The 2013 edition of the European Identity & Cloud Conference just finished. As always KuppingerCole Analysts has created a great industry conference and I am glad I was part of it this year. To relive the conference you can search for the tag #EIC13 on Twitter.
KuppingerCole manages each time to get all the Identity thought leaders together which makes the conference so valuable. You know you’ll be participating in some of the best conversations on Identity and Cloud related topics when people like Dave Kearns, Doc Searls, Paul Madsen, Kim Cameron, Craig Burton … are present. It’s a clear sign that KuppingerCole has grown into the international source for Identity related topics if you know that some of these thought leaders are employed by KuppingerCole themselves.
Throughout the conference a few topics kept popping up making them the ‘hot topics’ of 2013. These topics represent what you should keep in mind when dealing with Identity in the coming years:
XACML and SAML are ‘too complicated’
It seems that after the announced death of XACML everyone felt liberated and dared to talk. Many people find XAMCL too complicated. Soon SAML joined the club of ‘too complicated’. The source of the complexity was identified as XML, SOAP and satellite standards like WS-Security.
There is a reason protocols like OAuth, which stays far away from XML and family, have so rapidly gained so much followers. REST and JSON have become ‘sine qua none’ for Internet standards.
There is an ongoing effort for a REST/JSON profile for XACML. It’s not finished, let alone adopted, so we will have to wait and see what it gives.
That reminds me of a quote from Craig Burton during the conference:
Once a developer is bitten by the bug of simplicity, it’s hard to stop him.
It sheds some light on the (huge) success of OAuth and other Web 2.0 API’s. It also looks like a developer cannot be easily bitten by the bug of complexity. Developers must see serious rewards before they are willing to jump into complexity.
OAuth 2.0 has become the de-facto standard
Everyone declared OAuth 2.0, and it’s cousin OpenID Connect, to be the de facto Internet standard for federated authentication.
Why? Because it’s simple, even a mediocre developer who hasn’t seen anything but bad PHP is capable of using it. Try to achieve that with SAML. Of course, that doesn’t mean it’s not without problems. OAuth uses Bearer tokens that are not well understood by everyone which leads to some often seen security issues in the use of OAuth. On the other hand, given the complexity of SAML, do we really think everyone would use it as it should be used, avoiding security issues? Yes, indeed …
A lot of talk about the ‘API Economy’. There are literally thousands and thousands of publicly available APIs (named “Open APIs”) and magnitudes more of hidden APIs (named “Dark APIs”) on the web. It has become so big and pervasive that it has become an ecosystem of its own.
New products and cloud services are being created around this phenomena. It’s not just about exposing a REST/JSON interface to your date. You need a whole infrastructure: throttling services, authentication, authorization, perhaps even an app store.
It’s also clear that developers once more become an important group. There is nu use to an Open API if nobody can or is willing to use it. Companies that depend on the use of their Open API suddenly see a whole new type of customer: developers. Having a good Developer API Portal is a key success factor.
Context for AuthN and AuthZ
Manye keynote and presentations referred to the need for authn and authz to become ‘contextual’. It was not entirely sure what was meant with that, nobody could give a clear picture. No idea what kind of technology or new standards it will require. But it was all agreed this was what we should be going to
Obviously, the more information we can take into account when performing authn or authz, the better the result will be. Authz decisions that take present and past into account and not just whatever is directly related to the request, can produce a much more precise answer. In theory that is …
The problem with this is that computers are notoriously bad at anything that is not rule based. Once you move up the chain and starting including the context, next the past (heuristics) and ending at principles, computers are giving up pretty fast.
Of course, nothing keeps you from defining more rules that take contextual factors into account. But I would hardly call that ‘contextual’ authz. That’s just plain RuBAC with more PIPs available. It only becomes interesting if the authz engine is smart in itself and can decide, without hard wiring the logic in rules, which elements of the context are relevant and which aren’t. But as I said, computers are absolutely not good at that. They’ll look at us in despair and beg for rules, rules they can easily execute, millions at a time if needed.
The last day there was a presentation on RiskBAC or Risk Based Access Control. This is situated in the same domain of contextual authz. It’s something that would solve a lot but I would be surprised to see it anytime soon.
Don’t forget, the first thing computers do with anything we throw at them, is turning it into numbers. Numbers they can add and compare. So risks will be turned into numbers using rules we gave to computers and we all know what happens if we, humans, forgot to include a rule.
Graph Stores for identities
People got all excited by Graph Stores for identity management. Spurred by the interest in NoSQL and Windows Azure Active Directory Graph, people saw it as a much better way to store identities.
I can only applaud the refocus on relations when dealing with identity. It’s what I have been saying for almost 10 years now: Identities are the manifestations of relationship between two parties. I had some interesting conversations with people at the conference about this and it gave me some new ideas. I plan to pour some of those into a couple of blog articles. Keep on eye on this site.
The graph stores themselves are a rather new topic for me so I can’t give more details or opinions. I suggest you hop over to that Windows Azure URL and give it a read. Don’t forget that ForgeRock already had a REST/JSON API on top of their directory and IDM components.
Life Management Platforms
Finally there was an entire separate track on Life Management Platforms. It took me a while to understanding what it was all about. Once I found out it was related to the VRM project of Doc Searls, it became more clear.
Since this recap is almost getting longer than the actual conference, I’ll hand the stage to Martin Kuppinger and let him explain Life Management Platforms.
That was the 2013 edition of the European Identity & Cloud Conference for me. It was a great time and even though I haven’t even gotten home yet, I already intend to be there as well next year.
It’s shocking but I am not surprised. IT history is riddled with cases of devices, protocols and standards that required solid security but failed. Mostly they failed because people thought they didn’t need experts to build in security. Probably the most common failure in IT security: thinking you don’t need experts.
The last link shows how simple sign & encrypt is not a fail safe solution:
Simple Sign & Encrypt, by itself, is not very secure. Cryptographers know this well, but application programmers and standards authors still tend to put too much trust in simple Sign-and-Encrypt.
The moral of the story is: unless you really are an IT security expert, never ever design security solutions yourself. Stick to well known solutions, preferably in tested and proven libraries or products. Even then, I strongly encourage you to consult an expert, it’s just too easy to naively apply the, otherwise good, solution in the wrong way.
[Blogged from the 2009 edition of the European Identity Conference]
Slowly I am getting the impression that Microsoft is going to use claims for everything even remotely related to identity. During discussions at EIC 2009 I understood that Microsoft is also positioning claims for authorization. This is not entirely new, in their Azure Cloud Services offering they positioned claims this way: for authorization.
I am not feeling a 100% comfortable with this. Without more and detailed information on how Microsoft will realize it, I can hardly judge their strategy but here are some of my worries:
- Is the claims request/response protocol capable of supporting authorization? XACML obviously has a more rich model that allows for fine grained context descriptions and nuanced responses (e.g. obligations). With claims it’s more simple.
- Using claims for authorization makes the solution attribute driven. That opens the door for a heavy dependency on roles: roles are easy to represent in a claim. As far as I know Microsoft doesn’t have a solution to manage roles. Perhaps they have something on the horizon?
- Microsoft already indicated that roles as we use them today are incomplete. They are looking for a standard way to accompany roles with predicates. For instance “The user has the role ABC but only between 9AM and 5PM”. I can agree with the usefulnes and semantics of this roles-predicates marriage but I smell a box of pandora: so many ways to mess this up.
- Claims are a powerful concept and we can thank Kim Cameron and Microsoft for defining and pushing this. But there is this saying in Flanders “if the only tool you have is a hammer, everything looks like a nail”. This is a real trap for Microsoft: using claims to solve every IAM problem. I see the first signs of claims semantics being stretched too far.
- Lastly, informally I heard some ideas on how they will align Sharepoint with the claims world (specifically in terms of authorization). Policies would not evaluate to authorization responses but might evaluate to query-like structures that can be used by Sharepoint to select the resources you have access rights for. I am not sure if I understood this correctly so I am going to hold back on commenting.
It will be interesting to see how all this will be evolving in 2009 and 2010. I assume more on this during EIC 2010.
I haven’t blogged about the European Identity Conference since it started. Although I have to say that I made up by using Twitter (@bderidder) during most of the keynotes and presentations. I was present at the very first EIC in 2007, skipped the 2008 edition and joined the 2009 edition again. That gives me a nice opportunity to see how this conference has evolved during it’s 3 first editions.
It has evolved … and mostly in a (very) positive way. Kuppinger Cole succeeded in creating a strong conference agenda with all important IAM and GRC topics covered. Even the catering is perfect! That was not really the case in 2007 during the first edition
I do see a difference though. In 2007 there was this “grassroots” atmosphere. We had a lot of people working on emerging standards like Bandit, Higgins, OpenID, VRM … There was this constant buzz during the presentations, breaks and evening visits to Munich. Everyone felt as if they were part of this new thing called “Identity”.
The 2009 edition is different. It’s definitely a lot more mainstream. There is less of a buzz (if at all). I think that can mean two things. One, EIC is scheduling more “serious” presentations and, two, Identity has matured into something … well … mainstream. As always in these cases, it’s a little of both.
Heavily scheduling presentations about GRC (Governance, Risk and Compliance) is bound to create a more professional (dare I say boring) atmosphere. But, and that is a good thing, Identity is also a lot more mature. Most of the bleeding edge topics in 2007 are now being presented as commercial products and consultancy offerings. The best example would be all the offerings you can see around claims and XACML. Topics like OpenID or SAML are not exotic anymore. They have become well accepted in the industry. One topic didn’t seem to make it though. “User centric identity” was lost somewhere in the last 2 years. It’s being recycled in the VRM (vendor relationship management) community but with less fanaticism.
Relating to my remark on GRC, hinting at it being a boring subject, I have to make a correction. It’s definitely not a boring subject. I would also say that Kuppinger Cole is absolutely right in scheduling it on the agenda. But you have to admit, it’s a more specialized subject with little to none “sexy” technical aspects.
The conference is not finished, it’s not even half way, yet I think I can make a couple of preliminary conclusions on what I will be taking home on Friday evening:
- Identity has matured, most of the exotic topics two years ago are now mainstream and being turned into products by Oracle, Sun, Microsoft, IBM … and numerous other larger and smaller players in the market. Clients also notice these offerings and buy them.
- It’s not clear if the current level of maturity of Identity is sufficient. There haven’t been any presentations on this and Kuppinger Cole is not making statements on this. Unless it’s about GRC of course, but what about other aspects? There are bound missing gaps in Identity right now and they are being forgotten in all the happiness surrounding claims, federation …
- There is a lot of talk about GRC, both in presentations and during breaks. Nevertheless, I personally still perceive it as something at a conceptual (hype?) level. That is at least the overall impression I got at this conference. Topics like these, high level business concepts, always carry a risk of remaining empty. It’s very easy to talk an entire day about GRC without knowing a thing about it, it’s a lot harder to do that with topics that have a direct technical link.
- Authorization is massively misunderstood and apparently has yet to reach the maturity level Identity currently has. Whenever the word “authorization” is dropped, people either go RBAC or think it’s about claims. It will probably take more then one year (and conference) to get this right.
I forgot some conclusions but since the conference is not over yet, I will get another chance to write about those.
For what it is worth, some advice for a 2010 conference:
- Try to create some of that 2007 “grassroots” atmosphere, there are plenty of topics that can do this, both in Identity, Authorization and hopefully GRC as well.
- Turn the GRC topics into something with real and tangiable content. It’s so easy to talk about GRC without actually saying anything.
- GRC brings IAM to the world of “Business ICT Alignment”, that means to the world of Enterprise Architecture. So … where are the IAM and Enterprise Architecture topics?
- Authorization definitely should come back and hopefully with the message that it is not about RBAC and not about claims. Those are merely tools and technologies that will have a much shorter lifespan then authorization itself. We have to dig deeper and unravel more of what authorization is really all about.
- And last, an Identity Award for the longest blog post about day 2 of EIC 2009. Thank you.