Impressions from European Identity Conference 2011

English on May 15th, 2011

This year’s European Identity Conference (EIC2011), a fixed star in the digital identity world, took place in Munich, Germany, from 10.-12. May, with a supplemental workshop day on the 13th. As last year, the conference also hosted Cloud 2011. In terms of venue the conference made a leap into the future, from the venerable Deutsches Museum to the Dolce Ballhaus-Forum, a modern hotel and conference center north of Munich. Needless to say, the conference was well organized by KuppingerCole, which also introduced new supplemental offerings like the World Cafe unconference and a crash course in international privacy and IT security law.

Before diving into details, my overall impression was that the identity community is finally reaching a state of reflection. Compared to last year, where I experienced a more enthusiastic atmosphere and more enthusiastic speakers, the 2011 conference was strongly influenced by academics and organizations. Keynote topics like “where will identity be next year” and personal changes like that of Kim Cameron, who recently left Microsoft and thereby inspired Jackson Shaw to present a retrospect, bolstered this thoughtfulness.

In addition, the human part of identity is coming more and more into consideration. At EIC2011 we had the chance to listen to speakers like Emilio Mordini, a psychoanalyst and founding director of the Centre of Science, Society and Citizenship, or Stephan Humer, a sociologist from Berlin University of Arts, whose presentations demonstrated that sociological aspects play a very important role in the acceptance and success of digital identity and internet security.

We have finally reached the social human being and not only the user account. The identity acceptance development cycle, shown below, demonstrates these iterations, which might lead to new rethinking and new specifications.

This is a great achievement. In other areas it seems we are not at that point yet. Look at the evolution of OpenID, which is finally approaching a new level with OpenID Connect: it reinvents the wheel that SAML 2.0 already built, but with less complexity, replacing SOAP and XML security with REST and JSON. To me that looks like taking the first shortcut in the identity acceptance development cycle, caused by missing implementation acceptance, at least in the consumer identity space. Listening to Barbara Mandl from Daimler revealed that there are also several instances of shortcut 2, caused by business rather than technical reasons. In summary, there is still a lot to do for the identity community: although most technologies are mature, digital identity in a social world is very complex and subject to change.

In my eyes the most dynamic fields are:

  • OpenID Connect
  • OAuth 2.0
  • XACML 3.0
  • SCIM

as well as the integration of mobile devices as a whole and the formation and establishment of Trust Frameworks.

But let me continue with details of the conference in chronological order. As always this is subjective, shaped by my interests and by the selection of presentations I visited.

Day 1:

Preconferences:

The conference started, similar to the years before, with a set of preconferences. One of these was an update and overview of OpenID, staffed with Eric Sachs, Google; David Recordon, Facebook; John Bradley, Nat Sakimura and Don Thibeau, OpenID Foundation; and Mike Jones and Anthony Nadalin, Microsoft. The upcoming version of OpenID is expected for IIW in November and will be named OpenID Connect; the “AB” for artifact binding will be removed from the name. Its goal is to make “easy things easy and harder things possible”. Its design is modular, with a focus on integrating mobile devices. It will replace the 3.5-year-old OpenID 2.0 spec and will introduce some advanced concepts known from the SAML spec, like a level of assurance similar to the SAML authentication context, and session management, like single logout, but less ambitious than the one known from SAML 2.0. OpenID Connect is based on OAuth 2.0, which itself will be finalized in the next months.

Announcements:

In a press conference Drummond Reed, known from his work on XRI, XDI, Information Card, OIX and the OpenID Foundation, launched a new start-up called connect.me. Connect.me is the first personal respect trust network, in which you can vouch/vote for a person in a specific respect. By joining the network, people agree to 5 principles called promise, permission, protection, portability and proof. Connect.me is not a new social network but constitutes a layer above other social networks. By vouching for a person at http://vote.connect.me you are giving that person “trust points” for a specific respect. For me this is comparable to the seller rating on eBay. I am curious to see how this will develop and whether we will all get personal ratings in the near future. I expect that in next year’s EIC agenda the rating will be mentioned right behind the speaker’s name. We will see if leaving Microsoft changes Kim Cameron’s rating from AAA to AAA+ or AAA-.

Keynotes:

As usual, Martin Kuppinger gave the opening notes with an overview of the hottest topics, which are:

  • Cloud Computing
  • Information Security
  • Business-driven service management (far more than ITIL)
  • Make BYOD secure

BYOD stands for “bring your own device” and reflects that many employees nowadays want to use their own private devices (iPad, iPhone etc.) for business. This poses a new threat to corporate security.

Cloud: In cloud computing more standards will evolve, and there will be no success without security. Recent security breaches like those at SONY or Amazon create a new awareness among users, company CIOs and politicians that accelerates this development.

GRC: continuing progress towards one GRC for business and IT. Regulatory pressure will reach other industries.

IAM: PxM, privileged x=(Access, Account, Identity, User) Management, is the important topic in 2011. Externalization of authorization is becoming reality and versatile authentication will become more widespread; the RSA breach is one of the reasons.

Mobile:

BYOD is a new phenomenon, and the built-in security of these devices is not sufficient. Kuppinger compared the security of mobile devices to the security standard of PCs in the 80s.

CIO key topics in 2011 will be:

  • How to make the cloud part of the IT
  • How to enforce privacy and protect data (SONY)
  • How to reach enterprise GRC maturity
  • How to reach governance
  • How to optimize investments and close gaps
  • How to improve information security

First day keynotes on “the future of identity” continued with presentations by Laurent Liscia, executive director of OASIS, Wolfgang Hirsch of Siemens IT Solutions, and Maurizio Griva of Reply. Kim Cameron’s keynote was canceled and replaced by an interview in which Tim Cole eagerly tried to get information about Cameron’s real reasons for leaving Microsoft. Was it Microsoft’s recent strategy? No answer from Cameron except a comment expressing his feelings: “hey man, I am feeling so free”. Jackson Shaw’s (Quest Software) keynote, directly influenced by Cameron’s “retirement”, gave a retrospective of the development of identity from 1991, 1996 and 1999, and a forecast of how it may look 10 years from now, illustrated with photos of Cameron and himself, as they were close fellows all these years. Shaw said that the start-up companies he is watching right now are Oka, Biznet3, SecureAuth and Symplified.

Prof. Reinhard Posch, CIO for the Austrian Government, presented on eID cards and the cloud, and Jörg Asma from KPMG gave his view on future hot topics: Facebook as an identity manager and application host; cloud computing driven by the use of devices like the iPad; and BYOD, the use of private devices for business purposes. Interesting was his statement from HR on attracting new talent: today you don’t need a fancy car to attract new hires, but cool lifestyle devices like the iPad or iPhone.

Day 2:

The day started with three keynotes: Dave Kearns on integrated identity management; Rolf von Rössing, VP of ISACA (http://isaca.org), an independent, nonprofit, global association that engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems, with framework examples such as COBIT 5 (bringing the GRC frameworks to the public), Risk IT, Val IT and BMIS; and Professor Eberhard von Faber, who presented forward strategies to protect corporate data in the cloud. Encryption is important to protect data in the cloud but has its limitations in server-side batch processing, for example in BI systems.

Alternatives are homomorphic encryption, not now but maybe in 10 years, or pseudonymisation, which can solve some of the problems. [Remark: fully homomorphic encryption is an encryption scheme in which a service provider can operate (add, multiply) on the encrypted data without being able to decrypt it. That means a cloud service can work on data without knowing it.] Other means to secure the data are database encryption and database activity monitoring. Access restriction only protects from the outside; most service providers lack protection against insider attacks. Limiting access to data (e.g. by terminal server, or by not having full access to “data files”) and EDRM (enterprise digital rights management), as well as VPN against eavesdropping and protection against access to data by other tenants, are important. Securing the cloud isn’t easy, and it still needs to be easy to use. User awareness, control and monitoring are key for successful cloud deployments.

Breakout:

The conference offered four parallel tracks, from which I selected the Directory & Federation track. Martin Kuppinger gave an introduction with the statement: you cannot build federation, which relies on data quality, if you do not have your directory in order. Federated directories are a solution to that problem, as a single directory does not work due to complexity and privacy. Here virtual directories or cloud directories come into play; use cases for the latter are authentication of customers, directories for specific applications, or the migration of in-house directories to the cloud. Kuppinger expects directories in 2020 to be similar to what they are today.

I was surprised to see an overcrowded room when visiting “How to authenticate for the cloud”, a panel discussion led by Sebastian Rohr with Judith Little, CloudID; Mark O’Neill, Vordel; Travis Spencer, Ping; and Tom Stewart, SecureAuth. The better way to do authentication to the cloud is to authenticate internally and then federate to the outside. This will increase adoption, as too many different methods lack user acceptance. Authorization to the cloud is still difficult to handle, as mainly proprietary methods are used.

“Federation lessons learned” with Matthew Gardiner, CA & Kantara, Nishant Kaushik, Oracle, and Travis Spencer, Ping, concluded that federation is now mainstream. The success of Facebook Connect demonstrates that federation still profits from the federated SSO use cases, but that reinventing it over and over with new technology is problematic. A business sponsor and an aligned strategy are needed. One question asked by Mike Small was whether there is a reason not to use federation. Spencer answered that there is no reason, except for some use cases for mobile devices with limited capability, which can be overcome by OAuth or WS-*. Cloud business is becoming a major driver for federation, which does not stop at SSO: provisioning, authorization and audit are getting more and more important.

Cloud standards adoption track: in the absence of Liam Lynch, eBay, Mike Small gave an introduction to the topic, analyzing the risks in cloud computing. He started with the risk of vendor lock-in, which is more prevalent with SaaS than with PaaS or IaaS. Other risks are “Legal risk: contract” (we need a trusted standard for a provider contract); “Loss of governance” (standards for provider certification and auditing are required); “Privacy legislation” (a standard for how well a provider meets privacy laws); “Impersonation” (is user name/password sufficient?); “Insider abuse of privilege”; “Management interface”; “Ineffective data deletion”; and “Poor authorization model”.

Mike Small also pointed out that current cloud provider assurance frameworks are far too complex, with 148 control points. He introduced a star rating method scoring the major controls, reducing the list to 5 basic and 11 risk factors.

In the evening Kuppinger and Cole presented the annual European Identity Awards in several categories:

  • Cloud provider offerings
    • WSO2: multi-tenant identity as a cloud service with OpenID and XACML support, built on open source
  • On premise to cloud migrations
    • NHS Trust/ King’s College London: Secure infrastructures for researchers
  • Identity and Access Management
    • BrokerGate: Secure federation broker for insurance brokers to manage federations instead of managing all users
  • Integrated identity & access management
    • Telefonica O2 Czech Republic: successful deployment of a large-scale IAM implementation covering provisioning, SSO, audit, efficient application on-boarding and more
  • GRC
    • BT managed fraud reduction service: shared service providing real-time assessment of online transactions and analyzing fraud
  • Privacy
    • Qiy: Innovative approaches to manage the personal identity in the internet
    • connect.me: recommendation network
  • Identity related e-government project
    • Postecom CECPAC: certified, free email platform open to all Italian citizens for their communications with public administrations
    • Finland: Tunnistus.fi/KATSO: government to citizen/business services established in Finland now used by more than 70% of the Finnish companies
  • Influential standardization efforts
    • XACML 3.0: standard driving the externalization of security out of applications for centralized management and control
  • Special award entitlement management
    • State of California: tax service based on external authentication and authorization using XACML 3.0

Day 3:

Three keynotes, from Niels von der Hude, Beta Systems; Emilio Mordini, CEO of the Centre for Science, Society and Citizenship; and Barbara Mandl from Daimler.

Mordini, a psychoanalyst, presented on secrecy in the post-WikiLeaks era. He elaborated on the meaning of secrecy: something hidden, kept separate from other things, invisible or unspoken. He asked the question: do we still need secrecy in the modern information society? His answer: we need both secrecy and publicity, and he compared that to life in a small village, where everybody knows where you are, who you are and what you are doing. But people do that with discretion: they pretend not to know the information. He concluded that ICT should address access rights, but that strong data protection and security are often useless. True power is not to remember and to be remembered, but to forget and to be forgotten.

Back to reality: Barbara Mandl pointed towards the real problems a global corporation is confronted with. Data protection requirements in Germany, the US and Japan are totally different. For example, in Japan the works council supports storing and evaluating log-in and log-out times in Active Directory. Federation itself is not a solution as a whole. Contracts with every supplier and contracts for special applications pose challenges to legal departments, both on the Daimler and on the supplier side.

She also pointed out that some things work perfectly in the private space (e.g. security awareness in private online banking), because people are protecting their own belongings. But the same people do not care about these things at work.

Legal track:

EIC offered a three-hour crash course on international privacy and IT security law for IT professionals, which compared the data protection legislation in the EU, the US and China and gave an introduction to the European legal requirements for data protection, IT security, encryption and audit. I remember a tweet saying: “It seems like two words can dissolve all the reputedly strong EU privacy & data security protections: contract or consent”. And that is exactly the point: opt-in rather than opt-out.

In another track on privacy, Stephan Humer, Berlin University of Arts, presented on the sociological aspects of eID cards: technical people are problem-centered; normal people are not necessarily, they might act chaotically …

A talk from Maarten Wegdam, Novay, and a panel discussion analyzed topics like “Consumer and citizen identities: governmental issued or trust frameworks?” and “Identity assurance frameworks are now upon us. But what are they good for?”.

In the best practice track the winner of the EIC award, “BrokerGate”, reported on their project setting up a SAML identity provider service for 10,000 brokers and 20 insurers (final goal) in Switzerland with versatile authentication methods. In a final presentation Vassilia Orfanou from EUReID, the pan-European network of eID practitioners, introduced the platform to consolidate documents and information and to support networking and the exchange of information related to eID projects in Europe: http://ePractice.eu.

Final words: a very successful conference, and thanks to KuppingerCole for a perfect organization and composition of interesting topics. For interested readers: the European Identity Conference 2012 will be held on 17-20. April. So the fixed star has moved a little bit.


Service-now.com: On Demand IT Service Management supports SAML 2.0

English on November 29th, 2010

ITIL v3 + Web 2.0 + SaaS = Service-now.com. A pioneer of On Demand IT Service Management, Service-now.com combines ITIL v3 guidelines with Web 2.0 technology into a Software as a Service offering.
As we have seen in many cases, customers of SaaS providers are increasingly asking for identity and access management features, for convenience and security. To meet these requirements Service-now.com added SAML v2 support to their Spring 2010 release. This is in line with what we have seen at other important SaaS players like Salesforce.com, who added SAML 1.1 support in the Summer 2008 release and SAML 2.0 later. It demonstrates once more that SAML 2.0 is a must-have in the enterprise SaaS world.

If you go to wiki.service-now.com you’ll find an article on “Embedded:SAML 2.0”, the functionality added by the SAML 2.0 Single Sign-On plugin. The article explains in detail how to configure Service-now.com to use SAML authentication and outlines the Single Sign-On and Single Logout request flows in sequence diagrams.

Service-now.com uses SSOCircle as the sample Identity Provider. One more time a service provider is using our free SAML 2.0 identity provider service as its test platform of choice, ensuring that their service is compatible and runs out of the box with SSOCircle.

Citing from the wiki, the next release of Service-now will support deep linking with SAML 2.0 and processing of signed SAML requests.
Looking forward to more to come …


Single Sign On to the Game Portal Spellenmug

English on September 30th, 2010

The board game portal www.spellenmug.nl offers several options for single sign-on. Most of them are OpenID based. Only one leverages SAML v2: the only free, open and public SAML v2 Identity Provider, SSOCircle.

The SSOCircle IDP now has more than 250 integrated SAML v2 service providers in its SSOCircle of trust. Although many of them are development and testing applications and some do not allow us to use them as a reference, we believe that this is one of the largest and most active circles of its kind.


Market Profile Identity Management 2010

English on August 4th, 2010

Burton Group, acquired by Gartner, Inc., recently published their IdM Market Profile report “Identity Management 2010”. A very interesting report that not only describes the current market but also outlines the changes and future trends IdM is or will be going through.

As there is still a lack of clarity on what we generally understand by “IdM market”, Burton Group’s report starts with a definition of what the “IdM” market is composed of:

  • Active Directory Bridge
  • Directory services
  • Enterprise single sign-on (ESSO)
  • Federation
  • Fine-grained authorization
  • Identity and access governance
  • Identity assurance
  • Privileged account management (PAM)
  • Provisioning
  • Stronger authentications
  • Web access management

IdM is now a wide portfolio and not, as some people may still think, only account provisioning software. When it comes to delivery options for software, Burton Group stated that new options are becoming more commoditized. Citing from the report: “Vendors have begun to become more creative in their delivery of product to customers. Vendors have begun to offer:

  • Subscription licenses
  • Appliance (both physical and virtual) delivery options
  • Software as a service or hosted delivery options”

and, important to mention from our perspective:

“A few vendors have begun to focus on the problems of using identity services from the cloud as well as identity services to and in the cloud.”

Burton’s conclusion:
“The growing identity management market is vibrant. Constantly consolidating yet never consolidated, the IdM market is mature, but that maturity is unevenly spread across the market’s sub-markets. New entrants and approaches have continued to appear, and a number of them are focused on the emerging problems that the cloud poses from an identity perspective. …”

One part in “Burton Group’s Opinion” is exactly what we experience in real life projects:
“Although enterprises have expressed to Burton Group that their needs have outgrown the most mature parts of the IdM market, Burton Group has observed fantastic growth in those same market segments. This indicates that even though architects and identity teams can be fascinated with newer, shinier technologies, their enterprises still have basic identity needs such as user provisioning and WAM.”

When describing the market landscape, Burton Group describes what SSOCircle has been advocating for a while as a very important aspect: IdM is increasingly seen as, and preparing itself for, working in concert with other markets, namely:

  • Business process management (BPM)
  • Data leakage prevention (DLP)
  • Risk management
  • Security information and event management (SIEM)
  • Service management

Read the detailed report at http://www.burtongroup.com/Research/PublicDocument.aspx?cid=1990


frrry is using SSOCircle as Identity Provider

English on July 11th, 2010

Ferry Meewisse, a Dutch bag designer who runs the web site frrry.com (bags & fashion accessories), is using SSOCircle as a login option for partners and employees.

Besides Google, Yahoo!, MySpace.com, myOpenID and generic OpenID, they have the option to log in via SSOCircle and leverage several strong authentication options like X.509 certificates, USB tokens and OTP options like Yubikey or Swekey.


Impressions from European Identity Conference 2010

English on May 16th, 2010

Three days of conference plus a workshop day, packed full with IAM and GRC topics and even more. The KuppingerCole European Identity Conference EIC2010 was a great success. In my opinion the best EIC I have seen, although there was some confusion and there were unexpected changes that made me miss some of the presentations I was eager to visit. But that can be easily excused looking at the choice and quality of speakers. KuppingerCole again did a very good job in gathering many of the leading heads in Identity Management and GRC. The only thing I missed were people from Google like Eric Sachs, who did a lot in the OAuth and OpenID space in the last years.

This year EIC was combined with Cloud 2010 and the “Mittelstandsdialog Informationssicherheit 2010”, the latter held in German. I counted the occurrences of the word “cloud” in the presentation and panel topics and compared it to the frequency of the word “identity”. The result was: cloud vs. identity 36:39. So the conference was still more of an identity conference than a cloud conference, although my impression was that the most used word was “cloud” and the most seen slide was the one on NIST’s cloud computing definition. When counting the words, I noticed that there are lots of companies that carry the word “identity” in their name, and there was no presenting company with “cloud” in its name. My bet is that this will change next year.

Here are some of my impressions, as always 100% subjective and far from being complete.

4th of May – 1st day. Keynotes, first part. Martin Kuppinger’s opening keynote as usual gave us an overview of the key topics and top trends this year.

The key topics:

  • How to make value out of the cloud
  • How to deal with privacy
  • How to mature to Enterprise GRC
  • How to benefit from convergence
  • How to optimize your investments
  • How to improve information security


The five hot topics in IAM:

  • User-Centric, privacy, national eID cards
  • privileged access management integrated
  • versatility and context
  • externalization of all 4 A’s
  • IAM in enterprise architectures


Five hot topics in GRC:

  • Closing the loop – from detective to preventive controls
  • information governance – beyond access
  • extending governance for a hybrid IT
  • Enterprise GRC Architectures – bridging the gap between business and IT
  • Organizational development for enterprise GRC


Five hot topics in Cloud Computing:

  • Understanding what’s really in it for you in Cloud Computing
  • Hybrid Clouds
  • Cloud Mesh-Ups, community clouds, industry clouds
  • cloud governance – services, risks, security and identity
  • cloud resource planning based on service management

The keynotes began with several moments of reflection on non-technical IT topics by presenters like Peter Ligezinzki, CIO of Allianz Investment Bank, and Rainer Janssen, CIO of Munich Re. Interesting to note that the first two keynotes were held by customers, not vendors or visionaries; my impression was that this year the customer side had much more weight, and this was good. Both speakers did not teach us technology but business or even philosophical lessons. Their presentations were titled “It is not enough” and “What business has to learn so that IT can align”.
The next presentation was held by John Hermans, KPMG: “Trust in the Cloud”. He mentioned that the cloud is really the first business-driven shift in computing paradigm, the shift from CAPEX to OPEX. He also mentioned the difficulties auditors have with auditing cloud providers because of missing standards, as SAS70 Type II is not applicable to services like Salesforce.

Then Dave Kearns gave an overview of the development of access control from the 70s till now: from control by a person sitting at the entrance who knows you, to a badge with photo still checked by a real human in the 80s, to a badge with no photo and automatic control by card readers in the 90s, to all the access control technology the 21st century gave us. He described the convergence of data governance and access governance into information governance, but pointed out that convergence is not the answer to everything; still, it is worth a try.

After the coffee break Kim Cameron, Microsoft, announced that ADFS 2.0 would be released on the 5th of May and gave us an outlook on the next frontier: the federated directory, which he named the “federated interscalar directory”.

Darran Rolls, SailPoint, described the next generation of provisioning, which is more business-centric: “Learn from BPM more than just workflow”. Provisioning will be model based: “build models – you have to know what you want to achieve, not just build a role model”. The next generation should also be last-mile agnostic and should support multiple fulfillment processes, bridging the business process to the technical process, no matter which provisioning product is used. He also said he wishes to replace the overloaded term “provisioning” with “identity change management process”. These thoughts were present in many talks and underlined that identity management is trying to climb to the next level: farther away from technology and closer to business.

Sabine Erlinghagen from Siemens gave an overview of the opportunity national ID documents have in driving eBusiness applications.

Gerry Gebel, former identity analyst at Burton Group and now president of Axiomatics in the US, gave interesting thoughts on IAM governance as a Six Sigma oriented business management strategy, which aims to improve the quality of process output, provides discipline for IT planners and speeds up the decision-making process. He also mentioned that with XACML 3.0 a delegation model will be defined that is of particular interest for SaaS applications. XACML 3.0 will be finished later this year. Gebel’s “architecture anywhere” will be built upon XACML, SAML and STS.

5th of May – 2nd day

Today I followed the tracks “Mitigating Risk” and “Linking IDM & GRC to corporate performance”, moderated by John Hermans from KPMG in his special way of challenging the panelists. He was asking questions like “Can you do GRC without IAM?”, which was answered with: yes, you can do that, but manual processes can be effective, not efficient; it is a matter of cost. Another question was “When will the IDM & GRC product vendors be rich?” Panelists agreed that it depends on education and on the mandating of law. One speaker quantified the time span to 2 years, others to 7 years and more … In most of the presentations on IDM & GRC people agreed that the way to go is a more business-process-oriented one, not a technically focused one.

In the afternoon I visited the track “Authentication and Authorization” with presentations by Fulup Ar Foll and Vittorio Bertocci, two kinds of characters you should not miss when visiting EIC. Both talked about “Attribute Centric Identity Architecture”, or in Microsoft parlance “Claims based Identity and the Cloud”. Fulup provoked the audience with statements like “If the IT were architected correctly you wouldn’t need provisioning software”. What he meant is that a better way would be to deliver user attributes with each request, and to deliver only as much information as you need for the access decision.

One of the highlights of EIC2010 was the very motivating keynote of André Durand from Ping Identity. I remember his words from EIC2008 when he was asked how Ping as a niche vendor could survive between all these big players like IBM, Sun, Novell and Oracle; he answered: “we will see whether we are still here in 2-3 years”. After missing last year’s EIC2009, he returned this year, and in what a self-confident way, with statements like “Our business is eliminating passwords. We will be long in business as there are many passwords” or “Enterprises must stand up for standards”, which made http://twitter.com/winemaker tweet “Andre Durand for president”. Beside these strong quotes, his presentation “Identity in the Cloud – Finding Calm in the Storm” pointed out that federation is the solution, with:

  • SAML & OpenID for authentication and SSO
  • WS-Trust for delegation
  • XACML & OAuth for authorization
  • SPML & PoCo for provisioning
  • A6 for audit

Unfortunately I wasn’t able to talk to him, as it seems he flew in to deliver his fulminant keynote, celebrate a Ping party and then flew out.

In the next keynote Dale Olds of Novell described 3 trends:

1. identity-based security is increasing in importance
2. SaaS and IaaS are converging to PaaS
3. cloud providers are becoming identity providers (federation hubs)

He also presented a survey that showed customer demands in SaaS. The survey question “which security capabilities are customers asking SaaS providers about” resulted in the top three topics:

  • Single Sign On
  • Audit tracking in SaaS
  • Provisioning of users to SaaS apps

with all three requested by around 50% of respondents.

The last keynote of the day was held by Dirk van Rooy, Head of Sector Trust and Security of the European Commission, who presented the programs the EC is working on and planning for the future, like the European internet future portal and a digital agenda for Europe, of which a draft can be found through googling. He also mentioned the European Commission ICT conference on 27 September 2010 in Brussels.

It is really a great achievement of KuppingerCole and a demonstration that they succeeded in putting together very interesting speakers, not only from the vendor space.

The day finished with the presentation of the Winners of the European Identity Award 2010:

Category: Best Innovation
Shared by Microsoft and IBM for their solutions “U-Prove” and “Idemix” and Wipro Technologies for their IAM appliance solution based on Novell software.

Category: Best Internal Project
Shared by Şekerbank T.A. of Turkey for a solution developed together with Smartsoft and Oracle,
Hannover Municipal Works based on a product supplied by Voelcker Informatik,
Schenker AG in conjunction with IC-Consult and technology from IBM.

Category: Best Project B2C
Shared by University of Washington together with Microsoft,
Catholic University of Leuven for a solution linked to SAP,
Kassenärztliche Vereinigung Bayerns with the help of Devoteam Danet

Category: Best Project B2B
Shared by BMW together with Omada and Microsoft,
Thomson Reuters solution based on Microsoft Identity Foundation,
Finnish State Railways Group with the help of RM5 Software

Category: Best IAM Project in Cloud Computing
Shared by Orange FT Group of France, BasisOne from South Africa and
Piaggio Group

Category: eHealth and eGovernment
University Clinic Munich solution developed with Siemens,
German Ministry of the Interior’s electronic identity card project (“neuer Personal-Ausweis”, or “nPA”).

More on awards http://www.kuppingercole.com/articles/award2010

6th May – 3rd day

The last day started again with very interesting keynotes, the first held by Tim Dunn from CA who presented a worldwide survey on cloud computing. One of the questions 1000 enterprises were asked was about the reasons for migrating IT to the cloud: 70% of the respondents answered “reduced costs”, 57% “faster deployment time” and 56% “increased efficiency”. The survey also pointed out the difference between European and US customers in their approach to cloud computing: Europeans do more sandbox testing of cloud apps and have more of a controlled preproduction manner, whereas in the US it is more business driven and customers are finding services almost by accident. He concluded with “cloud computing is on the hype curve and it will happen fast with or without security. We better hurry and do it WITH security”.

Jackson Shaw from Quest Software presented “The most valid wins of IAM”, which are:

  • Save money: real ROI, not the vendor’s ROI table
  • Generate money
  • Improve efficiency for the majority of users, not just the IT staff
  • Improve compliance: anything which reduces the time to audit is good

He developed an IAM Report Score Card (area, grade, comment):

Password sync, self service: A
Web SSO: A. Needs to work smarter; it is a business enabler; vendor lock-in, proprietary authz, federation?
Consolidation: B+. Consolidate into a central directory like AD, true SSO.
Strong auth: B. Not paying attention.
Federation: C+. Shows promise, still a long way to go; why buy if ADFS is free?
Provisioning: C+. Needs improvement; his opinion: still 1.0? Not so good in complicated scenarios and high costs for implementation; just-in-time provisioning needed, still lacking in that area.
Privileged account management: C. Good in Unix (starts with sudo), becoming mainstream because of the GRC play; cloud makes it difficult; what to do with scripts and apps with passwords inside?
Entitlements, authorization, RBAC, IT-GRC: incomplete

For me the day continued with tracks on “Roles & Attributes”, “Single Sign On Identity Federation” and “Identity Assurance”. Lots of interesting best practices and customer experience but I should stop writing here as this is a blog and not a book …

Just one additional thing. The conference ended with another provoking keynote by Sachar Paulus. One point of his presentation was his answer to “Cloud – What is in it – for YOU, Personally?”:

  • For corporate users: prepare for a big storm
  • For vendors: prepare for a much smaller market
  • For integrators: prepare for more work to do

Which is good news for the consulting business, isn’t it? The last word went to Tim Cole, who did an excellent job moderating and counted his and his colleagues’ takeaways:

  • IAM and GRC escaping from technical to business
  • ID assurance getting exposure it deserves
  • Cloud computing becomes reality
  • Cloud changes both business models and technology

7th May – Workshop day
As usual the week of IAM & GRC ended with a day of workshops.

Wrapping up: it is obvious that identity and cloud computing are hot topics that cannot be separated. KuppingerCole’s European Identity Conference 2010 again was a must for people interested in Identity and Access Management, GRC and Cloud Computing. The conference is a “feel good” conference in very good surroundings. We are looking forward to EIC, or better EICC 2011 (European Identity and Cloud Conference), which will be held in Munich but not in the Deutsche Museum, since the conference rooms will be closed for renovation.


Integrate your Seam application with SSOCircle

English on March 22nd, 2010 No Comments

As part of the PicketLink project Marcel Kolsteren, Seam Integration Lead, developed a module that allows developers to easily connect their Seam application to external identity providers. The module supports SAML and OpenID. It also ships with an out-of-the-box integration with SSOCircle: you will find a preconfigured saml-entities.xml file which includes the metadata for the SSOCircle public IDP.

In his article External authentication example using SSOCircle he describes how to deploy the application, log in via SSOCircle – either by choosing the IDP explicitly (see screenshot) or by automatic redirection – and log out – either by local logout (only from the Seam application) or by global logout (destroying the local session and the session at the SSOCircle IDP).
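The difference between local and global logout described above, as an added example (not PicketLink’s or the Seam module’s code): a minimal Python model of a SAML 2.0 service provider whose global logout sends a LogoutRequest to the IdP over the HTTP-Redirect binding, while local logout only drops the SP session. The entity IDs and SLO URL are placeholders rather than SSOCircle’s metadata values, and the redirect-binding signature is left out.

```python
"""Local vs. global logout for a SAML 2.0 service provider (added example, not
PicketLink or Seam code). local_logout() only drops the SP session; global_logout()
also builds the samlp:LogoutRequest the SP sends to the IdP's single-logout
endpoint over the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode). Entity
IDs and the SLO URL are placeholders, not SSOCircle's real metadata values; the
SigAlg/Signature query parameters of a signed request are omitted."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
IDP_SLO_URL = "https://idp.example.test/slo"   # placeholder IdP SLO endpoint
SP_ENTITY_ID = "https://sp.example.test/seam"  # placeholder SP entityID

def local_logout(sessions, sid):
    """Local logout: only the SP session ends. The IdP session survives, so a
    later SP-initiated login may complete without any credential prompt."""
    return sessions.pop(sid, None) is not None

def build_logout_request(name_id, session_index):
    """Unsigned samlp:LogoutRequest naming the IdP session to terminate."""
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "Destination": IDP_SLO_URL,
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(root, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")

def global_logout(sessions, sid):
    """Global logout: drop the SP session and return the IdP redirect URL, or None."""
    sess = sessions.pop(sid, None)
    if sess is None:
        return None
    xml = build_logout_request(sess["name_id"], sess["session_index"])
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    raw = comp.compress(xml.encode()) + comp.flush()
    return IDP_SLO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(raw).decode()})

def decode_saml_request(url):
    """Inverse of the redirect binding: the fields the IdP side would act on."""
    query = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode()
    root = ET.fromstring(xml)
    return {"name_id": root.findtext(f"{{{SAML}}}NameID"),
            "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex")}
```

After a local logout the IdP session is still valid, so a following SP-initiated login may complete silently; only the global logout ends the session at the IdP as well.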

Please note: if you need a private IDP to integrate with, check out our white label hosted IDP offering called IDPee. The private IDP has its own user database, can be customized to your branding and can be configured for several strong authentication methods. For more information:  /en/portfolio/idpee-plans/

We liked the comment he sent to us during his test work:
“I’m glad that SSOCircle exists … it’s very handy for developers and good promotion for SAML in general!  For OpenID it’s very easy to find lots of free identity providers in the cloud, but for SAMLv2 SSOCircle seems to be unique.”

About PicketLink (Quote from http://www.jboss.org/picketlink )

PicketLink is an umbrella project that aims to address different Identity Management needs. PicketLink is an important project under the security offerings from JBoss and includes the following components:

  • IDM: Provide an object model for managing Identities (Users/Groups/Roles) and associated behavior using different identity store backends like LDAP and RDBMS.
  • Federated Identity:  Support SAMLv2, WS-Trust and OpenID.
  • AuthZ: Developer friendly authorization framework
  • XACML:  Oasis XACMLv2 implementation.
  • Negotiation: Provide SPNego/Kerberos based Desktop SSO.


SSOCircle celebrates its 3rd anniversary

English on January 28th, 2010 No Comments

It is already 3 years ago that SSOCircle, the free public multi-protocol IDP, went into production. What happened in the past year? We added new devices to our strong authentication options: the Yubikey and the Swekey, two new innovative OTP tokens. Users do not need to type in the one-time passwords: in the case of the Yubikey you just have to push a button, and in the case of the Swekey the password is read by a tiny piece of JavaScript.

We also added some new demos like the one with Salesforce (which includes Google Apps SSO), the downloadable award-winning Fedlet and last but not least our SAML-enabled WordPress blog.

On the other side we saw a decline of interest at the end of 2008 and in the first months of 2009. Fewer users subscribed to the IDP and visited the web site. An impact of the economic downturn? The good news is that the numbers came back to the values of mid 2008 in the second half of 2009.

We also anticipated analyst attention as the Burton Group published a report called “New Direction in Federation“. Read our blog here. The report introduced “Federation identity hosted services” and gave a good market overview about the offerings.

The new Spring Security SAML module was released and many developers tested it against the SSOCircle SAML IDP. And there are other very interesting services testing …

So, please stay tuned this year. There are many new things coming this year. We are quite sure that 2010 will see the breakthrough for “new directions in federation”.


Burton Report “New Directions in Federation”

English on November 1st, 2009 No Comments

In the recently published report Burton’s Gerry Gebel describes “new directions” in federation, not only in the light of new protocols but rather concerning delivery models. Compared with open source or proprietary on-premise software, the really new thing is “federation identity hosted services”. The report also includes a comprehensive list of these hosted services with SSOCircle/IDPee as one of them. In fact SSOCircle was one of the first non-industry-aligned federation hubs on the market. Citing Gerry: “This type of service should be useful for ad hoc or permanent arrangements, particularly for industries that do not already have a vertically aligned hub”. One thing to point out is that SSOCircle, through its openness as a public IdP, has proved to be compatible with many services and toolkits; in our opinion a critical criterion when choosing an IDaaS offering. In fact in the last weeks we noticed a lot of interoperability testing on SSOCircle.


Single Sign On to Salesforce online demo

English on October 11th, 2009 1 Comment

Recently Salesforce.com added SAML 2.0 support. We have launched a sample that allows users to single sign on to Salesforce with their existing SSOCircle account. The individual account is mapped to a group account (due to our limitation in Salesforce users).

Just click on the IDP initiated SSO link and you will be prompted to sign on to SSOCircle (if not already in session).

Great to see is the integration of Google Apps into Salesforce.com. Just click on the sign-on link in the chat window and SSOCircle is doing the SSO magic behind the scenes (sure – you need to have an SSOCircle Google Apps account created before).

Salesforce.com is checking for your IP address for additional security. Access from IP addresses not explicitly allowed must be confirmed by the user. If you experience this in the demo, please contact us.
