Burton Group Identity Blog

This Thing is OFF (in a good way). BONUS: Catalyst SPML SIG

2010-05-11T14:00:41-05:00

blogger: Bob Blakley

Pam recently asked "is this thing on?" We have indeed been pretty quiet; the combination of preparing for two Catalyst conferences, migrating from Burton's IT infrastructure to Gartner's, doing three months' work in a two-month quarter (we've realigned our content quarters with Gartner's schedule), and searching for a replacement for our fearless former leader Gerry Gebel have kept us pretty busy.

But that's all behind us now, and I'm happy to be able to report that, as of today, the answer to Pam's question is "NO, this thing is NOT on. THAT OTHER THING is on."

We've just finished the process of integration into the Gartner IT systems, and as part of that we're moving, effective immediately, to the Gartner Blog Network.

Each IdPS analyst will now be publishing on his or her own page rather than as an aggregated service blog. You can find me here (posts coming shortly!) and the rest of us will be up & running very soon.

I've already sent Pat a request to add us to Planet Identity, so all you feed freaks can get your fix in the usual place. The rest of you should update your blogrolls and bookmarks.

We'll leave you with an invitation and a parting gift. Here's the invitation: if you want to know what we've been doing in our quiet time, join us at Catalyst Europe and Catalyst North America. We've got a lot of exciting material to talk about. (If you've heard from a shadowy source that Catalyst Europe was cancelled, you know who's worried about competing with us :-)

Here's the gift: a parting entry from Mark Diodati.

blogger: Mark Diodati

Service Provisioning Markup Language (SPML) Special Interest Group at Catalyst

As you may recall, Burton Group has been closely tracking the SPML v2 standard and its adoption by the industry and the enterprise prior to its approval in early 2006. We have called the standard’s viability into question via our recent blog entries (SPML Is On Life Support and SPML: Life Support Redux) and our research document OASIS or Mirage: Standards-Based Provisioning (client subscription required). Since our “Life Support” blog entry, other folks in the industry have contributed to the discussion about SPML’s future, including Jeff Bohren (Whither SPML or wither SPML? and SPML 3.0 in 3D!!!), John Fontana (SPML 3.0. Coming next week to a TC near you?), Anil John (Standards Based Provisioning and SPML and SPML Use Cases and Profiling Choices), Nishant Kaushik (SPML Under The Spotlight Again?), and Jackson Shaw (SPML – Not dead yet!). We are very pleased to have Anil and Nishant speaking at our Catalyst NA conference in San Diego this summer as part of our New Identity Architecture track.

In the spirit of our conference name (and the fact that the conference is the most important identity conference on the planet, where the identerati converge for a week), we will be hosting an SPML special interest group (SIG) on July 27 (Tuesday) for a few hours in the early afternoon. Anil, Nishant, Patrick Harding (Ping Identity), Nick Nikols (Novell) and other additional industry luminaries will be participating. I will be hosting the SIG. We want to conclude the meeting with the answers to at least several questions:

What is wrong with SPML v2 today?
What should the next version or profile of SPML look like?
If deficiencies are corrected, will people use the next version of SPML?

We’re looking for a few more people to participate in the SIG, especially from the enterprise. Are you interested? If so, please send me a few sentences about your background, your experience with provisioning services, and why you would like to participate.

Catalyst Europe is Coming Up Fast!

2010-03-05T10:07:53-06:00

Blogger: Bob Blakley

We hit the stage for Catalyst Europe on April 19. If you haven't already made your plans to join us in Prague, we've got a little treat for you at the end of this post.

We're going to focus this year on the emerging identity architecture. If you're looking, you can see this identity architecture around you already, in offerings from mainstream identity vendors like Microsoft and Oracle, but also in offerings from smaller firms like Gluu, Unbound ID, Radiant Logic, and others.

The elevator-pitch version of the story is this: licensed provisioning software packages compete in a market for identity management systems. User-centric identity providers compete in a market for identity providers. What enterprises need is neither a market for identity management systems nor a market for identity providers - what they need is a market for identities.

Federation technology, directory virtualization, and contextual access control can be combined to create a technical architecture on top of which this market for identities can emerge. The market for identities has many advantages, but getting there will take time and it will take work. We'll lay out the roadmap in Prague.

If (like me) you're a last-minute kinda person and you haven't registered yet, here's your reward for waiting: use the promo code "INSIDER" during registration, and you'll get your ticket for the discounted price of only 995 Euro.

SPML: Life Support Redux

2010-02-22T17:01:24-06:00

Blogger: Mark Diodati

Two weeks ago, Burton Group published a blog post on the viability of using SPML to build viable, interoperable provisioning services. Many thanks to those who have contributed to the discussion. In particular, Jeff Bohren, Anil John, Nishant Kaushik, and Jackson Shaw shared some sound insights about SPML. I have great respect for these gentlemen. If you are interested in the topic, I recommend that you read their blog posts. I’d like to comment on several topics from these blog posts. First, a thought from Nishant:

“Is SPML on life support? Not quite, judging from all the RFP requests that still ask for it to be supported.”

The assertion—that customers are asking for SPML in their RFPs—is true. The conclusion—that SPML is not on life support—is incorrect. Our position is based upon speaking to many organizations with deployed provisioning systems, as well as organizations that are considering the purchase of a provisioning product. For many customers, standards support is a “checklist” item. For other customers, leveraging SPML to build provisioning services is a long-term goal. Provisioning RFPs which specify SPML support is expected. But very few organizations have created provisioning services based upon SPML. The request for SPML support is based upon a key assumption—

SPML can be used to build viable provisioning services with interoperability among the components. As we discussed in our blog post, that just ain’t so.

A second thought from Nishant’s blog post:

“I believe Oracle (led by folks like Prateek Mishra) will be looking to take some leadership in the evolution of the standard. Let’s see if we can turn things around.”

This is good news. For SPML to become viable, it will require a benefactor to lead the process of improving the standard. It will also require that the vendor community work together. Oracle’s position in the identity management market means that it has the muscle to lead this effort, if it sincerely commits to it.

From Jackson Shaw’s blog:

“My experience so far with SPML has been good. Quest Software supports SPML V2 in our ActiveRoles Server product. We have a number of customers who have used Sun’s Identity Manager to provision and manage Active Directory, Exchange and SharePoint by via ARS and its SPML provider. When SPML works it really works and the benefit is quite clear to the customer.”

Quest is to be applauded for building one of the few commercial SPML provisioning service points. Last month, we spoke to a leader of the Quest Active Roles Server development team. The conversation focused specifically on interoperability between ARS and the different provisioning products via SPML. To accommodate the different vendor implementations, Quest must customize the ARS SPML interface for each provisioning product. The customization includes using different operations supported by each provisioning vendor. A future reference implementation for SPML v2 (that is, Core operations and optional Capabilities) would help facilitate interoperability between provisioning components.

The recent show of vendor interest in SPML v2 is a great sign. Let's hope it leads to real work to improve the standard in the coming months.

SPML Is On Life Support ….

2010-02-01T12:38:28-06:00

Blogger: Mark Diodati

But it (or something like it) is desperately needed.

At Burton Group, we closely watch emerging identity standards. In particular, we pay close attention to the development and adoption of the Service Provisioning Markup Language. We have hosted two interoperability events at our Catalyst conference. We issued our first research document on SPML in early 2006—coincident with the release of the SPML v2 standard. The publishing of our second document is imminent, and it is based upon some “hands-on” work with the standard, as well as ongoing discussions with vendors, end-user organizations, and OASIS Provisioning Service Technical Committee members (past and present).

The primary goal of SPML is provisioning without the use of proprietary connectors. The reality is that SPML is not currently viable for building useful, standards-based provisioning services because it is too complex and places too much of a performance burden on the connector. For example, the SPML Search capability is required for most viable provisioning services, and its support is infeasible due to complexity and performance concerns. I’ll talk more about these issues (including the Search capability) in my next blog.

The SPML standard—like all emerging standards—requires more work. More work is required to harmonize SPML with SAML. An optional “inetorgperson-like” user schema is required to promote greater SPML adoption (the OASIS Provisioning Services Technical Committee tried to create a standard user schema when developing SPML v2, but the members could not agree on one). A simpler “real world” search capability is needed, with a limitation on the number of attributes and filter expressions. The latter two requirements should be combined into a future “SPML Simple” profile.

Unfortunately, there appears to be little industry support for SPML enhancements. A vicious cycle exists. Few people are using the standard, so there’s less momentum to enhance it. The IdM vendors’ participation in the OASIS Provisioning Services Technical Committee has been minimal at best since the 2006 approval of the SPML v2 standard. The last meeting of the Committee was in early 2008. None of the major provisioning vendors have developed an SPML v2-conformant product. Many of the vendors who have created commercial SPML connectors tell us that they must create specific SPML implementations for each of the major provisioning products. An SPML reference implementation does not exist, but would surely help.

What is the future of standards-based provisioning?

SPML may prevail if the industry simplifies the standard and supports it in commercial products. It may be too late to pull it out of the fire, though. Another alternative is a “pull” model—LDAP-based directory services supported by virtual directories. For example, both salesforce.com and Google provide a pull capability via LDAP. The applications query existing enterprise directories for authentication and identity information. Many organizations express concern about exposing a directory (especially Active Directory) to cloud-based applications. Burton group believes that virtual directories can mitigate these concerns. It is worth noting that neither vendor supports SPML. Both salesforce.com and Google expose a relatively simple (compared to SPML) SOAP interface for provisioning. Another path to standards-based provisioning may be SAML.

My colleague Bob Blakely will be speaking more about standards-based provisioning in the IdPS Telebriefing “The Future of Identity Management is Pull”.

Identity Services: Tackling Authorization

2010-02-01T09:28:30-06:00

Blogger: Kevin Kampman

At the end of 2009, the Identity Services Work Group (ISWG) found a formal home at the Kantara Initiative. Encouraged by its prior work products, and the interest and participation at Burton Group’s Birds of a Feather session at Catalyst San Diego earlier in the year, the group revised its charter and the group was approved by Kantara’s leadership committee.

The group anticipates that the Kantara Initiative will increase opportunities for participation and distribution of its results. Observers or participants do not have to be Kantara Initiative members, and there is no investment requirement to become involved, although participants must sign a Group Participation Agreement (GPA). Brett McDowell, Kantara Initiative Executive Director, indicates that the results of the effort will be “freely re-usable and will be advanced by an open, inclusive and democratic process.”

At this point, the Identity and Access Services (IAS) group has issued a call for leadership and participation. The first order of business is to continue building out the use cases for authorization. If you are interested in participating, contact Gavin Illingworth at gavin.illingworth@bmo.com or register at http://signup.kantarainitiative.org/.

Oracle and Sun Clear a Big Hurdle

2010-01-23T14:53:49-06:00

Blogger: Lori Rowland

Thursday the European Commission gave Oracle its unconditional approval to take over Sun Microsystems. Oracle still awaits approval from other jurisdictions including Russia and China, but given the EU’s ruling it is likely that these approvals will be expedited. It is fair to say that the EU’s approval was the last major hurdle for Oracle to overcome before the acquisition can move forward. The EU’s prolonged approval process had cast a cloud of doubt over the acquisition, leaving Sun’s IdM customers anxious over the fate of their IdM solution. Today’s announcement is particularly good news for those customers.

The IdM community has been closely watching the developments of this acquisition. Whereas many of Sun’s products have no direct equivalents in the Oracle portfolio, there is significant overlap between the companies’ IdM products. Since Oracle announced its plans to acquire Sun in April 2009, Burton Group has been inundated with inquires from both Oracle and Sun customers wondering how to move forward with purchases, deployments, upgrades, and product choices.

Oracle remains restricted in the amount of information it can share before the acquisition closes. The company has, however, put a plan in motion to communicate its roadmap and integration strategy over the coming months. On January 27, 2010, Oracle CEO Larry Ellison will host a webcast highlighting the combined Oracle and Sun strategy. Oracle and Sun customers can register for the webcast via this link:

http://www.oracle.com/go/?&Src=6806472&Act=22&pcode=WWMK09040443MPP007

Once the acquisition closes Oracle will be able to provide more specific information on its planned IdM roadmap. On January 27, we expect Oracle to lay out its combined IdM strategy and roadmap while discussing maintenance and support implications in line with Oracle’s track record in past acquisitions. Based on what we’ve seen with the BEA acquisition, Burton Group expects that representatives from Oracle will offer to meet with individual organizations to ensure that the transition is as smooth as possible. Burton Group encourages organizations that have a strong investment in Sun (or Oracle) IdM products to take advantage of such meetings to express their individual needs and concerns.

Although the European Commission’s approval does not mark the closure of the acquisition, it is significant progress. The pending acquisition has had a measurable impact on the IdM market. The most obvious being the uncertainty it has left for Sun customers. As the adage goes “it’s the not knowing that kills you.” As Burton Group has done in the past, we encourage Sun IdM customers to remain calm – do not rush to any drastic conclusions regarding the acquisition. One thing that Oracle has consistently communicated throughout its past acquisitions is its intention to provide customers with long-term support and maintenance. Burton Group urges customers to attend the January 27 webcast, continue to check the IdPS blog for updates, and schedule a dialogue with Burton Group analysts to discuss our perspective on a combined Oracle-Sun IdM strategy and the implications it may have in your environment. You may also visit the April, 2009 IdPS blog post where we laid out Burton Group’s perspective on the implications of the acquisition.

Catalyst Tickets: Get 'em While They're Hot

2010-01-06T17:13:34-06:00

Blogger: Bob Blakley

Somebody asked me this today:

Is it true that the Burton Group Catalyst conferences have been cancelled now that we've been acquired by Gartner?

Um, how shall I put this...

DON'T BE SILLY: THE CATALYST CONFERENCES ARE ABSOLUTELY HAPPENING!

Gartner bought Burton Group because they love our content, including our Catalyst content.

In fact, here in IdPS we're betting that Catalyst - both in Europe and in North America - is going to sell out early, because as a result of the acquisition we're going to have more customers.

And you're not going to want to miss the IdPS content at Catalyst this year. The team's been taking advantage of our (ahem) unexpected get-together this week to work on our presentations. What we're going to lay out for you at Catalyst is that 2010 marks the beginning of a revolution in the enterprise's identity architecture. We're going to tell you what we think is coming, and we're going to show you a roadmap to help you get from the identity infrastructure you have today to the one you'll need to have in the future.

Book your tickets now; we already have. See you in Prague, or in San Diego, or both.

CIO Wisdom: Taking Care of Business

2010-01-06T14:45:17-06:00

Blogger: Kevin Kampman

At the Dayton Technology First CIO Forecast on December 9th, there were a number of key insights set forth about what firms should expect in 2010. The Forecast was facilitated by Burton Group Executive Strategist Jack Santos; participants included Rob Whittington of WorkflowOne, Jim Bradley of Motoman, John Huelsman of Midmark, and Jon Russell of Kettering Health Network. While these executives’ companies are all based in the Dayton Ohio area, their perspectives correspond to those of other organizations that Burton Group interacts with:

Notably, initiatives such as “Cloud Computing” and “Business Alignment” weren’t mentioned by the panel. Next year’s focus is conservative: Delivering practical, tactical, measurable capabilities is on everyone’s agenda.

Generally, IT hiring will be cautious yet optimistic, in lockstep with the economy. Use of contingent and contract employment will often precede hiring in order to keep staff levels in line with business velocity. An exception will be in healthcare; Jon Russell indicated hiring will be aggressive to deploy capabilities like electronic patient record systems. Qualified NCR talent that doesn’t relocate to Georgia, for example, may be leveraged for these efforts.

Globalization is a continuing theme for these companies, especially those in the manufacturing and services sectors. Outsourcing and off-shoring will continue to grow where appropriate; local firms all participate in the global economy.

Each firm will focus on optimizing existing processes and resources, consolidating capabilities, and standardizing infrastructure. In Motoman’s situation, Jim Bradley indicated that this may involve the adoption of his parent company’s ERP solution. Rob Whittington pointed out that over time, IT has developed lots of good ideas; the challenge now is to pull these together into a few solid solutions. For example, enhancing business activities such as sales and customer service using collaboration technologies was identified, as well as improving decision support and business intelligence by analyzing existing data.

Paying attention to overall governance so that business and IT priorities and activities are jointly recognized and satisfied was acknowledged by the panel. John Huelsman pointed out the value of governance processes, but recognized that these are evolving.

To conclude the discussion, the panelists provided the audience with actionable advice for the coming year:

Success depends on effective analysis and project management, in particular business analysis capabilities.

Demonstrating business partnership and value are critical: IT must be seen as an “indispensible business partner.”

To do this, it is important to learn and understand what the business is about, to recognize the “power of teams”, and pay constant attention to working together.

Gartner acquires Burton Group

2010-01-05T08:54:52-06:00

Blogger: Gerry Gebel

Under normal circumstances, we are making comments on vendor merger and acquisition activity in his blog. Today, tables are turned as Gartner announced the acquisition of Burton Group this morning. Needless to say, it’s an exciting and tumultuous time for us as we become a part of the largest research and advisory firm in the industry.

Many details of the integration plan will be worked out over the next few months, but essentially the Burton Group research product that many are familiar with and rely on remains intact within the larger Gartner organization. For many years we have been saying that Burton’s research is complementary to Gartner’s offerings – obviously Gartner came to the same conclusion!

Here is a link to a note from Gartner CEO Gene Hall and you can expect more information in the near future. In the meantime, feel free to contact us with questions or comments

Catalyst Europe call for papers extended

2009-12-23T17:52:08-06:00

Blogger: Gerry Gebel

Here's a reprieve for all of you busy with Christmas shopping and holiday preparations: the Catalyst Europe call for papers has been extended until January 4th. Please consider sharing your identity management experiences with your peers in Prague this coming April! All the information you need can be found at the Catalyst web site.