Exploring the science and magic of Identity and Access Management

Catalyst: Day 1 – June 25

Author: Mark Dixon
Tuesday, July 1, 2008
9:17 pm

My summary of the salient points addressed in each Burton Group Catalyst Conference session I attended on Wednesday, June 25, 2008, is included below:

Jamie Lewis: Identity Management – Are We There Yet?

  • Business transformation collides with IT transformation. A more unified approach is needed.
  • The chasm between enterprise identity management and consumer-oriented ideas of Identity on the Internet will be bridged with elements of both.
  • Federation isn’t magic, but it is still valuable. Customers are beginning to really see the need for it.
  • More provisioning projects are successes than failures, but failures tend to be spectacular.
  • Relationships provide context for Identity.

Lori Rowland: Identity Management Overview: A New Era in Identity Management

  • The Identity universe is expanding in scale, control and focus dimensions.
  • Service Oriented Identity (SOI) and Identity Services are emerging.
  • Compliance is still the main driver for Identity, but there is a shift towards risk management.
  • Customers should seek to understand Identity vendor roadmaps.
  • Oracle has the most market momentum, with Sun, CA and Novell following with positive momentum.

Gerry Gebel: Federation and Distributed Control

  • Sun’s introduction of the Fedlet and Ping’s introduction of Autoconnect are key product advancements – addressing ease of implementation and use.
  • OpenSSO is an example of advancements in open source federation technology.
  • Federation services and hosted federation models, such as those offered by Fugen, are accelerating broader consumption.

Gerry Gebel: Entitlement Management

  • Product offerings from IBM, Oracle and Cisco have expanded, but demand hasn’t grown as quickly.
  • Existing questions about this space include adequacy of XACML or other standards, performance and interoperability testing.
  • Applications developers need tools, open source access and communities in this area.

Mark Diodati – Authentication

  • Functions lacking in authentication products include general customization flexibility and provisioning capabilities.
  • Personal, portable security devices such as USB devices and wallet cards are gaining popularity.
  • Authentication control for privileged account management often falls through the cracks, leaving dangerous security risks.

Kevin Kampman – Roles and Provisioning

  • The market is reaching maturity. Success predominates, usually as a result of realistic expectations.
  • Companies are receiving benefits from expanding expertise in this area.
  • Provisioning and roles may not converge into one product. They address parallel, complementary endeavors.

Kevin Kampman – Identity 2.0

  • OpenID and InfoCard have much more activity from providers than consumers.
  • What is the business model for Identity? How will the industry pay for it?
  • Data sharing models such as OpenSocial and others have no trust sharing or security models.

George Sherman (Managing Director, Morgan Stanley) – Discovering the Iceberg of Identity Management in a Large Integrated Financial Services Firm

  • Morgan Stanley’s main drivers for Identity are regulatory compliance and security.
  • Key success factors for an Identity program are program sponsorship, governance and program management.
  • Cost justification and funding for an Identity program require more than spreadsheets. It depends highly on the trust and confidence of champions for the program.
  • The industry needs to provide better security for the provisioning engine itself, more expert developers, and the integration of certification and provisioning tools.

Bob Blakley – Relationship Layer for the Web

  • Accurate Identity models are needed to predict others’ behavior.
  • Identity models are built through relationships between people or between people and businesses.
  • A well understood object model is needed to clarify relationships and use them in automated systems. Bob proposed such an object model.
  • The main types of relationships are Custodial, Contextual and Transactional.
  • Companies with billing relationships with their customers will win in the marketplace over those without such relationships.

Gail Reynolds (Aetna, Security Architect) – Who are you, how do I know, and why do I care?

  • Impersonating others to gain access to their private information is a large problem in the health care industry.
  • Identity Assurance is required to create a high level of confidence that credentials indeed match the person using them.
  • Identity Assurance has implications in protecting intellectual property, privacy, corporate reputation and ecommerce profits.
  • A strong registration process is essential to Identity Assurance.
  • Identity providers that deliver high levels of Identity Assurance are required to meet industry needs.

Eve Maler – The care and feeding of online relationships

  • The common area in the Venn diagram of intersecting Identity Management, Vendor Relationship Management and Social Networking encompasses personalized, access-controlled application behavior based on data sharing.
  • Two major areas of online applications requiring Identity relationships are enterprise/e-government (applications are chosen for you) and free agent applications (you choose).
  • The term “user-centric Identity,” which comes from human factors design, is giving way to “user-driven Identity.”
  • The Vendor Relationship Management movement (projectvrm.org) is focused on empowering user interactions with online vendors.
  • While some degree of self-revelation is essential to online relationships, users will come to trust applications that require less Identity information to be revealed.

Mark Diodati – Sisyphus’ Rock: Why is Authentication So Hard?

  • Identity Assurance is the strong end goal. If you don’t have Identity Assurance in place, your system is not secure.
  • Passwords remain the dominant authentication method because they are easily portable and no specialized software is needed.
  • Biometric authentication is not broadly deployed.
  • Smart cards have seen increased interest, but deployments are few. They rarely replace tokens.
  • Privileged account management is a huge problem. Run, don’t walk to address risks with privileged accounts.

Mark Diodati, Doug Simmons – Physical and Logical Convergence, Approaching Singularity?

  • Physical and logical convergence (PACS) projects are significantly costly, justified for security, not cost savings.
  • The workflow of assigning credentials, etc., is a difficult process for physical and logical convergence.
  • The FIPS standards provide underpinnings for vendors and agencies responding to Homeland Security directives.
  • These projects are inherently heterogeneous, requiring much integration.
  • Executive leadership is required to facilitate bridging between groups having responsibility for physical and logical access.

Knowledge-based Authentication (KBA)

Panel participants:

  • Chris Young (VP and GM, RSA)
  • John Dancu (President and CEO, Idology)
  • Peter Tapling (President and CEO, Authentify)
  • Three types of KBA include Static (e.g. specify mother’s maiden name), Dynamic (user doesn’t have to remember a specific attribute) and Out of Band (requires strong registration; used for high-risk transactions or temporary access).
  • Dynamic KBA may be beneficial for consumers who don’t visit a specific application or account frequently.
  • Dynamic KBA pulls the evaluation of private information away from the enterprise.
  • No single authentication method is foolproof. You must layer technology to reach acceptable level of risk.

Mark Diodati – Identity Assurance Framework: The Path to Scalable Trust

Panel participants:

  • Frank Villavicencio (Citigroup)
  • Robert Temple (British Telecom)
  • Andrew Nash (PayPal)
  • The Liberty Alliance is developing an Identity Assurance Framework.
  • Four assurance levels are defined, from a level of little or no confidence in the asserted Identity’s validity to a very high level of confidence.
  • What is the business model for an Identity Provider (IDP)? For the consumer?
  • An independent IDP with a sustainable business model isn’t really available.
  • Questions of liability must be worked out for IDPs.

Gina Montgomery (AVP and Manager of IT Project Management, MFS Investment Management) – The Privileged Account: IT’s Dirty Little Secret

  • Privileged accounts have much potential for abuse because they are poorly controlled and often violate the least user privilege principle.
  • It is a large challenge to discover and manage hundreds or thousands of existing privileged accounts and to understand the impact if passwords are changed.
  • Recommended actions include 1) educating users on risks, 2) identifying existing accounts, and 3) deploying accountability and control mechanisms.
  • Password Access Management (PAM) systems are available to help support this effort.
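The second recommended action above, identifying existing privileged accounts, is the one most often skipped because nobody has an inventory. As an added illustration (not code from the post or from any vendor mentioned in it), the script below builds such an inventory for a Unix-like host from three sources: accounts with uid 0 in /etc/passwd, membership in administrative groups in /etc/group, and sudoers rules, with NOPASSWD rules called out separately. The passwd, group and sudoers contents, the account names and the ADMIN_GROUPS set are all constructed sample data for the example; on a real host you would read the actual files instead.

```python
"""Inventory privileged accounts from passwd, group and sudoers data.

Added example: all file contents below are constructed sample data
standing in for /etc/passwd, /etc/group and /etc/sudoers.
"""
from dataclasses import dataclass, field

# Constructed sample /etc/passwd. Note the second uid-0 account "backup",
# the kind of legacy entry an inventory is meant to surface.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backup:x:0:0:legacy backup job:/var/backups:/bin/sh
svc_deploy:x:1002:1002:deploy service:/srv/deploy:/bin/bash
"""

# Constructed sample /etc/group.
GROUP = """\
root:x:0:
sudo:x:27:alice,svc_deploy
wheel:x:10:bob
users:x:100:alice,bob
"""

# Constructed sample sudoers file.
SUDOERS = """\
# constructed sample sudoers
root        ALL=(ALL:ALL) ALL
%sudo       ALL=(ALL:ALL) ALL
bob         ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
svc_deploy  ALL=(ALL) NOPASSWD: ALL
"""

# Group names treated as administrative (assumption; adjust per distribution).
ADMIN_GROUPS = {"root", "sudo", "wheel", "admin"}


@dataclass
class Account:
    name: str
    uid: int                      # -1 when referenced but absent from passwd
    reasons: list = field(default_factory=list)


def parse_passwd(text):
    """name -> Account, from passwd-format lines."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, *_ = line.split(":")
        accounts[name] = Account(name, int(uid))
    return accounts


def parse_group(text):
    """group name -> list of supplementary members."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":")
        groups[name] = [m for m in members.split(",") if m]
    return groups


def parse_sudoers(text):
    """Return (user_rules, group_rules): principal -> list of rule strings.
    Handles plain 'user HOST=...' and '%group HOST=...' lines only."""
    users, groups = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        who, rule = parts
        target = groups if who.startswith("%") else users
        target.setdefault(who.lstrip("%"), []).append(rule)
    return users, groups


def find_privileged(passwd_text, group_text, sudoers_text):
    """Return name -> Account for every account with a privilege path,
    each carrying the list of reasons it was flagged."""
    accounts = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    sudo_users, sudo_groups = parse_sudoers(sudoers_text)
    flagged = {}

    def flag(name, reason):
        acct = accounts.setdefault(name, Account(name, -1))
        acct.reasons.append(reason)
        flagged[name] = acct

    for acct in list(accounts.values()):
        if acct.uid == 0:
            flag(acct.name, "uid 0")
    for gname, members in groups.items():
        if gname in ADMIN_GROUPS:
            for m in members:
                flag(m, f"member of {gname}")
        for m in members:
            for rule in sudo_groups.get(gname, []):
                flag(m, f"sudoers via %{gname}: {rule}")
    for uname, rules in sudo_users.items():
        for rule in rules:
            tag = "sudoers (NOPASSWD)" if "NOPASSWD" in rule else "sudoers"
            flag(uname, f"{tag}: {rule}")
    return flagged


if __name__ == "__main__":
    for acct in find_privileged(PASSWD, GROUP, SUDOERS).values():
        print(f"{acct.name} (uid {acct.uid}): " + "; ".join(acct.reasons))
```

The reasons list is the useful part of the output: it tells you which control to apply (retire a duplicate uid-0 account, move a group member behind a PAM checkout, tighten a NOPASSWD rule) and, because each account's privilege paths are listed together, what will break if its password is rotated.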

Bob Blakley: Conference Announcements

  • Bill Mann (CA): CA Federation Manager, CA SiteMinder support for CardSpace, expansion of CA IAM and CA to resell Arcot’s WebFort
  • Eric Goldman (CEO, Symplified): “On Demand Identity” includes Identity as a Service, Identity Cloud and Identity Router.
  • Dieter Shuler (Radiant Logic): Release 5.0 of virtual directory
  • Paul Trevithick (Information Card Foundation): InformationCard.net

2 Responses to “Catalyst: Day 1 – June 25”

    Great recap. I wasn’t able to attend the conference this year so your recap is very useful!

    Comment by Jodi Florence on July 2, 2008 at 7:52 am


    I’m glad you found it useful. Thanks for stopping by.


    Comment by Mark Dixon on July 2, 2008 at 10:44 am

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.