Today was the first full day of the Burton Group Catalyst Conference. I missed the opening reception last night because I flew in late from a customer meeting in the Midwest. This blog entry summarizes the highlights of the sessions I attended in the Identity Management Track.
Jamie Lewis (Burton) - Identity in Context: The Evolving Business and Social Infrastructure
- We must challenge our assumptions about Identity Management and explore the consequences of what we build.
- Strong authentication only succeeds when it is backed up by an assurance process.
- Provisioning products have matured; provisioning is going mainstream.
- Roles are not a silver bullet. They are one tool among many.
- "Trust" is one of the problems that plagued PKI and now plagues federation.
- Are we too fixated on Identity when it's relationships that matter?
Mike Neuenschwander (Burton) - Identity Management Market Landscape 2006: Finding a Space in Everyone's Market Place
- Identity Management is not a winner-take-all market - customers use multiple vendors.
- Identity is not a one-time purchase; it is a lifestyle choice.
- IdM has so far resisted centralization of rewards. There are many vendors, in spite of recent acquisitions.
- Some suite vendors (e.g. CA, IBM, HP) are attempting to sell broad suites that encompass Systems Management and Identity Management.
- "Managization" was his coined word of the day - a spoof of just about everything.
Hans Gyllststrom, Steven Roach (Citigroup) - The Architecture of Change
- Citigroup used formal modelling languages and methods to prepare its Identity Management deployment and to build Identity Services into an SOA infrastructure.
- Formal modelling was used to construct a reference architecture that enabled change.
Mark Diodati (Burton) - Identity Assurance: A Requirement for Identity Management
- The best access management policies are worthless without Identity Assurance.
- Identity Assurance provides a level of confidence that the authenticating user is legitimate.
- Identity proofing methods such as IVR and out-of-band single use passwords have proven effective.
- Identity assurance seeks to bring risk down to a level we can quantify and manage.
Panel Discussion: Bill Gebhart (UBS), Gerry Gebel (Burton), Mark Diodati (Burton) - Challenges and Lessons Learned in Deploying Authentication
- Consumers want simple, easy and secure - and expect vendors/institutions to provide those qualities.
- Usability is a big consumer issue.
- Employ risk analytics to detect fraud patterns.
- Smart cards are gaining momentum because support is maturing in Windows and contact-less smart cards are emerging.
Martin Vant Erve (TransCanada) - Implementing Enterprise Single Sign-On with Two-Factor Authentication
- Problem: too many digital identities and user authentication systems.
- Implemented Passlogix V-Go for E-SSO and RSA SecurID for Windows for two-factor authentication.
- Deployed to all 3,000 end users in nine months.
Lori Rowland (Burton) - Provisioning: The Vortex of Identity Management
- Identity Management has "crossed the chasm." We are now selling to the pragmatists.
- Compliance is the #1 driver, but are we overselling Compliance?
- Compliance is how provisioning is sold to upper management, but that is not necessarily how it is actually used. The biggest benefit may be operational efficiency.
- We can now begin to document best practices, based on experience implementing Identity Management.
Kevin Kampman (Burton) - Role Management: Bridging Business and Technology
- Compliance and audit are the primary drivers for roles
- Role Goals: Simplify administration and improve match of privileges to responsibilities.
- The real challenge is managing access across multiple environments over some period of time.
- Organizational structures beyond hierarchies, including teams, matrix organizations, and networks should be considered in creating a role framework.
- Focus on simplicity and flexibility.
- Increased role granularity often has diminishing returns.
Q&A: Lori Rowland, Kevin Kampman, Gerry Gebel, Mark Diodati
- Don't put roles on the critical path.
- Learn to say no when users want more role complexity.
- The size of an organization may not be as important as the complexity of an organization in role definition
- There has been a definite spike in interest in SPML.
- Will SPML V2 become the "esperanto" of the provisioning world?
Case Study - Mike Drazan, Steve Watne (Toro Company) - Provisioning and the Road to Role Refinement
- Used Prodigen Contouring Engine to discover roles.
- Used Sun Identity Manager System to provision privileges
- Reduced roles from 2,000 to 400, primarily by analyzing who really used applications.
- This analysis also sharply reduced the number of people who actually needed access privileges.
- One job type typically included multiple roles (permission sets).
Jamie Lewis (Burton) - Identity Frameworks, Tools and the Emerging Meta System
- Lack of suitable development frameworks and tools for Identity is a substantial obstacle to further growth of the Identity Industry.
- "It's the Applications, Stupid." The real issue is making it easier for developers to create Identity-enabled applications without having to re-create Identity infrastructure.
- Current frameworks, tools and IDEs lack Identity services
- Microsoft has a tradition of strong development tools, but they don't currently include Identity
- Where is Identity in LAMP?
- Web 2.0 - lots of protocols, no frameworks.
- Liberty Alliance and SAML - no development framework.
- Java Community Process (JCP) - currently at too low a level of abstraction.
- Will Higgins emerge as the "Java Rebel Framework?"
The following are remarks by the named persons in an interview session led by Jamie Nelson:
Paul Trevithick (Higgins Project)
- Higgins, an open source project, will produce a framework for developers.
- User centricism implies that a user is in the protocol.
- The reference implementation is in Java. There is pressure from the open source community to implement in C.
- Version 1.0 is expected in mid 2007.
- The project has substantial support from IBM and Novell.
- Shibboleth is an Identity System, not a development framework like Higgins.
Tony Nadali (IBM)
- IBM is involved with the Higgins project because customers are interested in multiple Identity systems.
- IBM is contributing WS* components, context provider components for IBM Directory Services and Lotus Notes directory, Firefox browser extension and IDE components.
- Is the browser a secure place to have an Identity Selector?
- Some of the browser pieces are being developed in C. Other existing code is Java.
- User-centric applications should provide a 360-degree view of your life without compromising privacy.
Dale Olds (Novell)
- Bandit is an open source project.
- It is a collection of software components, not a developer framework.
- Some components are also present in Higgins.
- Internal Novell developers are beginning to consume open source components as part of the normal product-development process.
- Novell expects to leverage Bandit technology in its own Identity projects.
- If developers include Bandit components in their applications, those apps will be more easily managed by Novell's Identity Management products.
John Shewchuk (Microsoft)
- InfoCard is the concept. Windows CardSpace is a specific selector, using the InfoCard concept.
- Security Token Service (STS) is a new way to access database from the Active Directory repository.
- The Declarative Programming model used in the Windows Communications Framework is designed to free developers from underlying details, hopefully leading to higher development productivity and higher code quality.
- Microsoft's motivation is to enable interoperability, which will allow them to sell more products into the enterprise space.
- SSO needs to merge with User-centric Identity - allowing user participation in federation.
Posted by On IT-business alignment on June 20, 2006 at 06:57 AM MST #