Identity and Access Management

Seems like the 2006 Prediction season is over and so I thought that I will try to capture the various predictions in Identity Management space that I came across. ( Nick at WickID ) Host/Mutual authentication will be critical. There will be an attack against banks using non-cryptographic based host authentication (ie, pictures, cookies). - I am assuming that means machine authentication besides user authentication something similar to that from Passmark and Trusted Network Technology . This makes sense and will really be looking forward to various non-intrusive and intrusive technology in this space. Transaction authentication will become a hot topic later in the year due to session hijacking trojans. - I think people like Bruce Schneier have already been talking about this. An important aspect of transaction authentication is that it needs to be pervasive instead of just being limited to online experience. Besides that the technology that would actually help achieve this should be va

I am at the moment in talk with Vincent who is part of the AuthX team that is working on developing Authentication Authorization framework/service as part of Apache Directory initiative. Feel free to ping me if you would like to join the discussion on this topic. I sincerely feel that as somebody who are looking at the various trends in IAM industry, we should try to help them get the system right so that it can be leaveraged across the various opensource application. Feel free to leave how you would like to participate (email update, blog post, etc).

After James kicked off the discussion on Enterprise Identity, there has been a [cro] lot [Pat Patterson] of [Johannes Ernst] input [Radovan] on the various subject of Enterprise Identity. I thought that I should also chime in, since some of the thoughts that James has expressed are similar to that I have expressed earlier on provisioning and repository consolidation and wanted to respond to some of points raised. So, lets take the points one at a time Workflow and MOM/ESB - The basic idea behind this is that most enterprise have workflow system and what they need is a connectors to a few identity repositories. Well, I know of a similar implementation that I was part of and we wanted to do all the way so that we will have a bunch of workflow engines and connectors in each geographical areas each of these connected to each other using MOM (the existing ESB was built over MOM). Now the project failed due to a lot of project management issues (I know how it sounds) and Vendor was bro

I came across the AuthX project some days back and read through some of the code and documentation. I will not claim that I have understood the whole project and would request you to feel free to correct my understanding. Now getting down to the whole idea of AAA, lets me put my understanding of this domain. Frameworks do not work, Services Do: I have spoken to a few architects and in addition to that during the process of various implementations, I have realized that frameworks are really a tough sell. Instead what people are looking for is lousely coupled services. So, there would be an authentication service, a fine grained authorization service, and so on. By the concept of service, I do not mean a SOAP or a REST interface but just a java interface that has method that accept primitive variable types (I like to include strings in this which you may not agree with), to ensure it can easily be exposed using REST, SOAP, RMI or VMPipe Call through the MINA. Authentication Service:

I do not like writing two blog entries in one day because writing each entry is very gruesome task for me (because for some reason what should be a simple memory/thought dump becomes 1 hr multi-review process to ensure my dump does not stink :) ). But, after running in to entry from James McGovern on my favourite subject of fine grained access control, I think I will write another dump. The basic point being raised in the article are What about XACML ? A question for Vendors and Analysts. Implementation Patterns for opensource - Authorization Provider and Role Mappers with central management (just like an cross-cutting service in an enterprise - My addition to James' thought) end-to-end (including database) Identity tracking (if I have understood the requirements properly) I will try to put down my understanding on these subjects. What about XACML? - Well it seems like people like James (and other enterprise architects that I have met in other financial institutions) and vend

This idea started growing in my head after two events, one my parents started using their new PC and, second, CISCO bought scientific atlanta. Well seeing my parents struggle with the basic internet and window skills really made me understand that the PCs are an overkill for 60-70% of the PC users that looking to do basic things like check email, browse and listen to music and play media clips once in a while and a much smaller and simpler product should do the job. Based on the way things are moving it seems like that is already at works. The industry thinks that the triple play will not stop at the last mile but will actually continue to the antenna terminal on the TV. And I think that this is where the retail computing markets will be making their move in near future. So instead of the triple play being addressed by separate components like digital convertor, cable modem, VOIP box, wireless router and a PC, there would be one single product to get the job done. In this way, these