SSOCircle

Three days of conference plus a Workshop day packed full with IAM and GRC topics and even more. The KuppingerCole European Identity Conference EIC2010 was a great success. In my opinion the best EIC I have seen, although there were some confusion and unexpected changes that let me miss some of the presentations I was eager to visit. But that can be easily excused looking at the choice and quality of speakers. KuppingerCole again did a very good job in gathering many of the leading heads in Identity Management and GRC. The only thing I missed were people from Google like Eric Sachs, who did a lot in the OAuth and OpenId space the last years.

This year EIC was combined with Cloud 2010 and the “Mittelstandsdialog Informationssicherheit 2010”, the latter was held in German. I have counted the occurrences of the word “cloud” in the presentation and panel topics and compared it to the frequency of the word “identity”.  The result was: cloud vs. identity 36:39. So the conference was still more of an identity conferences than a cloud conference, although my impression was that the most used word was “cloud” and the most seen slide was the one on NIST’s cloud computing definition.  When counting the words, I noticed that there are lots of companies that carry the word “identity” and there was no presenting company with “cloud” in its name.  My bet that this will change next year.

Here are some of my impressions, as always 100% subjective and far from being complete.

4th of May – 1st day. Keynotes first part. Martin Kuppingers Opening
Keynote as usual gave us an overview on the key topics and top trends this year.

The key topics:

• How to make value out of the cloud
• How to deal with privacy
• How to mature to Enterprise GRC
• How to benefit from convergence
• How to optimize your investments
• How to improve information security

The five hot topics in IAM

• User-Centric, privacy, national eID cards
• privileged access management integrated
• versatility and context
• externalization of all 4 A’s
• IAM in enterprise architectures

Five hot topics in GRC

• Closing the loop – from detective to preventive controls
• information governance – beyond access
• extending governance for a hybrid IT
• Enterprise GRC Architectures – bridging the gap between business and IT
• Organizational development for enterprise GRC

Five hot topics in Cloud Computing

• Understanding what’s really in for you in Cloud Computing
• Hybrid Clouds
• Cloud Mesh-Ups, community clouds, industry clouds
• cloud governance – services, risks, security and identity
• cloud resource planning based on service management

The keynotes began with several moments of reflection on non-technical IT topics by presenters like Peter Ligezinzki, CIO of Allianz Investment Bank and Rainer Janssen, CIO od Munich Re. Interesting to note that the first two keynotes were held by customers not vendors or visionaries – my impression was that this year the customer site had much more weight, and this was good. Both speakers did not tell us technology but business or even philosophical lessons. Their presentations titled “It is not enough” and “What business has to learn so that IT can align”.
The next presentation was held by John Hermans, KPMG “Trust in the Cloud”. He mentioned that cloud is really the first business driven shift in computer paradigm, the shift from CAPEX to OPEX. He also mentioned the difficulties that auditors have with auditing cloud providers because of missing standards as SAS70 type II is not applicable to services like Salesforce.

Then Dave Kearns gave an overview of the development of access control from the 70’s til now. From a control by a person sitting at the entrance who knows you, a badge with photo still checked by a real human in the 80’s, a badge with no photo and automatic control by card readers in the 90’s to all the access control technology the 21st century gave us. He described the convergence of data governance and access governance to information governance but pointed out that convergence is not the answer to everything – but worth a try.

After the coffee break Kim Cameron, Microsoft, announced that ADFS 2.0 will be released on 5th of May and gave us an outlook to the next frontier: the federated directory which he named “federated interscalar directory”.

Daren Rolls, SailPoint, described the next generation provisioning which is more business centric: “Learn from BPM more than just workflow”. Provisioning will be model based: “build models – you have to know what you want to achieve, not just build a role model”. The next generation should also be last mile agnostic and should support multiple fulfillment processes. Bridging the business process to the technical process, no matter which provisioning product is used. He also said he wishes to replace the overloaded term “provisioning” with “identity change management process” . These thoughts were present in many talks and underlined that identity management is trying to climb the next level:  farther away from technology and approaching business.

Sabine Erlinghagen from Siemens gave an overview on the opportunity national ID documents have in driving eBusiness applications.

Gerry Gebel, former identity analyst at Burton Group – now president of Axiomatics in the US, vgave interesting thoughts to IAM governance as a Six Sigma oriented business management strategy which aims to improve quality of process output, providing discipline for IT planners and speeds up the decision making process. He also mentioned that with XACML 3.0, a delegation model will be defined that is of particular interest for SaaS applications. XACML 3.0 will be finished later this year. Gebels “architecure anywhere” will be build upon XACML, SAML and STS.

5th of May – 2nd day

Today I followed the tracks “Mitigating Risk” and “Linking IDM & GRC to corporate performance” moderated by John Hermans from KPMG in his special way of challenging the panelists. He was asking questions like “Can you do GRC without IAM” , which was answered with yes, you can do that but manually process can be effective but not efficient, it is a matter of cost. Another question was  “When will the IDM & GRC product vendors be rich ?” Panelists agreed that it depends on  education and on the mandating of law. One speaker quantified the time span to 2 years others to 7 years and more … In most of the presentations on IDM & GRC people agreed that the way to go is a more business process oriented way and not a technically focused.

In the afternoon I visited the track “Authenticaton and Authorization” with presentations of Fulup Ar Foll and Vittorio Bertocci. Two kind of characters you should not miss when visiting EIC. Both talking about “Attribute Centric Identity Architecture” or in Microsoft parlance “Claims based Identity and the Cloud”. Fulup was provoking the audience with statements  like “If the IT were architected correctly you don’t need provisioning software”. What he meant is that a better way would be to deliver user attributes with each request and just deliver as much of information you need for your access. 

One of the highlights of EIC2010 was the a very motivating keynote of André Durand from Ping Identity. I remember his words from EIC2008 when he was asked how Ping as a niche vendor could survive between all these big players like IBM, Sun, Novell and Oracle, he answered: “we will see whether we are still here in 2-3 years”. After he was missing last year at EIC2009, he returned this year and in what a self-confident way with statements like “Our business is eliminating passwords. We will be long in business as there are many passwords” or “Enterprises must stand up for standards” that let http://twitter.com/winemaker twitter “Andre Durand for president”. Beside these strong quotes his presentation  “Identity in the Cloud – Finding Calm in the Storm” pointed out that federation is the solution with saml & openid for Authentication and SSO

• WS-Trust for delegation
• XACML & Oauth for Authorization
• SPML & PoCo for provisioning
• A6 for Audit

Unfortunately I wasn’t able to talk to him as it seems he flew in to deliver his fulminate keynote, celebrate a Ping Party and then flew out.

In the next keynote Dale Olds of Novell described 3 trends:

1. identity-based security is increasing in importance
2. SaaS and IaaS is converging to PaaS
3. cloud provider are getting identity providers (federation hubs)

He also presented a survey that showed the customer demands in SaaS. The survey to the question “which security capabilities customers are asking SaaS providers about” resulted in the top three topics:

• Single Sign On
• Audit tracking in SaaS
• Provisioning of users to SaaS apps

with all three requested by around 50% of respondents.

The last keynote of the day was held by Dirk van Rooy. Head of Sector Trust and Security of the European Commission who presented the programs the EC is working on and planning in the future like the European internet future portal and a digital agenda for Europe, of which a draft can be found through googleing. He also mentioned the European Comission ICT conference 27 September 2010 in Brussels. 

It is really a great achievement of KuppingerCole and a demonstration that they succeeded to put together very interesting speakers not only from the vendor space.

The day finished with the presentation of the Winners of the European Identity Award 2010:

Category: Best Innovation
Shared by Microsoft and IBM for their solutions “U-Prove” and “Idemix” and Wipro Technologies for their IAM appliance solution based on Novell software.

Category: Best Internal Project
Shared by Şekerbank T.A. of Turkey for a solution developed together with Smartsoft and Oracle,
Hannover Municipal Works based on a product supplied by Voelcker Informatik,
Schenker AG in conjunction with IC-Consult and technology from IBM.

Category: Best Project B2C
Shared by University of Washington together with Microsoft,
Catholic University of Leuven for a solution linked to SAP,
Kassenärztliche Vereinigung Bayerns with the help of Devoteam Danet

Category: Best Project B2B
Shared by BMW together with Omada and Microsoft,
Thomson Reuters solution based on Microsoft Identity Foundation,
Finnish State Railways Group with the help of RM5 Software

Category: Best IAM Project in Cloud Computing
Shared by Orange FT Group of France, BasisOne from South Africa and
Piaggio Group

Category: eHealth and eGovernment
University Clinic Munich solution developed with Siemens,
German Ministry of the Interior’s electronic identity card project (“neuer Personal-Ausweis”, or “nPA”).

More on awards http://www.kuppingercole.com/articles/award2010

6th May – 3rd day

The last day started again with very interesting keynotes held by Tim Dunn from CA who presented a world wide survey on cloud computing.  One of the questions 1000 enterprises were asked was about the reasons for migrating IT to the cloud: 70% of the respondents answered “reduced costs”, 57% “faster deployment time” and 56% “increased efficiency”.  The survey also pointed out the difference between European and US customers in their approach to cloud computing: Europeans do more sandbox testing of cloud apps and have more of a controlled preproduction manner. In the US it is more business driven. Customers are finding services almost by accident.  He concluded with “cloud computing is on the hype curve and it will happen fast with or without security. We better hurry and do it WITH security”.

Jackson Shaw from Quest Software presented “The most valid wins of IAM” which are

• Save money, REAL ROI != vendor roi table
• Generate money
• improve efficiency of the majority != IT staff
• improve compliance, anything which reduces the time to audit is good

He developed an IAM Report Score Card:

For me the day continued with tracks on “Roles & Attributes”, “Single Sign On Identity Federation” and “Identity Assurance”. Lots of interesting best practices and customer experience but I should stop writing here as this is a blog and not a book …

Just one additional thing. The conference ended with another provoking keynote by Sachar Paulus. One point of his presentation was his answer to “Cloud – What is in it – for YOU, Personally?”:

• For corporate users: prepare for a big storm
• For vendors: prepare for a much smaller market
• For integrators: prepare for more work to do

Which is good news for the consulting business, isn’t it ? The last word has Tim Cole who did a very excellent moderation. Who counted his and his colleagues takeaways:

• IAM and GRC escaping from technical to business
• ID assurance getting exposure it deserves
• Cloud computing becomes reality
• Cloud changes both business models and technology

7th May – Workshop day.
As usual the week of IAM & GRC ended with a day of workshop

Wrapping up: It is obvious that identity and cloud computing are hot topics that cannot be separated. KuppingerCole European Identity Conference 2010 again was a must for people interested in Identity and Access Management & GRC and Cloud Computing. The conference is a “feed good” conference in very good surroundings. We are looking forward to EIC or better EICC 2011 (European Identity and Cloud Conference) which will held in Munich but not in the Deutsche Museum, since the conference rooms will be closed for renovation.