Catalyst: Day 1 – June 25
My summary of the salient points addressed in each Burton Group Catalyst Conference session I attended on Wednesday, June 25, 2008, is included below:
Jamie Lewis: Identity Management – Are We There Yet?
- Business transformation collides with IT transformation. A more unified approach is needed.
- The chasm between enterprise identity management and consumer-oriented ideas of Identity on the Internet will be bridged with elements of both.
- Federation isn’t magic, but it is still valuable. Customers are beginning to really see the need for it.
- More provisioning projects are successes than failures, but failures tend to be spectacular.
- Relationships provide context for Identity.
Lori Rowland: Identity Management Overview: A New Era in Identity Management
- The Identity universe is expanding in scale, control and focus dimensions.
- Service Oriented Identity (SOI) and Identity Services are emerging.
- Compliance is still the main driver for Identity, but there is a shift towards risk management.
- Customers should seek to understand Identity vendor roadmaps.
- Oracle has the most market momentum, with Sun, CA and Novell following with positive momentum.
Gerry Gebel: Federation and Distributed Control
- Sun’s introduction of the Fedlet and Ping’s introduction of Autoconnect are key product advancements – addressing ease of implementation and use.
- OpenSSO is an example of advancements in open source federation technology.
- Federation services and hosted federation models, such as those offered by Fugen, are accelerating broader consumption.
Gerry Gebel: Entitlement Management
- Product offerings from IBM, Oracle and Cisco have expanded, but demand hasn’t grown as quickly.
- Open questions in this space include the adequacy of XACML and other standards, performance, and interoperability testing.
- Applications developers need tools, open source access and communities in this area.
Mark Diodati – Authentication
- Functions lacking in authentication products include general customization flexibility and provisioning capabilities.
- Personal, portable security devices such as USB devices and wallet cards are gaining popularity.
- Authentication control for privileged account management often falls through the cracks, leaving dangerous security risks.
Kevin Kampton – Roles and Provisioning
- The market is reaching maturity. Success predominates, usually as a result of realistic expectations.
- Companies are receiving benefits from expanding expertise in this area.
- Provisioning and roles may not converge into one product. They address parallel, complementary endeavors.
Kevin Kampton – Identity 2.0
- OpenID and InfoCard have much more activity from providers than consumers.
- What is the business model for Identity? How will the industry pay for it?
- Data sharing models such as OpenSocial and others have no trust sharing or security models.
George Sherman (Managing Director, Morgan Stanley) – Discovering the Iceberg of Identity Management in a Large Integrated Financial Services Firm
- Morgan Stanley’s main drivers for Identity are regulatory compliance and security.
- Key success factors for an Identity program are program sponsorship, governance and program management.
- Cost justification and funding for an Identity program require more than spreadsheets. It depends highly on the trust and confidence of champions for the program.
- The industry needs to provide better security for the provisioning engine itself, more expert developers and the integration of certification and provisioning tools.
Bob Blakley – Relationship Layer for the Web
- Accurate Identity models are needed to predict others’ behavior.
- Identity models are built through relationships between people or between people and businesses.
- A well understood object model is needed to clarify relationships and use them in automated systems. Bob proposed such an object model.
- The main types of relationships are Custodial, Contextual and Transactional.
- Companies with billing relationships with their customers will win in the marketplace over those without such relationships.
Gail Reynolds (Aetna, Security Architect) – Who are you, how do I know, and why do I care?
- Impersonating others to gain access to their private information is a large problem in the health care industry.
- Identity Assurance is required to create a high level of confidence that credentials indeed match the person using them.
- Identity Assurance has implications in protecting intellectual property, privacy, corporate reputation and ecommerce profits.
- A strong registration process is essential to Identity Assurance.
- Identity providers that deliver high levels of Identity Assurance are required to meet industry needs.
Eve Maler – The care and feeding of online relationships
- The common area in the Venn diagram of intersecting Identity Management, Vendor Relationship Management and Social Networking encompasses personalized, access-controlled application behavior based on data sharing.
- Two major areas of online applications requiring Identity relationships are enterprise/e-government (applications are chosen for you) and free agent applications (you choose).
- The term “user-centric Identity,” which comes from human factors design, is giving way to “user-driven Identity.”
- The Vendor Relationship Management movement (projectvrm.org) is focused on empowering user interactions with online vendors.
- While some degree of self-revelation is essential to online relationships, users will come to trust applications that require less Identity information to be revealed.
Mark Diodati – Sisyphus’ Rock: Why is Authentication So Hard?
- Identity Assurance is the strong end goal. If you don’t have Identity Assurance in place, your system is not secure.
- Passwords remain the dominant authentication method because they are easily portable and require no specialized software.
- Biometric authentication is not broadly deployed.
- Smart cards have seen increased interest, but deployments are few. They rarely replace tokens.
- Privileged account management is a huge problem. Run, don’t walk to address risks with privileged accounts.
Mark Diodati, Doug Simmons – Physical and Logical Convergence, Approaching Singularity?
- Physical and logical convergence (PACS) projects are significantly costly and are justified on security grounds, not cost savings.
- The workflow of assigning credentials, etc., is a difficult process for physical and logical convergence.
- The FIPS standards provide the underpinnings for vendors and agencies responding to Homeland Security directives.
- These projects are inherently heterogeneous, requiring much integration.
- Executive leadership is required to facilitate bridging between groups having responsibility for physical and logical access.
Knowledge-based Authentication (KBA)
Panel participants:
- Chris Young (VP and GM, RSA)
- John Dancu (President and CEO, Idology)
- Peter Tapling (President and CEO, Authentify)
Discussion:
- Three types of KBA include Static (e.g. specify mother’s maiden name), Dynamic (user doesn’t have to remember a specific attribute) and Out of Band (requires strong registration; used for high risk transactions or temporary access).
- Dynamic KBA may be beneficial for consumers who don’t visit a specific application or account frequently.
- Dynamic KBA pulls the evaluation of private information away from the enterprise.
- No single authentication method is foolproof. You must layer technology to reach acceptable level of risk.
Mark Diodati – Identity Assurance Framework: The Path to Scalable Trust
Panel participants:
- Frank Villavicencio (Citigroup)
- Robert Temple (British Telecom)
- Andrew Nash (PayPal)
Discussion:
- The Liberty Alliance is developing an Identity Assurance Framework.
- Four assurance levels are defined, from a level of little or no confidence in the asserted Identity’s validity to a very high level of confidence.
- What is the business model for an Identity Provider (IDP)? For the consumer?
- An independent IDP with a sustainable business model isn’t really available.
- Questions of liability must be worked out for IDPs.
Gina Montgomery (AVP and Manager of IT Project Management, MFS Investment Management) – The Privileged Account: IT’s Dirty Little Secret
- Privileged accounts have much potential for abuse because they are poorly controlled and often violate the principle of least privilege.
- It is a large challenge to discover and manage hundreds or thousands of existing privileged accounts and to understand the impact if passwords are changed.
- Recommended actions include 1) educating users on the risks, 2) identifying existing accounts and 3) deploying accountability and control mechanisms.
- Password Access Management (PAM) systems are available to help support this effort.
Bob Blakley: Conference Announcements
- Bill Mann (CA): CA Federation Manager, CA SiteMinder support for CardSpace, expansion of CA IAM and CA to resell Arcot’s WebFort
- Eric Goldman (CEO, Symplified): “On Demand Identity includes Identity as a Service, Identity Cloud and Identity Router.”
- Dieter Shuler (Radiant Logic): Release 5.0 of virtual directory
- Paul Trevithick (Information Card Foundation): InformationCard.net
Technorati Tags: Identity, Digital Identity, Identity Management, Catalyst Conference, BurtonGroupCatalyst08
Great recap. I wasn’t able to attend the conference this year so your recap is very useful!
Comment by Jodi Florence on July 2, 2008 at 7:52 am
Jodi:
I’m glad you found it useful. Thanks for stopping by.
Mark
Comment by Mark Dixon on July 2, 2008 at 10:44 am