2006 Prediction - Recap

Seems like the 2006 Prediction season is over and so I thought that I will try to capture the various predictions in Identity Management space that I came across.
  • (Nick at WickID) Host/Mutual authentication will be critical. There will be an attack against banks using non-cryptographic based host authentication (ie, pictures, cookies). - I am assuming that means machine authentication besides user authentication something similar to that from Passmark and Trusted Network Technology. This makes sense and will really be looking forward to various non-intrusive and intrusive technology in this space.
  • Transaction authentication will become a hot topic later in the year due to session hijacking trojans. - I think people like Bruce Schneier have already been talking about this. An important aspect of transaction authentication is that it needs to be pervasive instead of just being limited to online experience. Besides that the technology that would actually help achieve this should be varied i.e. multifactor, multichannel.
  • Strong authentication systems that don't follow Kim Cameron's Laws of Identity will be seen as weak and catch flak for it.
  • 'Layered Authentication' where lack of a cookie or appropriate IP address triggers additional authentication will be shown to be a marketing neologism covering weaknesses. "Layered authentication" based on cryptographic mechanisms to secure session, host/mutual and transaction authentication will get alpha-geek backing, though it is unclear whether that will help adoption of such systems.
  • (Radovan) "Identity" becomes mega-buzzword - I thought it already was with almost 15 implementations that I can count (with help of my friends) with various vendors in US and we are a really small company in east coast.
  • Many "identity" mistakes happen, but it will take a while for them to be seen - Hmm.. this is a good conclusion that you can draw about anything that touches so many aspects of the enterprise for example like what ERP was for Manufacturing Industry. With regards to WS-Trust and SAML, I completely agree.
  • More client-side identity implementations will be seen - I am not sure how the future will evolve but the way I see it, people should not be keeping sensitive data (including their identity information) on their machine (since it is more vulnerable to attack). But at the same time, I am sure vendors will find better ways (like low cost smart cards, network or set-top box extensions or network devices) on the client side to do the job. But at the conceptual level even though I agree that clients should have the right to manage their identity, the actual management of the identity (i.e. implementation) may be left to professionals.
  • Spam, phishing and pharming will get even wilder - Nothing new here.
  • Strong authentication will get integrated with "identity" - I guess I do not understand the difference between authentication and "identity" the way Rodovan sees it. I think that authentication can not exist without identity being in place. So, the companies are getting the idea in various form that they need to improve the authentication but I am not sure whether we will be seening the SecurIDs anytime soon. It is way too costly (initial and ongoing) and time consuming to roll them out and manage their lifecycle unless it can be shared across the industry (which goes back to federated identity, trust, etc) or taken over by govt through standard digital identity system.
  • We will see attacks targeting legacy "trust" mechanisms - Well I think people have succeeded doing it and others have thought about it publicly and vendors are providing the ways which can possibly be exploited (as specified in the discussions) to make this prediction possible.
  • (Mark Dixon) 2006 will bring new methods for more easily implementing Identity Management solutions - Amen!! But would really like to know what are the vendors and consulting firms (I think this may be called IP by some consulting firm) are doing achieve that. Shouldn't the forums like Liberty alliance be used to develop integration patterns and process patterns. The vendors can then develop a feature guide to point how the basic patterns can be implemented and hopefully we can make this prediction a reality. Any other thoughts on how to achieve this!! Will really look forward to discussion on this topic in "enterprise identity" blogosphere.
  • (Jackson Shaw) people will wake up and realize that identity management "is only the aspirin to the headache we have engineered for ourselves. What are we (end-users, companies, ISVs and platform vendors) doing to solve the root cause of that headache - interoperable authentication, authorization and identity protocols? - I am relatively new to this whole world of enterprise computing (just 7 years) and so should be forgiven for talking out-of-you-know-what but I am not sure what this means in the world where the mainframe is still the main workhorse in large businesses and cost of replacing existing systems is astronomical and sometime unthinkable from business point of view. The meta-directories and connectors are the only way to integrate with a lot of these systems. So, I think this headache is something that we have to live with unless somebody is creating a new company from scratch. He will have the similar headache five year down the line. Did I misunderstand something?
  • (CA) 2006 will mark the beginning of a security market shift as various security elements which were once dealt with separately, such as threat and identity management, begin to 'talk to one another' for even tighter security controls - You can already see this happening with available products like Identity Engine and enterprises are already consolidating their monitoring system to track end-to-end Identity flow. In addition to that, I have seen companies expecting the web endpoint devices to support or integrate with the SSO out-of-box besides the other things like SSL endpoint, tcp connection, etc and Vendors like CISCO going deep into the application layer (and I am sure they are going to encounter identity there). So, seems like it is happening.
  • (Eric Norlin)The divide between user-centric and enterprise identity management is the No. 1 conversation in 2006. - Hmm.. user-centric identity, I will wait and watch (unless a big portal like yahoo or google exposes something for others to use) but Liberty jumping into it does makes it interesting.

Comments

Post a Comment

Popular posts from this blog

Vendor List

Updated: November 12 2006 I am trying to come up with the list of vendors and associated products in the Identity and Access Management arena. Please note that this list is based on marketing/public information and my understanding of the terms which may not comply with any specific groups' definitions and/or requirements. This is by no means a complete list and will keep growing as I get more time to add them and find more companies (any help on that front will be really appreciated). Before we go further along, lets try to define what each of these product typically do so that my mode of classification may make sense or any flaw in my classfication will become apparant. Identity Management/User Provisioning These products typically provide the facility of Workflow-based Identity provisioning, password reset, identity reconciliation/discovery, delegated identity administration and self-service features on wide variety of identity platforms (like LDAP, Unix, Windows, Mainfra
Read more

Understanding IAM Technology: Web Single Sign On (Web SSO) Part I - Introduction and Use Case Definition

Image
Update September 6, 2015: Part II in the series is now available . Update August 19,2006: I am rewriting this entry based on the methodology I am using for some of other domains. Hopefully, the new methodology would make it more useful to some of you. I talk to a lot of people from developer background who still do not have a good background in the IAM technology. Eventhough there is a lot of information on the web, I have felt a lack of good technological discussion on the various component that  actually form the IAM domain. Some of the good sources for the information on IAM are Microsoft Identity and Access Management Series Archie Reed Oracle Federated Identity Buyers guide Oracle Identity Management Buyer's Guide Identity Management Dissected Most of these document discuss the basic concepts but do not extend it to existing technologies and how it applies to them. This series is an attempt to look at the technology behind the Identity and access manage
Read more