for Microsoft

Microsoft today announced that it has acquired Canadian cryptography specialist Credentica. This news sees Microsoft reverting to its more traditional approach of acquiring small (Credentica is a team of three) specialist technology vendors to plug very specific gaps. In this case, Credentica brings its U-Prove technology to Microsoft's Identity & Access Group to enhance the privacy assurance capabilities of Microsoft's CardSpace and Windows Communication Foundation (WCF).

Credentica was founded by acknowledged security expert Stefan Brands, whose team has applied some very advanced cryptographic techniques to allow users to present credentials to third parties directly, without the issuing identity provider being involved at presentation time, whilst preventing the disclosure of personally-identifiable information and preventing accounts from being linked across service providers. It also provides resistance to phishing attacks. Credentica's own marketing literature highlights the synergies with CardSpace:

The SDK is ideally suited for creating the electronic equivalent of the cards in one’s wallet and for protecting identity-related information in frameworks such as SAML, Liberty ID-WSF, and Windows CardSpace.

This is a smart move by Microsoft. Not only does it bring some very innovative and well-respected technology (with endorsements from the likes of the Information and Privacy Commissioner of Ontario, Canada) which extends the capabilities of Microsoft's identity and security offerings; it also brings some heavyweight cryptography and privacy expertise and credibility from the Credentica team. The latter can, and undoubtedly will, be exploited by Microsoft in the short term; the former will take more time to realise, with Microsoft stating that integrated offerings are at least 12-18 months away.

Businesses and public sector organisations offering B2C/G2C services should be following Microsoft's integration strategy closely as privacy becomes a more significant concern (and thus differentiator).

Posted by nmacehiter in Identity Management

December 19, 2007
Experian partners with Microsoft to develop an identity selector proof of concept

Perhaps it's the run-up to the holiday season, or the fact that the press release came from the UK, that accounts for the lack of commentary on the announcement that Experian has developed a CardSpace proof of concept with Microsoft. This is notable for a couple of reasons.

First it's another of what is still a comparatively rare breed of "real-world" adoptions of CardSpace (Otto in Germany, which I commented on back in September, being another).

Second it sees Experian exploiting the wealth of information it has gathered about individuals, together with its relationships with commerce service providers due to its position as the largest credit checking agency in the UK (it claims to process over 70% of all UK credit applications), to position itself as an identity provider.

In a nutshell, Experian plans to issue individuals with an 'Experian Card' information card. When the individual visits a CardSpace-enabled site, they will be able to present the 'Experian Card' when challenged to provide credentials and other identity-related data. CardSpace (and presumably non-Microsoft identity selector alternatives, such as the Bandit Project's DigitalMe) would then send a request to Experian, acting as the identity provider, to validate the identity and return a signed token to be used by the site, the relying party, to determine whether the individual is who they claim to be.
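The three-party exchange described above, as an added example that is not part of the original post and not Experian's or Microsoft's code. It models only the shape of a managed-card flow: the site publishes a policy listing the claims it needs, the identity selector asks the identity provider for a token scoped to that site, and the site checks signature, audience and expiry before trusting the claims. CardSpace actually uses WS-Trust requests and signed SAML tokens; here a shared HMAC key stands in for the identity provider's signing key, and the card store, site names and claim names are all constructed.

```python
import hashlib
import hmac
import json
import time

# Added illustration; not CardSpace's wire protocol (which uses WS-Trust
# requests and signed SAML tokens). A shared HMAC key stands in for the
# identity provider's signing key, an assumption made to keep this
# self-contained: the IdP signs, the relying party verifies.
IDP_KEY = b"constructed-idp-signing-key"

# Constructed card store: what the IdP knows about the holder of a managed card.
CARD_STORE = {
    "card-42": {"name": "A. Person", "age_over_18": True, "postcode": "SW1A 1AA"},
}


def idp_issue_token(card_id, requested_claims, audience, now, ttl=300):
    """IdP side: return a signed token scoped to one relying party (the audience)."""
    record = CARD_STORE[card_id]
    # Release only the claims the RP's policy asked for (minimal disclosure).
    claims = {c: record[c] for c in requested_claims if c in record}
    body = {"iss": "idp.example", "aud": audience, "iat": now,
            "exp": now + ttl, "claims": claims}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def selector_request_token(site, site_policy, card_id, now):
    """Identity selector: read the site's policy, ask the IdP for a token for that site."""
    return idp_issue_token(card_id, site_policy["required_claims"], site, now)


def rp_verify_token(token, expected_audience, now):
    """Relying party: accept the token only if signature, audience and expiry all check out.
    Returns (claims, status); claims is None on rejection."""
    payload = token["payload"].encode()
    expected_sig = hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, token["sig"]):
        return None, "bad signature"
    body = json.loads(payload)
    if body["aud"] != expected_audience:
        return None, "token issued for a different site"
    if now >= body["exp"]:
        return None, "token expired"
    return body["claims"], "ok"


if __name__ == "__main__":
    now = int(time.time())
    policy = {"required_claims": ["age_over_18"]}  # the site asks for one claim only
    token = selector_request_token("shop.example", policy, "card-42", now)
    print(rp_verify_token(token, "shop.example", now))        # ({'age_over_18': True}, 'ok')
    print(rp_verify_token(token, "other-shop.example", now))  # (None, 'token issued for a different site')
    print(rp_verify_token(token, "shop.example", now + 600))  # (None, 'token expired')
```

The audience check is the part worth noticing: a token minted for one site is useless at another, so a site that receives a token cannot replay it elsewhere, and the name and postcode never leave the identity provider because the site's policy did not ask for them.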

Having a proof-of-concept is one thing but Experian is in a similar position to the first person to invest in a fax machine. They need others to participate if the technology isn't to languish as just an interesting experiment. Experian, because it is already trusted by service providers, is well positioned to get the identity selector ball rolling and according to the press release is

already in discussion with a number of organisations

and

will be in a position to demonstrate it to organisations, with the ultimate intention of launching an Identity Management Service in the near future.

That's only half the story though. The customers of those service providers also need to come on board. Whilst the wallet metaphor of CardSpace is intuitive, we have all grown too accustomed to the username/password/PIN/mother's maiden name ... approach to authentication and I am not convinced by Experian's claims that

there will be enormous demand for such a service from ... consumers

Rather, I think Experian is going to have to encourage service providers to actively promote the identity selector approach, not least because individuals (unless they are using Windows Vista) are going to have to install CardSpace or a non-Microsoft alternative.

I definitely don't want to pour cold water on the announcement. It's encouraging to see the adoption of "user-centric" (a term that I think is going to be bandied about less in 2008) alternatives to traditional authentication mechanisms, given the enhanced usability and security, and I hope we do see a launch with a healthy group of service providers in the near future. Definitely something to watch.

Posted by nmacehiter in Identity Management

November 16, 2007
Roles play a prominent role in identity management this week

Back in September Oracle announced that it had acquired privately-held Enterprise Role Management (ERM) player Bridgestream, continuing its "identity management through acquisition" strategy. With many eyes focused on the company's Oracle OpenWorld shindig this week, Sun also entered the fray with its plans to acquire another leading independent ERM player: Vaau. Role-based access control (RBAC) is hardly new: the US National Institute of Standards and Technology (NIST) initiated standardisation efforts back in 2000 and an ANSI/INCITS standard (359-2004, if you're that way inclined) was published in 2004. So why all this acquisition activity?

As with many things identity management, it's primarily driven by compliance, with a small helping of increased operational efficiency and cost reduction. As well as promising to streamline the provisioning and de-provisioning of entitlements, roles can help organisations to define, enforce and demonstrate those entitlements to address regulatory compliance demands.

The realisation of that potential, however, has proved elusive. Organisations have struggled to identify (!) the roles that they need, and inconsistent management approaches have often resulted in an explosion of roles to the point where there are as many roles as users. The likes of Bridgestream, Eurekify and Vaau, whose offerings provide role discovery, analysis, allocation and provisioning, emerged specifically to address these challenges, creating the identity management sub-market of ERM along the way.
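Role discovery and the role-explosion problem in miniature, as an added example that is not from the original post and not any ERM vendor's algorithm. It performs the simplest bottom-up role mining (users with identical harvested permission sets become a candidate role), refuses to mint a role for a single user so that roles stay fewer than users, reports a roles-per-user ratio as an explosion indicator, and runs a segregation-of-duties check of the kind compliance teams ask for. The entitlement data, permission names and the conflicting pair are all constructed.

```python
from collections import defaultdict

# Constructed entitlement data: user -> permissions harvested from target systems.
ENTITLEMENTS = {
    "alice": {"erp.ap.view", "erp.ap.approve", "mail"},
    "bob":   {"erp.ap.view", "erp.ap.approve", "mail"},
    "carol": {"erp.ap.view", "mail"},
    "dave":  {"erp.ap.view", "mail"},
    "erin":  {"erp.gl.post", "mail"},
    "frank": {"erp.ap.view", "erp.ap.approve", "erp.gl.post", "mail"},
}


def discover_roles(entitlements, min_members=2):
    """Bottom-up role mining: users holding an identical permission set form a candidate role.
    Permission sets held by fewer than min_members users are reported as per-user
    exceptions instead of being minted as roles, which is what stops one-role-per-user."""
    groups = defaultdict(list)
    for user, perms in entitlements.items():
        groups[frozenset(perms)].append(user)
    # Deterministic order: largest groups first, then by permission names.
    ordered = sorted(groups.items(), key=lambda kv: (-len(kv[1]), sorted(kv[0])))
    roles, exceptions = {}, {}
    for perms, members in ordered:
        if len(members) >= min_members:
            roles[f"role-{len(roles) + 1}"] = {"permissions": perms, "members": sorted(members)}
        else:
            for user in members:
                exceptions[user] = perms
    return roles, exceptions


def roles_per_user(roles, entitlements):
    """Role-explosion indicator: a ratio near 1.0 means roles merely mirror individual users."""
    return len(roles) / len(entitlements)


def toxic_combinations(entitlements, conflicting_pairs):
    """Compliance check: users holding both halves of a segregation-of-duties pair."""
    hits = {}
    for user, perms in entitlements.items():
        found = [pair for pair in conflicting_pairs if set(pair) <= perms]
        if found:
            hits[user] = found
    return hits


if __name__ == "__main__":
    roles, exceptions = discover_roles(ENTITLEMENTS)
    for name, role in roles.items():
        print(name, sorted(role["permissions"]), role["members"])
    print("exceptions:", sorted(exceptions))
    print("roles per user:", round(roles_per_user(roles, ENTITLEMENTS), 2))
    # Constructed SoD policy: approving invoices and posting to the ledger must not coincide.
    print("SoD conflicts:", toxic_combinations(ENTITLEMENTS, [("erp.ap.approve", "erp.gl.post")]))
```

Real products cluster on approximate rather than identical permission sets and fold in HR attributes, but the two failure modes shown here are the ones the text describes: with min_members set to 1 every user becomes a role, and the user holding a toxic combination is exactly the one who never fitted a role and got a hand-crafted exception.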

With compliance top-of-mind for many of their customers and prospects, the major identity management suite vendors, unable to respond as rapidly as the nimble ERM start-ups, quickly established partnerships and, in some cases, moved beyond the press release to provide pre-built integration. Sun, for example, provides bi-directional data integration with Vaau (which should help to speed up the post-acquisition integration). With two of the leading ERM players now in the hands of competitors, this leaves the likes of CA and IBM in an interesting position. Their partnership teams no doubt have their eyes (and potentially their wallets) pointing in the direction of Israel, where Eurekify is based.

Some of you may wonder why I didn't include Novell in this list. Had I been writing this post straight after the Sun announcement it would have been. But not long after the announcement I came across this post from an identity management group blog at Novell, which discusses how the company has been building its own role management capabilities, focused on role provisioning, exploiting its directory heritage (discussed in more detail in our assessment here) and partnership with Eurekify for role discovery and analysis. The post's author claims no knowledge of acquisition talks. Then lo and behold, and far be it from me to suggest that Sun's announcement had anything to do with the timing, the next day Novell announced its new Roles Based Provisioning Module.

Of course, a Eurekify acquisition by Novell could still be on the cards, despite the blogger's ignorance of any such discussions, but it seems to me based on Novell's stated strategy that the Israeli company is more likely to end up in the arms of CA or IBM.

The implications for customers are varied. Bridgestream and Vaau customers whose broader identity management suite comes from a vendor other than Oracle or Sun should be a little nervous and should seek concrete assurances regarding ongoing support and integration. Customers of the likes of CA, IBM and Novell who are considering ERM will have to think very carefully before plumping for Bridgestream or Vaau, for similar reasons.

Posted by nmacehiter in Identity Management

September 28, 2007
Has CardSpace become Passport?

Ben Laurie of The Bunker Secure Hosting has a provocative post about the two emerging (and that's important) leaders in user-centric identity: OpenID and CardSpace. He quite rightly points out that at present OpenID's:

popularity is entirely on the provider side. There are no consumers of note.

and that CardSpace:

appears to live in its own little world, supported only by Microsoft products

I think this is to be expected given that we are still in the early stages of both.

Where I find myself disagreeing with Ben, however, is with his conclusion about CardSpace:

So why does this make Cardspace like Passport? Well, the fear with Passport was that Microsoft would control all your identity. The end result was that Microsoft was the only serious consumer of Passport. When Cardspace is deployed such that all providers and consumers of identity are really the same entity, then all its alleged privacy advantages evaporate. As I have pointed out many times before, when consumers and providers collude, nothing is secret in Cardspace (and all other standard signature-based schemes). So, there's no practical difference between Cardspace and Passport right now.

Ben's right about the implications for privacy when those consuming identity information collude with those providing it, but that's not an issue peculiar to CardSpace: as his own parenthesis concedes, it applies to any scheme in which the identity provider signs a token that the relying party verifies.

Even though Microsoft would (and indeed does) agree that Passport was a failure due to the company's control of identity data, I think Ben doesn't tell the whole story. It wasn't just down to control of an individual's identity data. It was also due to the fact that Passport and Hailstorm were designed from the outset to wrest control of identity data from Microsoft's business partners and customers. The same cannot be said of CardSpace, and that's why I believe there is a difference between CardSpace and Passport. There are already examples (Otto in Germany springs to mind) of organisations other than Microsoft using CardSpace and, as I said, it's still early days.

Posted by nmacehiter in Identity Management

June 07, 2007
Shock, horror: Microsoft and Concordia

Microsoft agrees to participate in ID project ... For the first time representatives of Liberty Alliance and Microsoft are going to sit down together ... Microsoft is to meet this month with vendors and organisations that are backing several different identity management systems. The Microsoft meeting suggests that cooperation between the software giant and its peers is improving.

These are just a few examples of the press excitement resulting from the formal announcement of the Liberty Alliance's Concordia project and the news that Burton Group's Catalyst 2007 conference will host a panel discussion between representatives from Liberty, Microsoft and OpenID about identity interoperability. Perhaps it's because I have been following identity so closely over the last few years, but I can't say that this justifies the implication of the headlines that it represents a significant change of heart for Microsoft. Microsoft has been an active participant in (and arguably the leader of) the charge towards interoperable identity solutions for a number of years.

Far more interesting, as far as I am concerned, is what the panel will be discussing. Concordia is initially focusing on gathering real-world use cases some of which will be presented to the panel. With effective identity management so critical to many of the strategic challenges and opportunities that organisations are faced with today, it's time to move away from "vendor sports" and address the needs of those organisations.

Posted by nmacehiter in Identity Management

May 29, 2007
Realising the identity metasystem

It's perhaps unsurprising, given all the brouhaha surrounding Microsoft's claims that open source software infringes on 235 of its patents (which incidentally I take to be largely 'sabre rattling' from Redmond in the face of the implications of the GPLv3 for its deal with Novell, as discussed in the Risk Factors of the latter's recent 10-K filing), that some recent news regarding the Redmond company's very positive collaboration with the open source community has not received the attention it deserves.

The news in question concerns a series of announcements the company made at last week's Interop conference in Las Vegas. These announcements, as the title of the post suggests, all revolve around Microsoft's vision for an Internet-scale, interoperable identity metasystem and range from additions to the Open Specification Promise (OSP) through to support for OpenLDAP with Microsoft's Identity Lifecycle Manager.

So, what did they announce? First, Microsoft is

making the Identity Selector Interoperability Profile available under the OSP to enhance interoperability in the identity metasystem for client computers using any platform. An individual open source software developer or a commercial software developer can build its identity selector software and pay no licensing fees to Microsoft, nor will it need to worry about future patent concerns related to the covered specifications for that technology

In other words, third parties are free to build the equivalent of Microsoft's CardSpace, following the likes of the Higgins project, Ian Brown's Apple Safari Plug-In and Chuck Mortimore's Firefox Identity Selector. This is important not only because it extends the reach of CardSpace-like capabilities beyond Windows but also because it facilitates the consistent user experience (I know because I have used CardSpace, the Safari Plug-In and the Firefox Identity Selector) which helps to reduce errors and misunderstanding by users.

Second, Microsoft

is starting four open source projects that will help Web developers support information cards, the primary mechanism for representing user identities in the identity metasystem. These projects will implement software for specifying the Web site’s security policy and accepting information cards in Java for Sun Java System Web Servers or Apache Tomcat or IBM’s WebSphere Application Server, Ruby on Rails, and PHP for the Apache Web server. An additional project will implement a C Library that may be used generically for any Web site or service. These implementations will complement the existing ability to support information cards on the Microsoft® Windows® platform using the Microsoft Visual Studio® development environment.

Or, to put it another way, doing for back end servers what the first announcement is doing for the front-end: enabling web sites and enterprises running a wide variety of web server infrastructure to support authentication using CardSpace and the other identity selectors.

The cynical amongst you might be forgiven for thinking that these two announcements are just Microsoft paying lip service to interoperability. This post should help to allay your concerns: at the Internet Identity Workshop earlier in May the Open Source Identity Selector (OSIS) group demonstrated interoperability amongst 5 identity selectors, 11 relying parties (the party relying on authentication to prove an identity), 7 identity providers (the party asserting the identity), 4 types of identity token (the mechanism for conveying the identity assertion), and 2 authentication mechanisms. Also, on the same day as the Microsoft press release, Internet2 announced plans to extend Shibboleth, a federated web single sign-on solution based on SAML that is widely used amongst educational institutions, to support CardSpace and compatible identity selectors.

The third piece of news from Redmond last week, concerned the new Identity Lifecycle Manager product and is thus primarily focussed behind the firewall. Microsoft is going to be working with KERNEL Networks and Oxford Computer Group to enable bi-directional synchronisation of identity data between OpenLDAP, an open source implementation of the ubiquitous directory standard, and Microsoft's Active Directory. Identity Lifecycle Manager already supports a wide range of the commonly-deployed identity data repositories so I think this move is primarily in the "playing well with open source" category - but valuable nonetheless.

These announcements are further evidence that the likes of Kim Cameron, Microsoft's chief identity architect, and Mike Jones, the company's Director of Identity Partnerships, have been working hard to foster the relationships and commitment (both from Microsoft and third parties) required to help make the identity metasystem a reality. That reality is too important for the results of those efforts to be diluted by political shenanigans around patents and GPLv3.

Posted by nmacehiter in Identity Management

May 14, 2007
SAP plugs a significant gap - acquires MaXware

Well, better late than never. SAP today announced the acquisition of privately-held MaXware, a supplier of identity management infrastructure. Back in June 2005 I discussed SAP Ventures' (SAP's VC arm) investment in another identity management specialist, Ping Identity, and at the beginning of 2006 I predicted that SAP would enter the identity management acquisition fray. My timing was off but SAP has finally done it. In light of the investment in Ping Identity I was somewhat surprised by the choice of MaXware rather than Ping Identity, but I think geography may have had a part to play: it is going to be easier for SAP to integrate a Norwegian company than one based in the US.

MaXware is hardly a new entrant in the market: the company has been around for over 15 years, initially providing virtual directory solutions. The company has subsequently built on that foundation to add identity lifecycle management, provisioning and federated web single sign-on. As a result MaXware provides SAP with a pretty comprehensive set of capabilities to bulk up its NetWeaver and broader application proposition, particularly when it comes to competing with arch-rival Oracle which has done a good job with acquiring and subsequently integrating identity management capabilities as part of Fusion Middleware.

SAP still has some way to go, obviously, when it comes to actually delivering an integrated proposition. The fact that both companies are European should help. However, I note that SAP does not appear on the list of MaXware partners and the press release doesn't mention "building on the existing strong partnership" or "exploiting existing integration between the companies' solutions" (or other such press release-ese), so it's difficult to gauge the extent of the technology integration work ahead. Customers and potential customers should look for detailed integration roadmaps.

Posted by nmacehiter in Identity Management

May 08, 2007
Sun's OpenID programme: definitely something to watch

Sun yesterday announced:

a new initiative around support for OpenID, a decentralized, web-friendly single sign-on mechanism that allows consumers to reuse a single login across different websites, tackling the "login explosion" problem. OpenID is currently limited to facilitating low-risk transactions such as blog comments. Through its new initiative, Sun is exploring what changes and practices are needed to make OpenID applicable to a broader spectrum of business and IT challenges. The company will actively encourage participation from customers and technology partners through a series of activities and real-life implementations that are initially driven by Sun's Chief Technologist's Office.

It would be all too easy to focus on vendor sports and discuss this announcement in the context of Microsoft's embracing of OpenID at the RSA Conference in February. But I will avoid the temptation (not least because I think the sport wouldn't be much of a spectacle).

I also don't want to join the ongoing debate (at least over at the Identity Gang) sparked by this statement in the press release:

People using Sun-based OpenID identifiers at an OpenID-accepting website can convey in this simple and secure manner that they are indeed Sun employees, a piece of information that can enable access to employee discounts and unlock other special services all across the web.

which confuses authentication with authorisation: contractors may be given Sun OpenID identifiers to access particular services but they are not Sun employees, and what happens if Sun later provides OpenID identifiers to partners while a service provider is still working on the assumption that Sun identifiers have only ever been issued to employees? An OpenID identifier proves which provider vouches for the user; whether that user is an employee is a separate attribute that the relying party needs to be told explicitly rather than inferred from the identifier's domain.

No. It's this statement which captures my particular interest:

As enterprises increasingly open up access to data and services to wider audiences and improve usability, the use of a decentralized technology like OpenID will be an appealing way to manage account proliferation. Integration with existing deployments, which often involve enterprise-ready technologies like SAML and the Liberty Alliance's Identity Web Services Framework will become an essential consideration. Sun is working with customers and partners to combine and converge these technologies to maximize effectiveness.

I discussed the importance of convergence of user-centric and enterprise-centric approaches to identity in our report on identity management. Although there have been some very valuable discussions in the identity community, this has not resulted in much pragmatic guidance for enterprises assessing the implications of OpenID and other user-centric identity technologies behind the firewall. Sun's experiment should hopefully provide some valuable insight. I for one look forward to hearing more.

Posted by nmacehiter in Identity Management

March 21, 2007
Liberty is serious about clients

The Liberty Alliance today announced its Advanced Client specifications which are

designed to allow enterprise users and consumers to manage identity information on devices such as cameras, handhelds, laptops, printers and televisions

For those of you that are so inclined, you can read the specifications here but, in a nutshell, the Advanced Client relies on ID-WSF 2.0 (which I discussed here) to provide the following capabilities:

Trusted Module - protocols which allow a client (be it hardware, software or a combination of the two) that is sufficiently secure to be trusted by third parties to participate in identity-based transactions, e.g. to make identity assertions on behalf of an identity provider even if the client is disconnected from the identity provider

Provisioning - over-the-air provisioning of data and/or functionality to the client

Service Hosting/Proxying (SHPS) - facilities which allow an identity web service hosted on the client, such as an individual's e-commerce profile, to be accessed under the control of the individual (whether or not the client is connected)

These capabilities allow identity data to be provisioned to and stored on a client device, such as a smart card or a mobile phone SIM, and subsequently used in a variety of scenarios, including single sign-on and identity federation. In SSO scenarios, the client can either perform the role of an identity provider (self-asserted) or take responsibility for certain aspects of the SSO process, essentially acting as an extension of a third-party identity provider.
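How a client can make assertions on behalf of an identity provider while disconnected from it, as an added example that is not part of the original post and does not reproduce the ID-WSF Advanced Client protocols. The assumptions are mine: the identity provider and the relying party share a federation key; at provisioning time the (online) identity provider derives a per-module key from that federation key and the module's grant (subject, module identifier, validity) and hands the module the grant and the derived key only; later, with the identity provider unreachable, the module signs an SSO assertion carrying the grant, and the relying party re-derives the module key from the grant and checks the MAC. Module identifiers, subjects and site names are constructed.

```python
import hashlib
import hmac
import json

# Added illustration of the disconnected-assertion idea only; the ID-WSF
# Advanced Client protocols themselves are not reproduced. Assumptions: the
# identity provider and the relying party share a federation key, and the IdP
# provisions the Trusted Module with a key derived from that federation key and
# the module's grant. The RP can recompute the module key from the grant it
# receives, so it can verify assertions the module makes while the IdP is
# unreachable, and the module never holds the federation key itself.
FEDERATION_KEY = b"constructed-idp-rp-federation-key"


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def _canonical(obj):
    # Stable serialisation so IdP and RP derive the same key from the same grant.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def idp_provision_module(module_id, subject, valid_until):
    """IdP, online at provisioning time: hand the module its grant and the key bound to it."""
    grant = {"module": module_id, "sub": subject, "exp": valid_until}
    module_key = _mac(FEDERATION_KEY, _canonical(grant))
    return grant, module_key


def module_assert(grant, module_key, audience, now):
    """Trusted Module, IdP unreachable: issue an SSO assertion under the derived key."""
    body = _canonical({"grant": grant, "aud": audience, "iat": now})
    return {"body": body.decode(), "mac": _mac(module_key, body).hex()}


def rp_verify(assertion, audience, now):
    """RP: re-derive the module key from the grant carried in the assertion, then check the MAC.
    Any change to the grant (subject, module or expiry) changes the derived key and fails the MAC."""
    body = assertion["body"].encode()
    content = json.loads(body)
    grant = content["grant"]
    module_key = _mac(FEDERATION_KEY, _canonical(grant))
    if not hmac.compare_digest(_mac(module_key, body).hex(), assertion["mac"]):
        return None, "bad mac"
    if now >= grant["exp"]:
        return None, "grant expired"
    if content["aud"] != audience:
        return None, "wrong audience"
    return grant["sub"], "ok"


if __name__ == "__main__":
    grant, key = idp_provision_module("sim-0001", "alice@example", valid_until=2000)
    assertion = module_assert(grant, key, "wifi.example", now=1500)   # IdP not contacted here
    print(rp_verify(assertion, "wifi.example", now=1500))             # ('alice@example', 'ok')
    print(rp_verify(assertion, "wifi.example", now=2500))             # (None, 'grant expired')
    forged = module_assert(dict(grant, sub="mallory@example"), key, "wifi.example", now=1500)
    print(rp_verify(forged, "wifi.example", now=1500))                # (None, 'bad mac')
```

The point of deriving the module key from the grant is that the grant's expiry and subject become part of the key material: a module cannot extend its own validity or assert a different subject without producing a MAC the relying party will not accept, which is what lets a third party trust a client it has never spoken to the identity provider about.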

The Advanced Client is the third phase of Liberty's four-phase roadmap for delivering client capabilities, following on from the Liberty Enabled Client/Proxy (which I discussed at some length here and here) and the Active Client, which provides client-based identity web services and SSO capabilities in an untrusted environment. The final phase is the Robust Client, which will add support for multi-factor authentication and mobility of Trusted Modules.

This is not just about dry specifications though. Earlier in the year at the RSA Conference BT, together with HP and Intel, demonstrated an Advanced Client proof of concept (you can download the presentation here - it's a 10MB ZIP file!), with HP doing the provisioning and Intel providing the trusted client environment, based on its Identity Capable Platforms (ICP) technology. The proof-of-concept is based on a Wi-Fi provisioning scenario where an individual subscribes to Wi-Fi on the web and completes the BT-initiated provisioning process using credentials which have been pushed down to the ICP-based trusted Active Client.

As I have said before (and I was as guilty of this as anyone), the work of the Liberty Alliance can be perceived as focusing on server-to-server protocols for enterprise-centric federation. Its work on client enablement, however, provides compelling evidence that this is not the case. With major telco players such as BT, Ericsson, NTT, Nokia, T-Com, Telefonica, Telenor and Vodafone on its membership roster, it's highly likely that its client specifications are going to see significant deployment. Their participation also explains the emphasis on over-the-air provisioning and on the active, trusted participation of the user, both of which are essential for telecom services. With an increasingly mobile and disconnected workforce, this is not just a consumer play, and organisations should be monitoring these developments closely.

Posted by nmacehiter in Identity Management

March 06, 2007
BEA announces strategic partnership with CA: but where does that leave AquaLogic Enterprise Security?

BEA today announced a strategic partnership with CA, which will see the latter's access and identity management solutions (SiteMinder and Identity Manager) integrated with the former's WebLogic and AquaLogic application and service infrastructure platforms.

I agree completely with Wai Wong's (BEA's executive vice president of products) statement in the press release that

Identity and Access Management is critical within SOA

not least because we have said as much in our service infrastructure assessment model and our report on identity management.

Despite this agreement, I am still left a tad confused by this partnership as it is far from clear what this means for AquaLogic Enterprise Security (ALES), which BEA describes as

a fine-grained entitlement management solution that combines centralized policy management with distributed policy decision-making and enforcement. This combination provides management and control of your critical applications

How will SiteMinder integrate with ALES? Will ALES continue to integrate with other identity and access management solutions? Does BEA plan to provide a common policy definition and enforcement framework across ALES and SiteMinder?

We point out in our assessment of BEA's service infrastructure offerings that there are some important gaps when it comes to security and identity management, which explains why BEA felt the need to establish this partnership. However, as well as answering a number of questions from potential adopters, this partnership is going to raise a few more for existing customers with an investment in ALES. I for one look forward to learning more about the two companies' plans to

validate and further extend integration between CA SiteMinder and BEA WebLogic and AquaLogic technologies

Posted by nmacehiter in Identity Management

February 08, 2007
Internet-scale identity systems

If you're interested in what's happening (and there's a lot) in the world of user-centric and federated identity you'll want to know about Microsoft's CardSpace, OASIS' SAML, OpenID and the Liberty Alliance's ID-Web Services Framework (ID-WSF), all of which I have discussed here in one way or another. Given recent developments, it's also important to understand the interplay between these different systems.

Ping Identity (who is not a client) has recently published a very useful white paper, which goes into these issues in some detail. The paper uses the interactions between a user, a service provider/relying party and an identity provider to define a framework which considers the pros and cons of the different systems in terms of the identifiers they support; how they deal with attributes; authentication mechanisms; the flow of identity data and the involvement of the user; trust models and discovery mechanisms. It concludes with a number of use cases which highlight how the systems can be used together in a way which exploits their mutual strengths.

Definitely worth a read.

Posted by nmacehiter in Identity Management

February 07, 2007
Bill Gates says goodbye to the RSA conference - and announces ILM

Bill Gates' keynote yesterday at the RSA Conference was his last. He is handing over to chief research and strategy officer, Craig Mundie, with whom he shared the stage yesterday. Gates marked his departure with a couple of significant identity-related announcements: one primarily focussed at the consumer, the other at the enterprise.

The first concerned a collaboration with the OpenID community, which has been comprehensively and effectively covered by those involved, including Microsoft's Kim Cameron, NetMesh's Johannes Ernst, SXIP's Dick Hardt, JanRain's Scott Kveton as well as OpenID's inventor, Six Apart's Brad Fitzpatrick. In a nutshell, the collaboration focusses on harnessing the benefits of both technologies, allowing individuals to control their own identity through the use of OpenID whilst exploiting the anti-phishing benefits of the CardSpace identity selector technology. The announcement doesn't come as a total surprise since there has been some fairly intensive and constructive debate regarding OpenID and anti-phishing with some valuable contributions from Kim Cameron regarding how CardSpace could help out. I do wonder when and if the Liberty Alliance will join the party.

The second announcement concerned ILM. No, not Information Lifecycle Management - Identity Lifecycle Manager. Microsoft announced the planned availability in May this year of its identity data synchronisation, user provisioning and credential management offering, building on the capabilities of Microsoft Identity Integration Server (based on technology acquired - together with Kim Cameron - from Zoomit). The announcement came as a bit of a surprise to me but is much needed in Microsoft's portfolio of identity management offerings. ILM is pretty comprehensive and will appeal particularly to organisations for whom Active Directory is a key identity data repository. That being said, Microsoft also plans to support directories from the likes of IBM, Novell and Sun (as well as mainframe security systems from IBM and CA and SAP business applications - but somewhat surprisingly Microsoft Dynamics is not listed!). Identity lifecycle and credential management are important capabilities but, as we discuss in our model for assessing vendors' identity management offerings, they are a subset of what is required if organisations are to maximise the business value of their identity management initiatives. It is therefore important that Microsoft extends its positioning of ILM to explain how it fits with its other identity management capabilities. Organisations considering ILM should therefore seek clarification from Microsoft how it fits with its other identity management solutions, as well as those from other vendors.

So although he did not go out with a big bang, Gates did leave the RSA audience with something tangible.

Posted by nmacehiter in Identity Management

February 06, 2007
A couple of notable CardSpace snippets

A couple of interesting CardSpace items of note.

The first comes via Kim Cameron, Microsoft's Identity Architect, and highlights how Otto (a German online retailer) is using CardSpace for its rich client shopping application. The post should be of interest to any organisation considering CardSpace-based authentication since it explains the process through which individuals get a branded card for authentication.

The second comes from Ashish Jain at Ping Identity announcing availability for download of an Apache module to enable CardSpace authentication of Apache-based applications. This should certainly ease the job of organisations using the dominant web server.

With Vista (which bundles CardSpace as part of the .NET Framework) now out of the gate for consumers and enterprises alike, I am sure these are only early examples of what will be an ever increasing amount of CardSpace-related news.

Posted by nmacehiter in Identity Management

February 01, 2007
Symantec's Norton gets all user-centric

I highlighted (with more than a little cynicism) Symantec's Security 2.0 vision back in October. Yesterday, at the DEMO conference, the company announced one element of that vision - its Identity Initiative - and demonstrated the Norton Identity Client.

This is good news for those promoting user-centric identity, given Symantec's solid footprint in the consumer space. Symantec claims there will be support for sites enabled for OpenID and CardSpace and I find myself agreeing with Johannes Ernst's analysis:

This is great news for OpenID. Not having seen the product, I'm not sure how great news it is for CardSpace: the press release can be read to say that Symantec's Norton Identity Client will compete with CardSpace for the same place on users' PCs

A quote from Enrique Salem, Group President, Symantec Consumer Business Unit in the press release:

We have a strong base to build from, with almost half of our active Norton user base already enrolled in a basic Norton Account. We’ll enable our millions of customers to extend the functionality of their Norton Account to manage all their information, all in one place.

raises another question in my mind. Is Symantec creating another identity silo? If all of the user information resides in the Norton Account, how does that relate to other identity providers? Hopefully that will come to light as the Identity Initiative rolls out in the next 12-24 months.

Posted by nmacehiter in Identity Management

January 29, 2007
Interesting developments in open source user-centric identity

A couple of interesting stories related to open source user-centric identity came my way, courtesy of CNET. The first concerns a donation to the Higgins Project from IBM and the second is about some important interoperability announcements to come at this week's RSA Conference.

The Higgins Project, which I have been following closely for the last year or so, is under the auspices of Eclipse and sets out to provide a platform- and identity protocol-independent software framework to aid in the development of user-centric identity management solutions. IBM has donated the results of some work, the Identity Mixer, carried out by its Research Lab in Zurich focussed on enhancing user privacy. Identity Mixer exploits advanced cryptographic techniques so that individuals do not have to provide "real" data to service providers. Instead, they can provide pseudonyms and other credentials which the service provider can verify directly or indirectly to provide the service. So, for example, in an online commerce transaction there is no need to provide a credit card number. Instead, the individual provides an encrypted credential which the service provider sends to the credit card issuer for verification. The credentials are single use in much the same way that the likes of Citigroup and PayPal issue one-time credit card numbers.

This will necessitate changes to the way that service providers and credit card issuers work. However, I think the potential barriers to adoption will reduce as user-centric identity initiatives mature. As more immediate problems, such as the proliferation of usernames and passwords and inconsistent user experiences, are addressed, issues such as privacy assurance will take on a higher profile and individuals will come to demand it.
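The flow sketched above (a pseudonym plus a single-use credential that the service provider forwards to the issuer for verification), as an added illustration written for this post rather than Identity Mixer's own code or cryptography: the issuer mints an HMAC-authenticated, one-time credential bound to a pseudonym and an amount, the merchant never sees the card number, and the issuer rejects any replay. The CardIssuer class, the token format and the sample values are assumptions made for the example.

```python
"""Simplified illustration of the single-use credential flow: the shopper
hands the merchant a pseudonymous, one-time credential instead of a card
number, and the merchant has the issuer verify it. Added example; not
Identity Mixer's actual scheme (which uses anonymous-credential
zero-knowledge proofs). Names and token format are assumptions."""
import base64
import hashlib
import hmac
import json
import os


class CardIssuer:
    """Holds the real card data and the MAC key that authenticates credentials."""

    def __init__(self):
        self._key = os.urandom(32)   # issuer-only MAC key (constructed per run)
        self._accounts = {}          # credential id -> card number (issuer side only)
        self._spent = set()          # credential ids already redeemed

    def issue_credential(self, card_number: str, pseudonym: str, amount: int) -> str:
        """Mint a one-time credential bound to a pseudonym and an amount.
        The card number is stored issuer-side and never placed in the token."""
        cred_id = base64.urlsafe_b64encode(os.urandom(16)).decode()
        body = json.dumps({"id": cred_id, "sub": pseudonym, "amt": amount},
                          sort_keys=True).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        self._accounts[cred_id] = card_number
        return base64.urlsafe_b64encode(body).decode() + "." + tag

    def verify(self, credential: str, merchant_amount: int) -> bool:
        """Issuer-side check on behalf of the merchant: MAC, amount, single use."""
        try:
            b64, tag = credential.split(".")
            body = base64.urlsafe_b64decode(b64)
        except ValueError:
            return False
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False
        claims = json.loads(body)
        if claims["amt"] != merchant_amount or claims["id"] in self._spent:
            return False
        self._spent.add(claims["id"])   # consume it: a second presentation fails
        return True


def merchant_view(credential: str) -> dict:
    """What the service provider can read: a pseudonym and an amount, no PAN."""
    body = base64.urlsafe_b64decode(credential.split(".")[0])
    return json.loads(body)


def checkout(issuer: CardIssuer, credential: str, amount: int) -> bool:
    """Service provider forwards the credential to the issuer for verification."""
    return issuer.verify(credential, amount)


if __name__ == "__main__":
    issuer = CardIssuer()
    cred = issuer.issue_credential("4111111111111111", "shopper-7f3a", 4999)
    print(merchant_view(cred))          # pseudonym and amount only
    print(checkout(issuer, cred, 4999)) # True
    print(checkout(issuer, cred, 4999)) # False: already spent
```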

On a related note, I came across this post from Bill Barnes (a product manager for Microsoft's CardSpace) discussing another potential barrier to adoption of such privacy enhancing techniques: the fact that they introduce additional transaction steps. Bill discusses how CardSpace could help to address this. When a CardSpace user selects an information card associated with their credit card issuer, a credential representing the credit card could be sent to the service provider alongside other information required for authentication and authorisation.

The second story also concerns Higgins, together with the closely related Bandit Project (which I first discussed here). The story is a little light on details but it seems that there will be some demonstrations of interoperability scenarios involving CardSpace and the Liberty Alliance protocols. Definitely something to watch out for.

Posted by nmacehiter in Identity Management

December 21, 2006
Even standards organisations aren't immune to twodotoism

The Liberty Alliance, which does great work in the world of federated identity technology standards, policies, guidelines etc, has succumbed to the 2.0 bug. On the 22nd January it will be holding the "Liberty 2.0" workshop but don't let that put you off. The excellent line-up of speakers (and I am talking from experience) will be covering the Identity Web Services Framework (ID-WSF) which, as I discussed here, addresses user-centric as opposed to enterprise-centric federation scenarios.

ID-WSF is not the only user-centric identity initiative in town, though, so I hope the press release lives up to its promise and will feature experts in OpenID, which is rapidly becoming a significant force. Without interoperability, user-centric identity is a non-starter. In that regard, it's encouraging to note that the Higgins project (see here, here and here) has a slot on the agenda.

If I wasn't in the UK I think it would be worth a day of my time.

Posted by nmacehiter in Identity Management

November 24, 2006
Want to know more about SAML 2.0 and federated SSO?

Then you could do worse than take a look at this animated tutorial from Ping Identity (note: registration required). It explains the interaction flow between service provider (relying party) and identity provider (asserting party), with SSO initiated by either party. Certainly cleared up a few things for me.

Posted by nmacehiter in Identity Management

November 22, 2006
Identity meets SOA

I just came across (well, Neil pointed me to it) this post from Todd Biske, an SOA Enterprise Architect at MomentumSI in which he discusses the implications of a service-oriented approach for identity. Todd raises an important question:

what “identity” is in the context of service security

Identities are not just important to humans’ interactions with IT systems. The advent of technologies such as RFID tagging, the deployment of software services acting as proxies for real people, the proliferation of digital media assets and so forth are leading to the realisation that identity applies equally to the management of access to digital resources.

Coming at this from the perspective of an SOA architect, Todd highlights a number of other important issues:

The problem gets even more complicated when dealing with composite services. If policies are based on system identity, what system identity do you use on service requests?

and

If this wasn’t enough, you also have to consider how to represent identity on processes that are kicked off by system events... Events are purely information. Service requests represent an explicit request to have action taken. Events do not. Events can trigger action, and often do, but in and of themselves, they’re just information. This now poses a problem for identity.

He's absolutely right to highlight these issues. The question is how you deal with them. The first step is to rethink identity management architecture and shift away from a focus on identity management as a set of applications for user management, provisioning, authentication etc. Such a rethink will also address a variety of other challenges and should adhere to a number of core tenets:

- Identity management needs to transition from an architectural approach which is user-centric to one which is identity-centric
- The authentication mechanisms must reflect the levels of risk and the granularity of the resources associated with that risk, without over-burdening the individual
- Hybrid identity data integration approaches are required to combine the benefits of metadirectory and virtual directory technologies, allied with tooling to assist with data reconciliation
- There is a need to authorise access to business functions and information at the level of each service using policy-based approaches to the definition and enforcement of access control requirements
- A federated approach is required for the mediation of the relationships at the heart of identity management, which in turn depends on managing and brokering the trust that underpins those relationships
- Identity management capabilities must be delivered as distributed infrastructure services, which exploit existing services and are defined according to clear contracts which are enforced through policies
- Roles must be modelled at the intersection of identities, entitlements and organisational structures and managed as part of the broader identity management lifecycle.

Posted by nmacehiter in Identity Management

October 31, 2006
The identity metasystem, CardSpace and privacy

I just came across this whitepaper which discusses how CardSpace (formerly InfoCard), together with the Identity Metasystem - Microsoft's vision for an interoperable architecture that allows Internet users to use context-specific identities in their various online interactions - address Internet user privacy.

The paper is worth a read if you're interested in understanding how CardSpace works (it's on its way with Vista after all), both from an architectural and user perspective. Even if you're not particularly interested in the technology, it provides a good summary of the threats to and challenges of privacy assurance as well as EU data privacy law (which as you will find is not just an issue for organisations established in the EU).

Posted by nmacehiter in Identity Management

October 16, 2006
Getting my head around ID-WSF

Last week, the Liberty Alliance announced the final version of its Identity Web Services Framework (ID-WSF) - I briefly touched on ID-WSF back in April when discussing Liberty's approach to user-centric identity. I have to admit, I have always struggled to get my head around ID-WSF, which Liberty defines as providing:

the framework for building interoperable identity services, permission based attribute sharing, identity service description and discovery and the associated security profiles

Liberty has used a variety of resources, from marketing requirements documents to webinars, to help others facing a similar predicament. I put these resources to good use and finally got to the bottom of identity services, permission based attribute sharing and what these might mean in business terms. For all the details, take a look here.

Posted by nmacehiter in Identity Management

October 11, 2006
Higgins secret sauce: it's the data

I have discussed the Eclipse Higgins project on numerous occasions over at the MWD blog (here, here and here for example). I recently had the chance to discuss Higgins with Tony Nadalin, Chief Security Architect for IBM's software group and one of the participants in the project.

The key component of Higgins is the Identity Attribute Service (IdAS), an abstraction layer that is designed to allow developers to access identity data in a variety of repositories (LDAP, RDBMS etc) without having to concern themselves with the underlying data access API. Since first encountering Higgins, I have often wondered why the IdAS is any different from virtual directory solutions - apart from the obvious support within Eclipse - so I asked Tony. The answer is the IdAS Data Model which aims to

provide a common representation for identity, profile and relationship data in order to provide interoperability.

In other words, IdAS not only attempts to mask the complexity of dealing with a wide variety of repositories but also to grapple with differences in semantics, and so provide developers with a common way of thinking about and accessing identity data. The development of a common data model is a significant undertaking and I can imagine the lengthy and no doubt heated debates amongst the likes of IBM and Novell in coming up with it.

Higgins will eventually make its way into "enterprise identity management" solutions from the likes of IBM and Novell (something confirmed to me by both Tony and Dale Olds, one of his counterparts at Novell), so it is definitely worth watching. IdAS and the associated data model should certainly make life easier for the vendors grappling with the proliferation of identity data stores and formats within their own products. It should also help the customers of those products, many of whom are grappling with the fragmentation of identity data I discuss in our identity management report.

Posted by nmacehiter in Identity Management

October 09, 2006
Cyber-Ark and Courion partner

Back in April I called out Cyber-Ark's privileged account management solution and its role in compliance. At the time I highlighted Cyber-Ark's partnership with IBM:

This is not something that is acknowledged, at least in my research, by current identity management players, and it's therefore no surprise that Cyber-Ark has established partnerships with the likes of IBM with Tivoli Identity Manager.

This partnership reflects the fact that privileged account management is really a specialised case of more general account management and so integration with provisioning solutions is an obvious step for Cyber-Ark. The company took a further step, announcing a partnership with specialist provisioning vendor Courion, which will see Courion offering Cyber-Ark's Enterprise Password Vault as an optional add-on to its provisioning solution. This should certainly help to extend the reach of Cyber-Ark and provide Courion with some differentiating capabilities. However, Cyber-Ark needs to make similar inroads with the likes of BMC, CA, HP and Oracle if it is to get on the enterprise identity management radar.

Posted by nmacehiter in Identity Management
