SSOCircle

Big Data, life management platforms, extended enterprise++, fusion drive, dead standards and  identity Silo relaunched. European Identity & Cloud Conference 2013 had lots of new and old topics. The 7th EIC was held for the 3rd time in the Dolce Ballhausforum from 14-17th May, gathering many digital identity thought leaders and making Unterschleissheim the Identity capital of Europe or even the World.

As always the conference was well organized in a pleasant environment with a noticeable Bavarian touch. Exhibitors and visitors from 33 countries, 5 parallel tracks and 150 speakers gave insight into new trends in identity, access management and cloud computing. The number of visitors were slightly increasing compared to last year, with end user representing the majority of visitors now.

As usually the conference started with some half day pre-workshops, continued with 2 ½ days of tightly packed conference and an additional workshop day at the end. KuppingerColes team of analysts again was growing with Peter Cummings and Rob Newby, proven experts with practical project implementation experience, joining the team.

As known from previous years the conferences started with a series of keynotes from sponsors, customers and academics. The first keynote delivered by Martin Kuppinger speaking about identity and cloud trends and on “setting the right direction”. The three biggest trends were called the “Computing Troika“, which is made of Cloud Computing, Mobile Computing and Social Computing. Information security receives more perception – it makes it to the 8’o clock news – and is now a business success factor. “Risk” is the common language which aligns IT and business viewpoints. Identity and privacy incidents can massively damage the reputation of a company. For that reason IAM is closer to business than ever. KuppingerCole BII is a business impact indicator for information technology which graphically indicates the value of a particular IAM technology in terms of: business alignment, business enablement, cost savings and compliance fulfillment. The KuppingerCole CIO GPS helps you finding your path in governance, privacy and data protection and security. It shows which technologies are the best for achieving specific targets. Another topic that he discussed was the API Economy also named the Extended Enterprise++, which reveals big potential for business enablement in the extended enterprise ( business partners and customers).

What were the main topics in the conference?

Data Privacy and Protection Laws
Due to Karsten Kinast, an attorney concentrating on data protection and IT law, joining the KuppingerCole analyst team, a stronger focus on legal topics were obvious. Presentations and discussions on EU regulation shaped one track of the conference.

Big Data

Another big topic was Big Data. What is meant by Big Data in the IAM context? There is no exact definition available – something that we already know from the “cloud”. According to a track session of Mike Small and Sachar Paulus it is s.th. like a big datawarehouse based on data that is publicly available. Big Data’s characteristics are

• Volume: according to a IDC report: 2.8 Exabytes of data have been created in 2012
• Velocity: lots of data events
• Variety: can be text, voice, photos, video

Technologies used to deal with Big Data:

• Hadoop: Map/reduce
• Elastic map reduce (amazon)

And to deal with velocity:

• Twitter storm http://storm-project.com
• IBM infosphere streams http://pic.dhe.ibm.com/infocenter/streams/v3r0/index.jsp
• Yahoo S4 http://incubator.apache.org/s4/

And with variety:

• natural language processing
• Graph stores
• XML stores

Why is Big Data handled in the conference? Transforming Big Data to smart data by analyzing and combining creates information and confidentiality problems. Existing access controls cannot be placed because you cannot define protection levels if you don’t know how and what will be processed and analyzed. Smart data becomes relevant as business can benefit from it by improving competitiveness or transforming products.

Life management platforms (LMP)

Life management platforms are the evolution of today’s social networks personal data stores. S.th. that might be the result of the user’s wish to get more control over his data. Something which becomes more prevalent in times were everyone has the feeling that too much of personal data gets collected by the Google’s, Facebooks etc and used for their consumption. In times where a SmartTV is able to track which programs you are viewing and Microsoft is reading your Skype messages checking hyperlinks that were sent, users see a need for a change. But the road to LMP also means a fundamental change in attitude from quick profit to trust.
According to a keynote from Craig Burton: the life management platform is not a product. It is extensible, API enabled with privacy by design (proxy façade). LMP is not a personal data store. LMP is not a social network. It follows the controlled push and informed pull with privacy controls. Controlled push means that a customer only provides controlled partial information of his data to a service which ensures privacy. Informed pull describes the concept where a user requests information from different sources guarantying confidentiality of the data towards competitors of the service. Issues on the success of LMPs arise with the need that vendors must cooperate in sensitive areas – a schema must be defined. According to Burton’s rule of thumb adding an element to a schema needs 1 year. Adding 10 elements lasts 10 years. A possible solution might be the Graph API. Microsoft cloud directory is schema independent.

---

European Identity & Cloud Awards:

One of the highlights of the conference is the Award Ceremony which was introduced with the 2nd conference and was now held for the 6th time. Martin Kuppinger noted that this year a significant number of nomination were available which emphasizes the increasing maturity in some of the IAM areas. He mentioned that a few years ago it was difficult to find successful mature projects.
This year prices in 11 different categories were awarded:

1. Best Identity and Access Management project
Winner: Virgin Media represented by Paul Edmondson from aurionPro SENA: “Infrastructure for the Olympic Games: WiFi for the tube with high numbers of authentications every time a train is entering a station”

2. Best Access Governance and Intelligence Project
Winner Deutsche Bank – represented by Carolin Pfeil: “Manage complex SOD rules in a very large institution”

3. Best access Governance and Intelligence Project II
Swiss Re represented by Daniel Frei: “Dynamic access management, based on DirectoryX and Axiomatics”

4. Best Cloud Security Project
Evry represented by Anne Bergersen: “Multitenant IAM infrastructure in the cloud which brings together a way of identifying customers and citizens in Norway. Based on NetIQ”

5. Best approach on improving governance and mitigating risks
Universtitäts Krankenhaus Hamburg-Eppendorf represented by Juerg Staebler – IBV Informatik AG:
“Privileged account management in health care industry leveraging Liebermann software. Now using one time password instead of plain text passwords. Project implemented in 3 days.”

6. Best innovation /new standard in information security
An obvious choice: OAuth 2.0 – the OAuth standard team represented by Mike Jones, Microsoft “new and influential it feels like it is around for a longer time”

7. Lifetime Achievement Award
Kim Cameron, Microsoft – Evidently being deeply affected by the reward.

8. Special award: Bridging the organizational gap between business and IT
Volkswagen Financial Services represented by Marek Bingel: “Well defining guidelines and processes which enables to move forward”

9. Special Award: Rapid and lean implementation of IAM/IAG
E.ON Global Commodities –represented by Carsten Mielke. “Governance project based on CrossIdeas”

10. Special award: Rapid re-design and re-implementation of the entire IAM
Schindler Informatik AG represented by Reto Tomasini and Gary Edward Stewart: “Identity provisioning infrastructure based on Quest Identity Manager”

11. Special Award integration of Provisioning and Access Governance in a complex banking environment
HypoVereinsbank represented by Ulrich Haumann: “Provisioning combined with Governance of a large number of applications based on Microsoft Forefront Manager”

---

In an interesting panel discussion by Craig Burton, Mike Neuenschwander, Gerry Gebel and Martin Kuppinger on the future of IAM, the panel quickly turned to a discussion on “dead standards”, a topic which became a running gag during the entire conference. Motivated by a blog article of Forrester’s Andras Cser this year’s “dead standard” candidate number one was XACML (as basically all XML based standards). Craig Burton stated that he does not expect to see a product deployment with XACML in its current form. Gerry Gebel retorted that AuthZ is very important and that XACML is working on JSON/REST profiles to move more towards APIs.

The topic on standards and its practical usage was continued in another panel session on the second day by Craig Burton, David Brossard of Axiomatics speaking for XACML, Daren Rolls of SailPoint for SCIM, Paul Madsen, Ping, for SAML and Michael B. Jones, Microsoft for OAuth. Jones pointed out the OAuth 2.0 was designed with simplicity in mind as the 1.0 spec turned out to be too complicated. OAuth 2.0 is designed to use existing security layers like TLS and by being REST-based the developer does not even need a library. Paul Madsen replied that the “S” in SAML does not stand for “simple” like in SCIM but for “security”. SAML sets the bar for the industry. And everything comes with a price – in that case with 800 pages of specification. For security SAML was historically designed to reflect the legal contract between parties. A question on the “liveliness” of AuthZ profiles within SAML was answered, that a few years ago it was recognized that SAML is more suited for authentication and attributes. XACML is the better fit for AuthZ – and that SAML and XACML work good together. David Brossard declined that XACML is losing attraction. He, as a XACML product vendor, is seeing more adoption and the focus is now more on developers and profiles to make XACML simpler. Daren Rolls replied on the question about SCIM versioning not being stable after transferring SCIM to IEFT that SCIM 1.1 can be implemented. A good conclusion was given by Paul Madsen on the question what he would recommend to customers if they were asking for a specific standard: What fits best depends on the use case. SAML is not optimized for mobile. Ping would not push it for mobile. OpenID Connect may be a problem if the partners do not support it. SAML is definitively more widespread (a quick poll in the audience initiated by Pamela Dingle confirmed that). The best measure of the mortality of a standard is the number of deployments. Someone of the audience added, that a measure could also be the open source implementations available. SAML has several, XACML mainly for the 2.0 version, SCIM with UnboundId – but as OAuth a simple REST based protocol does not really need a library implementation.

People like Craig Burton, Fulup Ar Foll and others are always good for some catchy quotations.  I noted some of them:

We need the hacker to stay in business.

If I BYOD, I have the right to install malware.

There are public APIs and DARK APIs.

OAuth and REST are the fusion drive for the API economy.

Banks and operators are too fat, lazy and rich to take the risk to compete with the Facebooks and Googles.

Some links worth mentioning:

Datownia, with an interesting developer use case demonstrating how APIs can be used to enable frictionless integration with Windows Azure AD and the Windows Azure Graph Store by using the Datownia system developed by Release Mobile Ltd.

Dutch authentication and authorization for legal entities: eRecognition

bwIDM: Federation on non web based services like HPC between Universities of the state of Baden-Württemberg. The solution is called FACIUS.

www.trustindigitallife.eu: Consortium focusing on TRUST in digital Life

FIDIS: Future of Identity in the Information Society

AZA – Native Authorization Agent: enabling mobile SSO cross native apps.

Topics I missed :
Not much about Cloud Crypto. New companies in this area were not represented at the conference.

My personal winner at EIC 2013:
OAuth 2.0: fast specification, quick adoption, feels like it has been around for much longer time.

Last but not least: The European Identity & Cloud conference 2014 will be held from 13.-16. May. Guess where? In the identity capital Unterschleissheim. See you there.