European Identity Conference 2009 | Day 1
Today was the first day of Kuppinger Cole's European Identity Conference, the largest conference in Europe focused on identity management.
Kuppinger Cole is an analyst firm that advises on GRC (Governance, Risk, Compliance), Identity and Access Management, IT security and, most recently, Cloud Computing. They know their stuff, even if the focus naturally ends up being rather German. But that need not be a bad thing, since there are many large organizations in Germany that have come a long way in this area.
The first session of the day was a pre-conference where Martin Kuppinger looked at trends in the short and long term (2008-2019). Here are his 10 trends.
Trend No. 1: GRC as the Business Control Layer for IAM
GRC (Governance, Risk Management, Compliance) is the superstructure for IAM. GRC provides the business controls (e.g. policies, roles,…) to manage identities and authorizations. Thus, the typical provisioning layers will either be expanded to support GRC requirements or become more lightweight, as just sort of an interface layer between the business controls and the systems which are provisioned.
Overall, the maturity of GRC platforms will increase further. That includes the addition of missing features as well as a better support for business policy management and better interfaces to existing provisioning systems for an effective authorization management.
Trend No. 2: Growing Maturity of Identity 2.0 Approaches
Identity 2.0 becomes more mature. Over the course of the last year, attention shifted from the lightweight OpenID to the more sophisticated Information Cards, now supported by the open ICF (Information Card Foundation). We will observe an increasing momentum in that area, even while the discussion about valid business models for the Identity 2.0 world – especially for Identity Providers – still will be intensive this year.
Trend No. 3: Multi-purpose Cards gain Momentum
A quiet evolution has happened in the market for authentication tokens. Multi-purpose cards are increasingly important. These cards support not only strong authentication for IT systems, but also physical access to buildings and sometimes even payment functions or other features. These advanced cards are increasingly considered as the mechanism of choice for strong authentication, reducing the number of tokens employees have to carry and the logistics costs for such cards through their use for several use cases.
Trend No. 4: Context and Versatility become Reality
Context-based authentication and authorization has been discussed for quite some time, as has versatile authentication (e.g. the flexible choice of authentication technologies within one platform). Both approaches are becoming increasingly mature and are supported by more and more vendors. In that context, soft-tokens are now frequently supported as one approach for authentication, both to reduce logistics costs and to provide a fail-over in case a physical token has been lost or destroyed.
Trend No. 5: More IAM and GRC for the Cloud
Cloud Computing will be the next big thing in IT – a fundamental paradigm shift which provides much more flexibility for IT infrastructures than ever before. That requires IAM as well as GRC for the cloud. Currently, there is only little support for basic IAM standards like SAML. The increasing pressure of customers in a growing market will lead to a broader support for existing and upcoming standards like SPML, OAuth, XACML or CARML as well as to the definition of new standards.
Trend No. 6: Portable Identity Information for Social Networks
Today, typical social networks don’t support a flexible exchange of the identity information (including the relationships and all the other data) which is stored in these networks. That will change. There are first approaches for open, exchangeable identity and relationship information for social networks. There is an increasing pressure of users on the providers of social networks. And there is the impact of Identity 2.0 which allows building new types of social networks. Thus, the lock-in of information in social networks will come to an end.
Trend No. 7: GRC going beyond IAM
GRC will not only become sort of a business control layer for IAM – GRC will also expand beyond IAM. Some first vendors have started to add SIEM (Security Incident and Event Management) capabilities to their GRC platforms. And some of the large vendors are in the starting blocks to add ITSM/BSM (IT/Business Service Management) and other features. Over time, we expect GRC to become a more complete business control layer which allows providing business policies and controls to IT and the status information back from IT to business.
Trend No. 8: First Impacts of new Electronic Passports
The new Electronic Passports (ePA) will become part of IT strategies, especially in Germany with the sophisticated approach of an ePA that also supports features for non-governmental use cases. There will be first solutions supporting the ePA for strong authentication as well as for integrating Identity 2.0 technologies with the ePA.
Trend No. 9: Increasing Service Orientation in IAM and GRC
A service-oriented approach for IAM and GRC will become increasingly important in three areas: Defining and managing IAM and GRC services, building lightweight, service-oriented implementations especially for provisioning, and supporting SOA. Overall, that will be part of a shift from today’s frequently monolithic approaches towards a more flexible concept of IAM and GRC.
Trend No. 10: Privacy is back – and there are more Solutions
Privacy has been a no-brainer for a pretty long time. Despite some regulations, there hasn’t been much discussion about privacy. And, even more, there haven’t been significant technical improvements to support privacy requirements. That is changing. New technologies for supporting privacy, especially the concept of “minimal disclosure” are on their way – and there is far more discussion about privacy issues than there has been for years.
GRC (Governance, Risk Management and Compliance) in particular can probably be called this year's hot topic. As the technical parts around provisioning and access work better and better, more effort goes into what determines whether projects succeed or not: business processes and roles. And then it is more about what an organization actually wants to achieve.
The other big talking point was of course Cloud Computing. Everyone sees that things are happening at both vendors and customers, but people are still a little unsure of exactly what it means for identity management and access. But everyone agrees that both needs and requirements will increase in a world where more and more customers are external. The good thing is that many who deliver services in the cloud have adopted standards such as SAML, but there will still be a lot of integration work, especially if one were to get the idea of moving services between different cloud providers. Exciting!
A natural consequence of Cloud Computing and SaaS (Software as a Service) is of course IaaS (Identity as a Service).
We also see clearly that certain applications drive new solutions. One such application is SharePoint, which has a security model that differs radically from how customers intend to use the product. There are solutions, for example Rohati, but there will be big problems for customers who try to roll out SharePoint without a sensible structure for identity and access.
In the longer perspective there were above all observations about the modularization and service orientation of IDM, with "Identity Bus" as a concept where many different identity services can cooperate. Microsoft's "Geneva" Claims Based Access Platform was also on the radar, and Kim Cameron was on site to go deeper.
An interesting panel debate was about whether Europe had its own approach compared with the rest of the world when it comes to IAM. Everyone seemed to agree that it was the USA that differed from everyone else. In the USA there had been an early rush when everyone did provisioning as a quick fix. In Europe things had gone a little slower and people had perhaps done things a little more slowly. In Europe people also seemed to work more with role management…
Late in the afternoon came the vendor presentations. Heavy going.
Refreshing, however, was Eve Maler from Sun (also known as xmlgrrl since she was one of the inventors of XML). She talked about the crazy projects she is working on right now, such as OAuth (an open protocol for authorization) and ProtectServe. Cool!
Eve Maler is an Emerging Technologies Director at Sun Microsystems, innovating technologies related to digital identity management and developing strategies for promising new technologies on the scene.
Eve was one of the inventors of the Extensible Markup Language (XML). She has also made major leadership, technical, and educational contributions to other successful open standards and communities, such as Project Concordia, the Security Assertion Markup Language (SAML), the Liberty Alliance, the Universal Business Language (UBL), and DocBook. One of her current projects is ProtectServe.
Eve is a frequent public speaker, and chairs the Web Services and Identity track of the annual XML Summer School held at University of Oxford.
Eve co-authored Developing SGML DTDs: From Text to Model to Markup, a book that provided a unique methodology for information analysis and SGML schema design. Eve’s blog, Pushing String at xmlgrrl.com, touches on topics both technical and whimsical.
A bit early to put things in perspective, but it feels as though the field has matured considerably and that IAM is now being viewed in a larger perspective.
Tomorrow we hope for more stories from the real world.
The conference can also be followed live on Twitter with the tag #eic.