
Catalyst Conference, Day 1 (Wednesday, July 29)

Identity
Author: Mark Dixon
Friday, July 31, 2009
5:25 am

I have thoroughly enjoyed this week at the Burton Group Catalyst Conference in San Diego, California.  It has been good to take the pulse of the Identity Industry, re-connect with old friends and meet new people.  I would have enjoyed attending the Cloud Computing or Mobility tracks this year, but stayed with my old standby, the Identity track.  Key points I gleaned from the sessions I attended are included below.  If you would like to review my complete notes on any session or discuss any of these topics, please send me a comment.

Thanks for stopping by.

2009: Upheaval In The Identity Market

Bob Blakley (Burton Group)

  1. The expanding identity universe is changing in three dimensions:
    1. scale – moving both to small (SaaS, SMB) and massive (consumers, social networks)
    2. control – moving from centralized to distributed (de-perimeterization, outsourcing)
    3. focus – moving from business to individual
  2. An infrastructure is evolving that will allow us to transform from being just an "account" in a system to being a "person" in a world where physical and virtual worlds are no longer distinct.

Identity Management: No Time Like the Present

Lori Rowland (Burton Group)
Bob Blakley (Burton Group)
Mark Diodati (Burton Group)
Gerry Gebel (Burton Group)
Ian Glazer (Burton Group)
Kevin Kampman (Burton Group)

  1. Much more focus on efficiency, short ROI and accelerated time to value.
  2. Strong market for IdM during tough economic times; pent-up demand will probably fuel growth when the economy recovers because organizations have discovered new requirements as they use IdM systems.
  3. Oracle acquisition of Sun is strongly impacting the industry.
  4. Oracle will probably not abandon the Sun user base.
  5. Need to re-define or clarify IdM terms, such as provisioning, roles, entitlement management and privileged user/account management.  These terms have grown to mean too many things or are ill-defined in the industry.
  6. SPML is re-emerging as a potentially important standard.
  7. Identity and access governance may emerge as an architectural layer distinct from provisioning and role management.
  8. The uptake on role management is tremendous.
  9. Federation will be the default protocol for cloud computing.
  10. Interoperability and integration continue to be large challenges.

Two Billionths of a Second after the Big Bang – Where Is Consumer Identity?

Michael Barrett (PayPal)

  1. Many consumers have too many online identities to effectively manage.
  2. Consumer Internet interactions are repetitive, frustrating and littered with outdated info.
  3. Super scale: billions of Internet users; millions of relying parties.
  4. Effective consumer-managed Internet Identity infrastructure is needed.
  5. We don’t have a "network effect in action" for consumer Identity, and we need one.
  6. The problem is not fundamentally about technology; consumer-managed Internet identity will depend on financial benefit for participants.
  7. A fourth role in the Internet Identity process may be the "assertion provider" or "attribute broker" (e.g. credit bureaus).
  8. PayPal may be interested in being an IdP; other candidates include eBay, Google, Facebook, Microsoft.

The Identity Services Market

Bob Blakley (Burton Group)

  1. The value proposition for cloud computing is not lower cost, but time to value.
  2. Independent service vendors can provide slices of Identity functionality – customers design how they are packaged together.
  3. The market is building with small firms offering discrete billable units in areas such as vetting, provisioning, logon, risk scoring and user experience augmentation.
  4. Azigo and Kynetics are examples of enabling users to be "recognized", rather than "interrogated".
  5. The "pay as you go" aspect of services will force people to explicitly focus on business value, not just technology.

Externalizing Authorization in a large scale Software-as-a-Service Environment

Steve Merritt (Hoover’s, Inc.)

  1. Hoover’s need was driven by complex needs for delivering business information to users, based on subscriptions.
  2. Requirements included
    1. fine grained control
    2. flexible – different types of objects, apps
    3. complex entitlements
    4. dynamic groups
    5. centralized administration
    6. easy application integration – easy to use API or standard protocol
    7. scalable
    8. multitenant
    9. integration with enterprise IdM solutions
  3. Evaluated build vs. buy.
  4. Selected Cisco Enterprise Policy Manager (formerly Securent).
  5. Critical element in implementing entitlement management is adapting applications to fine grained policy infrastructure.

The Age of Identity Oracles

Mary Ruddy (Meristic, Inc.)
Ron Carpinella (Equifax)
Tom Oscherwitz (ID Analytics)
Rick Rubin (OneHealthPort)
Denise Tayloe (CEO, Privo)

  1. "Identity Oracles" deliver value individual companies can’t provide for themselves.
  2. Achieving critical mass and establishing de facto community standards are essential to adoption.
  3. To build critical mass, it can be helpful to bring a large group up to a low level of security, rather than a few people to a high level of security.
  4. These markets will see more government regulation unless the industry can demonstrate it can self-regulate.
  5. Many solutions failed because they don’t walk the line between assurance and usability.

Roles: The Real, the Imaginary, and the Broken

Kevin Kampman (Burton Group)

  1. Speaking as a voice from the customer, based on feedback from customers.
  2. Vendor products tend to be focused on a particular aspect, but not the whole space.
  3. Tools tend to be oriented toward technologists, not the business community.
  4. Efficiency and compliance are still major drivers.
  5. Governance of role management initiatives is essential – usually in concert with overall Identity Management governance.
  6. Execution is a classic project management challenge: identify scope, manage priorities, establish metrics, recognize challenges.
  7. Many people, from business and technology viewpoints, must work together effectively to achieve success.
  8. Roles bring value to downstream processes like provisioning and entitlement management.
  9. To start, pick well-understood domains, with fairly stable populations, where there is a real problem to be solved.
  10. Quality data is critical – you must be able to rely on it.

Empower the Business with Identity Management

Robert Amos (NuStar Energy)

  1. Funded project based on efficiency for HR department.
  2. Managers and role owners must agree to new process.
  3. Work with simple role structure first.


Role Management – Leveraging the Investment

Paul Rarey (Safeway, Inc)

  1. Focus on highest value: using 25 roles addressed 60% of the problem.
  2. Choose roles by focusing on high volume of people change and malleability of business process.
  3. The identity warehouse, which holds trusted and aligned Identity data from multiple sources, provides the foundation.
  4. Roles support more than RBAC; they support good decision making: is the right person in the right place doing the right thing?

The Intersection of Roles and Entitlement Management

Kevin Kampman (Burton Group)
Alice Wang (Burton Group)

  1. Assigning entitlements directly to users doesn’t scale, lacks flexibility, is not agile and increases compliance risk.
  2. Policy: glue that binds roles to, or divorces roles from, entitlements.
  3. XACML is a reference model for separating authorization processing out of application, but is not the only one.
  4. Bottom line goal for entitlement management: control access efficiently, with clarity, in compliance with regulations.
  5. Roles facilitate meaningful conversations between different constituencies.
  6. Roles are off to the races … entitlement management is learning to walk.
  7. How many roles are effective? It comes back to how many to manage effectively.
  8. A role/rule based system is a good way to balance the problem of too many roles.

Role Management Evolution

Ed Coyne (SAIC, Veteran’s Health Administration)
Alan O’Connor (RTI International)
Paul Rarey (Safeway, Inc)
Robert Amos (NuStar Energy)
David Laurance (JPM Chase)
Kevin Kampman (Burton Group)

  1. NIST is preparing to update a 2002 study on economic returns to IT and business from using role based access technologies and methods to look at where wins have occurred and economic benefit can be improved.
  2. Roles can be used as organizing principle for defining, provisioning and interpreting user access and related information.
  3. To effectively define roles, we must talk in the context of business process and workflow.
  4. The term "role" has come to have several different meanings in different contexts.
  5. Standards may be helpful for RBAC systems to interoperate.
