Looking back to look forward: Thoughts on HP acquiring of Trustgenix

So another player in the identity market has been absorbed. HP
is acquiring Trustgenix Reading Andre’s blog entry on this subject got me a nostalgic. Maybe its the season. Maybe its the leftover turkey’s tryptophan.

Being part of the 1st generation of user provisioning tools in the market, and having been acquired by a “suite” vendor, I’ve had a ringside seat to watch the industry expand and contract. There was the first wave of expansion with Access360, Business Layers, Waveset, BMC for provisioning and Oblix, Netegrity, Securant, DASCOM, Entegrity for web access control. There was Courion and M-Tech for password management. Among the meta-directory group you had iPlanet, Novell, Siemens, Zoomit. OctectString and RadiantLogic were there for virtual directory services. Then there was the first major market contraction. The bubble had burst. We had blown through our cash. The dreams we had of making a squillion dollars vanished… now we had to actually work for our money. In this first major contraction, we saw CA eat Netegrity who ate Business Layers. IBM swallowed Access360, DASCOM, and Metamerge while Sun consumed Waveset. RSA bought Securant. Microsoft got Zoomit. Oracle bought Oblix and, recently, Thor and OctectString. (The ink has barely dried on this one but I consider the tail end of the first market contraction.)

As the first market contraction was going on, the second wave of expansion was beginning. This centered around web services, federation, SOA, and the like. In this second wave, there are players like: Trustgenix, PingIdentity, Sxip, SOA Software, Layer 7, Symlabs. We have started to see the second contraction as HP acquires Trustgenix. There will be more to come. The real question is will the identity suite vendors buy companies from this wave, or more traditional middleware vendors snatch these players up? Federation and web services deals more with a business interaction as it happens. They deal with identity issues on the fly. Vendors from the first wave focused on the setup and tear down of identity around the business interaction. The BEA Weblogics and IBM Webspheres of the world deal with business interactions in flight and probably are more interested in the second wave vendors than the pure identity suite vendors.

What’s going on now? The third wave of identity is rolling along now. The third wave focuses on activity in applications, information governance, identity in the network, and role / privilege analysis. Here we find us, Eurikify, Bridgestream, Prodigen, TIzor, Consul, Virsa, and others. This wave brings a new perspective, an identity-focused perspective, to old subjects like network and application activity. This new perspective was long in coming.

Where is this market going? We have yet to see a second and third wave of contraction in the market, and we are bound to. The quest for the complete identity suite is winding down as vendors realize how hard it is to stitch together all the peices they need. Instead of unifying policy tools, we’ll get unified reporting in the name of compliance. Business orchestration tools will consume a lot of the federated and SOA players out there.

As one vendors gets absorbed into another, new ones spring up. We are starting see a lot of activity reputation, portable identity, Identity 2.0, etc. As this market matures, it keeps getting more and more interesting.

Technorati Tag:

Attack of the YAMS: Thoughts on the Role Management Panel at Digital ID World

I was thinking about the role management panel at Digital ID World in New York this weekend. My first reaction to the panel discussion, which consisted of BearingPoint, Prodigen, Bridgestream, and Thor, was that roles are finally growing up. The idea that roles require lifecycle management just as identities do is, at first, a little shocking but then makes a great deal of sense. Working in the enterprise provisioning market for years, I got used to hearing how hard it was to complete a role deployment. At the same time you had Burton Group and others professing the value of roles. Customers were fighting both the difficulties in deploying identity management solutions as well as the difficulties in understand and leveraging roles. As the industry provided better automation for the provisioning problem, we saw deployment times go down. But, roles were still tough to deal with. We are now seeing tools to help truly automated the role lifecycle management problem.

One of the points that was agreed upon by the panel members was that business roles are separate from IT roles. Who I am in a company is very different than my privilege sets in target systems. Some provisioning products attempt to make this distinction. By elevating roles to a discipline that truly needs its own tooling, we will be able to manage that distinction far better than we can today. I do wonder if potential customers will still look at roles as too difficult and not address them appropriately. “Roles are hard. See… they have to have tools to deal with them,” I can hear a potential buyer say. To this, I often respond with a wink, “IT would be simple if we didn’t have end-users.”

My concern with role lifecycle management is not with the concept itself. I think this is a space that was long in coming. My concern is role lifecycle management is yet another “Management” or YAM. Our industry is full of YAMs. We’ve got the access YAM, provisioning YAM, strong authentication YAM, network security YAM, federation YAM. As we look forward to 2006, I think we are going to see pushback against YAMs. Customers are growing weary of yet another policy tool, yet another reporting tool, and another YAM. I think that some of the false hope in the past market consolidation and the IdM suite vendors was that they would cut down on the YAMs. The dream of a single tool that translated business goals and regulations into their various IdM components: access, privacy, provisioning, etc, has yet to be realized. I worry that the number of YAMs keeps increasing without unfiying language and tooling. I worry that the industry is over-specializing without having generalist tools to link these specializations together.

It’s good to see these vendors working together to tackle the role lifecycle management problem from different sides. In their own way, they are fighting the YAMs. We need more impromptu collaborations between solution vendors, deployment specialists, and visionaries. We need less YAMs.

With Thanksgiving fast upon us, I leave you with a yam recipe that will leave your guests in a food coma. If we can’t help fight YAMs in our products, we can at least fight yams one fork at a time!

Technorati Tags:

A me shaped hole in the web and other thoughts from Internet Identity Workshop 2005

There’s a hole in the web
The web has a hole in it. That hole is shaped just like me. Anyone, with sufficient time and desire, could find the scattered bits that make up my composite identity and pour them into the hole. Between Google, Zabasearch, Technorati, del.icio.us and others you could fill the me shaped hole in the web.

But then again, I can do the same with the you shaped hole in the web.

And if we can do this with free or nearly free tools, just imagine what you can get with a little cash and some research. (Maybe this thought ought to be titled, “How I learned to stop fearing Eschelon.”)

So how can I prevent you from filling the me shaped hole in the web? I could attempt to change the shape of the hole. The problem is that in order to do that I have to change myself. Since this isn’t a self-help blog and we really don’t have time to delve into the vast array of my quirks, let’s move on to another approach. What if I could somehow generate more scattered bits about me than could fit in the hole? More me than is really me? If I could flood the usual channels with bogus identity information that was close enough to me to fool systems that you use to triangulate me and fill the me shaped hole, then I could make it impossible to tell the bogus bits from the real ones. You couldn’t be sure that you really filled the me shaped hole with real me bits. (By the way, I am in no way endorsing some sort of strange identity-based breakfast cereal… Me Bits, Now with more self-asserted claims!) The best place to hide something is in plain sight.

In order to mask myself from the web, instead of trying to remove all my bits from the web, I flood it with more me than is me. (This is starting to sound a bit like Smith from the second Matrix.) What I am rambling about here is a pink noise generator for identity. On an individual basis this is a little impractical. I’d have to spend a bunch of time and effort trying to create the systems to generate a me-flood. That isn’t going to happen any time soon.

But what about communities I belong to? Would the hosts of my various communities create the technology to mass produce its members on web as a value-add? Would you join a group which offered the ability to mask you or your membership from the web by making a you-flood?

I have to thank Jan Hauser for impetus for this one.

I don’t get it
Why are the identity problems of the enterprise so different from the individual? It became immediately obvious to me that my past experience in enterprise identity management was not going to be directly applicable to the issues and use cases that IIW2005 was addressing. The identity needs of the individual are clearly different than those of an enterprise comprised of individuals. Fair enough. But why is there such a gap?

If you examine an employee in an enterprise do they have similar identity problems to private citizens? An employee and a citizen (I am using citizen here to represent a regular user like my grandfather) clearly operate in different contexts. I think the SocialPhysics gang would say that this difference in context is the root of the difference in identity needs.

It just strikes me as odd that all good work of Sxip, NetMesh, OpenID, and their kin don’t seem to merge with the hard work of Sun, IBM, Novell and their kin. This inside versus outside of the enterprise context really eats at me. This division between the two seems artificial.

Make identity issues meaningful
It’s great that there are groups like the Identity Gang. They care about real meaningful issues.

But those issues that are meaningful to those familiar with them are often hard to explain to outsiders. (And let’s not forget that the outsiders here at 99.999% of web users.) Sometimes you have to turn to outside sources to help explain issues that mean a lot to you. I think that Dick’s presentation is great for doing just that. I also think that this video from Red Versus Blue (sorry for the wmv file) does much the same… with the added bonus of guns, herbal Viagra, and Halo goodness. Enjoy.

Technorati Tags:

Thoughts on the Internet Identity Workshop 2005 Day 1

Overall, I am really enjoying this workshop. It serves as a great high speed primer for a variety of identity issues and technologies.

Some highlights from the presentations so far:

Doc Searls – Identity in the marketplace: The Rise of Fully Empowered Customer
It’s always good to hear Doc give a talk. His belief that the web is a marketplace, a place for business and culture definitely has a Diamond Age feel to it. His example of customer freedom from vendor CRM shackles is an interesting one. Though his example of renting car is certainly valid and demonstrates the reverse nature of our world today, I’d love to get the vendors’ perspective on this. There are a few people from Yahoo in the audience and I am sure that they have some strong opinions about the freeing of identity.

Brad FitzpatrickOpenID

Brad put on the best show of the day, by far. It was a very Dada affair full of self-criticism. It was a simple talk about how OpenID works and why it does what it does. A simple tool for a specific problem… frickin’ brilliant. OpenID is a way to prove you own a URL using an identity provider you trust. Fairly simple. I sat there wondering why, when we see a simple solution, we say, “That’s all it does?” Why is it that we seem to always want some grandiose solution to a massive problem. What happened to elegant, simple solutions to problem? For that matter, what happened to problems that can be expressed in a few words and not an onslaught of slides?

Paul TrevithickSocial Physics and The Higgins Trust Framework

Paul and co’s work has lead them to the conclusion there is no identity independent of context. Context is the real king here. Not individual demographic attributes. Not roles. Not protocols. It the the context of interaction between users, trusted parties, vendors, etc that is the real domain of identity.

I applaud the group’s work around creating the Framework. It is an abstraction layer that helps tie the vast array of user information to contexts appropriately. Paul’s honesty on the subject of implementation are hard was definitely a welcome admission.

After hearing his presentation, I was a little annoyed that I hadn’t heard of this before. You’d think if you have read my Shadows of Identity piece that I would have already been an versed in Higgins. Nothing could be further from the truth. Strange how things happen sometimes.

Other thoughts:
Although these presentations today do not represent the entirety of the identity world, they are a sketch of the problems and solutions out there. It seems to me that there is so much attention to possible solutions, technologies, protocols, and the like that we are losing sight of the problems we have set out to solve. To me, there are two general classes of problems. First, there are the problems of an individual. How do I manage my identities out there? How do I describe what data about me I will allow to be disclosed? Who can get that data? The second class of problems are relationship-based where the relations involve more than two parties. How do I share my perferences and needs with an entire market? One question I keep coming back to is, if we figure out a way to solve both classes of problems, who is going to pay for it?

Technorati Tags: