Posted September 10th, 2010 These are my raw notes put here for reference purposes.
Attendees
- Peter A
- Mary R
- Ian G
- Gerry B
- others
What is meant by identity oracle?
- An oracle provides an answer to a question but not a specific attribute
  - If you ask an oracle “Is Peter over 21?” it says yes. It does not hand back an attribute – birthdate
Peter: The Federal Govt is authoritative for very few attributes – State Dept for passport #, citizenship. State govts are authoritative for driver’s license number. SSA for SSN.
E-Verify is an example of an oracle, says Gerry.
Peter – what will drive this is the requirement for LOA3 credentials needed to access medical records.
P – “We do not have an attribute infrastructure.” A lot of attributes are simply issued via IdPs.
I – our examples so far have shown organizations that are authoritative for identifiers but not attributes
P – raises need for back end attribute exchange
Gerry – The problem with authoritative attribute providers is that the PDP makes a decision as to what is truly authoritative for a given context. An authoritative data source must provide an SLA or MOU so that the relying party can establish trust.
P – BAE is 1/2 of the equation and attribute provider (market?) is the other half
A – is there a business model for attribute providers? Continue reading "Notes from the “Government as Identity Oracle” session at IIW East"...
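The distinction the notes draw between an oracle (a yes/no answer) and an attribute provider (the attribute itself) is shown below as an added Python example. It is not code from the session or from the blog: the records, the fixed date, and the predicate names (`over_18`, `over_21`, `us_citizen`) are constructed for illustration. The one design choice worth noting is that the oracle's menu of questions is closed; an oracle that accepted arbitrary thresholds ("born before 1990-01-01?") would let a caller recover the birthdate with a few binary-search queries, so fixed predicates plus an audit log are the minimum a relying party and an authoritative source would expect from each other.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List

# Constructed records standing in for an authoritative source (a DMV, a passport
# office). Names and dates are made up for this example.
RECORDS = {
    "peter": {"birthdate": date(1975, 3, 2), "citizenship": "US"},
    "mary": {"birthdate": date(2008, 7, 14), "citizenship": "CA"},
}

TODAY = date(2010, 9, 10)  # fixed so the example is deterministic


def age_on(birthdate: date, today: date) -> int:
    """Whole years between birthdate and today."""
    had_birthday = (today.month, today.day) >= (birthdate.month, birthdate.day)
    return today.year - birthdate.year - (0 if had_birthday else 1)


@dataclass(frozen=True)
class OracleAnswer:
    """What leaves the oracle: the question, the subject and a yes/no. No attribute."""
    question: str
    subject: str
    answer: bool


class AttributeProvider:
    """Contrast case: hands the raw attribute back to the relying party."""

    def __init__(self, records: Dict[str, dict]):
        self._records = records

    def get(self, subject: str, attribute: str):
        return self._records[subject][attribute]


class IdentityOracle:
    """Answers a fixed menu of predicates about a subject without releasing
    the attribute they are computed from. Unsupported questions are refused
    rather than evaluated, and every answer given is logged."""

    def __init__(self, records: Dict[str, dict], today: date):
        self._records = records
        self.audit: List[OracleAnswer] = []
        # Hypothetical predicate names; a real deployment would publish its menu.
        self._predicates: Dict[str, Callable[[dict], bool]] = {
            "over_18": lambda r: age_on(r["birthdate"], today) >= 18,
            "over_21": lambda r: age_on(r["birthdate"], today) >= 21,
            "us_citizen": lambda r: r["citizenship"] == "US",
        }

    def ask(self, question: str, subject: str) -> OracleAnswer:
        if question not in self._predicates:
            raise ValueError(f"unsupported question: {question}")
        record = self._records[subject]
        answer = OracleAnswer(question, subject, bool(self._predicates[question](record)))
        self.audit.append(answer)
        return answer


if __name__ == "__main__":
    oracle = IdentityOracle(RECORDS, TODAY)
    print(oracle.ask("over_21", "peter"))   # answer=True, no birthdate in the reply
    print(AttributeProvider(RECORDS).get("peter", "birthdate"))  # the attribute itself
```

The relying party in the first call learns only that Peter satisfies the predicate; in the second it learns the birthdate, which it must then store and protect. That difference is what makes the oracle the smaller disclosure for both parties.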
Posted April 12th, 2010 I’ve been a bit quiet on Tuesdaynight lately… sorry – it has been a bit crazy around here.
At any rate, we are 7 days away from Burton Group Catalyst EU! In the 7+ years that I’ve been involved in one way, shape, or form with Burton Group, I’ve never been to a Catalyst EU – so I am very excited. For those of you joining us, you are in for a treat – John Seely Brown will be delivering the keynote for us. Besides Mr. Brown, the IdPS team has got some great content waiting for you:
- Bob will kick things off with a look to the future identity architecture
- I’ll be talking about the IdM market as a whole
- Lori and I will have a serious conversation with our dear friend – provisioning
Fun for the whole family…
For those of you not heading to Prague, follow the conversation on Twitter. We’ll be using #cat10 for the conference, and the identity conversation will be on #idps.
See you there either in person or virtually…
Posted November 17th, 2009 A friend in the industry recently asked me for my thoughts on OpenID, InfoCards, and the US federal government’s work to consume non-government issued credentials. Letting the question rattle around in my head for a while, here’s what I’ve got so far.
My hope is that the overall ICAM initiative is successful—not because I have been eagerly waiting to interact with the federal government using some form of authenticated credential—but because we (citizens, enterprises and government) are at a pivotal moment in the history of the web. With the US government working with both the OpenID and InfoCard Foundations, there exists an opportunity to change how individuals interact with large organizations, both public and private. For the first time, individuals would be able to (even encouraged to) interact with a large organization (such as the US federal government) using an identity asserted, not by the large organization, but by the individual. In this case, the State is no longer the sole provider of identity. This breaks the monopoly that the State has had on credentials and is indicative of the future to come.
But there is a long road to walk before getting there. There are numerous concerns with these plans. Among these are notable security concerns, especially with OpenID, that the identity community is not blind to. These are not my primary concerns. Continue reading "Hopes and concerns for identity"...
Posted June 29th, 2009 Last week I was at the recent Department of Homeland Security’s Government 2.0 Privacy and Best Practices conference. Not surprisingly the subject of transparency came up again and again. One thing that definitely caught my attention was a comment by one of the panelists that efforts towards government transparency are too often focused on data transparency rather than process transparency. While we have Data.gov as one of the current administration’s steps towards furthering government transparency, we do not have an analogous Process.gov. Said another way – we get the sausage but don’t get to see how it is made. This isn’t transparent government but translucent government.
From what I’ve seen I’d say that enterprises have achieved the opposite kind of translucency with their identity management programs. Though enterprises have achieved some degree of process transparency by suffering through the pains of documenting, engineering, and re-engineering process, they haven’t been able to achieve data transparency. Identity information has yet to become readily available throughout the enterprise in ways that the business can take advantage of. Identity information (such as entitlements) has yet to achieve enterprise master-data status. Worse yet, the quality of identity data still lags behind the quality of identity-related processes in the enterprise.
For those of you attending the Advanced Role Management workshop at Catalyst this year, you’ll hear me and Kevin present the findings from our recent roles research. Throughout our interviews we heard identity teams discuss their struggles with data management and data quality. Finding authoritative sources of information, relying on self-certified entitlement information, and decoding arcane resource codes were just some of the struggles we heard. No one said that identity data transparency was easy, but without it enterprises can only achieve identity translucency and not true transparency. Continue reading "Transparent or Translucent?"...
Posted May 13th, 2009 Ian Yip’s take on access management versus entitlement management can be partially summed up with this equation:
Entitlement management is simply fine-grained authorisation + XACML
I have four problems with this.
First, definitions that include a protocol are worrisome as they can overly restrict the definition. For example, if I defined federation as authentication via SAML, people would quickly point out that authentication via WS-Fed was just as viable as a definition. So in terms of an industry conversation, we need to make sure that our terms are not too narrow.
Second, I fear that this definition is a reflection of products in the market today and not a statement on what “entitlement management” is meant to do. Yes, most of today’s products can use XACML. Yes, they facilitate authorization decisions based on a wider context. But who’s to say that these products, and the market as a whole, have reached their final state? Along these lines, I wonder if externalized authorization stores are a required part of an “entitlement management” solution?
Third, there is something missing from the definition – the policy enforcement point. A fine-grained authorization engine provides a policy decision point, but that still leaves the need for an enforcement point. This holds true whether an application has externalized its authorization decisions or not. Continue reading "Nailing Down the Definition of “Entitlement Management”"...
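The third point, that a decision point without an enforcement point decides nothing in the application's request path, is shown below as an added Python example; it is not code from the post, from any product, or from an XACML implementation. The rule shapes, the `view_record` handler and the request attributes are constructed for illustration, and the rule set is a first-match-wins, deny-by-default list that mirrors the structure of XACML rules without the XML. The point of the example is the last two lines of the test: a handler called directly is reachable whatever the PDP would have said, and only the PEP turns a Deny into a refusal.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    """An authorization request: who wants to do what to which resource, plus context."""
    subject: str
    action: str
    resource: str
    attrs: Dict[str, str] = field(default_factory=dict)


# A rule is (predicate over the request, effect). Constructed for this example.
Rule = Tuple[Callable[[Request], bool], str]


class PolicyDecisionPoint:
    """Evaluates rules in order; first match wins; no match means Deny."""

    def __init__(self, rules: List[Rule]):
        self._rules = rules

    def decide(self, req: Request) -> str:
        for predicate, effect in self._rules:
            if predicate(req):
                return effect
        return "Deny"


class PolicyEnforcementPoint:
    """Sits in front of the resource handler. Nothing reaches the handler
    unless the PDP returns Permit, and every decision is logged."""

    def __init__(self, pdp: PolicyDecisionPoint, handler: Callable[[Request], str]):
        self._pdp = pdp
        self._handler = handler
        self.log: List[Tuple[str, str, str, str]] = []

    def __call__(self, req: Request) -> str:
        decision = self._pdp.decide(req)
        self.log.append((req.subject, req.action, req.resource, decision))
        if decision != "Permit":
            raise PermissionError(f"{decision}: {req.subject} {req.action} {req.resource}")
        return self._handler(req)


def view_record(req: Request) -> str:
    """The protected operation. On its own it has no idea a PDP exists."""
    return f"record {req.resource} for {req.subject}"


# Hypothetical fine-grained rules: a physician may view records in their own
# department; billing staff may view any record.
RULES: List[Rule] = [
    (lambda r: r.action == "view"
     and r.attrs.get("role") == "physician"
     and r.attrs.get("department") == r.attrs.get("record_department"), "Permit"),
    (lambda r: r.action == "view" and r.attrs.get("role") == "billing", "Permit"),
]


if __name__ == "__main__":
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(RULES), view_record)
    ok = Request("alice", "view", "rec-42",
                 {"role": "physician", "department": "cardiology", "record_department": "cardiology"})
    print(pep(ok))  # Permit: handler runs
    bad = Request("bob", "view", "rec-42",
                  {"role": "physician", "department": "oncology", "record_department": "cardiology"})
    print(view_record(bad))  # reachable: no enforcement point in this path
```

Whether the PDP runs in-process or as an external service changes nothing here; the application still has to route every access through something like `PolicyEnforcementPoint`, or the decision is never applied.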