Sunday, January 15, 2006

2006 Prediction - Recap

It seems the 2006 prediction season is over, so I thought I would try to capture the various predictions in the Identity Management space that I came across.
  • (Nick at WickID) Host/Mutual authentication will be critical. There will be an attack against banks using non-cryptographic based host authentication (i.e., pictures, cookies). - I am assuming that means machine authentication besides user authentication, something similar to that from Passmark and Trusted Network Technology. This makes sense, and I will really be looking forward to the various non-intrusive and intrusive technologies in this space.
  • Transaction authentication will become a hot topic later in the year due to session hijacking trojans. - I think people like Bruce Schneier have already been talking about this. An important aspect of transaction authentication is that it needs to be pervasive instead of being limited to the online experience. Besides that, the technology that would actually help achieve this should be varied, i.e. multifactor, multichannel.
  • Strong authentication systems that don't follow Kim Cameron's Laws of Identity will be seen as weak and catch flak for it.
  • 'Layered Authentication' where lack of a cookie or appropriate IP address triggers additional authentication will be shown to be a marketing neologism covering weaknesses. "Layered authentication" based on cryptographic mechanisms to secure session, host/mutual and transaction authentication will get alpha-geek backing, though it is unclear whether that will help adoption of such systems.
  • (Radovan) "Identity" becomes mega-buzzword - I thought it already was, with almost 15 implementations that I can count (with help from my friends) with various vendors in the US, and we are a really small company on the east coast.
  • Many "identity" mistakes happen, but it will take a while for them to be seen - Hmm.. this is a good conclusion that you can draw about anything that touches so many aspects of the enterprise, for example what ERP was for the manufacturing industry. With regards to WS-Trust and SAML, I completely agree.
  • More client-side identity implementations will be seen - I am not sure how the future will evolve, but the way I see it, people should not be keeping sensitive data (including their identity information) on their machines (since they are more vulnerable to attack). At the same time, I am sure vendors will find better ways (like low-cost smart cards, network or set-top box extensions or network devices) on the client side to do the job. But at the conceptual level, even though I agree that clients should have the right to manage their identity, the actual management of the identity (i.e. the implementation) may be left to professionals.
  • Spam, phishing and pharming will get even wilder - Nothing new here.
  • Strong authentication will get integrated with "identity" - I guess I do not understand the difference between authentication and "identity" the way Radovan sees it. I think that authentication cannot exist without identity being in place. So companies are getting the idea, in various forms, that they need to improve authentication, but I am not sure whether we will be seeing SecurIDs anytime soon. They are way too costly (initial and ongoing) and time consuming to roll out and manage through their lifecycle, unless they can be shared across the industry (which goes back to federated identity, trust, etc.) or taken over by the government through a standard digital identity system.
  • We will see attacks targeting legacy "trust" mechanisms - Well, I think people have succeeded in doing it, others have thought about it publicly, and vendors are providing the means which can possibly be exploited (as specified in the discussions) to make this prediction come true.
  • (Mark Dixon) 2006 will bring new methods for more easily implementing Identity Management solutions - Amen!! But I would really like to know what the vendors and consulting firms (I think this may be called IP by some consulting firms) are doing to achieve that. Shouldn't forums like the Liberty Alliance be used to develop integration patterns and process patterns? The vendors can then develop a feature guide to point out how the basic patterns can be implemented, and hopefully we can make this prediction a reality. Any other thoughts on how to achieve this!! I will really look forward to discussion on this topic in the "enterprise identity" blogosphere.
  • (Jackson Shaw) people will wake up and realize that identity management "is only the aspirin to the headache we have engineered for ourselves. What are we (end-users, companies, ISVs and platform vendors) doing to solve the root cause of that headache - interoperable authentication, authorization and identity protocols?" - I am relatively new to this whole world of enterprise computing (just 7 years) and so should be forgiven for talking out of you-know-what, but I am not sure what this means in a world where the mainframe is still the main workhorse in large businesses and the cost of replacing existing systems is astronomical and sometimes unthinkable from a business point of view. Meta-directories and connectors are the only way to integrate with a lot of these systems. So I think this headache is something we have to live with, unless somebody is creating a new company from scratch. And he will have a similar headache five years down the line. Did I misunderstand something?
  • (CA) 2006 will mark the beginning of a security market shift as various security elements which were once dealt with separately, such as threat and identity management, begin to 'talk to one another' for even tighter security controls - You can already see this happening with available products like Identity Engine, and enterprises are already consolidating their monitoring systems to track end-to-end identity flow. In addition to that, I have seen companies expecting web endpoint devices to support or integrate with SSO out of the box, besides other things like SSL endpoints, TCP connections, etc., and vendors like Cisco going deep into the application layer (and I am sure they are going to encounter identity there). So it seems like it is happening.
  • (Eric Norlin) The divide between user-centric and enterprise identity management is the No. 1 conversation in 2006. - Hmm.. user-centric identity, I will wait and watch (unless a big portal like Yahoo or Google exposes something for others to use), but Liberty jumping into it does make it interesting.

Wednesday, January 04, 2006

AuthX followup - Request

I am at the moment in talks with Vincent, who is part of the AuthX team that is working on developing an Authentication/Authorization framework/service as part of the Apache Directory initiative. Feel free to ping me if you would like to join the discussion on this topic. I sincerely feel that, as people who are looking at the various trends in the IAM industry, we should try to help them get the system right so that it can be leveraged across the various open source applications. Feel free to leave a note on how you would like to participate (email update, blog post, etc.).

Enterprise Identity - Discussion

After James kicked off the discussion on Enterprise Identity, there has been a lot of input ([cro], [Pat Patterson], [Johannes Ernst], [Radovan]) on the various subjects of Enterprise Identity.
I thought that I should also chime in, since some of the thoughts that James has expressed are similar to what I have expressed earlier on provisioning and repository consolidation, and I wanted to respond to some of the points raised.
So, let's take the points one at a time:
  • Workflow and MOM/ESB - The basic idea behind this is that most enterprises have a workflow system, and what they need is connectors to a few identity repositories. Well, I know of a similar implementation that I was part of, where we wanted to go all the way: a bunch of workflow engines and connectors in each geographical area, connected to each other using MOM (the existing ESB was built over MOM). Now the project failed due to a lot of project management issues (I know how it sounds), and the vendor was brought in to review the design. They told us that we were not using their product the way they intended it to be used, and we got a big rap for that. It was at that point that I realized that the existing provisioning products are like the ERP suites that tried to do everything by themselves, and we will have to wait for the next few versions for these vendors to realize that they need to do what they are good at, i.e. creating connectors, and allow workflow to integrate with their products. Another big issue that I have with the vendors is product design that has no concept of connectors for groupware, ESB and email systems, which are not exactly resources.
    Going back to Radovan's contention about where the workflow engine is, I agree that most of the existing Identity Management systems were mostly built on Lotus Notes-like document-based groupware, which cannot be called a great workflow engine. BUT the rise of Business Process Management (and existing ticketing systems to some extent) is a good choice for most request-based Identity Management workflows and provides a good architecture for integration with third party systems, including identity management systems.
  • Repository Consolidation - I may be preaching to the choir here, but just to reiterate: whenever a new application comes on board the centralized identity and access management infrastructure, it has a few options, based on what the team managing that infrastructure is ready to provide:
    • Use a consolidated Repository - This typically represents the enterprise LDAP, which can be leveraged by the applications for authentication and authorization purposes. An important aspect of this is how easy it will be for an application to come on board, i.e. will the repository management team provide adequate interfaces to allow the applications to leverage the consolidated repository to its maximum (i.e. easy user, group and user-to-group mapping management with both web-based and web-service-based interfaces).
    • Use a consolidated Authentication point - Most of the time, architects are not willing to give access to repository stores, or consolidation of repositories is not possible; authentication can then be made available in the form of Web SSO, a Security Token Service (SAML), etc., which can be leveraged to get the work done. Again, as before, unless appropriate and easy application on-boarding, off-boarding and BAU management processes are in place, applications will not want to integrate with such systems. Or, as one application architect told me, "it should be as easy as dropping a jar file and changing a few configurations" (which I guess is a utopia that all cross-cutting services want to be at).
    • Use a consolidated Administration point - This should be the last option, for applications that fulfill specific criteria like third party, legacy or high volume/performance applications (as pointed out by Radovan).
  • Microsoft - After looking at Windows Workflow Foundation, the first thing in my head was more around: web interface to Windows Workflow design + MIIS = Provisioning Product. I am sure a lot of Windows shops would really look forward to a similar product instead of going out and purchasing a product from other vendors.
  • Policy Directory (assuming that is what James meant) vs Policy Service - I am a bit confused here, and I think we may have to go back to the same discussion as for authentication: maybe at the moment an Authorization Service makes sense, and later on people can start thinking about a Policy Directory. This I think makes more sense because of the basic fact that authentication (even though it was theoretically the easier task) has taken us so long; I am not sure when we will really understand most of the issues around authorization (which I think is a much larger nut to crack, given its sheer size and reach into the application - who wants to make the decision whether something is business logic or an authorization decision?).
  • Enterprise DRM/Data Privacy - This is an important thing that I want to throw back at James, since he raised DRM, and I would like to know everybody's thoughts on the subject. Basically, so far enterprises have solved the issue of data access using a wide variety of integration systems like ESB, simple FTP, etc., and a whole bunch of laws require you to make sure that you know who is accessing the data and what they are doing with it. Now how do you build a rights management system which can ensure and track this requirement? How are enterprises solving this issue?

Monday, January 02, 2006

Letter to AuthX team

I came across the AuthX project some days back and read through some of the code and documentation. I will not claim that I have understood the whole project, and I would request you to feel free to correct my understanding.
Now getting down to the whole idea of AAA, let me put down my understanding of this domain.
  • Frameworks do not work, Services Do: I have spoken to a few architects, and in addition, during the process of various implementations, I have realized that frameworks are really a tough sell. Instead, what people are looking for is loosely coupled services. So there would be an authentication service, a fine-grained authorization service, and so on. By the concept of service, I do not mean a SOAP or a REST interface but just a Java interface that has methods that accept primitive variable types (I like to include strings in this, which you may not agree with), to ensure it can easily be exposed using REST, SOAP, RMI or a VMPipe call through MINA.
  • Authentication Service: The authentication service should be able to support identity and password, certificate (which is a single blob) and additional protocols which take multiple steps to complete (like some token-based authentications). So the interface design should be able to handle all these scenarios. I would recommend that you look at the WS-Trust specification as a good starting point for how you may want to design the authentication service, i.e. as a token issuance service.
  • Authorization Service: I think you have got the basic idea right, but there are a few important things that I think are missing from your design, like the idea of authorization context, obligations, and additional APIs. Let's take the idea of context, which typically means additional information that is important to make the authorization decision. For example, how will I use the AuthX system to grant access to a person based on the client IP (i.e. intranet vs extranet)? This context information typically includes additional information about the user, resource, action and environment (like IP, time of day). Even though you may not support these facilities in 1.0, I would suggest that you develop the interface to support this feature. I would also suggest looking at the XACML specification. In addition to that, the authorization interface must support an additional set of APIs besides isAuthorized (or renderDecision in your case). It should be able to answer questions of the type "give me all the resources that this subject can read". This is asked time and again by customers developing their applications (for example, for drawing menus).
  • Other services: I would recommend that you seriously think about developing an "Auditing Service" and an "Administration Service".

XACML : Where are you!!

I do not like writing two blog entries in one day, because writing each entry is a very gruelling task for me (because for some reason what should be a simple memory/thought dump becomes a 1 hr multi-review process to ensure my dump does not stink :) ). But after running into an entry from James McGovern on my favourite subject of fine-grained access control, I think I will write another dump.
The basic points being raised in the article are:
  • What about XACML? A question for vendors and analysts.
  • Implementation patterns for open source - Authorization Provider and Role Mappers with central management (just like a cross-cutting service in an enterprise - my addition to James' thought)
  • End-to-end (including database) identity tracking (if I have understood the requirements properly)
I will try to put down my understanding of these subjects.
  • What about XACML? - Well, it seems like people like James (and other enterprise architects that I have met in other financial institutions) and vendors like Securent (I have interacted with these guys and I think they "get it") are keeping XACML alive. Most of the enterprise groups that are looking for fine-grained access control products expect a basic implementation of XACML and expect vendor assurance on this subject. This is forcing the vendors to come up with good analysis of XACML with respect to the things that are missing from the XACML specification (like authorization delegation). This information can be used by enterprises to force these vendors to get together and sort out the details for these sections. As long as enterprises keep up their pressure and show interest, XACML will continue to grow.
    Besides that, like James has described for open source, another policy that I have seen architects follow is to make sure that new products that they run into (e.g. in grid computing) are aware of IAM products and technologies and what they should be doing to ensure their product will integrate well with existing IAM technology. In the case of authorization this would automatically lead them to XACML.
    One of the things that really bothers me is that people do not associate authorization with a centralized management system and thus do not understand the need for standards for authorization, which leaves them unaware of any standards. Besides that, some architects approach authorization as an extension of their business rules engine and thus miss the XACML aspect of authorization. So, to some extent, XACML is hurt by these mis(sing)conceptions of the architects in the enterprise.
  • Implementation Pattern in open source - Open source still seems to be trying to figure out identity. Looking at the list put together by Jim Yang, we can see that open source is still building the technologies as they need them. So we are still looking for the Apache Server of Identity and Access Management. Well, incidentally, I did run into an initiative at Apache and was both overjoyed (that somebody is working on it) and disheartened (I think they are on a slightly wrong track [My thoughts]) after reading through the available documentation. Besides that, I am of the opinion (after looking at other available stuff) that J2EE got the authorization API model wrong. This realization comes from the basic issue of how you can build an API model that is dependent on a specific authorization model (in this case RBAC) when we have already had at least three access control models (DAC, MAC, RBAC) come and go. The basic question is "Can the user perform a specific action on a resource?" and not "Does the user belong to a specific role?". So this is where I think we need an authorization provider API (no role mapper is necessary for the application!!) which is built on the XACML request/response model. Based on this understanding, I would really love it if open source is able to figure this out the right way, and I would be more than happy to help them in whatever way I can.
  • End-to-end identity tracking - James also raises the idea of identity-enabled connection pooling. I think this points to the basic issue of end-to-end user transaction auditing, monitoring and access control. The front-end and business logic layers are mostly identity-aware (due to Web SSO), but we are completely at a loss in transferring the identity to the database and other backend systems. In that regard, James' approach would be a good start. But I am really looking for a complete data access control layer at this control transfer point, or a standard way to transfer the identity to backend systems so that they can do access control based on the identity (besides the "Run As" identity that is used in most database applications). I would really be looking forward to the access control product from Oracle and hope that it will have the ability to transfer the session identity from container to database as part of the database call for authorization functions, or maybe one of the application server companies (BEA seems to be well placed to do this with their WebLogic and WLES) will release something to take care of this efficiently (i.e. with very low overhead).
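The authorization provider API argued for in the "Implementation Pattern" point above, together with the context, obligations and "give me all the resources this subject can read" query I asked the AuthX team for in the letter above, as an added example in Python. This is not AuthX code and not a conformant XACML engine; the rule set, attribute names, the 10.0.0.0/8 intranet range and the sample resources are all hypothetical. The request carries the four XACML categories (subject, resource, action, environment), rules are combined deny-overrides as in XACML, a Permit can carry an obligation, and permitted_resources answers the menu-drawing question by evaluating the same policy over a candidate list, so the application never has to map roles:

```python
"""Authorization provider built on the XACML request/response model: the question asked
is "can this subject perform this action on this resource in this environment?", never
"is the subject in role X?". Added example; not AuthX code and not a conformant XACML
engine. The policy rules, attribute names and sample data are hypothetical."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Request:
    """The four XACML request categories; environment carries context like client IP."""
    subject: Dict[str, str]
    resource: Dict[str, str]
    action: str
    environment: Dict[str, str]

@dataclass
class Decision:
    effect: str
    obligations: List[str] = field(default_factory=list)  # duties the PEP must discharge

@dataclass
class Rule:
    target: Callable[[Request], bool]  # does the rule apply to this request?
    effect: str
    obligations: List[str] = field(default_factory=list)

class PolicyDecisionPoint:
    """Deny-overrides combining: any applicable Deny wins, else the first Permit,
    else NotApplicable (which a PEP should treat as deny)."""

    def __init__(self, rules: List[Rule]):
        self._rules = rules

    def render_decision(self, req: Request) -> Decision:
        permit: Optional[Decision] = None
        for rule in self._rules:
            if not rule.target(req):
                continue
            if rule.effect == DENY:
                return Decision(DENY, list(rule.obligations))
            if permit is None:
                permit = Decision(PERMIT, list(rule.obligations))
        return permit or Decision(NOT_APPLICABLE)

    def is_authorized(self, req: Request) -> bool:
        return self.render_decision(req).effect == PERMIT

    def permitted_resources(self, subject, action, environment, candidates):
        """The "give me everything this subject can <action>" query (e.g. for drawing a
        menu): the same policy over a candidate list; the application needs no role mapper."""
        return [res["id"] for res in candidates
                if self.is_authorized(Request(subject, res, action, environment))]

INTRANET = ip_network("10.0.0.0/8")  # hypothetical corporate range

def from_intranet(req: Request) -> bool:
    return ip_address(req.environment["client_ip"]) in INTRANET

def build_pdp() -> PolicyDecisionPoint:
    return PolicyDecisionPoint([
        # environment context: reports may only be touched from the intranet
        Rule(lambda r: r.resource.get("type") == "report" and not from_intranet(r), DENY),
        # subject attribute plus obligation: finance may read reports, and access is audited
        Rule(lambda r: r.resource.get("type") == "report" and r.action == "read"
             and r.subject.get("dept") == "finance", PERMIT, ["write-audit-record"]),
        # subject/resource relation: owners may read and write their own resources
        Rule(lambda r: r.action in ("read", "write")
             and r.resource.get("owner") == r.subject.get("id"), PERMIT),
    ])

# Constructed sample resources the application might list in a menu.
RESOURCES = [
    {"id": "/reports/q4", "type": "report", "owner": "bob"},
    {"id": "/drafts/alice-memo", "type": "draft", "owner": "alice"},
    {"id": "/reports/budget", "type": "report", "owner": "carol"},
]

def demo_pdp():
    pdp = build_pdp()
    alice = {"id": "alice", "dept": "finance"}
    bob = {"id": "bob", "dept": "sales"}
    inside, outside = {"client_ip": "10.1.2.3"}, {"client_ip": "203.0.113.7"}
    return {
        "alice_q4_inside": pdp.render_decision(Request(alice, RESOURCES[0], "read", inside)),
        "alice_q4_outside": pdp.render_decision(Request(alice, RESOURCES[0], "read", outside)),
        "bob_budget_inside": pdp.render_decision(Request(bob, RESOURCES[2], "read", inside)),
        "alice_menu_inside": pdp.permitted_resources(alice, "read", inside, RESOURCES),
        "alice_menu_outside": pdp.permitted_resources(alice, "read", outside, RESOURCES),
    }

if __name__ == "__main__":
    for name, result in demo_pdp().items():
        print(name, result)
```

Running the file shows alice reading /reports/q4 from 10.1.2.3 getting Permit with the audit obligation attached, the same request from 203.0.113.7 getting Deny from the environment rule alone, and bob reading a report he does not own getting NotApplicable (which the enforcement point must treat as a denial); alice's menu from outside the intranet shrinks to just her own draft, without the application ever touching a role.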
So be it.
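One way to attack the identity transfer problem raised in the last point of the post above, as an added example that is not taken from the post or from any Oracle or BEA product: a small Python connection pool over SQLite that tags each checked-out connection with the end user's identity in a per-connection session context, and lets TEMP triggers inside the database enforce an ACL and write the audit row against that identity instead of the pool's "Run As" account. The schema, the acl table and all user names are hypothetical, and SQLite's per-connection TEMP schema stands in for the native session-context mechanisms of commercial databases (for example Oracle's client identifier):

```python
"""Propagate the web-tier end-user identity into pooled database connections so the
database itself can authorize and audit per end user, rather than seeing only the
pool's "Run As" service account. Added example, not from the original post or any
vendor product; the schema, the acl table and all names are hypothetical."""
import sqlite3
from contextlib import contextmanager
from queue import Queue

# Constructed sample data: two accounts and an ACL that only lets alice update accounts.
ACCOUNTS = [(1, "bob", 100), (2, "carol", 250)]
ACL = [("alice", "accounts", "update")]

SHARED_SCHEMA = """
CREATE TABLE IF NOT EXISTS accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER);
CREATE TABLE IF NOT EXISTS acl (subject TEXT, resource TEXT, action TEXT);
CREATE TABLE IF NOT EXISTS audit (end_user TEXT, resource TEXT, action TEXT, row_id INTEGER);
"""

# Per-connection context and TEMP triggers. TEMP objects are private to one connection,
# so each pooled connection enforces the ACL against whoever has it checked out. With
# end_user NULL (nobody checked out) the EXISTS test fails and the update is denied.
SESSION_SCHEMA = """
CREATE TEMP TABLE session_ctx (end_user TEXT);
INSERT INTO session_ctx VALUES (NULL);
CREATE TEMP TRIGGER accounts_update_authz BEFORE UPDATE ON accounts
BEGIN
  SELECT CASE WHEN NOT EXISTS (
      SELECT 1 FROM acl
       WHERE subject = (SELECT end_user FROM session_ctx)
         AND resource = 'accounts' AND action = 'update')
  THEN RAISE(ABORT, 'end user not authorized to update accounts') END;
END;
CREATE TEMP TRIGGER accounts_update_audit AFTER UPDATE ON accounts
BEGIN
  INSERT INTO audit VALUES ((SELECT end_user FROM session_ctx), 'accounts', 'update', NEW.id);
END;
"""

class IdentityAwarePool:
    def __init__(self, size=2):
        # Shared-cache in-memory database so all pooled connections see the same tables.
        self._uri = f"file:idpool_{id(self)}?mode=memory&cache=shared"
        conns = []
        for _ in range(size):
            conn = sqlite3.connect(self._uri, uri=True, isolation_level=None,
                                   check_same_thread=False)
            conn.executescript(SHARED_SCHEMA + SESSION_SCHEMA)
            conns.append(conn)
        conns[0].executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
        conns[0].executemany("INSERT INTO acl VALUES (?, ?, ?)", ACL)
        self._free = Queue()
        for conn in conns:
            self._free.put(conn)

    @contextmanager
    def checkout(self, end_user):
        """Hand out a connection tagged with the end user; clear the tag on return."""
        conn = self._free.get()
        try:
            conn.execute("UPDATE session_ctx SET end_user = ?", (end_user,))
            conn.execute("BEGIN")
            try:
                yield conn
                conn.execute("COMMIT")
            except Exception:
                if conn.in_transaction:
                    conn.execute("ROLLBACK")
                raise
        finally:
            conn.execute("UPDATE session_ctx SET end_user = NULL")
            self._free.put(conn)

def adjust_balance(pool, end_user, account_id, delta):
    """Run an UPDATE as the given end user; the database decides, not the middle tier."""
    try:
        with pool.checkout(end_user) as conn:
            conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?",
                         (delta, account_id))
        return "ok"
    except sqlite3.DatabaseError:
        return "denied"

def balance_of(pool, account_id):
    with pool.checkout("reporting") as conn:
        return conn.execute("SELECT balance FROM accounts WHERE id = ?",
                            (account_id,)).fetchone()[0]

def audit_trail(pool):
    with pool.checkout("auditor") as conn:
        return conn.execute("SELECT end_user, resource, action, row_id FROM audit").fetchall()

def demo_pool():
    pool = IdentityAwarePool()
    outcomes = [adjust_balance(pool, "alice", 1, 50),     # permitted by the ACL row
                adjust_balance(pool, "mallory", 1, -50)]  # no ACL row: RAISE(ABORT)
    return {"outcomes": outcomes, "balance": balance_of(pool, 1), "audit": audit_trail(pool)}

if __name__ == "__main__":
    print(demo_pool())
```

The audit table records "alice", not the service account, and mallory's update never reaches the data because the database refused it on the propagated identity; the overhead per checkout is one UPDATE on a one-row temp table, which is the kind of low-cost hook the post asks the container and database vendors for.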

The phase out of retail PC

This idea started growing in my head after two events: one, my parents started using their new PC, and second, Cisco bought Scientific Atlanta. Well, seeing my parents struggle with basic internet and Windows skills really made me understand that PCs are overkill for the 60-70% of PC users who are looking to do basic things like check email, browse, listen to music and play media clips once in a while, and a much smaller and simpler product should do the job.
Based on the way things are moving, it seems like that is already in the works. The industry thinks that the triple play will not stop at the last mile but will actually continue to the antenna terminal on the TV. And I think that this is where the retail computing market will be making its move in the near future. So instead of the triple play being addressed by separate components like a digital converter, cable modem, VoIP box, wireless router and a PC, there would be one single product to get the job done. In this way, these components will probably go through the same convergence process as has been the case in other areas of technology (like wireless).
I understand that this idea is not new, and some (including me) have thought it to be the basis of the Internet Operating System. But the important point is how the various players will fare in this. Now we can easily identify some of the good contenders like PVR/DVR/set-top box, retail networking (modem, routers, VoIP hardware), PC retailers and some not so obvious [Cringely on Google-mart]. Each of the groups has its own strengths and weaknesses, and I guess only time will tell how they will fare. But as of now, I think PVR/DVR and networking will be fighting it out, and the PC business will become more focused on the enterprise, specialized retail and accessory business. Cisco's move to buy Scientific Atlanta in this regard and IBM's move to get out of the PC business may be part of that, or maybe I am reading too much into them.
Cisco's move, after integrating the acquired technology with their networking products, makes them a great end-to-end networking technology provider for the phone and cable companies, which at the moment no other company seems to be doing in the routing business (which I guess would be Juniper, Nortel, etc.). In addition to that, their upward movement in the TCP/IP stack gives them the ability to push intelligence into the network and help build the efficiency and controls that the phone and cable companies may want.
In addition, the whole idea of software as a service is very conducive to these new products. These products can subsidize their set-top boxes with the money from payments for additional software services. This model gives companies like TiVo a big advantage, since they have an existing product, presence and technology which can be a good starting point. But they still need to build support for additional products like VoIP and browsing capabilities to become a good alternative. I guess we will have to wait and see who is able to develop and execute a good business plan to achieve the end goal. Convergence by its very nature means that it will become very crowded very quickly, and then the market will play its part in finding the companies that will survive in the long run.
Before I conclude, I will try to put together a list of the various components and features of the package.
  • Set-top box
    • Low cost box similar to networking and PVR products
    • Large set of interfaces like Bluetooth, RFID reader (??), USB (drives for storing personal information), FireWire, wireless and other proprietary interfaces to connect other products to the triple play medium (cable wire, phone wire, optic fiber).
    • Scripting and development engine - AJAX-like applications to increase responsiveness and allow developers to develop easy applications.
    • Better (and I really mean better) input devices for User interactions.
  • Software as service
    • Low cost rental model
    • Searching/Information/Advertisement-on-demand service
    • Multi-media management software
    • Storage service
    • Email service
    • On-demand software ranging from basic office applications to Photoshop, etc., available on a per-use basis.
  • Better mobile platform - The convergence of wireless media/protocols would ensure that new mobile computing products will be available which will use the same software-as-a-service model to deliver software services with voice/handwriting recognition and/or better user input tools.