Posts Tagged ‘identity conference’

Impressions from European Identity Conference 2010

Sunday, May 16th, 2010

Three days of conference plus a workshop day packed full with IAM and GRC topics and even more. The KuppingerCole European Identity Conference EIC2010 was a great success. In my opinion the best EIC I have seen, although there was some confusion and there were unexpected changes that made me miss some of the presentations I was eager to visit. But that can be easily excused looking at the choice and quality of speakers. KuppingerCole again did a very good job in gathering many of the leading heads in Identity Management and GRC. The only thing I missed were people from Google like Eric Sachs, who did a lot in the OAuth and OpenID space over the last few years.

This year EIC was combined with Cloud 2010 and the “Mittelstandsdialog Informationssicherheit 2010”, the latter being held in German. I have counted the occurrences of the word “cloud” in the presentation and panel topics and compared it to the frequency of the word “identity”. The result was: cloud vs. identity 36:39. So the conference was still more of an identity conference than a cloud conference, although my impression was that the most used word was “cloud” and the most seen slide was the one on NIST’s cloud computing definition. When counting the words, I noticed that there are lots of companies that carry the word “identity” in their name, and there was no presenting company with “cloud” in its name. My bet is that this will change next year.

Here are some of my impressions, as always 100% subjective and far from being complete.

4th of May – 1st day. Keynotes, first part. Martin Kuppinger’s opening keynote as usual gave us an overview on the key topics and top trends this year.

The key topics:

  • How to make value out of the cloud
  • How to deal with privacy
  • How to mature to Enterprise GRC
  • How to benefit from convergence
  • How to optimize your investments
  • How to improve information security

The five hot topics in IAM

  • User-Centric, privacy, national eID cards
  • privileged access management integrated
  • versatility and context
  • externalization of all 4 A’s
  • IAM in enterprise architectures

Five hot topics in GRC

  • Closing the loop – from detective to preventive controls
  • information governance – beyond access
  • extending governance for a hybrid IT
  • Enterprise GRC Architectures – bridging the gap between business and IT
  • Organizational development for enterprise GRC

Five hot topics in Cloud Computing

  • Understanding what’s really in for you in Cloud Computing
  • Hybrid Clouds
  • Cloud Mesh-Ups, community clouds, industry clouds
  • cloud governance – services, risks, security and identity
  • cloud resource planning based on service management

The keynotes began with several moments of reflection on non-technical IT topics by presenters like Peter Ligezinzki, CIO of Allianz Investment Bank, and Rainer Janssen, CIO of Munich Re. Interesting to note that the first two keynotes were held by customers, not vendors or visionaries – my impression was that this year the customer side had much more weight, and this was good. Both speakers did not teach us technology but business or even philosophical lessons. Their presentations were titled “It is not enough” and “What business has to learn so that IT can align”.
The next presentation was held by John Hermans, KPMG: “Trust in the Cloud”. He mentioned that cloud is really the first business driven shift in the computing paradigm, the shift from CAPEX to OPEX. He also mentioned the difficulties auditors have with auditing cloud providers because of missing standards, as SAS 70 Type II is not applicable to services like Salesforce.

Then Dave Kearns gave an overview of the development of access control from the 70’s till now: from control by a person sitting at the entrance who knows you, a badge with photo still checked by a real human in the 80’s, a badge with no photo and automatic control by card readers in the 90’s, to all the access control technology the 21st century gave us. He described the convergence of data governance and access governance into information governance but pointed out that convergence is not the answer to everything – but worth a try.

After the coffee break Kim Cameron, Microsoft, announced that ADFS 2.0 will be released on 5th of May and gave us an outlook to the next frontier: the federated directory which he named “federated interscalar directory”.

Darran Rolls, SailPoint, described the next generation of provisioning, which is more business centric: “Learn from BPM more than just workflow”. Provisioning will be model based: “build models – you have to know what you want to achieve, not just build a role model”. The next generation should also be last-mile agnostic and should support multiple fulfillment processes, bridging the business process to the technical process, no matter which provisioning product is used. He also said he wishes to replace the overloaded term “provisioning” with “identity change management process”. These thoughts were present in many talks and underlined that identity management is trying to climb to the next level: farther away from technology and approaching business.

Sabine Erlinghagen from Siemens gave an overview on the opportunity national ID documents have in driving eBusiness applications.

Gerry Gebel, former identity analyst at Burton Group and now president of Axiomatics in the US, gave interesting thoughts on IAM governance as a Six Sigma oriented business management strategy which aims to improve the quality of process output, provides discipline for IT planners and speeds up the decision making process. He also mentioned that with XACML 3.0 a delegation model will be defined that is of particular interest for SaaS applications. XACML 3.0 will be finished later this year. Gebel’s “architecture anywhere” will be built upon XACML, SAML and STS.

5th of May – 2nd day

Today I followed the tracks “Mitigating Risk” and “Linking IDM & GRC to corporate performance”, moderated by John Hermans from KPMG in his special way of challenging the panelists. He was asking questions like “Can you do GRC without IAM?”, which was answered with: yes, you can do that, but a manual process can be effective but not efficient; it is a matter of cost. Another question was “When will the IDM & GRC product vendors be rich?” Panelists agreed that it depends on education and on the mandating of law. One speaker quantified the time span as 2 years, others as 7 years and more … In most of the presentations on IDM & GRC people agreed that the way to go is a more business process oriented one and not a technically focused one.

In the afternoon I visited the track “Authentication and Authorization” with presentations by Fulup Ar Foll and Vittorio Bertocci, two kinds of characters you should not miss when visiting EIC. Both were talking about “Attribute Centric Identity Architecture” or, in Microsoft parlance, “Claims based Identity and the Cloud”. Fulup was provoking the audience with statements like “If the IT were architected correctly you don’t need provisioning software”. What he meant is that a better way would be to deliver user attributes with each request and to deliver only as much information as you need for your access.

One of the highlights of EIC2010 was a very motivating keynote by André Durand from Ping Identity. I remember his words from EIC2008 when he was asked how Ping as a niche vendor could survive between all these big players like IBM, Sun, Novell and Oracle; he answered: “we will see whether we are still here in 2-3 years”. After being absent last year at EIC2009, he returned this year, and in what a self-confident way, with statements like “Our business is eliminating passwords. We will be long in business as there are many passwords” or “Enterprises must stand up for standards” that led http://twitter.com/winemaker to tweet “Andre Durand for president”. Besides these strong quotes, his presentation “Identity in the Cloud – Finding Calm in the Storm” pointed out that federation is the solution, with

  • SAML & OpenID for authentication and SSO
  • WS-Trust for delegation
  • XACML & OAuth for authorization
  • SPML & PoCo for provisioning
  • A6 for audit

Unfortunately I wasn’t able to talk to him, as it seems he flew in to deliver his fulminant keynote, celebrate a Ping Party and then flew out.

In the next keynote Dale Olds of Novell described 3 trends:

1. identity-based security is increasing in importance
2. SaaS and IaaS are converging to PaaS
3. cloud providers are becoming identity providers (federation hubs)

He also presented a survey that showed customer demands in SaaS. To the question “which security capabilities are customers asking SaaS providers about?” the survey resulted in the top three topics:

  • Single Sign On
  • Audit tracking in SaaS
  • Provisioning of users to SaaS apps

with all three requested by around 50% of respondents.

The last keynote of the day was held by Dirk van Rooy, Head of Sector Trust and Security of the European Commission, who presented the programs the EC is working on and planning for the future, like the European internet future portal and a digital agenda for Europe, of which a draft can be found by googling. He also mentioned the European Commission ICT conference on 27 September 2010 in Brussels.

It is really a great achievement of KuppingerCole and a demonstration that they succeeded in putting together very interesting speakers, not only from the vendor space.

The day finished with the presentation of the Winners of the European Identity Award 2010:

Category: Best Innovation
Shared by Microsoft and IBM for their solutions “U-Prove” and “Idemix” and Wipro Technologies for their IAM appliance solution based on Novell software.

Category: Best Internal Project
Shared by Şekerbank T.A. of Turkey for a solution developed together with Smartsoft and Oracle,
Hannover Municipal Works based on a product supplied by Voelcker Informatik,
Schenker AG in conjunction with IC-Consult and technology from IBM.

Category: Best Project B2C
Shared by University of Washington together with Microsoft,
Catholic University of Leuven for a solution linked to SAP,
Kassenärztliche Vereinigung Bayerns with the help of Devoteam Danet

Category: Best Project B2B
Shared by BMW together with Omada and Microsoft,
Thomson Reuters solution based on Microsoft Identity Foundation,
Finnish State Railways Group with the help of RM5 Software

Category: Best IAM Project in Cloud Computing
Shared by Orange FT Group of France, BasisOne from South Africa and
Piaggio Group

Category: eHealth and eGovernment
University Clinic Munich solution developed with Siemens,
German Ministry of the Interior’s electronic identity card project (“neuer Personal-Ausweis”, or “nPA”).

More on awards http://www.kuppingercole.com/articles/award2010

6th May – 3rd day

The last day started again with very interesting keynotes, held by Tim Dunn from CA, who presented a worldwide survey on cloud computing. One of the questions 1000 enterprises were asked was about the reasons for migrating IT to the cloud: 70% of the respondents answered “reduced costs”, 57% “faster deployment time” and 56% “increased efficiency”. The survey also pointed out the difference between European and US customers in their approach to cloud computing: Europeans do more sandbox testing of cloud apps and proceed in a more controlled preproduction manner. In the US it is more business driven; customers are finding services almost by accident. He concluded with “cloud computing is on the hype curve and it will happen fast with or without security. We better hurry and do it WITH security”.

Jackson Shaw from Quest Software presented “The most valid wins of IAM” which are

  • Save money, REAL ROI != vendor roi table
  • Generate money
  • improve efficiency of the majority != IT staff
  • improve compliance, anything which reduces the time to audit is good

He developed an IAM Report Score Card:

  • password sync, self service: A
  • web SSO: A – needs to work smarter, it is a biz enabler; vendor lock-in, proprietary authz, federation?
  • consolidation: B+ – consolidate into a central directory like AD, true SSO
  • strong auth: B – not paying attention
  • federation: C+ – shows promise, still a long way to go; why buy if ADFS is free?
  • provisioning: C+ – needs improvement; his opinion: still 1.0? Not so good in complicated scenarios and high costs for implementation; just-in-time provisioning needed, still a lack in that area
  • privileged account management: C – good in Unix (starts with sudo), becoming mainstream because of the GRC play; cloud makes it difficult; what to do with scripts and apps with passwords inside?
  • entitlements, authorization, RBAC, IT-GRC: incomplete

For me the day continued with tracks on “Roles & Attributes”, “Single Sign On Identity Federation” and “Identity Assurance”. Lots of interesting best practices and customer experience but I should stop writing here as this is a blog and not a book …

Just one additional thing. The conference ended with another provoking keynote by Sachar Paulus. One point of his presentation was his answer to “Cloud – What is in it – for YOU, Personally?”:

  • For corporate users: prepare for a big storm
  • For vendors: prepare for a much smaller market
  • For integrators: prepare for more work to do

Which is good news for the consulting business, isn’t it? The last word went to Tim Cole, who did an excellent job of moderating and who counted his and his colleagues’ takeaways:

  • IAM and GRC escaping from technical to business
  • ID assurance getting exposure it deserves
  • Cloud computing becomes reality
  • Cloud changes both business models and technology

7th May – Workshop day.
As usual the week of IAM & GRC ended with a day of workshops.

Wrapping up: It is obvious that identity and cloud computing are hot topics that cannot be separated. The KuppingerCole European Identity Conference 2010 again was a must for people interested in Identity and Access Management, GRC and Cloud Computing. The conference is a “feel good” conference in very good surroundings. We are looking forward to EIC, or better EICC 2011 (European Identity and Cloud Conference), which will be held in Munich but not in the Deutsches Museum, since the conference rooms will be closed for renovation.

Impressions on European Identity Conference 2009

Saturday, May 9th, 2009

European Identity Conference 2009

Listed in reverse chronological ordering and with focus on SSO, federation and authorization topics.

My conclusions:

A very well organized conference from Kuppinger Cole and partners. Many distinguished people attended, presented and discussed in panel sessions. Visiting the conference is a must, as it is the leading identity conference in Europe. Many thanks to Kuppinger Cole for organizing it.

After returning home, my personal impression this morning is that I had been traveling to Babylon. I heard many people speaking about GRC (governance, risk, compliance), claims and attributes, authorization and externalization of authorization decisions, RBAC and ABAC and XACML, not to mention DABBOPDS (differentiated app behavior based on permission data sharing). Is this the way to go? In most of the keynotes I visited on GRC the presenters were giving their best to answer what GRC is, especially in the context of IAM. Have we seen a satisfying answer? In the presentations on Geneva it was always necessary to clarify what “claims” are and how claims differ from attributes, if they differ at all. I noted the best definitions I heard:

  • a claim is an answer to a question someone would ask to grant you access to something
  • a claim is a rated attribute
  • a claim is a statement about someone made by somebody else; in some special cases someone and somebody else can be the same person …
  • a claim can be a privilege or a simple attribute or it can be a role

I guess we are somewhat away from mutual understanding. I’ll go with Tim Cole’s ruminative closing note, where he asked: how can the identity challenges be solved for the cloud if today there are so many unanswered questions in the “small” enterprise world? Elaborating it a little bit more, I would say we are making it hard for ourselves if we do not come to a simpler and clearer approach. I guess simplicity is key, more than ever.

Looking in more detail at the SSO and federation field: when we started SSOCircle in 2006 we were convinced that the federation protocols had finally converged into SAML 2.0 and that it was just a matter of time for the mainstream breakthrough. Basically SSOCircle has always had the ambitious goal of helping to accelerate the take-off process. Reflecting on the last three years, we saw OpenID skyrocketing from scratch, which had a good reason: simplicity. With OpenID 2.0 we notice this advantage going away and it becoming even more complicated than SAML. Now we are facing interesting times with the coming Geneva server, which plugs into Active Directory, pushing the infocard technology, and with Microsoft becoming collaborative and supporting SAML 2.0. Considering the market share of Active Directory and the very pragmatic approach of Microsoft, which leaves a lot of problems unsolved for the moment (thinking of the missing solution for storing infocards for roaming users, or that there is no way of combining claims from different infocards), there is a good chance of success. I am comparing this to the discussions around the https and shttp protocols in the mid 1990s, where many people had many reasons why shttp was the better solution for securing web traffic, but Netscape pushed https through due to their browser market share at that time and the simplicity HTTP over SSL had and still has. Without https the commercial internet would not be where it is now. I am curious to see the impact the release of Geneva will have. RTM is expected for the second half of 2009. Maybe the European Identity Conference 2010 will be the right moment to make an early benchmark.

Now you’ll find some comments on some of the sessions I have visited in reverse chronological ordering:

day 4: workshop day

Friday was dedicated to workshops on several topics. One of them was on XACML, held by Babak Sadighi and Ludwig Seitz from Axiomatics. A very didactically structured training that started with an introduction to access control lists, capability lists, group based, role based and attribute based access control. Sadighi pointed out that the difference between role and group based authentication is “role activation”, which means that you can dynamically decide to act in a specific role. They then dug further into the XACML 2.0 standard and the additions XACML 3.0 (currently in draft) will bring, basically the concept of hierarchical administrative policies that help leverage administrative delegation.

day 3

Dipping into the world of identity systems and claims: Vittorio Bertocci from Microsoft answered the question of the definition of “claims” with: a claim is the answer to a question somebody would ask you to allow you access to a specific task. It can be a privilege or a simple attribute. Ariel Gordon, Microsoft, detailed that after I asked him about the difference between a claim and an attribute. He said a claim is a rated attribute. In their presentation, Liam Lynch and Upendra Mardikar described the shift from identity 1.0 to identity 2.0, where in their understanding behavioral checks and reputation play a major role in authentication and authorization. He mentioned that eBay has to evaluate 20 TByte of logfiles a day to do risk analyses. A “real time” behavioural analysis might ease this problem. He encouraged participation in the cloud security efforts that you can find at cloudsecurity.org.

A panel session moderated by Dave Kearns discussed the topic of authentication beyond passwords: tokens, biometrics and others. These methods all have their pros and cons. From case to case one has to decide what the value of the protected resource is to justify the method used. A good way would be to have a single sign-on solution protected by strong authentication to limit the number of tokens used and to reduce the overall costs, Jackson Shaw of Quest Software mentioned. By the way, this is one idea behind SSOCircle. There you can find authentication methods ranging from user name/password, X.509 certificates in software or hardware tokens and OTP tokens to Swekeys and soon the award-winning YubiKey. The topic led to the next panel on context based authentication, where Dave Kearns was asking the 6W+1H question of who, what, when, where, which, how and why that may have influence on the decision of authorizing access. While the first six may be answered by technical means, there is still the question of why a user is doing a specific action. Another proof that the big questions of IAM cannot be answered by technical means alone.

In Tim Cole’s closing note he asked the question: how can the identity challenges in the upcoming cloudy IT be solved if today there are so many unanswered questions in the “small” enterprise world? He is asking who will be the Google in the identity context. Google? A little pity that Google wasn’t present to demonstrate their vision of cloud identity. We are all looking forward to finding answers to the open questions. A great conference. Well done Kuppinger Cole & Partners.

day 2

Felix Gaethgens gave an overview on the mess of authorization and entitlement management today, which ranges from role based authorization (RBAC) to attribute based authorization (ABAC), in which XACML is the most prominent representative. His presentation was the foundation for the succeeding talk and a very interesting panel discussion. It was emphasized that the role based model is too coarse to be applied to all business rules; one example was given: an employee of an insurance company who is also a customer became ill, and a colleague of hers sitting next to her in the same office had access to her medical record in her business role as insurance consultant. There is a need to take context into account to decide whether a person should be authorized for a particular action. This leads to a very fine-grained definition of elementary claims/attributes and not to the definition of uncountable roles by combining all variants of claims into new roles. Another eye-catching aspect is the externalization of entitlement management from within an application to a central system. This is a point all speakers agreed on, but obviously such an architecture raises the question of performance: how can an application work efficiently if for a single task it has to request hundreds of attributes and policies? This is where things become unclear and unsolved. The same applies to the question of how XACML can solve the problem, as it is a policy language but doesn’t solve how to access the policies. There need to be different solutions according to the problem and the audience: there should be a solution for simple internet based web 2.0 applications in a very simple, say RESTful, way, and there must be more sophisticated solutions for environments like the financial industry etc. APIs are definitely not the preferred way here.
But all participants agreed that there would be at least an improvement if all vendors worked together and put their applications on the same foundation of a policy language like XACML. Seems like a simple, obvious first step. But in reality it seems to be a difficult one.
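The insurance example from the panel above, and the 6W+1H context question from the day 3 panel, can be made concrete with a small decision function. The following is an added example written for this post, not code from the conference, from Axiomatics or from any XACML product: it contrasts a role-only check with an attribute/context-based policy combined deny-overrides, in the spirit (not the syntax) of XACML. The insurer, the users Anna, Bob and Carla, the customer id and the purpose strings are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample domain: an insurer whose employees can also be customers.


@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: frozenset
    customer_id: Optional[str] = None   # set when the employee is also a customer


@dataclass(frozen=True)
class Resource:
    kind: str                  # e.g. "medical_record"
    owner_customer_id: str     # the customer the record belongs to
    assigned_consultant: str   # user_id of the consultant handling this case


@dataclass(frozen=True)
class Request:
    subject: Subject
    action: str
    resource: Resource
    purpose: str               # the "why" of the 6W+1H, supplied by the application


# RBAC: the permission hangs off the role alone, so every consultant gets it.
ROLE_PERMISSIONS = {
    "insurance_consultant": {("medical_record", "read")},
}


def rbac_decide(req: Request) -> str:
    for role in req.subject.roles:
        if (req.resource.kind, req.action) in ROLE_PERMISSIONS.get(role, set()):
            return "Permit"
    return "Deny"


# ABAC: rules over subject, resource and context attributes, combined deny-overrides.
@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                          # "Permit" or "Deny"
    condition: Callable[[Request], bool]


def _is_record_read(r: Request) -> bool:
    return r.resource.kind == "medical_record" and r.action == "read"


POLICY: List[Rule] = [
    Rule("consultant-reads-assigned-case", "Permit",
         lambda r: _is_record_read(r)
         and "insurance_consultant" in r.subject.roles
         and r.resource.assigned_consultant == r.subject.user_id
         and r.purpose == "claim_processing"),
    Rule("customer-reads-own-record", "Permit",
         lambda r: _is_record_read(r)
         and r.subject.customer_id == r.resource.owner_customer_id),
    # Anyone who is neither the assigned consultant nor the data subject is denied,
    # whatever role they hold: this is what catches the colleague at the next desk.
    Rule("nobody-else-touches-records", "Deny",
         lambda r: r.resource.kind == "medical_record"
         and r.resource.assigned_consultant != r.subject.user_id
         and r.subject.customer_id != r.resource.owner_customer_id),
]


def abac_decide(req: Request) -> str:
    """XACML-like result: Deny overrides Permit; no matching rule is NotApplicable."""
    effects = {rule.effect for rule in POLICY if rule.condition(req)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def enforce(req: Request) -> bool:
    """PEP semantics: only an explicit Permit opens the door."""
    return abac_decide(req) == "Permit"


def scenario() -> Dict[str, str]:
    """The panel's example: Anna is consultant and customer; Bob sits next to her."""
    anna = Subject("anna", frozenset({"insurance_consultant"}), customer_id="C-1001")
    bob = Subject("bob", frozenset({"insurance_consultant"}))
    carla = Subject("carla", frozenset({"insurance_consultant"}))
    record = Resource("medical_record", owner_customer_id="C-1001", assigned_consultant="carla")
    return {
        "rbac_bob": rbac_decide(Request(bob, "read", record, "curiosity")),
        "abac_bob": abac_decide(Request(bob, "read", record, "claim_processing")),
        "abac_carla_case": abac_decide(Request(carla, "read", record, "claim_processing")),
        "abac_carla_curious": abac_decide(Request(carla, "read", record, "curiosity")),
        "abac_anna_self": abac_decide(Request(anna, "read", record, "self_service")),
    }


if __name__ == "__main__":
    for name, decision in scenario().items():
        print(f"{name:20s} {decision}")
```

The role check permits Bob because he carries the same role as Carla; the attribute rules deny him because the request-level facts (who is assigned, whose record it is, why it is being read) are part of the decision. Note that the policy returns NotApplicable, not Permit, when Carla reads her own case for an unrecognised purpose; the enforcement point must treat anything other than Permit as a refusal, which is the performance trade-off the panel raised: every decision needs those attributes fetched.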

In his presentation on real life federation deployments Chris Harvison from Scotiabank explained the difficulties they faced in utilizing federation in the Canadian banking sector and how difficult it is to convince service providers to implement federation protocols, as these companies do not see this as their core business. He mentioned that only an agreement between the Canadian banks (fortunately there are only 4 chartered banks) finally forced the service providers to do so. The same applies to an effort within the German automotive industry where companies formed the SESAM project, as Wolfgang Jodl, BMW, mentioned in his session. Harvison also mentioned how the virtual federation concept of OpenSSO and the Fedlet eased their efforts. Daniel Raskin added that the Fedlet is supported through OpenSSO enterprise support. So if a company with a support contract gives the Fedlet to a partner, the partner can call Sun and receive support. By the way: an SSOCircle Fedlet will soon be downloadable from our download site. Besides our CGI and lightbulb samples this is another way to easily integrate with SSOCircle.

Joost van Dijk gave another presentation of a successful deployment: the SURFfederatie project, a federation service for Dutch higher education. As they had formerly developed their own federation protocol, A-Select, and they didn’t want to limit the federation to a single protocol, they deployed a federation protocol gateway based on PingFederate. They provide their offering as “identity as a service”, which leads to the next panel session on IaaS. Up to this point I was missing participants from Ping. Last year Andre Durand and Patrick Harding were attending, and I remember Andre Durand’s words when he was asked how Ping as a niche vendor could survive between all these big players like IBM, Sun, Novell and Oracle; he answered: we will see whether we are still here in 2-3 years. With contentment I noticed that Marc LLerandi from Ping Identity was taking part in the IaaS panel session. Actually IaaS is something SSOCircle has been pushing for more than a year by introducing IDPee, a hosted IDP. The advantages are obvious: leave the complexity of operating and managing an identity provider to specialized providers and save money and hassle. We will see how this business evolves when people get used to the idea of outsourcing their identity management. Good luck to all these pioneers.

European Identity Award winners:

  • Best innovation in IDM: Yubico, AXSionics, Sun Microsystems (OpenSSO Fedlet), Microsoft (Geneva Framework)
  • Best new or improved standard in IDM: OAuth, ArisID, Information Card Foundation
  • Best Project in the last 12 months: Internal use of IDM: Deutsche Bank, ECCO Sko A/S, Helvetia Insurance, Enel SpA
  • Best Project in the last 12 months: B2B use of IDM: Citi, SwissGrid, BankId
  • Best Project in the last 12 months: B2C/eGovernment use of IDM: Ministry of Interior Czech Republic, London Borough, Stadt Koeln

day 1

Tuesday morning I am faced with two problems: a long 4 hour drive from Frankfurt to Munich early in the morning and then, after arrival, the decision where to go at the conference. For the first point I might appeal to Kuppinger Cole to change the conference location to Frankfurt. The latter is certainly nothing I can blame Kuppinger Cole for: it comes from an excellent conference program with many choices.

At the OpenSSO community meeting Daniel Raskin is showing the OpenSSO roadmap. He is emphasizing that OpenSSO is the software that manages enterprise SSO, federation and web services security in one product. This sounds like a message to Oracle and its bundle of point products. But no word on the future of OpenSSO under Oracle’s flag. I guess nobody can say anything about the way Oracle is going – or did I miss it?

OpenSSO is now at express build 7, which brings a new configuration wizard for Google Apps on the task panel of the administration GUI. The task panel is something which will be extended in the next releases; Raskin is mentioning wizards to configure Salesforce.com and SugarCRM. In progress of development are improvements for better entitlements management. Although OpenSSO has XACML request/response, PDP and PEP functionality, it lacks an intuitive management GUI and a scalable policy engine. In one of the next builds a new authentication module will provide one time passwords without the need for a hardware token. OpenSSO will generate OTPs through OATH and send the password by SMS to your mobile. This sounds cheap, but keep in mind that you will either need hardware to send SMS or adapt the module to use the API of an SMS provider. Further development work is being done on OAuth integration into OpenSSO.
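What “generate OTP through OATH” means on the server side is the HOTP algorithm of RFC 4226: an HMAC-SHA1 over a moving counter, dynamically truncated to a short decimal code. The following is an added example written for this post, not OpenSSO’s authentication module or any OATH reference code. It uses the 20-byte test secret from RFC 4226 (so the codes can be checked against the published test vectors), leaves the SMS delivery channel out, and adds the two server-side details that matter for a delivered-code scheme: a bound on how many issued-but-unused codes are outstanding, and consumption of a code once it has been accepted so it cannot be replayed. The class name and its parameters are this example’s own.

```python
import hashlib
import hmac
import struct

# Constructed test secret: the ASCII key "12345678901234567890" from RFC 4226 appendix D.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter (RFC 4226 / OATH): HMAC-SHA1 + dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class HotpAuthenticator:
    """Server side of a delivered-code (e.g. SMS) OTP login for one user.

    The server holds the secret and two counters: the next counter to issue a code
    for, and the lowest counter that is still acceptable. Delivery itself (SMS
    gateway hardware or a provider API) is out of scope; issue() returns the code
    the server would hand to that channel.
    """

    def __init__(self, secret: bytes, max_outstanding: int = 3, digits: int = 6):
        self.secret = secret
        self.digits = digits
        self.next_issue = 0          # counter used for the next issued code
        self.floor = 0               # counters below this are consumed or invalidated
        self.max_outstanding = max_outstanding

    def outstanding(self) -> int:
        """Codes issued but not yet used; bounded to keep the guessing window small."""
        return self.next_issue - self.floor

    def issue(self) -> str:
        if self.outstanding() >= self.max_outstanding:
            raise RuntimeError("too many unused codes outstanding; use or expire one first")
        code = hotp(self.secret, self.next_issue, self.digits)
        self.next_issue += 1
        return code

    def verify(self, submitted: str) -> bool:
        """Accept any issued, unused code; on success invalidate it and all older ones."""
        for counter in range(self.floor, self.next_issue):
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, submitted):     # constant-time compare
                self.floor = counter + 1                     # no replay, no reuse of older codes
                return True
        return False


if __name__ == "__main__":
    auth = HotpAuthenticator(DEMO_SECRET)
    code = auth.issue()
    print("code to send by SMS:", code)            # 755224 for the RFC test secret
    print("first use accepted:", auth.verify(code))
    print("replay accepted:", auth.verify(code))
```

Without the `floor` bookkeeping a delivered code stays valid until the counter moves, which is exactly the replay window an SMS-based scheme must close; the `max_outstanding` limit keeps a user who requests many codes from widening the set an attacker could guess against.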