Presentations on Identity Management Deployment Strategies
The meeting started with a plenary keynote presentation on The Evolution of Identity Management in a Web Services World by Justin Taylor, Chief Strategist for Directory Services at Novell.
Justin explained how the need to support web services is driving
the development of Identity Management, but against a background
of falling IT budgets and within an increasingly constrictive legal
framework. Directories provide the foundation, enabling scalable,
flexible, and policy-driven services to be implemented cost-effectively.
A federated identity management system, separate from the services
that it supports, is the key infrastructure. Directories are evolving
and XML-based languages such as DSML and SAML will replace LDAP.
The necessary standards are still in their infancy; Liberty Alliance and Passport both
have valuable contributions; neither is sufficient on its own. Certification
is important to guarantee conformance. Overall, simplicity will be the key
to success. A fuller summary of this presentation is available.
Gavenraj Sodhi, Senior Technical Analyst at Business Layers, presented on Identity Management and Provisioning Standards: Providing Identity Management Infrastructure Product Interoperability. He reviewed the customer requirements, business
drivers, and technical drivers. These are leading to applications driven
by different infrastructures. The development of Identity Management standards
should result in federated identity, interoperable solutions, security, and scalability.
The key current standards, which Gavenraj described, are
SAML, SPML, XACML, the Liberty Alliance, and PingID. Customer involvement is
essential to their further development.
René Head, Business Solution Architect at ePresence, gave a presentation entitled The Art of Identity Management. This emphasized
the intuitive, as opposed to the formalistic, aspects of Identity. Pure technology will
not meet the need. A business-driven approach is required to architect a solution
for each enterprise. René described such an approach, based on obtaining
involvement and commitment of the stakeholders, and with decisions based on metrics
that show the value of particular technology-supported organizational initiatives to the business
mission.
Toby Weiss, Senior Vice President for eTrust Identity Management Development at Computer Associates, spoke on Identity Management - Connecting Users to Services. He started with the requirements in The Open Group
Identity Management Business Scenario, noting that some of the requirements
vary in different contexts, and that there are further important requirements: for
scale, performance, practicality, cost, and business logic. There will be a need
to justify the return on investment in Identity Management. Identity Management
connects users to services: it handles user provisioning and validation; it is intelligent
and it applies business logic. Directory is its basis. UDDI may become an important
component.
Ian Glazer, Security Market Strategist at IBM, gave a presentation on Identity Management - The State of the Union. He reviewed the
history of Identity Management. The current enterprise practice is to place its systems
inside a control layer with an outer perimeter defense. When applied without an Identity
Management foundation, this approach does not give good security, and it has high
development and operating costs. The components of an Identity Management
foundation are user provisioning, privacy management, access management, and
data synchronization. Enterprises are now applying centralized Identity Management.
Distributed, federated Identity Management will be essential for co-operation with
partners and affiliates, but enterprises are not yet ready for it. The trust model is the
key; given this, the standards and technology will come together.
Mandeep Khera, Product Line Manager for the Security Services Business Unit at Verisign, spoke on the subject of the Lifecycle of Identity Management. Verisign is a supplier of third-party Identity Management services.
Its services enable its customers to provide access to their systems and services
in a secure manner, through authentication and access management.
They are based on a managed PKI architecture. They can use
business logic and can draw on information from public records, credit bureaus, etc.
They support trust gateways between enterprises and their business partners.
They can handle identities of machines as well as of people, and can
provide non-repudiation through digital signature.
Justin Taylor then gave a second presentation, on Web Services Evolution. This outlined his view on how directory will evolve as the basis for Identity Management.
Directories will gain new capabilities in the areas of security, intelligence, and data
integration. They may have both Passport and Liberty Alliance functionality built in.
They will have a "polyarchical" rather than a single hierarchical data
model, which will lead to manageability and ease of integration with other systems.
Discussion Arising from the Presentations
What Are The Risks Of Doing Nothing?
Current solutions may serve for about two years.
Then, not implementing Identity Management will lead
to companies failing to provide service, and going out of business.
In some cases they may break the law.
There is a need to handle proxy identities, for example in hospitals,
where young relatives may act for elderly patients who cannot act for
themselves. Simple delegated administration will not work.
The challenge is to model the situation intelligently. There is no
clear answer right now. Banks are beginning to address the issue.
There is standards work on a CRM mark-up language in OASIS
and on an XML syntax for legal applications. The Liberty "circle
of trust" concept may be relevant. Whatever solution is adopted must
be easy to understand by users and ideally should support a
"self-care" operating model.
Identity theft is a serious problem. It raises the question of how to
reconcile security issues with common identity, and of the need for
multiple levels of password. A single "honeypot" item whose
theft gives access to everything would make this more serious; people
should think about what they want to present, and how much of it, and
to whom. Biometric identification, different forms of credential,
and different access permissions depending on the location of the user will all help solve
the problem. Introducing more complexity into systems may cause people
to write the details down and actually lower security.
The emerging solutions are oriented towards the needs of the organization
rather than the individual. There are significant individual concerns, and there
are significant public and governmental concerns relating to individuals'
control over their identities and personal information. Individuals may know
what they want to present, and how much of it, and to whom, but they are
not able easily to give effect to their wishes. Organizations, naturally, will
look after their own interests. But it is arguable that the true interest of the
organization is to empower its individuals, which means that its systems must
meet individuals' identity management needs.
Identity Management Standardization
Chris Apple, Principal Architect at DSI Consulting and Identity Management
Work Area chair, presented an Overview of Identity Management
Standards and Consortia. It summarized the work on Identity Management of
The Open Group, the Liberty Alliance, Microsoft Federated Identity Management,
OASIS, ITU-T, and the IETF. The final slide of the presentation shows
the coverage of the requirement areas by the various standards initiatives.
The Open Group Identity Management Work Program
Chris gave a second presentation on The Open Group
Identity Management Effort Status. This included, in the final slide, a list of
proposed work items for 2003:
- Identity Management Roadmap White Paper;
- Identity Management Implementation Catalog;
- Revision of Business Scenario;
- Interoperability Challenge.
These work items were accepted. In addition, the following work topics were suggested:
- Identity Management Architecture;
- Identity Management Guidebook;
- Identity Management Certification.
Work on Identity Management Architecture would address the role of
Identity Management in supporting Boundaryless Information Flow within the
enterprise. It would be in the context of The Open Group Architectural Framework
(TOGAF). Eliot Solomon was forming a cross-functional task force on Boundaryless
Information Flow, and members of the Identity Management work area were invited
to participate in that task force to address this topic.
Identity Management guidelines could be considered together with the Implementation
Catalog.
Identity Management certification is certainly an aspiration of The Open Group for
the longer term. Certification Programs should be identified by the Roadmap White
Paper.