
The theory of (identity) relativity

Posted by Steve Coplan on July 24th, 2008 under Identity and Access Management.

I was watching closely (albeit from afar) the observations and epiphanies emerging from the Burton Group’s Catalyst conference last month. One of the more interesting conclusions is that identity management is at a crossroads where even the outlines of the intersection are unclear — what I like to describe as a paradigm vacuum, although there are others who view it as a journey where the next destination is uncertain. So the situation can probably be described as somewhere between groping in the dark for the next step forward and standing at the edge of an abyss. Still, the realization that the model is broken - putting everything into a big silo where it’s hard to take out again - is gradually but surely becoming the consensus position, and thanks to the need for visibility and control mandated by compliance, it’s become obvious that identity management is at an inflection point.

One element of the evolution (or revolution) is sure to be architectural, but the real hard work lies in how the components of the new architecture speak to each other, establish trust and exchange policy information. Another of the themes at Catalyst that many people seemed to pick up on was the notion of ‘relationships’. Relationship is a useful concept in defining the attributes of identities that are distributed between directories that do not share a domain, but I would take the idea one step further: identity is relative.

Identity only has real meaning in context: a resource request in the context of authentication, an action in the context of authorization, and an interaction with data in the context of policy management. This is not authentication and provisioning in the traditional sense - it is invoking a policy decision based not just on information stored in a directory, but also on the relationship between the user (who they are and what they are in an organizational context) and the resource. Clearly there is another facet of the relativity: the relative sensitivity of the resource or data that the user is trying to get at, which must be defined in business terms and again expressed in terms of policy. Relativity also means that the relationship can change over time and place, which immediately requires policy that can handle variables. How does this relate to the paradigm vacuum? It implies the need for an abstracted policy management layer that establishes what the parameters are for resource access, incorporates variables in decision making and enforces authorization consistent with a policy requirement. Now we can see identity management from a different angle — it’s not a matter of putting human relationships into system terms but of managing the intersection between human organizations and systems, data and resources. (I am still wrestling with the idea that what’s implied here is a resource-based model, since at some level the resource and identity have to be reconciled in terms of policy and business definitions.)

There are a number of proposals on how we get there — the Internet Governance Framework’s CARML being one example - and we expect to see a lot more action in the directories realm than we have in years. My vote for protocol of the year goes to XACML, though. The language has its issues: it is still too complex for developers to easily code policy, and it is verbose enough to create latency issues. However, of the vendors we have spoken to that are looking to be the logic and infrastructure behind that policy management layer - NextLabs, Axiomatics, Rohati, Jericho Systems, ObjectSecurity, BitKOO and Cisco Securent (in no particular order) - all use XACML to communicate policy. Having demonstrated it can work is evidence enough for the moment.
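To make the "abstracted policy management layer" concrete, here is a small Python policy decision point written for this post as an added illustration; it is not code from the post or from any of the vendors named. It borrows XACML's shape (a request carrying subject, resource, action and environment attributes; rules that match on those attributes; a deny-overrides combining algorithm) without using XACML's XML syntax. The attribute names, the sensitivity scale, the department-based relationship check and the business-hours window are all constructed assumptions for the example.

```python
"""Minimal attribute-based policy decision point (PDP) in the XACML style.

A Request carries subject, resource, action and environment attributes.
Each Rule evaluates a condition over the whole request and yields its
effect (Permit/Deny) or NotApplicable. A combining algorithm merges the
rule results into one decision. Every attribute name and value below is
constructed for illustration and is not tied to any real product.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# XACML-style decision values.
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Request:
    subject: Dict[str, Any]
    resource: Dict[str, Any]
    action: str
    environment: Dict[str, Any] = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    effect: str                           # PERMIT or DENY
    condition: Callable[[Request], bool]  # evaluated against the whole request

    def evaluate(self, req: Request) -> str:
        return self.effect if self.condition(req) else NOT_APPLICABLE


def deny_overrides(results: List[str]) -> str:
    """Deny-overrides combining: any Deny wins, else any Permit, else NotApplicable."""
    if DENY in results:
        return DENY
    if PERMIT in results:
        return PERMIT
    return NOT_APPLICABLE


# Relationship between user and resource (hypothetical attributes): the
# user's department versus the department that owns the resource.
def same_department(req: Request) -> bool:
    return req.subject.get("department") == req.resource.get("owner_department")


# Resource sensitivity expressed in business terms (constructed scale).
SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def clearance_covers_sensitivity(req: Request) -> bool:
    user_rank = SENSITIVITY_RANK[req.subject.get("clearance", "public")]
    return user_rank >= SENSITIVITY_RANK[req.resource["sensitivity"]]


def within_business_hours(req: Request) -> bool:
    # Time is a policy variable; a missing hour fails closed (treated as after hours).
    hour = req.environment.get("hour", -1)
    return 8 <= hour < 18


POLICY = [
    # Permit reads when the user is in the owning department and cleared
    # for the resource's sensitivity level.
    Rule("read-own-department", PERMIT,
         lambda r: r.action == "read"
         and same_department(r)
         and clearance_covers_sensitivity(r)),
    # Deny restricted data outside business hours (time as a variable).
    Rule("restricted-after-hours", DENY,
         lambda r: r.resource["sensitivity"] == "restricted"
         and not within_business_hours(r)),
    # Deny confidential-or-above from outside the corporate network (place as a variable).
    Rule("sensitive-off-network", DENY,
         lambda r: SENSITIVITY_RANK[r.resource["sensitivity"]] >= SENSITIVITY_RANK["confidential"]
         and r.environment.get("network") != "corporate"),
]


def decide(req: Request, policy: List[Rule] = POLICY) -> str:
    """Policy decision point: evaluate every rule and combine the results."""
    return deny_overrides([rule.evaluate(req) for rule in policy])


if __name__ == "__main__":
    alice = {"id": "alice", "department": "finance", "clearance": "confidential"}
    ledger = {"id": "q2-ledger", "owner_department": "finance", "sensitivity": "confidential"}
    print(decide(Request(alice, ledger, "read", {"hour": 10, "network": "corporate"})))
    print(decide(Request(alice, ledger, "read", {"hour": 10, "network": "home"})))
```

The point of the structure is that the same user reading the same resource gets different answers depending on the relationship (department), the resource's sensitivity and the environment (hour, network), and that the decision logic lives in one layer rather than being scattered across applications; a request that no rule covers comes back NotApplicable rather than silently permitted, so the enforcement point has to decide how to treat that case explicitly.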

Comments

Pingback from Nodalities » Blog Archive » This Week’s Semantic Web
Time: 5 August 2008, 10:54 am

[...] The theory of (identity) relativity [...]

Comment from Jen Ebersole
Time: 28 January 2009, 3:08 pm

For additional Entitlement Management case studies, you can visit Xceedium’s website to find additional resources to establish a successful Entitlement Management strategy.
