Blogger: Kevin Kampman
Catalyst 2008 went by so quickly, but that’s always the case when you are having a good time. It started off well, particularly when Bob Blakley couldn’t tell me (Kevin Kampman) apart from Mark Diodati on stage during the Market Overview. It helped that we had “Anonymizer 2008” bags over our heads, but Bob’s confusion is a good sign that lifestyle changes are at hand.
Conference attendees indicated their appreciation for the new presentation format; however, the changes are more than cosmetic. Several perspectives were presented that offer the potential to change the identity industry for the better. In particular, Bob introduced “relationships” as an overarching theme for the establishment and continuity of interactions.
Tim Weil, Vice Chair of the INCITS CS 1.1 Role-Based Access Control (RBAC) Working Group, discussed that group’s effort. His group is developing a standard for the implementation and interoperability of RBAC components described in INCITS 359-2004. Widespread adoption of the standard has been impeded by a lack of practical guidance; this effort is an attempt to resolve these issues. A military perspective was provided by Russell Reopell of MITRE, who discussed ABAC, or Attribute-Based Access Control. This approach requires qualitative attributes, such as roles and other characteristics, that can be evaluated singly or in combination by policies to make access decisions in real time. It is particularly relevant in situations where pre-registration of users is not possible.
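The ABAC approach described above, as an added example (not from the post, INCITS, or MITRE): a default-deny decision function whose policies evaluate subject, resource and environment attributes singly or in combination, and which never consults a user registry, so an unregistered subject is judged solely on the attributes presented with the request. Policy names, attribute names and values are constructed for illustration.

```python
# Added illustration of attribute-based access control (ABAC); constructed
# policies and attribute bags, not a standard or product implementation.

# Constructed ordering of classification labels (higher index = more sensitive).
LEVELS = ["unclassified", "confidential", "secret"]

def dominates(clearance, classification):
    """Single-attribute test: does the subject's clearance cover the label?"""
    return LEVELS.index(clearance) >= LEVELS.index(classification)

# Each policy is (name, action, rule). A rule is a predicate over the subject,
# resource and environment attribute bags and may combine several attributes.
POLICIES = [
    ("read-releasable", "read", lambda s, r, e:
        dominates(s["clearance"], r["classification"])   # subject vs resource
        and s["nationality"] in r["releasable_to"]        # combined with a release list
        and e["hour"] in range(6, 22)),                   # environment attribute
    ("edit-own-org", "edit", lambda s, r, e:
        s["org"] == r["owner_org"]                        # organisational attribute
        and s["role"] == "editor"),                       # a role is just another attribute
]

def decide(subject, resource, environment, action):
    """Default deny: return (permitted, policy_name) for the request.

    No user store is consulted; the subject is whatever attributes were
    asserted for it (for example, by a federation partner), so a subject
    that was never pre-registered can still be evaluated.
    """
    for name, policy_action, rule in POLICIES:
        if policy_action != action:
            continue
        try:
            if rule(subject, resource, environment):
                return True, name
        except (KeyError, ValueError):
            # A missing or unknown attribute can never satisfy a policy;
            # keep evaluating the remaining policies, then fall through to deny.
            continue
    return False, None

if __name__ == "__main__":
    subj = {"clearance": "secret", "nationality": "CA", "org": "org-a", "role": "editor"}
    res = {"classification": "confidential", "releasable_to": {"US", "CA"}, "owner_org": "org-a"}
    print(decide(subj, res, {"hour": 10}, "read"))   # permitted by read-releasable
    print(decide(subj, res, {"hour": 23}, "read"))   # denied: outside the time window
```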
A practical need for role interoperability has been expressed by Darran Rolls of SailPoint, who recently established the Open Role Exchange Forum. This forum was discussed during the Role Management and Provisioning vendor panel (including Rolls, Aveksa’s Jim Ducharme, Sun’s Nick Crowne, Oracle’s Jeff Shukis, and Eurekify’s Ron Rymon). The exchange represents an opportunity for more seamless enterprise role implementations by addressing how to normalize role definitions across multiple platforms. The panel concluded that role management and provisioning represent parallel, complementary initiatives that will benefit the business and administrative communities, respectively.
Ken Anderson, of Burton Group’s Executive Advisory Program, helped me to address a topic of significant interest to the business community: representing the value of role management. In a role play that featured Riley the Cat (a loose metaphor about conversations with executives), Ken and Kevin moved from a technical discussion of administrative trivia to a strategic overview of Return on Organization. The bottom line is that role management is a discipline, one that provides a relationship-driven perspective about the social dynamics of organizations. The point of the role play was how to speak to executives about business transparency and effectiveness, rather than administrative efficiency and compliance. The former is beneficial to the business, the latter to administration.
From a customer-centric perspective, it was standing room only for the Friday presentation and customer panel on identity services. The panel included Gavin Illingworth of Bank of Montreal, Susan Staples-Holt of MassMutual, Chris Harvison of Scotiabank, and Andrew Cameron, representing General Motors. Burton Group facilitated this year’s effort to establish the rationale and requirements for interoperable identity services. The multinational membership has grown to include contributors from financial services, manufacturing, telecommunications, and government agencies; additional interest has also been expressed by health services, pharmaceutical, and educational institutions.
The current vendor efforts towards identity services are more project- than community-driven. Customers are challenged to deal with the development and integration of identity services, particularly for cross-platform and legacy purposes. While there is a general perspective about what the services should accomplish, there is no agreement on their demarcation or specifications for how they should do this. In order to develop this guidance, and to prioritize development activities, the participants have agreed to invite vendors and standards community representatives to contribute to the effort.
The area that has seen significant traction is federation, but it has been challenged by the supporting capabilities and by agreement on the information exchanged at the endpoints. Given the breadth of opportunities, one area for investigation includes authentication, authorization, and attribute services. Another is session and context management. Each of these represents an elephant-sized task; by working together we hope to line them up trunk to tail in short order.
Interested parties should contact me at firstname.lastname@example.org for information on how to become involved. Our goal will be to develop shared requirements, a development plan, and an interoperability schedule to present during a joint customer-vendor panel at Catalyst 2008 in Prague.