The session had a nice flow to it, starting with a vendor presentation (Oracle, of course), followed by an analyst presentation (Bob Blakley and Lori Rowland from the Burton Group) and concluding with a customer presentation (our old friend Ramin Safai from Barclays Capital). Getting to discuss identity management from all points of view was quite a valuable exercise, and I gleaned lots of useful nuggets.

Security Inside Out

Amit Jasuja (who heads up the Identity Management team at Oracle) kicked off the day by talking about “Security Inside Out“, Oracle’s new message on putting together a complete security practice by bringing together Database Security, Identity Management and Information Rights Management. Weaving all of these elements together allows an enterprise to get a complete handle on the nature of their security risk across all tiers – database, middleware and application – and in all contexts – data at rest or in motion, internal users vs. external users, and so on. This led to a lot of discussion on moving towards risk-based identity management, which can be more adaptive to an enterprise’s needs and allow identity management to be a business enabler, not a hindrance.

One of the concepts I particularly liked was using identity management to enable “Break The Glass” scenarios that allow for contextual security decisions. In such a scenario, a user who ordinarily does not have access is allowed to get access but with added controls (like heightened audit, approval and attestation) to address the unique, emergency-like situation that presents itself. Being able to adapt to sensitive contextual situations without sacrificing on security and compliance is a powerful message that resonates in the enterprise world. Another topic that proved fertile for conversation was for risk-based IdM to leverage One-Time Passwords delivered via SMS or over land-line phones in order to implement higher levels of identity assurance (LOA). As two-factor authentication goes, enterprises increasingly view this as an attractive way to increase levels of assurance without having to invest in tokens and biometrics.

Complete Security

The Burton Group team talked about the state of identity management in the market today, especially emerging trends and hot-button topics. Lori validated my observation that cloud computing is going to have a huge impact on the future of identity management, and gave a nice shout out to my OpenWorld session on the topic. One of the interesting takeaways from their talk was this point that Bob made about achieving complete security: An enterprise needs to have preventive controls that allow business to be conducted as usual but flush the bad guys into the open, where detective controls can identify them and their activities, which would then allow responsive controls (aka the cops) to take action.

Down In The Trenches

Ramin then gave a customers perspective on implementing identity management – from “down in the trenches”, as he called it. There were a lot of good lessons in his talk – about scoping the project correctly and dividing it into small, achievable mini projects that demonstrate ROI, about the processes and architecture they put in place to ensure success of the project, and some of the achievements they had with their IdM implementation, especially when Barclays acquired Lehman Brothers. One of the major points made in the room during discussion was that security within the enterprise needs to be driven top down by an “Executive Governance Board” in order to achieve  consistency and completeness. It cannot be done piecemeal at the IT level.

I love taking part in sessions like these, as it is great to be able to hear so many different perspectives. And thanks to Greg Belanger from the Apollo Group for giving me a shout out during the analyst discussion on Oracle’s differentiators in the identity management area. The point he was making about Oracle demonstrating vision in IdM is an important one that we are very serious about here, and I am glad to be a small part of that.

Tags: Identity Assurance, Identity Controls, OOW09, Oracle OpenWorld, Risk Management

Unfortunate coincidences on the title aside, the overall response to my session was quite positive, especially from folks whose opinions I really respect like Bob Blakley and Lori Rowland from the Burton Group. There was general agreement that widespread adoption of Cloud Computing is going to be a major disruption on the existing evolutionary path that Identity Management has been following. And adoption of the Identity Services model is a major component to readying IdM for the Cloud.

Check out the screencast (slides with audio of the session) of my session below. Registered attendees of OpenWorld can download the presentation itself and the MP3 audio recording of the session from OpenWorld On-Demand (just login with the Username and Password you created during your OOW registration).

The audio includes the questions that were asked of me, and turns out that the questions didn’t record well and I forgot to repeat them. Hopefully my answers are cogent enough that you get an idea of what questions were asked. I did want to follow up here on this blog post a few of those answers:

• A question came up regarding the licensing terms for Oracle IdM products when they are being used in a cloud environment (specifically, by organizations that are going to be Cloud Providers of Identity Services). The biggest challenge for such organizations is that they cannot accurately estimate the number of users, or other such variables licensing is typically based on, beforehand, which creates uncertainty for them as to the cost they will have to bear. After the session, I confirmed with our PM team that there is special licensing available for ISVs. Talk to your Oracle sales rep about this if interested.
• Another question came up regarding the impact of all this on standards like SPML. I believe my answer covered my opinion on the greater emphasis the cloud identity model will put on the evolution of these standards, especially SPML, which has been languishing. Follow up conversations with some of the original architects of the SPML standard and others involved in standards efforts brought up that the communities responsible for these standards are looking at this very hard and are gearing up efforts to address this. So stay tuned for more on that.
• A question was asked regarding Just-In-Time Deprovisioning of access to cloud-based assets. This is something I discussed quite a bit in a blog conversation with folks like Ian Glazer and Pam Dingle a while back. So check out that post and the related thread.

Tags: Cloud Computing, Cloud Identity Model, Identity Services, OOW09, Oracle OpenWorld, Oracle_IDM

• Session ID: S309525
• Location: Moscone South Room 308
• Date and Time: 10/12/2009 | 11:30am-12:30pm

Below is the abstract for the session, in which I plan on expanding a great deal on the presentation I did in the webinar with KuppingerCole:

Cloud computing is about to revolutionize enterprise IT and architecture. But leading industry analysts see security as a gating factor preventing enterprise adoption of cloud solutions, as enterprises grapple with the unique characteristics of cloud security and the challenges of compliance and governance. This session outlines key identity management considerations for evaluating a move to the cloud. It discusses how enterprises can leverage their existing identity and access management infrastructure and the principles of service-oriented security and standards-based interactions to secure their assets in the cloud. It also looks at the prospects for identity management as a service and how it will affect cloud computing’s future.

As I prepare for my talk, I found myself revisiting some of the previous talks I gave at OpenWorld the last few years. It was very interesting to see how my vision for Identity Services has evolved over that time. I found it a most amusing exercise, so I thought I would extend the courtesy to my readers. To that end, I have uploaded my previous OpenWorld presentations to my Slideshare page (you can also get to them from the links on my Speaking page). I can’t believe I thought the Love Guru angle was a good one to take for a tech talk

If you are going to be attending OpenWorld, you can pre-register for my session using the Schedule Builder tool for OpenWorld attendees. And as always, ping me on email/LinkedIn/Twitter if you want to meet up that week. Look forward to seeing you there.

Tags: Cloud Computing, Identity Services, OpenWorld, Oracle OpenWorld

It started off with Martin Kuppinger talking about his views on cloud computing and identity management. I then spoke for about half an hour on how I think cloud computing will disrupt traditional enterprise identity management – but in a good way.

Enterprise IdM, Interrupted

More than anything else, cloud computing is going to accelerate the evolution of identity management to a services-based model. I have, of course, been talking about identity services on this blog and at OpenWorld and other forums for quite a while now. But the need for good security and controls in the completely elastic, plug-and-play world of the cloud mandates that identity be externalized into an infrastructure layer.

I wish we had left more time for questions during the webinar, because I would have loved to hear from folks about their thoughts on the topic. Hopefully there will be a chance for discussion when I speak on this at Oracle OpenWorld (session details below). In the meantime, check out the webinar recording or my deck. And as always, I encourage you to leave me some comments.

Identity Management and the Cloud: Stormy Days Ahead?

Session ID: S309525 | Moscone South Room 308

10/12/2009 | 11:30am-12:30pm

Tags: Cloud Computing, Identity Services

The webinar is today, Monday Sep 21st, 11 am EST (yeah, I know, short notice. But hey, if you were following me on Twitter…). You can register for the webinar (it’s free!) here.

And if you miss it, it will be available as a podcast later.

Tags: Cloud Computing, Identity Services

The Cloud Hanging Over Us

At Catalyst, Dan Blum stated that cloud computing is not ready to be a serious player in the enterprise when it comes to applications that handle sensitive data (some would argue that covers most enterprise apps). This reflects the biggest obstacle facing cloud computing acceptance – Trust. Enterprises need to be able to rely on cloud providers (read: have SLAs) for availability, security, performance, governance and privacy. But how can they do that when there are so many unanswered questions (as I pointed out in my previous post) and a lack of transparency on the part of the cloud providers? How can an Enterprise feel comfortable when Google says “The service is neither designed nor intended for high risk activities” or Amazons contract states “We are not responsible for any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of, Your Content (as defined in Section 10.2), your Applications, or other data…”

Looking at the Silver Lining

When people talk about the business drivers for cloud computing, it is often summed up as the following list: Cost, Flexibility, Simplicity, Availability. But why not Security? Cloud architecture actually lends itself to a far more robust and reliable security architecture than anything that has come before. Everything can be built right into the platform and the applications, and the need for vendors to support multiple customers in a dynamic environment means that all of it has to be standardized and easy to put up/take down.

So what are the major identity management pieces in this puzzle?

• Federated Authentication that spans the enterprise environment and the cloud environment
  • Alternatively (or additionally), consider supporting User-Centric Identity
• Strong User and Access Lifecycle Management (Provisioning/De-Provisioning Capabilities)
• A Claims-Based Authorization model, coupled with strong XACML-based Entitlement Management
• Enterprise Identity Providers protected by IGF-style policy controls
• DLP (Data Leakage Protection) tools that protect sensitive data moved to the cloud
• A standardized Audit Framework for creating, managing and analyzing audit trails across cloud services

In my follow-up posts (and in the talks I am giving), I will look at each of these in more detail. In the meantime, register for the KuppingerCole webinar I’ll be doing and lets exchange some thoughts.

Tags: Cloud Computing, Federated Identity, Identity Services, User-Centric Identity

Marines can’t use Twitter or Facebook on duty, but soldiers and sailors can. For airmen, it depends on the base.
As for YouTube, the Air Force has created its own channel – which can’t be accessed from work computers.

A lot of people in favor of social media use (including yours truly) view it as an important communication and PR tool, providing some much needed openness and transparency in a time of record low recruitment and mistrust. It is also viewed as a weapon for the military to take back the narrative regarding the wars in Iraq and Afghanistan from the hype-driven media. The rate at which information can be gleaned from these media makes them effective early-warning systems on all manner of critical events – from earthquakes to civil war and revolutions. And don’t forget how incredibly useful it is as a tool for our troops to stay in contact with friends and loved ones. For a much better, insider take on how critical the use of social media is to our national security, read this extremely well-written article in the Federal Times.

I shared the story on twitter, along with my opinion that the ban was the wrong approach for the military to be taking. Brad Tumy challenged me to explain why I thought it was the wrong approach, and what I think they should be doing instead. I promised I would address his question in a blog post soon, so here goes.

Lets take a look at some of the main reasons given for banning social media.

1) Bandwidth Issues

The amount of bandwidth sucked up by YouTube, Facebook and the like puts a strain on limited DoD resources. But today, network tools that monitor bandwidth usage and throttle the traffic based on conditions are quite common. And using geolocation and device identification to cut off access on machines being used in the field (that use extremely limited satellite-based bandwidth) is technically possible (and as someone I met at Catalyst told me in a different context, is being done every day).

2) Spread of Malware

Highly publicized incidents like the Koobface worm spreading via Facebook have led some of the security experts to consider these sites to be tremendously dangerous to the integrity of the DoD networks. But the malware threat from social media is nothing compared to the attacks the DoD has to fend off on a daily basis via sanctioned channels, namely email and so called “good” websites. And the tools to protect against the malware attacks are well understood and widely deployed. Most folks learn pretty quickly to identify and ignore malware messages, no matter what the medium. And cloud-based social media sites will do a much better job of cutting an attack off at the knees than thousands of distributed email systems ever will.

3) Information Leakage

In providing their reason for banning social media, the Marine Corps said

the very nature of social networking sites creates a larger attack and exploitation window, exposes unnecessary information to adversaries and provides an easy conduit for information leakage.

This is probably the most serious cause for concern, and one where IAM and Security technologies can play a crucial role. In many cases, the challenge here is similar to the one faced when dealing with any communication channel, whether it be email or ftp. Many enterprises rely on Security Information Management to protect their most sensitive resources – their data. A well established Identity Management infrastructure provides the first layer of protection by ensuring that only authorized individuals have access to sensitive information, and then providing a complete audit trail around the access of that data. This has been shown to have a deterrent effect in information protection, and can assist in tracing back the source of a data leak. DLP (Data Leakage Protection) tools provide data security by enabling data identification, classification, usage and wrapping controls around it all. Firewalls are getting increasingly sophisticated (take a look at Palo Alto Networks, which is getting traction with a content inspection engine that can “accurately identify applications … and scan content to stop threats and prevent data leakage“). The fact that Facebook and Twitter have APIs that allow the creation of custom clients means that users can be given access in a secure way through apps developed by the military. And there is commercial software out there that does much the same.

Now, the way I see it, the armed forces are facing the exact same dilemma that most enterprises are facing when considering how to tackle the use of social media in the workplace. The only difference is in the amplification of the potential consequences. Exploitation of the attack window that social media use creates could lead an enterprise to lose a lot of money, but in the case of the armed forces it could lead to serious loss of life. That does mean that while the issues are the same, the risks are vastly different. This would necessitate a completely different risk mitigation strategy. But does that mean that the solutions that can help would change too?

A blanket ban such as the one being discussed would lead you to believe that there exists no ability to handle what are essentially security and access control issues in the system, and that simply is not the case. I’m not saying that it is perfect, but a combination of tools, policies and guidelines can make it possible for social media to be leveraged by the military in ways that serves their (and our) national cause without harming their mission. And that would be to everyone’s benefit.

If you ever saw the movie “Breach” about how Robert Hanssen leaked national secrets by photocopying files and carrying them out in his bag, just think of how much more quickly he might have been caught if he had been sending those files over a social media connection. USB drives and email are far bigger threats (right now) than social media. and by being proactive, the military can turn these tools to their advantage. On the other hand, by not playing in one of the emerging technologies in the market, the US military risks becoming outdated, outmoded and outplayed by our adversaries.

Tags: Data Leakage Protection, DLP, Facebook, Firewall, Identity Management, Military, Oracle_IDM, Social Media, Social Networking, Twitter

Day 2: Lets get back to basics

The first half of Thursday was focused on enterprises looking for ways to achieve efficiencies and ROI through their IdM deployments, an outcome that had lost its relevance in the rush to achieve compliance objectives. But the current economic climate, and the slew of M&As (mainly As) and layoffs has brought this to the forefront once again, and sustained market interest in IAM when other initiatives are being pared back.

The day was a very good one for hearing about how customers were leveraging their IdM deployments in creative ways.

• I heard some interesting use cases of how Virtual Directory was being used to achieve efficiencies.
  • Companies are using Virtual Directory to expose the same identity data in different forms for different use cases.
  • The presenter from Sony talked about using Virtual Directory on top of geographically local LDAP servers to provide global access to data while satisfying their data compliance needs.
• There were a couple of sessions on managing UNIX infrastructure via AD (which is when I ducked into the cloud computing track).
• Wendy Booker of SunTrust Banks described how they used the cost savings (which they had to demonstrate and prove) from their IdM deployment to self-fund their project, which was a story I am sure more than a few attendees were interested in.

What I found really great was that a lot of the sessions were presented by organizations that had moved on to the 2nd or 3rd phases of their identity management program rollouts. This is quite different from all the previous conferences (Catalyst and others) I have been to, and speaks to the maturity of the market and some of these deployments.

The second half of the day was focused on identity transparency and governance. One of the most important points of the conference was made by Chris Howarth in his excellent kickoff talk, when he said that identity management must facilitate both hierarchical organizations that are necessary to implement enterprise controls, and social networks that are necessary for collaboration to take place. A lot of the discussion in the following talks were focused on the need to increase transparency with respect to how identity data is used, managed and secured to allow for accurate risk assessment and compliance to take place (echoing what was discussed in the cloud computing SIG). And increased transparency only works when complexity is reduced (preventing opacity from just being replaced by obscurity), an architectural requirement that aligns nicely with the identity services vision discussed on day 2.

Day 2 ended with the second night of hospitality suites, including Oracle. We got such a crowd in the Oracle suite that I barely managed to leave it for a few minutes to meet up with some old friends and colleagues in the other suites. And I made some good friends that day (and into the night – not a topic for this blog). I will say that celebrating Ian Glazer’s birthday at a speakeasy called Prohibition was very cool, even if they didn’t ask me for the password.

Day 3: Identity and Privacy are Blood Brothers

Day 3, while just a half day, still packed a solid punch with lots of intellectually stimulating discussion on the topic of privacy. Ian Glazer made a good point at the start of the conference when he said that the identity community is uniquely qualified to deal with the emerging privacy issues. And the sessions on Friday laid out exactly why. The key point made was that Security (making it difficult to get to something you shouldn’t have access to) should not be confused with Privacy (making it easy to get to something you should have access to). They are related, but not the same thing.

Robin Wilton gave an inspiring talk in which he laid out a framework for having productive privacy discussions with the multiple stake-holders involved. He arrived at this framework by analyzing the results of a series of round table discussions held around the globe as part of the Liberty Alliance Privacy Summit to get contextual understanding of privacy. Robin laid out a “Ladder” framework (Philosophy | Strategy | Implementation | Technology) that helps the parties involved focus on the use cases and issues to resolve. I hope he makes his presentation publicly available in some format in the future, because really is a great piece of work.

Bob Mocny, Director of the US-VISIT program, talked about some of the identity and privacy issues involved in running the single largest biometric authentication program in the world. One of the key takeaways from his and the follow-up sessions was the need for organizations to implement privacy audits as separate programs from their IT-Security audits.

Heidi Wachs, Directory of IT Policy and Privacy Officer at Georgetown Univ, gave an interesting talk about the lessons learned during Georgetown’s efforts to  handle a privacy breach. What I found fascinating was how they went about trying to create and enforce a policy on the use, collection and retention of SSNs. Their findings on how far the data was “leaking”, how hard it was to track down all the possible data flows, and how users went to great lengths to hide their mistakes were a lesson that every enterprise should be aware of. It also highlighted the challenges the extended enterprise, working with business and IT partners and services providers, faces in locking down privacy issues.

The day ended with Google talking about how they protect the privacy of their users. It may have only been a half-day, but the quality of content made it a fitting way to end a thought provoking conference. Look forward to what the next one has to bring.

Tags: Breach Remediation, Burton Catalyst Conference, Catalyst09, Identity Governance, Ladder Framework for Privacy, Privacy, Privacy Audits, Virtual Directory

Day 1: A focus on IdM evolution

I don’t know if this was par for the whole conference, but at least in the IdPS track, each half day was devoted to a particular theme. The first half of day 1 was a landscape update as usual, and focused on some of the interesting developments in the space, like Oracle’s pending acquisition of Sun (that’s all I’m going to say on that topic), the integration of DLP (data leakage prevention) with IdM programs, and the emergence of some commercial Identity Oracles.

I especially liked Bob Blakley’s discussion on Identity Services, since it resonated with a lot of what I have been talking about on this blog and the work I have been doing at Oracle. In his talk on the subject, Bob pointed out that cloud-based identity services will challenge the fundamental architectural notions of IdM infrastructure. The large blocks of IdM functionality that we are used to – access management, provisioning etc – will get broken down into smaller, modular pieces – like identity proofing, enrollment, identity risk assessment, breach remediation – that can interplay within enterprise environments as required. This is pushing the market towards smaller, specialist vendors that handle specific services rather than the large IdP that is a one stop shop for all identity needs. And these services have to work in concert with each other to provide the enterprise the value they are looking for. The vendors that have emerged in this space are delivering their services via various deployment models – ranging from on-premise SaaS to cloud-based services – but mostly stick with the per-user/per-transaction billing model. And all of them are going to get a big push when some of the cloud security issues currently holding enterprises back get resolved.

The second half of the day focused on a big part of IdM’s evolution – the mainstreaming of role management and the ascending discussion on the nature of Entitlement Management. Role Management is now widely accepted as an important part of any comprehensive identity management practice, and Kevin Kampman’s talk on the subject highlighted the importance of positioning it as a business problem instead of a technical problem. In discussing the results of a survey Burton conducted with customers that did role management projects, Kevin laid out the premise that the tools are actually secondary when it comes to implementing role management. First and foremost is the need for customers to understand the business processes that impact the design and use of roles, and document the same so that a practice could be built around them.

And as role management has taken hold in the conscious of IdM practitioners everywhere, entitlement management is rearing its head as a disruptive topic. In what was a theme for the conference, Burton laid out a terminology issue that exists around the term “entitlement management”, which is often used to describe tools that deal with runtime evaluation of fine-grained authorization decisions (like what Oracle Entitlement Server does), and neglects the lifecycle management practice around entitlements and their assignments. As customers dig deeper into their role management projects, they are finding that what they really want to do is entitlement management. And the tools to help with the lifecycle side of this equation are just not there.

The day finished at the hospitality suites, where a lot of the evolution being discussed here was on display. There was also a very successful interoperability event demonstrating SSO for cloud-based applications, a first step towards management of the extended cloud-based enterprise by enterprise IdM deployments. All in all, day 1 was quite satisfying. But the best was yet to come.

Tags: Burton Catalyst Conference, Catalyst09, Entitlement Management, Identity Services, Role Management

The SIG Meetings

For me, the conference was divided into two parts. Monday and Tuesday I attended a few SIG meetings on topics that were varied yet highly interconnected. Monday was a meeting of the Concordia Workshop, which is now a discussion group under the new Kantara Initiative. The focus of the meeting was Use Cases driving Identity in Enterprise 2.0: The Consumerization of IT. The ever intrepid Eve Maler has posted materials from the day to the Concordia site, so you can check them out yourself. While the individual discussions covered all manner of areas, the connecting thread throughout was Authorization. There was a morning discussion where a panel talked about the progress made in the authorization space, from the XACML API contributed to the TC by Oracle and Cisco, to the emergence of AuthZ as the critical service in the identity services reference architecture being developed in the Burton Group ISWG (which I have been participating in and writing about). Mike Gotta and Alice Wang gave an excellent talk on the emerging concerns regarding social tools in the enterprise, and a lot of those concerns again boil down to authorization issues, in this case regarding data and information. Eve talked about her work on the ProtectServe protocol that enables authorized data sharing from a user perspective. And the day finished with a talk on Levels of Assurance, a critical piece in allowing for partners to make informed authorization decisions.

Tuesday started with a meeting on Cloud Computing Security and Identity Management. As readers of my blog/twitter know, I have been saying for a while that cloud computing is going to have a major impact on the identity management business, in much the same way that compliance concerns did a few years ago. It is probably a sign of the immaturity of the market that the discussion was focused on describing the challenges to be solved rather than any solutions.

The meeting included a deep dive presentation by Liam Lynch, Ebay’s Chief Security Strategist, on how the auction giant tackles their internal cloud computing needs. There were a few points made during his presentation that I found interesting:

• eBay is into cloud computing as a provider, not a consumer, since they allow 3rd party developers to create their own auction sites on eBay infrastructure using a development kit called eBox
• As such, eBay feels that security considerations have to be made inherent in cloud architecture as they cannot rely on these 3rd party developers to not make mistakes
• eBay uses contextual behavior and reputation, including biometric analysis, as the underpinnings of its identity management strategy. Reputation and behavior analysis generate (over time) dynamic identity claims that then get used in access control decisions
• eBay found RBAC to be a bad match for their performance requirements, and shifted to a claims-based model for authorization. In this model, claims are attached to the data object being accessed itself (sort of a next-generation ACL). The access then compares the claims the actor has at runtime with these to make an authorization decision.
• Liam made the point that managing access through roles was a bad model for them, which is why they went claims-based. I understand the performance concerns that arise when evaluating RBAC at runtime, but for managing the grants of access, nothing beats a role-based model. So I was a little surprised by his statement. When I dug deeper, it turned out that they simply replaced RBAC with Organization-based AC, and not because of performance reasons but because of compliance reasons since the org change has approval attached while the role change did not. So it wasn’t really an issue with RBAC, just the implementation they had in-house.
• Liam pointed out that a move to the cloud can be an opportunity to fix broken internal processes, since the cloud will amplify any issues you may have

The meeting also had Nils Puhlmann, co-founder of the Cloud Security Alliance, speaking to the participants on the need to come up with a practical security checklist that all Cloud Service Providers could be measured against, so that enterprise customers can make accurate assessments of the risk with using a particular CSP. He called for greater vendor involvement and focus on the cloud, since the cost dynamics of the cloud make adoption inevitable. And that CSPs need to be more transparent about their security controls and policies.

Later that afternoon I attended the next meeting of the Identity Services Working Group that I’ve been participating in. There were a lot of new folks in the audience, so it was a good opportunity to recruit new blood into the effort. As Kevin Kampman presented the work that had been done previously on the Authentication service and laid out the effort lying ahead on the Authorization service, we got into highly spirited, and productive, discussions on the nature of the services architecture. One of the points made repeatedly (and which was echoed later in the week during the sessions) was the terminology issue that plagues the identity community, in this case around words like Policy (vs. policy). There was a strong sentiment from the group that policy management needs to be made part of the overall framework for it to work properly. And there was also a strong push from the group to try and condense the best of the prior efforts at defining AuthZ services into our vision.

While on the surface all of these SIGs were on different topics, I found them to be highly intertwined. Identity concerns in cloud computing are tied in directly to the need for an identity services architecture that allows cloud services to leverage enterprise identity (and therefore security) apparatus, thus reducing risk for the enterprise and providing compliance with both internal and regulatory controls. And Enteprise 2.0 is mostly about the intrusion of  cloud-based services like social media into the enterprise environment (or the extrusion of the enterprise into commercialized IT services, depending on how you want to look at it), where concerns about consistency of identity and controls are foremost in the minds of CIOs and CISOs everywhere. So while the discussion is still somewhat fragmented (as it probably should be at this time), I look forward to all of this coming together nicely in the future (maybe even at a future Catalyst conference).

I think I need to do a better job breaking these posts into smaller, more readable chunks. My next post(s) will focus on the sessions themselves.

Tags: Authorization, Burton Catalyst Conference, Catalyst09, Cloud Computing, eBay, Identity Services, Kantara Initiative, Oracle_IDM, Project Concordia