Jamie Lewis, from the Burton Group, is giving today's first keynote. I remember enjoying Jamie's talk last year, although I didn't realize how much was there. I ask him for the slides and recently went back and reviewed them and realized how many concepts I hadn't gotten at all a year ago that now seem very important.
Jamie defines the virtual enterprise network (VEN) as the corporate network along with the connections to employees, partners, customers, and suppliers. Jamie's first thesis is that tightly coupled systems won't enable large-scale interoperability. The most important benefit of Web services is that it turns the network into a platform. Businesses are just starting to map out Web services strategies.
Jamie's second thesis is that exclusionary business models (read: firewalls) do not enable business. Identity enables an inclusive model that goes beyond the necessary but insufficient perimeter security models that are common today.
The same market pressures that are driving Web services are driving digital identity management (IdM). We have made significant progress in the last year in the deployment of real implementation of specifications and standards that were just ideas a year ago. To manage identity, you need to build process and infrastructure at the same time. Process is about managing the life-cycle (registration, propagation, maintenance/management, and termination). Infrastructure manages the actual IDs, entitlements, and so on.
The Burton Group has a reference architecture for IdM. The reference architecture provides a goal state. Each organization can build their own reference architecture to define their own goal state. It seems to me that this is a part of the Enterprise Architecture. The reference architecture is centered on the idea of a "security domain" which is different the intranet and corresponds to the VEN mentioned earlier.
Much of the Internet's potential is untapped because the infrastructure doesn't support the necessary functionality. Enterprises are interested in leveraging and integrating what they have, not buying new things. Jamie says they've had all the "technology cheeseburgers" they can stand; they're full and want to digest some of it. Web services is a move in the right direction.
Why will Web services work where other's have failed?
- Markets have changed
- We've learned out lesson about tight coupling
- Technology and politics have changed with more vendor buy in and lots of standards work.
Standards and open source implementations of those standards are allowing us to create a true network platform. Still, the reality is that we've only taken baby steps toward the goal. Right now, you can count on XML and SOAP. WSDL is almost baked. The rest is in some disarray. The incentives are there to solve the problems, but they need to be solved.
Most early efforts at solving IdM problems tried to legislate homogenization dictating how developers with handle identity and security. X.500, Kerberos, X.509 are examples. They also placed inappropriate burdens on developers. The next step was to build heavyweight integration products and middleware. These steps are necessary for creating the intra-organizational infrastructure, but don't address the inter-organizational issues.
Inter-organizational IdM will ride on top of the network bus created by Web services. If Web services doesn't work, we'll need to invent something just like it to provide that functionality. Internal federation can enable interoperability and consolidation after M&A.
The fact that the product we buy aren't secure means that we've been forced to buy security products.
There's lots of interest in provisioning, but it can be a big project with lots of political pitfalls. Password management is the low-hanging fruit of provisioning and can provide the quickest route to ROI. Still, its not full-blown provisioning. Web access management is still a bedrock solution for portals. Delegated administration, self-service, password management, and other tools provide real differentiation.
Right now SAML is gaining momentum with lots of early adoption. There are multiple products in release or development, some of them open source. SAML has a simple , narrow focus. Liberty is entering early adoption with some implementation underway in consumer facing apps. The WS-* standards raise the convergence issue and looks like a polite war. WS-* has an ambitious scope, but eventually the concepts behind WS-* will be necessary. Burton's advice is don't let the conflict stop you from meeting business needs. Eventually vendors will support all of them. SAML is a safe starting point.
- Centralized like Passport and AOL ScreenName
- Industry-base and proprietary: SecuritiesHub/Bond Hub, Verified by Visa, etc.
- SAML-powered like Shibboleth
- Liberty powered like Neustar's Land Records Exchange Network
- PingID has announced that they will build a gateway that translates between SAML, Liberty's ID-FF, and the WS-* standards
Jamie sees us going through a long, but inevitable transition. Web services and federated IdM have enormous potential, but we're several years away. We've mde more progress in the last 2 or 3 years than we have in the past 2 or 3 decades. Understand what you can do today and get started building the most general purpose architecture you can.
You should also read AKMA's excellent write-up on Jamie's talk.