Do we have a round wheel yet? Part 2 of my musings on identity standards

Yesterday I talked about the state of identity standards with regards to authentication and authorization. Today I’ll cover attributes, user provisioning, and where we ought to go as an industry.

Attributes

The wheel of attributes is roundish. There are two parts to the attribute story: access and representation. We can access attributes… sorta. There’s no clear winner that is optimized for the modern web. We’ve got graph APIs, ADAP, and UserInfo Endpoints – not to mention proprietary APIs as well. Notice I added the constraint of “optimized for the modern web.” If remove that constraint, then we could say that access to attributes is a fully solved problem: LDAP. But we are going to need a protocol that enables workers in the modern web to access attributes… and LDAP ain’t it.

As for a standardized representation, we have one. Name-value pairs. In fact, name-value pairs might be the new comma. And although NVP are ubiquitous, we don’t have a standard schema. What is the inetOrgPerson of a new generation? There is no inetOrgPerson for millennial developers to use. But does that even matter? We could take SCIM’s schema and decree it to be the standard. But we all know, that each of us would extend the hell out of it. Yes we started with a standard schema, but every service provider’s schema is nearly unique.

 User Provisioning

User provisioning is nearly round. Let’s face it the wheel that SPML v2 built was not round. The example that the standard provided wasn’t even valid XML – not an auspicious start. In fact, SPML was a step away from roundness when we think about DSML v2. DSML v2 was a round wheel. It wouldn’t be very useful to day but it would roll.

So what about SCIM? I’m bullish on it. Some really smart people worked on it, including my boss. We (saleforce.com) are supporting it. Others such as Cisco, Oracle, SailPoint, Technology Nexus, and others are supporting. We hope you support it too. In fact, hopefully, at the end of this week it might just get a final version of the 2.0 draft at the IETF meeting in Toronto. SCIM definitely needs more miles on the road, but I believe that the use cases that have been used to form SCIM are fairly representative of a majority of use cases we have. It can’t do everything but better believe it can do something.

And this narrow focus is important as we think about the work we must do. As we as an industry shift from just dealing with employee identities to those of customers, citizens, and things, there is shift from heavy rich user provisioning to lighter weight registration and profile management. SCIM is just as applicable in an employee identity scenario as it is in a customer identity scenario. And thus is well positioned to make the transition. Continue reading

Do we have a round wheel yet? Musings on identity standards (Part 1)

Why do human continually seem to reinvent what they already have? Why is it that we take a reasonably functional thing and attempt to rebuild it and in doing so render that reasonably functional thing non-functional for a while? This is a pattern that is familiar. You have a working thing. You attempt to “fix” it and in doing so break it. You then properly fix it and get a slightly more functional thing in the end.

Why is it that we reinvent the wheel? Because eventually, we get a round one. Anyone who has worked on technical standards, especially identity standards, recognizes this pattern. We build reasonably workable standards only to rebuild and recast them a few years later.

We do this not because we develop some horrid allergy to angle brackets – an allergy that can only be calmed by mustache braces. This is not why we reinvent the wheel, why we revisit and rebuild our standards. Furthermore, revisiting and rebuilding standards isn’t simply a “make-work” affair for identity geeks. Nor is it an excuse to rack up frequent flyer miles.

Identity in transition

We reinvent the wheel the tasks needed of those wheels change. In IAM, the shift from SOA, SOAP, and XML to little s services, REST, and JSON was profound. And we had to stay contemporary with the way the web and developers worked. In this case, the technical load that our IAM wheels had to carry changed.

But there is a more profound change to the tasks we must perform and the loads we must transport and it too will require us to examine our standards and see if they are up to the task.

It used to be that enterprise IAM was concerned with answering did the right people get the right access. But that is increasingly not the relevant question. The question we must answer is did the right people get the right experience? And not just right people but also right “things” – did they get the experience (or data) they needed at the right time.

There is another transition underway. This transition is closely related to IAM’s transition from delivering and managing access to delivering and managing experience. We are being asked to haul more and different identities

We are pretty good as an industry at managing a reasonable number of identities each with a reasonable number of attributes. Surely, what is “reasonable” has increased over the years and it is fairly safe to say that no longer is a few million identities in a directly a big deal.

But how well will we handle things? Things will have a relatively few number of attributes. Things will produce a data stream that really interesting but their own attributes might not be that interesting. And, needless to say, there will be a completely unreasonable number of them: 20 billion? 50 billion? a whole lot of billions of them.

The transition of IAM isn’t just from managing identities of people carbon-based life forms to silicon ones. This transition also includes relationships. Today we are okay at managing a few relationships each with very few attributes. But what we as an industry must do is manage a completely unreasonable number of relationships between an unreasonable number of things and each of these relationships has a fair number of attributes of their own.

That, my friends, is a heavy load to haul. And so it is worth spending a little time considering if our identity standards wheels are round. Let’s look at 4 different areas of IAM to see if we have round wheels:

  1. Authentication
  2. Authorization
  3. Attributes
  4. User provisioning

Continue reading

The Laws of Relationships (A Work in Progress) In Progress

A few weeks back I had the pleasure of delivering my ideas for the Laws of Relationships. The Laws are meant to be design considerations to everyone building, deploying, or consumer identity relationship management services. The team at ForgeRock, our hosts at the IRM Summit, were kind enough to video the talks. What follows is both a video of my delivery as well as the slides themselves. I am very much interested in getting feedback on this. I want to channel the response into the Kantara Initiative Working Group that is forming around IRM.

 

Anyone can kill off a protocol a.k.a XACML isn’t dead

There’s a little bit of a kerfuffle going on in XACML-land. A non-Gartner analyst made the claim that XACML is dead. Such a claim doesn’t go unnoticed; so Gerry, Anil, Danny, and Remon have all responded that no, XACML isn’t dead. It is not pining for the fjords. It isn’t even zombified.

Anyone can declare a protocol dead. Last year it was SAML. This year, apparently, it’s XACML. Now as someone who killed off the entire IAM industry, I think I’m in a position to comment about this.

It’s easy to say X is dead. SAML, SPML, DSML – doesn’t matter – you declare it dead, write your blog post, and call it a day. But what’s hard to do, and what is necessary to do, is, if you kill something off, you have to offer an alternative. In the case of IAM, I believe we are seeing the hazy outline of what it will become reborn as start to emerge: something more nimble, developer-friendly, and more indistinguishable from business services.  In the case of XAMCL, no alternative was provided.

Just a few things to keep in perspective when thinking about XACML. First, separate externalized authorization management (EAM) from XACML. Enterprises have been doing EAM for decades. The pattern of using something like RACF as a decision-as-a-service facility is a well established practice. Although enterprises may not be using XACML, they are doing EAM and that will only continue.

Continue reading

Google Glass, Privacy, and a Book Recommendation: It’s all in the post-processing

I saw my first pair of Google Glass at the IAPP’s Privacy Summit a few weeks back. I can’t say for certain but I’ve got a feeling that the wearer was not only loving the utility his pair of Glass provided but also the circumspect looks shot his way by hundreds of privacy professionals. This got me thinking about how societal privacy issues are born – not just with Google Glass but with any technology.

As Glass debuted, people have been raising multiple privacy concerns including the concern that Glass could send images of people’s faces back to the Googleplex for post-processing such as facial recognition. This concern is rooted in the asymmetric relationship between the people in the line of sight of the Glass wearer, with whom they may not have a relationship, and Google who could collect their image and use it for whatever purpose it sees fit.  The random stranger might not have a relationship with the Glass wearer and she most certainly does not have a relationship with Google (or whoever makes the next Glass-like widget) in this context. The concern, I believe, is not just of asymmetric relationships and power imbalances but also one of post-processing.

Continue reading

How to Provision a Pope in 6 Easy Steps

Having deprovisioned your previous Pope, you thought your work was done. But just as soon as you’ve settled back into you desk chair you see it – white smoke wafting up from the chimney. It’s time to provision a new Pope!

Step 1 – Meet the new Pope

First things first, go meet the new Pope. Invariably new Popes arrive with panoply of devices that they want connect to continue to be able to use, and this one is no different. You and your CISO take an inventory of all the gadgets the new Pope wants to use: iPhone, Android tablet, Xbox, Chromebook, etc. With list in hand, you’ll have to start working with your security and device management peers on a strategy to quickly get those devices working with your infrastructure. (If the new Pope doesn’t get his time playing WoW: Mist of Pandaria, he gets a bit grumpy.)

Step 2 – Don’t wait for HR

You can’t leave the Pope just to sit on his mitre and wait for access to business systems. The new Pope has got to be productive minute one of his Popehood. But unfortunately, the new Pope won’t be in the HR feed until the next payroll run, which isn’t for another 12 days. Mussolini might have made the trains run on time but not even he could do anything about HR. To be fair, a new Pope isn’t really a new hire but a strange combination of a transfer and a new persona; needless to say, HR is going to need to take their time. This means you cannot wait for the HRMS to signal the user provisioning system to kick into action. Time for the manual bypass! Hand register the new Pope in the user provisioning system, but be ready for some strangeness when the new Pope does finally show up in the HR feed – misspellings, wrong job codes, and missing data will lead to odd provisioning events.

Continue reading

How to Deprovision a Pope in 6 Easy Steps

Recent announcements got me thinking about how to deprovision executives such as a Pope. Never had to deprovision a Pope before? No worries. We’ve come up with a sure-fire 6 step process guaranteed to help you help your Pope incur a separation from payroll.

Step 1 – Listen to HR

In order to kick off the deprovisioning process, ensure that the user provisioning system can, in fact, know that someone has left the organization; the most common way to do that is to “listen” to the HR system. Got that set up? Good. Oh wait, did HR actually submit his status change to ‘Abdicated?’ Does the user provisioning system actually know how to process ‘Abdicated’ status codes instead of ‘Terminated?’ Say a Hail Mary and proceed to Step 2

Step 2 – Disassociate said Pope from super-user accounts

Assuming the user provisioning system knows that your Pope is abdicating, the next step is make sure the he doesn’t “own” any god-like, privileged accounts such as root, domain administrator, SYSOPER, etc. You’d hate it if, whilst processing the deprovisioning event, the user provisioning system wipes out a crucial (often really hard to recover) account. Run a report, check to see if your Pope has some privileged accounts, and if he does, reassign ownership to someone else.

Continue reading