Earlier this year I talked with some leading identity and access management (IAM) solution providers after some notable movement in the sector.
I spoke with Scott Morrison, CTO and chief architect of Layer 7 Technologies, about some of these topics, specifically about the Jericho Forum's suggested changes earlier this year that people should control their identity.
The guidelines also suggested that a person's own username and password should be accepted universally. I asked Morrison whether this is workable or impractical, given that each site needs to know who is logging in with the credentials they provided.
He said: “This was the dream of OpenID, a credential that could be used across a range of websites. At first look it seems counter-intuitive as traditionally, owners of a service have always issued credentials to access a service.
“For example, to get your corporate email, you need to use corporate-issued IDs. But if you stop and consider the lack of ceremony and validation that most websites demand for creating an account and issuing an ID (usually little more than the hoop of getting past a CAPTCHA), it becomes logical to think that maybe we should just accept credentials that come from another identity service. In the end, these are as valid as credentials issued locally by the website and, from an architectural perspective, it has a nice elegance to it.
“Of course, identity provisioning remains an issue. If I show up as Scott Morrison with credentials issued somewhere else, most sites still need to create some record of me in a database to run effectively; it may just no longer need a local password and this is a pretty big step forward.
“So the idea is certainly practical and technically feasible; the real barriers to adoption are cultural. Web developers aren't accustomed to developing sites that use this idea. An awful lot of web development is template driven and if the template you are using already has a user signup section that includes local passwords, that's what is usually used.
“What is interesting is that six months ago I would have maintained that OpenID was dead, just another good idea that failed to take off. But interestingly enough OAuth seems to be giving it a new lease on life.”
It had been suggested to me in some meetings that ‘identity' and ‘access management' should be considered separately. I asked Morrison whether, if they are separate, they still need to co-exist, since you cannot have one without the other.
He agreed, saying that identity is about ‘the claims we use to prove we are who we say we are', while access management uses identity by running authentication (validation of security tokens and thus establishment of claims) and authorisation (is an identity allowed access to a resource?).
“They are linked, but it helps to consider them separately because they are each important concepts in their own right,” he said.
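As an added illustration, not code from the article or from Layer 7, the following constructed Python sketch shows that separation end to end: an identity provider issues signed claims; the relying party's authentication step validates the token to establish those claims; a local record is provisioned without any local password (the step Morrison describes); and authorisation checks the claims against a resource. The HMAC-signed token format, the shared key and the issuer name are stand-ins assumed for illustration, not SAML or OpenID.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed for illustration: a shared key and issuer name standing in for a
# real identity provider's signing key and entity ID.
IDP_KEY = b"example-shared-key-for-illustration-only"
IDP_NAME = "idp.example"

# Access policy of the relying party: resource -> groups allowed to reach it.
POLICY = {"/reports": {"finance"}, "/admin": {"admin"}}


def issue_token(key: bytes, claims: dict) -> str:
    """Identity side: the provider signs a set of claims (toy format, not SAML)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def authenticate(token: str, key: bytes, now: float) -> Optional[dict]:
    """Access management, step 1: validate the token and establish the claims.
    Returns the claims, or None if the signature, issuer or expiry check fails."""
    body, _, sig = token.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("iss") != IDP_NAME or claims.get("exp", 0) <= now:
        return None
    return claims


def provision(users: dict, claims: dict) -> dict:
    """Create the local record most sites still need; note there is no password field."""
    uid = f'{claims["iss"]}:{claims["sub"]}'
    return users.setdefault(uid, {"sub": claims["sub"], "issuer": claims["iss"]})


def authorize(claims: dict, resource: str) -> bool:
    """Access management, step 2: is this identity allowed to reach the resource?"""
    return bool(POLICY.get(resource, set()) & set(claims.get("groups", [])))


if __name__ == "__main__":
    now = time.time()
    tok = issue_token(IDP_KEY, {"iss": IDP_NAME, "sub": "scott", "groups": ["finance"], "exp": now + 60})
    c = authenticate(tok, IDP_KEY, now)
    print(provision({}, c), authorize(c, "/reports"), authorize(c, "/admin"))
```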
Talking with other providers this summer about hosted IAM solutions led me to wonder if this is something businesses should be demanding from their service providers.
He said: “Businesses should look for the cloud access management solution that meets their unique needs. A specific cloud provider may not offer the best of breed access management system. However, I do think it is reasonable to push cloud providers to accommodate existing standards such as Security Assertion Markup Language (SAML) and emerging standards like OAuth in their access control.
“For example, many SaaS providers, such as Salesforce.com or Google Docs, can use SAML to allow federated sign-on with enterprise IAM equipment on premise, or with cloud-based solutions. In 2011 this should be a pretty basic requirement.”
Finally, in a conversation I had with Extreme Networks and Courion earlier this year, it was suggested that businesses should look at Active Directory settings and privileges as a simple method of ensuring that users have access to the right applications and services.
Morrison said that businesses with an existing investment in Microsoft technologies and Active Directory should look closely at what IAM capabilities this technology offers.
He said: “Certainly the latest versions of Active Directory Federation Services have offered a very rich and capable federation model that works well in Microsoft environments. However, there are certainly non-Microsoft equivalents that might be a better fit with a business's existing technology infrastructure.”
As people are forced to consider their online identities more and more, perhaps it is worth knowing that there are concepts and solutions ready to solve the dilemma.