Showing posts from 2005

The toe nails of Identity Elephant

I have learned over time that defining things has not been my strength, and I have also come to understand that most of us in the Identity and Access space can get through most of our professional lives without having industry-standard definitions. At the same time, I like to keep a glossary handy, which I attach to every project document and let change as the client tries to make sense of their environment. After reading Dave Kearns' and Scott Lemon's thoughts, I was again reminded of the Identity elephant that seems to be in the room and how people are trying to find it. In that context, I found that these two people are so close in their definitions, the way I understood them, that I had to write about it. The idea in Scott's case is that Identity is "same as", while for Dave it is "Identifying" (which for him somehow always leads to DNA, twins, etc.; anyway, that may be something for another blog). Now in case of an identification system, the identification

Authentisoft Introduces IDX EAP

I am completely confused by this company's approach in the IAM space. I do not understand what their target market is and can only speculate that it will include small businesses, or maybe a complete Java shop whose developers think this is a good "IAM" product. Take a look at the article (and the discussion) that have come from Justen Stepka, who works with the company. The product seems to be too little, too late at first glance (at least in the IAM space), but then maybe I do not understand the product and its complete feature set.

Internet Rebels

After watching the Google EPIC, I had a burst of "creative" thought (which is very rare, let me tell you) about a futuristic novel set in 2015 about a renegade who is part of a network of people who run a parallel internet over a P2P protocol. The idea being that once you develop protocols to index and search the P2P member sites using distributed indexes, you may be able to browse the net anonymously. But after reading these articles, it seems to me that something like the above may become a reality rather than remaining a fiction in my head. But seriously, guys, is it good to reject a more structured way to generate internet content just because the format is being proposed by companies that are trying to make money out of people's content? Maybe I am being too naive.

Federation revisited

While going through some articles on the Burton Group reports on Identity Management, I ran into this article from Andre Durand. The basic point of contention is that Burton has predicted that Federation will not be a separate product in the long term, while Patrick Harding contests that it will be a separate product. This point of view from PingID can be attributed to the fact that their flagship product is a federation server, though they do provide other components like a Token Service. But let's not go there and instead look at the argument. The basic point of contention seems to be that the infrastructure needs a federation server to consume the SAML assertion and generate an internal SAML assertion that can be consumed by the internal infrastructure. But I am not sure whether that means you have to set up a federation server the way they describe using this diagram. I see the work they describe as more the job of a Token Service, as I have opined earlier. (which I think is one of the g

FSSO - where are we?

With so many federated sign-on specifications out there, it was becoming really tough to keep track of them. The way I see it, we can divide them into community site initiated, Identity URL based specs like SXIP (new addition), LID, OpenID and i-names (XRI), versus standard/large vendor initiated, identity token based specs like SAML, WS-Federation and InfoCard. Given that the community initiated specs based on URL based Identity have come together under YADIS (except SXIP, and I am hoping they will join the party soon), where does that leave us with WS-*, SAML, Microsoft InfoCard and Passel (with counter-signed and self-signed attributes)? While the community based FSSO specs are consolidating, businesses are rolling out services mostly using SAML to perform FSSO between the services that they are providing. We are still waiting for InfoCard and WS-Federation to pick up steam. It seems that InfoCard may be obsolete by the time it comes out if YADIS is accepted by the community (unl

What is identity - In words of Bulla Shah

I really like the way this poem explores the basic question of "who am I", i.e. "what is identity". This poem was composed by Bulla Shah, a 17th century Sufi poet, and used in a great song.

Bulla, who knows who I am?
Neither I am a believer (who stays) in a mosque
Nor do I indulge in actions of disbelief
Nor am I the pure one amongst the impure
Neither I exist in books of Vedh
Nor do I stay drunk
Nor do I remain stoned, rotting
Neither I am happy nor sad
Nor am I in the (argument of) Purity and Impurity
Neither I am (made) of water nor of earth
Nor am I fire nor air
Neither I am Arabic nor Lahori
Nor am I (resident of) the Indian City Nagaori
Nor Hindu nor Turk Peshaweri
Neither I found the secret of religion
Nor did understand Adam and Eve
Nor did I create a name for myself
From beginning to end, I tried to understand myself
I did not come to know of anyone else
I am not just another wise one
Bulla Shah, who is this standing?

Anti-suite Approach

This article talks about suite vs. anti-suite. Each of these approaches has its own pros and cons and fits specific markets. Some factors that may determine it are:

- SMB (suite) vs. Enterprise
- Working with bleeding edge products vs. conservative adoption

So, I do not think it would be appropriate to categorize any market, whether it is network security or identity management, as suite or anti-suite.

PingSTS Announced - Identity for Web Services

Given that InfoCard is based on this service, I need to set up a working environment to test this integration. Besides that, I am bothered by the lack of token types on the output side. Anyway, I will write about it more once I get a chance to do the testing.

Looking back to look forward: Thoughts on HP acquiring of Trustgenix

First Phase
- Provisioning: Access360, Business Layers, Waveset, BMC
- Web Access Control: Oblix, Netegrity, Securant, DASCOM, Entegrity
- Password Management: Courion, M-Tech
- Meta-directory/Virtual Directory: iPlanet, Novell, Siemens, Zoomit, OctetString, RadiantLogic

Second Phase (web services, federation, SOA)
- Trustgenix, PingIdentity, Sxip, SOA Software, Layer 7, Symlabs

Third Phase (activity in applications, information governance, identity in the network, and role/privilege analysis)
- Eurekify, Bridgestream, Prodigen, Tizor, Consul, Virsa

I will be adding to the list when I get a chance.

GRID: Globus Toolkit 4.0 - Authorization Model

The feature list is:

- Support for PDP chaining.
- Policy combination algorithm supported: DENY overrides ALLOW (permit-overrides can be simulated by having a MasterPDP which will then control the other PIPs and PDPs; the sequence of the PDPs and PIPs will need to be specified separately).
- Supports the concept of a PIP, which works as an interceptor (like a PDP) but does not return a decision. It instead returns data which can be used by the PDP (more info needed on how).
- The ID that will be authorized is extracted from the credential used by the client to contact the service.
- A concept of Resource Owner is supported, which can be extracted from "resource, service or container depending on availability in that order of precedence".
- Authorization schemes supported:
  - self: caller ID = owner
  - gridmap: caller ID is part of a pre-defined list. This scheme also supports mapping the user ID to a local user ID (how does that help, or can it be leveraged??)
  - identity: caller ID = specified ID
  - host: callee's host ID = specified host

Links

- Role Based Access Control
- IDManagement Problems and IDentity Management Objectives
- Globus Toolkit (Summary), DACS (to read) and Acegi (to read) for Access Control
- Web 2.0 Components
- Introduction to biometric device
- Active Directory Unix Integration
- IIW2005 Talks
- GSA Federal Identity Management Handbook: covers User Registration and Issuance Guidelines (identity proofing, card issuance), Physical Card requirements, Smart card specification, Implementation planning guidelines.
- Very basic introduction to PKI Enabled Email security
- Web Services Protocol specifications List
- VMWare 2005 World Presentation
- Open-source Identity Management Tools
- Identity Management project Basics
- Comparing EPAL and XACML - bottom line: XACML is a superset of EPAL.

Consentry LAN Controller

Another company in the "identity enabled network" space besides Identity Engines, which I talked about earlier. The moral of the story seems to be that:

- A trusted identity store (like LDAP) needs to be integrated with the network.
- Application access policy must include identity and roles.
- Application control must go beyond the port.

Nothing new here. Looking at the product itself, there is nothing new on the authentication side (it seems to be similar to what other network products would support). At the same time there is a wide variety of applications that are supported "out-of-box", though I am not sure what we are going to achieve by simply performing an allow or deny at the application level, since that is as good as port level access! (nothing more fine-grained). The field of identity enabled networks seems to be the next step in the growth of identity. It would be interesting to see what other companies are working on.

Global Identity Body

I think we really need to see how identity is managed in the real world, and maybe that can help us figure out how it may work in the digital world. So we would need a passport-like mechanism which would assert very basic information about the person across international boundaries, and that is where I think we may concentrate at these international conferences (anything beyond that would be equivalent to boiling the ocean). Then we would need trusted bodies for various contexts. For example, international transactions would need banks working as intermediaries (as used for trade by companies across international boundaries), and then you may have technical bodies like medical bodies who may vouch for their members in transactions. So, I agree with the basic idea that there would be a large number of bodies, and I also think that there would be multiple protocols developed for and by each community as they need to share this information. I think the idea of having a singl

Identity/Reputation management with Opinity

What is a product like this going to buy me as a citizen of the web? I can see their idea of a central repository of user reputation (something similar to a credit reporting company). But all the big sites have their own repository, and why would they want to share that? So, their basic approach would be to get the smaller websites to use this service. Now that is a big issue, because why would most of these websites want to purchase a service they do not need? As soon as the customer pays via credit card, these people do not care about the reputation of the customer. So unless this system can help them

Let's take the model from the customer's point of view. Most people would like to get tangible benefits out of this before they would be ready to aggregate their identity information in one place. This could be in the form of discounts in online stores. In addition to that, the reputation needs to be integrated with an identity engine that can build a central repository of their profile (which

Identity Map

Good idea and summary of the various types of information that are associated with the user, i.e.:

- Names
- Characteristics - static and dynamic
- Relationships - I am not sure whether Relationship should be separate from the role. I am assuming that any relationship will always have the roles automatically defined for all the participants of the relationship, either implicitly or explicitly.
- Roles - See Relationship; that is why roles by themselves may not make sense. These have to be in a given context, the context being the relationship or the community of which the relationship is part.
- Locations
- Experience - Experience would result in knowledge!! right? And so knowledge would be a superset of experience and information that was gathered through the experience of others (i.e. teaching, reading).
- Knowledge
- Reputation

What do you say?

Identity Engines Delivers Platform for Network Ide?

So finally the company is out with the product. I have been hearing about this company for some time now. Anyway, it seems like these guys are catering to the requirements of companies that want to control access to their network in a more secure fashion. Most of these guys need to perform the following functions:

- Sequestering the machine hooked to the environment unless validated (so it may not even be able to get an IP via DHCP): the laptop would be checked for the latest version of firewall and antivirus with the latest updates.
- The user would need to authenticate to ensure that it gets access to the network.
- (Not seen a lot though) If the user tries to access an application, this access needs to be managed.
- Auditing all these events with additional information for monitoring and analysis.

W.r.t. the third access requirement, I have seen that most companies already have something installed. For example, web applications would have the Web SSO products. But most of the client server applicati

Quick and dirty identity management

That is what tells me that we really need to develop an open source identity management interface for people to be able to do the basics:

- User CRUD
- Password management (password reset)
- User data management
- Basic user provisioning to other products

Oracle adds fine-grain features to ID security C…

Seems like fine-grained authorization is really heating up!! But let's wait and see what Oracle's idea of fine-grained access control is.

Vendor Installation News

I see a lot of press releases on vendor installations. This is an attempt to capture them on a single page.

- Mercer Human Resource Consulting - Trustgenix
- International Bancshares Corporation - Secured Services Inc
- Wendy's International Inc - M-Tech
- GM, GE, T-Mobile - Sun Identity Manager
- Toyota Financial Services, Principal Financial Group, Swedish Police - Thor Technologies
- SunTrust - Courion

ID-entity Blog Launch - Lessons from IIW2005 [Li…

Seems like somebody else is also bothered, like me, by the complete lack of discussion of Liberty/SAML in the Identity 2.0 world.

The browser as the Virtual Directory GUI

I think most people will agree that the basic issue with auto form-filling is the storage and the security of that storage. That is what makes the existing auto-fills a big no-no for "informed" users. So, until we have browsers that are developed with very good built-in data security through smartcard or encrypted USB support, we cannot go too far with the whole idea of identity storage on the client. Until that time, the client will continue to make a good pit stop that allows the end-user to control what is going from the IDP/Identity Provider to the Service Provider.

Internet Infrastructure Ignorance

There is an existing product that is built around XRI. Besides that, the basic issue of multiple identities and their associated management w.r.t. the end-user is something that the products and protocols have to manage.

Anonymous Identity

This is one of the worst reasons I have heard against anonymizers. Now why do I have to make myself known to the whole world if I do not have faith that the websites I access have adequate resources or the will to protect my identity, as is apparent from the way the big companies have failed us? So these services will always fulfill a requirement in the world.

Purisma Launches Revolutionary Solution for Custom…

The basic concept seems to be similar to that developed by SRD, which IBM purchased this year. This whole area of knowledge generation through correlation, whether it is through desktop content or database content, is something that will be interesting to watch. And the next step that comes in is who is allowed to see the information that is found this way. So due to privacy issues it would be really tough to use these types of products across multiple channels of a company. Before companies really go ahead and start doing these correlations, they will really need to think a lot!

IdentityBridge Provides Protocol Translation to Li…

I do not get the business model for this, i.e. what is the customer base for this product? The way I have seen it, not many people have purchased federated SSO products, and the ones that have expect the vendor to provide implementations of the two competing protocols and all the associated versions. Now, after purchasing a federation product, why would you want to buy a protocol translating product? I really need to understand why I would need it!!

Expedia Ensures Customer Security

Hmmm... is this the beginning of the adoption of SAML as the federation protocol by corporate websites? It would really help everybody if it really kicked off... But I am not sure how well the identity systems of the enterprises are positioned to take the next step of federation. Guess if the service providers build it, they will come!!

Yet Another Decentralized Identity Interoperability System

Assumptions:
- Open Identity is in URL format (guess email is not enough?), easy for developers
- Profiles

Browser based Authentication: The service provider contacts the IDP URL to get the capabilities and, based on the authentication protocol chosen, starts the authentication. Now a few things here. First of all, this means that the SP needs to understand all the authentication protocols, be it LID, OpenID or something else. Does not make a lot of sense, but fine, let's continue. The SP uses the "protocol supported way" to redirect the user to the IP, which authenticates the user.

Profile exchange: Well, if you need to get specific data about the user, you need to ask for it from the Identity URL, like IDURL?xpath=field that is needed&lid=SP's Identity

Now the only thing is, why do we need this new "federation" protocol when we already have it in Liberty and SAML? I guess it is all about the removal of SOAP and making the protocol simple. Other than that, why sit down and redo

IIW2005: Attention Data as Identity

I love the idea that I can sell my web browser's bookmarks and history. How I wish I had not deleted my browser history. But I guess Attention Data = Identity is too far-fetched. It could be more like a profile or persona, but does that uniquely identify me? Well, I guess that goes to what you mean by "identifies". If the identification is a "checksum" of my data, then yes; but other than that it resembles more the way a corporation would like to see me, i.e. a classification system.

Analytics and Web 2.0

Based on what I have seen, Identity in Web 2.0 is about:

- It is owned by the user instead of a corporation.
- Since it is owned, it has to be managed by the user, which brings up the issue of what if the user does not manage it actively.
- It is distributed by the user, which means the user has to look at all the fine print on what a company that is going to accept their data will do with it. Well, I am not sure how different that is compared to now!!
- All the work that the identity does is owned by the user. Guess it is no different than now, unless we can build services which can make this process more secure and thus give the law and the user more faith in the identity systems.

Then the next step comes in of allowing users to sell their attention/web history to the analytics??

Identity as a Service

Identity as a service makes sense, just like credit card services. I heard business plans around them almost a year back but did not hear anything after that. Maybe now is the time to search them out.

Identity in 2.0

Some summary!!

Beyond Java

So far, the way I see it, languages have come one after the other, i.e. machine code, assembly, 3GL structured languages, with scripting languages being the next stop. But this has not really caught on. To me this is due to the fact that most people see scripting languages as needing to replace structured languages like Java, C, etc. Maybe a better way to look at it is to see scripting languages built over a structured language, where third party or OSS base components would expose hooks to write business logic using the scripting language, and business processes would be a configuration process (like a workflow configuration) rather than a code development process. Even then, I have not been able to solve how the frontend is going to integrate with this development model.

Case Study: Furthering Role-Based Access Enterpr…

Some observations:

1. Now case studies are mostly from universities, which seems to be due to companies not going on record with the products that they have implemented.
2. TNT has interesting technology and looks good as a way to take identity to a level where it would be easier, probably faster and cheaper, if this is based on a standard so that Cisco routers would be able to use the information and route stuff without any compatibility issues.
3. Another thing that bothers me is the IP stack changing technology, which may be found intrusive by most people.
   a. It is coming from the host firewall guys and it is free, while the appliance costs some money.
   b. This technology can support multiple domains and configurations (like VPN technology).

Good technology to follow until a big company buys it and integrates and tests it well, making the client free (the Acrobat/plugin model).

Ringtone Purchasing Round 2

I am not sure how the third party can deliver an application or service without information about the platform from which the ring tone request was sent (if that is not provided along with the cell phone number; but then I am just an Identity guy, not a cell phone tech expert, and do not know the standards in this field). But I am bothered by the cell phone company as "big brother", who owns the medium, the authentication technology, and the gateway to ecommerce over an unencrypted medium, which makes them a very big owner of information on the user's physical identity, habits and social connections (guess phone usage gives you a good idea). I am sure the silos within the company itself may be keeping this information distributed, but as the integration of these identity silos is completed over time, think of the information they have access to (if ecommerce through cell phones takes off). So going back to your earlier article, this is probably the biggest difference between Apple iTunes and ring tone

Ringtone Purchases vs Legal Music Downloads

The basic difference between the two approaches is that of Federation. An interesting thing to look at with regard to how future federations would work. An important issue that it brings out is that I would really want to understand how mobile charging works (in terms of privacy and transactions). Does this system make the identity provider, i.e. your cell phone company, the single point that can use and sell your buying habits to the highest bidder (or all the bidders)?

Bank hits back at phishing with security trial

Guess they never read this. But at the same time, it is a start! Still, the idea of transaction authentication is better than person authentication. Good food for thought w.r.t. my ideas around identity.

Jabber HTTP Authentication Protocol

Living in the browser world, we tend to forget that there is a big issue around cross-client federation. More on this later.

Experts give identity management advice

Points raised:

- Process and system integration are challenges.
- "Identity Management is viewed to be responsibility of employees in charge of physical security." This is totally against all my experience in the financial industry, where identity management is typically part of the Risk Management group, which coordinates with physical security and HR to develop and implement identity management solutions. But at the same time, HR is the golden data source in most places.
- "Get the background check process right", which is typically performed by HR during the on-boarding process.
- "One ID across the organization": mostly a dream everybody wants but nobody has (but there are instances where organizations have been able to achieve it, at least for employees though not for customers).
- "Biometric is the key to solve duplication", but a biometric cannot be converted into an identifier. It is used as authentication data, but not as an identifier.

SSO Solution

I saw this query on one of the user groups:

"We are looking to move to a SSO solution, but were wondering what everyone else is doing? We have 5K+ employees that all need access to various platforms (Sun Solaris, VMS, AIX, SCO, HP-UX, Windows, Citrix, AD, Web, etc). Is there some sort of app or some such thing that will do a cross-reference of userids? Or do we even need to worry about that (the 8-character limitation on the Unix boxes) if we implement LDAP or AD?"

and I thought that this reply should give a starting point to the complete domain of Identity Management for solving the issue.

Well, my suggestion would be that you should consider the various approaches available to you and probably should implement something that suits your requirements. The various approaches available to you are:

Consolidation of authentication repositories: well, this refers to the basic idea of setting up an enterprise directory which all the products can tie into for authentication purposes and

FIM and IP Based Authorization

In the world before FIM, a lot of technologies were used to implement federated single sign-on. A very common way to allow corporate level access to services was to allow all users coming from a specific range of IP addresses (usually the client's corporate proxy server) full access to the service without requiring authentication (though identification may be implemented for personalization purposes). But with the development of FIM standards, does it make sense to continue to require IP based authorization in addition to the FIM sign-on, or does it give just an additional level of "security" at the cost of sacrificing convenience (people can only access the service from the corporate network and not from outside unless VPNed to the office)?

Biometrics: Some thoughts!!

After a quick read of the thoughts on problems with biometrics, I was thinking about how accounts can be accessed after a person/owner has died. For example, if a system is built that provides access solely on biometric authentication (without any escrow system in place), what would be the process to access those accounts after the owner has died? Does this mean that a biometric based security system cannot be built without an escrow system in place? Also, does it make sense from a liability point of view to become the owner of biometric data? Just in case more stringent privacy laws come into force and/or a precedent is set specifying that the data owner can ask the data manager (the enterprise that has the information about the owner) to pay for the damages caused by the loss of data, the biometric database would become a huge liability for any enterprise. Thoughts??

Credential Mapping/Management, WS-Trust: Some use cases

The basic idea of a Credential Mapping service is to provide the necessary data to the service's client, which will help the client identify itself to a specific security domain. Based on the security policy requirements of the security domain, this authentication and identification data can take various forms like id/password or a token (cert, Kerberos ticket, etc.). This concept has been implemented in Kerberos ticket based authentication systems, Global Sign On (GSO), Credential Mapping Providers, Security Token Services and enterprise reduced sign-on. In this article I will try to discuss why such a service is important as a separate, independent service within an enterprise or for an end-user. As discussed above, the credential mapping or token generation service (hereafter referred to as a security token service or STS) has been an important part of authentication systems, single sign-on integration, legacy application integration, and federated sign-on. Due to the wide variety of the application t

Vendor List

Updated: November 12 2006

I am trying to come up with a list of vendors and associated products in the Identity and Access Management arena. Please note that this list is based on marketing/public information and my understanding of the terms, which may not comply with any specific group's definitions and/or requirements. This is by no means a complete list and will keep growing as I get more time to add to it and find more companies (any help on that front will be really appreciated). Before we go further along, let's try to define what each of these products typically does, so that my mode of classification may make sense or any flaw in my classification will become apparent.

Identity Management/User Provisioning: These products typically provide workflow-based identity provisioning, password reset, identity reconciliation/discovery, delegated identity administration and self-service features on a wide variety of identity platforms (like LDAP, Unix, Windows, Mainfra

Why do you not need a provisioning solution?

In this world of compliance driven provisioning implementations, sometimes it may be worthwhile to really think about whether you need a provisioning solution in place. If the requirement is completely driven by compliance, then how can provisioning solve the issue? Provisioning, most of the time, gives the idea that after implementation the company is going to create user accounts based on the company's security standards and practices. But by its very nature it does not provide any way to stop rogue administrators from creating accounts, performing operations using those accounts and then deleting those accounts before the next reconciliation cycle. So it seems that, from that point of view, the only feature that is of any benefit to a compliance driven implementation is the provisioning product's ability to reconcile resource accounts (either in real time or as a scheduled task) in conjunction with a policy driven compliance enforcer (that most of the provisioning products are coming out with) w

Of Delegation and Tickets

It has been lingering in my mind for too long now, but I was not sure whether the hypothesis had any basis in reality or was just another armchair thought. The idea deals with the two ways (I would love to use the word paradigm but will avoid doing so) in which provisioning product interfaces have been designed. Most of the products that I have seen started off with delegated administration in mind, where a person (either a manager or the help desk) needs to perform operations on a single user based on a request that he/she receives out of band (verbally or by another electronic medium like email). The interfaces available to users were for self-service of personal attributes and/or password changes. Besides that, the idea was that there would be only a subset of users that perform the provisioning tasks. Somehow that was an underestimation of the processes already in place in most larger firms. Most of the large firms have very well defined processes that can be initiated by any