This post is the second in a series of eleven articles I am writing about trends in the Identity Management industry. 

After all is said and done, Authentication continues to be right at the heart of Identity Management.  Determining whether the correct set of Identity credentials is presented, so a person or process can be granted access to the correct system, application or data, is critical to the integrity of the online experience.   Authentication is like the gatekeeper or enforcer who determines who gets in the door. 

1. Demand for strong authentication is accelerating as the sophistication and sheer numbers of people who would defraud or damage online systems continue to grow.  More effort is being focused on just how to economically, but securely, implement strong authentication methods to protect confidential information.
2. As the need for strong authentication grows, there has been considerable conversation about whether the pervasive use of passwords is headed for extinction.  Is the password really on its deathbed? In a Network World column posted earlier this year, Dave Kearns equated passwords to buggy whips.  In my response entitled Passwords and Buggy Whips, I challenged “Replace username/password with what?"  Until we get wide acceptance of alternate methods, it is unlikely that passwords will join buggy whips in the dustbin of history.
3. In a subsequent post entitled, Seat Belts and Passwords … and Buggy Whips, I proposed that “until ease of use makes passwords irrelevant, people will continue to use buggy whips or drive without seat belts.”  The key issue dogging the industry is how to provide identity credentials that are so easy to use that the technical unsavvy majority can easily use them while providing a level of security commensurate with the rising tide of online threats.

Recommendations:

1. Assess what level of security is needed for different areas of your enterprise.  In some cases, authentication must protect high value information.  In other cases, less strong authentication may be appropriate.
2. Seek to understand what your users need.  What methods are both secure and easy to use for them?
3. Is the cost of strong authentication commensurate with the risk of data loss or compromised system access?
4. What is the best combination of authentication methods to serve my user community and protect my business interests?

Many years ago, while involved in a large physical security project, we joked that you need to invest enough in your security system so it is cheaper to bribe the guard than to breach the electronic system.  The same principle may be true with Identity Authentication.

As I slept last night, my Twitter follower count edged above 1,000. In light of the fact that President Obama has 2,278,978  followers and even John McCain has 1,446,896, all this proves is that I am firmly entrenched way out on the long tail of the Twitter economy.

A provocative line in a song I have known since childhood declares, “Time flies on wings of lightning. We cannot call it back … ”

Based on an embarrassing social networking experience I had yesterday, I think we could safely paraphrase: “Words fly on wings of lightning. We cannot call them back!”

It all started when I noticed a comment from a prolific tweeter from London:

if you are retweeting something from google in order to get a wave invite then you are a <deleted>. and so are they. that is all.

Since I had just done that abominable thing, I quickly looked up <deleted> in the dictionary and posted this tweet:

Just learned a new word:  <deleted> = contemptible person; jerk.  Based on Twitter commentary, I must be one. 🙂

When that tweet reached Facebook, it triggered a small avalanche of comments.  It was great to see a friend speak up and say:

you are definitely not a <deleted>.

It was also nice to hear from a young man who used to live next door, but whom I haven’t seen in many years:

…my brother calls me a <deleted> all the time. I’m glad to get a definition on that…..sort of.

But I started to wonder what I had done when an acquaintance suggested:

Tip: Don’t have this conversation with anybody from the UK…. 🙂 … It has a very specific meaning across the Atlantic, one that is best left unexplained on a public forum 🙂

What had I done?  I quickly dug a bit deeper into the meaning of <deleted>, only to find he was exactly right.  I shouldn’t be using such language in a global forum.

Well, words had flown on wings of lightning.  I even tried to call them back via Twitter:

Actually, when I looked into it, it is definitely British slang that is not used in polite company.  Oops!

And later:

Lesson learned today: Be very, very wary of repeating slang used by a tweeter from another country.  Could be very embarrassing.

It was heartening to hear from some friends who obviously had a chuckle, but questioned my motives at first:

Whew! I frankly was a bit surprised to see the Mark Dixon I know using that term. We all learn something new every day!

Yeah Mark, I was gonna jump in and say something, but then I realized i have no business correcting anyone’s language.

LOL, I was wondering when you’d figure that word out. 😉

Well, I have been painfully reminded again that we must be very careful about what we sling out into cyberspace.  Words do indeed fly on wings of lightning!

This post is the first in a series of eleven posts I am writing about trends of key importance to the Identity Management industry.

As the following series of photos shows my son Eric progressing from infancy to young adulthood, the Identity Management market has matured, but still has a bright future ahead.

The Identity Management industry has been building for about a decade.  The market is definitely maturing out of adolescence into young adulthood.  Key characteristics of this maturing market include:

1. Much focus is being given to best practices of how to maximize enterprises’ investment in these systems.  Rather than focusing on green field Identity implementations, enterprises are concentrating on system refinement, expansion or replacement.
2. While the industry quite universally agrees that “quick wins” are essential first steps to implementing Identity Management systems, significant additional value can accrue as enterprises expand the reach and scope of their Identity infrastructure.
3. The importance of Identity governance is becoming entrenched in enterprise culture, as holistic initiatives to address the broad areas of governance, risk and compliance recognize the critical importance of Identity Management in these processes.
4. Experience has shown that Identity Management is a journey, not a destination.  Enterprises are recognizing that they must approach Identity Management as a long-term program, not a single project.
5. The industry continues to consolidate, as we at Sun are well aware.  While there are still several emerging niche companies, larger vendors offer complete suites of Identity Management products.
6. The major business drivers for investing in Identity Management systems still continue to be regulatory compliance, operational efficiency/cost and information security.  However, more focus is being placed on Identity as a key enabler of customer satisfaction through context-aware personalization.
7. Identity Management is also moving down market, particularly as vendors and systems integrators are addressing the issues of rapid deployment and reduced pricing for smaller businesses.

Recommendations:

In light of this maturing industry, I recommend that enterprises concentrate primarily on the business value Identity Management can deliver.  Questions such as these are appropriate:

1. Where am I on the journey to implement Identity Management in my enterprise?
2. Where has Identity Management already delivered value to my business?
3. Where else can Identity Management deliver value?
4. How can Identity Management enable Privacy and Security?
5. How can Identity Management enable compliance?
6. How can Identity Management increase efficiency and reduce cost?
7. How can Identity Management enable a better user experience to my customers?

This morning, I listened to an excellent webinar entitled “Pinning Down Cloud Computing,” hosted by Yankee Group Research.  Yankee Group Vice President Camille Mender and Senior Analyst Agatha Poon explored the popular topic of cloud computing, focusing much on the business details enterprises must pay attention to if they are to successfully harness the promises of cloud computing – important things like uptime/availability, maintenance, penalties for non-performance,  limitations of liability and privacy / data protection, to name a few.

I liked the following diagram used to discuss the different levels or tiers of a cloud “stack” architecture.  The “Security and Compliance” bar to the left is a good way to illustrate the importance of information security and related compliance activities at each tier of the stack.  Of course, Identity Management is a critical underpinning of that security and compliance functionality.

(Diagram Copyright © 2009 Yankee Group Research, Inc. All rights reserved.  Used with permission.)

It was pointed out that the top three barriers to cloud computing uptake are:

• Security (39%)
• Reliability (35%)
• IT governance (33%)

The cloud computing market is still maturing.  So far, only a small percentage of enterprises are shifting a large part of their IT budgets to the cloud.  Recognizing the essential role Identity Management plays in security and governance is critical to accelerating that movement.

Congratulations to the Sun team for today’s release of Sun Java Communications Suite 7.  Did you know that there are over 150 million seats of the Sun Java Communications suite in production?  Telcos and other service providers all over the world use this suite for high scalability and performance in a service provider environment.

I particularly like the “Convergence” web client that provides a state-of-the-art AJAX Web 2.0 client experience for users.   It’s great to see the innovation rising out of this great group of Sun people.

I was honored today to have the wise sage of Identity, Dave Kearns, refer to me a “fellow grandfather” and borrow content from my DIDW post (with my permission, of course) in his article about Digital ID World.  It’s always great to share thoughts with Dave.

My Sun Microsystems colleague Dave Edstrom asked me recently to prepare a webinar entitled “Identity Management in 2010: Trends and Predictions” and present it on the weekly “Software Technical Roundtable” he co-hosts for Sun Microsystems employees and partners.  Preparing for this specific event gave me just the right impetus to crystalize my thoughts on this subject, so I thank Dave for giving me the challenge.  I prepared the presentation deck (in OpenOffice, of course) earlier this week and presented the webinar to about 90 people this morning via Webex/teleconference.

I can’t share everything I discussed with our restricted audience this morning, but in this blog post, I’ll briefly describe eleven major trends that I see in the industry.  This is a precursor to more detailed posts I’ll author on each trend over the next several days.

First, a few caveats:

1. Predictions rarely happen as quickly as we would like.  For example, in 2007 I gave an Identity Trends presentation at the JavaOne conference.  While some of my predictions evolved as expected, several trends have taken longer to develop.  I suppose it will be the same with the trends I describe in this post.
2. This presentation focuses more on business issues than technology.  I did not attempt to address the trends in specific protocols or products, but chose to focus on the impact of these trends on business.
3. This list of trends reflects my own opinions, which are not necessarily reflective of Sun Microsystems official positions or product road maps.
4. This presentation does not represent Oracle in any way.  I have not discussed this list of trends with any Oracle people, nor could I comment on those conversations if I had.

With those caveats, here is my list of the top eleven Identity Management trends for the year ahead.  I really tried to make a nice round list of ten, but I felt it made more sense to separate Authentication and Authorization into separate subjects.

1. Market Maturity.  The Identity Management market is maturing.  Much focus is being given to best practices of how to maximize enterprises’ investment in these systems.  Rather than focusing on green field Identity implementations,  enterprises are concentrating on system expansion or replacement.  The industry continues to consolidate, as we at Sun are well aware.
2. Authentication. Demand for strong authentication is growing as enterprises and government agencies seek to deter cybercrime. While some have predicted “death of the password”, the widespread use of UserID/Password as the predominate method for authentication will most likely not go away until we see wide adoption of alternate authentication methods that are both secure and easy to use.
3. Authorization.  Fine grained authorization is increasingly desirable but difficult to implement.  Policy management standards (e.g. XACML) are also desirable, but not in broad production.  Complexity in adapting applications to take advantage of standard authorization methods will continue to delay adoption.
4. Identity Assurance.  Answering the question “are you really whom you claim to be?” prior the issuance of Identity credentials continues to be a thorny problem, but is increasingly important in the ongoing battle against fraud. The Liberty Alliance Identity Assurance Framework provides a valuable industry model that defines four levels of assurance, based on confidence in the validity asserted identities and the potential impact of errors.
5. Roles and Attributes.  There is a growing acceptance of role based access control in production systems.  Governance of the role definition and maintenance process, linked to governance of the Identity Provisioning governance process, is essential.  Enterprises are discovering that the use of roles is potentially broader than RBAC, including use of data analytics to evaluate the effectiveness of organizations.  The use of attribute-based authentication is being hailed in some markets, particularly the public sector, as an alternative to RBAC.  However, a blended approach may be the best solution.
6. Identity Federation.  In some ways, Identity Federation is a given.  SAML is broadly used a standard protocol and successful business models have been implemented.  However, broader adoption is often difficult because business challenges are larger than technology challenges.  Burning questions swirl around the challenges of using federation in cloud computing.
7. Regulation.  Government regulations (e.g. SOX, HIPAA/HITECH), which primarily address governance, security and privacy issues, will continue to expand, both on national and state/province levels.  For example, the HITECH Act which became law earlier this year expanded HIPAA security and privacy regulations to address business partners, and added security breach notification to the national statute.  At the same time, industry-driven regulations such as PCI DSS also impose stringent requirements on online merchants.  In all these areas, Identity is a critical enabler for compliance.
8. Personalization and Context.  Personalization can enhance the value of online user experience.  Both identity and context are essential for personalization.  Concepts such as “persona selection” and the “purpose-driven web” focus on enriching user experience by blending identity and context.
9. Identity Analytics.  Advanced data analytics will bring value to many identity-based activities such as Authentication (historical “fingerprints” based on your patterns of accessing online resources), Context/Purpose (predicting preferences from your historical activity) and Auditing (who really did what when?).
10. Internet Identity.  Identity systems for the Internet must efficiently accommodate billions of individual Identities.  User-centric or user-managed Identity technologies such as Infocard/Cardspace and OpenID are trying to address the inherent tension between security and ease-of-use requirements.  Commercial Identity providers are emerging, including the likes of Facebook, Google, Yahoo, PayPal, Equifax and others, both in public and private sectors.
11. Identity in the Cloud.  Identity as a Service (IDaaS) is a critical foundation for Cloud Computing.  A number of IDaaS companies are emerging to address this specific need.  One of the main barriers to effectively implementing Identity in the cloud is the increased complexity of having to establish effective trust relationships between enterprises and service providers, while protecting the security and privacy requirements imposed by customers and regulations.

So, there is my list of eleven major trends.  Your list or focus on specific topics might different.   Please let me know what you think.  Please also stay tuned to my discussion of these eleven trends in future blog posts.

I missed the final sessions of Digital ID World on Wednesday because of commitments in California.  Judging from the Twitter traffic, it sounded like some great stuff was discussed.

As a follow-up to my posts for Day 1 and Day 2, here my top ten final thoughts about the conference (without the benefit of Day 3):

1. Most Stimulating Information. Jeff Jonas’ discussion about using data analytics to discover space-time-travel characteristics of individuals was both challenging and disturbing.
2. Newest Identity Concept. Phil Windley’s proposal to enable contextualized, purpose-based user experiences using the web browser as a point of integration triggers lots of new thoughts about extracting value from the Internet.
3. Most Reinforced Notion. The Identity Management market is maturing.  Companies are seeking to learn best practices for getting the most out of their investments.
4. Biggest Question in my Mind. How much validity should we place in Symplified’s claim that “Federation is Dead.  Long Live the Federation Fabric?”
5. Most Enjoyable Networking Moments.  Meeting folks in person I have only met virtually beforehand.  In person wins every time.
6. Most-asked Question.  Nearly everyone whom I spoke with asked me something about the Oracle acquisition of Sun.  That happened to be the easiest question for me to answer: “Until the deal closes, we are independent companies.  We must wait until then for details.”
7. Best Trade Show Giveaway. An LED flashlight from Novell.  Incandescent bulb flashlights seem to be quickly joining buggy whips in the dustbins of history (except for special cases).
8. Biggest Pet Peeve.  No power strips or WIFI were provided for attendees.  This severely limited note taking and real-time blogging.
9. Most Entertaining Event.  No, not the parties.  It was the Chinese guy who drove my taxi to the airport.  He chattered non-stop for the whole trip about technology, Maryland, California, Utah, Idaho, Micron, Sun Microsystems, Oracle, potato chips, microchips, stock trading, traffic and dishonest taxi drivers.  What a hoot!
10. Biggest Disappointment. The show seems to get smaller each year – both in the number of attendees and participating vendors.  Will it survive?

That’s my list.  What do you think?

Admit it. We’ve all been here …