About June 2007

This page contains all entries posted to AuthenticationWorld Blog in June 2007. They are listed from oldest to newest.


June 2007 Archives

June 30, 2007

Burton Group Catalyst - Federation

This is the first in a series of blogs about topics I found very interesting at this year's 2007 Burton Catalyst conference in San Francisco, which has just concluded. This blog will cover federation.

Mike Neuenschwander of Burton gave an interesting presentation about federation, discussing potential glass ceilings. I agree with most of his comments, but I had some trouble with the lack of discussion about the many legal issues surrounding federation, as well as ways to increase the speed of getting potential federation partners online.

In a conversation I had with Andre Durand, CEO of Ping Identity, he said that his focus was on figuring out how to scale federation deployments.

In my opinion, Legal needs to be brought in at the very beginning of any federation project. I have seen and heard of many projects significantly slowing down because Legal was brought in too late: they didn't understand the many issues involved in federation, and they also weren't involved in creating streamlined federation legal processes.

Secondly, many federation projects also slow down due to testing issues. Frequently, the partners aren't ready to test the federation interface. I believe that this too can be sped up by technology and business process.

A small company called Fugen Solutions was at the conference. They have some software that allows both Federation parties to test independently and then to bring them together. This will likely prove very valuable in speeding up the process.

I believe that the federation business process can be streamlined similar to the SSO factory model that I have constructed several times in the past. A Federation factory would involve the business partner being provided with business, legal and technical documents in advance. These would answer most questions about what responsibilities the business partner has.

The business partner would complete an online form. The form would step them through all aspects of the federation requirements. When the form is submitted, the Federation Team would contact the partner.

The Federation factory would have different processes depending on the initial discovery work with the partner. Those who don't require customized contracts would proceed on a more automated path than those who do. Customized contract partners would immediately be put together with Legal on a separate track.

Further separate business processes would be set in place for those partners with their own identity management systems. These partners would almost immediately be granted access to the test environment.

Those partners who don't have any identity management systems would go down a separate business process. They would be contacted by the team and directed to simple, identity management tools involving manual identity entry systems, a virtual directory, etc.

The Federation Team must include staff from legal, business partner management and IT technical experts. Wherever possible, common legal contracts must be used trying to avoid doing unique contracts for every business partner.

A separate Federation test environment must be available. As part of the process, business partners must be told what is allowable in the test environment and what is not. Performance testing should be kept to an absolute minimum. Performance test results should be made available to the business partner documenting that the federation interface meets the requirements.

Many business partners should be in the front end of the "hopper" at any point in time. They should be completing their documentation and getting their legal, identity and infrastructure requirements in order. Enterprises should consider providing virtual directories and manual identity entry systems for smaller business partners that don't have an identity infrastructure. This can be outsourced to large telcos who offer outsourcing of servers and infrastructure services.

Many partners should be in the test environment at any point in time, after completing the documentation and being given approval to proceed to the test environment. Use of software from Fugen may increase the pace of testing.

Then many business partners should be moving towards Production.

Boeing gave a presentation where they referred to some of the components listed above. They have a Federation team with legal. They also provide the customer with a Federation Handbook.

It is by applying an industrial model to federation that a better scalable federation system can be achieved. Is all this easy? No. However, I personally believe that thousands of business partners a year or more can be integrated successfully into Federation by applying these principles.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Burton Group Catalyst - Role of the CIO

This blog will cover a panel discussion at the Catalyst Burton Conference, hosted by Bob Blakely, that discussed the role of the CIO. The panel included Eric McNeil from IBM who, in my own personal opinion, gave one of the most enlightening speeches at the conference.

Eric's premise was that the role of the CIO was changing dramatically, and this change was going to affect all of IT. He gave a short story about a CEO meeting the CFO in an elevator. The CEO queries the CFO about what's happening. The CFO tells the CEO about the three major metrics he monitors for the fiscal health of the enterprise.

The CEO later gets in an elevator with the CIO. The CEO queries the CIO on how the enterprise is doing. The CIO proceeds to tell the CEO about 200 different projects all of which are mission critical. The CEO is confused.

Eric's point was that the CIO's role is going to change from one viewing IT as a series of projects to one where it is measured against enterprise business risk and cost. He said that he was already seeing this change occur in the financial industry.

Eric pointed out that many new CIOs are coming from audit and compliance, and most have little or no IT experience. He said that these CIOs were taking enterprise business risk and concentrating on the top business risks. They were then taking IT budgets and focusing on reducing and managing risk for these top priorities, while accepting risk for lower-risk business processes.

He said that many IT departments were struggling mightily with this change. The language of IT was now being forced to become the language of business. Many IT employees were struggling to work with this new type of CIO.

The presentation was music to my ears! I have always wondered when the IT techno crowd would be forced into measuring performance against business risk. That time is just arriving. As this unfolds, watch out for significant change in IT priorities and ways of doing business.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Burton Group Catalyst - Identity Interop

An historical event occurred this past week at Catalyst. There was an interop event where different identity management systems shared different identity tokens, including Microsoft's InfoCard, SAML, OpenID, Higgins and others.

The event was historical because it clearly demonstrated the inter-operability of the different identity systems. All of the many vendors had worked hard together to show that their systems could and would use other vendors' identity systems to authenticate.

Pam Dingle from Nulli Secundus, and head of the Pamela Project, gave an excellent presentation at Burton. With enthusiasm she showed the attendees the opportunity, the pain and the potential of moving towards an inter-operable identity system.

An excellent afternoon of presentations preceded the interop. Speakers like Dick Hardt of Sxip, Praveen Alavilli of AOL and Gerry Gebel of Burton, and a good panel discussion with Bob Blakely of Burton, Dale Olds of Novell, Dave Miller of Covisint, George Fletcher of AOL and Kim Cameron of Microsoft, all painted a realistic vision of the future involving inter-operable identity systems, user-centric identity and the challenges ahead.

Congratulations to all the many folks who have spent a long time working hard to make this happen!

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Burton Group Catalyst - XACML Interop

This past week at Catalyst an exciting interop occurred, demonstrating the interoperability of authentication and authorization systems using XACML. In the room were many, many different vendors using other vendors' authentication and authorization on their systems.

The demo involved a brokerage system. Different identities and roles were used to authenticate and authorize different trades.

This interop, together with the other interop on identity systems, paves the way for exciting changes in the world of identity. Now we have a way of seamlessly exchanging who an identity is, along with their authentication and authorization.

Congratulations to all the many participants in the XACML demo!

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Burton Group Catalyst - SAP Pull Your Socks Up!

One of the most disappointing presentations at last week's Catalyst was by SAP. The presentation was so bad I got up and left the room. Instead of presenting a detailed, unified vision of identity management and security, the presenter was left speaking in generalities, talking mostly about GRC and leaving one wondering if this was the best SAP could produce.

What was most embarrassing was that the next presentation, by Oracle, clearly spelled out the action plan they are taking. All aspects of identity management were covered. Areas where they felt they were weak were discussed, along with the actions they were taking to address them.

My message to SAP is this. If you want to be a player in the identity and security markets, you need to have a comprehensive vision, a well laid out plan and personnel who can articulate it well. Your recent acquisition of Maxware is a good step, but only a small step, in this direction.

For the last two years in a row, I have squirmed in my seat as the SAP presenters made their spiels. The presenters, while well intentioned, are clearly not well equipped to present a detailed plan that will convince your customers that you are going to be a major player in this space.

Watch out or Oracle may eat your lunch. Pull your collective socks up and by the next Burton Conference, have an excellent presentation, product selection suite and a well laid out action plan that addresses the market.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Burton Group Catalyst - The First Identity Oracle

Bob Blakely, formerly of IBM and now of Burton Group, has for years been talking of the "identity oracle". This was an enterprise that would vet for other enterprises the validity of an identity without actually giving away identity information. This year, at Catalyst, the first identity oracle appeared!

Privo is a company that, as its website describes, "Privacy Vaults Online, Inc., d/b/a Privo has created a proprietary technology platform that enables participating companies to initiate and manage responsible relationships with their online consumers through an identity and permission management platform. The platform, the PrivoLock™ system, allows consumers, or registrants, to maintain control of their personally identifiable information, edit its content, and extend this privacy protection to their children while providing companies with a legally compliant "opt–in" marketing database for communicating with their customers."

In my own words, it is, in essence, an insurance mechanism, for enterprises who want to deal online with kids, that the kids and their parents consent to the relationship.

In greater detail, here is what Privo does (taken from their website):

"The PrivoLock™ system is a secure, third–party Kid registration and Parental consent service for companies who attract kids to their websites.

PrivoLock™ offers:

* Control – Parents have the ability to manage their child's online identity and control their child's website and feature access. Kids can request additional permissions simply and quickly so he/she can access additional interactive features or websites with little interruption for parental consent.
* Choice – A variety of parental consent verification methods simplifies the ability for parents to complete the registration and permissioning process.
* Time – Privo Parents are enabled for "next–time" ease in registration and consent when kids request permission at other PrivoLock™–enabled websites, eliminating redundancy in the registration process.
* Ease of Use – Parents and Kids create a sign–on name and password that enables interaction at all PrivoLock™–enabled websites.
* Customization – Privo can proactively contact Parents to suggest pre–authorization at new websites that meet their kids' or their own personal interests."

As Bob said, he was crushed that the founder of Privo, Denise Tayloe, hadn't heard his presentations in years gone by and then decided to create the identity oracle. Regardless, he was very pleased that she had gone ahead and paved the way.

Congratulations Denise!

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Burton Group Catalyst - Craig Burton

At this year's Catalyst, I had the distinct pleasure of having a drink with Craig Burton, the original founder of the Burton Group and the Catalyst Conferences. He is a legend in the industry. His vision on directories and identities was well ahead of most other people's time.

I asked Craig what he thought were the top three challenges facing identity. He answered:
1. Identity needs to be bottom up driven rather than top down driven as it is today.
2. Identity speak needs to get out of the technical babble and instead talk in the language of the user.
3. We need a new identity language that can speak to this.

Thanks for the wisdom Craig!

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Burton Group Catalyst - Collaboration and Content

A very interesting track at Burton this year was on collaboration and content. This is, in my own personal opinion, where the main industry focus will occur over the next five years.

I sat in on a presentation by Craig Williams of Capital One. Craig's presentation covered the last year at Capital One as they focussed on collaboration and content. He presented a business methodology that clearly laid out their business goals, the architecture used and their initial deployments of collaboration. It was an excellent presentation.

Unfortunately, I missed another great presentation later that morning, called "Collaboration, Community, Learning: Second Life Lessons for the Real World". Many people told me that this presentation was one of the best mind-bender presentations at Catalyst. Joe Miller from Linden Lab gave an excellent overview of how virtual worlds are using collaboration and identity to build new ways of doing things. I am hoping to get a copy of his presentation to learn more!

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com


Burton Group Catalyst - Seriosity

The last presentation of the conference was a real mind-bender. Ken Ross, CEO of Seriosity, gave an excellent presentation on how his company is pioneering the use of gaming methods to improve business processes in the real world.

Specifically, he presented their use of virtual cash, "Serios Dollars", to drive efficiencies in email information exchange. A number of enterprises are currently piloting its use. By assigning virtual Serios Dollars to every email you send, you are forced to prioritize your email. The fact that you have a limited number of Serios Dollars to spend every week or month helps create the pressure.

Further, the person you are responding to can reward you with Serios Dollars. Thus a market is created with the exchange of Serios Dollars within an enterprise.

More gaming features are also presented in the display of the Serios Dollars the person sending you the email has, their past performance, etc. In other words, gaming methodology is creeping into the enterprise in order to help enterprises reduce the number of information logjams preventing a good idea from making its way to the top.

While there were many questions asked after the presentation, Ken indicated that it's still too new to fully understand the implications, challenges and opportunities of using this method. He referred the audience to a recent paper by IBM on their work.

Keep up the good work Ken!

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Burton Group Catalyst - Walking the Halls

During the Catalyst conference I bumped into three guys from a company called "imagicsoftware". They have a patented system for using typing-rhythm biometrics as an authentication mechanism. When I indicated that this was good but I thought it could be susceptible to a replay attack, I was told that this wasn't the case. They have "something in the software" that prevents robotic-type attacks.

Assuming, for the moment, that this is true, it offers a possible advancement on the use of passwords and as such should be considered. However, remember that this form of authentication is, in my own personal opinion, open to a man-in-the-middle attack where the criminal simply passes along the authentication. Thus this method, as with many other authentication methods, still doesn't solve for phishing attacks where the man in the middle passes along the authentication.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
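The distinction drawn in the typing-rhythm post above (replay protection is not relay protection) is easy to see in a small simulation. The following Python is an added example written for this page; it is not code from the post or from imagicsoftware, and it assumes nothing about how that product works. The keystroke "template", the inter-key timings, the server origins and the enrolment key are all constructed values, and the matcher is a deliberately toy one. It shows three things: a single-use nonce does stop a recorded submission from being replayed, the same nonce does nothing against a phishing page that forwards the user's live timings, and binding the submission to the origin the user's client actually typed into (the defender's mitigation) makes the relayed submission fail verification.

```python
import hashlib
import hmac
import secrets

# Constructed enrolment template: inter-key delays (ms) for a fixed phrase.
ENROLLED_TEMPLATE_MS = [120, 95, 140, 110, 130, 100, 125]
TOLERANCE_MS = 25
# Constructed per-user key shared with the legitimate site at enrolment.
ENROLMENT_KEY = b"constructed-enrolment-key"


def rhythm_matches(sample_ms, template_ms=ENROLLED_TEMPLATE_MS, tol=TOLERANCE_MS):
    """Toy matcher: accept if every inter-key delay is within tolerance."""
    if len(sample_ms) != len(template_ms):
        return False
    return all(abs(s - t) <= tol for s, t in zip(sample_ms, template_ms))


class RhythmServer:
    """Legitimate site with anti-replay nonces but no origin binding."""

    def __init__(self, origin):
        self.origin = origin
        self.issued = set()

    def challenge(self):
        nonce = secrets.token_hex(8)
        self.issued.add(nonce)
        return nonce

    def login(self, nonce, sample_ms):
        if nonce not in self.issued:      # unknown or already-used nonce
            return False
        self.issued.remove(nonce)         # single use: blocks replay
        return rhythm_matches(sample_ms)


class BoundServer(RhythmServer):
    """Same server, but the client's submission must be MACed over the
    origin the client believed it was talking to; the server checks it
    against its own origin, so a forwarded submission no longer verifies."""

    def login(self, nonce, sample_ms, tag):
        if nonce not in self.issued:
            return False
        self.issued.remove(nonce)
        expected = mac_submission(self.origin, nonce, sample_ms)
        return hmac.compare_digest(expected, tag) and rhythm_matches(sample_ms)


def mac_submission(origin, nonce, sample_ms):
    msg = f"{origin}|{nonce}|{','.join(map(str, sample_ms))}".encode()
    return hmac.new(ENROLMENT_KEY, msg, hashlib.sha256).hexdigest()


def user_types():
    # The user types the same way whichever page asked them to log in.
    return list(ENROLLED_TEMPLATE_MS)


def replay_scenario():
    """Capture one submission, send it twice: first accepted, second refused."""
    real = RhythmServer("bank.example")
    nonce, sample = real.challenge(), user_types()
    first = real.login(nonce, sample)
    second = real.login(nonce, sample)  # replayed nonce
    return first, second


def relay_scenario():
    """Phishing page fetches a fresh nonce, shows the user a login form,
    and forwards the live timings unchanged. The nonce is fresh, the
    rhythm is genuine, so the unbound server accepts it."""
    real = RhythmServer("bank.example")
    nonce = real.challenge()             # obtained by the phishing page
    return real.login(nonce, user_types())


def bound_relay_scenario():
    """Same relay against the origin-bound server. The client MACs the
    origin it sees (the phishing page), the server checks for its own."""
    real = BoundServer("bank.example")
    nonce = real.challenge()
    sample = user_types()
    tag = mac_submission("bank-login.example", nonce, sample)  # constructed phishing origin
    return real.login(nonce, sample, tag)


def bound_direct_scenario():
    """Honest login straight to the origin-bound server still works."""
    real = BoundServer("bank.example")
    nonce = real.challenge()
    sample = user_types()
    return real.login(nonce, sample, mac_submission(real.origin, nonce, sample))


if __name__ == "__main__":
    print("replay (first, second):", replay_scenario())
    print("relay accepted by unbound server:", relay_scenario())
    print("relay accepted by bound server:", bound_relay_scenario())
    print("direct login to bound server:", bound_direct_scenario())
```

The point of the simulation is the contrast between `relay_scenario` and `bound_relay_scenario`: the behavioural factor and the nonce are identical in both, and only the origin check decides the outcome. Any factor that is simply forwarded by whoever sits between the user and the site, whether a password, a one-time code or a typing rhythm, has the same property unless something the attacker cannot forge (here, the origin under the MAC) ties the submission to the site the user actually typed into.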

Burton Group Catalyst - Compliance and Audit

There were some specialized compliance and audit vendors I would like to highlight at this year's Burton Group Catalyst conference.

Sailpoint has an excellent product aimed at providing enterprises with compliance auditing. Put together by the former founders of Waveset, they have a product that focuses on risk management, access certification and policy enforcement. It seems to be a well-thought-out tool able to quickly adapt to your enterprise.

NetVision also has a policy-driven audit and compliance tool. It has the ability to query Windows in real time at the DLL level to understand what is actually happening. This differs from some of its competitors in that they are not fully reliant upon the Windows logs.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com