Mark Dixon's quest to explore the world of Identity Management


Catalyst: Day 1 - June 25

My summary of the salient points addressed in each Burton Group Catalyst Conference session I attended on Wednesday, June 25, 2008, is included below:

Jamie Lewis: Identity Management - Are We There Yet?

  • Business transformation collides with IT transformation. A more unified approach is needed.
  • The chasm between enterprise identity management and consumer-oriented ideas of Identity on the Internet will be bridged with elements of both.
  • Federation isn't magic, but it is still valuable. Customers are beginning to really see the need for it.
  • More provisioning projects are successes than failures, but failures tend to be spectacular.
  • Relationships provide context for Identity.

Lori Rowland: Identity Management Overview: A New Era in Identity Management

  • The Identity universe is expanding in scale, control and focus dimensions.
  • Service Oriented Identity (SOI) and Identity Services are emerging.
  • Compliance is still the main driver for Identity, but there is a shift towards risk management.
  • Customers should seek to understand Identity vendor roadmaps.
  • Oracle has the most market momentum, with Sun, CA and Novell following with positive momentum.

Gerry Gebel: Federation and Distributed Control

  • Sun's introduction of the Fedlet and Ping's introduction of Autoconnect are key product advancements - addressing ease of implementation and use.
  • OpenSSO is an example of advancements in open source federation technology.
  • Federation services and hosted federation models, such as those offered by Fugen, are accelerating broader consumption.

Gerry Gebel: Entitlement Management

  • Product offerings from IBM, Oracle and Cisco have expanded, but demand hasn't grown as quickly.
  • Existing questions about this space include adequacy of XACML or other standards, performance and interoperability testing.
  • Applications developers need tools, open source access and communities in this area.
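
Added example, not from the original post or from any of the vendors named above: a minimal XACML-style policy decision point in plain Python, showing the concepts behind the entitlement-management products and the XACML questions mentioned in this session (an attribute-based request, rules with targets and effects, a rule-combining algorithm, and the NotApplicable result). The attribute names, the sample order-entry policy and the sample requests are constructed assumptions.

```python
"""Minimal XACML-style policy decision point (PDP) for an entitlement check.

Added example (not from the original post or any vendor product). Attribute
names, the sample policy and the requests are constructed assumptions.
"""
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Rule:
    effect: str
    target: dict = field(default_factory=dict)  # attribute -> set of acceptable values
    condition: object = None                    # optional callable(request) -> bool

    def matches(self, request):
        """A rule applies when every target attribute matches and the condition holds."""
        for attr, allowed in self.target.items():
            if request.get(attr) not in allowed:
                return False
        return bool(self.condition(request)) if self.condition else True


def deny_overrides(decisions):
    """XACML deny-overrides: any Deny wins, then any Permit, else NotApplicable."""
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


def first_applicable(decisions):
    """XACML first-applicable: the first rule that applies decides."""
    for d in decisions:
        if d != NOT_APPLICABLE:
            return d
    return NOT_APPLICABLE


@dataclass
class Policy:
    rules: list
    combine: object = deny_overrides  # rule-combining algorithm

    def evaluate(self, request):
        decisions = [r.effect if r.matches(request) else NOT_APPLICABLE for r in self.rules]
        return self.combine(decisions)


# Constructed policy for a hypothetical order-entry application.
ORDER_POLICY = Policy(rules=[
    # A terminated subject is denied regardless of any other rule (deny-overrides).
    Rule(DENY, target={"subject.status": {"terminated"}}),
    # Traders may submit orders only within their desk limit.
    Rule(PERMIT,
         target={"subject.role": {"trader"}, "resource.type": {"order"}, "action": {"submit"}},
         condition=lambda r: r.get("resource.amount", 0) <= r.get("subject.limit", 0)),
    # Auditors may read any resource.
    Rule(PERMIT, target={"subject.role": {"auditor"}, "action": {"read"}}),
])


def is_permitted(policy, request):
    """Policy enforcement point: only an explicit Permit grants access.

    NotApplicable (no rule matched) is treated as a denial, so a gap in the
    policy fails closed rather than open.
    """
    return policy.evaluate(request) == PERMIT


if __name__ == "__main__":
    req = {"subject.role": "trader", "subject.status": "active", "subject.limit": 100_000,
           "resource.type": "order", "resource.amount": 5_000, "action": "submit"}
    print(ORDER_POLICY.evaluate(req), is_permitted(ORDER_POLICY, req))
```

The point to notice is the split between the decision (`Policy.evaluate`, which can return three values) and the enforcement (`is_permitted`, which only honours an explicit Permit); an application that treats NotApplicable as "no objection" will grant access to every request the policy author forgot about. Swapping `first_applicable` in for `deny_overrides` changes results for requests that match several rules, which is exactly the interoperability question raised in the session.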

Mark Diodati - Authentication

  • Functions lacking in authentication products include general customization flexibility and provisioning capabilities.
  • Personal, portable security devices such as USB devices and wallet cards are gaining popularity.
  • Authentication control for privileged account management often falls through the cracks, leaving dangerous security risks.

Kevin Kampton - Roles and Provisioning

  • The market is reaching maturity. Success predominates, usually as a result of realistic expectations.
  • Companies are receiving benefits from expanding expertise in this area.
  • Provisioning and roles may not converge into one product. They address parallel, complementary endeavors.

Kevin Kampton - Identity 2.0

  • OpenID and InfoCard have much more activity from providers than consumers.
  • What is the business model for Identity? How will the industry pay for it?
  • Data sharing models such as OpenSocial and others have no trust sharing or security models.

George Sherman (Managing Director, Morgan Stanley) - Discovering the Iceberg of Identity Management in a Large Integrated Financial Services Firm

  • Morgan Stanley's main drivers for Identity are regulatory compliance and security.
  • Key success factors for an Identity program are program sponsorship, governance and program management.
  • Cost justification and funding for an Identity program require more than spreadsheets. It depends highly on the trust and confidence of champions for the program.
  • The industry needs to provide better security for the provisioning engine itself, more expert developers and the integration of certification and provisioning tools.

Bob Blakley - Relationship Layer for the Web

  • Accurate Identity models are needed to predict others' behavior.
  • Identity models are built through relationships between people or between people and businesses.
  • A well understood object model is needed to clarify relationships and use them in automated systems. Bob proposed such an object model.
  • The main types of relationships are Custodial, Contextual and Transactional.
  • Companies with billing relationships with their customers will win in the marketplace over those without such relationships.

Gail Reynolds (Aetna, Security Architect) - Who are you, how do I know, and why do I care?

  • Impersonating others to gain access to their private information is a large problem in the health care industry.
  • Identity Assurance is required to create a high level of confidence that credentials indeed match the person using them.
  • Identity Assurance has implications in protecting intellectual property, privacy, corporate reputation and ecommerce profits.
  • A strong registration process is essential to Identity Assurance.
  • Identity providers that deliver high levels of Identity Assurance are required to meet industry needs.

Eve Maler - The care and feeding of online relationships

  • The common area in the Venn diagram of intersecting Identity Management, Vendor Relationship Management and Social Networking encompasses personalized, access-controlled application behavior based on data sharing.
  • Two major areas of online applications requiring Identity relationships are enterprise/e-government (applications are chosen for you) and free agent applications (you choose).
  • The term "user-centric Identity," which comes from human factors design, is giving way to "user-driven Identity."
  • The Vendor Relationship Management movement (projectvrm.org) is focused on empowering user interactions with online vendors.
  • While some degree of self-revelation is essential to online relationships, users will come to trust applications that require less Identity information to be revealed.

Mark Diodati - Sisyphus' Rock: Why is Authentication So Hard?

  • Identity Assurance is the strong end goal. If you don't have Identity Assurance in place, your system is not secure.
  • Passwords remain the dominant authentication method because they are easily portable and no specialized software is needed.
  • Biometric authentication is not broadly deployed.
  • Smart cards have seen increased interest, but deployments are few. They rarely replace tokens.
  • Privileged account management is a huge problem. Run, don't walk to address risks with privileged accounts.

Mark Diodati, Doug Simmons - Physical and Logical Convergence, Approaching Singularity?

  • Projects converging physical access control systems (PACS) with logical access are significantly costly and are justified by security, not cost savings.
  • The workflow of assigning credentials, etc., is a difficult process for physical and logical convergence.
  • The FIPS standards provide the underpinnings vendors and agencies use to respond to Homeland Security directives.
  • These projects are inherently heterogeneous, requiring much integration.
  • Executive leadership is required to facilitate bridging between groups having responsibility for physical and logical access.

Knowledge-based Authentication (KBA)
Panel participants:

  • Chris Young (VP and GM, RSA)
  • John Dancu (President and CEO, Idology)
  • Peter Tapling (President and CEO, Authentify)
Discussion:
  • Three types of KBA include Static (e.g. specify mother's maiden name), Dynamic (user doesn't have to remember specific attribute) and Out of Band (requires strong registration; used for high risk transactions or temporary access)
  • Dynamic KBA may be beneficial for consumers who don't visit a specific application or account frequently.
  • Dynamic KBA pulls the evaluation of private information away from the enterprise
  • No single authentication method is foolproof. You must layer technology to reach acceptable level of risk.
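
Added example, not from the original post or from any of the panel participants' products: a small dynamic-KBA provider that builds multiple-choice questions from facts it holds about a subject (so the user has nothing to memorise, unlike static KBA), mixes in distractors from the same category, and grades the session against a pass threshold server-side. The record store, distractor pool, prompts, question count and threshold are constructed assumptions.

```python
"""Dynamic knowledge-based authentication (KBA): question generation and grading.

Added example (not from the original post or any vendor product). RECORDS,
DISTRACTORS, PROMPTS, CATEGORIES and PASS_THRESHOLD are constructed assumptions.
"""
import random
from dataclasses import dataclass

# Constructed "facts on file" for one subject, grouped by category.
RECORDS = {
    "subject-42": {
        "street": ["Maple Ave", "Birch Ln"],
        "employer": ["Acme Corp"],
        "vehicle": ["Honda Civic"],
    },
}

# Constructed distractors: plausible entries that are not true for the subject.
DISTRACTORS = {
    "street": ["Oak St", "Pine Rd", "Cedar Ct", "Elm Dr", "Willow Way"],
    "employer": ["Globex", "Initech", "Umbrella Ltd", "Vandelay Industries"],
    "vehicle": ["Ford Focus", "Toyota Camry", "Mazda 3", "Subaru Outback"],
}

PROMPTS = {
    "street": "Which of these streets have you lived on?",
    "employer": "Which of these companies has employed you?",
    "vehicle": "Which of these vehicles have you owned?",
}

CATEGORIES = ("street", "employer", "vehicle")
CHOICES_PER_QUESTION = 4
PASS_THRESHOLD = 2  # correct answers required out of len(CATEGORIES); tune to transaction risk


@dataclass
class Question:
    prompt: str
    choices: list  # shuffled; exactly one entry is a true fact
    answer: int    # index of the true fact; stays server-side, never sent to the client


def build_question(subject_id, category, rng):
    facts = RECORDS[subject_id][category]
    truth = rng.choice(facts)
    # Exclude anything that is true for the subject so exactly one choice is correct.
    pool = [d for d in DISTRACTORS[category] if d not in facts]
    choices = rng.sample(pool, CHOICES_PER_QUESTION - 1) + [truth]
    rng.shuffle(choices)
    return Question(PROMPTS[category], choices, choices.index(truth))


def build_session(subject_id, seed=None):
    """One question per category. Leave seed=None in production so the CSPRNG-backed
    SystemRandom chooses facts and distractors; a seed is only for reproducible tests."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    return [build_question(subject_id, c, rng) for c in CATEGORIES]


def public_view(session):
    """What the relying application may show the user: prompts and choices only."""
    return [{"prompt": q.prompt, "choices": list(q.choices)} for q in session]


def grade(session, responses):
    """Return (passed, correct_count). Grading stays with the KBA provider, which is
    what moves evaluation of the private data away from the enterprise."""
    if len(responses) != len(session):
        return False, 0
    correct = sum(1 for q, r in zip(session, responses) if r == q.answer)
    return correct >= PASS_THRESHOLD, correct
```

Two practical points follow from the panel's last bullet. A failed session must not be retried against the same questions (the attacker would simply enumerate the four choices), so each attempt calls `build_session` afresh and attempts are rate-limited. And because the facts behind dynamic KBA are drawn from data that other parties also hold, a passed session is one signal to combine with others (device, out-of-band confirmation), not a standalone proof of identity.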

Mark Diodati - Identity Assurance Framework: The Path to Scalable Trust
Panel participants:

  • Frank Villavicencio (Citigroup)
  • Robert Temple (British Telecom)
  • Andrew Nash (PayPal)
Discussion:
  • The Liberty Alliance is developing an Identity Assurance Framework
  • Four assurance levels are defined, from a level of little or no confidence in the asserted Identity's validity to a very high level of confidence.
  • What is the business model for an Identity Provider (IDP)? For the consumer?
  • An independent IDP with a sustainable business model isn't really available.
  • Questions of liability must be worked out for IDPs.

Gina Montgomery (AVP and Manager of IT Project Management, MFS Investment Management) - The Privileged Account: IT's Dirty Little Secret

  • Privileged accounts have much potential for abuse because they are poorly controlled and often violate the principle of least privilege.
  • It is a large challenge to discover and manage hundreds or thousands of existing privileged accounts and to understand the impact if passwords are changed.
  • Recommended actions include 1) educating users on the risks, 2) identifying existing privileged accounts, and 3) deploying accountability and control mechanisms.
  • Password Access Management (PAM) systems are available to help support this effort.
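
Added example, not from the original post or from the speaker's program: the "identify existing accounts" step for a Unix host, run over constructed copies of /etc/passwd, /etc/group and /etc/sudoers. It reports every account that is root-equivalent by UID (including the classic second UID-0 login), by administrative group membership, or by sudo rule, and marks unrestricted and passwordless sudo grants. The sample files, the set of administrative group names and the subset of sudoers syntax parsed are assumptions.

```python
"""Inventory privileged accounts from Unix account files.

Added example (not from the original post or the talk). The sample files,
ADMIN_GROUPS and the simple sudoers subset handled are constructed assumptions.
"""
import re

# Constructed sample files. A real run reads /etc/passwd, /etc/group and
# /etc/sudoers (plus /etc/sudoers.d/*); this example stays offline.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:0:legacy backup job:/var/backups:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc_deploy:x:1003:1003:deploy service:/srv/deploy:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice
sudo:x:27:alice,svc_deploy
users:x:100:bob
"""
SAMPLE_SUDOERS = """\
# constructed sudoers
Defaults env_reset
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL) ALL
bob ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
svc_deploy ALL=(ALL) NOPASSWD: ALL
"""

ADMIN_GROUPS = {"root", "wheel", "sudo", "admin"}  # assumed administrative groups

# user|%group  host = (runas) [NOPASSWD:] command...  (plain user specs only; no aliases)
SUDO_SPEC = re.compile(r"^(%?[\w.-]+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")


def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
            users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users


def parse_group(text):
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":")
            groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def parse_sudoers(text):
    """Return (principal, is_group, nopasswd, command_spec) for each user specification."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDO_SPEC.match(line)
        if not m:
            continue  # aliases and other directives are out of scope here
        principal, spec = m.group(1), m.group(2).strip()
        nopasswd = spec.startswith("NOPASSWD:")
        if nopasswd:
            spec = spec[len("NOPASSWD:"):].strip()
        rules.append((principal.lstrip("%"), principal.startswith("%"), nopasswd, spec))
    return rules


def group_members(groups, users, gname):
    """Supplementary members plus every user whose primary GID is this group."""
    g = groups.get(gname)
    if g is None:
        return set()
    return set(g["members"]) | {u for u, info in users.items() if info["gid"] == g["gid"]}


def find_privileged_accounts(passwd_text, group_text, sudoers_text):
    """Map each privileged account to the sorted list of reasons it is privileged."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    findings = {}

    def flag(user, reason):
        findings.setdefault(user, set()).add(reason)

    # 1. UID 0 is root whatever the name; a second UID-0 login is a classic finding.
    for name, info in users.items():
        if info["uid"] == 0:
            flag(name, "uid0" if name == "root" else "uid0-alias")
    # 2. Administrative group membership, by primary GID or supplementary list.
    for gname in ADMIN_GROUPS & set(groups):
        for member in group_members(groups, users, gname):
            flag(member, f"group:{gname}")
    # 3. sudo rules, expanding %group principals; unrestricted and passwordless grants stand out.
    for principal, is_group, nopasswd, spec in parse_sudoers(sudoers_text):
        targets = group_members(groups, users, principal) if is_group else {principal}
        reason = "sudo:" + ("ALL" if spec == "ALL" else "limited") + (",nopasswd" if nopasswd else "")
        for t in targets:
            flag(t, reason)
    return {u: sorted(r) for u, r in sorted(findings.items())}
```

On the constructed input the inventory surfaces `backup` as a UID-0 alias that no group or sudo review would catch, and `svc_deploy` as a service account with passwordless, unrestricted sudo; those are the accounts whose password rotation needs the impact analysis the talk describes. The same approach extends to directory and database privileged roles, which is where the "hundreds or thousands" usually come from.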

Bob Blakley: Conference Announcements

  • Bill Mann (CA): CA Federation Manager, CA SiteMinder support for CardSpace, expansion of CA IAM and CA to resell Arcot's WebFort
  • Eric Goldman (CEO, Symplified): "On Demand Identity" includes Identity as a Service, Identity Cloud and Identity Router.
  • Dieter Shuler (Radiant Logic): Release 5.0 of virtual directory
  • Paul Trevithick (Information Card Foundation): InformationCard.net


09:17 PM MST
Trackback URL: http://blogs.sun.com/identity/entry/catalyst_day_1_june_25
Comments:

Great recap. I wasn't able to attend the conference this year so your recap is very useful!

Posted by Jodi Florence on July 02, 2008 at 07:52 AM MST #

Jodi:

I'm glad you found it useful. Thanks for stopping by.

Mark

Posted by Mark Dixon on July 02, 2008 at 10:44 AM MST #