<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" version="2.0"> 
	<channel> 
		<title>Kuppinger Cole Blogs</title> 
		<link>http://blogs.kuppingercole.com</link> 
		<description>Blogs - Kuppinger Cole + Partner</description> 
				<geo:lat>48.13</geo:lat><geo:long>11.56</geo:long><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/kuppingercole-blogs" type="application/rss+xml" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item> 
			<pubDate>Thu, 05 Nov 2009 11:56:30 +0100</pubDate>
			<title>Why cloud services will sell despite slowdowns in outsourcing and MSS growth</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2009/11/05/why-cloud-services-will-sell-despite-slowdowns-in-outsourcing-and-mss-growth/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2009/11/05/why-cloud-services-will-sell-despite-slowdowns-in-outsourcing-and-mss-growth/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>Within the last few months, I&#8217;ve read several news items about slowdowns in the growth of the outsourcing business and particularly the MSS (Managed Security Services) business, at least compared to the high expectations raised in the years before. Does that mean that the cloud is dead before it really starts? I don&#8217;t believe so, for several reasons:</p>
<ol>
<li>There are different numbers regarding the status and growth of the MSS and outsourcing market. Some are much more positive than others &#8211; and it is no surprise that the negative ones are cited most (even the IT press more and more acts like the yellow press&#8230;).</li>
<li>In days of economic turmoil (and we are still in these days, despite the quick recovery of the bonus mentality in financial institutions), customers tend to first drop external services before they fire employees &#8211; that affects MSS.</li>
<li>Outsourcing is sort of a &#8220;big beast&#8221; which is difficult to tame. It takes long preparation and it is inflexible. Overall, it needs to adapt to become more flexible and easier to use. Cloud Computing with its granularity of services is an approach to address the shortcomings of outsourcing.</li>
<li>Feedback I had from multiple CISOs regarding MSS is that the quality of service and the level of control are frequently insufficient &#8211; thus it is about implementation and delivery of MSS, not the overall concept.</li>
</ol>
<p>Two reasons, briefly explained, why the Cloud (in my understanding an approach for a flexible use of IT services with the ability to switch between and choose the best provider, internal or external &#8211; i.e. much more about service than about external things from the Internet) will be successful:</p>
<ol>
<li>If you think about a matrix like the one shown below with two axes, Outsourcing is just sort of the specialized approach to the cloud. And from our expectations, the sweet spot for most providers will be around &#8220;community clouds&#8221;, in the centre of this. That potential for industry clouds, community clouds, and point solutions hasn&#8217;t been unveiled yet. Thus, there is much more in the cloud than is discussed today.</li>
<li>The cloud is not new. It didn&#8217;t just appear in the sky but grew over years. SaaS has been out there for a while, service management as well. Not even to talk about outsourcing. The cloud is, from my perspective, just the result of an evolution from a tactical, opportunistic use of external services towards a strategic approach on how to best provide IT services (external vs. internal). We&#8217;re at sort of the &#8220;break-even&#8221;, to use an analogy.</li>
</ol>
<div id="attachment_228" class="wp-caption aligncenter" style="width: 1034px"><a rel="attachment wp-att-228" href="http://blogs.kuppingercole.com/kuppinger/2009/11/05/why-cloud-services-will-sell-despite-slowdowns-in-outsourcing-and-mss-growth/blog-2009-11-05/"><img class="size-large wp-image-228" title="Kuppinger Cole View of Cloud Segments" src="http://blogs.kuppingercole.com/kuppinger/wp-content/uploads/Blog-2009-11-05-1024x734.png" alt="Cloud Matrix" width="1024" height="734" /></a><p class="wp-caption-text">Cloud Matrix</p></div>
<p>By the way: The biggest risk for the cloud is too much marketing. But that was the same with Client Server, the Internet, and many other things. None of them disappeared, but all big changes took years to become reality. The same is true for the cloud.</p>
<p>I appreciate your feedback on that! And see you at <a title="Kuppinger Cole Events" href="http://www.id-conf.com" target="_blank">EIC 2010 and Cloud 10</a>, both to be held in Munich, May 4th to 7th, 2010.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Wed, 04 Nov 2009 15:50:17 +0100</pubDate>
			<title>Commenting Print: Welt Kompakt 4.11.2009</title> 
			<link>http://blogs.kuppingercole.com/rohr/2009/11/04/commenting-print-welt-kompakt-4-11-2009/</link> 
			<guid>http://blogs.kuppingercole.com/rohr/2009/11/04/commenting-print-welt-kompakt-4-11-2009/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/rohr">Sebastian Rohr</a><br><br><p>I guess it became unpopular to read printed news in some societies, but I really enjoy reading WELT KOMPAKT, a smaller printed form factor of the well-known daily WELT. Today, the more or less entertaining &#8220;Internet&#8221; section had a lead article called &#8220;Safe in the Web 2.0&#8221; or &#8220;Sicher im Web 2.0&#8221; by author Peter Zschunke. Eager to learn more about how &#8220;the general public&#8221; is informed about the dangers that lurk in the web, I read the mid-size article, featuring a James Bond-like shot of what seems to be a Security Ops Center. My interest turned into surprise, ending in a sort of rage when I finished the article.<br />
It takes quite some time and effort to make me angry, but I instantly &#8211; for the first time in my life &#8211; wrote a letter to the author and the editors, and it went like this:<br />
Dear Sir or Madam, dear Mr. Zschunke!</p>
<p>I read, at first with interest and later with growing astonishment, what the Welt Kompakt had printed as an editorial contribution in its Internet section. To me, this very one-sided reporting, which unfortunately shows little journalistic quality, sounds more like an advertorial than like good research and comprehensive information. Granted, the format and length mean that only a fraction of the problems of data security and data protection in Web 2.0 can be covered here – but then to seriously tell the reader that the company RSA has „the solution in the cupboard“ and could practically „magic away“ these problems if only the social networkers would finally get up out of their armchairs? I consider that not only incorrect, I consider it dangerous! Especially since „RSA“ really is not the product but the company name, and you, as I assume, are actually talking about a combination of the enVision product line with other tools. At least mentioning a few comparable technologies or vendors such as Novell, ArcSight, CA etc. would have done the neutrality some good… RSA's products and solutions are certainly recognized and effective – both in the analysis of (mis)behaviour and in access protection and encryption. But, to paraphrase the words of Bruce Schneier:<br />
„Whoever thinks that technology can solve his problems has understood neither the technology nor the problems.“</p>
<p>The problem with the very one-sided reporting remains – it is rather the concept of social networks, their data collection and data management, that needs work, and users need to be better educated. In my opinion, your article stands in the way of educating users, since it calls for technology without good reason although common sense would be a much better means of protection against abuse. This article leaves me with a very stale aftertaste.</p>
<p>There is nothing wrong with a good advertorial or product related story, but this was so blatantly one-sided, I just could not resist! I would love to discuss this with all of you &#8211; feel free to comment, mail or call me!</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 29 Oct 2009 10:17:50 +0100</pubDate>
			<title>The German data protection law starts to bite</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2009/10/29/the-german-data-protection-law-starts-to-bite/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2009/10/29/the-german-data-protection-law-starts-to-bite/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>The Deutsche Bahn has been sentenced to a penalty of 1.1 million Euro for breaches of the German data protection law, i.e. the privacy regulations in Germany. That is the record penalty based on the BDSG (Bundesdatenschutzgesetz), as the law is formally called. The reason for that penalty was abusive analysis of employee data to identify potential cases of corruption and fraud. Bank account data of suppliers and employees were compared. That became public, and there was a lot of public discussion about it &#8211; the topic was top in the news for several days. And the CEO, Hartmut Mehdorn, was (factually) fired.</p>
<p>However, dealing with corruption and fraud is a must for the management of any corporation. Heinrich von Pierer, the former CEO of Siemens, had to leave the company because he didn&#8217;t address corruption and fraud. Hartmut Mehdorn did it &#8211; and lost as well. Obviously, there are regulations in conflict. The problem of both was that they had no valid concept of which regulations are relevant, which are in conflict and how to deal with these conflicts. The Bahn analyzed far too much data and didn&#8217;t put that approach into a bigger concept, openly discussing it with the works council and so on.</p>
<p>So one lesson which should be learned by everyone with responsibility for compliance regulations (and the BDSG is one of them) is: Analyze the relevant regulations, clearly define the valid approach to deal with them, discuss it with the works council as far as employee data is affected, talk with your auditors &#8211; in fact, have a strategic approach on how to operationalize the regulations.</p>
<p>The second interesting aspect around the &#8220;Bahn&#8221; case is that the penalty is a record penalty &#8211; and only 1.1 million Euro, which is sort of paid out of the petty cash. Thus it hurt some people at the Bahn, who lost their jobs. But it is only a small penalty from the perspective of the large corporation. It seems that the BDSG is sort of a &#8220;law that has no teeth&#8221; (in German the saying is &#8220;toothless tiger&#8221;&#8230;). But there is good news (from the perspective of enforcing privacy and data protection): The new amendments of the BDSG will change things fundamentally &#8211; the tiger will get teeth.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Wed, 28 Oct 2009 17:42:51 +0100</pubDate>
			<title>#SAPTechEd – SAP Netweaver &amp; GRC Identity Management</title> 
			<link>http://blogs.kuppingercole.com/rohr/2009/10/28/sapteched-sap-netweaver-grc-identity-management/</link> 
			<guid>http://blogs.kuppingercole.com/rohr/2009/10/28/sapteched-sap-netweaver-grc-identity-management/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/rohr">Sebastian Rohr</a><br><br><p>#SAPTechEd &#8211; SAP Netweaver &#038; GRC Identity Management<br />
During the last 30 months I was rather critical towards SAP's approach on how to position and further develop the technology acquired from Norwegian MaXware in 2007. The visit to SAP TechEd 2009 in Vienna showed, through several technical presentations and direct interviews with people such as Keith Grayson, that SAP did a really good job in not only integrating MaXware into the Netweaver group but also coming up with a sound strategy on how to move forward with the whole offering. Besides the fact that the Business Objects GRC system still has some valuable functionality as a provisioning tool for complex environments, the capabilities regarding the “Netweaver to SAP application” provisioning can now safely be called “unparalleled” in the market. If you have access to the SDN platform, make sure to get your hands on the numerous slides in the SIMxyz track of TechEd. You can learn how to easily implement SAP Netweaver Identity Management, integrate with SAP Business Objects GRC and much more. As pointed out above, the joint deployment of the “standard provisioning engine” and the GRC one does have some benefits, especially if the Compliant User Provisioning (CUP) features are needed due to strong GRC requirements. It was stressed in the sessions that such a design needs to be planned very carefully and that cross-competence teams should be in charge of this to get all requirements and stakeholders represented in the final architecture.<br />
Regarding 3rd party system integration, the ongoing standardization plays into SAP's hands, as Keith and I discussed the growing relevance of SPML and SAML 2.0, which, by the way, has now been tested and certified to be working with SAP ID management solutions and might find its way into the core product in the future. More and more provisioning targets become easier to integrate, as the corresponding ISVs now see openness towards IAM solutions as a benefit.<br />
To sum the impressions up: Keith and all the others did a great job in “turning around a skeptical analyst”. I am positive that the current setup and strategy will result in a good position in the ever changing Enterprise Identity Management market for SAP.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Wed, 28 Oct 2009 17:14:52 +0100</pubDate>
			<title>#SAPTechEd – GRC cooperation between SAP and Novell</title> 
			<link>http://blogs.kuppingercole.com/rohr/2009/10/28/sapteched-grc-cooperation-between-sap-and-novell/</link> 
			<guid>http://blogs.kuppingercole.com/rohr/2009/10/28/sapteched-grc-cooperation-between-sap-and-novell/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/rohr">Sebastian Rohr</a><br><br><p>I already pointed out my personal satisfaction about the recently announced cooperation between SAP and Novell in the GRC market. This morning I had the opportunity to discuss the whole approach with Jay Roxe of Novell and Ranga Bodla of the SAP GRC group, both operating out of the US.<br />
Besides my enthusiasm about the materialization of something I suggested to be beneficial (every once in a while, analysts DO show that they are humans, too!), our views on business opportunities, market pull and demand for GRC in general were almost identical between the three of us.<br />
First let's check the market pull: both companies said they received multiple requests by existing customers to provide insight on how to couple the more business-GRC oriented SAP solutions and the more IT-GRC oriented SIEM tool Sentinel of Novell. As open APIs were already available and Novell had their products on the path to SAP certification, taking the next step and analyzing the related business opportunity was only a matter of weeks. The joint approach beyond using and testing the APIs was then tested by a large consulting and system integration company in their labs. Looks like when there is a proven market, everybody is interested in providing a solution.<br />
Second, the demand for End-to-End GRC solutions: as KuppingerCole indicated during last year's GRC event in Frankfurt, a more general and more broadly oriented solution would be necessary and on offer soon. Only 10 months later, not a single product but a joint solution IS available! SAP and Novell beat our projections and I guess it will take another 6-9 months before we either see another co-op or even a merger between two niche players to offer a competing solution or product.<br />
Third, the business opportunity: SAP, being the Business Intelligence provider they are, was quickly able to provide Novell with numbers on SAP GRC customers, and quite a few hundred of them were identified as possible candidates to be addressed for a joint deployment. Vice versa, existing Novell customers with SAP deployments turned out to be of a significant magnitude, thus both groups form a considerable target. We at KuppingerCole can only second that both the identified customers and the remaining “white space” in the market would benefit from a joint and integrated deployment – the former generating added value almost instantly – the latter reaping the benefits from the then (expectedly) available best practices generated by the early adopters.<br />
General perspective: KuppingerCole sees its own projections and analysis fulfilled ahead of time! SAP and Novell now have a considerable head start in the market and thus have the potential to counter offerings from Enterprise GRC vendors such as BWise, OpenPages or Mega due to the breadth and depth of the combined solution.<br />
If you would like to receive further insight into which GRC approach now makes sense for you, feel free to contact us and make sure to attend our upcoming related webinars: <a href="http://www.kuppingercole.com/webinars">http://www.kuppingercole.com/webinars</a></p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 27 Oct 2009 14:32:16 +0100</pubDate>
			<title>#SAPTechEd – Google Wave @ work // Enterprise 2.0?</title> 
			<link>http://blogs.kuppingercole.com/rohr/2009/10/27/sapteched-google-wave-work-enterprise-2-0/</link> 
			<guid>http://blogs.kuppingercole.com/rohr/2009/10/27/sapteched-google-wave-work-enterprise-2-0/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/rohr">Sebastian Rohr</a><br><br><p>Communication &#038; Collaboration &#8211; that is what email is all about &#8211; or should be.<br />
The GoogleWave concept mimics snail mail and a wiki at the same time, while being a protocol and an application as well.<br />
The demo looks like a cooperative instant-message chat, but showing character by character, making an almost f2f chat impression&#8230;<br />
Whoever has used OneNote online before may be used to seeing the joint changes of multiple participants in one document &#8211; but it is amazing to see even uploads of photos and other material into the wave in the blink of an eye.<br />
To see somebody adding a Google map into the wave and have it adjusted to show the right location IS amazing!</p>
<p>Let us put it like this:<br />
As a digital nomad and &#8220;never in the own office&#8221; worker, I want this, and I want it NOW!<br />
Now for Enterprise 2.0:<br />
adding SAP's Business Process Design tool Gravity to Wave enables cooperative work on new process designs inside the Wave.<br />
Re-designing processes to adjust to changes caused e.g. by Mergers &#038; Acquisitions now becomes easier due to real-time collaboration between subject matter experts. Cool user experience&#8230;</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 27 Oct 2009 14:02:12 +0100</pubDate>
			<title>#SAPTechEd – Original1 against Product Piracy</title> 
			<link>http://blogs.kuppingercole.com/rohr/2009/10/27/sapteched-original1-against-product-piracy/</link> 
			<guid>http://blogs.kuppingercole.com/rohr/2009/10/27/sapteched-original1-against-product-piracy/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/rohr">Sebastian Rohr</a><br><br><p>Again, sorry for bothering you with non-IAM information, but this is heavily interesting for those looking into Business-GRC.<br />
Just now, Nokia, SAP and Gieseke+Devrient announced the joint venture called Original1, which will offer SaaS solutions for anti-piracy and anti-counterfeiting projects.<br />
The goal is to enable customs officers, supply-chain service providers and possibly wholesale customers to check and verify whether a certain batch or delivery is actually original product or counterfeited merchandise.<br />
The solution will leverage technology by all three vendors, comprising SAP ERP back-end information, Nokia mobile device extensions for on-site reading/scanning of products and Gi+De technology to secure the process steps and information. The company will be led by Claudia Alsdorf as CEO and will be located in Frankfurt, Germany. As to specific requirements, the solutions will be technology agnostic and available on devices and systems not offered by the contributing parties.<br />
Target customers will be the brand-owners and vendors of high-value or high-risk products, e.g. luxury goods, pharmaceuticals or the like. </p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 27 Oct 2009 13:05:10 +0100</pubDate>
			<title>Q &amp; A from the XACML/ABAC Webinar</title> 
			<link>http://blogs.kuppingercole.com/gaehtgens/2009/10/27/q-a-from-the-xacmlabac-webinar/</link> 
			<guid>http://blogs.kuppingercole.com/gaehtgens/2009/10/27/q-a-from-the-xacmlabac-webinar/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/gaehtgens">Felix Gaehtgens</a><br><br><p>On the Webinar that Babak and I did on ABAC and XACML three weeks back, there were quite a few questions that popped up! Unfortunately we did not have time to answer all of them during the webinar, so we promised that we would collect them and answer them afterwards.</p>
<p>BTW today there is another webinar on a related topic: <a href="http://www.kuppingercole.com/events/n40068">The Critical Role of XACML in SOA Governance and Perimeter Web Service Security</a></p>
<p>Q: Please, specify the major difference between role mining (role consolidation based on role attributes) and the privilege giving mining approach?</p>
<p>A: (Babak) Role mining is about finding groups of permissions that can be bundled in terms of roles that can then be assigned to users. The idea of privilege-giving attribute mining is to find those attributes that affect permissions and use them to create access rules. Let’s take an example. In a business application, users may have been assigned permissions to Create and Release Purchase Orders, to Maintain Vendor Master data, Release Requisitions, Register Service Entry and Release etc. In a role mining project doing a bottom-up survey of permissions, an analysis of these permissions and how they are grouped into roles will be made. If a role called Purchasing combines all of the above permissions, we would probably identify a Segregation of Duties violation between the rights to Release Purchase Orders and the right to Maintain Vendor Master Data. As a result we would suggest remodeling of the Purchasing role to avoid the conflict. In a top-down approach, Role mining is about identifying a role in business critical processes that will need to be entitled with certain permissions in order to serve its purpose in that process. Role mining projects are typically about top-down and bottom-up combined, which in the end will lead to considerable efforts to map permissions to roles in such a way that everyone is able to do his or her job without acquiring excessive permissions – quite a daunting task.</p>
<p>An Attribute Mining project would, very much like the top-down approach in role mining, start with business processes to define which RULES for access can be derived. Example: Attestation of purchase orders exceeding the amount of $xx can only be made by users who a) belong to the cost center charged and b) have a management level of 10 or higher. From this rule we can derive that the following attributes are privilege-giving: a) the user profile’s cost center assignment, b) the user’s management level, c) the purchase order’s cost center and d) the purchase order’s amount. To verify, these attributes would allow a rule to be formalized like this: If user.costcenter = purchaseorder.costcenter and user.managementlevel&gt;=10 and purchase.amount&lt;=$xx then permit else deny.</p>
<p>Q: Tell me more / define better what you mean when you talk about a missing context of the RBACs model?</p>
<p>A: (Babak) What we argue is that RBAC is a static model which makes it difficult to capture the context that may affect an access decision.  If we try to capture the context for an access in terms of roles then we will easily get a role explosion. We may for instance need to differentiate permissions depending on time of day – some users have access only during normal business hours whereas others have 7*24 access. This could lead to the creation of two roles, one for normal business hours, one for extended access. Add other context-related conditions such as remote login, authentication strength, line encryption etc. and we end up with the need to capture very many different roles. It is worth noting that normal ERP systems typically need to handle very large numbers of roles (thousands) internally to capture all their user permissions. If a combined role structure from multiple ERP systems must be established with contextual aspects included, role explosion issues simply become unmanageable.</p>
<p>Q: I didn&#8217;t quite get the difference between attribute based access control and rule based access control. Can you elaborate?</p>
<p>A: (Felix) In a nutshell, the main difference between ABAC and RBAC is that RBAC revolves around the concept of the role. ABAC can use any attributes (including the role) so it is much more flexible.</p>
<p>A: (Babak) Attribute based access control is not in conflict with rule based access control. Rule based access control is about creating rules defining access permissions, but if these rules are based on attributes then we have a type of attribute-based access control.</p>
<p>Q: I understood there exists a better way in comparison to the RBAC model, but a language is not enough at all. You need a product which combines both. Is this the message you want to send out here?</p>
<p>A: (Babak) Well, the purpose of the workshop is to present the concept of ABAC and how it solves some of the common and well-known issues with RBAC. But you are right that we also need products to support this new approach. Axiomatics has a complete product suite to support xacml policy life cycle management 360. Most vendors of business applications and IAM products also have more or less elaborate support for XACML built-in.</p>
<p>Q: Is there a defined migration path from an established RBAC model to an ABAC model?</p>
<p>A: The OASIS XACML committee has released an XACML Profile for Role Based Access Control (RBAC) which can be used as a basis for migration projects. That said, one naturally needs to be aware of the constraints given by the architecture of legacy systems – “converting” an existing RBAC-based business application to an ABAC-based model may require a considerable effort. In some instances it may be more attractive to implement connectors that can provision attribute-based rules from a Policy Administration Point to application specific rule configurations which in turn may be RBAC based.</p>
<p>Q: How do you manage attribute based access to multiple resource? Traditionally, privilege attributes are bundled into roles and are assigned to users. If you have many attributes that control access to resources, doesn&#8217;t that increase administrative burden?</p>
<p>A: No, as we said in the presentation, the number of attributes needed to define access permissions will most likely be much smaller than the number of roles. This is because we will define access rules based on the attributes rather than representing different sets of permissions in terms of roles.</p>
<p>Q: Sounds like this method will have significant application impact &#8211; can you respond to this concern?</p>
<p>A: Yes, we believe that many applications will in the future implement the XACML request-response protocol. Already today, most large vendors of Identity &amp; Access Management products or applications that handle business critical data have some sort of “XACML story”.</p>
<p>Q: Is ABAC related to Claim Based Authentication? Are they like corresponding concepts?</p>
<p>A: (Babak) Yes, one way to see claims is as provisioning of attributes to the access control system, so these are definitely complementary technologies.</p>
<p>A: (Felix) Authentication and authorisation are two different concepts, but of course they are related: authentication tells us who the user is, and then authorisation tells us whether the user is allowed to do something. The concept of Claim-based authentication is based on the fact that a &#8220;Claim&#8221; will already deliver attributes to an application. What happens then? These attributes could be made available to the authorisation engine.</p>
<p>Q: Are there any good resources and real world examples to get started with ABAC?</p>
<p>A: (Babak) Well, a good place to start with is the XACML TC page. Axiomatics also has a very informative website (<a href="http://www.axiomatics.com/">www.axiomatics.com</a>) with all introductory information regarding ABAC and XACML.</p>
<p>A: (Felix) We also have recently released a <a href="http://www.kuppingercole.com/report/fg_xacml_report">XACML Technology report</a> that is available from our web site.</p>
<p>Q: RBAC seems quite static in maintenance after implementation; ABAC seems intensive in maintenance, since attribute values vary over time (daily, hourly etc.). Would it not make maintenance costs more expensive and more complex?</p>
<p>A: (Babak) Well, this is really the other way around. The idea is not to change the time attribute manually but to fetch the data from the right attribute source, which is perhaps a clock.</p>
<p>A: (Felix) To add to Babak&#8217;s point there: ABAC will make use of information that already exists in an enterprise. The initial maintenance cost would be to deliver those attributes to the policy decision engine. And for that, good technology such as virtual directories already exists.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 27 Oct 2009 12:14:32 +0100</pubDate>
			<title>#sapteched: too much twittering.. ;-) – but not enough on IAM &amp; GRC</title> 
			<link>http://blogs.kuppingercole.com/rohr/2009/10/27/sapteched-too-much-twittering-but-not-enough-on-iam-grc/</link> 
			<guid>http://blogs.kuppingercole.com/rohr/2009/10/27/sapteched-too-much-twittering-but-not-enough-on-iam-grc/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/rohr">Sebastian Rohr</a><br><br><p>Did you find yourself adding hash-tags in emails or &#8220;old-fashioned&#8221; blog posts recently?<br />
Well, I think we are all tweeting quite a lot (except for me, I do not spend too much time on it) and organizing tweets that way is a good thing, for sure&#8230;</p>
<p>In between two Netweaver security tracks I just wanted to give you an update on the cool show SAP put together once again! I already met so many friends and colleagues and usual suspects, I almost felt like visiting EIC ;-) in Munich.<br />
Novell made some great announcements recently and &#8211; to no surprise for me &#8211; their now combined SAP/Novell offering for end-to-end GRC does add a lot of value for customers of both companies.<br />
Just a few weeks ago, doing an invited talk at the SAP Partner Port in Walldorf with Loren Heilig, Managing Director of IBSolutions, I claimed that SAP does have a big advantage when it comes to Business GRC, while they really lack the depth needed to control everything down to the system level, aka &#8220;more technically&#8221;. As a complementary solution vendor, I showed some Novell slides, and the reactions were pretty &#8230; ambiguous.<br />
While the customer audience seemed to like the idea, the vendor representatives seemed a bit uncomfortable. Today, I find myself proven right by reality &#8211; my own little &#8220;analyst crystal ball&#8221; only had a &#8220;warning period&#8221; of roughly 4 months, though. Maybe I should get to London and place some bets before making my next presentations&#8230;<br />
SAP and Novell: congratulations! You now offer the most complete GRC approach in the market today (at least from my humble perspective!)</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Sun, 25 Oct 2009 12:43:01 +0100</pubDate>
			<title>Windows 7 and SmartCard removal behaviour… no system lock?</title> 
			<link>http://blogs.kuppingercole.com/rohr/2009/10/25/windows-7-and-smartcard-removal-behaviour-no-system-lock/</link> 
			<guid>http://blogs.kuppingercole.com/rohr/2009/10/25/windows-7-and-smartcard-removal-behaviour-no-system-lock/</guid> 
<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/rohr">Sebastian Rohr</a><br><br><p>Ok, this should be a blog about insights into the general Identity &#038; Access Management and Governance, Risk Management &#038; Compliance markets. Sorry to bother you guys with technology details (like the one about Win7 and 3G (UMTS) on netbooks) every once in a while, but I think one blog is enough to maintain and publish stuff to ;-)<br />
So, whoever started using Win 7 in a secure environment may have come across the issue that smartcard log-in works like a breeze these days, but you may be as puzzled as I was when I pulled the card from the reader and the system did NOT lock itself&#8230;<br />
Well, as my friend Walter Hofer of IDpendant was kind enough to investigate the issue (and let me know right after he found out):<br />
Even with a corresponding GPO set in the AD, Win 7 will refuse to lock the computer after the smartcard has been removed from the reader, as Microsoft chose to create a new system service called Smart Card Removal Policy &#8211; and its startup type is set to MANUAL. Unless you look that service up in the &#8220;Services&#8221; menu and change its start behaviour to &#8220;Auto&#8221;, you will not get the expected results.<br />
Just to give you a faster solution if this should happen to you, too!<br />
Keep up the safe &#038; secure computing experience!</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Sun, 25 Oct 2009 12:31:54 +0100</pubDate>
			<title>Vienna Calling</title> 
			<link>http://blogs.kuppingercole.com/rohr/2009/10/25/vienna-calling/</link> 
			<guid>http://blogs.kuppingercole.com/rohr/2009/10/25/vienna-calling/</guid> 
<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/rohr">Sebastian Rohr</a><br><br><p>Well, unlike Falco in his famous hit single, this time it is SAP who's calling the world's ERP elite to Austria's capital next week &#8211; and I am happy enough to participate in this one-in-a-thousand event that really stands out. My very high expectations regarding the expertise I am planning to meet are only paralleled by my curiosity whether (and if yes, who) there is gonna be a star like Zucchero performing as part of the event :-)<br />
Ok, back to the real issues, because there is a lot of work to be done while I am at the event. First of all, I will try to get as much in-depth technology insight as possible, and my agenda is bustling with activity around Netweaver Identity Management and SAP security. Especially the second, more general topic has some relevance, as I am looking into the SAP and 3rd party audit and compliance solutions available today. Besides SAP's own offering in the GRC arena, I am about to dive deeper into CheckAud of ibs Schreiber, a tool I came across in several Master's theses I have been advisor for. Next is &#8220;mesaforte&#8221; of Swiss Wikima4 AG and last but not least the SAST System Audit and Security Toolkit of Akquinet, especially since they now co-operate with my valued friends at Virtual Forge (some of my former Fraunhofer SIT colleagues are the founders).<br />
Do you have expertise in one of those? Are you at TechEd in Vienna? Make sure to meet me over a cup of coffee or a Stiegl Bräu beer!<br />
Looking forward to meeting you in Vienna!</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 22 Oct 2009 09:28:31 +0200</pubDate>
			<title>Social networks could be secure!</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2009/10/22/social-networks-could-be-secure/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2009/10/22/social-networks-could-be-secure/</guid> 
<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>Yesterday, I read an <a title="Article on social network security" href="http://www.n-tv.de/technik/Crawler-greifen-alles-ab-article555109.html" target="_blank">article</a> at a German news web-site about the recent security leaks found in the social network SchülerVZ. The article claims that social networks like SchülerVZ and Facebook (both are mentioned) don&#8217;t have any chance to avoid crawlers accessing personal data which should be presented only to friends. <strong>Ridiculous!!!</strong></p>
<p>Sorry, that is definitely nonsense!</p>
<p>It is very simple. You have some data which is visible only to some specific persons. You have an authorization policy, which might be expressed in the form of ACLs or XACML or whatever. Some application (the regular frontend, a crawler, an administrative application,&#8230;) tries to access data. You have done an authentication. You do the authorization by comparing the authentication information to the authorization information. You decide on whether access is allowed or not. That is done in millions of applications day-by-day. And that shouldn&#8217;t work with social network sites? I don&#8217;t see any real reason why!</p>
<p>For sure there are two reasons why at least some social networks don&#8217;t do that in this way:</p>
<ul>
<li>Bad software architecture: Security has to be done by design, from the very beginning. Otherwise it is hard to implement it. Unfortunately, many developers don&#8217;t design security in their products but add it at the end, as something painful they have to do at the minimum level.</li>
<li>Performance considerations: For sure security will affect performance. For any access, you will have to do security checks. You will even have to provide stronger authentication features. But it can be done. Providers will probably require some more hardware to keep the performance level of their social networks. But security has its price.</li>
</ul>
<p>But to be honest: These aren&#8217;t valid reasons. Either you are able to deploy a social network in a secure way and fulfill the data protection laws. Or you should shut the entire thing down. Given that it is possible to secure social networks, the operators should be fully responsible for any security breach.</p>
<p>By the way: Even the databases themselves can be fully secured. That depends a little on the database chosen and the additional technologies in place, like Oracle&#8217;s Database Security products (to mention one of the more advanced solutions). OK, that will again cost you some performance and some money. But again it is about &#8220;security first&#8221;. If the providers of social networks can&#8217;t afford the cost of security, their business model just doesn&#8217;t work.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 22 Oct 2009 09:14:22 +0200</pubDate>
			<title>XACML – why it is so important</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2009/10/22/xacml-why-it-is-so-important/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2009/10/22/xacml-why-it-is-so-important/</guid> 
<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>XACML (eXtensible Access Control Markup Language) is gaining increasing attention as one of the core standards in the field of information security and thus IT security. Whilst standards like SAML (Security Assertion Markup Language) address the problem of authentication, XACML is about authorization &#8211; the more complex challenge. XACML allows the definition and exchange of authorization policies in a heterogeneous environment. Whether it is about cloud security and controlling the authorization policies of cloud services or about SOA security for internal applications: XACML supports authorization management in such use cases.</p>
<p>However, there is no such thing as a free lunch: XACML requires not only tools like XML/SOA Security Gateways which support the standard, or cloud services with XACML support. There are two other important aspects:</p>
<ul>
<li>XACML in fact means a shift from a more static security approach like with ACLs (Access Control Lists) towards a dynamic approach, based on policies which are applied at runtime. These dynamic security concepts are more difficult to understand, to recertify, to audit and to analyze in their real-world implications. Thus, the use of XACML requires not only the right tools but well-thought-out concepts for policy creation and management.</li>
<li>XACML is just a foundation to express policies. Within a use case, policy concepts have to be defined. Over time, there should be higher level standards or defined use cases building on XACML and focusing on a standardization of the content of these policies.</li>
</ul>
<p>Anyway, XACML is very useful. One of the most interesting areas for XACML is SOA Security. Currently, many SOA-based applications still lack a valid concept for authorization. Authorization still frequently is built into these applications. XACML can provide the policies to externalize the authorization management and thus add flexibility to SOA-based applications.</p>
<p>Overall, it is &#8211; from my perspective &#8211; definitely worth spending some time exploring the potential of XACML to improve the security of systems and applications. There are many areas where XACML can be used successfully today. However, like with any emerging technology, there will be a lot of improvements in the managing and consuming applications (and, hopefully, around the standards or use cases building on XACML) over the next few years. Thus the step to XACML has to be considered carefully. The good thing is: It is about standards, thus the risk of lock-in isn&#8217;t that big.</p>
<p>We will talk in more depth in an upcoming <a title="Kuppinger Cole Webinar" href="http://www.kuppingercole.com/events/n40068" target="_blank">webinar. Register for free!</a></p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Wed, 21 Oct 2009 14:37:59 +0200</pubDate>
			<title>Show me your terrorists!</title> 
			<link>http://blogs.kuppingercole.com/cole/2009/10/21/show-me-your-terrorists/</link> 
			<guid>http://blogs.kuppingercole.com/cole/2009/10/21/show-me-your-terrorists/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/cole">Tim Cole</a><br><br><p>How many terrorists work for your company? Dunno? Well, see you in jail, pal!</p>
<p>I just came back from a meeting of the German chapter of IAPP, the International Association of Privacy Professionals, and the words of the chairman, Dr. Jyn Schultze-Melling, a lawyer with the firm Nörr, Stiefenhofer &amp; Lutz, still ring in my ears: &#8220;We are sacrificing employee privacy on the altar of anti-terrorism.&#8221;</p>
<p>It turns out that firms are required by law to check their employees&#8217; names against lists of terrorism suspects published by the United Nations and the European Union. In Germany, §34 of the AWG, the Foreign Trade Law, forbids companies aiding or abetting persons or organizations that endanger national security or the &#8220;peaceful coexistence of peoples&#8221; in any way &#8211; like, for instance, paying them a salary. Failure to comply with this law carries heavy fines; up to 5 years in jail for the CEO, for instance.</p>
<p>On the other hand, European data privacy laws prohibit routine scanning of personal data without due cause. So if nobody has done anything suspicious lately, running their names past the UN or EU lists is probably illegal in many countries.</p>
<p>Of course, tell that to the families after some nut explodes a vest of dynamite in your company canteen and slaughters a few of your employees.</p>
<p>So yes, companies have to screen their own people, but when exactly? On hiring? What if the employee has a change of heart two or three years later and signs up for the Muslim Brotherhood? Does that mean you have to scan periodically, maybe once or twice a year? And if you live in a country like Germany where the works committee has a big say in these matters, how do you ever hope to convince them?</p>
<p>According to Schultze-Melling, there are loads of even more mundane problems to consider. For instance, Osama Bin Laden would hardly use his real name when joining your company, and probably not even one of the score or so aliases he is also listed under in the UN list, but would choose an entirely new name instead. How about different spellings? After all, for an Arabic speaker, Ahmed Gamdi, Ahmad Al Gamdi, Ahmet Gamdi, and Ahmed Al-gamdi could very well be one and the same guy. There are more than 32 spellings for Libya&#8217;s Colonel Gaddafi (or Qadhafi, Kadafi, Gadhafi, Qaddafi, etc.). Are you legally required to check them all?</p>
<p>As if that wasn&#8217;t bad enough, you can try telling it to the cops who come to arrest your boss because one of your employees gave to the local chapter of the Holy Land Foundation, which funds Hamas, or the National Development Front in India, which finances Al-Qaeda. The UN and the EU, not to mention the US Department, publish lists of organizations they consider to be affiliates or fund raisers for international terrorists. Unfortunately, hardly any new employee mentions this in his hiring questionnaire, so what should you do? Periodically ask all your people whether they have joined a terrorist organization lately? Maybe hand them the list and ask them to make appropriate check marks. And what if they refuse &#8212; do you fire them? Anyway, answering in the affirmative could constitute an act of self-incrimination, so requiring it would itself be illegal in most civilized countries.</p>
<p>Until now, most HR departments have dealt with these questions in the handiest possible way &#8211; by ignoring them. Out of about 20 companies represented at the IAPP meeting, among them a few on the Fortune 100 list, only two raised their hands when I asked who has ever conducted a scan for terrorist suspects within their organizations.</p>
<p>My feeling is that this illustrates the legislative confusion surrounding identity and privacy on the governmental level, but it also points out some tough questions that need to be answered by identity pros before we can hope to achieve anything like a balanced approach to the legitimate concerns of citizens, employees and consumers about how authorities and employers handle their personal data on the one hand, and the requirements of businesses, bureaucracies and, yes, terrorism fighters on the other.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Mon, 19 Oct 2009 14:51:22 +0200</pubDate>
			<title>Martin Kuppinger: How to fight GRC Anarchy</title> 
			<link>http://www.kuppingercole.com/articles/mk_grc_anarchy191009</link> 
			<guid>http://www.kuppingercole.com/articles/mk_grc_anarchy191009</guid> 
<description><![CDATA[ In <a href="http://www.kuppingercole.com">Kuppinger Cole + Partner</a><br><br> <p>So whose job is GRC, anyway? Unfortunately, there is no clear-cut answer. Most intuitive solutions prove at closer glance to be just too simple. It can't be the CFO, because that would mean that he would be in charge of policing his own bailiwick. The CIO can't do it, either, unless we're talking about controlling the IT services that his department provides to the business units. 
The controlling department's duties are usually too limited. Other obvious candidates may include the CCO (Chief Compliance Officer) or the CRO (Chief Risk Officer), but both probably lack clearly defined functions.</p>  <p>This is why most companies approach GRC as an isolated solution. In the world of &raquo;Enterprise GRC&laquo; (which should more aptly be named &raquo;Business GRC&laquo;), it's all about business controls and how IT can support them. In practice, this means substituting less manual, more highly automated controls for spreadsheets.</p>  <p>Continuous Controls Monitoring calls for automated supervision of IT systems, typically with a focus on business processes. Unfortunately, these solutions seldom deliver what they promise. And so-called Process and Risk Control solutions which focus on the IT systems fall somewhere between Enterprise GRC and more technical solutions. </p><p>Of course, there are loads of very specific &raquo;GRC&laquo; offerings out there, including solutions involving attestation and recertification of access rights, which we should best call &raquo;IAM-GRC&laquo; (Identity and Access Management-related GRC), as well as a smattering of SIEM solutions (Security Incident and Event Management), a few odd BSM solutions (Business Service Management) and lots more. Mostly, they address a narrow range of controls in great detail and with a high degree of automation.</p>  <p>With no clear lines of responsibility for GRC or clean separation of duties, many companies suffer from &quot;GRC anarchy&quot;, with multiple, often self-defeating and costly projects being put in place by different departments. It doesn't help that vendors have been much too slow in achieving full integration between different systems and various levels of implementation. 
This, however, is essential if companies are ever to achieve seamless control of business and IT, along with the necessary automation and granularity, over their entire organization.</p>  <p>Getting there will call for strong leadership by the CIO. He's the one with the broadest overview, and only he can provide the necessary level of detail in creating IT-based controls for the entire firm. However, this also means that the CIO must be able to anticipate the needs of the business units as well as the demands of management for a comprehensive solution offering a clear overview of corporate GRC. The better the CIO does his job of convincing all concerned that the road to real GRC leads through integrated solutions, the sooner the company will achieve its goal of clear business-IT alignment.<br /> </p>  ]]></description>
		</item>
				<item> 
			<pubDate>Wed, 14 Oct 2009 07:53:50 +0200</pubDate>
			<title>Another approach to IRM</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2009/10/14/another-approach-to-irm/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2009/10/14/another-approach-to-irm/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>Last week I had a discussion with <a title="Seclore" href="http://www.seclore.com" target="_blank">Seclore</a>, a software company based in Mumbai, India. They are focusing on the area of Information Rights Management (IRM), one of my favourite research areas. I&#8217;m interested in this topic mainly for two reasons:</p>
<ol>
<li>Information Rights Management is one of the IT topics with the closest relation to the core business topic of Information Security/Protection (including Intellectual Property Rights, IPRs).</li>
<li>Information Rights Management is the approach which allows the ongoing protection of information at rest, in move and in use &#8211; compared to many other approaches which cover only one of these phases.</li>
</ol>
<p>Most solutions in that market are based on plug-ins into existing applications which enforce the IRM policies. The policies are managed centrally, and information (documents) is protected by encryption.</p>
<p>Seclore&#8217;s approach is different in that they do not necessarily rely on such plug-ins but mainly act &#8220;below&#8221; the application. The client component (which is required to access protected, e.g. encrypted, documents) tries to analyze the activities of the application, like access to the file system. One impact of that approach is that a document might be opened with different applications supporting the specific document format.</p>
<p>Even while I personally believe that implementing IRM functionality within the applications (the more common approach of vendors like Microsoft, Adobe and Oracle) allows tighter control over the actions of a user and application on a document, the Seclore approach has some appeal. It is lightweight and works well today with different applications and in different environments, beyond the enterprise. As long as there is no common standard for the interactions of applications (the policy enforcement points) and the IRM backend systems across different vendors, this is a workaround. And once there is such a standard, Seclore is very likely to support it. Thus, looking not only at the big vendors but also at Seclore makes sense in these early days of Information Rights Management.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Wed, 07 Oct 2009 09:35:01 +0200</pubDate>
			<title>Integration for the cloud</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2009/10/07/integration-for-the-cloud/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2009/10/07/integration-for-the-cloud/</guid> 
<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>On Monday I met with Matthieu Hug from <a title="RunMyProcess" href="http://www.runmyprocess.com" target="_blank">RunMyProcess</a> in Paris, an interesting start-up company in the &#8220;cloud&#8221;. Their focus is pretty easy: Integrate the cloud &#8211; with what you have internally and with other cloud services. At CeBIT 2008 I did a presentation about &#8220;SaaS&#8221; and related topics (we didn&#8217;t use the term &#8220;cloud&#8221; at that point in time). One of the three major issues I discussed as threats in that area (and would mention nowadays as cloud threats) is integration. How do you integrate external cloud services with other external services or internal applications? Some of these services provide a set of web service interfaces. But even then, integration is tough work.</p>
<p>RunMyProcess now provides an external &#8220;cloud&#8221; service to do that integration. They provide pre-configured web services of a series of (external) cloud service providers, including Salesforce.com, SAP BusinessByDesign, and GoogleApps. And they allow you to define processes which include one or more of these products. That allows you to build integration between such services and existing internal applications. It also allows you to enhance cloud-based services like GoogleApps. Matthieu told me that some of his customers are adding workflows to GoogleApps to replace Lotus Notes (even while I&#8217;d recommend the customer to consider LotusLive as an option in that case&#8230;). And there are some companies starting to create added-value services by integrating and enhancing cloud services, creating sort of &#8220;industry clouds&#8221; or &#8220;community clouds&#8221;.</p>
<p>I like the approach of providing an integration platform in that way. It doesn&#8217;t solve every problem (and more complex platforms built on top of classical application servers might provide some more functionality) but it is an answer to one of the biggest threats in the cloud. Thus it is definitely worth having a look at that solution. And it is just another example of the amount of creativity unleashed by the cloud evolution.</p>
<p>If you want to learn more about the cloud, you definitely should attend <a title="Cloud 09" href="http://www.id-conf.com/cc09" target="_blank">Cloud 09</a>, Dec 2nd-4th, Munich. And you should always have a look at the <a title="Kuppinger Cole Webinars" href="http://www.kuppingercole.com/eventformats/webinar" target="_blank">Kuppinger Cole webinars</a>. We do webinars on cloud topics frequently &#8211; and there are many recordings of cloud webinars available.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 06 Oct 2009 18:55:05 +0200</pubDate>
			<title>Sebastian Rohr: Identity Management: Challenge Outsourcing</title> 
			<link>http://www.kuppingercole.com/articles/sr_outsourcing_061009</link> 
			<guid>http://www.kuppingercole.com/articles/sr_outsourcing_061009</guid> 
			<description><![CDATA[ In <a href="http://www.kuppingercole.com">Kuppinger Cole + Partner</a><br><br> <p align="justify">In fact there are a number of good reasons why you should think about IAM (Identity &amp; Access Management) every time you think about GRC (Governance, Risk &amp; Compliance). Despite all the efforts to secure externally managed services and applications through policies and technology, gaps in the safety nets set up by those in charge of GRC remain. Third-party access to outsourced data is a good example. Just take maintenance and management services: written agreements on security standards and policies notwithstanding, reality shows that controlling, audit trails and internal compliance assurance measures are often incapable of closing every loophole. </p>    <p align="justify">What are the real problems? Take as an example hosted applications operated by one service provider but originally developed by another. The company information being processed is probably both valuable and restricted. How do you ensure that it isn't compromised when the developer has to run an update? And how is the developer to perform the necessary tests to ensure that the application won't crash once the update has been performed? Finally, how do you ensure that neither service provider can access the confidential data in the system itself? </p>    <p align="justify">Again, the answer is IAM when the situation calls for managing access rights, persons and identities in cases where external identities (service personnel) come in contact with internal data. Solving these issues requires legal and contractual procedures on the one hand and technical measures on the other. Given that all this is happening outside the administrative jurisdiction of the company itself, ensuring central management of access rights may very well require an external operations service provider, too. </p>    <p align="justify">But what path to follow? 
For existing installations, technical auditing may be the right answer in order to determine the true current status of access rights and protections. Based on the results, appropriate measures can be decided on and taken. Technically, these may consist of implementing Identity Federation between the three parties involved so as to reduce administration overhead. In the case of new applications, the best strategy is probably to switch to claims-based rights management, which does away with individual user and rights management, substituting one-time definition of access privileges for certain resources using challenge-response instead, thus enhancing the federation concept.</p>    <p align="justify">One thing is clear, however: In compliance, it never pays to underestimate the potential complexity. For instance, there are data protection issues and information leakage risks, as well as everyday garden-variety IT security problems. If you plan to outsource, these all need to be resolved. And while this may appear simple when dealing with a single outsourcing provider, it may prove a nightmare when a multiplicity of &quot;cloud computing&quot; providers are involved.</p>  ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 01 Oct 2009 13:25:20 +0200</pubDate>
<title>Martin Kuppinger: GRC – a heavily segmented market</title> 
			<link>http://www.kuppingercole.com/articles/mk_grc_heavily_segmark011009</link> 
			<guid>http://www.kuppingercole.com/articles/mk_grc_heavily_segmark011009</guid> 
<description><![CDATA[ In <a href="http://www.kuppingercole.com">Kuppinger Cole + Partner</a><br><br> There are the so-called &quot;Enterprise GRC&quot; vendors like Mega, OpenPages, or Bwise. But even between these there are significant differences. There are vendors working more at the level of CCM (Continuous Controls Monitoring), including companies like Approva. There are IAM-GRC vendors like Aveksa, BHOLD, Engiweb, Sailpoint, and several others. There are IAM solutions with added GRC capabilities - in the meantime most of them. There is GRC support in BSM (Business Service Management) applications. And, and, and... I don't want to unveil too much from the upcoming reports which you will find at our <a href="http://www.kuppingercole.com/reports" target="_blank" title="Kuppinger Cole Reports">website</a>&nbsp;but would like to focus on another aspect: <p>Which GRC approach to choose?</p><p>First of all, I believe that we have to use the potential of GRC for better interfacing Business and IT. There are business controls, there are IT controls. These have to be mapped. Thus, we should end up with solutions which support the business as well as the IT requirements. That will never ever be a single solution, but a combination of some: high-level controls and dashboards, CCM approaches and more specific solutions for different groups of&nbsp;IT controls. It should also be an approach which isn't only &quot;detective&quot; or, more correctly, &quot;reactive&quot; but finds the balance between proactive/preventive and reactive/detective.</p><p>The big picture is relatively easy to describe, as we have done in our reference architecture.</p><p>The way towards that is much more difficult. There are many influencing factors like the industry and size of the organization, the current organizational structure (especially around the responsibility for GRC issues), the process maturity of the organization, the maturity of IT management approaches, and so on. 
Thus there can be different (and more than one) starting points. But in any case, there should be a well-agreed (but coarsely described) &quot;big picture&quot; as the guideline for building a GRC roadmap.</p><p>I personally believe that three factors are most important:</p><ul><li>Providing quick wins </li><li>Providing a business view which, from the beginning, starts integrating with IT - manual controls alone aren't sufficient, it is always about the appropriate mix of manual and automated controls </li><li>Closing the loop - don't focus only on the reactive part (like with pure &quot;access certification&quot;) but start acting on the results, for example by integrating provisioning to fix the detected problems </li></ul><p>These are some of the most important criteria for choosing solutions in the GRC space.</p><p>Have a look at our <a href="http://www.kuppingercole.com/events" target="_blank" title="Kuppinger Cole Events">event website</a> for upcoming events and webinars around GRC.</p><p>And, for sure, don't hesitate to ask for our advice on building your GRC &quot;big picture&quot;.</p>  ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 01 Oct 2009 12:00:29 +0200</pubDate>
			<title>GRC – a heavily segmented market</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2009/10/01/grc-a-heavily-segmented-market/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2009/10/01/grc-a-heavily-segmented-market/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>GRC &#8211; Governance, Risk Management, Compliance. A typical buzzword, but well established right now. However, the problem of all emerging markets associated with a buzzword arises here as well: There are many different vendors with different types of offerings, all claiming to solve the GRC problem. But: The GRC problem has many facets and is (beyond &#8220;we have to manage risk, we have to be compliant&#8221;) largely undefined. We&#8217;ll publish a report in the next few days on a GRC reference architecture, followed by, probably in early November, a market segmentation report placing vendors in one or more appropriate segments. Like every valid and successful emerging market, GRC will move from a large set of different solutions towards a market with some well defined segments of vendors.</p>
<p>There are the so called &#8220;Enterprise GRC&#8221; vendors like Mega, OpenPages, or Bwise. But even between these there are significant differences. There are vendors working more at the level of CCM (Continuous Controls Monitoring), including companies like Approva. There are IAM-GRC vendors like Aveksa, BHOLD, Engiweb, Sailpoint, and several others. There are IAM solutions with added GRC capabilities &#8211; in the meantime most of them. There is GRC support in BSM (Business Service Management) applications. And, and, and&#8230; I don&#8217;t want to unveil too much from the upcoming reports which you will find at our <a title="Kuppinger Cole Reports" href="http://www.kuppingercole.com/reports" target="_blank">website</a> but would like to focus on another aspect:</p>
<p>Which GRC approach to choose?</p>
<p>First of all, I believe that we have to use the potential of GRC for better interfacing Business and IT. There are business controls, there are IT controls. These have to be mapped. Thus, we should end up with solutions which support both the business and the IT requirements. That will never ever be a single solution, but a combination of some: high level controls and dashboards, CCM approaches and more specific solutions for different groups of IT controls. It should also be an approach which isn&#8217;t only &#8220;detective&#8221; or, more correctly, &#8220;reactive&#8221; but finds the balance between proactive/preventive and reactive/detective.</p>
<p>The big picture is relatively easy to describe, as we have done in our reference architecture.</p>
<p>The way towards that is much more difficult. There are many influencing factors like the industry and size of the organization, the current organizational structure (especially around the responsibility for GRC issues), the process maturity of the organization, the maturity of IT management approaches, and so on. Thus there can be different (and more than one) starting points. But in any case, there should be a well-agreed (but coarsely described) &#8220;big picture&#8221; as the guideline for building a GRC roadmap.</p>
<p>I personally believe that three factors are most important:</p>
<ul>
<li>Providing quick wins</li>
<li>Providing a business view which, from the beginning, starts integrating with IT &#8211; manual controls alone aren&#8217;t sufficient, it is always about the appropriate mix of manual and automated controls</li>
<li>Closing the loop &#8211; don&#8217;t focus only on the reactive part (like with pure &#8220;access certification&#8221;) but start acting on the results, for example by integrating provisioning to fix the detected problems</li>
</ul>
<p>These are some of the most important criteria for choosing solutions in the GRC space.</p>
<p>Have a look at our <a title="Kuppinger Cole Events" href="http://www.kuppingercole.com/events" target="_blank">event website</a> for upcoming events and webinars around GRC.</p>
<p>And, for sure, don&#8217;t hesitate to ask for our advice on building your GRC &#8220;big picture&#8221;.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Mon, 28 Sep 2009 13:01:13 +0200</pubDate>
			<title>Beyond RBAC</title> 
			<link>http://blogs.kuppingercole.com/gaehtgens/2009/09/28/beyond-rbac/</link> 
			<guid>http://blogs.kuppingercole.com/gaehtgens/2009/09/28/beyond-rbac/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/gaehtgens">Felix Gaehtgens</a><br><br><p>Please join me tomorrow for a free Webinar on the topic &#8220;<a href="http://www.kuppingercole.com/events/n40063">Beyond Role Based Access Control &#8211; the ABAC Approach</a>&#8221;.</p>
<p>Many &#8211; if not most &#8211; organisations are not getting as much value as they thought from RBAC (role based access control). In fact, many RBAC projects start with high expectations, but quickly get bogged down due to many issues and problems. Eventually it turns out that the initial expectations were too ambitious. But why? Is RBAC making promises that are difficult to keep?</p>
<p>Many in the industry (Babak and myself included) think that this is due to the fact that the real world just happens to be too complex to model efficiently with RBAC. This means that organisations must be realistic about what they can achieve with RBAC, and mitigate some of its shortcomings. But isn&#8217;t there a better way? There certainly is, and that&#8217;s what we&#8217;ll be speaking about tomorrow. There&#8217;s nothing wrong about roles per se, but we need to add more context to them. Then finally, we can reap the full benefits of agile access management, reach and even surpass the value that was expected from troubled RBAC projects.</p>
<p>I am delighted to speak again on a Webinar with Babak Sadighi, CEO and one of the founders of Axiomatics. Babak and his colleagues are an extremely smart bunch of people who are very passionate about access control. They have researched the topic for many years. I&#8217;ve interviewed Babak at the last European Identity Conference, which you <a href="http://www.youtube.com/watch?v=XaYR3dlgQxc">can see here</a>. So if you&#8217;re interested in access and role management, <a href="http://www.kuppingercole.com/events/n40063">please join us tomorrow</a>, I promise that you will not be disappointed :-)</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 24 Sep 2009 09:42:11 +0200</pubDate>
			<title>VeriSign VIP – back again?</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2009/09/24/verisign-vip-back-again/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2009/09/24/verisign-vip-back-again/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>It has been pretty quiet around the VIP (VeriSign Identity Protection) solution. I played around with that solution some two years ago, when support for eBay and PayPal had been added. But after that I didn&#8217;t see much of VIP (and didn&#8217;t hear much of VeriSign, honestly). Until these days, when TriCipher and VeriSign announced a strong authentication solution for Google Apps. They call it &#8220;triple-sec&#8221; given that three different factors are used &#8211; the two provided by TriCipher and an out-of-band authentication based on VeriSign VIP Access for Mobile.</p>
<p>VeriSign VIP Access for Mobile is in fact an OTP (one time password) generator which runs on mobile phones. Overall, strong authentication can be achieved that way for TriCipher&#8217;s MyOneLogin service, which is the tool used. MyOneLogin is a cloud-based SSO solution for other (external) cloud or SaaS services which uses SAML to provide authentication information to Google Apps Premier.</p>
<p>The VIP support is offered for free for Google Apps Premier customers &#8211; as long as they use the strong authentication only for Google Apps Premier. If they&#8217;d like to extend this to other apps, it&#8217;s not free anymore. Anyhow, this is at least an interesting solution for companies who rely on these cloud services and require a relatively easy strong authentication solution. For sure you&#8217;d have to accept that you need your mobile phone in addition, but the alternative would be to rely on some soft-token approach or to carry another token or device to support strong authentication.</p>
<p>Besides the fact that the &#8220;for free&#8221; doesn&#8217;t last long in practice, given that most customers probably will secure other apps as well, the biggest question from my perspective is whether a cloud-SSO for cloud only (more or less) is the solution of choice. Customers that still rely heavily on internal (and non-web) applications might benefit more from a traditional E-SSO approach supporting internal as well as external applications of any type. However, integration of these tools with applications like Google Apps typically relies on traditional exchange of username/password in the background instead of the more advanced SAML approach provided for example by MyOneLogin. In other words: There are other options, but at least the TriCipher/VeriSign offering is an interesting approach worth having a look at.</p>
<p>To learn more about what&#8217;s going on in the &#8220;cloud&#8221;: Attend the Kuppinger Cole <a title="Cloud 09" href="http://www.id-conf.com/cc09" target="_self">Cloud 09 conference</a>, December 2nd-4th, Munich.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Fri, 18 Sep 2009 10:41:03 +0200</pubDate>
			<title>Cloud Business Models – a threat for vendors</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2009/09/18/cloud-business-models-a-threat-for-vendors/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2009/09/18/cloud-business-models-a-threat-for-vendors/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>During the last months I had a number of conversations with vendors about the licensing and business models for their cloud offerings. And frequently the conclusion was that the models aren&#8217;t really adequate for the cloud. Some might work today and for some period of time, but they are not likely to be successful on the longer term.</p>
<p>One of the obvious shortcomings is accounting periods which are too long and thus don&#8217;t provide the required flexibility, which is a key advantage of cloud services. Contracts which run at least 12 months or accounting periods which look at the peak use within a calendar month are not what we need for the cloud. Over time, customers will expect the ability to switch their provider quickly and to pay per use. For sure there are services where customers aren&#8217;t that likely to move ever or on short-term (salesforce.com, SAP BusinessByDesign). But I&#8217;ve seen that model as well at the platform and infrastructure level.</p>
<p>But pay-per-use models can be critical as well. If there are either too many elements in them or elements which can&#8217;t be predicted, these models don&#8217;t provide the advantage of reliable cost models, which is as well a key advantage that cloud services can and should provide. That is the same as with ISPs in the past &#8211; there will be a logical move to flatrate models. No one likes to become bankrupt because he is too successful.</p>
<p>The reasons for these sometimes inadequate business models are obvious:</p>
<ul>
<li>Many vendors in the cloud are experienced with classical, license-based business models and have no experience and sometimes little understanding of new cloud business models. They are insecure and have to learn.</li>
<li>Customers currently frequently accept these business models &#8211; but that will change.</li>
</ul>
<p>However, it is very interesting to observe the change in these business models over time. In the cloud, business models are always under stress test. The impact of actions of other vendors is strong. For example, Microsoft in fact has defined a maximum price tag for hosted Exchange services with their own offering. Providers which want to earn more will have to very clearly show the added value to their customers.</p>
<p>That will not automatically lead to a situation in which the cheapest provider wins. But for sure cloud service providers will have to react to what others are doing. Thus, flexible business models and an efficient production of cloud services are mandatory. Vendors who are not able to pick up the pace of these changes in business models are likely to disappear from the market.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 18 Aug 2009 17:13:35 +0200</pubDate>
			<title>Felix Gaehtgens: Quick Wins in Identity Management</title> 
			<link>http://www.kuppingercole.com/articles/fg_quickwins_idm_180809</link> 
			<guid>http://www.kuppingercole.com/articles/fg_quickwins_idm_180809</guid> 
			<description><![CDATA[ In <a href="http://www.kuppingercole.com">Kuppinger Cole + Partner</a><br><br> <p>With the current squeeze on cost and corporate spending, many IT departments find themselves in a true quagmire. On one hand, the IT industry is focusing on efficiency like never before - elaborating new approaches and processes to increase efficiency and do more with less. Governance and risk management is a big issue, and its absence has greatly contributed to the current crisis. IT is under scrutiny to be more of a business enabler and less of a cost center. All of this requires change, new technology, and strategic vision. But as IT spending is reduced or even capped, this creates a Catch-22 situation. Under pressure, some IT departments try for more tactical approaches that can eventually be expanded into a broader strategy. Quick wins are needed to get there.</p><p>So what are the quick wins that can be made in identity and access management? In order to get projects approved, many IT directors have to demonstrate a return on investment that must be almost immediate. I have heard of projects not getting approval unless ROI can be demonstrated in six months or in some cases even less. The good news is that there are some pockets of &ldquo;low hanging fruit&rdquo; in identity management that have a very immediate ROI. But keep in mind the old wisdom of &quot;think big &ndash; start small &ndash; grow big&quot;. Ideally your &quot;quick wins&quot; should be stepping stones in a broader, transformative strategy to deliver more value. </p><p>Consolidation</p><p>A good start is always consolidation. This can save money in staff time, server resources, license and support costs. For ROI calculations, the license and support costs will usually not translate into savings until a later date, but savings in staff time and server resources are usually immediate. 
Consolidation projects are also a vital step to get your house in order for a broader strategy to improve efficiency. Besides, consolidation is just good practice and is usually easy to get approved when the ROI case can be made. The key here is to get the maximum while spending the minimum of time and money.</p><p>In identity management, this is a good time to review the number of identity data silos in your enterprise and think about eliminating some through consolidation. A good way to do this is with virtual directories. Often applications are installed with their own directory server. Identity data is then duplicated through provisioning systems or synchronization mechanisms. Virtual directories can help eliminate some of those extra directory servers by allowing multiple applications to have multiple &ldquo;views&rdquo; of the data whilst connecting to the same physical data source.</p><p>The Evergreen: Login and Password simplification</p><p>It is a well known fact that most users have a problem with passwords. Not only do they tend to forget them and then need to be helped by service desks to reset passwords. It becomes exponentially worse when users have multiple different passwords that need to be remembered and changed at different intervals. It therefore should come as no surprise that projects that simplify the &ldquo;password mess&rdquo; are highly visible. The ROI is also well documented. However, comprehensive single sign-on is complex, lengthy and expensive to implement.</p><p>When password simplification is done in smaller steps, however, the value can be immediate. Because this has a high visibility from the standpoint of the users, the perceived value is usually significant. Focus on eliminating either additional passwords or sign-ons. For example, if two systems are using different passwords, you can think about a password synchronization between the two. 
If you already have a single sign-on system in place, there might be the possibility to add additional applications.</p><p>Role Management</p><p>Roles and groups are used to give access to resources and allow users to do things. As more applications are deployed, the number of roles increases. Often, roles are created for one purpose and then subsequently re-used for another purpose by another department or application, which can create unwanted entitlements. Sometimes roles are forgotten and never cleaned up. After some time, it becomes difficult to tell who actually has access to what, and who authorized the access. This can be - and usually is - a big problem. For those organizations that are regulated &ndash; for example by the Sarbanes-Oxley Act or Basel 2 &ndash; lengthy reports must be provided to auditors that contain information about access to high-risk and high-impact applications.</p><p>Role management projects can address these shortcomings and enforce proper controls, set up workflows for entitlements and attestation of access. For these projects, ROI can be quick to materialize and implementation time can be fairly short when &ndash; and this is important &ndash; priorities are set to focus on the most critical applications first. Once the initial quick wins are demonstrated, additional systems and applications can be added subsequently to the role management system.</p><p>Final words</p><p>As usual, those who take a good long-term view are usually rewarded most in the long run. But when strategic initiatives are out, and the thinking is tactical, the above mentioned areas have shown the potential for quick wins. These quick wins have additional benefits because they can be everybody, but that cannot be an excuse to do nothing &ndash; those who are smart and creative will be able to push ahead in front of others. Hopefully these ideas will help you deliver value in these tough times.</p>  ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 18 Aug 2009 16:59:42 +0200</pubDate>
			<title>Felix Gaehtgens: Novell takes off into the Cloud</title> 
			<link>http://www.kuppingercole.com/articles/fg_novell_cloud180809</link> 
			<guid>http://www.kuppingercole.com/articles/fg_novell_cloud180809</guid> 
			<description><![CDATA[ In <a href="http://www.kuppingercole.com">Kuppinger Cole + Partner</a><br><br> <p>Cloud computing is generating much interest. A recent statistic by Google has shown that hits for the phrase &quot;cloud computing&quot; are growing steadily. Why? In search of productivity and efficiency, enterprises are looking to offload non-core processes. The same reasons that fueled outsourcing in the last decades are now driving cloud computing. The promises are enticing, yet there are many open issues and worries - especially in terms of security and privacy. That (amongst other things) keeps many potential cloud computing customers sitting on the fence.</p><p>Novell has focused a large share of its brainpower extensively on cloud computing over the past year and has come up with a strategy and a set of products and partnerships. In fact, Novell's CEO Ron Hovsepian made the bold move to summon the company's development managers together at the time when the economic crisis was at its worst. Instead of talking to them about cost savings (just like everybody else), he rallied them to make an aggressive push forward to become a leader in the hot cloud computing infrastructure segment. This seems to have paid off - by focusing a large part of Novell's research on development in this area, the company has not only submitted 63 patents within the area, but also solved major issues around cloud computing security that until now held back investment by customers.</p><p>The recently announced &quot;Cloud Security Services&quot; seems like the pinnacle of Novell's focus. It provides a secure framework that cloud providers can use to connect to their customers. What's so special about it, compared to traditional federation technology? For the first time, Novell solves important parts of governance and auditing associated with software-as-a-service (SaaS) and other cloud services.<br />&nbsp;<br />Who will buy this product? 
Cloud providers, and therefore end customers in an indirect way. Cloud providers will need to prove to their customers all details about access, usage and entitlements. Before Novell took a stab at this, there hasn't been much. When it comes to accountability, the cloud has been murky at worst, or cloudy at best.</p><p>Implementing proper controls to ensure regulatory compliance and proper business practices is essential. But how can this extend off premises? As things become distributed - as is the case with cloud computing - audit logs are distributed as well, with no clear vision how to collect, combine and analyse this data in a comprehensive way. Novell seems to have solved this in an innovative way. The CSS product combines federation technology with SIEM, also known as &quot;Security Information and Event Monitoring&quot;. </p><p>An invariable question is what to do with this data, now that it is available and can be collected. Novell has partnered with a company called PivotLink that provides software for a complete online analysis of the collected information. This fits in with Novell's CSS like a glove - CSS will collect and correlate events and audit trails, and the PivotLink software acts as a dashboard to provide extensive reporting and analysis.</p>  ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 18 Aug 2009 09:00:36 +0200</pubDate>
			<title>Social OX – changing the way we work with social networks</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2009/08/18/social-ox-changing-the-way-we-work-with-social-networks/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2009/08/18/social-ox-changing-the-way-we-work-with-social-networks/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>Open-Xchange, a provider of open source messaging and groupware, has announced its concept of Social OX, OX standing for Open-Xchange and the concept of a &#8220;personal information hub&#8221;. The idea is to provide an approach where someone can maintain their &#8220;contacts&#8221; centrally and exchange that information with social networks like LinkedIn, Plaxo, Xing, Facebook, MySpace, and others. The idea is to consolidate, manage, and re-use personal and social network data.</p>
<p>The concept supports publishing data to others and consuming shared data. In effect, that information will become exchangeable, in contrast to today&#8217;s lock-in approach in most social networks. Data can be tagged and so on, allowing different data to be used for different contexts. That will even allow companies to integrate (respecting the data protection/privacy laws) available contacts aggregated from the individual contacts of employees, as one of many use cases.</p>
<p>Currently, HTTP and XML are the underlying concepts, allowing an easy adoption. But Open-Xchange considers approaches like information cards as well for the future. The focus is on common semantics and standardized interfaces to exchange that information. And Open-Xchange claims that several large social network providers are starting to support that concept.</p>
<p>Social OX is an interesting threat for providers of social networks, given that it opens them up. But will it also affect their <a title="Rise and fall of social networks" href="http://blogs.kuppingercole.com/kuppinger/2007/12/21/the-rise-and-fall-of-social-networks/" target="_blank">business models</a>? Currently, the lock-in is a part of the concepts. With approaches like Social OX (and the approach for exchanging social network information might be used by other vendors as well) that lock-in disappears, allowing platforms like Open-Xchange to be used to read the data out and publish it to another social network. That will allow a faster and easier switch between social networks.</p>
<p>However, it is unlikely that leading social networks will disappear. They benefit from the number of users and they especially benefit from their other services around the personal information which could be exchanged using Social OX. However, it will become easier for new social networks (and other systems relying on that information) to enter the market. Today, the value of new social network approaches is frequently low because there are too few users. That will become easier, even with the need for others to subscribe and import their data as well.</p>
<p>Social OX has the potential to influence the way we work with social network data and personal information, with Open-Xchange (and maybe other vendors) acting as personal information hub. It might as well allow new business models (think about personalization). And it might lead to a world with more successful social networks than today, due to lower barriers to market entry for newcomers. But as long as the market leaders focus on the added values for the network members and have a valid business model (which isn&#8217;t necessarily true for all of them today), Social OX will not lead to their replacement. However, they will have to learn to exist without the lock-in of their customers' social network information.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Mon, 17 Aug 2009 11:41:29 +0200</pubDate>
			<title>Martin Kuppinger: Is PAM (or PIM or PUM) moving into Provisioning?</title> 
			<link>http://www.kuppingercole.com/articles/mk_pimpampum110809</link> 
			<guid>http://www.kuppingercole.com/articles/mk_pimpampum110809</guid> 
			<description><![CDATA[ In <a href="http://www.kuppingercole.com">Kuppinger Cole + Partner</a><br><br> <p>Siemens didn&rsquo;t acquire but implemented some technology of their own. They mainly focus on providing one-time passwords for the use of privileged accounts and re-setting these passwords after use. This is combined with strong authentication, using smartcards. In fact it is sort of a mix between product (resetting passwords and all that stuff) and project (adding strong authentication using other products). But finally they became a pioneer in integrating PAM with provisioning.</p><p>There is no doubt that the leading PAM suites like the ones provided by Cyber-Ark or Lieberman Software provide a much broader feature set. However, integrating that with provisioning tools, identity lifecycles, and existing (self) service interfaces is a valid approach. I expect other vendors to follow, adding PAM support as well. However, the specialists will provide a more sophisticated solution at least for a pretty long period of time (unless they get acquired&hellip;).</p><p>But what Siemens has done proves my thesis on PAM moving into provisioning, servicing the specific requirements of customers. And it proves that PAM is moving from a niche topic towards a mainstream technology in the broader IAM market.</p><p>Regarding the term PAM (or PIM or PUM): I prefer Privileged Account Management because it is about accounts which are associated with a person and their digital identity. The user is sometimes associated with an account, sometimes more understood as a construct in between, e.g. a user-ID with some accounts associated, and sometimes there is the situation that one person with one digital identity has multiple user-IDs. For what is managed, PAM seems to be the most appropriate term, from my point of view.</p>  ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 11 Aug 2009 15:55:41 +0200</pubDate>
			<title>Identity – Last Man Standing?</title> 
			<link>http://blogs.kuppingercole.com/cole/2009/08/11/identity-%e2%80%93-last-man-standing/</link> 
			<guid>http://blogs.kuppingercole.com/cole/2009/08/11/identity-%e2%80%93-last-man-standing/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/cole">Tim Cole</a><br><br><p>Somehow the Hofbraeukeller in Munich, one of my favorite city’s nicest beer garden restaurants, seems to lend itself particularly well to long, meandering discussions of identity management. It’s the place the U.S. participants at the European Identity Conference regularly gather for their pre-conference pigs’ feet feast, and since it’s conveniently located around the corner from where I live, I often use it as a meeting place for visitors from all over the world. I mean, if you’re in Bavaria, by all means go to a Bavarian place for lunch instead of one of the ubiquitous sushi stalls.</p>
<p>I thought my latest guest, Tom Stewart, CFO of MultiFactor Authentication out of Irvine, CA, would be thrilled, but it turns out he spent two years working for Intel in Munich, so he’s been there and done that. Which is okay, because it gave us more time to get down to basics about his company’s strategy and products.</p>
<p>Tom is in the business of making security tokens obsolete. I know you’re going to hate this if you just gave a pile to RSA or Verisign, but MultiFactor believes that hardware-based strong authentication is poised to go the way of the dodo.</p>
<p>Of course, software tokens have been around for quite a while, but they are often considered to be weaker than hardware tokens, or else they require some fancy PKI architecture to make them safe enough for serious corporate use.</p>
<p>Well, think again, Tom says. His “SecureAuth” system sits inside the firewall and handles full bidirectional X.509 authentication for apps and other systems without any tokens or PKI infrastructure and, more importantly, at a fraction of the cost. The system used to connect the client with your company network is proprietary, but it uses SAML or any other system you want to use to connect to outside applications or SaaS providers. Just how they do it and whether it really works the way they say it does is beside the point here, but readers are invited to visit their website at <a href="http://www.multifa.com">www.multifa.com</a> for a free online demo and as much nerdy prose as you can stomach. (Tom is a marketing guy, but he is apparently surrounded by a team of true, dyed-in-the-wool techies.)</p>
<p>Personally, my attention perked up when Tom began to describe the way SecureAuth acts as a kind of gatekeeper for Active Directory (in 90 percent of cases, he says) or any other directory service you happen to be running.</p>
<p>This seems especially exciting to me when you consider it in terms of Cloud Computing, where we are seeing a rash of new cloud-based identity services. Bob Blakley of Burton described what he calls the “ability to build a virtual identity provider using a multitude of different services”. At the Catalyst Conference in San Diego a few weeks ago, he expressed his surprise that, unlike what everyone was expecting, providing identity services for the Cloud wasn’t turning out to be “this big monolithic thing”. Instead, the market is building a set of small specialty firms that handle identity tasks and offer discrete billable units that companies can put together. Ping, for instance, integrates PingConnect with Google Apps so a user&#8217;s Google ID can be used for single sign-on across some 60 online services.</p>
<p>Sourcing your identity management may appear to make good business sense, but does it really? After all, companies are sourcing just about everything else related to their IT. But Tom believes, and I agree, that identity management is the last thing you want to see going out the door. “As long as you control the directory, you control everything”, he maintains. Letting external service providers make changes or allowing them to make copies of your directory, which some do, is simply asking for big trouble.</p>
<p>My feeling, and it’s nothing more than that, is that companies will be very cautious in moving towards the cloud, choosing a step-by-step approach rather than taking the sudden plunge. As much as small and medium-sized enterprises would love to say goodbye to their IT and concentrate on their core business, they should draw the line at their directory, be it active or otherwise.</p>
<p>In fact, you could probably make a case for keeping only your directory and sourcing everything else, but then what is the poor CIO to do? Anyway, directory services might actually prove to be the Last Man Standing as corporate IT gradually disappears into Cloud-cuckoo-land.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 11 Aug 2009 13:13:17 +0200</pubDate>
			<title>Is PAM (or PIM or PUM) moving into Provisioning?</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2009/08/11/is-pam-or-pim-or-pum-moving-into-provisioning/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2009/08/11/is-pam-or-pim-or-pum-moving-into-provisioning/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>These days I have been talking with Siemens on enhancements for their DirX Identity product, a provisioning tool (and, by the way, a pretty good one). Amongst the new features is some support for Privileged Account Management (PAM). That&#8217;s interesting. I&#8217;ve <a title="Novell acquires Fortefi" href="http://blogs.kuppingercole.com/kuppinger/2009/02/20/novell-enters-pam-market-the-first-deal-in-the-next-wave-of-acquisitions-in-iam/" target="_blank">blogged some time ago</a> about the possibility of provisioning vendors starting to acquire PAM vendors and adding these capabilities to their provisioning products.</p>
<p>Siemens didn&#8217;t acquire but implemented their own technology. They mainly focus on providing one-time passwords for the use of privileged accounts and resetting these passwords after use. This is combined with strong authentication using smartcards. In fact it is sort of a mix between product (resetting passwords and all that stuff) and project (adding strong authentication using other products). But in the end they became a pioneer in integrating PAM with provisioning.</p>
<p>There is no doubt that the leading PAM suites like the ones provided by <a title="Cyber-Ark" href="http://www.cyber-ark.com" target="_blank">Cyber-Ark</a> or <a title="Lieberman Software" href="http://www.liebsoft.com" target="_blank">Lieberman Software</a> provide a much broader feature set. However, integrating that with provisioning tools, identity lifecycles, and existing (self-)service interfaces is a valid approach. I expect other vendors to follow, adding PAM support as well. However, the specialists will provide a more sophisticated solution, at least for a pretty long period of time (unless they get acquired&#8230;).</p>
<p>But what Siemens has done proves my thesis on PAM moving into provisioning, servicing the specific requirements of customers. And it proves that PAM is moving from a niche topic towards a mainstream technology in the broader IAM market.</p>
<p>Regarding the term PAM (or PIM or PUM): I prefer Privileged Account Management because it is about <em>accounts</em> which are associated with a person and their digital <em>identity</em>. The <em>user</em> is sometimes associated with an account and sometimes understood more as a construct in between, e.g. a user-ID with some accounts associated with it; and sometimes one person with one digital identity could have multiple user-IDs. For what is managed, PAM seems to be the most appropriate term, from my point of view.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Mon, 03 Aug 2009 14:53:35 +0200</pubDate>
			<title>Licensing for the cloud – the Skype case</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2009/08/03/licensing-for-the-cloud-the-skype-case/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2009/08/03/licensing-for-the-cloud-the-skype-case/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>These days, there were several articles in different media stating that eBay might discard its Skype service. The reason is that they haven&#8217;t acquired the underlying P2P core technology. This is still owned by Joltid. And Joltid plans to terminate that license agreement. One doesn&#8217;t need to be a prophet to guess that the real reason behind that situation is about money&#8230;</p>
<p>However, eBay definitely is in a difficult situation. They might find a deal with Joltid. They might discard the Skype service with its 16 million users &#8211; who probably won&#8217;t be that happy about it. They might develop their own P2P technology. Or they might replace the P2P technology. Given the limited time eBay has to solve the problem, the most likely options are that eBay either will find a new agreement with Joltid or will have to acquire another P2P technology. There are several P2P providers out there, some supporting phone capabilities, like <a title="Collanos" href="http://www.collanos.com" target="_blank">Collanos</a> Phone. There are Open Source projects like Gizmo. Thus there are some options. It will require some intense technical due diligence for eBay to choose the technology which allows it to continue the Skype service with somewhat equal features and not too much disruption for existing users. But there are solutions out there.</p>
<p>It will be interesting to observe which option eBay chooses. Given that I&#8217;m a Skype user, I&#8217;m really interested in the outcome. I&#8217;m also interested from the perspective of an analyst for the Cloud Computing market, because the situation eBay is in shows the inherent complexity of Cloud Computing with many different relying parties. Think about a situation where, just as an example, a database isn&#8217;t provided any more by the cloud computing platform it has been running on before, because the company providing the platform has terminated the agreement with the database vendor. That would be somewhat the same story. Thus, think about these dependencies and look at the potential problems&#8230;</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Mon, 03 Aug 2009 07:00:47 +0200</pubDate>
			<title>Microsoft: minimum disclosure about minimum disclosure</title> 
			<link>http://blogs.kuppingercole.com/gaehtgens/2009/08/03/microsoft-minimum-disclosure-about-minimum-disclosure/</link> 
			<guid>http://blogs.kuppingercole.com/gaehtgens/2009/08/03/microsoft-minimum-disclosure-about-minimum-disclosure/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/gaehtgens">Felix Gaehtgens</a><br><br><p>A good year ago, Microsoft acquired an innovative company called U-Prove. That company, founded by visionary Stefan Brands, had come up with a privacy-enabling technology that effectively allows users to safely transmit the minimum required information about themselves when required to &#8211; and for those receiving the information, a proof that the information is valid. For example: if a country issued a digital identification card, and a service provider needed to check whether the holder is over 18 years of age, the technology would allow it to do just that &#8211; instead of having to transmit a full data set, including the date of birth. The technology works through a complex set of encryption and signing rules and is a win-win for both users who need to provide information as well as those taking it (also called “relying parties” in geek speak). With the acquisition of U-Prove, Microsoft now owns all of the rights to the technology &#8211; and more importantly, the patents associated with it. Stefan Brands is now part of Microsoft’s identity team, filled with top-notch brilliant minds such as Dick Hardt, Ariel Gordon, Mark Wahl, Kim Cameron and numerous others.</p>
<p>Privacy advocates should be (and are) happy about this technology because it effectively allows consumers to protect their information, instead of forcing them to give up unnecessary information to transact business. How many times have we needed to give up personal information for some type of service without any real need for this information? For example, if you’re not shipping anything to me… what’s the point of providing my home address? If you are legally required to verify that I’m over 18 (or 21), why would you really need to know my credit card details and my home address? If you need to know that I am a customer of one of your partner banks, why would you also need to know my bank account number? Minimum disclosure makes transactions possible with exactly the right fit of personal details being exchanged. For those enterprises taking the data, this is also a very positive thing. Instead of having to “coax” unnecessary information out of potential customers, they can instead make a clear case of what information they do require for fulfilling the transaction, and will ultimately find consumers more willing to do business with them.</p>
<p>So all of this is really great. And what’s even better, Microsoft’s chief identity architect, Kim Cameron, has promised not to “hoard” this technology for Microsoft’s own products, but to actually contribute it to society in order to make the Internet a better place. But more than one year down the line, Microsoft has not made a single statement about what will happen to U-Prove: minimum disclosure about its minimum disclosure technology (pun intended!). In a post that I made a year ago, I tried making the point that this technology is so incredibly important for the future of the Internet that Microsoft should announce its plans for what to do with the technology (and the patents associated with it).</p>
<p>Kim’s response was that Microsoft had no intention of “hoarding” the technology for its own purposes. He highlighted however that it would take time to do this &#8211; time for Microsoft’s lawyers, executives and technologists to iron out the details of doing this.</p>
<p>Well &#8211; it’s been a year, and the only “minimum disclosure” that we can see is Microsoft’s unwillingness to talk about it. The debate is heating up around the world about different governments’ proposals for electronic passports and ID cards. Combined with the growing dangers of identity theft and continued news about spectacular leaks and thefts of personal information, this would really make our day. Unless you’re a spammer or identity thief, of course.</p>
<p>So it’s about time Microsoft started making some statements to reassure all of us what is going to happen with the U-Prove technology, and &#8211; more importantly &#8211; with the patents. Microsoft has been reinventing itself and making a continuous effort to turn from the “bad guys of identity” a decade ago (in the old Hailstorm days with Microsoft Passport) into the “good guys” of identity with its open approach to identity and privacy protection and standardisation. At Kuppinger Cole we have loudly applauded the Identity Metasystem and Infocards as a ground-breaking innovation that we believe will transform the way we use the Internet in the years to come. Now is the time to really start off the transformative wave of innovation that comes when we finally address the dire need for privacy protection. Microsoft has the key in its hands, or rather, locked in a drawer. C’mon guys, when will that drawer finally be opened?</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Fri, 31 Jul 2009 19:15:45 +0200</pubDate>
			<title>Finally: an open XACML API!</title> 
			<link>http://blogs.kuppingercole.com/gaehtgens/2009/07/31/finally-an-open-xacml-api/</link> 
			<guid>http://blogs.kuppingercole.com/gaehtgens/2009/07/31/finally-an-open-xacml-api/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/gaehtgens">Felix Gaehtgens</a><br><br><p>Whilst at the Burton Group’s Catalyst 2009 conference, I ran into Prateek Mishra from Oracle who told me somewhere between the lines of our conversation that <a href="http://www.oasis-open.org/committees/document.php?document_id=33416">a new XACML API has just been posted to the OASIS XACML TC</a>. It was a “soft launch” that was announced at the Kantara meetings on Monday at Burton Catalyst (which, very unfortunately, I missed). When Prateek mentioned it to me, it stopped me dead in my tracks, because I find it really significant news – a very important step towards flexible access control policy based on XACML. Before I get into the details, let me step back a bit and explain what this is, why I find this so significant and why it got me so excited.</p>
<p>XACML, the eXtensible Access Control Modeling Language, is an XML-based standard for authorization and access control. It is based on the Attribute Based Access Control (ABAC) model that is hailed as the next generation of access control models. According to many, ABAC will ultimately replace RBAC (Role Based Access Control). Instead of only using a role as the determining factor whether to grant access or not, many attributes can be used. Of course roles can be used in ABAC as well – since ABAC can use multiple attributes to make access control decisions, the “Role” can be one of those attributes – so ABAC can emulate RBAC perfectly while adding many additional advantages. This means that it is possible to add context to the access control decisions, and it allows for finer granularity, tighter controls and more flexibility for the business.</p>
<p>Here’s an example: I might be authorised to make bank transfers from an application. In RBAC, this would usually mean that I would have a role enabled for my account, for example “Make_Transfers”. Simple, right? Well, perhaps not so. As the need for control gets tighter, I may be authorised only to make transfers up to a value of 2000 EUR without any approval. Anything above that requires the approval of at least two of the financial supervisors. So how would you do this with RBAC? Not really so easy. And with ABAC? Piece of cake. With RBAC, the bank transfer application would have to have some hardwired piece of logic implementing the “max 2000 EUR without approval”. With ABAC, the policy could just express that if I have the role “Make_Transfers” and “transfer_amount &lt;= 2000” the operation is approved. Also approved is an operation if I have the role “Make_Transfers” and “transfer_amount &lt;= 2000” and “valid_approvals &gt;= 2”. Everything else is denied.</p>
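<p>The bank-transfer example above, worked through in code as an added illustration (this is not code from the original post or from the XACML API it discusses): the same two business rules, once hardwired into the application the RBAC way and once expressed as a data-driven, attribute-based policy with deny-overrides combining. The Request shape, rule names and the separation-of-duties rule at the end are my own assumptions; the 2000 EUR limit and the two-approvals rule come from the text.</p>

```python
# Added example, not code from the original post: the bank-transfer policy from
# the paragraph above, decided two ways so the difference is visible in code.
# Rule names, attribute names and the Request shape are my own assumptions;
# the amount limit (2000 EUR) and the two-approvals rule come from the text.
from dataclasses import dataclass
from typing import Callable, FrozenSet, List

PERMIT, DENY = "Permit", "Deny"


@dataclass(frozen=True)
class Request:
    """Attributes the enforcement point hands to the decision point."""
    subject_roles: FrozenSet[str]
    action: str
    transfer_amount: int = 0   # EUR
    valid_approvals: int = 0   # approvals already collected from supervisors


def rbac_decide(req: Request) -> str:
    """RBAC: only the role is a first-class concept; the limit and the
    approval count have to be hardwired into the application itself."""
    if req.action != "transfer" or "Make_Transfers" not in req.subject_roles:
        return DENY
    if req.transfer_amount <= 2000:
        return PERMIT
    return PERMIT if req.valid_approvals >= 2 else DENY


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                           # PERMIT or DENY
    condition: Callable[[Request], bool]  # predicate over request attributes


@dataclass(frozen=True)
class Policy:
    """Minimal deny-overrides policy: any matching Deny wins, otherwise any
    matching Permit wins, and a request no rule covers is treated as Deny."""
    rules: List[Rule]

    def evaluate(self, req: Request) -> str:
        effects = [r.effect for r in self.rules if r.condition(req)]
        if DENY in effects:
            return DENY
        return PERMIT if PERMIT in effects else DENY  # NotApplicable -> Deny


def is_transfer_by_maker(req: Request) -> bool:
    return req.action == "transfer" and "Make_Transfers" in req.subject_roles


# The policy is data, so the two business rules live here instead of inside
# the application: up to 2000 EUR needs no approval, anything above needs at
# least two valid approvals (as the text states), everything else is denied.
TRANSFER_POLICY = Policy(rules=[
    Rule("small_transfer", PERMIT,
         lambda r: is_transfer_by_maker(r) and r.transfer_amount <= 2000),
    Rule("large_transfer_dual_approved", PERMIT,
         lambda r: is_transfer_by_maker(r) and r.transfer_amount > 2000
         and r.valid_approvals >= 2),
])


def abac_decide(req: Request) -> str:
    return TRANSFER_POLICY.evaluate(req)


# Tightening the control later means adding a rule, not changing the app.
# Constructed example: a Deny rule that blocks transfers by anyone who also
# holds an (assumed) "Approve_Transfers" role, i.e. maker/checker separation.
SOD_POLICY = Policy(rules=TRANSFER_POLICY.rules + [
    Rule("maker_is_not_checker", DENY,
         lambda r: is_transfer_by_maker(r)
         and "Approve_Transfers" in r.subject_roles),
])

MAKER = frozenset({"Make_Transfers"})

SAMPLE_REQUESTS = [  # constructed inputs
    Request(MAKER, "transfer", 1500, 0),
    Request(MAKER, "transfer", 5000, 1),
    Request(MAKER, "transfer", 5000, 2),
    Request(frozenset(), "transfer", 100, 0),
    Request(MAKER, "view_balance", 0, 0),
]


def compare() -> List[tuple]:
    """(request, RBAC decision, ABAC decision) for every sample request; both
    decision points agree, but only the ABAC one is driven by policy data."""
    return [(r, rbac_decide(r), abac_decide(r)) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, rbac, abac in compare():
        print(f"{req.transfer_amount:>5} EUR, approvals={req.valid_approvals}, "
              f"roles={sorted(req.subject_roles)}: RBAC={rbac} ABAC={abac}")
    both = Request(frozenset({"Make_Transfers", "Approve_Transfers"}),
                   "transfer", 500)
    print("SoD policy, maker who is also a checker:", SOD_POLICY.evaluate(both))
```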
<p>So let me get back to the XACML API. XACML has seen real adoption, and I could see it for myself here at Burton Catalyst 2009 just from the sheer number of vendors that are actively supporting it and using it for policy enforcement and access control. What has really been missing however was a ready-to-use API that would allow developers to make an access control request in their application and get a decision. Now we finally have an API that allows developers to do just that. I spent over an hour yesterday hunched over my brand-new netbook with Prateek and Pat Patterson, poring over the API, and can only say: thumbs up!</p>
<p>So what can this API be used for? Is it easy enough for developers to jump on and enable their applications for externalised access control? Well, not really. XACML is a very powerful and expressive policy modeling language, and also defines a request/response protocol. This creates a certain level of complexity. Whilst of course it is possible for application developers to use this API in their applications, I think that higher-level authorisation APIs are still needed that make it “dead easy” for developers to externalise access control. For comparison, I was very impressed at how easy it is for .NET developers to harness the Geneva Framework (which is now called WIF or Windows Identity Foundation). Microsoft has made it truly “dead easy” for developers to make their applications ready for externalised authentication and claims – with just a few lines of “plumbing code”. Externalising authorisation must be made just as simple. The XACML API is a great start to provide a foundation that can be used to connect simpler APIs and existing access control frameworks to XACML.</p>
<p>Kudos to Cisco and Oracle for having contributed this. Great work, guys!</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 30 Jul 2009 12:41:26 +0200</pubDate>
			<title>About trademarks in the IAM business</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2009/07/30/about-trademarks-in-the-iam-business/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2009/07/30/about-trademarks-in-the-iam-business/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>These days I have learned that <a title="Fischer International" href="http://www.fischerinternational.com" target="_blank">Fischer International Identity</a> has trademarked two pretty generic terms:</p>
<ul>
<li>Identity as a Service (TM)</li>
<li>IaaS (TM)</li>
</ul>
<p>I wondered (and still wonder) about that. Fischer declared that they have invented that type of business (&#8221;a services-based architecture built from the ground-up for the express purpose of cost-effectively delivering identity management capabilities via the Software as a Service (SaaS) model&#8221;), built on a SOA architecture, supporting multi-tenancy, being able to work across firewalls. Honestly: Yes, they are an innovator in that space.</p>
<p>Unfortunately, that isn&#8217;t the only technology to which the terms mentioned above are applied. There are many different identity services. External identity providers for OpenID, strong authentication services, SSO for the cloud,&#8230; &#8211; to all these services the terms IaaS (TM) and Identity as a Service (TM) are frequently applied. And if you look at Application Security Infrastructures, then it is as well about providing identity services.</p>
<p>Thus, I agree with Fischer that they are sort of a pioneer in providing &#8220;provisioning as a service&#8221; (which would be PaaS) but I don&#8217;t agree with their view that they have invented the entire market space for which these terms are used today. Anyhow, it is a little like Daimler having trademarks on &#8220;car&#8221;, &#8220;Automobil&#8221;, and other related terms, isn&#8217;t it!?</p>
<p>On the other side: Maybe I shouldn&#8217;t bash Fischer for trademarking (why not try to get them?), but the ones on the governmental side which have agreed to trademark these very common terms. What will be next? SaaS (TM)? Cloud Computing (TM)? I really can&#8217;t understand that such common terms are trademarked (and I will use some related but somewhat different terms in the future). However, anyone who uses these terms has to attribute ownership of the mark to Fischer International Identity, as they have stated. Let&#8217;s see how they deal with the trademarks in practice. And be careful when using these terms.</p>
<p>To comply with the trademarking stuff: Identity as a Service (TM) and IaaS (TM) are trademarks owned by Fischer International Identity.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Fri, 24 Jul 2009 17:30:27 +0200</pubDate>
			<title>The blessings of 3G with Win 7</title> 
			<link>http://blogs.kuppingercole.com/rohr/2009/07/24/the-blessings-of-3g-with-win-7/</link> 
			<guid>http://blogs.kuppingercole.com/rohr/2009/07/24/the-blessings-of-3g-with-win-7/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/rohr">Sebastian Rohr</a><br><br><p>As a tech-savvy person and all-time traveller I recently acquired a mobile network data flat rate from one of the local German and international providers &#8211; the one with the pink logo. For every contract/subscription you sign, you usually get some perks, extra stuff, a mobile handset or &#8211; in my case &#8211; one of those netbooks. The Acer Aspire One 531 I was sent does feature an integrated 3G modem by OPTION Wireless and comes with Windows XP Home, to my dismay. Failing to prepare a proper backup (Acer gives you backup software to burn media &#8211; but a netbook does not have an optical drive, and mapping the DVD burner of my home Vista machine is not acceptable use of the software &#8211; and thus deactivated) I killed XP Home anyway and installed Win 7 fresh off an 8 GB USB flash drive (see here for a geek howto, or here for the DAU help with prepping the USB stick). All worked well &#8211; even a complete Office 2007 and Visio 2007 found their way onto the device &#8211; no driver problems, except&#8230; for the 3G!</p>
<p>I spent way too much time to figure this out, so here are the resources needed:<br />
Driver handling &#038; tweaking plus driver links<br />
http://www.itgrl.de/2009/03/31/aspire-one-3g-treiber-fur-umts-modem/<br />
Driver Links Acer<br />
http://global-download.acer.com/GDFiles/Driver/3G/3G_Option_5.0.12.0_XPx86_A.zip?acerid=633776034442008284&#038;Step1=Netbook&#038;Step2=Aspire One&#038;Step3=AO531h&#038;OS=X01&#038;LC=de&#038;SC=EMEA_8<br />
Driver Links Option (IMEI required!)<br />
http://www.option.com/en/support/software-download/product-list/ </p>
<p>After desperately trying to use the T-Mobile web´n´walk software for a while (even the EMBEDDED version taken from the mysterious FTP server in the Czech Republic), it always UNINSTALLED the Option drivers, leaving my netbook without connectivity.<br />
Using the ACER software DOES the trick though, but you have to tweak it:<br />
the Acer 3G Connection will fail to connect (it finds the device, the SIM is entered, the network is acquired) but then it gets stuck while &#8220;connecting&#8221; aka &#8220;Verbinden&#8230;&#8221;.<br />
Again, calling the friendly mobile provider support, we quickly analyzed that we were only one step away. Simple solution:<br />
create a new modem connection with *99# as the number to be dialed and suddenly all works well!</p>
<p>Now, back to real work&#8230; message me if you have a working setup with w´n´w software on Win 7 and internal Option MOx40 cards&#8230; or actual stand alone drivers for Win 7 that are NOT deleted when installing w´n´w <img src='http://blogs.kuppingercole.com/rohr/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Wed, 22 Jul 2009 14:20:31 +0200</pubDate>
			<title>Many test cases for German eID card</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2009/07/22/many-test-cases-for-german-eid-card/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2009/07/22/many-test-cases-for-german-eid-card/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>Some days ago the German government announced a list of 30 companies with test cases for the upcoming eID card, which will be available starting November, 2010. The good news is that the BMI (Federal Ministry of the Interior) has managed to get a good number of test scenarios outside of eGovernment. The identification of flight passengers at airports, hotel check-in, online shops, and some use cases for age verification are on the <a title="Test cases for German eID card (in German)" href="http://www.bmi.bund.de/SharedDocs/Pressemitteilungen/DE/2009/06/epa_anwendertest.html" target="_blank">list of published test cases</a>.</p>
<p>For sure there are also many eGovernment applications amongst these 30+ scenarios, but the really important thing is that there are obviously many partners outside eGovernment which are interested in using the eID card for identification (or age verification) purposes within their specific business use cases. If they succeed, there will be a lot more partners once the eID card is officially issued - and the more companies use the eID card, the more momentum there will be for &#8220;buying&#8221; the eID card and switching to it from the current conventional ID card. It is about &#8220;buying&#8221; because the eID card is mandatory when renewing the current eID card (which is valid 10 years from the date of issuance). That fee will be accepted more readily when the card can be used for many use cases.</p>
<p>Overall it appears that the German government is doing a good job in creating some interest in and momentum behind the eID card. And doing a broad test with many partners more than one year before the card is distributed widely is definitely important &#8211; there will be many lessons learned. Anyhow, the biggest threat for the eID card will still be acceptance. Test cases are one thing &#8211; the other aspects are usability (make the eID card as easy to use as possible, even from home) and trust. There will be a lot of discussion around the eID card, and educating users about its security and privacy (which are pretty good in the eID card concept) is extremely important for the success of the German eID card. But there will be a lot of FUD (fear, uncertainty, doubt) raised around these issues, like &#8220;the fingerprints aren&#8217;t fully secure&#8221;. Yes, in fact, there is some slight chance of abuse &#8211; but what the eID card provides is a big step forward for most users. Thus, we should look at it more positively and understand it as an important improvement for security on the Internet &#8211; with some shortcomings (national, time-to-market,&#8230;).</p>
<p>It will be definitely interesting to observe the different test cases and the lessons learned there. Despite all doubts, the German eID card has a good chance of becoming a successful project.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 21 Jul 2009 17:45:01 +0200</pubDate>
			<title>Virtual Directory Innovations</title> 
			<link>http://blogs.kuppingercole.com/gaehtgens/2009/07/21/virtual-directory-innovations/</link> 
			<guid>http://blogs.kuppingercole.com/gaehtgens/2009/07/21/virtual-directory-innovations/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/gaehtgens">Felix Gaehtgens</a><br><br><p>As someone actively covering directory services and virtual directories, several innovations have caught my attention. The players within the virtual directory space are (in alphabetical order) Optimal IDM, Oracle, SAP, Radiant Logic, Red Hat, and Symlabs. When it comes to product development and innovation within the last year, you can split those vendors right down the middle. &#8211; Optimal IDM, Radiant Logic and Symlabs have been actively developing their product and churning out new features in new versions. The others have not been adding any features, but instead spent time changing logos, product names, default file locations and otherwise integrating the virtual directory products into the respective Oracle/RedHat/SAP identity management ecosystems. In fact, in some of the latter cases I ask myself whether it is likely to expect any virtual directory product innovations anymore.</p>
<p>So what&#8217;s new? Where&#8217;s the innovation happening?</p>
<p><a href="http://www.optimalidm.com">Optimal IDM</a>: New connectors have been added for Microsoft SQL Server 2008, eDirectory. A special version for Microsoft Sharepoint integration has also been released, as well as &#8220;automated compliance features&#8221; that monitor for changes that violate definable rules and alert administrators.</p>
<p><a href="http://www.radiantlogic.com">Radiant Logic</a>: Its flagship product, formerly Radiant VDS (Virtual Directory Server), has been split up into two new products: the VDS Proxy Edition and the VDS Context Edition. The former is a classical virtual directory product that falls into the same category as Oracle VDS and the Symlabs Virtual Directory products. The latter is a mix of meta-directory and virtual directory features. Radiant Logic has rewritten major parts of the virtual directory core to make it more efficient, in order to overcome performance problems that used to be a weak point in the product.</p>
<p><a href="http://www.symlabs.com">Symlabs</a>: A full virtual tree functionality has been added. This makes the product easier to configure. In the past, a virtual tree had to be constructed by manually configuring plugins to filter and route requests. This had made configuration more difficult compared to other virtual directory products. This used to be a weak point in their products, like the performance used to be a negative point in Radiant Logic&#8217;s virtual directory server. Symlabs has also added a complete web-based remote administration interface that can be used instead of, or side-by-side with the local Java configuration interface.</p>
<p>What else is new? The latest piece of news comes from Symlabs, who have <a href="http://symlabs.com/press/43">released a competitive benchmark</a> paper that contains the results of a comprehensive benchmark of the virtual directory servers from Oracle, Radiant Logic and Symlabs. The numbers speak for themselves. Of course, comparative tests by vendors must always be taken with a grain of salt. In the report, Symlabs encourages companies to do their own benchmarks to verify the results in the Symlabs study. However, the numbers are credible and document what has already been known for some time. The Symlabs product comes out as the fastest virtual directory. This is unsurprising, due to a very efficient internal design and a small footprint, which translates to a level of efficiency that surpasses other virtual directory servers.</p>
<p>In second place in the competitive benchmark comes Radiant Logic&#8217;s VDS Proxy Edition server, which is also interesting. Until the end of last year, Radiant Logic&#8217;s virtual directory product was at the tail end of all performance benchmarks, beaten by both Oracle and Symlabs by &#8211; at least &#8211; an order of magnitude. Radiant Logic has done some hard work last year to catch up, and it shows by surpassing the Oracle product in the benchmarks and coming in second place.</p>
<p>The virtual directory segment continues to be innovative. This is good for customers that are increasingly adopting virtual directories as simple point solutions to solve integration issues between applications and directory servers. However, innovation does not happen everywhere. It has been very quiet around Red Hat&#8217;s, SAP&#8217;s and Oracle&#8217;s virtual directory products for a long time &#8211; up to now, little has happened with those products. Optimal IDM, Radiant Logic and Symlabs have done some serious enhancements to their products and compete head-on in the virtual directory arena. Remember the old stereotype that smaller companies tend to be much more innovative than the larger ones?</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 16 Jul 2009 08:19:59 +0200</pubDate>
			<title>Vendors might sell even in immature markets</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2009/07/16/vendors-might-sell-even-in-immature-markets/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2009/07/16/vendors-might-sell-even-in-immature-markets/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/kuppinger">Martin Kuppinger</a><br><br><p>These days I had a discussion with a vendor who sells different security tools which make up sort of an Endpoint Security &#8220;suite&#8221; about my and his view on that market. He was sort of offended by my critical view on today&#8217;s endpoint security market and claimed that his company and many of his competitors are selling large amounts of licenses to customers. Thus I must be wrong when telling people that the market isn&#8217;t really mature today.</p>
<p>My view on endpoint security is, by the way, not as sceptical as the one <a title="DLP market view" href="http://www.kuppingercole.com/articles/mk_holistic_040309" target="_blank">I have on the DLP market</a> (Data Leakage Protection/Prevention). I think that well integrated, feature-rich endpoint security solutions are an important element within security strategies. But the bar is set high. Endpoint Security solutions have to fully protect different types of endpoints. That includes AV, local firewalls, WLAN security, encryption, device control, and other elements. All these features have to be well managed. And well managed means centrally managed, integrated with existing and potential other new elements of the overall strategy. Active Directory integration is key in Windows environments. Integration with SIEM tools or at least open interfaces is a required feature. For sure, there needs to be one set of policies for all security features of the endpoint. Existing system-level features should be integrated as well, starting with Bitlocker on new Windows versions and for sure also including interfaces to Windows Group Policies. To name just a few of the expectations I have on Endpoint Security Suites.</p>
<p>Endpoint Security thus goes well beyond the point solutions in the DLP market, which I see even more critically.</p>
<p>Unfortunately, no vendor today fully supports all requirements I have on Endpoint Security solutions. That might change over time. But even then, Endpoint Security will be only one element within a security strategy, which has to be combined with IAM (Identity and Access Management) as the foundation for most parts of security, with more advanced information protection solutions (shielding information not only at rest, but also in motion and in use), centralized solutions (which might even overlap with endpoint security to some degree &#8211; look at what <a title="Finjan website" href="http://www.finjan.com" target="_blank">Finjan</a> provides) and so on.</p>
<p>Does this mean that you shouldn&#8217;t invest in Endpoint Security tools? No, for sure not. But a customer should be aware of the shortcomings of today&#8217;s offerings. And he should understand that he addresses only part of the overall problem (even while Endpoint Security at least might address a larger part of the problem, compared to many of the point solutions offered under the label of DLP). And vendors might use the bar I have set as a sort of benchmark for their solutions and a sort of advice for their product management instead of complaining that the bar is set too high. The fact that they are selling their products only proves that there is a strong demand for endpoint security solutions and that customers are even willing to buy immature solutions &#8211; it doesn&#8217;t prove that their solutions are mature.</p>
<p>My advice for customers: Understand the strengths and shortcomings of today&#8217;s offering in endpoint security, understand endpoint security as part of a larger IT security initiative, and define your selection criteria according to that.</p>
<p>My advice for vendors: Don&#8217;t rest on your current success but go a step back and think about what will be needed tomorrow and some years from now. The Endpoint Security market will evolve; there will be significant changes. And it will be more and more understood as part of a bigger IT security approach.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Wed, 15 Jul 2009 12:05:33 +0200</pubDate>
			<title>Lesser of two evils?</title> 
			<link>http://blogs.kuppingercole.com/cole/2009/07/15/lesser-of-two-evils/</link> 
			<guid>http://blogs.kuppingercole.com/cole/2009/07/15/lesser-of-two-evils/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/cole">Tim Cole</a><br><br><p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="560" height="340" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/9isKnDiJNPk&amp;hl=de&amp;fs=1&amp;" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="560" height="340" src="http://www.youtube.com/v/9isKnDiJNPk&amp;hl=de&amp;fs=1&amp;" allowscriptaccess="always" allowfullscreen="true"></embed></object><br />
More than 250,000 people have watched &#8220;ethical hacker&#8221; Chris Paget cruising the streets of San Francisco gathering RFID data from the new U.S. PASS cards and &#8220;enhanced&#8221; chipped drivers licenses. All it took him was about $250 for a scanner and an antenna, as well as a piece of software he downloaded from the Internet. The new &#8220;e-passports&#8221; are now mandatory for U.S. citizens entering the United States from Canada, Mexico, Bermuda and the Caribbean, though conventional passports will be accepted as long as they are valid. Paget was able to read and clone the information of the chips within minutes. While only tag numbers were intercepted, not the personal data on the chip, this is enough to identify and track individuals, which brings us a step closer to my favorite nightmare scenario: As I leave the airport in, say, Tunis or Cairo on my way to a nice sunny vacation I am picked up and followed by jihadists bent on killing any American capitalist swine they can find.</p>
<p>This may not be news to most of us, but what struck me was a comment by Gigi Zenk, a spokeswoman for the Washington state Department of Licensing, quoted in today’s edition of the &#8220;International Herald Tribune&#8221;, who believes that &#8220;Americans aren&#8217;t that concerned about RFID&#8221; in a time when &#8220;tracking an individual is much easier through a cellphone.&#8221;</p>
<p>Is this simply a brainless bureaucrat talking twaddle, or is she being cynical? Then again, maybe she has a point: If people did care a lot about &#8220;little brother&#8221;, as the global surveillance web is now being referred to, wouldn&#8217;t they do something about it? Like switch off their mobiles? There have been reports of German tax dodgers being caught because they said they were at home when in fact their phones were in the offices of a bank in Zurich.</p>
<p>In Germany, supposedly a country obsessed with privacy concerns and boasting the strictest data protection laws on the planet, a law calling for issuing RFID-enabled passports passed with hardly a murmur, and they are now gearing up to issue each and every one of their 80-some million citizens a mandatory personal ID card that will also carry a chip.</p>
<p>Maybe cynicism does help. How about this: If everybody is naked, nobody will be bothered by nakedness. Just blend in with the crowd. Implant an RFID chip in every forehead. There&#8217;s safety in numbers, after all. Or then again, maybe not&#8230;</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 30 Jun 2009 22:26:03 +0200</pubDate>
			<title>New design</title> 
			<link>http://www.id-conf.com/blog/2009/06/30/new-design/</link> 
			<guid>http://www.id-conf.com/blog/2009/06/30/new-design/</guid> 
			<description><![CDATA[ In <a href="http://www.id-conf.com/blog">European Identity Conference Blog</a><br><br><p>We would like to present a &#8220;design refresh&#8221; of our web sites: <a href="http://www.kuppingercole.com" target="_blank">www.kuppingercole.com</a>, <a href="http://blogs.kuppingercole.com" target="_blank">blogs.kuppingercole.com</a>, and <a href="http://www.id-conf.com" target="_blank">www.id-conf.com</a>.</p>
<p>We hope that a common header style will increase recognition and ease navigation between the sites.</p>
<p>You are welcome to visit anytime, there is always something new waiting for you <img src='http://www.id-conf.com/blog/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Sat, 27 Jun 2009 09:22:34 +0200</pubDate>
			<title>The flowering of the identity store</title> 
			<link>http://blogs.kuppingercole.com/cole/2009/06/27/the-flowering-of-the-identity-store/</link> 
			<guid>http://blogs.kuppingercole.com/cole/2009/06/27/the-flowering-of-the-identity-store/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/cole">Tim Cole</a><br><br><p><img class="alignnone size-full wp-image-74" title="datastore_diagram" src="http://blogs.kuppingercole.com/cole/wp-content/uploads/datastore_diagram.jpg" alt="datastore_diagram" width="595" height="398" /></p>
<p><em><strong>The Personal Data Eco-System (diagram by Iain Henderson and Drummond Reed)</strong></em></p>
<p>Another reason I really love Twitter: It takes you places you might never have found on your own. Take a recent post by <a href="http://twitter.com/xmlgrrl">xmlgrrl</a>, a.k.a. Eve Maler of Sun Microsystems, a terse pointer to a posting by Iain Henderson of <a href="mydex.org">Mydex </a>on <a href="http://www.rightsideup.net/?p=273">rightsideup.net</a> entitled &#8220;The Personal Data Eco-System&#8221; which provides by far the best theoretical overview that I, at least, have seen on the true nature and function of personal data.</p>
<p>The text is an abstract of a session Iain and his pal Drummond Reed of <a href="http://www.cordance.net">Concordance</a>, who is also a trustee of <a href="http://www.idcommons.net">identitycommons</a>, held at a recent <a href="http://cyber.law.harvard.edu/projectvrm/VRM_West_Coast_Workshop_2009">West Coast VRM Workshop</a> and which is also intended as an introduction to the <a href="http://kantarainitiative.org">Kantara </a>workgroup where they hope to explore these scenarios more deeply. The focus of the piece is on what Iain and Drummond describe as &#8220;Personal Data Stores&#8221;, a slightly confusing term for a kind of data warehouse in which to store all the personal data available about me (or you) so that it can be used for anything from paying a credit card bill to scheduling a doctor&#8217;s appointment or even planning a home move.</p>
<p>But where it gets really exciting is when the two start to discuss what kind of data there is about me (or you), what the relationship is between the different kinds of data and how they interact. Basically, they divide all personal data into five categories:</p>
<ul>
<li><strong>My Data</strong> (information about me that I, and only I, own and control)</li>
<li><strong>Your Data</strong> (information about me that someone else &#8211; e.g. an organization or the government &#8211; owns and controls)</li>
<li><strong>Our Data</strong> (information about me that is accessible to both me and them, e.g. buyer and seller)</li>
<li><strong>Their Data</strong> (information about me that is owned and sold by third parties such as a credit card company)</li>
<li><strong>Everybody&#8217;s Data</strong> (information about me that is in the public domain, e.g. my postal address or an electoral roll)</li>
</ul>
<p>Iain and Reed have created the absolutely fascinating flower-like Venn diagram pictured above explaining how and where these separate sorts of data intersect to create what they describe as a &#8220;Basic Identifier Set&#8221; in the middle. This for them is the &#8220;core personal identity data&#8221; and they believe it will enable a working &#8220;personal identity eco-system&#8221; for providing services and ensuring transactions sometime in the future, with the individual functioning as the &#8220;un-knowing point of integration&#8221; of data about themselves.</p>
<p>They describe in detail the various dynamic flows of data between the different categories, such as from My Data to Your Data where individuals provide information about themselves under certain conditions (think the &#8220;tick boxes&#8221; on web forms indicating whether I want to receive your newsletter if I buy your product) or from Your Data to Their Data as an organization shares information about me with another organization, something which can happen legally (as in identity federation) or illegally (then it&#8217;s called identity theft).</p>
<p>I find the Henderson/Reed Diagram an extremely illuminating intellectual achievement since it illustrates the huge complexity involved in addressing issues of identity, both digital and analog. I&#8217;m not so sure whether I agree with Iain&#8217;s conclusion and forecast that over time (&#8220;in 10 years&#8221;) some 80% of customer management processes will be driven from a &#8220;My Data&#8221; perspective. He argues that the rush for user-generated content, as well as economic reasons, will cause organizations to move to a user-controlled model of identity management.</p>
<p>Well, I&#8217;ve been around long enough to know you can multiply a given prognosis involving a ten-year timeframe by a factor of between two and ten and still wind up way out in left field. But I do think they are right in assuming that there is a business case for moving towards user-controlled identity. Whether it will be, as they suggest, that allowing a vendor to mine my Personal Data Store for my consumer habits, and especially my buying intentions, will be incentive enough, or whether the prevalent model will be a simple upfront deal &#8211; give me your personal information and I will give you a rebate or cash in hand &#8211; I don&#8217;t know, but until we find out it might be a good idea to contemplate the wonderfully symmetric flower petals of the identity eco-system diagram and ponder its implications.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 18 Jun 2009 13:05:38 +0200</pubDate>
			<title>Parallels wants to bring SaaS to the masses</title> 
			<link>http://blogs.kuppingercole.com/cole/2009/06/18/parallels/</link> 
			<guid>http://blogs.kuppingercole.com/cole/2009/06/18/parallels/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/cole">Tim Cole</a><br><br><p>Just got back from my favorite neighborhood watering hole in Munich, the Cafe Wienerplatz, where I met with Soeren von Varchmin, who recently moved in next door after spending a few years in Seattle.</p>
<p>Soeren is VP SaaS at <a href="http://www.parallels.com/">Parallels</a>, a company that describes itself as &#8220;worldwide leader in virtualization and automation software that optimizes computing for consumers, businesses and providers&#8221;. His job is to bring together Internet Providers and Services Providers (ISVs) by providing a common platform to provision, manage and integrate applications and services over the Internet. His vision is to create a large-scale cloud computing ecosystem where software vendors and cloud operators together deliver a wide variety of services to businesses and consumers.</p>
<p>To achieve this goal, Parallels has written what they call the &#8220;Application Packaging Standard&#8221; (APS) which they describe as a new application packaging format designed to help implement a Software-as-a-Service (SaaS) business model. I guess you could call it &#8220;SaaS 2.0&#8221; (or maybe &#8220;ASP x.0&#8221;), because it enables almost all industry hosting providers &#8211; Parallels&#8217; traditional customer base &#8211; to team up with almost any application provider to offer their apps as a rental web service.</p>
<p>Once packaged in the APS format &#8211; basically just an XML feed &#8211; by a software vendor, an application can be easily &#8220;plugged&#8221; into an infrastructure of any hosting provider that implemented the standard &#8220;socket&#8221; for the APS applications.</p>
<p>Soeren thinks this is a real win-win situation, since it gives hosting providers a new, higher-value business model while providing a new distribution channel for ISVs. Parallels is touting their standard as an open platform, and rumor has it that they will be founding a non-profit organization to push the specification in the public domain, so check out their website at www.apsstandard.org for updates.</p>
<p><span id="more-66"></span>The reason I was interested in APS is that it contains full-fledged IdM capabilities, from Single Sign-on through provisioning, payment &amp; billing, and since recently even license management, too. Since everybody is heading for the Cloud these days, I thought it would be interesting to know if APS might be a quick fix to the IdM problem in web-based applications. Soeren seems to think so. And technically, he may be right. But of course, to make APS a &#8220;real&#8221; standard he&#8217;ll have to generate a lot more interest in the IdM community.</p>
<p>Right now, Parallels is big in the provider and hosting market. Their boast is that, out of about 200 million domains in the world, between 30 and 40 million are powered by their software. Or putting it another way, just about every major Internet Provider in the business is a customer of theirs. But simple hosting and plumbing isn&#8217;t all that sexy anymore, and big cloud operators like Amazon, Google, 1&amp;1 or Strato are on the lookout for extra sources of income. By hitching them up with ISVs and SaaS vendors like Salesforce et al. they could conceivably tap into some pretty substantial new revenue streams, especially SMEs who find it appealing to rent IT infrastructure and applications instead of buying.</p>
<p>I asked Soeren if APS could also work as a platform for providing identity as a service, and he liked the idea. After all, if the platform can handle SSO and payment in a safe and scalable fashion, why not use it as a kind of universal identity provider for the Cloud instead of building IdM capability directly into the app?</p>
<p>On the other hand, Parallels still has its work cut out for it convincing the thousands and thousands of ISVs out there to plug their existing solutions &#8211; whether already SaaS-enabled or legacy &#8211; into APS.</p>
<p>Yeah, it makes sense businesswise, but anyone who has ever tried to push a standard knows just how innovation-resistant people in the IT industry can be. But with Soeren living right around the corner now, I&#8217;ll be able to check back every time we run across each other at Cafe Wienerplatz, so stay tuned.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 16 Jun 2009 20:47:41 +0200</pubDate>
			<title>Hooray, LDAPcon 2009 is coming up!</title> 
			<link>http://blogs.kuppingercole.com/gaehtgens/2009/06/16/hooray-ldapcon-2009-is-coming-up/</link> 
			<guid>http://blogs.kuppingercole.com/gaehtgens/2009/06/16/hooray-ldapcon-2009-is-coming-up/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/gaehtgens">Felix Gaehtgens</a><br><br><p>I was delighted when I saw that <a href="http://www.symas.com/ldapcon2009/">LDAPcon is happening again this year</a>. I went to the first event in Cologne, Germany in 2007, and was very impressed. When you have the &#8220;creme de la creme&#8221; from the LDAP community talking about their favourite topic, you&#8217;re guaranteed an interesting and exhilarating time &#8211; assuming that LDAP and directories are your thing.</p>
<p>I still remember last time how Howard Chu gave us a musical demonstration of how a well-performing directory should perform &#8211; on the violin! I don&#8217;t think anybody forgot that. We also got a very good overview of the different open source projects around directories, and about how to make good use of some of the LDAP extensions.</p>
<p>This time, we&#8217;ll also have two action-packed days, and the <a href="http://www.symas.com/ldapcon2009/call-for-papers.shtml">call for papers</a> is open. I encourage everybody to share their best practices, vision and thoughts and make this an unforgettable event as well. I&#8217;ll be submitting for sure <img src='http://blogs.kuppingercole.com/gaehtgens/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p>LDAPcon takes place in Portland and starts on September 20, a day before LinuxCon. The second day will be shared with LinuxCon, it seems. Might as well stay for LinuxCon as well! This is a good event not just for directory vendors and project maintainers, but especially also for those who deploy and run LDAP directories in challenging environments, and those who develop software that talks to LDAP servers. Kudos to the Symas guys for helping organise it (and they are just helping to organise it &#8211; it&#8217;s not at all an OpenLDAP conference, if that&#8217;s what you&#8217;re thinking). I&#8217;m definitely looking forward to it!</p>
<p>BTW I just saw that <a href="http://blogs.sun.com/Ludo/entry/ldapcon_2009_call_for_papers">Ludo wrote about it as well</a>, and even posted some photos from the 2007 event.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 11 Jun 2009 16:59:11 +0200</pubDate>
			<title>UnboundID launches frontal attack on Sun – good idea??</title> 
			<link>http://blogs.kuppingercole.com/gaehtgens/2009/06/11/unboundid-launches-frontal-attack-on-sun-good-idea/</link> 
			<guid>http://blogs.kuppingercole.com/gaehtgens/2009/06/11/unboundid-launches-frontal-attack-on-sun-good-idea/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/gaehtgens">Felix Gaehtgens</a><br><br><p>I recently received a press release from UnboundID announcing the availability of a new &#8220;synchronization server&#8221;. This software keeps two LDAP servers in sync (as the name suggests) &#8211; bidirectionally. In theory very useful, and it&#8217;s free too. But there&#8217;s a small trick: the synchronization server supports both Sun&#8217;s DSEE (Directory Server Enterprise Edition) and the new UnboundID Directory Server. In the release, UnboundID makes no secret of what this software should be used for: to migrate away from Sun&#8217;s directory toward UnboundID&#8217;s competing solution.</p>
<p>UnboundID is a start-up based out of Austin, TX. It was founded by several ex-Sun employees, including Neil Wilson, author of the &#8220;slamd&#8221; load generation engine, and formerly one of the key people behind Sun&#8217;s OpenDS. I have already raved about their new LDAP SDK for Java, in my opinion the finest and most complete LDAP development kit for any language ever written.</p>
<p>The company is going after the very lucrative Telco and large service provider market, and launched a frontal attack on Sun Microsystems, who is the market leader in that space. UnboundID is offering a 30-40% reduction in yearly maintenance costs if customers switch from DSEE to their solution. Of course there is the usual fine print, and this offer is limited to medium-sized directories with less than two million entries. Why should Sun customers switch from DSEE to UnboundID Directory? According to UnboundID, their server is faster, has a smaller footprint and is supported on a wider platform range.</p>
<p>It is not really obvious to me however why Telcos and large service providers would want to switch. For one, DSEE has been the de-facto market leader for massive-scale directory services, and customer satisfaction is high (not just if you believe the marketing &#8211; I&#8217;ve personally heard the same from Telcos using the product). A directory server running in a Telco is an absolutely super-critical component, and ripping it out and replacing it is akin to heart surgery. DSEE is very mature after having been around for many years and the kinks have been ironed out in many very large deployments a long time ago already (in fact, I was in one of those deployments in 2002 &#8211; that was fun). UnboundID would obviously need to make a very good case and give organisations a high level of assurance for them to switch over. The Telco sector is much more innovative than others, and tends to be on the bleeding edge of technology &#8211; but even so, there is a reluctance to switch from a very mature product that &#8220;just works&#8221; to a brand-new product.</p>
<p>That&#8217;s why UnboundID offers the &#8220;synchronization server&#8221; in order to try to entice organisations to run both directory servers next to each other for a longer period &#8211; to evaluate and eventually become comfortable enough with the UnboundID server to make the switch. It seems that the &#8220;synchronization server&#8221; has been written specifically for this purpose.</p>
<p>Which, personally speaking, I think is a bit of a pity, but hopefully UnboundID will realise the immense value that this synchronisation server could have once they&#8217;ve gotten over their frontal attack on Sun. A generic synchronization server that would keep multiple directories from multiple vendors synchronised is a fantastic value proposition, and I&#8217;m sure many organisations would jump at it. Especially when it comes from such brilliant minds as Neil Wilson&#8217;s, who is known for his awesome LDAP stuff.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Mon, 18 May 2009 23:17:18 +0200</pubDate>
			<title>EIC impressions</title> 
			<link>http://www.id-conf.com/blog/2009/05/18/eic-impressions/</link> 
			<guid>http://www.id-conf.com/blog/2009/05/18/eic-impressions/</guid> 
			<description><![CDATA[ In <a href="http://www.id-conf.com/blog">European Identity Conference Blog</a><br><br><p>A few more short interviews from the conference<br />
<object width="425" height="344" data="http://www.youtube.com/v/u90aR4qQdnk&amp;hl=en&amp;fs=1&amp;rel=0" type="application/x-shockwave-flash"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/u90aR4qQdnk&amp;hl=en&amp;fs=1&amp;rel=0" /><param name="allowfullscreen" value="true" /></object></p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Mon, 18 May 2009 17:34:55 +0200</pubDate>
			<title>Interview with Kim Cameron</title> 
			<link>http://www.id-conf.com/blog/2009/05/18/interview-with-kim-cameron/</link> 
			<guid>http://www.id-conf.com/blog/2009/05/18/interview-with-kim-cameron/</guid> 
			<description><![CDATA[ In <a href="http://www.id-conf.com/blog">European Identity Conference Blog</a><br><br><p>Interview with Kim Cameron, Microsoft<br />
<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/1hT3hfxuZRU&#038;hl=en&#038;fs=1&#038;rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/1hT3hfxuZRU&#038;hl=en&#038;fs=1&#038;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object></p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Sun, 17 May 2009 05:43:02 +0200</pubDate>
			<title>The Lost Chapters of EIC</title> 
			<link>http://www.id-conf.com/blog/2009/05/17/the-lost-chapters-of-eic/</link> 
			<guid>http://www.id-conf.com/blog/2009/05/17/the-lost-chapters-of-eic/</guid> 
			<description><![CDATA[ In <a href="http://www.id-conf.com/blog">European Identity Conference Blog</a><br><br><p>Today we&#8217;ve been finally able to get our hands on a tape we almost believed to be lost forever. But thanks to our video technicians we can now present you a few more interviews from the EIC 2009.</p>
<p>Interview with Marina Walser, Novell EMEA<br />
<object width="425" height="344" data="http://www.youtube.com/v/EQF4HnjJ1CY&amp;hl=en&amp;fs=1&amp;rel=0" type="application/x-shockwave-flash"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/EQF4HnjJ1CY&amp;hl=en&amp;fs=1&amp;rel=0" /><param name="allowfullscreen" value="true" /></object></p>
<p>Interview with Fulup Ar Foll, Sun Microsystems (yes, another one!)<br />
<object width="425" height="344" data="http://www.youtube.com/v/r1KvfEULBxw&amp;hl=en&amp;fs=1&amp;rel=0" type="application/x-shockwave-flash"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/r1KvfEULBxw&amp;hl=en&amp;fs=1&amp;rel=0" /><param name="allowfullscreen" value="true" /></object></p>
<p>Stay tuned for more.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Fri, 15 May 2009 02:10:47 +0200</pubDate>
			<title>Keynote by Kim Cameron, Microsoft</title> 
			<link>http://www.id-conf.com/blog/2009/05/15/keynote-by-kim-cameron-microsoft/</link> 
			<guid>http://www.id-conf.com/blog/2009/05/15/keynote-by-kim-cameron-microsoft/</guid> 
			<description><![CDATA[ In <a href="http://www.id-conf.com/blog">European Identity Conference Blog</a><br><br><p><object width="480" height="385" data="http://www.youtube.com/p/AA5454357BD8AF31&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/p/AA5454357BD8AF31&amp;hl=en&amp;fs=1" /><param name="allowfullscreen" value="true" /></object></p>
<p><a href="http://www.id-conf.com/sessions/574" target="_blank">The Road to Claims: From Vision to Reality</a><br />
Kim Cameron, Microsoft</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 14 May 2009 19:30:25 +0200</pubDate>
			<title>Keynote by Marina Walser, Novell</title> 
			<link>http://www.id-conf.com/blog/2009/05/14/keynote-by-marina-walser-novell/</link> 
			<guid>http://www.id-conf.com/blog/2009/05/14/keynote-by-marina-walser-novell/</guid> 
			<description><![CDATA[ In <a href="http://www.id-conf.com/blog">European Identity Conference Blog</a><br><br><p><object width="480" height="385" data="http://www.youtube.com/p/19353F3BF092A44F&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/p/19353F3BF092A44F&amp;hl=en&amp;fs=1" /><param name="allowfullscreen" value="true" /></object></p>
<p><a href="http://www.id-conf.com/sessions/509" target="_blank">SAP-GRC-IdM &#8211; What is the Problem?</a><br />
Marina Walser, Novell EMEA</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Wed, 13 May 2009 21:53:08 +0200</pubDate>
			<title>Keynote by John Aisien, Oracle</title> 
			<link>http://www.id-conf.com/blog/2009/05/13/keynote-by-john-aisien-oracle/</link> 
			<guid>http://www.id-conf.com/blog/2009/05/13/keynote-by-john-aisien-oracle/</guid> 
			<description><![CDATA[ In <a href="http://www.id-conf.com/blog">European Identity Conference Blog</a><br><br><p><object width="480" height="385" data="http://www.youtube.com/p/C28FE0702A21C47F&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/p/C28FE0702A21C47F&amp;hl=en&amp;fs=1" /><param name="allowfullscreen" value="true" /></object></p>
<p><a href="http://www.id-conf.com/sessions/510" target="_blank">Enterprise IT-enabled Cost Avoidance &amp; Reduction: The Role of Identity &amp; Access Management</a><br />
John Aisien, Oracle Corporation</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Wed, 13 May 2009 16:02:47 +0200</pubDate>
			<title>Keynote by Eve Maler, Sun Microsystems</title> 
			<link>http://www.id-conf.com/blog/2009/05/13/keynote-by-eve-maler-sun-microsystems/</link> 
			<guid>http://www.id-conf.com/blog/2009/05/13/keynote-by-eve-maler-sun-microsystems/</guid> 
			<description><![CDATA[ In <a href="http://www.id-conf.com/blog">European Identity Conference Blog</a><br><br><p>We&#8217;re planning to upload selected EIC 2009 keynotes to YouTube and here is the first one.</p>
<p><object width="480" height="385" data="http://www.youtube.com/p/8CF44184B5C40205&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/p/8CF44184B5C40205&amp;hl=en&amp;fs=1" /><param name="allowfullscreen" value="true" /></object></p>
<p><a href="http://www.id-conf.com/sessions/501" target="_blank">The Care and Feeding of Online Relationships</a><br />
Eve Maler, Sun Microsystems</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 12 May 2009 16:08:46 +0200</pubDate>
			<title>EIC 2009 presentations and keynotes</title> 
			<link>http://www.id-conf.com/blog/2009/05/12/eic-2009-presentations-and-keynotes/</link> 
			<guid>http://www.id-conf.com/blog/2009/05/12/eic-2009-presentations-and-keynotes/</guid> 
			<description><![CDATA[ In <a href="http://www.id-conf.com/blog">European Identity Conference Blog</a><br><br><p>Just like last year, registered participants of the EIC 2009 have access to all presentations and keynote videos in the special area of Kuppinger Cole web site.</p>
<p>We have sent a personal direct link to that area in an e-mail to every participant, so please check your inbox!</p>
<p>If you haven&#8217;t received such an e-mail from Kuppinger Cole, it could be that we do not know your address yet. In this case please contact <a href="mailto:lk@kuppingercole.com">Mr. Levent Kara</a>.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Mon, 11 May 2009 15:35:42 +0200</pubDate>
			<title>Kuppinger Cole on Twitter</title> 
			<link>http://www.id-conf.com/blog/2009/05/11/kuppinger-cole-on-twitter/</link> 
			<guid>http://www.id-conf.com/blog/2009/05/11/kuppinger-cole-on-twitter/</guid> 
			<description><![CDATA[ In <a href="http://www.id-conf.com/blog">European Identity Conference Blog</a><br><br><p>You can follow <a href="http://twitter.com/kuppingercole" target="_blank">@kuppingercole</a> on Twitter to get the latest news from Kuppinger Cole web site in real time.</p>
<p>Or maybe you&#8217;ll be interested in following our employees&#8217; own accounts: <a href="http://twitter.com/TCole1066" target="_blank">@TCole1066</a>, <a href="http://twitter.com/balaganski" target="_blank">@balaganski</a>, <a href="http://twitter.com/Lefti09" target="_blank">@Lefti09</a>, <a href="http://twitter.com/joergresch" target="_blank">@joergresch</a>, <a href="http://twitter.com/BettinaButhmann" target="_blank">@BettinaButhmann</a>. I&#8217;m sure others will join soon <img src='http://www.id-conf.com/blog/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Sat, 09 May 2009 08:31:45 +0200</pubDate>
			<title>My Twitter Top Ten</title> 
			<link>http://blogs.kuppingercole.com/cole/2009/05/09/my-twitter-top-ten/</link> 
			<guid>http://blogs.kuppingercole.com/cole/2009/05/09/my-twitter-top-ten/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/cole">Tim Cole</a><br><br><p>I know it&#8217;s funny, but in fact it&#8217;s me, by far the oldest guy at KCP, who is actually the greatest fan of Twitter. Perhaps if you don&#8217;t have as much time left to waste as some of my younger colleagues, you learn to appreciate abbreviation.</p>
<p>Anyway, the European Identity Conference which ended yesterday here in Munich produced a bumper crop of Tweets which I have been browsing through this morning at my leisure (first time in a week I&#8217;ve had any), and I thought I would share a few with those of you who do not yet fully appreciate just how powerful this new medium actually is.</p>
<p>Summing up a large multinational conference like EIC, running over many days and featuring some of the finest speakers in the industry, in a format that restricts the writer to 140 characters max is a challenge, of course, but many of those present not only rose to it, but proved themselves past masters of terse, to-the-point, no-nonsense (well actually, sometimes a bit of nonsense) communication.</p>
<p>Kudos to Bavo de Ridder of Acerta, a Belgian IdM specialist, who ran away with the title &#8220;Most Prolific Twitterer&#8221; at EIC. He produced approximately twice as many Tweets as even I, no mean Twitterer myself, managed to thumb into my Palm Treo, and we actually at times managed to engage in a twittered dialog, for instance when I posted &#8220;Fulup Ar Foll (Sun): &#8216;Roles will not fly in the Cloud&#8217;&#8221;, to which his immediate response was: &#8220;@TCole1066 those cases where roles do fly (elegantly) are mostly those cases where roles have a simple attribute relation&#8221;</p>
<p>Sometimes our online conversations took a twirky turn, like when Martin Kuppinger gave his keynote and Bavo twittered: &#8220;Attending &#8220;Beyond the hype &#8211; a strategical approach to cloud computing&#8221; (I see hype in that title)&#8221;, leading me to ponder on the &#8220;Philosophical question: Is hyping hype a double positive or a double negative?&#8221;.</p>
<p>The runner-up, by the way, was Heide Groshelle of Groshelle Communications, a San Francisco-based PR consultancy who helped KCP get the message about EIC out to the masses and who turns out to be at least equally at home in both the old media and the new.</p>
<p>Tweets turned up from many of the &#8220;big guns&#8221; in our industry such as Sun&#8217;s Eve Maler (&#8220;@xmlgirl&#8221;), Novell&#8217;s Dale Olds (&#8220;@daleolds&#8221;) and Quest&#8217;s Jackson Shaw (&#8220;@jacksonshaw&#8221;). And some like @vibronet, another non-stop Twitterer, chose to remain anonymous, which anyone is perfectly entitled to do on Twitter (one of the rapidly dwindling number of places on the Internet where you still are allowed to wear a mask in public).</p>
<p>Anyway, for what it&#8217;s worth, I give you here, dear reader, my personal list of favorites culled from 32 pages of conference postings as my very own</p>
<p><strong>Top Ten Tweets From EIC 09</strong></p>
<blockquote><p><em>1. &#8220;not sure who of you is currently at #eic in munich, but it&#8217;s the #1 identity conference in europe and def worth checking out.&#8221;</em></p>
<p><em>2. &#8220;Fulup &#8220;user centric for me is a joke&#8221; &#8230; thank god Dick Hardt is not at this conference &#8230; would have been a good fight though&#8221;</em></p>
<p><em>3. &#8220;Falling cows are a huge risk since the outcome is fatal, but the probability is low. GRC is about weighing the two. Thanks Dave Kearns!&#8221;</em></p>
<p><em>4. &#8220;If personal information dealers would care about your consent they&#8217;d ask &#8211; they&#8217;ve got my email&#8230;&#8221;</em></p>
<p><em>5. &#8220;Can IdM create risk? Yes, says Niels v.d. Hude of Beta Sys. It&#8217;s a single point of failure and itself should be monitored and audited&#8221;</em></p>
<p><em>6. &#8220;Kim Cameron states Microsoft will make Active Directory the &#8220;motor&#8221; for accepting and emitting claims via the Geneva STS server&#8230;cool!&#8221;</em></p>
<p><em>7. &#8220;OMG, I&#8217;ve been working on enterprise spaghetti for the last twenty years!&#8221;</em></p>
<p><em>8. &#8220;Google mentioned in the keynote &#8230; where is google in this conference ???&#8221;</em></p>
<p><em>9. &#8220;As long as compliance is treated as a burden, there is a systemic risk that will periodically result in (catastrophic) failures&#8221;</em></p>
<p><em>10. &#8220;Thanks all for a great #eic C u all next year!&#8221;</em></p></blockquote>
 ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 05 May 2009 12:03:33 +0200</pubDate>
			<title>EIC09: ICF German Chapter Founding</title> 
			<link>http://blogs.kuppingercole.com/rohr/2009/05/05/eic09-icf-german-chapter-grundung/</link> 
			<guid>http://blogs.kuppingercole.com/rohr/2009/05/05/eic09-icf-german-chapter-grundung/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/rohr">Sebastian Rohr</a><br><br><p>Dear readers, the following post is provided bilingually but does not represent a one-to-one translation. Most information is for German-speaking readers, so the English version is comparatively short! Still, there is some general info in the English part, so please make sure you read both parts…<br />
The ICF German Chapter Inauguration Meeting<br />
www.informationcard.de<br />
Participants: Corisecio, Fraunhofer FOKUS, Deutsche Telekom, Oracle, Novell, Arcot, Microsoft, Siemens, fun Communications, Hasso-Plattner-Institut, Azigo, KuppingerCole and MANY more!</p>
<p>Initiated by Jens Fromm of Fraunhofer FOKUS in cooperation with Axel Nennker, Deutsche Telekom Labs, a local German-speaking chapter of http://informationcard.net/ was established. The founding members and supporters of www.informationcard.de will try to align their efforts as much as possible to establish an interoperable and easy-to-adopt exchange network, where not only cross-testing but also fully operational systems can be deployed. Goal: to foster the adoption and usage of infocards in the German-speaking countries by bringing together stakeholders such as card providers, infrastructure providers and service providers, and possibly providing info to consumers.<br />
A number of member presentations on technology, background, usage scenarios and development provided a deeper insight into what is happening in the ICF and between partners. In brief, there were presentations by Deutsche Telekom of an mWallet on Nokia Symbian (NFC, functional) or Apple iPhone (just a UI, not yet fully functional) that showed a P2P scenario (mobile2mobile, two Nokias touching…). Other use cases besides money transfer comprise cinema ticketing and POS payment in a canteen. There also was a demo on hotel booking, again with Nokia/iPhone, that visualized the goal of having the same look &#038; feel on all devices. Additional (and excellent!) demos were provided by Corisecio and fun Communications, showing different ways and methods to access the KuppingerCole site with IdentityCards. Microsoft rounded it off by showing how to authenticate to special online workspaces using Windows 7 and IE8.<br />
The next months will show how the participants create their network and infrastructure, which will provide a continually usable test-bed and also an environment for real applications. In particular, it will be interesting to see how removing the language barrier contributes to creating best practices that can be handed back to the larger InformationCard community in the ICF. KuppingerCole supports these efforts by serving as a live site to authenticate with IdentityCards as well as by promoting the use of IdentityCards in a broader, more open and public community.</p>
<p>DE<br />
One of the first large breakout sessions at the European Identity Conference in Munich was the meeting of the German-speaking chapter of the InformationCard Foundation http://informationcard.net/, which brought well over 20 participants together even before the keynotes on the morning of the first conference day. With the participation of several American representatives, staff from Corisecio, Fraunhofer FOKUS, Deutsche Telekom, Oracle, Novell, Arcot, Microsoft, Siemens, fun Communications, Hasso-Plattner-Institut, Azigo and KuppingerCole met to show the current state of development. The most important point was the fully functional demonstration of logging on to the KuppingerCole site with an InformationCard.<br />
The goal of the meeting was to bring together all those involved and interested who are actively working on the development of InformationCard technologies, card selectors or application scenarios. Besides the live demonstration of the KCP logon already mentioned, several approaches to use on mobile phones (iPhone and Nokia Symbian) with NFC connectivity were presented, which offer the user in particular many options for multiple use. The participants agreed that the general problem is the lack of adoption by users so far; one way to improve adoption is to keep the entry barrier as low as possible. In detail this means broad support for a variety of end devices, installation and configuration of the required software on those devices that is as simple as possible, and likewise the highest possible portability and usability across many application scenarios. Excellent live demonstrations by fun Communications and Corisecio (again logging on to the KCP site, but via mobile phones) underpinned the high standards the group sets for itself.<br />
The coming months will show how the German-speaking chapter develops and which concepts and solutions tailored specifically to the Central European economic area can be passed on to the parent organization as best practice. KuppingerCole supports the initiative as much as it can, among other things by offering logon to the KCP site with an IdentityCard and of course with every means available to get users excited about the technology.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Mon, 04 May 2009 08:50:27 +0200</pubDate>
			<title>Where in the Cloud am I?</title> 
			<link>http://blogs.kuppingercole.com/cole/2009/05/04/where-in-the-cloud-am-i/</link> 
			<guid>http://blogs.kuppingercole.com/cole/2009/05/04/where-in-the-cloud-am-i/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/cole">Tim Cole</a><br><br><p>Recently, at a press briefing by German IBM boss Stefan Jetter who waxed enthusiastic about Cloud Computing, an elderly journalist rose and asked him a show-stopper: “Where are my data when they’re out there in the Cloud?” Jetter did a double take, but my colleague pressed on: “I mean, physically, where are they?”</p>
<p>Of course, the answer is: on some nameless server somewhere, anywhere in a grid farm in Ohio or Dublin or… In fact, the usual answer is: Who cares?</p>
<p>Well, for one, the German privacy protection agencies do. Passing data across national boundaries can be a federal offense not only here. The <a href="http://en.wikipedia.org/wiki/Data_Protection_Directive#Transfer_of_personal_data_to_third_countries">EU Data Protection Directive</a> (officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data) mandates that personal data may only be transferred to third countries if that country provides an adequate level of protection – something the U.S., just to name one, does not, at least not according to European standards, especially since foreigners do not benefit from the US Privacy Act of 1974.</p>
<p><a href="http://www.crunchbase.com/person/martin-buhr">Martin Buhr</a>, the European head of Amazon&#8217;s Web Services (@tallmartin on Twitter) and the champion of Amazon’s <a href="http://aws.amazon.com/ec2/">Elastic Compute Cloud</a> (EC2), with whom I shared a recent panel on Cloud Computing, has a pragmatic solution to the question of where to store data in the Cloud and whether or not location matters. Amazon operates separate Cloud Computing centers in the States and in Ireland, so problem solved. Or is it?</p>
<p>Operating what are essentially two Clouds (called “Availability Zones”), each running on its own physically distinct, independent infrastructure, makes sense from a data center perspective. Common points of failures like generators and cooling equipment are not shared across AZs. This sounds similar to the common practice of data center redundancy, but normally this is done to ensure operational security. Data are mirrored back and forth constantly so if one center goes down, the other can pick up immediately. But in this case, at least theoretically, there is no redundancy since these are essentially two separate systems.</p>
<p>Only, of course, they aren’t. So Amazon has added a system whereby EC2 assigns regional IP addresses to its customers, so presumably it is easy to determine which data can travel across the Atlantic and which can’t. I don’t want to get into a long discussion about IP spoofing and similar technologies developed to foil state-run censorship systems like the Great Firewall of China, but you get the general idea. Okay, they use IPv4, but Version 4 addresses are a scarce resource. And yes, they claim they have compliance options that will make hosting data in the Cloud both safe and legal.</p>
<p>Maybe I’m cynical, but I’ve been around too long and heard too many tales of supposedly fail-safe systems being compromised by whiz-kids or Russian Mafiosi to really believe that quick fixes on the infrastructure level will hold out forever. I would prefer to see Amazon and others in the Cloud community discussing user-centric identity-based approaches to the problem instead of essentially saying: “Trust us.” I’m pretty sure my elderly colleague won’t. He’d like to be able to check out for himself exactly where somebody put his data.</p>
<p>PS: Maybe we&#8217;ll hear more on this at <a href="http://www.id-conf.com/eic2009">EIC 09</a>, which starts tomorrow in Munich. If you&#8217;re interested, stop by my panel on &#8220;<a style="text-decoration: none;" href="http://www.id-conf.com/tracks/77">(User Centric) Identity in the Cloud</a>&#8221;, which is scheduled for 2 pm on Tuesday.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Wed, 22 Apr 2009 18:00:20 +0200</pubDate>
			<title>Sun integrates MySQL with IDM Offering</title> 
			<link>http://blogs.kuppingercole.com/gaehtgens/2009/04/22/sun-integrates-mysql-with-idm-offering/</link> 
			<guid>http://blogs.kuppingercole.com/gaehtgens/2009/04/22/sun-integrates-mysql-with-idm-offering/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/gaehtgens">Felix Gaehtgens</a><br><br><p>Sun Microsystems has just announced at the annual MySQL Conference that it is adding extended support for MySQL into its Identity Management stack. That&#8217;s great, but what does it mean? For one, MySQL is hugely popular &#8211; starting off as an embedded open source database, and slowly but surely pushing into the enterprise RDBMS area over the years. Most enterprises use MySQL somewhere &#8211; some of them use MySQL strategically (i.e.: if you need a database, consider MySQL as one of the options, or even as the default option).</p>
<p>So what does this have to do with identity management? Most databases are used by applications, and many of these applications have some user schema in their databases. This means that identity information is widely dispersed through very many different databases throughout the enterprise, like a mosaic. Identity management over the years has been making the promise to consolidate, bind together and manage identity information, and Sun Microsystems has an extensive identity management offering that does exactly that. Sun&#8217;s added support for MySQL across their entire identity stack takes this to a new level by allowing organizations to bind together data regardless of whether it is stored in a classic directory or a relational database.</p>
<p>For one, Sun Microsystems has enhanced and strengthened the links between MySQL and the two directory servers: DSEE and OpenDS. DSEE (Directory Server Enterprise Edition) is Sun Microsystems&#8217; flagship directory server that combines essential enterprise features with carrier-class scalability. OpenDS started off as a project to be Sun&#8217;s next generation directory product line, and is very successful as an embedded directory. In several years, OpenDS is due to replace DSEE as Sun&#8217;s flagship directory server.</p>
<p>The enhanced integration brings numerous advantages to both enterprise and telco directory scenarios, and I&#8217;ll go through them briefly. Let&#8217;s start with the Telcos, as it is always impressive to talk about massive scalability, availability and speed. MySQL can be used as a back-end data store for OpenDS, Sun&#8217;s open source directory server. According to an announcement made yesterday, OpenDS Standard Edition can be integrated with MySQL Cluster. When used together, OpenDS provides the LDAP directory front-end to a rock-solid, clustered relational database. This is really interesting for Telcos, service providers and other very large directory users that need scalability and have very high availability requirements. Using a clustered relational database such as MySQL Cluster as a back-end for OpenDS allows administrators to gain extra flexibility for data management, which comes in really handy when the amount of data is massive. It also gives more options for providing a one-stop directory service. LDAP directory servers are typically deployed as a set of equivalent multi-master servers &#8211; each &#8220;master&#8221; managing an autonomous copy of the data set. A replication mechanism is then used to keep all masters in sync. Now add the clustering features, and the resulting mix is like a Swiss army knife for those that need the ultimate flexibility and resilience in directory services.</p>
<p>In fact, after this integration OpenDS and OpenLDAP are the only directory servers that allow users to choose either a &#8220;traditional&#8221; Berkeley DB based embedded backend or a relational database backend. The former is great for enterprises that prefer a maintenance-free, zero-administration back-end, and because of this many directory servers have traditionally used Berkeley DB. The latter, using a fully-fledged relational database as a back-end for directory servers, opens up many possibilities in terms of data management, but is more difficult to manage. Traditionally, users had to choose a different product depending on whether the priority was ease of maintenance or sophisticated data management features when choosing a directory server. Now OpenDS users have a choice within the same product. And not just for OpenDS: Sun is actually licensing MySQL Cluster as &#8220;MySQL Cluster Carrier Grade Edition&#8221; to be used either with OpenDS or OpenLDAP. I know quite a few LDAP directory administrators working in large Telcos, and I&#8217;m sure they&#8217;re thrilled.</p>
<p>On the enterprise side, Sun has added virtual directory features to DSEE to easily link into MySQL databases. This means that data that used to be stashed away in MySQL databases can now be made easily available through the LDAP protocol. Being an advanced feature of virtual directory servers, it shows Sun&#8217;s commitment to extend their virtual directory offering.</p>
<p>But MySQL support has not just been enhanced in Sun&#8217;s directory servers. Sun Identity Manager can read and provision identity data to and from any MySQL database schema, and can now even use MySQL as its primary internal data repository. Role Manager can use MySQL as its identity warehouse. OpenSSO can also use MySQL as an identity repository. In a way this was to be expected when Sun acquired MySQL a bit more than a year ago &#8211; to start building on its acquired RDBMS platform and integrate it with its other offerings, in this case Identity Management. It is actually quite impressive how fast this integration has happened when compared to other vendors who take considerably longer &#8220;digesting&#8221; acquisitions and combining them to maximise value.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Sun, 05 Apr 2009 11:42:42 +0200</pubDate>
			<title>The Digital Knee</title> 
			<link>http://blogs.kuppingercole.com/cole/2009/04/05/the-digital-knee/</link> 
			<guid>http://blogs.kuppingercole.com/cole/2009/04/05/the-digital-knee/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/cole">Tim Cole</a><br><br><p>Since &#8220;Minority Report&#8221;, where Tom Cruise toted a squishy bag full of spare eyeballs around to hold up in front of iris scanners, thus fooling the access systems, biometrics has been a buzzword, if only a minor one, but it has failed to catch on in a meaningful way. A few years back I speculated that this is because every existing biometric method has serious <a href="http://www.kuppingercole.com/articles/biometrie_fingerabdruck">drawbacks</a>. Fingerprints fade as you grow older, and some people don&#8217;t have any because they are afflicted with a rare disease called &#8220;Naegeli syndrome&#8221; or <a href="http://en.wikipedia.org/wiki/Dermatopathia_pigmentosa_reticularis"><em>dermatopathia pigmentosa reticularis</em></a> (DPR) that can cause vexing social problems. Recently, two identical twins were indicted for robbing the department store <a href="http://www.nytimes.com/2009/02/21/world/europe/21germany.html">KdW in Berlin</a>, but had to be released when the authorities found that it was impossible to determine which of them had actually done the heist since they share the same DNA. And many people instinctively refuse to put their eye to an iris scanner because they worry that they may be blinded by a flash of light from a malfunctioning machine.</p>
<p>Now, the weekly newsmagazine <em>The Economist</em> has come up with what may prove to be the perfect biometric identifier: <a href="http://www.economist.com/science/displaystory.cfm?story_id=13403161">the human knee</a>. According to the story, <a href="mailto:shamirl@mail.nih.gov">Lior Shamir</a>, a geneticist at the National Institutes of Health in Maryland, has developed a knee-analysing mathematical algorithm for medical use. Knees, it seems, are unique in each individual human. By exploring X-ray images of the general structure of various knees and then using their brand-new algorithm to look at them in greater detail, for instance by measuring the texture of the bone through monitoring differences in individual pixels, the researchers found that the best identification was possible by concentrating on a smaller image of the centre of the joint rather than the entire knee. The team also points out that the algorithm can correctly identify a given pair of knees and match it to a specific individual in the database even if the original X-ray were taken several years earlier.</p>
<p>According to Mr Shamir, the success rate still needs to be improved. In the <em>International Journal of Biometrics</em>, his team reports it achieved a correct match 34% of the time. It was also able to pick the ten closest matches to a particular knee 56% of the time &#8211; still far from the degree of accuracy provided by established biometric systems. But as Shamir remarks, it&#8217;s early days yet for the science of knee identity management, and given time (and grant money) they hope to get there.</p>
<p>Naturally, this raises the question of how to build a viable world-wide identity infrastructure based on knee ID. Rumors have it that Samsung is secretly developing a &#8220;deskbottom&#8221; knee scanner (DKS) which fits comfortably under a table. Portable models can&#8217;t be that far away, and we can easily imagine laptops with built-in knee scanners.</p>
<p>Of course there are still numerous social issues which need attention. Baring one&#8217;s knees in public is frowned on in some cultures, and it may prove awkward in places like airplane seats or boardroom meetings. However, over time we can expect to see a shift in cultural biases, given the obvious advantages of knee-based recognition systems. In the end, the <em>Economist&#8217;s</em> tongue-in-cheek sum-up may well prove prescient: not the ayes (or eyes), but &#8220;the knees have it&#8221;&#8230;</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Sat, 04 Apr 2009 10:01:22 +0200</pubDate>
			<title>Is SSO the key to the desktop?</title> 
			<link>http://blogs.kuppingercole.com/cole/2009/04/04/is-sso-the-key-to-the-desktop/</link> 
			<guid>http://blogs.kuppingercole.com/cole/2009/04/04/is-sso-the-key-to-the-desktop/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/cole">Tim Cole</a><br><br>
<p><span lang="EN-US">I recently had a cup of coffee with a couple of interesting youngsters from Hamburg, Christian Evers and Philipp Spethmann, who have set themselves a truly impressive goal. They are out to wrest nothing less than the control of German desktops from giants like iGoogle, T-Online, Yahoo! &amp; Co. And they believe the way to do this is by providing consumers a safe and simple way to log onto their favorite websites.</span></p>
<p><span lang="EN-US">Their company, founded two years ago with money from Ammer Partners, one of Germany&#8217;s big venture funds (yes, there still are functioning venture funds over here; many of them, in fact), is called &#8220;</span><a href="www.allyve.com"><span lang="EN-US">allyve</span></a><span lang="EN-US">&#8221; (pronounced &#8220;alive&#8221;), and they describe their product as &#8220;the keyring of the Internet.&#8221; What it boils down to is a set of widgets that provide single sign-on &#8211; they prefer the term &#8220;open authentication&#8221; &#8211; to a pre-defined list of favorite online sites. This in not the kind of OA that the OATH initiative is propounding; in fact allyve seems to be intent on doing things their own way instead of following the standards path (open or not). Good luck, I say. </span></p>
<p><span lang="EN-US"><span id="more-11"></span>However, that is beside the point here. What I found fascinating was Christian and Philipp&#8217;s approach to getting online authentication to market. Instead of trying to convince other vendors to help them spread the good word, they are putting their bucks (or rather, their venture capitalist friend’s bucks) into building up a partner network of big e-commerce companies. And they are actually going on national TV to plug their system &#8211; something not even the behemoths of Identity Management have had the guts to do yet, at least in Germany. (&#8221;Viral will only take you so far&#8221;, Christian says.)</span></p>
<p><span lang="EN-US">The partner deals are simple: You let us program a widget that gets your customers online with a single click directly from the allyve website, and we&#8217;ll make sure they keep coming. Oh, and yes, it&#8217;s free! You don&#8217;t have to pay us a cent. We&#8217;ll find another way to refinance ourselves, possibly through ad revenues, possibly by charging some kind of a premium user fee (we&#8217;ll work out the details later; right now all we want is to achieve critical mass as quickly as possible).They also have plans to market a </span><span lang="EN-US">licensed </span><span lang="EN-US">B2B version of their system which will provide single-point authentication within Intranets and extended enterprize networks; Olympus already uses their system to log on 6,000 employees in Europe. However, the B2C space is where they are concentrating their efforts, and the one where they are achieving their greatest success.<br />
</span></p>
<p><span lang="EN-US">That&#8217;s probably why their list of partners is already so impressive. They have gone after the big social communities like Facebook, Myspace and Xing, dating services (parship, firend-scout24), big-name web commerce sites like eBay (they&#8217;ll partner with anyone these days, it seems) and Amazon, and the leading German media companies and newspaper publishers like Axel Springer (&#8221;Bild.de&#8221;) and Spiegel-Online, as well as the leading customer bonus programs (&#8221;Payback&#8221;, &#8220;Happy Digits&#8221;) and the big German airline Lufthansa. These are all high-volume players in their respective fields, and joining allyve doesn&#8217;t cost squat, so hey, why not? </span></p>
<p><span lang="EN-US">The result is that Christian and Philipp have more than 85.000 signed-up users, twice the number they had three months ago, and they plan to keep growing by double digits every month for the foreseeable future. They also have plans to grow outside of Germany. One of their first steps was to register patents on their key systems, one for the way that the user&#8217;s personal data is aggregated and the second on their &#8220;deep-link&#8221; technology that takes users straight to the desired content page instead of simply logging them in on the operator&#8217;s homepage. Negotiating the right to do this is the tricky part of each partner deal, but so far none of the big guys seems to be complaining. allyve has even managed to recruit providers like AOL, Yahoo!, 1&amp;1, and Web.de who I would have assumed are competitors. No, says Philipp, they have other things to think about, and if someone wants to bring them oodles of eyeballs, who cares?</span></p>
<p><span lang="EN-US">Technically, what allyve is doing may be &#8220;single sign-on lite&#8221; (after all, it&#8217;s simply a bunch of widgets, each one individually programmed to fit the vendor&#8217;s API), but the result is impressive. And these two young kids are way ahead of the pack in terms of market visibility. So maybe they&#8217;re doing something right. Who knows? Time will tell.</span></p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Wed, 01 Apr 2009 23:37:00 +0200</pubDate>
			<title>In Praise Of Sabbaticals</title> 
			<link>http://blogs.kuppingercole.com/cole/2009/04/01/in-praise-of-sabbaticals/</link> 
			<guid>http://blogs.kuppingercole.com/cole/2009/04/01/in-praise-of-sabbaticals/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/cole">Tim Cole</a><br><br><p>In early 2008, I asked my colleagues at Kuppinger Cole + Partner for leave of absence in order to take a &#8220;Sabbatical&#8221;, a kind of timeout. No, not because of burnout or anything dramatic like that, but rather because distance tends to sharpen your perspective, and I was worried that I was getting too wound up in the nitty-gritty of Identity Management as a specialized field.</p>
<p>As a more or less non-technical person, I had begun to believe that the issues addressed by this industry are much wider than many of us seem to realize. And in order to truly appreciate what is going on I felt I needed to take a step back.</p>
<p>In &#8220;Through the Looking-Glass&#8221;, Lewis Carroll describes a world on the other side of the mirror which closely resembles our own, but is subtly different. &#8220;How would you like to live in Looking-glass House?&#8221;, little Alice asks her kitten. While it appears to look just like the world on this side, &#8220;it may be quite different on beyond&#8221;, she speculates.</p>
<p><span id="more-8"></span>In fact, as it turns out the world beyond the looking-glass is very like our own, but often slightly different rules apply. In a game of chess, for instance, the king can move as often as he wants &#8211; but people still play chess (in fact, the entire book can be viewed as a complicated chess problem, as Martin Gardner famously proves in his immortal book, &#8220;The Annotated Alice&#8221;).</p>
<p>I have begun to view the Internet as a kind of world beyond the computer screen; one that, like Carroll&#8217;s Looking-Glass House, is strangely familiar, yet subtly different from ours. And as more and more people start to spend more and more time behind their screens, they become accustomed to following a slightly different set of rules there.</p>
<p>One of the biggest differences is that it is much more difficult to prove who you are in the world beyond the screen. And while it is exciting and fascinating to don a cloak of invisibility for a while, the anonymity and unaccountability originally associated with cyberspace (the place, as John Peter Barlow famously remarked, &#8220;where we are when we talk on the phone&#8221;) tends to create problems that grow greater the longer we live there.</p>
<p>As we stare at ourselves in the virtual looking-glass, many of us are beginning to ask the existentialist question: “Who am I when I’m online?” Am I the same person that is sitting in front of the computer typing on the keyboard, or am I someone else? And regardless of the answer: How do I prove I am who I am (or think I am)?</p>
<p>Simon Clatworthy, professor of Interaction Design at the Oslo School of Architecture and Design (AHO), uses the term “Digital Me” as a way of differentiating between the living, breathing me and the me that spends a significant part of his time accessing digital information, using digital products, communicating through digital media and playing digital games. I agree.</p>
<p>Consequently, I now strongly believe that it is the job of Identity Management to enable individuals to lead happy and fulfilling lives beyond the computer screen &#8211; and not to determine how many angels can dance on the head of the latest IdM product update. Hopefully, my Sabbatical will have made me more aware of the fundamental forces that are shaping the perception of digital identity and the drivers that will determine its future. And yeah, it feels good to be back.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Sun, 29 Mar 2009 19:38:45 +0200</pubDate>
			<title>The wild ride that was TEC 2009</title> 
			<link>http://blogs.kuppingercole.com/gaehtgens/2009/03/29/the-wild-ride-that-was-tec-2009/</link> 
			<guid>http://blogs.kuppingercole.com/gaehtgens/2009/03/29/the-wild-ride-that-was-tec-2009/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/gaehtgens">Felix Gaehtgens</a><br><br><p>I just came back from this year&#8217;s Expert conference, TEC 2009. Last year it was still called the &#8220;Directory Expert&#8217;s Conference&#8221; (DEC). This year the conference has been extended to include training on Microsoft Exchange as well, hence the name change. And of course not to forget that Quest has taken over Netpro &#8211; but has this really changed the scope or focus of TEC? Not at all, as was very immediately visible from the start, with a very funny introductory video. It started off just like a very glitzy marketing presentation that turned quickly into a hyperbole of fuzzy marketing buzzwords and photos of smiling executives. The initial bemusement turned into bewilderment, and quickly I could see some rolling eyes and frowns around me, just when the marketing fuzz stopped right in the middle of it, and into the video stepped the image of Gil Kirkpatrick, DEC&#8217;s founder and Quest&#8217;s Chief Architect who, looking annoyed, asked the marketing voice what all of this was about. Nothing at TEC was going to change from what DEC was &#8211; this was no marketing trade show, but rather a place for people to learn and exchange experience about Microsoft products &#8211; specifically Active Directory and Exchange. The video then stopped to make place for the real Gil Kirkpatrick coming on stage to a big applause and delivering the welcome speech.</p>
<p>As a sign of the times, the conference was somewhat smaller than last year &#8211; the organisers spoke about a difference of about 30% of attendees compared to last year&#8217;s DEC. When Gil asked the audience who had to jump through extra hoops to get to TEC, several hands flew up. Those who went, however, had an excellent, varied and carefully balanced programme waiting for them. As with all conferences, it can sometimes be a challenge picking a presentation to go to from multiple presentations going on at the same time. I was very pleasantly surprised to see that some key presentations were given more than once so that I could attend them even though I had missed them the day before. Also, presentations were recorded this time and will soon be made available to attendees, which especially for me is an additional value.</p>
<p>The &#8220;day before&#8221; &#8211; i.e. Sunday &#8211; several pre-conference workshops had already been given. This was a tough decision for me, as I was torn between going to Laura Hunter&#8217;s workshop on ADFS and Bahram Rushenas&#8217;s workshop on codeless provisioning with ILM 2. I chose ILM and the workshop turned out to be very informative, as it gave me a very good glimpse into codeless provisioning with ILM. I still felt sad to have missed Laura&#8217;s ADFS workshop, which received high praise (which did not surprise me, as Laura is a passionate expert on this topic, as well as a gifted speaker). But one can&#8217;t have everything! <img src='http://blogs.kuppingercole.com/gaehtgens/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> </p>
<p>The second workshop was again on ILM. Dave Lundell, a DEC veteran and one of the most knowledgeable sources on ILM that I have met to date, presented on the topic &#8220;Taming the Chaos &#8211; Building a Practical Lifecycle Mgt. Application in the ILM &#8220;2&#8221; Portal&#8221;. I knew it was going to be good because I already attended (and raved about) his ILM 2 workshop last year at DEC. This one turned out to be a truly wild ride! Dave and his colleague Brad Turner from Ensynch pushed the envelope by demonstrating what I&#8217;ve often heard but never really seen &#8220;in action&#8221;: that ILM 2 is more than just a provisioning tool, but in fact a whole platform that allows all kinds of lifecycle management for enterprise data. He took an excellent example out of the world of enterprise IT: the management of OIDs (Object Identifiers). Enterprises can receive an OID tree within the &#8220;private enterprise&#8221; branch by requesting it from IANA. This OID tree can then be used to number enterprise-specific schema extensions, SNMP objects and other things that need an OID and are used within an enterprise. The OID space should be properly managed in order to give it the correct structure and make sure that no OID is assigned twice. This unfortunately is very rarely done in any enterprise &#8211; perhaps because of its technical nature and because the negative effects are usually not visible immediately when the OID tree space is not managed properly &#8211; and there are few who &#8220;do it right&#8221; and properly manage their OID space. Dave and Brad showed how to implement OID management with ILM 2. This was very interesting because it gave us participants a deep dive into the guts of ILM 2, its data structures and workflow possibilities. It also really pushed ILM 2 to its current limits. Ensynch has written several custom workflows and contributed them via the codeflow web site in order to get around some current limitations in ILM 2. Those guys continue to amaze me.</p>
<p>Of course, the news about Microsoft&#8217;s delaying ILM 2&#8217;s official release for a whole year put a bit of a damper on the party. Disappointment was tangible from customers and vendors alike. I can certainly understand that although ILM 2&#8217;s maturity has evolved since last year, Microsoft wants to play it safe and gain some more experience with deployments, and iron out some kinks that are still present in the current beta version. That however doesn&#8217;t help those partners of Microsoft who have made a significant investment for ILM 2&#8217;s supposed imminent release. Gemalto, for example, was poised for a big launch and threw a big party that, well, was still a great party although with excitement rather muted because the cause for the celebration was gone. Attendees were also very disappointed, many of them having come to TEC specifically for the purpose of sharpening their skills in order to prepare for an imminent deployment of ILM 2.</p>
<p>But back to the positive aspects of TEC 2009, which were many &#8211; and you obviously can&#8217;t blame Quest or TEC for Microsoft delaying ILM 2! The first presentation I went to was Brian Puhl presenting on his experience over the last few years rolling out federation agreements. As one can expect from Brian, it was interesting, funny and thoughtful. Of the lot of information provided I especially liked Brian&#8217;s experience with the entirely non-technical problem around creating trust agreements &#8211; and the multiple iterations of procedures that Microsoft went through until they had a model that actually works. In the beginning, there was the list of the &#8220;10 commandments&#8221; &#8211; you shall do this, you may not do that, and you must do it like this, and so on. The resulting list was probably bulletproof from the standpoint of mitigating every conceivable risk, but turned out to be so draconian that nobody, not even Microsoft&#8217;s departments, could comply with it. The next iteration was an extensive questionnaire about the state of security and management of identities that a partner had to fill out. The problem there was that many partners certainly did not want to divulge all this information about their internal controls and security subsystems that they thought were confidential. The next iteration then was a definition of a lowest common denominator &#8220;bar&#8221; that a partner had to jump over in order to qualify for federation. Three &#8220;bars&#8221; were defined with different classifications for non-critical, medium-value and high-value and confidentiality content. To qualify, a partner had to vouch that certain criteria were met. Each criterion then had a point score, and the resulting total score would determine which &#8220;bar&#8221; the customer had reached, and hence qualified for within the federation agreement. This turned out to be very workable.</p>
<p>Another TEC veteran is Pamela Dingle, formerly of Calgary-based Nulli Secundus Identity Management consultancy. Pamela has just flown the coop and started a company called &#8220;Bonzai Identity&#8221; with the goal to help enterprises get to grips with identity management by carefully nurturing good practices, aligning business processes, making sure that data is correct, and helping organisations make the &#8220;right decisions&#8221; over time. She writes that &#8220;It is like gardening; you will have much better luck making small adjustments throughout the life of your garden than you will allowing a wilderness to grow and then wading in with a machete&#8221;. Her talk at TEC was entitled &#8220;A survivalist&#8217;s guide to identity management&#8221; and focused on the business process shortcomings and warning signs that can really bog down identity management projects. A great overview and invaluable compilation of experience that can avoid very costly traps and maximise the value of those projects.</p>
<p>TEC is legendary for bringing out the best of Active Directory experts and getting not just best practices from the real pros, but also hard-core technical info that you can&#8217;t find in other places. There is a gang of &#8220;usual suspects&#8221; whose presentations I always try to attend because it doesn&#8217;t get much better than that when you want to learn about Active Directory and dive deep into the technology. Apart from Brian Puhl, who is responsible for running AD in Microsoft&#8217;s IT department, there are Laura Hunter, Joe Kaplan and Dmitri Gavrilov. Interestingly enough, those AD gurus have become quite turned on by ADFS and federation, and (except for Dmitri) are presenting on that topic.</p>
<p>This has been the first time I&#8217;ve had the honour to speak at TEC, and even twice! My first presentation was on the subject of authorisation: once you&#8217;ve authenticated the user, then what? How do, can and should applications decide how to allow (authorise) a user to do and see things? It is a subject that I&#8217;ve focused on quite a bit over the last months and something that I am dedicating a whole track to on May 6th at our European Identity Conference in Munich. I couldn&#8217;t help feeling that this particular presentation was a bit of an &#8220;odd one&#8221; at TEC, because I unfortunately could not just yet teach people how to use technology to do it: We are still early in the game because big vendors such as Microsoft and Sun have yet to commit to standards in this area, come up with frameworks and stipulate good practices. It&#8217;s not completely satisfying when at the end of the presentation you have illustrated the problems and pain, but can&#8217;t really point to a solution yet. However I see encouraging signs that vendors are taking this seriously and thinking about ways to tackle these problems. It is not just a lack of technology, but the fact that, well, there certainly is a lack of standardised technology, and the current &#8220;best practices&#8221; that encourage application developers to just hardcode security into their applications just exacerbate the problem. I would obviously like to see more interaction between the vendors instead of everybody just thinking within their own box. At our European Identity Conference I am bringing some of the thought leaders, visionaries and experts together and will try to rally them into working together to find solutions as an industry.</p>
<p>My second presentation was on TEC&#8217;s equivalent of a &#8220;Friday afternoon&#8221; &#8211; on the last day of the conference shortly before lunch. I was very excited about the topic because I was presenting about &#8220;Cool LDAP Innovations&#8221;. As TEC is about Active Directory I thought it was important to share a different perspective on what is happening outside of AD with other directory servers. Since the AD world is essentially closed (you can&#8217;t rip out AD from a Windows network) there is no competition in this space, and in my opinion very little innovation. Compared to other directory servers, AD and ADAM have fallen behind in technology, so I felt a bit tongue-in-cheek, talking about some cool stuff that other vendors were doing. The evening before I managed to intercept Nathan Muggli and asked him if he&#8217;d attend, and he kindly did. I finished early and a lively discussion started. After a few minutes I was delighted to see the whole thing starting to look like a BoF session and I decided to sit down in the middle with the other participants and we continued discussing.</p>
<p>Kevin Kampman from the Burton Group (technically a competitor, but I prefer to see him and his co-workers as distant colleagues) gave a presentation entitled &#8220;the case for identity services&#8221;. Out of the pain points that he highlighted I could identify the same ones I talked about in the &#8220;authorisation&#8221; presentation the day before. It&#8217;s great when a smart, experienced guy like Kevin arrives at the same conclusion &#8211; it means that we definitely have a case!</p>
<p>I had to scramble after Kevin&#8217;s presentation, grab a quick lunch and then hop into the car to drive back to Los Angeles, where I came from this time. I had thought that the drive through the desert would have been more exciting, but I&#8217;ve since been told that for things to get spectacular, Death Valley or Arizona would be the best option (both close, but I didn&#8217;t have time for the detour). Just having gotten back to Europe this morning, I am still thinking back about this intense and enlightening experience and am definitely looking forward to the next one!</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Sat, 21 Mar 2009 17:54:07 +0100</pubDate>
			<title>Innovations in the world of LDAP</title> 
			<link>http://blogs.kuppingercole.com/gaehtgens/2009/03/21/innovations-in-the-world-of-ldap/</link> 
			<guid>http://blogs.kuppingercole.com/gaehtgens/2009/03/21/innovations-in-the-world-of-ldap/</guid> 
<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/gaehtgens">Felix Gaehtgens</a><br><br><p>I&#8217;ve recently been to Sun&#8217;s directory labs in the beautiful city of Grenoble, France to talk about what Sun has in store with their two directory servers: DSEE and OpenDS. I&#8217;ve used many predecessors of DSEE (starting with the good old Netscape Directory Server) on several projects over the last decade and used to know it inside out. I&#8217;ve grown quite fond of it, and so has everybody else I know who has used the product. I wasn&#8217;t exactly sure why Sun embarked on its OpenDS project. Why reinvent from scratch what is already a perfectly great product? This question was on my mind, and I was eager to find out why.</p>
<p>When it comes to directory servers, most analysts like to classify them according to the market segments they address. In no particular order, they are: operating system/network, telco and service provider, enterprise and embedded. When it comes to the operating system/network directory servers, Active Directory rules &#8211; not necessarily because it is the best for this purpose (and just to be clear: it&#8217;s not bad either!), but &#8211; well &#8211; it&#8217;s so intrinsically linked to Windows that you don&#8217;t really have a choice. When Novell Netware was around, NDS and eDirectory were other candidates in that area, but it&#8217;s pretty much down to AD at this point in time. It&#8217;s in the other segments where it gets really interesting because there is some very active development and strong competition.</p>
<p>The Telco/Service provider directory segment is particularly interesting because only the most scalable directory servers can even attempt to survive in this area. Sun has been very strong in this area for many years, and for a good reason: experience and continuous improvement. I&#8217;ve been involved first hand in several very large deployments of Sun Directory Server 5.0 (I think it was during the time when Sun called it &#8220;iPlanet Directory Server&#8221;). At that time, in the early years of this millennium, we deployed the server for hosting several hundreds of millions of entries. Yes indeed, about 120 Million entries! This was 2002, and at the time the sheer scale was pushing the envelope quite a bit &#8211; but it didn&#8217;t just work, it actually worked quite well! Performance, multi-master replication, and resilience were absolutely key for these types of installations. And sure &#8211; in the early versions of 5.0 there were some kinks that had to be ironed out of the replication protocol, but even then it was quite amazing how scalable the directory was, and how well it could actually be managed with such an impressive number of entries. Over the last 7 years, the directory server evolved even further &#8211; multi-master replication is rock solid and Sun has tinkered continuously with the software to increase scalability way beyond what was already impressive in 2002. Nowadays, there are quite a few reference customers who run Sun Directory Server with literally billions of entries (incidentally, many of them in China &#8211; why am I not surprised <img src='http://blogs.kuppingercole.com/gaehtgens/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' />  ), and this is considered perfectly normal.</p>
<p>When it comes to reliability, a key to deploying very large directories is redundancy, and the possibility to balance loads and fail over between multiple instances. In the early days, load balancing appliances were used to do this (Alteon was really good at this in its day), but unless those appliances had specialised proxy features to handle the intrinsics of the LDAP protocol, this by itself wasn&#8217;t a very good option for large deployments. Sun had acquired a company called Innosoft a decade ago, and with it came a product called &#8220;DAR&#8221; &#8211; Directory Access Router &#8211; a fully fledged LDAP proxy. Over the years, Sun has enhanced DAR and bundled its next generation into Directory Server (now known as &#8220;DSEE&#8221;, Directory Server Enterprise Edition) at no additional cost. Being an important cornerstone of very large and complex directory deployments, it fits like a glove into the directory service and extends it by offering extensive request routing functionality, high availability and performance features and simple mapping features. Previously, only the CA eTrust directory had these features.</p>
<p>I can talk all day about deploying telco directory services, because I used to do it for a living, and am still fascinated by the sheer volume and raw power involved <img src='http://blogs.kuppingercole.com/gaehtgens/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' />  But there are another two very glorious aspects of directory services, and they can be found in the enterprise and in the still fairly recent embedded directory segment.</p>
<p>The enterprise directory segment is where most of the innovation is happening. Enterprises are typically not as focused on performance, and often more interested in integration, security and manageability. Integration is a very big topic, because the directory service is a crucial piece in any identity management infrastructure. And we&#8217;re usually not talking about &#8220;a&#8221; directory either &#8211; most enterprises have many different directory servers, containing either different user populations, or part of the same users but for different purposes. It is in the integration area where much innovation has happened in the directory area. It doesn&#8217;t surprise me that most enterprise directories nowadays feature simple virtual directory functions. That was not the case five years ago, when I worked for a virtual directory vendor. At that time directory service vendors did not foresee virtualisation features as being an important part of their portfolio &#8211; perhaps because some of those vendors were also selling an &#8220;identity manager&#8221; type provisioning system and thought that any directory integration could be solved by deploying a full-blown provisioning system and brute force copying data around <img src='http://blogs.kuppingercole.com/gaehtgens/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' />  Well, this wasn&#8217;t really a feasible solution in all cases, so it is only natural that virtual directory companies such as OctetString and Maxware were acquired, and other vendors are &#8220;rolling their own&#8221; virtualisation features.</p>
<p>Some of the features that are not obvious, but extremely useful in the enterprise scenario are exactly those that allow a directory server to easily interoperate with provisioning, virtualisation and synchronisation products. Technically, the features in an LDAP server that are relevant here are persistent queries, incremental updates and proxy auth. These are low-level features that are absolutely crucial when identity &#8220;managers&#8221; and provisioning services interface with directory servers.</p>
<p>Some other desired features within the enterprise directory segment are about password services and policies. In the vast list of features to be found in most modern directory servers are sophisticated access control lists that are expressive enough to configure a finely grained access control policy for deciding who gets access to what type of information. This used to be very important in the past but is getting less important as access control rules on the directory servers tend to be simpler nowadays, because changes typically occur through provisioning systems, and not that much any more directly to the LDAP server. Password policies are also a typical feature used in enterprise directory servers (you know &#8211; minimum length, character combination, auto-lockout, auto-expiry, and all those things). And of course, keeping track of when users last logged on &#8211; very helpful in order to identify dormant accounts.</p>
<p>Another important detail is also how passwords are stored, and how they can be migrated from one server to the other. As a general rule, it&#8217;s always good to offer administrators choice. Obviously passwords need to be well protected. But the approach of some directory vendors (specifically Microsoft and Novell) to &#8220;secure&#8221; their directories has backfired &#8211; the directory servers hoard the passwords and don&#8217;t even offer any possibility for administrators to export encrypted password hashes. You may wonder whether this &#8220;secure&#8221; feature is actually a hidden &#8220;lock-in trap&#8221;! That has created a secondary market around password &#8220;synchronisation solutions&#8221; in order to overcome the deficiency in the product itself, where the product&#8217;s designers thought they had to be smarter than the poor administrators who actually need to deploy, migrate and maintain them.</p>
<p>Last but not least, let&#8217;s not forget about one of the very important aspects of enterprise directory services. They need to be simple to deploy, administer and maintain! In the telco area it may be considered acceptable if the directory administrator team features several fully trained relational database administrators, but in enterprise environments that can be too much overhead. Directory servers that make use of relational databases for storing their directory data, such as Oracle&#8217;s OID and IBM&#8217;s Tivoli Directory Server, can point to the advantages of running a directory services platform on a rock-solid database foundation (in these cases, Oracle and DB2 respectively). But the extra administration overhead can be considerable. CA has traditionally used the Ingres relational database for its eTrust Directory Server, but has now in the latest Version 12 switched to something called &#8220;DXgrid&#8221; &#8211; a revolutionary internal memory-mapped storage that not only offers incredible throughput, but also eliminates a significant portion of administration. Sun has always used a simpler, but very fast and highly scalable data store for its directory server called BerkeleyDB &#8211; the same one also used in most installations of OpenLDAP.</p>
<p>After mumbling on for quite a discourse I actually wanted to get to the point of Sun&#8217;s OpenDS, and the question that I wrote in the beginning of this entry. Why reinvent from scratch (OpenDS) what is already a perfectly great product (Sun DSEE)? As it turns out, there&#8217;s been a new segment for directory servers that is steadily growing: the one of embedded directory services. For example, packaged solutions that require a directory server internally. Or &#8220;black box&#8221; appliances with a provisioning interface that contain &#8211; guess what &#8211; a directory server. A few years back, it was OpenLDAP that was typically shipped with those solutions, because it was free, open and could be embedded more easily than other full-fledged directory server products. Now it is OpenDS that is continuously gaining ground, and for good reason. With its incredibly easy set-up and minimal administration, OpenDS epitomises what an embedded directory stands for. And on top of that, the scalability and performance are world-class. Development on OpenDS is, as the name implies, well &#8211; open. The development team features Sun employees and others outside Sun, just like OpenSSO. The release cycle is short and the new features list is growing at an incredible rate.</p>
<p>So will OpenDS one day replace DSEE? Most likely. But this is still far in the future &#8211; for the next few years Sun is actively investing in DSEE as its flagship directory whilst continuing to nurture OpenDS and offering it as an embedded directory server, as well as to anyone interested in quickly deploying a directory server. Now, when I say &#8220;quickly&#8221; &#8211; I&#8217;ve managed to install it, extend the schema and load some data into it in less than fifteen minutes! Now that&#8217;s what I would call &#8220;quickly&#8221;. And once I had it up and running on my slow and overloaded laptop, I ran the &#8220;slamd&#8221; LDAP benchmark tool against it on the same laptop, and got back thousands of searches per second. Not bad at all! Now that&#8217;s what I call innovation in the world of LDAP <img src='http://blogs.kuppingercole.com/gaehtgens/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> </p>
<p>I&#8217;ll be speaking at TEC on Wednesday the 25th of March, on the topic &#8220;Cool LDAP Innovations&#8221;. OpenDS will definitely get a mention. In the presentation, I&#8217;ll also talk about some other real innovations that have happened over the last few years in the directory services area. If you&#8217;re there, be sure to drop by!</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Sat, 07 Jun 2008 10:28:27 +0200</pubDate>
			<title>Yubikey - New Hardware for Strong Authentication</title> 
			<link>http://blogs.kuppingercole.com/resch/2008/06/07/yubikey-new-hardware-for-strong-authentication/</link> 
			<guid>http://blogs.kuppingercole.com/resch/2008/06/07/yubikey-new-hardware-for-strong-authentication/</guid> 
<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/resch">Joerg Resch</a><br><br><p>Recently I came across YubiKey, which is a hardware token generator from a young Swedish company called <a href="http://www.yubico.com">Yubico</a>. YubiKey is a small and slim USB device with just one button. If you push it, the device produces a one-time password and sends it to the server. Compared to token generators in card format, you don&#8217;t need to manually enter your one-time password through a computer keyboard anymore, which makes YubiKey unreachable for trojans directly listening to keyboard entries. One more remarkable thing is that Yubico offers an identity platform for their device, which already contains an OpenID server.</p>
<p>If this device holds its promise, there should be reason to worry for the other players in the strong authentication market. I wrote a mail to Yubico&#8217;s CEO <a href="http://www.yubico.com/about/people/">Stina Ehrensvärd</a>, asking for some background and a sample device, and got an answer within minutes. So I&#8217;m now waiting for the YubiKey and will keep you informed.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Fri, 06 Jun 2008 10:18:34 +0200</pubDate>
			<title>CardSpace “hacked”?</title> 
			<link>http://blogs.kuppingercole.com/resch/2008/06/06/cardspace-hacked/</link> 
			<guid>http://blogs.kuppingercole.com/resch/2008/06/06/cardspace-hacked/</guid> 
<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/resch">Joerg Resch</a><br><br><p>I&#8217;m definitely amongst the last ones to join the crowd blaming German universities for lagging behind international standards with regard to their educational programs, especially in the fields of technology and computer science. But reading <a href="http://demo.nds.rub.de/cardspace/PR-HGI-TR-2008-003-EN.pdf">this press release</a>, issued by the <a href="http://www.nds.rub.de/index_en.html">Faculty of Network and Data Security at University Bochum</a> (sorry, the English version of their website seems not to work), makes me think.</p>
<p>The press release says that two students of said faculty &#8220;broke&#8221; Microsoft&#8217;s CardSpace through some kind of man-in-the-middle attack, where they took over an existing session between a user authenticated with an Information Card and Microsoft&#8217;s InfoCard sandbox by manipulating a DNS server. Reading through <a href="http://demo.nds.rub.de/cardspace/">the description of this &#8220;attack&#8221;</a> shows that the sophisticated part of their work was to manually change the DNS settings of their client computer so that it resolved web addresses through an internal DNS service within their institute (where they have admin access), which they had manipulated beforehand by adding a round robin entry for the sandbox server, redirecting every second client request to an evil system, which then stole the session token.</p>
<p>So, what are the learnings from this intended act of creative destruction? Yes, once again we learn (what we have known for decades now) that without a proper client certificate, man-in-the-middle attacks are possible, independently of the authentication methods and tools used, and that SSL/TLS provides means to avoid the risk of such attacks, likewise independently of the authentication methods and tools in place.</p>
<p>It is great that University Bochum is teaching their students how these things work and eventually we may have a generation of well educated IT experts knowing how to make corporate IT infrastructures and the Internet more secure. Maybe they should add some HTML training courses to their timetable as well. If you look at this <a href="http://www.nds.rub.de/lehre/praktika/hackerprakt/index.html">description of a &#8220;hacker course&#8221;</a> that university is offering, some nice error messages coming from malformed HTML are displayed, like this one:</p>
<p><span style="color: #ff0000;">System Message: WARNING/2 (<tt class="docutils">&lt;string&gt;</tt>, line 11)<br />
Block quote ends without a blank line; unexpected unindent.</span></p>
<p>But what is the message behind that press release saying that University Bochum students broke &#8220;Microsoft&#8217;s Identity Metasystem CardSpace&#8221;? Just to feed some outdated opinion about Microsoft producing error-prone and insecure software? In my opinion, this is not enough for a productive discussion on how to increase security.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Fri, 06 Jun 2008 00:18:59 +0200</pubDate>
			<title>Is GRC something different in Europe than it is in the US?</title> 
			<link>http://blogs.kuppingercole.com/resch/2008/06/05/is-grc-something-different-in-europe-than-it-is-in-the-us/</link> 
			<guid>http://blogs.kuppingercole.com/resch/2008/06/05/is-grc-something-different-in-europe-than-it-is-in-the-us/</guid> 
<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/resch">Joerg Resch</a><br><br><p>Today <a href="http://sailpoint.libsyn.com/index.php?post_id=346135 ">I listened to a podcast</a> where Kevin Cunningham and Darran Rolls from <a href="http://www.sailpoint.com/company/management.php">Sailpoint Software</a> talk in an interview with Jackie Gilbert about the impressions they brought back home from <a href="http://www.id-conf.com/eic2008">EIC 2008</a>. Besides describing EIC as an event not to miss next year (thanks!), they compare the US and European identity management markets and agree that there are more similarities than differences when it comes to GRC. Yes, compliance requirements are increasing everywhere in the world and SOX is not the only framework responsible for this increase.</p>
<p>I think it was Kevin who mentioned one important difference: privacy and data protection for employees seem to be more strongly regulated here in Europe than in the US. This may be true, although they don&#8217;t really play a role in reality, as recent <a href="http://www.dw-world.de/dw/article/0,2144,3371190,00.html">espionage cases like the one within Deutsche Telekom</a> impressively show.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Sat, 26 Jan 2008 18:38:35 +0100</pubDate>
			<title>It is not possible, that a single trader like Jerome Kerviel burns 5bn Euro</title> 
			<link>http://blogs.kuppingercole.com/resch/2008/01/26/it-is-not-possible-that-a-single-trader-like-jerome-kerviel-burns-5bn-euro/</link> 
			<guid>http://blogs.kuppingercole.com/resch/2008/01/26/it-is-not-possible-that-a-single-trader-like-jerome-kerviel-burns-5bn-euro/</guid> 
<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/resch">Joerg Resch</a><br><br><p>It is absolutely impossible that somebody in a position like Jerome Kerviel can hold trading positions for 50 bn Euros and burn 10% of that amount. It is impossible, because</p>
<ul>
<li>banks nowadays would never rely on simple password protection for their trading systems.</li>
<li>they all have state-of-the-art identity management in place and manage business roles in a way that one single trader could not crash the whole bank.</li>
<li>such big deals would always be routed through acknowledgement processes where duties are segregated.</li>
<li>strong authentication techniques and strict authorization would make all employees of a bank feel that it is impossible to operate with multiple identities, falsifying acknowledgement processes.</li>
<li>risk dashboards would turn red and start screaming long before such damage occurs.</li>
</ul>
<p>And, just to be complete: no, it is not possible to attack PIN/TAN online banking transactions, ATM Cards cannot be falsified and it never rains in Hamburg.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Wed, 09 Jan 2008 16:51:48 +0100</pubDate>
			<title>identity theft &amp; offline fraud in banking industry</title> 
			<link>http://blogs.kuppingercole.com/resch/2008/01/09/identity-theft-offline-fraud-in-banking-industry/</link> 
			<guid>http://blogs.kuppingercole.com/resch/2008/01/09/identity-theft-offline-fraud-in-banking-industry/</guid> 
<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/resch">Joerg Resch</a><br><br><p>In a <a href="http://blogs.kuppingercole.de/resch/2007/11/20/uk-public-services-pushing-identity-theft-to-a-new-level/">recent post</a>, I wrote about those 25 million British people whose bank information had been &#8220;lost&#8221;. Jeremy Clarkson, a British TV presenter, wrote in his Sun newspaper column that such a loss is of no value to somebody who may now own this data. To prove this, he published his own Barclays Bank account information. He has now had to admit that somebody exploited this information and transferred 500 GBP from his account to some welfare organization. So he either was lucky or didn&#8217;t have more in his account, I suppose.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Thu, 20 Dec 2007 17:05:01 +0100</pubDate>
			<title>Customer Identities at Vodafone</title> 
			<link>http://blogs.kuppingercole.com/resch/2007/12/20/customer-identities-at-vodafone/</link> 
			<guid>http://blogs.kuppingercole.com/resch/2007/12/20/customer-identities-at-vodafone/</guid> 
<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/resch">Joerg Resch</a><br><br><p>Today, I had to put an end to a story lasting for months now, where I tried to change the mobile phone contract I have had at Vodafone since 1996, by cancelling any contract which may exist under my name/my address/my bank account number/my customer number(s). It all started when my employer was generous enough to take over my phone contract. Therefore, invoice address and bank account information had to be changed. I wanted to take this occasion to get rid of some add-ons I had been chased into subscribing to through aggressive telemarketing, which I actually never used and did not miss. And I wanted to change from one flat-rate type to another one suiting my phone habits better.</p>
<p>As telcos in general may not be too famous in terms of customer service quality, I did not expect it to be easy. But what happened was far beyond my imagination:</p>
<p>The first attempt (phone, eMail) did not have any effect.<br />
After the second attempt, my contract had been changed, but add-ons were not cancelled, bank account information was not changed and the invoice address was not changed.</p>
<p>Next attempt: they still debit my bank account with a rising amount of money. But I don&#8217;t get any invoices anymore. When I phone them, they cannot trace any changes in their CRM database. Everything up to now seems to have ended up in some wrong place. They then sent me a form by post where I have to apply for the bank account and invoice address change. Several days after I did so, I received a written confirmation to my private address that</p>
<ul>
<li>They do not have a mobile phone contract under my customer number</li>
<li>I signed the mobile phone contract in August 2003</li>
<li>My bank information is (private bank account)</li>
<li>My invoice address is (private address)</li>
</ul>
<p>They enclosed a photocopy of my non-existent contract which they say was dated August 2003, but in fact contains August 1996 as contracting date. This photocopy is the only piece of correct information I received. Which does not help me too much, as I have it myself.</p>
<p>Today I received a call from a person from Vodafone service or telemarketing (I don&#8217;t know, and I don&#8217;t care anymore) who tried to explain why invoices do not reach me anymore. The person phoning me did not know that bank account information and invoice address had changed or should have been changed. Nor did that person know anything about contract changes. He then said that he will call Vodafone and ask about the status. Huh?</p>
<p>I hope, for the future of that company, that I am a grand exception.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Tue, 20 Nov 2007 22:39:44 +0100</pubDate>
			<title>UK Public Services Pushing Identity Theft to a new Level</title> 
			<link>http://blogs.kuppingercole.com/resch/2007/11/20/uk-public-services-pushing-identity-theft-to-a-new-level/</link> 
			<guid>http://blogs.kuppingercole.com/resch/2007/11/20/uk-public-services-pushing-identity-theft-to-a-new-level/</guid> 
<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/resch">Joerg Resch</a><br><br><p>According to <a href="http://news.bbc.co.uk/1/hi/uk_politics/7103566.stm">BBC news</a>, UK Chancellor Alistair Darling has admitted the &#8220;loss&#8221; of 25m records by UK Revenue and Customs: 2 disks containing personal information including names, birth dates, National Insurance Numbers and bank account details of 25 million people, essentially all families resident in the UK with at least one child under 16. He added that there has been no evidence that this data has fallen into the hands of bad guys, but advised those 25 million people to watch their bank accounts.</p>
<p>Translated from political into real world language, this means that those disks have indeed fallen into the wrong hands, and that most probably some identity theft and fraud activity is already going on.</p>
<p>I don&#8217;t know much about how UK public services are dealing with IT governance and compliance issues, or whether they are aware of the risks related to large collections of identity information. But I assume that it is not so different from the situation over here in Germany, where governmental institutions</p>
<ul>
<li>are absolutely resistant to any external IT related expert advice</li>
<li>have little or no internal expertise in that field</li>
<li>always insist on having access to any kind of data collection, even if it does not make any sense and even if they do not have the manpower to extract identity information from that data</li>
</ul>
<p>Sad enough but true - governments themselves are amongst the biggest threats to modern civilization.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Fri, 12 Oct 2007 14:08:36 +0200</pubDate>
			<title>Bye Bye CRM</title> 
			<link>http://blogs.kuppingercole.com/resch/2007/10/12/bye-bye-crm/</link> 
			<guid>http://blogs.kuppingercole.com/resch/2007/10/12/bye-bye-crm/</guid> 
			<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/resch">Joerg Resch</a><br><br><p>On this year´s <a href="http://conference.digitalidworld.com/2007/">Digital ID World</a> in San Francisco, <a href="http://blogs.law.harvard.edu/doc/">Doc Searls</a> held a keynote on <a href="http://cyber.law.harvard.edu/projectvrm/Main_Page">Vendor Relationship Management (VRM)</a>, a concept he has been contributing to as a Harvard (<a href="http://cyber.law.harvard.edu/home/">Berkman Center</a>) fellow. According to Doc, VRM is the inverse of <a href="http://en.wikipedia.org/wiki/Customer_relationship_management">Customer Relationship Management (CRM)</a> and provides methods and tools for individuals to deal with customers.</p>
<p>VRM, being still quite early in its evolution, is definitely extremely interesting, as it is one of the first initiatives to look into what can be done on top of <a href="http://identitygang.org/">User Centric Identity</a>, besides decentralized authentication and some kind of Web-SSO. VRM puts customers into the lead position, and thus improves the relationship between demand and supply.</p>
<p>In the <a href="http://cyber.law.harvard.edu/projectvrm/Mailing_list">VRM mailing list</a>, which is very interesting to follow, there has been some discussion around the question of who actually owns identity related information. I posted the following contribution:</p>
<p><strong>Information cannot be owned</strong></p>
<p>I would like to point to the fact that <em>information cannot be owned</em>, because it is not a kind of object which may be attributed to a subject by law (which itself is information as well). There is a very good publication about the ownership of information from Jean Nicolas Druey: <a href="http://cyber.law.harvard.edu/home/uploads/339/Druey.pdf">http://cyber.law.harvard.edu/home/uploads/339/Druey.pdf</a>.</p>
<p>So, talking about the persistence and flow of identity information between parties and through market places, we should not try to think that we can own that information. If I understand the VRM discussion and the concept of user centric identity right, it is about creating a more balanced position between parties taking part in whatever market place, where some kind of &#8220;rules layer&#8221; on top of the information layer gives me the power to influence its flow. I&#8217;m not the owner of my doctor&#8217;s diagnosis, even if it concerns me. But I may have some rights influencing the distribution of this diagnosis, because it affects me. We need a home for these rights, instead of trying to own information.</p>
<p>VRM, as I understand it, is about creating a kind of rules metasystem above or beyond the walled gardens we currently have.</p>
 ]]></description>
		</item>
				<item> 
			<pubDate>Wed, 26 Sep 2007 21:18:00 +0200</pubDate>
			<title>Orange / France Telecom release OpenID Service</title> 
			<link>http://blogs.kuppingercole.com/resch/2007/09/26/orange-france-telekom-release-openid-service/</link> 
			<guid>http://blogs.kuppingercole.com/resch/2007/09/26/orange-france-telekom-release-openid-service/</guid> 
<description><![CDATA[ In <a href="http://blogs.kuppingercole.com/resch">Joerg Resch</a><br><br><p>Ariel Gordon and Aude Pichelin from <a href="http://www.francetelecom.com">France Telecom</a> (FT) yesterday announced at the <a href="http://conference.digitalidworld.com/2007/">6th Digital ID World</a> in San Francisco the release of an OpenID service to their 40 million subscribers. Congratulations to the OpenID community for this big success. It is not surprising that it is FT with its Orange brand being the first company running an internet scale OpenID service. On the one hand, it&#8217;s a smart company. They strongly contributed to the emergence of the SAML standard and pushed IBM into the Liberty Alliance some 3 years ago. On the other hand, if there is any industry which can make a business out of running OpenID services, it&#8217;s the telcos, because they are wired right through to our purses.</p>
<p>But OpenID was only a smaller part of FT&#8217;s advanced identity management strategy, which consumed less than 3% of their total project budget and therefore shouldn&#8217;t have been too difficult to give a go. The rest of the budget went into something I would call the foundation of the future (post-UMTS) telco business model: converging the management of identities for voice and non-voice services across wireline and wireless, and using the SAML v2 standard to open up the whole infrastructure for plug &amp; play style partnership business.</p>
<p>Telcos on their own haven&#8217;t been too good at creating services that are needed or otherwise attractive enough to be broadly used since they invented SMS. So they need partners taking care of this in order to survive.</p>
<p>Being more and more reduced to an IP tunnel provider, telcos at least should try to make the most out of it by offering a powerful infrastructure for mobile and wireline services. FT have done their homework in an obviously excellent way, clearly focussing on the improvement of the user experience by simplifying sign-on within their SAML based converged infrastructure. They pull authentication information from the DSL and appliance level, add available user information and use these to provide reliable identities even without forcing users through login and account creation processes.</p>
<p>Ariel described that, during downtimes of their identity system when users are forced to sign on manually, online service sales drop by 50%. Even if this does not necessarily mean that they have doubled sales, because part of those 50% would just return after the service is back up, there seems to be space for a pretty quick return on investment and revenue growth.</p>
<p>I have invited Aude, Ariel and Hervé, the latter one being technically responsible, to come to Munich for next year&#8217;s <a href="http://www.id-conf.com/">European Identity Conference</a> and talk about the latest developments.</p>
 ]]></description>
		</item>
			</channel>
</rss>
