For some time, Phil and I have been arguing that the release of CardSpace (in Vista) would not only jump-start the user-centric identity space, but also (and maybe more importantly) change the way the enterprise deployments architect their identity management solutions. That is to say that CardSpace will become as important *inside* of the enterprise as it is outside of it. Adding OpenID interoperability into this mix means that the long tail and non-Microsoft components of the internet will now be interacting with the obvious heft of the Microsoft machine.

For years, identity engineers and evangelists have been tirelessly laboring away to solve the user-centric identity problem -- one that has always seemed to have a "boil the ocean" component. This "marriage" of OpenID and CardSpace won't boil the ocean, but it will definitely raise the global temperature of the identity ocean.

Bottom line: we now have the interoperability needed for a true internet-scale identity system. The only hurdle remaining is the big one -- adoption.

This conversation has spurred a wider community to seriously consider the problem, both in OpenID and the more general case of any browser based identity protocol. Scott Kveton, CEO, JanRain, Inc. has written the following summary of this conversation to date. – Phil Becker]

David Recordon announced the latest draft of OpenID 2.0 to the OpenID general mailing list last week. The discussion that followed involved the lack of support in the latest specification for dealing with phishing. The argument is that since your OpenID could get you into all of the sites you visit on a regular basis, it will become a much bigger target for phishing from attackers. As the argument goes, users will actually be worse off than they are today because they will no longer be protected by just having one account that goes to one site hacked, they'll have all of them compromised at once.

Several people, including Microsoft's digital identity architect Kim Cameron, blogged on this raising considerable concern from the OpenID community and those looking to adopt the technology.

The most worrisome scenario was when a user is redirected to their OpenID provider to enter their password. The user has to trust that the OpenID enabled site they are trying to login to will redirect them to their identity provider and not some bogus phishing site. Really anytime a user has to enter a password into the browser we have cause for concern. However, once the user has logged in, they don't have to enter their password into the browser again until their session times out. This is actually an interesting opportunity. More on that in a bit.

As the discussions continued, several ideas emerged on ways to tackle the OpenID phishing problem:

• Require external authentication via SMS, email or some other out-of-band method when doing the login.
• Develop an identity manager, extension or plugin for the browser that allows you to define your identity to the browser first.
• Deploy something like Yahoo! sign-in seal or MyOpenID's Personal Icon on OpenID providers.
• Create an option on OpenID providers that will not allow logins via password after being redirected to your OpenID provider. The user is force to manually enter the URL of their OpenID provider or use a bookmark that they have already setup.
• Use CardSpace to authenticate with the OpenID provider.

Taken by themselves, these techniques don't give users enough protection against the risks they face. However, if you put a combination of them together, you have a much more compelling means with which to fight phishing.

Phishing has always been a difficult problem to solve but solutions exist on sites like eBay, PayPal and Amazon. The burden, however, has always been placed on the users to implement these personalized solutions. Unfortunately, its not practical to expect that users will setup all of these anti-phishing tools for every single site they go to.

Enter OpenID. With OpenID, users build a strong relationship with their OpenID provider. They visit it everyday when they turn on their computer or open a new browser window. Users will be able to setup several different anti-phishing measures on their OpenID provider and reap the benefits on every single site they go to. What we have here is the interesting opportunity I alluded to before. By employing the anti-phishing tactics described above and as OpenID begins to gain widespread adoption, we will see those very tools being a driver of OpenID.

The tough thing about these options is that they are difficult if not impossible to mandate in the OpenID specification without taking away from the core strength and main driver of adoption of OpenID today -- simplicity. However, several of these features already exist on OpenID providers. Discussions are happening with Mozilla to integrate support for OpenID into Firefox 3.0. There are several extensions out that allow you to set visual queues for specific sites like your OpenID provider. And we already know that CardSpace and OpenID are working together. Not only that, the OpenID and CardSpace community are having discussions on how to leverage each other's strengths to benefit users everywhere.

In spite of all the concerns, OpenID continues to gain adoption at a rapid pass. We are seeing 10 - 15 new OpenID enabled sites coming on-line each day. They are adopting the technology because of its simplicity, because it is decentralized, because it does just one thing really well. The technology will continue to evolve and will mature to answer the security implications we can think of today and as well as the ones that will come up in the future. Most importantly, the response from the OpenID community has been astonishing and proof positive that this vibrant group of people is ready to deliver the next generation of digital identity.

Steve Slater is the Co-founder and President of Security Compliance Corporation ("SCC"), a startup that's focused on solving some of the compliance challenges that focus around validating user access to applications. Last week, he briefed me on SCC's Access Auditor and how it is solving some key compliance needs. The deluge of regulations around compliance (GLBA, Sarbanes-Oxley, etc) has served as a primary driver for identity adoption in recent years, especially for large, public companies. What hasn't been addressed as frequently is the compliance needs of the mid-sized enterprise.

SCC found in The PMI Group a client that fits that bill. The PMI Group is a mid-sized financial services company that has some fairly stringent compliance reporting requirements. They also have an environment that spans legacy (mainframe) systems and a multitude of applications. What The PMI Group does *not* have is the size of organization that they feel justifies a full-blown identity "suite" solution (and the accompanying compliance benefits). In short, the price tag and complexity of implementation of these systems outweighed the benefit of complying with financial regulations. 

SCC provided The PMI Group with a solution that covered A) the requirements, while B) adhering to cost and complexity guidelines. This sounds like every good market research, product management and product launch story, right? Yes, but I think its also much more.

SCC's story betrays the beginning edge of the adoption of identity systems by the mid-size organization. Last year saw BMC and IBM launch identity products aimed specifically at this segment, and if SCC is any indication, we'll see more of the "big suite" vendors do the same.

Tapping into the SMB market has long been the bane of large software vendors, but that doesn't mean that independent, best of breed types don't have relative success. Their success comes from their ability to quickly answer a growing surge of mid-size customer demands -- demands that *always* focus around ease of implementation and ease of administration/use.

Stories like SCC mean that the focus of product management groups inside of the larger identity vendors is about to change. That story will shift, in accordance with market demand, from providing an integrated shopping list of functionality to providing a solution focused on a customer's experience of implementation and use.

That story is a sign of an identity market that is vibrant and expanding. That story will become one of the primary themes of identity management products throughout the coming year.

Brian's "day job" is social media. So, it was with great interest that I read a recent entry on his blog entitled, "OpenID, Portable Social Networks and the Darwoski Problem." In the post, Brian steps us through the logical progression of the great identity opportunity being missed by social networks (and I would add, "web 2.0" at large).

Brian's logical steps (why I should care about OpenID, social networks, etc) culminate in a crucial point: social media companies (his example is LinkedIn, but this applies across other companies as well) are so busy creating closed systems that they intend to "lock in" and "monetize," that they're missing the grand opportunity to become an open identity platform.

The push of identity into the web 2.0 world is driven by the essential realization that identity *must* be abstracted from the silos of applications for the end-user to achieve the true benefits that identity contains. Not doing so results in more lock-in, more silos, more data breaches, and more dissatisfaction. The opportunity lies in a web 2.0 company that is willing to open up its identity stores to portability and a sense of user-centrism. Unfortunately, doing so would jeopardize the "aggregation of community" that so many web 2.0 companies are seeking. To date, no major web 2.0 company has truly opened up its identities (providing an API to allow us to access your silos of applications is *not* opening up). Suddenly though, it seems that pressure is growing for systems like OpenID to succeed.

If they do, we may be standing on the verge of a major victory in the identity world -- a victory that hinges on Brian's realizations.

If they don't, we're just building a web 2.0 world of walled gardens. And that's not even web 1.0 - that's web 0.5.

The players are Kim Cameron (InfoCards/CardSpace) of Microsoft on one side and Dick Hardt (OpenID) of Sxip Identity on the other.  The issue: Kim's recent allegations that OpenID will make identity *less* secure and possibly result in security breaches that will set the user-centric identity work back in the minds of users.

The technical details all focus around the need (or lack of need) for client-side identity selectors -- with Kim arguing that its necessary to prevent spoofing, and Dick arguing that the spoofing security threat is acknowledged and defensible via OpenID. But the technical details (and argument) are not the most interesting thing.

Arguments like this, as all engineers know, are common in the world of the engineering. The reason is simple: the "engineer's mind" (versus the "marketer's mind") naturally seeks the "perfect solution." That's the blessing of the engineer's mind. It is, of course, also the curse.

As any student of technology history knows, the "perfect solution" has rarely won the battle of the marketplace. Instead, the solution that solved the problem set using "the principle of good enough", and *also* attained a critical mass of adoption has won. Does that result in further problems to be solved? Of course it does! That, my friends, is the cycle of innovation.

The current debate between Kim and Dick actually serves to show us where the user-centric identity market actually is. Several years ago, two groups were competing around federation standards (the Liberty Alliance and Microsoft/IBM's WS-* standards). For what seemed like forever, they held obscure debates about the details of the standards. Eventually, the market moved forward (seemingly without either group's help), and now today we find ourselves witnessing a new Liberty Alliance President saying that the "gloves are off" and they'd like to find ways to converge with the WS-* standards.

That simple, recent analogy shows us where we are with user-centric identity. We're on the verge of the market beginning to really adopt some technology. These conversations don't reach this level unless those involved see this potential.

In the meantime, the engineers will continue to debate the details, and that's good for all of us.

Prior to the holidays, I had begun to dig into some new briefings around NAC. Specifically, I was looking to hear from Trusted Network Technologies and Identity Engines -- two startups that *began* with identity and ended up at NAC (instead of the other way around). I wanted to begin there because I know that I don't have to convince TNTand Identity Engines that "identity is center." Rather, we can dig right into what their markets are saying to them.

What I learned was that despite the fact that Identity Engines and Trusted Network Technologies are radically different companies, they're both experiencing the same push in their product architectures. That push centers around the idea that the abstraction of policy is a growing movement *across* both the network and application identity management layers. Allow me to explain.

NAC has traditionally been thought of as a "health check" for machines that are connecting to the network. As the marketplace for NAC has begun to demand post-admission capabilities, NAC has been forced to adjust from simple health checks into an identity-based foundation. And that adjustment is the result of a very basic need: the ability to perform fine-grained authorization (and the accompanying functions of enforcement, audit, etc.).  Notice the switch -- from simple access control (health checks) to fine-grained authorization. The move from binary access (yes or no) to fine-grained authorization betrays a shift in mindset: from a defensible perimeter to a qualifier that identifies who can access what room.

Fine-grained authorization is *the* shift that NAC vendors will wrestle with all year, but it is not the endgame. The endgame (or, at least, next step in the endgame) is to abstract policy and its enforcement across both the network and application layers. Look for the startups like TNT and Identity Engines to begin working toward that level of cross-layer abstraction of policy by the end of next year.

And that is why I keep talking about convergence of application and network layer management around the concept of identity...

1. Identity-related acquisitions will slow to a steady pace.

The acquisition market for identity companies has been very heated for the past two years. Several factors (economic cycle, market development, stage of technology cycles, etc.) will combine to slow the pace of that acquisition cycle. This is not to say that identity acquisitions are going to stop. It is saying that they are going to slow down -- to a pace that is more normalized than we've seen the last two years.

2. Venture Capital continues to fund identity companies.

Funding of identity startups will continue in 2007 (as well as follow-on funding rounds), but we do see it shifting a bit.  The identity "analytics" space that suddenly sprouted around compliance should slow in its funding as. Additionally, the compliance automation space will most likely see primarily follow-on funding. On the other hand, we expect appliance-based identity startups to attract a lot of attention, as the channel successes of some young identity startups becomes more well known.

3. URL-based identity begins a cycle of real adoption in the blogosphere and alpha geek communities.

URL-based identity overcame many technical and interoperability hurdles in 2006, and got key buy-in from developing communities. 2007 will see the early incarnations of this technology begin a cycle of significant and real adoption in the blogosphere and alpha geek worlds.

4. In 2007, NAC that isn't identity-based becomes yesterday's news.

Most of the NAC conversation seems to focus on the interoperability between Cisco and Microsoft. The coming year will see a significant shift. The divide between "pre-admission" NAC companies and "post-admission" (identity-based) NAC companies will widen, and the term "Network Identity Management" will emerge as significant in the space. Identity-based NAC and Identity Management will "find each other" in 2007.

5. NAC's rise in importance brings back "risk management."

Its not about "securing the network." Its about managing the risk inherent in any truly networked application. As NAC goes fully identity-based, look for the marketers to begin pounding on the "risk management" term. "Risk management" is what compliance and security are all about, and it will get high level attention from technology executives.

6. While network identity management gets hot, application identity management goes mainstream. 

First, let me clarify: "network identity management" is what NAC is becoming; "application identity management" is what people commonly think of as "identity management." Application identity management has been the core of the identity marketplace for several years now. This year that core will truly go mainstream - with widespread adoption across major enterprises and beginning moves down-market.

7. Federated Identity will enter the very beginning of mainstream adoption.

For the past several years, federation has been overcoming some of the remaining issues around deployment. Our sense of the marketplace is that those are now largely solved (for the time being, anyway), and that with those obstructions out of the way, federation is about to begin a mainstream adoption cycle. Look for well packaged pure-play federation products to come on strong in 2007.

8. An acquisition will occur in the "user-centric" identity space.

This is our "stretch" prediction for the year. Our sense of the user-centric space is that its about to grow enough to foster an acquisition of one of its players. Nothing you-tube-ish, mind you, but a move that will signal the real "birth" of the user-centric identity marketplace.

9. The enterprise will begin exploring how to use CardSpace in enterprise deployments. 

CardSpace has been thought of as a "user-centric" technology. We believe that there is significant, generally unrecognized, desire to use CardSpace in enterprise deployments. We also believe that 2007 will see enterprise architects who begin to think about deploying CardSpace begin to change how it is that they view identity in the enterprise. Can Microsoft ever thank Kim Cameron and Mike Jones enough? We think not.

10. Compliance will remain the primary drive of Fortune 1000 identity deployments.

Some analyst groups like IDC have postulated that compliance will fade as a driver in 2007. We disagree. Compliance keeps chugging along (at least in identity) as the big driver that could in 2007. This driver may begin to fade by the end of 2007, but the spending cycles associated with compliance will carry major identity management deployment projects through the coming year.

There you have it -- ten predictions for 2007. How will we do? Check back at the end of next year to see how we grade our prognostications. What did we miss? Let us know...

Accordingly, I'll grade our predictions on a scale of 1-5 (where 1 is worst and 5 is best), with a possible perfect score of 50. Below are our original predictions, followed by their grade and reasons for the grade.

The Digital ID World Predictions for 2006

1. The Acquisition Cycle Continues.

Yes, we know that 2005 felt like a big acquisition year for identity -- but, trust us, we're just getting started. 2006 will see acquisitions continue.

Grade: 5.

Reasoning: Companies acquired in the identity space in 2006 include TrustCenter (acquired by GeoTrust), Visage (merged with Identix), GeoTrust (acquired by Verisign), Business Signatures (acquired by Entrust), Passmark (acquired by RSA), Virsa (acquired by SAP), and RSA Security (the big one - acquired by EMC). There's no doubt that 2006 saw the identity acquisitions continue in force.

2. The Funding Continues as well.

VC funding in this sector won't stop. In fact, we believe that VCs will get more and more aggressive, as startups will increasingly "pitch" themselves as identity companies and new products will increasingly be seen as identity products.

Grade: 5.

Reasoning: Companies funded (either initially, or with subsequent rounds) include SignaCert, EpicTide, GuardID, Authernative, Ping Identity, Trusted Network Technologies, and *countless* consumer-facing "solve identity fraud" startups. While the funding in the identity space didn't even come close to rivaling the whole "web 2.0" funding phenomenon, identity funding still progressed at a nice clip.

3. The Identity Universe will be seen to be expanding.

As we've been highlighting on the blog, companies are now beginning to change their positioning so that they're "identity companies" -- and really they are. In fact, the identity universe is (in spite of all of the acquisitions) expanding. In 2006, companies will start rushing to associate themselves with identity.

Grade: 5.

Reasoning: All one need do is read our coverage of how the NAC space is adopting identity, but beyond that companies in areas like mashups, SOA, geo-location and enterprise rights management continue to embrace the identity message.

4. Collaboration applications will get in the identity game.

One of the areas that will suddenly find itself in the middle of the identity conversation will be collaboration applications -- by that we mean blogs, feedreaders, wikis, etc. The new "social networking" applications will start to seriously go after the identity game in 2006.

Grade: 1.

Reasoning: I could argue that this prediction should be graded higher in light of the blogosphere's adoption of identity protocols, but alas, my general sense is that collaboration applications (and those in the "web 2.0" world) are still largely seeing identity as somebody else's problem.

5. URL-based identity will gain some traction.

Yes, we're following the URL-based identity work. Yes, we think its important. Yes, we think it will accomplish some interoperability tests in 2006. Yes, we think it will gain some traction with the alpha geek community -- and stop just short of a critical mass. Watch for URL-based identity to create a deeper understanding of identity for a larger community.

Grade: 5.

Reasoning: OpenID, OSIS, Higgins, Cardspace, Sxip -- the list goes on and on. The work happening in the URL-based identity space is now not only driven by the smaller players, but the larger ones (like Verisign) as well. URL-based identity made an *awful* lot of progress in 2006, but didn't reach critical mass.

6. Identity comes to Search.

Call this one something that happens in an alpha state in 2006. Either Yahoo!, Microsoft or Google will either announce or release an early version of a search product that brings identity profiles to bear. Somebody get me Vint Cerf on the phone! ;-)

Grade: 1.

Reasoning: Another one that I *wished* would've happened, but didn't. While Yahoo!, Microsoft and Google all made some pushes into personalized search (close), no one truly launched identity-based search based on profiles (but no cigar).

7. Strong Auth is the story of the year.

The effects of the FFIEC guidelines haven't even begun to be felt -- 2006 will be the year of strong auth. We won't encounter the problems (yet), just the success. Be prepared to cut through the hype, and watch as the terms "layered authentication" become standard place among industry insiders.

Grade: 4.

Reasoning: While every day seemed to bring new horror stories of unauthorized access to sensitive data and the need for strong authentication, I'm stopping short of calling strong auth the story of the year. Is strong auth succeeding in the market? Yes. Is it the identity story of the year? More on that below.

8. "Risk Management" becomes the identity driver.

In conjunction with strong auth, we'll all come to see that "risk management" is the larger business driver behind the identity deployments in 2006. Watch the analysts as they bear this out - "risk management, risk management, risk management" -- it just sounds daunting ;-).

Grade: 1.

Reasoning: "Risk managment" began to get some play as the driver in identity circles -- especially as it relates to strong authentication. Still, at the end of the day, auditing and accountability, as driven by compliance initiatives landed at the top of the "driver" heap.

9. SAP comes to the party. Microsoft makes a splash with ADFS. The "big guys" concentrate on acquisition integration.

Okay, this is a three-parter (so that I don't go over the magic number of 10). 

1) SAP comes to the party - and I mean through more than simple "partnership" announcements. Shall we start a pool on who they buy? 

Grade: 3.

Reasoning: SAP bought Virsa -- a clear play in the identity-compliance space, but they didn't make the brand name acquisition I was expecting. Hence, the 3.

2) ADFS *accelerates* federation. Yes, we think SAML 2.0 will as well - but Microsoft can really flip the switch on federation by pushing ADFS out to their customers. WS-Federation is the fast-mover in 2006.

Grade: 3.

Reasoning: Federation *definitely* accelerated in 2006 -- maybe more so than any emerging category. But my sense of that acceleration is that while WS-Federation saw a large uptake, SAML still ruled the roost.

3) Translation: "Big Guys" - CA, Oracle, BMC, etc. "Integration" - "Our suite is better, more complete, faster, more efficient, cheaper, insert competitive differentiator, than theirs." On the side - watch Sun, RSA Security, and Novell - they won't really play this game, and may score some big wins because of it.

Grade: 5.

Reasoning: Have you spoken with a large identity suite vendor lately?

Average grade for #9: 3.6.

10. The Divide between User-centric and Enterprise Identity management is the number one conversation in 2006.

Its something we've identified and focused on for some time -- the two different conversations that are "user-centric" identity and "enterprise identity." The historical gap between these two areas is now being addressed by serious folks in the identity game -- and 2006 will see this be the most powerful conversation in the land.

Grade: 5.

Reasoning: I'd give us a "10" on this one if I could. User-centric identity dominated the discussion in nearly all identity circles in 2006. 

Total of Grades for 2006: 35.6 out of a possible 50.

Good enough to win money in Vegas.

Next up: Predictions for 2007.

Many digital identity technologies exist already; why does the world need OpenID?
Its ever-growing ranks of supporters prefer OpenID because it is fundamentally different from other identity technologies in at least two ways:

• OpenID is a fully decentralized system.
• OpenID has a much lighter cost structure than any alternative.

While other OpenID characteristics – like its use of addresses (URLs and i-names), its affinity to blogging and the pervasive availability of Open Source code supporting it – may be more apparent in the market today, it is OpenID's decentralized nature and cost advantage that provide its unique benefits. These benefits cannot be matched simply be retrofitting URLs on top of other identity systems, or by releasing more Open Source code for them.

Of course, as OpenID grows to cover additional use cases from its admittedly minimalistic beginnings, its cost of ownership will necessarily grow, and some companies will choose to deploy it in a more centralized fashion. However, as technology history has amply shown, just like it is always possible to re-centralize a decentralized system and never the reverse, it is always possible to add cost to a system, but exceedingly hard to remove it from a system that was not built in an extremely light-weight way from the very beginning. That puts OpenID into a unique position among identity technologies.

How is OpenID fully decentralized? It is, on many more levels of the stack than others:

• Users can host their own identity on any server they choose, without having to ask anybody for permission or approval; they can also choose to have it hosted by one of the increasingly many OpenID hosting services.
• Service providers can choose from a variety of software implementations from a variety of vendors and Open Source projects.
• As Brad Fitzpatrick (Chief Architect of Six Apart, Ltd.) put it, "OpenID does not crumble if any one company turns evil of goes out of business."
• The OpenID specifications are developed in an unencumbered, meritocratic process, that is open to participation by anyone who shows up.
• Anybody can use their own technical innovations within the OpenID framework, even if they replicate, or compete, with the OpenID specifications themselves.

This latter points is worth repeating: if tomorrow, for example, you decide you don't like the Diffie-Hellman cryptographic key exchange at the root of OpenID authentication, you can develop your own way of authenticating, and deploy it within the OpenID framework. If you have an idea for a new identity-related service that nobody else ever thought of, you can deploy it into the OpenID framework as soon as your code is ready. This radical decentralization on all levels of the stack, both technically and organizationally, is a very strong catalyst for attracting innovators and their innovations. This makes OpenID a superior choice for identity-related innovation.

How is OpenID's cost structure fundamentally lower? Consider the parallel with the cost structure of the web compared to the cost structure of predecessor client-server technologies. One can say that earlier client-server technologies could do everything that the web could do; in fact, they could do many things much better. They lost out against the web because the total cost of creating and operating a website was dramatically lower than the cost of building and operating a client-server application; and even more importantly, the cost of getting access to and using a web application was much lower than for a client-server application.

The fact that the first versions of HTML were a "toy" (compared to fully-featured alternatives such as SGML) was of no consequence; missing features got added over time, just like OpenID will keep adding features and grow to the same level, or higher, of other identity systems, just from much lower base cost. This is also why, unlike other identity technologies, OpenID is rapidly being adopted on the open Internet: Internet-scale adoption requires the twin properties of Internet-scale decentralization and Internet-scale cost structures, which other identity technologies do not have.

As OpenID marches on, we expect many of its benefits to accrue to:

• users are more secure, e.g. the phishing attack surface is reduced;
• their on-line experience is more convenient, e.g. fewer user names and passwords to remember;
• their on-line experience is more personal, e.g. because sites can more easily take advantage of identity information shared by the user with the site.

• they can simplify user registration, currently a major obstacle for customer acquisition;
• it allows them – with full approval of the user – to learn more about their visitors, and thus target their offerings better;
• they can reduce the attack surface for identity theft, because identity information that can be retrieved on demand through OpenID does not need to be stored by the site, and thus cannot be lost or stolen (e.g. backup tapes from a car)

• reputation services, which help both end users and site operators and represent a major business opportunity in itself;
• open social networks that are not confined to a single vendor's site;
• more secure, efficient and accountable messaging systems that one day could replace the protocols that e-mail runs on.

Some have told us they consider the OpenID community to lack a clear process or structure, to not solve the "real" problems in identity (yet?), or to be only applicable for low-end problems. They are probably right; however, we think of it as the early days of Internet-scale innovation in action, where these characteristics are desirable, not detrimental. The arguments are the same that were made against the Web in its early days, and the problems either were fixed or turned out not to be problems at all. There is no reason to believe it should be different for OpenID.

Full decentralization and a very light-weight cost structure directly attract and catalyze innovation unlike any other approach. In the end, that is why you should pay attention to OpenID.

Recently, a startup named Securent brought me back to thinking about "authorization." Securent has released some products to deal with what they're calling "entitlement management" at the application layer. The naming convention is interesting, and useful.

As the enterprise has come to deal with the networking of everything, the topic of "authorization" has risen to the top. Controlling "access" to the enterprise was always a nice first step, but it doesn't solve the problems of compliance in today's regulatory environment. Access control was the application layer's version of the network firewall, it created an "inside" and and "outside" and controlled who could get inside. This concept works well as far as it goes, but as has been found with firewalls at the network layer it doesn't scale well and it tends to fight the type of mobility networking seeks to deliver.

Authorization -- dealing with who has the right to do what with what, where, and when -- gets to the heart of the problem: what are people *entitled* to do. It jumps over proxy concepts like location, devices, etc. and goes right to the problem at hand. Thus, "entitlement management" as a category makes some sense. Is that just semantic trickery on the part of Securent in this case? Maybe, maybe not (I haven't seen the products). But it could be a useful semantic step in facilitating the conceptual shift from "barrier security" paradigms to the truly identity based paradigms networked computing requires.

Beyond authorization and entitlement, the breaking wave in identity is visibility. You can provision, federate, authorize, entitle, and audit - but what you're ultimately trying to provide is real-time visibility into a network. Seeing what's going on gives you the ability to enforce policy, but seeing across the entire networked environment of the enterprise is not an easy process.

And the authorization of entitlements is the next step in that process.

1. Ping Identity announced that the U.S. Department of Justice selected them to provide federation to over 7,300 local law enforcement agencies and 700,000 law enforcement officials. (Disclosure: I was the third guy in the door at Ping, and served as their VP of Marketing until July 2005.)

2. Sun Microsystems open sourced the code for their identity federation and web services framework (SAML and Liberty) - the core of federation in their Access Manager and Federation Manager products. The initiative is related to their recent OpenSSO effort and is dubbed Open Federation.

The federated identity marketplace has been growing nicely over the past several years, and all of the large identity management vendors have *some* level of federation functionality in their product sets. At the same time, some have questioned the adoption of federation. I take these two announcements together to signal that federation is now at the cusp of mainstream adoption in the large enterprise sector.

I think these announcements signal that for a couple of reasons. Ping's customer list is now representative of a clear, growing trend toward the adoption of federation technologies. Also, the "open sourcing" of products tends to signify a level of maturity in the market itself. Combining a major initiative at the DoJ and a major open source announcement would seem to indicate a market that is now past the stage of having to prove the worth of the initiative. Am I saying that federation is now "mainstream" in its adoption? No. But I am saying that the federation market has entered the mainstream adoption phase -- and its growth over the next 18-24 months should be roughly analogous to the growth of web access control and provisioning over the past 18-24 months.

One last note: I've just heard from Sun's PR firm that Sara Gates (who was the VP of Identity at Sun) has left the company. I take this tidbit of news to be quite important, as Sara has been a driving force for both the industry and inside of Sun. Interestingly, Mark McClain, who founded Waveset (the company that Sun bought -- and with that acquisition got Sara Gates), has started a new venture in the identity compliance space - Sailpoint. Will Sara be joining her old cohorts on a new water-related identity venture (Waveset and Sailpoint)? We'll let you know...

That finding led me back to wanting to speak with some NAC vendors, and luckily ConSentry contacted me to brief me about some of their new product releases (their InSight product, for those that are interested). What resulted was a realization for me: the dividing line of NAC vendors who understand where their products fit in an identity-based world, and those that do not, is centered on where the core of their functionality comes from.

If a vendor's NAC product is focused on the zone of "pre-admission" -- that is to say, the "admission" process -- then they do not see themselves as an identity-based product. If, on the other hand, the core of the functionality is focused on what happens "post-admission," they do see themselves as living in the identity space.

The reason for this is simple: "post-admission" identity-based NAC is centered around things like role-based provisioning at the network level, policy enforcement around roles, and the visibility and auditing of policies. All of these post-admission activities are driven by the functioning of identity within a network. (All of those capabilities, by the way, are what ConSentry is realizing are core to their customer's needs.) The driving force of this functioning is a customer base that now views the network perimeter as a dynamic zone of permissions and authorizations. Keeping people out isn't the order of the day, controlling what they do and knowing what they've done is.

On the other hand, "NAC" companies focused on "pre-admission" activities still view the network as a static wall. For these companies, the act of authentication and endpoint checking is still a binary switch. The "yes/no" decision results in a "policy" of you're in or out.

Companies like ConSentry seemed to have tapped into a cutting edge customer concern -- treating the network layer (and its accompanying identity problems) in the same way that one would treat the application layer. That focus, and the accompanying shift of NAC products toward "post-admission" activities seems likely to be the growing edge of a hot market.

Needless to say, Digital ID World will still be covering NAC.

1. Mashery launching: an API management service that offers, among other, things "access control."

2. Intel's Web 2.0 Business Suite: a suite of content management and distribution mechanisms that offers "single sign on" across the various applications.

All of this reminds me of how enterprise identity management (at the application layer) was built out. Identity began as embedded in the application layer, and only after the identity's non-interoperable proliferation did the vendor community respond by *abstracting* identity -- thus, resulting in identity management systems.

Is the web 2.0 world doomed to the same fate? Will web 2.0 companies embed non-interoperable identity in its applications and suites and only after identity's proliferation move to abstract it into its own web 2.0 identity management?

I hope not, but its not looking good (see the examples above).

First off, I think Paul represents the great majority of CIOs out there. Having been in the "identity business" since 2002, it becomes pretty easy to feel that since the community has grown so much so fast, the identity community's baseline of understandings *must* be the baseline for the population of IT professionals at large. That is clearly not true. In fact, "identity management" is still widely misunderstood and not widely implemented. While most enterprises now understand that they must accomplish some tasks associated with identity, that doesn't mean that they've gotten a larger perspective about identity. The result is that many identity projects are happening in isolation.

The "phased approach" to IT implementation is accepted as the safe route to not experiencing the debacle of a 7-figure, 36 month deployment failure. This is a good thing. But "phasing" doesn't mean operating in a state of isolation. Phasing should still take place within the larger context of understanding.

All of which brings us back to "identity management." Gaining an understanding of identity management should not simply occur by reading vendor product marketing literature (though I know it often does). The "learning curve" on identity seems to almost always include: A) a small-ish project initiated to achieve a business process goal (i.e., eliminate X costs associated with Y redundant sign-ins); B) a realization by the implementing team that there's a wider identity problem that they must fully grasp if they are to scale any success; and C) a gradual reworking of the architectural principles of the IT organization that makes identity the foundational and organizing paradigm.

So, how should one come to *understand* what identity management is? Begin by understanding the breadth and depth to which identity as a concept must be used as an architectural principle.

More on that to come...

Bryan was, of course, right. He also knew what he couldn't then predict -- that something like OpenID would come from the grassroots in an attempt to solve the internet identity problem. Yesterday, Technorati announced that it would support OpenID -- and in the blogosphere, compiling SixApart and Technorati and WordPress into the same boat gets you pretty close to critical mass. 

So the question remains: Is this a "tipping point?" Have we solved the "internet identity" problem? I'd say that its far too early to say that. There's still a dizzying array of "user-centric" stuff coming down the pipe, but if you have to isolate the major players at this point, you'd say OpenID, CardSpace and Higgins (where Higgins is more development environment, than user-centric stuff). 

Johannes Ernst, one of the primary drivers behind OpenID, is wagging his finger a bit at those that have argued that url-based identity systems are "toys" compared to "real" identity systems. While he's right to savor the current small victory, its still important to realize that SOAP-based systems of identity (SAML and WS-Federation) are still much more adept at maneuvering through high-risk transactions that take place online. 

Phil and I have been speaking a lot recently about the changing of security models in the enterprise. The three basic models actually seem to represent a learning curve that both enterprises and the vendors are evolving through. The three models lay out as follows:

The Security of Exclusion: The security of exclusion is a defensive model based around locking things up and protecting them. Under this model, authorization is the primary characteristic (not who you are, but are you authorized to come in), and identity is largely inferred via IP or MAC addresses. The security of exclusion is now largely about building small, defensible perimeters -- thinking almost solely in a location and domain-based sense.

The Security of Inclusion: The security of inclusion is evolution to a truly identity-based model. Under this model, the primary characteristic is providing the correct access to designated resources. Notice that the shift from authorization to access shifts identity from something that is inferred (exclusion and authorization) to something that is the fundamental quality that must be known (inclusion and access). The security of inclusion is now very advanced at the application layer (where traditional identity management products live), and is growing very quickly at the network layer (as traditional firewall and NAC products evolve from exclusion to inclusion).

The Security of Accountability: The security of accountability is what a fully realized identity solution is trying to offer. It begins from the premise that the networking of the enterprise "flipped the game" with regards to security. No longer is security the fundamental concept from which the benefit of identity falls. Now identity is the fundamental foundation upon which benefits like security can be built. The goal of the security of accountability is to provide *transparency* and *visibility* into the networked model. It seeks to always know who did what with what and whom when -- and to enforce policies around given parameters in real time. The evolution to the security model of accountability is what is driving the red hot areas of provisioning, identity-based compliance solutions, and some of the very very bleeding edge NAC product categories.

Taken as a spectrum of evolution, the models of exclusion, inclusion and accountability give us a lens through which to evaluate both enterprise projects (and their mindset) and the thinking of the vendors that are selling into the space.

There is, however, a category of usernames and passwords that identity management and password management has largely left unmanaged. This is the category of system administration logons for things like root or superuser access to operating systems, router or firewall configuration, hard coded logins to databases embedded in application scripts, etc. This category of system access has quite different characteristics from application and network user access. Among other differences, it is usual for there to be a single logon code that is shared by multiple administrators. This type of access for devices and systems is not usually constructed to track *who* is logging in, only to restrict access to authorized people (defined as anyone who knows the access codes.) These differences mean that managing this set of access requires a different approach than traditional identity management has so far provided.

The key distinction of this type of login authentication is that it is owned not by users, but by one or more systems. As a result this information is used by multiple people - everyone who administers or develops these systems or applications. Most companies today manage these privileged access codes outside of any other access management process. These range from administrators who keep the passwords in their heads, through those who write them down on a piece of paper somewhere, to those who combine them into an encrypted spreadsheet that is in turn passworded - creating a master key to all of the other system master keys.

These privileged passwords comprise a high value target for an unauthorized person who wants to alter how a system behaves for any reason. Compliance auditors are only recently coming to see this category as its own issue to be "brought into compliance" but they are increasingly calling it out as something that must be addressed. It takes little thought to realize that compromising this category of privileged passwords can create an "end run" around most of the security techniques an IT department might deploy.

I was reminded of this "small" problem when I read a recent announcement of a partnership between Courion and CyberArk to address it. I've followed Cyberark for a couple of years now, keeping it on my list of companies with an interesting technology looking for a market. Recently, they have taken on this problem of privileged password management and linking it to identity and they have crafted a unique approach that appears to address the problem in terms system administrators can accept. In the process, they have created an interesting type of provisioning of these system accounts across a network that allows a significant step-up in security as well as identity based tracking of who accessed the administration of what resource when. They have even created the capability for single use passwords for this type of access.

Managing privileged administrative passwords seems like a relatively small problem, as there are usually only a few people who use this type of administrative access. But having passwords live "in the clear" in application scripts, and the master keys live on paper or in spreadsheets creates an environment where administrative access code compromise is nearly untraceable and difficult to detect. Creating and enforcing a password expiration or minimum password strength policy for these administrative entry points is also difficult (which is why it is often done manually).

If you multiply the number of servers, application scripts with embedded passwords, firewalls, VPNs, etc. by the number of authorized administrators, you quickly see that this is a much bigger "exposed surface area" than it may at first seem. I don't know if the marketplace will think that CyberArk has the preferred solution method, but it is clear that identity management must find some way to address this problem if it is to provide the security and compliance capabilities it seeks. At least now there is a way to do it that people can think about, throw darts at, and innovate from - and that's a good thing.