This year’s European Identity & Cloud Conference took place from 17 to 20 April, with the last day being a workshop day to deepen some of the topics. The event is one of the most important IAM meetings in the world and continues to increase its impact. Almost 600 visitors from all over the world and 40 exhibitors amounted to 35% growth. As every year, the vendor landscape showed some dynamics: NetIQ acquiring Novell’s IAM business, ATOS taking over Siemens IT Solutions and Services (DirX), new rising stars appearing like ForgeRock, Symplified and The Dot Net Factory, to name a few, Ping Identity expanding its presence, and big companies like VMware participating for the first time.
The most discussed new topics this year have been “The Open API Economy” and “Life Management Platforms” (Personal Cloud).
API economy: most presenters agreed that open APIs are important to businesses today, as they can bring new business opportunities and allow cloud users to orchestrate their applications into mashups delivering the service that the business really needs. Even more, for some companies it will be crucial to provide APIs in order to stay in business. In Andre Durand’s words: “A business without a cloud API is like a door without a doorknob”.
Life Management Platforms provide more than a personal data store. They offer an answer to people’s need to share data in a very controlled and secure way. An example mentioned is the insurance contract number that needs to be accessed from abroad in case of a car accident. These platforms follow a minimum disclosure approach, which is totally different from that of social networks à la Facebook as we know them today (remember: as soon as you have entered your information, the data belongs to Facebook). Life Management Platforms are expected to replace the existing social networks in a 10-15 year time frame.
For me, one of the main take-aways of the conference is the fact that identity and information security now really matter. Finally they have arrived on the agenda of the boards.
As usual, the conference started with a set of pre-conferences on Tuesday morning: the Kantara Initiative Summit, OASIS and ISACA workshops, and the OpenID community reviewing the status of OpenID Connect, OAuth 2.0 and Account Chooser.
The actual conference itself began in the afternoon with Martin Kuppinger’s keynote. The KuppingerCole team itself changed, with Craig Burton, Fulup Ar Foll and Alexei Balaganski joining as analysts and Tim Cole stepping back due to health reasons. In the absence of the charming, entertaining Cole, the moderator’s task was taken over by Nigel Cameron, who brought stricter timekeeping to the conference schedule.
The IAM world today is not characterized by fundamentally new aspects but undergoes a more evolutionary development. In his keynote, Kuppinger described these changes as a development process from manufacturing to industrialization, which manifests itself in the need of IT departments to meet changing requirements. IT departments feel that they now must compete against external (cloud) offerings. This is similar to the pressure we know from outsourcing considerations, but with cloud computing becoming more prevalent the rivalry is more tangible. Kuppinger describes the new demand in his “IT Paradigm”, a standardized model for building future IT. The paradigm illustrates how IT departments can provide the services the business really wants by enforcing information security, mitigating risks and being compliant through an enterprise-wide governance approach.
According to KuppingerCole, the trends for 2012 are:
- Data Loss Prevention, which will be the number one topic for IT departments
- BYOD (Bring Your Own Device) will continue to be an issue in 2012
- Cloud computing standards like SCIM (Simple Cloud Identity Management) need to be supported by providers as cloud users’ demand for standards increases. But standards for authorization and auditing in the cloud are still missing
- IAM will move to the cloud more than ever before
- Continued breaches of trust providers, which will not be limited to digital certificate authorities
- GRC, data governance and data loss prevention will merge as businesses realize that DLP includes data loss mitigation (what to do when things have happened)
- Ubiquitous encryption will become a hot topic (encryption of all data everywhere)
- Companies will start to redefine their IAM infrastructure to become future-proof
- All mobile platforms will remain under attack of all forms
- Regulatory pressure is still pushing IAM and GRC
In the remainder of the first day, the agenda’s tough schedule provided for a number of keynotes (9 keynotes without a break …) which brought the known and highly valued mixture of business and academic thought leaders as well as keynotes by sponsoring vendors. Speakers, some of them known from previous years, presented their viewpoints and vision. Enrico Mordini postulated “the new gold is identity”, Reinhard Posch reported on eID projects and their challenges, especially in cross-border usage (see STORK https://www.eid-stork.eu), and Kim Cameron (“through a series of bizarre events and the fact that it is hard to retire” he returned to Microsoft) stated that the new cloud requires a new identity model. IDMaaS (Identity Management as a Service) is needed to assemble claims from multiple sources, and organizations will selectively expose their directories to other applications. “The cloud motor runs on identity”, he said. Supporting concepts: Microsoft U-Prove https://connect.microsoft.com/site1188 (remark: and IBM Idemix http://www.zurich.ibm.com/idemix/details.html). Speakers from CyberArk presented on PxM, Shireif Nosseir of CA on the transformation of the security model, Peter Weierich of IC Consult on externalized authorization, Laurent Liscia of OASIS on evolving cloud standards, ID-Cloud (ID in the cloud) and TOSCA (portability for the cloud), Jonathan Sander of Quest, Barbara Mandl of Daimler on consumerization of IT, Doc Searls about “free customers are the new platform” in contrast to the old captured customer (see: http://lockerproject.org/, http://www.kynetx.com/ – the Kinetic rule engine and KRL, the cloud programming language), and Mike Neuenschwander, now with Oracle, and Patrick Parker, CEO of The Dot Net Factory, completed the spectrum.
The second day started early at 8:30 with three keynotes by speakers mainly from the banking sector and then split up into five tracks, one being a track dedicated to legal topics and one a round table discussion on consumer identity. As last year, the cloud audit track elaborated on the need for cloud audit standards, which are required so that the customer is able to compare providers and does not remain unclear about what he is really buying. A statistic was shown which measured the cloud readiness of countries concerning their legal and regulatory structure. The result ranks Japan, Australia and Germany as the first three countries. (Some references: Cloud Services Measurement Initiative – CSMIC, http://www.cloudcommons.com/, ENISA http://www.enisa.europa.eu/activities/application-security/test/, ISAE 3402 replaces SAS 70 http://isae3402.com/, ISO/IEC WD TS 27017 http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=43757.)
In the afternoon and on the following day, several successful examples of large-scale federations were shown, which came mostly from the educational sector (the Danish federation with its own profile OIOSAML, WAYF as best practice in outsourced federation in Denmark, and REFEDS with an astonishing 27 federations, 1815 IdPs and 2755 service providers; reference: https://refeds.terena.org/index.php/Main_Page).
Craig Burton moderated a session with the provoking title “Is SCIM a Scam?”, a very lively track with statements like “SOAP is dead”. Burton and the other participants came to the conclusion that SCIM is not a scam, because it is simpler than SPML (basically providing only CRUD operations and not trying to reflect the whole provisioning object model) and the specification work involved big names in the cloud like Google and WebEx, who are expected to implement SCIM for their services, helping to make 2012 the year of SCIM.
In the Life Management track, Drummond Reed (http://connect.me) and Marcel van Galen (http://www.qiy.com/) presented on their services: VRM (Vendor Relationship Management), the personal cloud and relationship as a service.
The evening of day two concluded with keynotes from Andre Durand of Ping Identity (“IT problems are fractal: your job is never done” and “a business without a cloud API is like a door without a doorknob”), Eberhard Faber on challenges security managers should watch (bring your own device = bring your own vulnerability), Stephan Bohnengel of VMware, and the European Identity Award Ceremony.
European Identity Award Winners 2012
- “Best IAM Project”: Siemens AG, Project HRS DirX, an IAM project that involves international deployments and leverages hybrid cloud environments.
- “Best Access Governance and Intelligence Project”: Europol, the European law enforcement agency, received the award for a strategic IAM project with central auditing in a very sensitive environment.
- “Cloud Security Project”: In this category two projects received the award: Daimler AG, consulted by IC Consult, for a project that involves a hybrid cloud through reuse of existing infrastructure, and Sanofi S.A. for a federation project which was successfully implemented in a very short time frame using Ping Identity solutions.
- “Best Approach on improving Governance and mitigating Risks”: Aéroports de Paris S.A., a Privileged Account Management project using CyberArk and Qualys.
- “Best Innovation/New Standard in Information Security”: OpenID Connect, for its elegantly simple design.
- A new category was introduced at this year’s EIC, “The Lifetime Achievement Award for Identity”: Prof. Dr. Reinhard Posch, CIO of the Austrian Federal Government.
- Special award “Mobile Security”: Swisscom with MobileID, a product which uses SIM card security built on the ETSI mobile security standard. (Remark: in Germany a similar product was announced by Vodafone as “Secure SIM”.)
My unofficial award for the acronym of the year goes to a very old and well-known acronym: “API”. I had never expected that APIs would gain such an ineffable importance for businesses, not just for application developers.
The third conference day started with presentations given by ATOS, Jacques Bus of the Digital Enlightenment Forum and Kai Rannenberg of the University of Frankfurt (http://www.m-chair.net). Rannenberg lectured on a more privacy-friendly Internet. (References: ABC4Trust https://abc4trust.eu/, an EU project on attribute-based credentials for trust and partial identities; ISO/IEC JTC 1/SC 27/WG http://www.iso.org/iso/iso_technical_committee.html?commid=45306; STORK https://www.eid-stork.eu/; Microsoft U-Prove https://connect.microsoft.com/site1188, based on blind signatures, and IBM Idemix http://www.zurich.ibm.com/idemix/details.html, based on zero-knowledge proofs; ISO/IEC 24760 http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=57914.)
The tracks of day three gave insight into best practice experiences of IAM projects (e.g. the Province of Trentino), the use of open source in IAM, a real IAMaaS solution provided by Swisscom, and an interesting panel with Craig Burton, Martin Kuppinger, Kim Cameron, Fulup Ar Foll and Steven Willmott from 3scale on “IT model and the API economy”, describing the openness cycle of APIs:
Raw Data → internal reuse → customer reuse → partners and distribution
with all steps providing value.
To summarize, the conference all in all was a very interesting and informative event and, as always, perfectly organized by the KuppingerCole team.