Ian Glazer
Research Director
3 years at Gartner
16 years IT industry
Ian Glazer is a research director on the Identity and Privacy Strategies team. His research includes identity and access governance, access certification, entitlement management, user provisioning and role management.
by Ian Glazer | May 23, 2012
(The following is the statement I’ll deliver today at the National Strategy For Trusted Identities in Cyberspace event at the White House.)
Our way of thinking about identity management is outdated. This outdated thinking poorly reflects the way we interact on Main Street, and it doesn’t fit the needs of people and enterprises trying to interact on the Internet.
On the whole, current thinking regarding identity management is that of the Industrial Era. Enterprises are creating “company towns” for identity. In the Industrial Era, companies, such as Pullman, created towns for their workers to live in, and these towns provided all the services that the employees could use. In today’s identity “company towns,” the enterprise has created your identity, owns your identity, and you cannot use your identity anywhere else – it has no value or meaning outside of “the town.”
This model is problematic. First, this is antithetical to our belief in self-determination. Second, this model is costly. Enterprises have to create and support extra services to manage identities. This also increases information security risk because the enterprise possesses potentially sensitive information that it must protect, not to mention the problems and risks related to over-collection of personal information. The last problem with this outdated way of thinking is that it doesn’t reflect how the non-digital world works.
In the “real” world, I can choose how I want to be known and how much I want to share with others. I can pick my nicknames; I can choose not to share my name. I can choose to tell a merchant my phone number or that my first car was made in America.
Businesses have grown to accommodate and augment the way we interact. Companies offer services to help an enterprise strengthen individually asserted claims, such as my name and my address. Credit bureaus and other services help businesses gain higher assurance that the “Ian” in front of them is really me.
We must leave the “company town” model of identity management. We must shift our digital interactions to be more like our day-to-day, face-to-face ones. The evolution toward federated identity would mean that our identities are no longer owned by parties other than ourselves.
Just as in the real world, third parties can be consulted to help an enterprise have greater assurance that the “@iglazer” using its service is me. Such third parties can help the enterprise have greater confidence that “@iglazer” is over-21 and has a verified mailing address here in DC. By the way, the services offered by these third parties are new business opportunities.
With both greater assurance about the individual’s identity and confidence in what they claim about themselves, business can:
- avoid managing identities and thus not have to deploy extra services such as password reset
- reduce information risk by collecting less information about individuals
- deliver higher value services to the individual
In the last year, NSTIC has acted as a catalyst, not only for protocol and specification development, but has also driven policy conversations, and more importantly, business conversations. In a way, NSTIC has given the “all clear” signal for the business to get involved in this evolution of identity management.
I used to take calls from Fortune 500 companies asking, “Should we care about OpenID?” Now I take calls that ask:
- “What are business models for identity providers?”
- “What communities of interest are likely relying parties for our identity services?”
Within these questions lie new business opportunities that my customers are looking to capitalize upon.
Now is the time to act. Study your current use of identity – are you the mayor of an identity “company town?” If you truly think you own other people’s identities, take a hard look at whether that ownership brings enough value to offset the expense and risk of maintaining those identities. For most organizations, the risk and expense of owning identities outweighs any tangible benefits. For most organizations, owning identities is a vestige of outdated thinking. As NSTIC gains momentum, now is the time to plan and deploy for our federated future. I am very eager to hear from my fellow panelists and the audience what they are doing and what they have planned.
Category: Federated Identity Identity Management Market Tags: "identity commons", iiw, incommon, nstic
by Ian Glazer | May 17, 2012
It’s an open secret among us identity geeks that, despite all of federated identity’s progress, one thing has lagged significantly: relying party participation [1]. Getting relying parties to the table, to talk about challenges they have with identity on the Internet, has always been a hard problem. Although the identity community has grown, the number of relying parties getting involved with things like the Internet Identity Workshop hasn’t kept pace.
Willingly or not, NIST’s National Strategy for Trusted Identities in Cyberspace (NSTIC) has taken up the challenge of increasing relying party participation. Without real-life use cases based on actual business problems, NSTIC is, though aspirational, vague. However, armed with a set of discrete use cases, NSTIC (and more importantly the identity community) can begin to craft solutions, discover unforeseen challenges, strengthen protocols, and tackle policy issues. But getting these needed use cases requires relying parties to be involved.
To that end, NSTIC is hosting an event at the White House on Wednesday, May 23rd. The program office has invited over 100 companies, all of whom are potential relying parties. These companies are household names, spanning multiple industry sectors. In short, they are a cross-section of the economic engines of this country, and by bringing them together in a safe space, the NSTIC program office hopes to pick up the pace of relying party engagement and bolster the ranks of companies who can become more efficient and unlock new value by using federated identity.
But there’s only so much convincing the government can do directly. At the event, I’ll be participating on a panel of companies from different industries discussing the value they can recognize by using the techniques that NSTIC promotes. I am going to try and tweet as much as I can from the event and will follow up with a post on its results. If you want to keep tabs on NSTIC’s relying party party, follow me, and tune in on Wednesday May 23rd at 10am eastern.
[1] I know that getting identity providers to play is an issue too, but that seems to be an easier problem to solve.
Category: Federated Identity Tags: iiw, nstic
by Ian Glazer | May 8, 2012
Last week was the Internet Identity Workshop. It is hard to believe it is the 14th IIW; it has definitely come a long way in both attendance and content. I think the biggest takeaway from IIW for an enterprise IAM professional is – be ready to coexist.
Identity standards, such as OpenID Connect and SCIM, are evolving rapidly. There were no less than three sessions on SCIM at which the curious and the contributors wrangled out issues. (As I commented on Twitter, I really wish that IIW existed back when we were working on SPML – a lot of pain could have been avoided.) I am cautiously optimistic that SCIM will gain appreciable traction in the next year, and the same is true of OpenID Connect.
In the not too distant future, our SAML infrastructures are going to have to be comingled with our OAuth and OpenID Connect infrastructures. (I highly recommend reading the notes from the enterprise OAuth infrastructure session.) Our proprietary provisioning connectors will push attributes alongside our SPML and SCIM-based connectors.
Although we might be ready for coexistence at the protocol level, we certainly aren’t there at the policy and semantics level. Getting a complete picture of who a person is, what they access, and why they have that access is only getting more complicated. Constructing administrative and runtime authorization policies that work in concert, across multiple protocols, is just not something that happens these days. Answering the question “who can do what” still requires a human to be involved to correlate policy and audit information from a variety of sources. As our identity universe expands and we have to serve more constituents across more devices via more protocols, the need for better analytics and policy only continues to grow. That’ll make a good session for the next IIW…
Category: IAM Tags:
by Ian Glazer | April 27, 2012
This week, I had the pleasure of presenting at this year’s InCommon ConFab. Jacob Farmer of Indiana University and the rest of the InCommon team put together a great day-and-a-half program. Putting people like Bob Morgan (University of Washington), Ken Klingenstein (Internet2), and Anil John (GSA FICAM) on stage to talk about federated identity challenges not only the audience but also the speakers. Even though Bob, Ken, Anil, and I all had different perspectives, there were some shared themes.
Federated authorization is the real game… a few people are playing it
The predominant focus of federation has been to establish single sign-on, but federated authentication is just a small part of the much larger federated identity game. Even where communities of interest such as aerospace and defense, education, and the US federal government have formed to foster federated environments, federated authorization remains quite immature, especially compared to authentication. Simply put, it is what happens after SSO that should be our keen interest. BTW, I’ll have more to say on this throughout the year and have a talk on it at Catalyst as well.
Context is key but we aren’t sure what it is
Each of us acknowledged the importance of context, especially in authorization and privacy-related scenarios. But an astute audience member pointed out that none of us had defined it. I’m still working this out, but here’s an early set of thoughts. Strictly speaking, context attributes are what’s left over when you eliminate subject and resource attributes. But what is that? I can think of at least two sets: external and shared attributes. External attributes include time of day, current load on the server, and weather conditions. Shared attributes are, as the name implies, attributes shared by subjects and resources, such as relationship. This is an incomplete set, and the problem of defining and representing context definitely needs more than just a few of us tinkering with it.
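To make the split concrete, here is an added example (mine, not from the post or any product) of a small attribute-based access control decision function that treats context as whatever remains after subject and resource attributes are removed, and then distinguishes external context (time of day, server load) from a shared attribute (the relationship between requester and record owner) that is derived from both sides rather than asserted by the caller. The policy, org chart, attribute names and requests are all constructed for illustration.

```python
# Added example: ABAC decision using subject, resource and context attributes.
# The policy, org chart and attribute names are constructed, not from the post.
SUBJECT_KEYS = {"subject.id", "subject.role"}
RESOURCE_KEYS = {"resource.id", "resource.type", "resource.owner"}

# Constructed org chart: employee -> manager.
ORG_CHART = {"bob": "alice", "carol": "alice", "alice": "dave"}


def partition(request):
    """Context is what is left once subject and resource attributes are removed."""
    subject = {k: v for k, v in request.items() if k in SUBJECT_KEYS}
    resource = {k: v for k, v in request.items() if k in RESOURCE_KEYS}
    context = {k: v for k, v in request.items()
               if k not in SUBJECT_KEYS and k not in RESOURCE_KEYS}
    return subject, resource, context


def shared_attributes(subject, resource):
    """Shared attributes describe the pair. The relationship is derived from the
    org chart, never read from a caller-supplied 'relationship' field, so a
    requester cannot simply claim to be someone's manager."""
    who, owner = subject.get("subject.id"), resource.get("resource.owner")
    if who == owner:
        rel = "self"
    elif ORG_CHART.get(owner) == who:
        rel = "manager"
    else:
        rel = "none"
    return {"relationship": rel}


def decide(request):
    """Return (decision, reason) for a read of a performance review."""
    subject, resource, context = partition(request)
    if resource.get("resource.type") != "performance_review":
        return "deny", "policy only covers performance reviews"
    shared = shared_attributes(subject, resource)
    # External context comes from the environment, not from either party.
    hour = context.get("env.hour", -1)
    load = context.get("env.server_load", 1.0)
    if not 8 <= hour < 18:
        return "deny", "outside business hours"
    if load >= 0.9:
        return "deny", "server under high load"
    if shared["relationship"] in ("self", "manager") or subject.get("subject.role") == "hr":
        return "permit", f"relationship={shared['relationship']}"
    return "deny", "no qualifying relationship"
```

Note that a caller-supplied "relationship" key lands in the context bucket and is ignored by the policy; only the derived shared attribute counts.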
Speaking of that… I’ll be at IIW next. Anyone interested in kicking federated authorization and/or context around? See you in Mountain View.
Category: federation IAM Privacy Tags: context, federation, higher education, incommon, internet2, Privacy, SAML, XACML
by Ian Glazer | April 18, 2012
In case you didn’t notice, it’s an election year here in the States. So having taken over the reins of the IdPS research agenda, I wanted to get a jump on the candidates, and announce the first three planks of our platform:
- Constraints are good
- The future is federated
- Relevance is contextual
Constraints are Good
Constraints force us to be creative. Constraints, whether of budget or scope, force enterprise identity teams to better prioritize requests, reuse technology, and identify real business needs. And where external constraints don’t exist, teams must self-impose them. Identity teams acting without self-imposed constraints have promised too much (such as automating provisioning to every major enterprise system) and delivered too little. Where vague requirements exist, clarify them. Where constraints are lacking, self-impose them.
The Future is Federated
The future is federated—regardless of whether your business participates in a federation and regardless of whether you accept third-party issued digital credentials today. To meet the needs of a mobile workforce, to weave cloud services together with your on-premises services, to have more trustworthy interactions with customers, you will have to federate – even if it is only with yourself. By the way, this is why endeavors such as the National Strategy for Trusted Identities in Cyberspace (NSTIC) are important.
Relevance is Contextual
Identity management has been successful in offering a core set of services: on-boarding, access management, SSO, etc. If we (identity professionals) continue to only focus on the basics, we will quickly become commoditized IT operations. Identity management needs to maintain continued business relevance by enhancing its ability to adjust to different business contexts. The ability to offer a blend of identity services to meet business requirements is crucial, but to do this you have to have a keen ear for business expectations.
Our Platform, Your Platform
These ideas will inform and influence what the Identity and Privacy Strategies team researches and how we communicate in the coming year. But as I said, these are just the first three planks of the platform. As the new agenda manager for the team, I want, I need your input. What topics do you want to hear about? Where else should we shine a light? I want to hear from you. Stop me in the halls of our upcoming Security Summit or Catalyst. Hit me up on Twitter or via email (firstname.lastname@gartner.com). Help us strengthen this platform.
P.S. We are hiring. Want to join the team? Apply here.
Category: federation IAM Identity and Access Governance Privacy Provisioning Tags: