Wednesday, November 12, 2008

Gartner's IAM Summit 2008 - Day 2

Here are my summary observations on the most interesting sessions I sat in on during Day 2 of the Gartner IAM Summit...

The Future Panel: User Centric Identity

Awesome panel that Gregg Kreizman from Gartner moderated. Kim Cameron (Microsoft), Dave Nikolesjin (CIO, Province of British Columbia), Dale Olds (Novell) and Frank Villavicencio (Citigroup) were the panelists. It was interesting that the CEO of JanRain was listed as a panelist in the agenda but didn't show. That was too bad since hearing his viewpoint regarding the likes of InfoCard would have been interesting.

The most interesting points to come up in this panel were that claims could be used for authorization (Kim), PKI is being stretched and will not be elastic enough for use as claims or roles transport packages (Frank), and how if the lawyers get involved in this business we're cooked (Dave). It was great to hear Kim discuss how much Microsoft was trying to break down internal barriers to enable InfoCard use across their enterprise. Also, Dale's comment about how far we have managed to come in two years was bang on - the industry has moved forward around identity but we sure have a long way to go yet.

Oracle's session on Services Oriented Security

Amit Vasuja did a good job outlining some of the problems in this space and how Oracle is addressing them. He pointed out a big gap that we have in the authorization space: "Need for open standard authorization API based on XACML". I couldn't agree more. Oh, yes, and with bindings to all the popular languages out there including Ruby, Perl, .NET and, of course, Java.
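To make the "language binding over XACML" idea concrete, here is an added example (written for this post, not Oracle code or an OASIS artifact) of what a small policy decision point behind such an API looks like. The request side parses a genuine XACML 2.0 Request document; the policy is expressed as Python data rather than XACML policy XML, and the combining logic follows the XACML 2.0 deny-overrides rule-combining algorithm. The subjects, the /finance/ledger resource and the attribute id urn:example:network-zone are constructed for the example. The point a practitioner should take from it: the PEP-facing call only honours an explicit Permit, so NotApplicable and Indeterminate both fail closed.

```python
"""Simplified XACML 2.0 policy decision point (PDP) plus a language-level
authorization API.  Added example: parses real XACML 2.0 <Request> XML, but
expresses the policy as Python data; deny-overrides follows the XACML 2.0
pseudo-code.  urn:example:network-zone and all subjects are constructed."""
import xml.etree.ElementTree as ET

XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
NS = {"x": XACML_CTX}
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"        # XACML RBAC profile
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
NET_ZONE = "urn:example:network-zone"                      # hypothetical attribute
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
LEDGER = "/finance/ledger"


def parse_request(xml_text):
    """Flatten a XACML 2.0 <Request> into {category: {attribute_id: [values]}}."""
    root = ET.fromstring(xml_text)
    ctx = {}
    for category in ("Subject", "Resource", "Action", "Environment"):
        attrs = {}
        for elem in root.findall(f"x:{category}", NS):
            for attr in elem.findall("x:Attribute", NS):
                values = [v.text or "" for v in attr.findall("x:AttributeValue", NS)]
                attrs.setdefault(attr.get("AttributeId"), []).extend(values)
        ctx[category] = attrs
    return ctx


def evaluate_rule(rule, ctx):
    """Target = {(category, attribute_id): {acceptable values}}.  A non-matching
    attribute -> NotApplicable (no-match wins); otherwise an attribute absent
    from the request -> Indeterminate (MustBePresent semantics); else the effect."""
    missing = False
    for (category, attr_id), allowed in rule["target"].items():
        values = ctx[category].get(attr_id)
        if not values:
            missing = True
        elif not allowed.intersection(values):
            return NOT_APPLICABLE
    return INDETERMINATE if missing else rule["effect"]


def deny_overrides(rules, ctx):
    """XACML 2.0 deny-overrides rule-combining algorithm."""
    potential_deny = at_least_one_permit = at_least_one_error = False
    for rule in rules:
        decision = evaluate_rule(rule, ctx)
        if decision == DENY:
            return DENY
        if decision == PERMIT:
            at_least_one_permit = True
        elif decision == INDETERMINATE:
            at_least_one_error = True
            if rule["effect"] == DENY:        # an error in a Deny rule is a potential Deny
                potential_deny = True
    if potential_deny:
        return DENY
    if at_least_one_permit:
        return PERMIT
    return INDETERMINATE if at_least_one_error else NOT_APPLICABLE


# Constructed policy: clerks read, admins do everything, clerks may write only
# from the corporate network, and one suspended account is denied outright.
POLICY = [
    {"id": "clerks-read", "effect": PERMIT, "target": {
        ("Subject", ROLE): {"clerk", "admin"}, ("Resource", RESOURCE_ID): {LEDGER},
        ("Action", ACTION_ID): {"read"}}},
    {"id": "admins-full", "effect": PERMIT, "target": {
        ("Subject", ROLE): {"admin"}, ("Resource", RESOURCE_ID): {LEDGER},
        ("Action", ACTION_ID): {"read", "write", "delete"}}},
    {"id": "clerks-write-from-corp", "effect": PERMIT, "target": {
        ("Subject", ROLE): {"clerk"}, ("Resource", RESOURCE_ID): {LEDGER},
        ("Action", ACTION_ID): {"write"}, ("Environment", NET_ZONE): {"corp"}}},
    {"id": "suspended-accounts", "effect": DENY, "target": {
        ("Subject", SUBJECT_ID): {"contractor-temp"}, ("Resource", RESOURCE_ID): {LEDGER}}},
]


def decide(request_xml, policy=POLICY):
    """Full XACML decision: Permit / Deny / NotApplicable / Indeterminate."""
    return deny_overrides(policy, parse_request(request_xml))


def is_authorized(request_xml, policy=POLICY):
    """PEP-facing binding: only an explicit Permit authorizes; everything else fails closed."""
    return decide(request_xml, policy) == PERMIT


def xacml_request(subject, role, resource, action, zone=None):
    """Build a XACML 2.0 Request document (constructed test input)."""
    def attr(aid, val):
        return (f'<Attribute AttributeId="{aid}" DataType="http://www.w3.org/2001/XMLSchema#string">'
                f'<AttributeValue>{val}</AttributeValue></Attribute>')
    env = attr(NET_ZONE, zone) if zone else ""
    return (f'<Request xmlns="{XACML_CTX}"><Subject>{attr(SUBJECT_ID, subject)}{attr(ROLE, role)}</Subject>'
            f'<Resource>{attr(RESOURCE_ID, resource)}</Resource><Action>{attr(ACTION_ID, action)}</Action>'
            f'<Environment>{env}</Environment></Request>')


if __name__ == "__main__":
    for who, role, act, zone in [("alice", "clerk", "read", None), ("contractor-temp", "clerk", "read", None),
                                 ("carol", "clerk", "write", None), ("carol", "clerk", "write", "corp")]:
        req = xacml_request(who, role, LEDGER, act, zone)
        print(who, role, act, zone, "->", decide(req), "authorized:", is_authorized(req))
```

The contractor-temp request shows why the combining algorithm matters: the account still holds the clerk role and matches a Permit rule, but the Deny rule overrides it. The carol-without-zone request shows the other failure mode: the only rule that could permit the write cannot be evaluated because the environment attribute is absent, so the decision is Indeterminate rather than Deny, and a PEP that treated "not Deny" as success would let it through.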

Trust in a Heterogeneous World

Jim Hosmer, Principal Architect at Lockheed-Martin, gave this presentation right after mine and it was awesome. What I liked the most about Jim's presentation was how he discussed the two approaches to dealing with heterogeneity in an organization: manage or integrate. Managing is easier but yields fewer benefits, whereas integrating is harder but yields the most benefits. Lockheed-Martin chose to integrate. Jim outlined the technical challenges they had, the solutions they picked and how they are integrating over 140,000 users and thousands of systems to enable trust in their widely dispersed company. Oh, and it is all based on Active Directory! If you'd like a copy of Jim's slides, drop me an e-mail.


Next stop on the reality tour: Gartner Strategie & Technologie Konferenz 2008 in Frankfurt, Germany from Dec 2-3. See you there!



Anonymous said...

Hi Jackson!

You quoted Amit as saying that there is a "Need for open standard authorization API based on XACML", and that you couldn't agree more. Good to know! That makes even more of us ;-)


Michael Graves said...


Caught this blog post in my net, and wanted to take time to say that I, Michael Graves, was supposed to be filling in for Brian Kissel in that panel, as JanRain's CTO, but due to crossed wires on the setup -- my fault! -- I missed it.

If I can chip in a couple thoughts here on your comments in the post:

+ JanRain is a champion of OpenID-based technologies and infrastructure, one of the pioneers in this space, but we are also one of the leading providers that integrates InfoCards into our service. We've been working closely with Microsoft on InfoCard+OpenID, and we've gotten lots of good feedback on that integration -- you can try it for free at right now if you'd like.

There's been some rumblings on and off in the past couple years about InfoCard being a "competitor" to OpenID. On one level, that's the case -- you can spin up an STS in the sky in lieu of an OpenID provider, and that certainly would be competitive to the OpenID solution. But we've found the combination to be much more symbiotic than competitive, and I think you would hear much the same response from Kim Cameron. InfoCards provide some features that are nicely complementary, and the combination of the two at demonstrates how each can make the other better.

+ While the basic combination is working well, there's still a lot of room for further development on bridging the high assurance and metadata elements of InfoCard into OpenID. OpenID is just now getting its focus pointed at those kinds of payloads, and while I'm bullish on the potential here, there's a lot of issues to sort out. There's been a lot of interest in a SAML(ish) assertion framework that meets some needs, and I can't see any reasons why these three (InfoCards, OpenID, SAML) cannot dovetail around strong identity tokens and assertions, but we're not there yet.

+ My previous stint before JanRain was at VeriSign, so I'm well aware of the "elasticity" problems of PKI, and as appealing as PKI is here, the same lifecycle problems that have beset PKI even in more controlled environments remain a major challenge to its effectiveness. For "federations" and the like, it's proven workable, if problematic. For SSO and unified ID on the wild, open web, I think just deploying it in terms of IDs will be difficult, and I agree with Villavicencio's observation noted in your post -- it's hard to see how that scales well for retail users in everyday consumption of claims and authorizations.

-Michael Graves
CTO, JanRain, Inc.