
PLENARY
Boundaryless Information Flow™:
Architecting Identity Management

Summary Report

Allen Brown, President and CEO, The Open Group

At the end of the conference plenary, Allen Brown summarized what had been presented and achieved in this conference plenary. This summary report is available for the convenience of those who wish to gain an overall picture of the plenary meeting without needing to read the reports on each presentation.

Allen acknowledged the good work of Chris Harding and members of the DIF and the Security and Messaging Forums in putting together this plenary.

The first Open Group open meeting on Identity Management took place three years ago, in January 2002, as part of our conference in Anaheim on Integrated Information Infrastructure. This led to Boundaryless Information Flow™, and integration of IT solutions. The IT world was focused on the new phenomenon of web services. Microsoft had announced their Passport initiative to deliver single sign-on to web services consumers, and the Liberty Alliance had been formed to counter what many perceived as the threat of domination by a single global identity provider. At that time, we saw three years as the timescale for the solution of the Identity Management problem.

So here we are three years later – what has been achieved? There has been massive progress in identity management standards development, based on a growing understanding of the issues. Products are emerging that conform to those standards. The difficulty for enterprises is how to use those standards to develop architectures that deliver effective identity management.

In our plenary we looked at three areas: at the requirements, at the standards and technology, and at how to pull it all together in enterprise architecture. What have we learnt?

Requirements

At our meeting in Anaheim, we summarized the requirement in these words: “To develop a global framework for identity management in which the communities that an individual belongs to can operate - and cooperate - effectively, while maintaining the right of the individual to privacy, to dignity, and to be in control of his or her destiny.”

From today’s perspective, we see two important modifications to that. The first is that we have some specific issues to contend with, as well as generalities. We have got far enough into the swamp to find the alligators. Maintaining the right of the individual to privacy, to dignity, and to be in control of his or her destiny is all very well. But before this we have to deal with something that hits them where it really hurts – in their wallets. Identity theft is a major problem. Gene Schultz gave some graphic examples: the break-in to a research database at the University of California that compromised personal information of 1.4 million people; the help-desk staff member who sold passwords that gave access to consumer credit reports. Estimates are that 57 million US adults have been reached by phishing attacks.

As far as organizations are concerned, CIOs do of course want to establish effective operation and co-operation. But CIOs are probably more immediately worried about the company being ruined by security breaches, and about keeping out of jail.

An estimated 88% of companies have been the victims of some kind of cyber attack, though many will not admit to the true scale of the problem. Insider attacks probably pose a more serious danger than external hackers. Stuart McIrvine quoted an average cost of $2.7 million for insider attacks, and gave the specific example of the brokerage where an ex-employee transferred many accounts to his new company. The risk is serious and growing. Indeed, Gene Schultz suggested that it may be growing faster than our ability to control it.

There is an explosion of personal privacy and financial probity legislation worldwide, and compliance is at the front of most CIOs’ minds. Sarbanes Oxley has resulted in boom times for information security professionals. This is a major driver for implementation of identity management.

The second modification to our original understanding of the requirements is that we have found new basic requirements that are not being addressed by current standards activities. Specifically, we need to identify things as well as people, and we need systemic identifiers that are common across systems and stable over time.

Justin Taylor put forward a vision of the Identity Driven enterprise, based on identification of silicon-based, as well as carbon-based, life forms, and Fred Wettling described in detail the requirements for managing identities of things beyond people. Stuart McIrvine pointed out the need to be able to trust the devices that people use, as well as the people themselves, giving the specific example of patches to automobile engine-management systems that can be downloaded over the Internet - what does this do to warranties, and to liability?

Jim Hosmer discussed the need for systemic identifiers, from the perspective of a major corporation with a very large number of customers and business partners. Systemic identifiers, used by system components, must be distinguished from user-friendly identifiers used by people; their fundamental characteristics are very different. He pointed out the drawbacks of commonly-used systemic identifiers, especially their lack of stability over time. Examples like visual changes brought this point out.
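The distinction Jim Hosmer drew between systemic and user-friendly identifiers is easiest to see in code. The following is an added example, not material from the presentation or from any Open Group specification: a constructed directory that issues each identity an opaque, stable systemic identifier (a random UUID, an assumption of this example) alongside mutable user-friendly aliases, and two access-control lists, one keyed on the alias and one keyed on the systemic identifier. Renaming the user and then reassigning the released address to a newcomer shows the failure mode of the alias-keyed list and why the stable identifier is the one system components should reference.

```python
import uuid


class Directory:
    """Identity store. Each identity gets an opaque systemic identifier
    (a random UUID, an assumption of this example) that never changes and
    a set of user-friendly aliases (addresses, login names) that may."""

    def __init__(self):
        self._by_sid = {}        # systemic id -> {"aliases": set, "former": set}
        self._alias_to_sid = {}  # current alias -> systemic id

    def create(self, *aliases):
        sid = str(uuid.uuid4())
        self._by_sid[sid] = {"aliases": set(), "former": set()}
        for alias in aliases:
            self.add_alias(sid, alias)
        return sid

    def add_alias(self, sid, alias):
        if alias in self._alias_to_sid:
            raise ValueError("alias already in use: %s" % alias)
        self._by_sid[sid]["aliases"].add(alias)
        self._alias_to_sid[alias] = sid

    def rename(self, old_alias, new_alias):
        """The user-friendly identifier changes; the systemic one does not.
        The old alias is released and may later be assigned to someone else."""
        sid = self._alias_to_sid.pop(old_alias)
        self._by_sid[sid]["aliases"].discard(old_alias)
        self._by_sid[sid]["former"].add(old_alias)
        self.add_alias(sid, new_alias)
        return sid

    def resolve(self, alias):
        """Current alias -> systemic id (None if nobody holds the alias)."""
        return self._alias_to_sid.get(alias)


class Acl:
    """Access-control list keyed on whatever identifier the caller passes in."""

    def __init__(self):
        self._grants = {}  # resource -> set of identifiers

    def grant(self, resource, identifier):
        self._grants.setdefault(resource, set()).add(identifier)

    def allows(self, resource, identifier):
        return identifier in self._grants.get(resource, set())


def demo():
    d = Directory()
    jane = d.create("jane.doe@example.com")

    weak, strong = Acl(), Acl()
    weak.grant("payroll", "jane.doe@example.com")  # keyed on a mutable alias
    strong.grant("payroll", jane)                   # keyed on the systemic id

    d.rename("jane.doe@example.com", "jane.smith@example.com")
    newcomer = d.create("jane.doe@example.com")     # released address reassigned

    return {
        # Alias-keyed ACL: Jane loses access, and the newcomer who inherited
        # her old address silently inherits her grant.
        "weak_jane": weak.allows("payroll", "jane.smith@example.com"),
        "weak_newcomer": weak.allows("payroll", "jane.doe@example.com"),
        # Systemic-id-keyed ACL: Jane keeps access, the newcomer gets none.
        "strong_jane": strong.allows("payroll", d.resolve("jane.smith@example.com")),
        "strong_newcomer": strong.allows("payroll", newcomer),
    }
```

The user-friendly alias is still the right thing to show on screens and in audit reports; the point is that grants, group memberships and audit records should carry the systemic identifier and look the alias up at display time, not the other way round.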

Once the alligators have been dealt with, and before we start looking at new areas, yes - we do want to address the currently understood requirements and drain the swamp. There is a clear business case for identity management, and it becomes more important as collaboration increases. Identity management is a showstopper problem that gains the interest of high-level management.

As many speakers pointed out, if the communities that an individual belongs to are to operate - and cooperate - effectively, there must be trust. This is the context for federation based on business relationships.

Steve Zamek listed the fundamental business drivers – lower administration costs, increased efficiency, lower risk, audit and reporting for regulatory compliance and governance, improved service levels. Indeed many of the questions to speakers raised the importance of audit.

Cost savings are important. An Aberdeen Group estimate is that enterprises spend an average of $300-$350 per user annually on identity systems. But, as John Mori pointed out, there is a trade-off to be made between cost and risk.

Standards and Technology

The achievement of the Identity Standards community over the last three years has been impressive.

XML is now the de facto way to represent information of all kinds, identity information being no exception. OASIS is the body where most XML-based standards are developed. Patrick Gannon – in a most artistic presentation that used the progression from Mondrian to Jackson Pollock to illustrate de-perimeterization – described the OASIS standards related to Identity Management and Web Services, including WS-S, XCBF, DSS, AVDL, WAS, SPML, XACML, and particularly SAML. Standards matter because they give businesses risk-reduction for e-commerce, and help businesses to deal with “future shock”. But standards must be open, and successful standards must be adopted in product solutions, so they have to be relevant and implementable. They must also produce consistent results, implying a need for assured conformance.

Conor Cahill described the work of the Liberty Alliance, which had created the key concept of federated identity. The Identity Federation Framework – ID-FF – is the basis of the Liberty standards. This was originally built on version 1.1 of SAML. Its features have now been incorporated in SAML 2.0. The Identity Web Services Framework – ID-WSF – has been added to ID-FF; it is a framework for locating and invoking identity-based web services. Layered on top of ID-FF and ID-WSF are identity service interface specifications: personal profile, contact book, and others.

Not all standard trust frameworks are new. PKI has been around for many years. Some doubt how well it has done as a technology solution – Gartner has estimated that 50% of all PKI software is shelfware. However, Mary Dixon pointed out that the DoD has developed PKI and smart cards over the last five years, and is using PKI successfully. She remarked that technology does not solve all the problems – it can only make it harder for attackers to break the process. She stressed the importance of identity proofing as the basis of the whole process. These are principles that apply to technology of all kinds, not just PKI. As John Mori put it, if you don’t know who you are talking to, other security controls don’t matter. The vetting process is key.

Anthony Nadalin described the Web Services Framework, which addresses the whole lifecycle of web services – application development, deployment, service delivery, and management - not just identity. Key elements are WS-Trust, which specifies how to broker trust relationships, and WS-Federation, which defines a model for single sign-on based on the WS-Security specifications. The Web Services Framework incorporates the idea that the federation framework must be independent of the security token technology. This enables the framework to encompass legacy trust systems, and PKI.

There is some overlap between the Web Services Framework and the Liberty Alliance, but they also cover areas that are different. Jamie Lewis remarked that every important vendor (with one notable exception) has committed to both the Web Services Framework and Liberty; and we will see coexistence and convergence emerge.

Products that conform to the standards are emerging. Conor Cahill listed a number of client and server implementations of the Liberty profile that are in production and were demonstrated at a recent consumer electronics show. Gavenraj Sodhi explained how federation can be implemented through SAML using production products. Steve Zamek described a case study at Clerical Medical where identity management products had helped deliver increased automation and lowered costs.
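The federation described by Conor Cahill (ID-FF, now folded into SAML 2.0), the token-type-independent model Anthony Nadalin described for WS-Trust and WS-Federation, and the SAML-based federation Gavenraj Sodhi showed all come down to the same thing on the service-provider side: a signed assertion arrives from a partner, and the relying party must decide whether to believe it. The block below is an added example, not code from any of those presentations or from a Liberty or OASIS specification. It builds a constructed SAML 2.0-shaped assertion and runs the checks a service provider must make before trusting it: the issuer is a federation partner, the signature verifies, the validity window holds, the assertion is addressed to this SP, and its ID has not been seen before. The HMAC over the assertion bytes is a stand-in for XML Signature so that the example runs with only the standard library; the partner list, entity IDs, key and timestamps are all assumptions of the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed: the SP's federation partners and the key shared with each.
# Real deployments verify an XML-DSig signature against the IdP certificate
# published in federation metadata; the HMAC here stands in for that.
TRUSTED_IDPS = {"https://idp.example.org": b"constructed-shared-secret"}
SP_ENTITY_ID = "https://sp.example.com"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def issue_assertion(issuer, key, subject, audience, now, assertion_id, lifetime=300):
    """IdP side: build an assertion and sign its bytes."""
    xml = (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="{id}" IssueInstant="{iat}" Version="2.0">'
        '<saml:Issuer>{issuer}</saml:Issuer>'
        '<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>'
        '<saml:Conditions NotBefore="{nbf}" NotOnOrAfter="{exp}">'
        '<saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        '</saml:Assertion>'
    ).format(id=assertion_id, iat=now.strftime(TS_FMT), issuer=issuer,
             subject=subject, nbf=now.strftime(TS_FMT),
             exp=(now + timedelta(seconds=lifetime)).strftime(TS_FMT),
             aud=audience).encode()
    return xml, hmac.new(key, xml, hashlib.sha256).hexdigest()


class ValidationError(Exception):
    pass


def validate_assertion(xml, signature, now, seen_ids,
                       sp_entity_id=SP_ENTITY_ID, trusted=TRUSTED_IDPS):
    """SP side: returns the asserted subject or raises ValidationError."""
    root = ET.fromstring(xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    key = trusted.get(issuer)
    if key is None:
        raise ValidationError("untrusted issuer: %r" % issuer)
    # Verify the signature before acting on anything else in the document.
    expected = hmac.new(key, xml, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        raise ValidationError("bad signature")
    cond = root.find("saml:Conditions", NS)
    nbf = datetime.strptime(cond.get("NotBefore"), TS_FMT).replace(tzinfo=timezone.utc)
    exp = datetime.strptime(cond.get("NotOnOrAfter"), TS_FMT).replace(tzinfo=timezone.utc)
    if not (nbf <= now < exp):
        raise ValidationError("assertion outside validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValidationError("assertion not addressed to this SP")
    aid = root.get("ID")
    if aid in seen_ids:
        raise ValidationError("replayed assertion %s" % aid)
    seen_ids.add(aid)  # remember the ID until NotOnOrAfter has passed
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def attempt(*args):
    try:
        return "ok:" + validate_assertion(*args)
    except ValidationError as e:
        return "rejected:" + str(e)


def demo():
    idp = "https://idp.example.org"
    key = TRUSTED_IDPS[idp]
    now = datetime(2005, 2, 1, 12, 0, tzinfo=timezone.utc)
    seen = set()
    xml, sig = issue_assertion(idp, key, "jane.doe", SP_ENTITY_ID, now, "_a1")
    other, other_sig = issue_assertion(idp, key, "jane.doe", "https://other.example.net", now, "_a2")
    forged, forged_sig = issue_assertion(idp, b"attacker-key", "admin", SP_ENTITY_ID, now, "_a3")
    late = issue_assertion(idp, key, "jane.doe", SP_ENTITY_ID, now, "_a4")
    return {
        "fresh": attempt(xml, sig, now + timedelta(seconds=5), seen),
        "replay": attempt(xml, sig, now + timedelta(seconds=6), seen),
        "expired": attempt(*late, now + timedelta(seconds=301), seen),
        "wrong_audience": attempt(other, other_sig, now, seen),
        "forged": attempt(forged, forged_sig, now, seen),
    }
```

The order of the checks matters: nothing in the document is trusted until the signature has been verified against a key looked up from the issuer the SP already trusts, and the audience check is what stops an assertion issued for one partner from being presented to another.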

The underlying security technology must be kept under review. 90% of companies use passwords as their primary access control method. Stuart McIrvine forecast that biometrics will become more prevalent, replacing passwords over the next 5-10 years. But keystroke logger attacks raise questions for static credentials of all kinds – including biometrics.
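The keystroke-logger point above is about replay: a credential that is the same every time can be captured once and reused, whether it is a password or a biometric template. The following added example (not from any presentation at the plenary) makes that concrete with a constructed user record: a keylogger captures what the user types, the captured string logs in again against a static password check, and the same capture fails against a challenge-response login where the typed value is a one-time answer to a fresh server nonce. The HMAC-SHA256 challenge-response scheme, the user record and the keys are assumptions of the example.

```python
import hashlib
import hmac
import os

PW_SALT = b"constructed-salt"
# Constructed server-side record: a salted password verifier for the
# static-credential path and a per-user device key for challenge-response
# (the HMAC-SHA256 scheme is an assumption of this example).
USER_DB = {
    "jane": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", PW_SALT, 10_000),
        "device_key": b"constructed-device-key",
    }
}


class Keylogger:
    """Records every keystroke the user types; the attacker replays it later."""

    def __init__(self):
        self.captured = []

    def tap(self, typed):
        self.captured.append(typed)
        return typed


def static_login(user, password):
    """Password check: the typed string *is* the credential, so anything that
    captures it (a keylogger, a stolen biometric template) can replay it."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), PW_SALT, 10_000)
    return hmac.compare_digest(digest, USER_DB[user]["pw_hash"])


class ChallengeResponseServer:
    """Each login gets a fresh single-use nonce; the user's device answers
    HMAC(device_key, nonce). A captured answer is useless for the next nonce."""

    def __init__(self):
        self._outstanding = {}

    def challenge(self, user):
        nonce = os.urandom(16)
        self._outstanding[user] = nonce
        return nonce

    def login(self, user, response):
        nonce = self._outstanding.pop(user, None)  # single use, whatever the outcome
        if nonce is None:
            return False
        expected = hmac.new(USER_DB[user]["device_key"], nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def device_respond(user, nonce):
    """The user's token or smart card; the device key never leaves it."""
    return hmac.new(USER_DB[user]["device_key"], nonce, hashlib.sha256).hexdigest()


def demo():
    kl = Keylogger()

    # Static password: the legitimate login succeeds, and so does the replay.
    static_ok = static_login("jane", kl.tap("correct horse battery staple"))
    static_replay = static_login("jane", kl.captured[-1])

    # Challenge-response: the legitimate login succeeds, the replay does not.
    srv = ChallengeResponseServer()
    cr_ok = srv.login("jane", kl.tap(device_respond("jane", srv.challenge("jane"))))
    srv.challenge("jane")                      # attacker starts a fresh session
    cr_replay = srv.login("jane", kl.captured[-1])

    return {"static_ok": static_ok, "static_replay": static_replay,
            "cr_ok": cr_ok, "cr_replay": cr_replay}
```

A biometric reader that sends the same template on every authentication sits on the static side of this line; what moves a credential to the other side is a secret that stays in the device and a per-session challenge from the verifier.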

As Jamie Lewis pointed out, there has been a wave of consolidation among product suppliers, which is now almost complete. But the products are mainly bundles right now; they are not integrated yet. Good, well-integrated product suites should emerge over the next couple of years. In the longer term (5-8 years), identity federation features will “seep into” the platform, although cross-platform management will still be needed.

Justin Taylor also stressed the need to be able to integrate identity and security features into products, so that developers can build identity and security services into applications.

Architecture – "Pulling It All Together"

Jamie Lewis supported the proposition that Identity Management is mainly an architectural issue for enterprises. And enterprises are surprised at how much customization is required. Today, federation is a custom integration project.

Gene Schultz stressed the need to "Keep It Simple" and to try to induce some order into the “controlled mayhem” of the IT environment. Architecture must also result in systems that are easy-to-use: usability is probably the most neglected aspect of IT security. This was reinforced by John Mori, who warned of the danger of turning customers into enemies.

Many speakers, starting with Jamie Lewis, spoke of the value of the Service-Oriented Architecture (SOA) approach to infrastructure services. Jamie painted the architectural picture of identity services and application services plugging into the same services bus. There has been a lot of hype over SOA – but the underlying architectural shift is probably real.

Standards so far address protocol interfaces but not application interfaces. Connectors to access control systems, with simpler interfaces, are needed. While we understand how to communicate between identity systems, we do not yet agree on what identity services and components can be used to build these systems, or how to plug them into a services bus.

Rakesh Radhakrishnan and Ramaswami Rangarajan presented a proposal that shows specific identity infrastructure services, in the context of a Service-Oriented Architecture. Their presentation addressed another key aspect of today’s enterprise environment: mobility. Their concept of Identity-Enabled Networks (IDEN) relates enterprise systems to the telecommunications environment.

Richard Paine described a project that addresses support for mobility within the enterprise – an implementation by Boeing of the Secure Mobile Architecture (SMA) that was developed by The Open Group Mobile Management Forum and published early in 2004. The SMA leverages the power of directories to store location and network information in addition to identity information. This enables identity-driven features to be incorporated into the network infrastructure.

Ron Williams explored the differences between Enterprise and Federated Identity Management, and described the practical business of architecting identity-based systems.

The relation of services to a service bus will in practice be in the context of a development environment such as J2EE or .NET. From an architectural perspective, environment-independent components would be more desirable. The Model-Driven Architecture (MDA) approach, described by Ed Harrington, enables a solution description to be developed at the environment-independent level, and to be used to generate the implementation in the appropriate platform.

It is a truism that knowing the answers is of little use unless you ask the right questions – and this is particularly valid for enterprise architecture. The Open Group Architecture Framework – TOGAF – described by Chris Greenslade incorporates an Architecture Development Method (ADM) that encourages the architect to ask the right questions at the right time. It also includes a resource base that the architect can use in the development of enterprise architectures. When identity management components are defined and included in that resource base, TOGAF will provide the framework for development of effective architectures for identity-based enterprise systems.

Conclusions

Things have moved fast over the last three years. There is now a substantial body of identity management standards, and products that conform to those standards are emerging. At the same time we are becoming aware of new requirements that are not covered by the existing standards.

Pulling the standards and products together into effective enterprise architectures is a key issue. The architectural principles are not yet completely clear, but they are beginning to be understood.

Two areas for future work stand out.

The first is the development of our understanding of architecture for identity management. Service-Oriented Architecture may provide the basic principle, but we need clearer definitions of the building blocks - the identity management components that plug into the services bus. With these in our resource base, we can use TOGAF to create effective enterprise architectures for identity-based enterprise systems.

The second is the development of our understanding of new requirements, and the creation of standards that help vendors to address them. A meeting session jointly sponsored by the DMTF, NAC, and The Open Group, later in this Conference, looked at the requirements for common core identity representations for systemic identifiers, including identifiers for things as well as for people. The challenge that Jim Hosmer gave us in his presentation was to achieve a standard on this by the end of 2005.

There has been substantial and real progress in the last three years. Let’s hope that this continues, so that by the end of the next three years the deployment of identity-enabled systems in the enterprise has become a matter of routine for IT architects.


© The Open Group 1995-2012  Updated on Tuesday, 1 February 2005