Another highlight of DIDW each year is Jamie Lewis' keynote. Jamie is the CEO of the Burton Group (and, incidentally, wrote the foreword to my book on Digital Identity).
He believes that the market has moved beyond the products and suites stage to the services stage. Good news for the people I've met at the conference this year who are hoping to build service-based businesses.
Stronger authentication is not going to solve most of the problems we see in the identity space. User IDs and passwords are still around, and replacing them would solve a lot of tough problems. He uses the theft of the Veterans Administration laptop as an example.
Provisioning is the vortex of IdM. In theory, provisioning is crucial to compliance, but in practice it is difficult, expensive, and tricky. The politics and organizational dynamics are the tripping points here. At the same time, provisioning is going mainstream. Products have matured and deployments are succeeding. While products don't always deliver on their promise, they aren't the reason projects fail.
Federation is building slowly. The elephant in the road is a combination of assurance, liability, and reliability. There's less internal federation than Burton Group anticipated--more external. Andre Durand, CEO of Ping, told me yesterday that they're seeing about 50-50.
A lot of the IdM problems that arise today are a result of projects being developed in an identity vacuum. When we get to the point where there are services we can reuse, then we will see progress. There's reason for hope. Emerging frameworks, like CardSpace, OSIS, Higgins, and Bandit promise to create an access layer.
Jamie's recommendations haven't changed much:
- Relate the problem to core business objectives
- Begin by cleaning up your identity house. Understand identity in your organization before you start buying products.
- Companies who succeed at this are the ones who don't try to solve the problem in one fell swoop. Stay focused, pick something small, and take many small steps.
- Buy Windley's book. Ok, he didn't really say that--he recommended a Burton Group paper. :-)
He moves on to Internet identity. He asks "Are we focusing too much on identity?" We shouldn't mistake authentication for recognition and other social interaction. Relationship, recognition, and reputation will have to share the burden.
Conflating user-centrism and federation is like confusing voting machines and democracy. They're related, but shouldn't be conflated or we confuse the picture. When Jamie talks about federation, he's talking about agreements, standards, and technologies that make identity and entitlements portable across autonomous domains. It's highly tolerant of asymmetry: it allows parties to agree or disagree on certain things at certain times in a just-in-time fashion.
It's fair to say that current enterprise federation models were designed without giving the user a seat at the table. The topology needs to change. Topologies should make it impossible for the system to violate a user's privacy rather than merely making it possible to respect that privacy.
Jamie believes that there is no single center except, perhaps, reality. We need to acknowledge the reality that there are multiple needs and that identity is dynamic, depending on the conditions in which it's being used. There are multiple parties, and to scale, identity systems have to negotiate the power sharing among these parties. That's the job of the identity metasystem.
With respect to the various Internet identity systems, Jamie says that planets appear to be forming in the vacuum of space. He points out CardSpace, Higgins, Bandit, and URL-based identity systems. He placed the URL-based identity systems close to the Sun because he's not sure that the heat on those planets will support life.
Neuenschwander and Rowland have proposed a Limited Liability Persona. Each LLP is a container for a limited set of identity info and resources. Individuals can have multiple LLPs for different modes and roles. They can be shed, sold, and have value. LLPs help enforce civic responsibility and criminal liability, and they can suffer reputation damage. The idea is that consequences echo the physical world.