Ferry Meewisse, a dutch bag designer, who runs the web site frrry.com, bags & fashion accessories, is using SSOCircle as a login option for partners and employees.
Beside Google, Yahoo!, MySpace.com, myOpenID and generic OpenID, they have the option to log in via SSOCircle and leverage several strong authentication options like X.509 certificates, USB tokens and OTP options like Yubikey or Swekey.
Three days of conference plus a Workshop day packed full with IAM and GRC topics and even more. The KuppingerCole European Identity Conference EIC2010 was a great success. In my opinion the best EIC I have seen, although there were some confusion and unexpected changes that let me miss some of the presentations I was eager to visit. But that can be easily excused looking at the choice and quality of speakers. KuppingerCole again did a very good job in gathering many of the leading heads in Identity Management and GRC. The only thing I missed were people from Google like Eric Sachs, who did a lot in the OAuth and OpenId space the last years.
This year EIC was combined with Cloud 2010 and the “Mittelstandsdialog Informationssicherheit 2010”, the latter was held in German. I have counted the occurrences of the word “cloud” in the presentation and panel topics and compared it to the frequency of the word “identity”. The result was: cloud vs. identity 36:39. So the conference was still more of an identity conferences than a cloud conference, although my impression was that the most used word was “cloud” and the most seen slide was the one on NIST’s cloud computing definition. When counting the words, I noticed that there are lots of companies that carry the word “identity” and there was no presenting company with “cloud” in its name. My bet that this will change next year.
Here are some of my impressions, as always 100% subjective and far from being complete.
4th of May – 1st day. Keynotes first part. Martin Kuppingers Opening
Keynote as usual gave us an overview on the key topics and top trends this year.
The key topics:
The five hot topics in IAM
Five hot topics in GRC
Five hot topics in Cloud Computing
The keynotes began with several moments of reflection on non-technical IT topics by presenters like Peter Ligezinzki, CIO of Allianz Investment Bank and Rainer Janssen, CIO od Munich Re. Interesting to note that the first two keynotes were held by customers not vendors or visionaries – my impression was that this year the customer site had much more weight, and this was good. Both speakers did not tell us technology but business or even philosophical lessons. Their presentations titled “It is not enough” and “What business has to learn so that IT can align”.
The next presentation was held by John Hermans, KPMG “Trust in the Cloud”. He mentioned that cloud is really the first business driven shift in computer paradigm, the shift from CAPEX to OPEX. He also mentioned the difficulties that auditors have with auditing cloud providers because of missing standards as SAS70 type II is not applicable to services like Salesforce.
Then Dave Kearns gave an overview of the development of access control from the 70’s til now. From a control by a person sitting at the entrance who knows you, a badge with photo still checked by a real human in the 80’s, a badge with no photo and automatic control by card readers in the 90’s to all the access control technology the 21st century gave us. He described the convergence of data governance and access governance to information governance but pointed out that convergence is not the answer to everything – but worth a try.
After the coffee break Kim Cameron, Microsoft, announced that ADFS 2.0 will be released on 5th of May and gave us an outlook to the next frontier: the federated directory which he named “federated interscalar directory”.
Daren Rolls, SailPoint, described the next generation provisioning which is more business centric: “Learn from BPM more than just workflow”. Provisioning will be model based: “build models – you have to know what you want to achieve, not just build a role model”. The next generation should also be last mile agnostic and should support multiple fulfillment processes. Bridging the business process to the technical process, no matter which provisioning product is used. He also said he wishes to replace the overloaded term “provisioning” with “identity change management process” . These thoughts were present in many talks and underlined that identity management is trying to climb the next level: farther away from technology and approaching business.
Sabine Erlinghagen from Siemens gave an overview on the opportunity national ID documents have in driving eBusiness applications.
Gerry Gebel, former identity analyst at Burton Group – now president of Axiomatics in the US, vgave interesting thoughts to IAM governance as a Six Sigma oriented business management strategy which aims to improve quality of process output, providing discipline for IT planners and speeds up the decision making process. He also mentioned that with XACML 3.0, a delegation model will be defined that is of particular interest for SaaS applications. XACML 3.0 will be finished later this year. Gebels “architecure anywhere” will be build upon XACML, SAML and STS.
5th of May – 2nd day
Today I followed the tracks “Mitigating Risk” and “Linking IDM & GRC to corporate performance” moderated by John Hermans from KPMG in his special way of challenging the panelists. He was asking questions like “Can you do GRC without IAM” , which was answered with yes, you can do that but manually process can be effective but not efficient, it is a matter of cost. Another question was “When will the IDM & GRC product vendors be rich ?” Panelists agreed that it depends on education and on the mandating of law. One speaker quantified the time span to 2 years others to 7 years and more … In most of the presentations on IDM & GRC people agreed that the way to go is a more business process oriented way and not a technically focused.
In the afternoon I visited the track “Authenticaton and Authorization” with presentations of Fulup Ar Foll and Vittorio Bertocci. Two kind of characters you should not miss when visiting EIC. Both talking about “Attribute Centric Identity Architecture” or in Microsoft parlance “Claims based Identity and the Cloud”. Fulup was provoking the audience with statements like “If the IT were architected correctly you don’t need provisioning software”. What he meant is that a better way would be to deliver user attributes with each request and just deliver as much of information you need for your access.
One of the highlights of EIC2010 was the a very motivating keynote of André Durand from Ping Identity. I remember his words from EIC2008 when he was asked how Ping as a niche vendor could survive between all these big players like IBM, Sun, Novell and Oracle, he answered: “we will see whether we are still here in 2-3 years”. After he was missing last year at EIC2009, he returned this year and in what a self-confident way with statements like “Our business is eliminating passwords. We will be long in business as there are many passwords” or “Enterprises must stand up for standards” that let http://twitter.com/winemaker twitter “Andre Durand for president”. Beside these strong quotes his presentation “Identity in the Cloud – Finding Calm in the Storm” pointed out that federation is the solution with saml & openid for Authentication and SSO
Unfortunately I wasn’t able to talk to him as it seems he flew in to deliver his fulminate keynote, celebrate a Ping Party and then flew out.
In the next keynote Dale Olds of Novell described 3 trends:
1. identity-based security is increasing in importance
2. SaaS and IaaS is converging to PaaS
3. cloud provider are getting identity providers (federation hubs)
He also presented a survey that showed the customer demands in SaaS. The survey to the question “which security capabilities customers are asking SaaS providers about” resulted in the top three topics:
with all three requested by around 50% of respondents.
The last keynote of the day was held by Dirk van Rooy. Head of Sector Trust and Security of the European Commission who presented the programs the EC is working on and planning in the future like the European internet future portal and a digital agenda for Europe, of which a draft can be found through googleing. He also mentioned the European Comission ICT conference 27 September 2010 in Brussels.
It is really a great achievement of KuppingerCole and a demonstration that they succeeded to put together very interesting speakers not only from the vendor space.
The day finished with the presentation of the Winners of the European Identity Award 2010:
Category: Best Innovation
Shared by Microsoft and IBM for their solutions “U-Prove” and “Idemix” and Wipro Technologies for their IAM appliance solution based on Novell software.
Category: Best Internal Project
Shared by Şekerbank T.A. of Turkey for a solution developed together with Smartsoft and Oracle,
Hannover Municipal Works based on a product supplied by Voelcker Informatik,
Schenker AG in conjunction with IC-Consult and technology from IBM.
Category: Best Project B2C
Shared by University of Washington together with Microsoft,
Catholic University of Leuven for a solution linked to SAP,
Kassenärztliche Vereinigung Bayerns with the help of Devoteam Danet
Category: Best Project B2B
Shared by BMW together with Omada and Microsoft,
Thomson Reuters solution based on Microsoft Identity Foundation,
Finnish State Railways Group with the help of RM5 Software
Category: Best IAM Project in Cloud Computing
Shared by Orange FT Group of France, BasisOne from South Africa and
Piaggio Group
Category: eHealth and eGovernment
University Clinic Munich solution developed with Siemens,
German Ministry of the Interior’s electronic identity card project (“neuer Personal-Ausweis”, or “nPA”).
More on awards http://www.kuppingercole.com/articles/award2010
6th May – 3rd day
The last day started again with very interesting keynotes held by Tim Dunn from CA who presented a world wide survey on cloud computing. One of the questions 1000 enterprises were asked was about the reasons for migrating IT to the cloud: 70% of the respondents answered “reduced costs”, 57% “faster deployment time” and 56% “increased efficiency”. The survey also pointed out the difference between European and US customers in their approach to cloud computing: Europeans do more sandbox testing of cloud apps and have more of a controlled preproduction manner. In the US it is more business driven. Customers are finding services almost by accident. He concluded with “cloud computing is on the hype curve and it will happen fast with or without security. We better hurry and do it WITH security”.
Jackson Shaw from Quest Software presented “The most valid wins of IAM” which are
He developed an IAM Report Score Card:
| password sync, self service | A | |
| websso | A | needs to work smarter, it is a biz enabler, vendor lock in, prop authz, federation? |
| consolidation | B+ | consolidate into central directory like AD, true SSO |
| strong auth | B | not paying attention |
| federation | C+ | shows promise – still long way to go, why buying if ADFS is free ? |
| provisioning | C+ | needs improvement, his opinion: still 1.0 ? not so good in complicated scenarios and high costs for implementation, just-in-time provisioning needed – still lack in that area |
| privileged account management | C | good in unix (starts with sudo) become mainstream because GRC play, cloud makes it difficult,what to do with scripts and apps with passwords inside |
| entitlements, authorization, rbac, it-grc | incomplete |
For me the day continued with tracks on “Roles & Attributes”, “Single Sign On Identity Federation” and “Identity Assurance”. Lots of interesting best practices and customer experience but I should stop writing here as this is a blog and not a book …
Just one additional thing. The conference ended with another provoking keynote by Sachar Paulus. One point of his presentation was his answer to “Cloud – What is in it – for YOU, Personally?”:
Which is good news for the consulting business, isn’t it ? The last word has Tim Cole who did a very excellent moderation. Who counted his and his colleagues takeaways:
7th May – Workshop day.
As usual the week of IAM & GRC ended with a day of workshop
Wrapping up: It is obvious that identity and cloud computing are hot topics that cannot be separated. KuppingerCole European Identity Conference 2010 again was a must for people interested in Identity and Access Management & GRC and Cloud Computing. The conference is a “feed good” conference in very good surroundings. We are looking forward to EIC or better EICC 2011 (European Identity and Cloud Conference) which will held in Munich but not in the Deutsche Museum, since the conference rooms will be closed for renovation.
As part of project PicketLink Marcel Kolsteren, Seam Integration Lead, developed a module that allows developers to easily connect their seam application to external identity providers. The module supports SAML and OpenID. It also ships with an out-of-the box integration with SSOCircle. You will find a preconfigured saml-entities.xml file which includes the meta data for SSOCircle public IDP.
In his article External authentication example using SSOCircle he describes how to deploy the application, login via SSOCircle – either by choosing the IDP explicitly (see screen)
or by automatic redirection – and logout – either by local logout ( only from the seam application) or by global logout ( destroying the local session and the session at SSOCircle IDP).
Please note: if you need a private IDP to integrate with, check out our white label hosted IDP offering called IDPee. The private IDP has its own user database, can be customized to your branding and can be configured for several strong authentication methods. For more information: /en/portfolio/idpee-plans/
We liked the comment he sent to us during his test work:
“I’m glad that SSOCircle exists … it’s very handy for developers and good promotion for SAML in general! For OpenID it’s very easy to find lots of free identity providers in the cloud, but for SAMLv2 SSOCircle seems to be unique.”
About PicketLink (Quote from http://www.jboss.org/picketlink )
PicketLink is an umbrella project that aims to address different Identity Management needs. PicketLink is an important project under the security offerings from JBoss and includes the following components:
It is already 3 years ago when SSOCircle, the free public multi protocol IDP, went into production. What happens in the past year ? We added new devices to our strong authentication options: The Yubikey and the Swekey, two new innovative OTP tokens. Users do not need to type in the one time passwords. In case of Yubikey you just have to push a button and in case of the Swekey the password is read by a tiny piece of JavaScript.
We also added some new demos like the one with Salesforce (which includes Google Apps SSO), the downloadable award winning Fedlet and last not least our SAML enabled WordPress Blog.
On the other side we saw a decline of interest at the end of 2008 and the first months of 2009. Less users subscribed to the IDP and visited the web site. An impact of the economical downturn ? The good news is that the numbers came back to the values of mid 2008 in the second half of 2009.
We also anticipated analyst attention as the Burton Group published a report called “New Direction in Federation“. Read our blog here. The report introduced “Federation identity hosted services” and gave a good market overview about the offerings.
The new Spring Security SAML modul was released and many developpers tested it against SSOCircle SAML IDP. And there are other very intereting services testing …
So, please stay tuned this year. There are many new things coming this year. We are quite sure that 2010 will see the
breakthrough for “new directions in federation”.
In the recently published report Burton’s Gerry Gebel describes “new directions” in Federation. Not only in the light of new protocols but rather concerning delivery models. Compared with open source or proprietary on-premise software the real new thing are “federation identity hosted services”. The report also includes a comprehensive list of these hosted services with SSOCircle/IDPee as one of them. In fact SSOCircle was one of the first non industry aligned federation hub on the market. Citing Gerry: “This type of service should be useful for ad hoc or permanent arrangements, particularly for industries that do not already have a vertically aligned hub”. One thing to point out is that SSOCircle through its openness as a public idp has proved to be compatible with many services and toolkits. In our opinion a critical criteria when choosing an IdaaS offering. In fact in the last weeks we noticed a lot of interoperability testing on SSOCircle.
Recently Salesforce.com added SAML 2.0 support. We have launched a sample that allows users to single sign on to Salesforce with their exisiting SSOCircle account. The individual account is mapped to a group account (due to our limitation in salesforce users).
Just click on the IDP initiated SSO link and you will be prompted to sign on to SSOCircle (if not already in session).
Great to see is the integration of Google Apps into Salesforce.com. Just click on the sign on link in the chat window and SSOCircle is doing the SSO magic behind the scenes (sure – you need to have a SSOCircle Google Apps account created before)
Salesforce.com is checking for your IP address for additional security. Access from IP addresses not explicitly allowed must be confirmed by the user. If you experience this in the demo, please contact us.
Visit our new SAML 2.0 enabled WordPress blogging system, where we moved all our articles from the former news section. You have to log in with your SSOCircle account to leave a comment. We also added some newsfeeds from interesting blogs on identity. We hope that it will be a usefull source for all identity-minded. The WordPress plugin is a derivation of the simpleSAMLphp plugin of David O’Callaghan. Thanks to him for getting us started.
SSOCircle is now available in German language www.ssocircle.de. We will add more support for more languages as demand grows.
European Identity Conference 2009
Listed in reverse chronological ordering and with focus on SSO, federation and authorization topics.
My conclusions:
A very well organized conference from Kuppinger Cole and partners. Many distinct persons attended, presented and discussed in panel sessions. Visiting the conference is a must as it is the leading identity conference in Europe. Many thanks to Kuppinger Cole for organizing it.
After returning home my personal impression this morning is that I had been traveling to Babylon. I heard many people speaking about GRC ( governance, risk, compliance ), claims and attributes, authorization and externalization of authorization decisions, RBAC and ABAC and XACML, not to mention DABBOPDS (differentiated app behavior based on permission data sharing). Is this the way to go ? In most of the keynotes I visited on GRC the presenters were giving their best to answer what GRC is, especially in the context of IAM. Have we seen a satisfying answer ? In the presentations on Geneva it was always necessary to clarify what “claims” are and how claims differ from attributes, if they differ at all. I noted the best definitions I heard:
I guess we are somehow away from mutual understanding. I’ll be with Tim Cole’s ruminative closing note where he asked: how can the identity challenges be solved for the cloud if today there are so many unanswered questions in the “small” enterprise world. Elaborating it a little bit more, I would say we are giving ourselves a hard fight, if we will not come to a more simple and clear approach. I guess simplicity is key, more then ever.
Looking in more detail on the SSO and federation field. When we started SSOCircle in 2006 we were convinced that the federation protocols finally converged into SAML 2.0 and that it is just a matter of time for the mainstream breakthrough. Basically SSOCircle has always had the ambitious goal to help accelerating the take-off process. Reflecting the last three years we saw OpenID sky rocketing from scratch which had good reasons: simplicity. With OpenID 2.0 we notice this advantage going away and becoming even more complicated as SAML. Now we are facing interesting times with the coming Geneva server which plugs into Active Directory pushing the infocard technology and with Microsoft getting collaborative supporting SAML 2.0. Considering the market share of Active Directory and the very pragmatic approach of Microsoft which keeps a lot of problems unsolved for the moment (thinking of the missing solution of storing infocards for roaming users or that there is no way of combining claims from different infocards) there is a good chance for success. I am comparing this to the discussions around https and shttp protocols in the mid 1990s. Were many people had many reasons that shttp is the better solution for securing web traffic but Netscape pushes https through due to their browser market share at that time and the simplicity http over SSL had and still has. Without https the commercial internet would not be where we are now. I am curious to see the impact the release of Geneva will have. RTM is expected for the second half of 2009. Maybe the European Conference 2010 will be the right moment to make up an early benchmark.
Now you’ll find some comments on some of the sessions I have visited in reverse chronological ordering:
day 4: workshop day
Friday was dedicated to workshops on serveral topics. One of them was on XACML held by Bakak Sadighi and Ludwig Seitz from Axiomatics. A very didactically structured training that started with an introduction on access control lists, capability lists, group based, role based and attribute based access control. Sadighi pointed out the difference between role and group based authentication is “role activation” which means that you can dynamically decide to act in a specific role. They then further dig into the XACML 2.0 standard and the additions XACML 3.0 (currently in draft) will bring, basically the concept of hierarchical administrative policies that help leverage administrative delegation.
day 3
Dipping into the world of Identity Systems and Claims: Vittorio Bertocci from Microsoft, answered the question of the definition of “claims” with: A claim is the answer to a question somebody would ask you to allow you access to a specific task. It can be a privilege or a simple attribute. Ariel Gordon, Microsoft, detailed that after asking him for the difference of a claim and a attribute. He said a claim is a rated attribute. In a presentation of Liam Lynch and Upendra Mardikar described the shift from identity 1.0 to identity 2.0 where in their understanding behavioral checks and reputation play a major role in authentication and authorization. He mentioned that Ebay has to evaluate 20 TByte of logfile a day to do risk analyzes. A “real time” behavioural analyses might ease this problem. He is motivating to participate in cloud security efforts that you can find in cloudsecurity.org.
A panel session moderated by Dave Kearns discussed the topic of authentication beyond passwords: tokens, biometrics and others. These methods have all their pros and cons. From case to case one has to decide on what the value of the protected resource is to justify the method used. A good way would be to have a single sign on solution protected by strong authentication to limit the number of tokens used and to reduce the overall costs, Jackson Shaw of Quest Software mentioned. By the way this is one idea behind SSOCircle. You can find authentication methods from user name/password, X.509 certificates in software or hardware tokens, OTP tokens, Swekey’s and soon the award winning Yubikey. The topic leads to the next panel on context based authentication where Dave Kearns was asking the 6W+1H question of who, what, when, where, which, how and why that may have influence on the decision of authorizing access. As the first six may be answered by technical means there is still the question of why a user is doing a specific action. Another proof that the big questions of IAM cannot only be answered by technical means.
In Tim Cole’s closing note he asked the question: how can the identity challenges be solved in the upcoming cloudy IT be solved if today there are so many unanswered questions in the “small” enterprise world. He is asking who will be the Google in identity context. Google ? A little pity that Google wasn’t present and demonstrated their vision of cloud identity. We are all looking forward to find answers to the open questions. A great conference. Well done Kuppinger Cole & Partners.
day 2
Felix Gaethgens gave an overview on the mess of authorizations and entitlement management today which starts at role based authorization (RBAC) to Attribute based authorization (ABAC) in which XACML ist the most prominent representative. His presentation was the foundation for the succeeding talk and a very interesting panel discussion. It was emphasized that the role based model is to coarse to be applied to all business rules, one example was given: an employee of an insurance company who is also a customer became ill and a colleague of her sitting next in the same office had access to their medical record in her business role as insurance consultant). Their is a need to take context into account to decide whether a person should be authorized to a particular action. This is what leads to a very fine coarse definition of elementary claims/attributes and not to the definitions of uncountable roles by combining all variants of claims to new roles. Another eye-catching aspect is the externalization of entitlement management from within an application to a central system. This is a point all speakers agreed but obviously such an architecture brings up the questions of performance. How can an application performantly work if for a single task the application has to request hundreds of attributes and policies ? This is where things become unclear and unsolved. The same applies to the question how XACML can solve the problem, as it is a policy language but doesn’t solve how to access the policies. There need to be different solutions according to the problem and the audience. There should be a solution for simple internet based web2.0 applications in a very simple say restful way and there must be more sophisticated solutions for environments like financial industries etc. APIs are definitively not the preferred way here. But all participants agreed to that there would be at least an improvement if all vendors would work together and put their applications on the same foundation of a policy language like XACML. Seems like a simple obvious first step. But in reality it seems to be a difficult one.
In his presentation of real life federation deployments Chris Harvison from Scotiabank explained the difficulties they faced on utilizing federation in the Canadian banking sector and how difficult it is to convince service providers to implement federation protocols as these companies do not see this as their core business. He mentioned that only an agreement between the Canadian banks (fortunately there are only 4 chartered banks) finally forced the service providers to do so. The same applies to an effort withing the German automotive industry where companies formed the SESAM project as Wofgang Jodl, BMW, mentioned in his session. Harvision also mentioned how the virtual federation concept of OpenSSO and the Fedlet eased there efforts. Daniel Raskin added that the Fedlet is supported through OpenSSO enterprise support. So if a company with support contract gives out the Fedlet to a partner, the partner can call Sun and receives support. By the way: a SSOCircle Fedlet is soon downloadable from our download site. Beside our CGI and lightbulb samples this is another way to easily integrate with SSOCircle.
Joost van Dijk gave another presentation of a successful deployment: the SURFfederatie project. A Federation service for the Dutch Higher Education. As they formerly developed their own federation protocol A-Select and they didn’t want to limit the federation to a single protocol, they deployed a federation protocol gateway based on Ping Federate. They provide their offering as “identity as a service” which leads to the next panel session on IaaS. Up to this point I was missing participants of Ping. Last year Andre Durand and Patrick Harding were attending but I remember Andre Durand’s words when he was asked how Ping as a niche vendor could survive between all these big players like IBM, Sun, Novell and Oracle, he answered: we will see whether we are still here in 2-3 years. With contentment I noticed Marc LLerandi from Ping Identity was taken part in the IaaS panel session. Actually IaaS is something SSOCircle is pushing since more than a year by introducing IDPee, a hosted IDP. The advantages are obvious: leave the complexity of operating and managing an identity provider to specialized providers and save money and hassle. We will see how this business evolves when people get used of the idea to outsource there identity management. Good luck to all these pioneers.
European Identity Award winners:
day 1
Tuesday morning I am faced with two problems: a long 4 hours drive from Frankfurt to Munich early in the moring and then, after arrival, the decision where to go at the conference. For the first point it might appeal to Kuppinger Cole to change the conference location to Frankfurt. The latter is certainly nothing I can blame Kuppinger Cole for an excellent conference program with many choices.
At the OpenSSO community meeting Daniel Raskin is showing the OpenSSO roadmap. He is emphasizing that OpenSSO is the software that manages enterprise SSO, federation and web services security with one product. This sounds like a message to Oracle and its bundle of point products. But no word on the future of OpenSSO under Oracle’s flag. I guess nobody can say something about the way Oracle is going – or did I miss it ?
OpenSSO is now at express build 7 which brings a new configuration wizard for Google Apps on the task panel of the administration GUI. The task panel is something which will be extended in the next releases. Raskin is mentioning wizards to configure Salesforce.com and SugarCRM. In progress of development are improvements for a better entitlements management. Although OpenSSO has XACML request/response, PDP and PEP functionality it lacks an intuitive management GUI and a scalable policy engine. In one of the next builds a new authentication module will provide one time passwords without the need of a hardware token. OpenSSO will generate OTP through OATH and send out the password by SMS to your mobile. This sounds cheap, but keep in mind that you either will need hardware to send SMS or adopt the module to use an API of a SMS provider. Further development work is done on OAUTH integration into OpenSSO.
SSOCircle introduces a new one time password strong authentication device with USB interface. If you are tired of reading and typing one time passwords from conventional tokens, this is the device for you.
The Swekey is a one time password token that works with a challenge/response. SSOCircle offers two authentication modules: Swekey and Swekey&Pin. Use of an additional pin augments securityi and gives you a higher authentication level compared to Swekey (without pin) and should be used for applications that need stronger protection. Get your Swekey here.
Kuppinger & Cole