Digital ID World Weblog
February, 2006 Archive
February 28, 2006
Ripples

The big (as in could not miss it) news yesterday was the launch of the Higgins project -- an open source instantiation of the WS-Trust framework within the Eclipse Foundation. Several tech news articles got the take *way* wrong - pitching it as an open source vs. Microsoft story. In reality, that's not what it is at all.

In brief, the Higgins project (which is apparently named for some "long-tailed" Tasmanian mouse, and NOT the guy from "Magnum P.I." -- and, really, wouldn't it be much more interesting if it was named after the guy from Magnum P.I.?) means the following:

1. This is, net-net, a *win* for Kim Cameron's Identity Metasystem. In the past few weeks, Kim has had Verisign announce support, and now an open source project building out a WS-Trust framework for application developers. So, make no mistake about it, Higgins equals more momentum for the Metasystem.

2. However, the move by IBM and Novell *appears* to be a move designed to pressure Microsoft and ensure that their instantiation of the metasystem (InfoCards) remains "open."

3. That move is being done in response to one very big (and obvious) realization: InfoCards is going to ship in Vista (probably early) and it is going to be a game-changer in the user-centric identity space.

4. But more importantly, it may *also* be a game changer in the enterprise space, as well. There is a tremendous amount of enterprise interest in using InfoCards as a central metaphor for enterprise identity management.

5. So think about this for a second: InfoCards on a huge number of desktops, enterprises upgrading to Vista for its security features (like BitLocker), and InfoCards needs to have an identity credential issued. Where might that be issued from? Active Directory. It is no mistake that (as John Fontana observed), Active Directory is now the hub off of which all of Microsoft's enterprise identity management offerings hang.

6. Ergo, InfoCards will drive even more adoption of what is quickly becoming the Active Directory juggernaut.

7. Therefore, if I'm a company selling products that are competitive to Active Directory (say, like, for instance IBM or Novell), and I believe that the identity metasystem has gained enough critical mass, then it is absolutely in my best interest to push forward an open source project for the metasystem. Not doing so is to hand over my market to Active Directory.

8. Higgins is good for the community at large (the more Identity Metasystem things we get going the better), and necessary for the vendors involved.

Stay tuned, Phil will have much more to say about this in his newsletter this week.

ejnorlin at 04:44 AM MST
February 27, 2006
You mean the guy from Magnum P.I.?

We heard about the Higgins announcement last week -- and, frankly, are still thinking about it...

In the meantime, it's interesting how the above article tries to position it as "against" InfoCards, while Kim Cameron talks about how positive a development it is.

What if you throw a conflict and nobody shows up? ;-)

[Later: More on this story from Infoworld.]

ejnorlin at 05:28 AM MST
February 24, 2006
The Governator

Ahhnold (excuse my bad Austrian accent ;-) is talking about identity theft (quoting):

"The effects of identity theft can be devastating and take years to recover from. The cost of identity theft impacts individuals, businesses and the economy -- fighting it will take a team effort," Schwarzenegger said in the statement.

See, and I was hoping it could be solved with Arnold on a motorcycle and a sawed-off shotgun. ;-)

ejnorlin at 04:36 AM MST
February 22, 2006
Fourteen plus 7

Kim's laws are now the stuff of identity legend -- and John Merrells and Dick Hardt of Sxip are contributing their Fourteen Design Principles for identity systems, which (at first glance) would appear to adhere to the 7 laws.

My question: would these apply to Enterprise Identity Management systems as well? It would seem not, but then we're reinforcing the divide between "inside" of the enterprise and "outside" of the enterprise. If these *are* meant for the enterprise, then the user always consenting for identity information release may not be entirely appropriate.

ejnorlin at 02:34 AM MST
Multiple VIPs and another addition

Last week, Verisign announced its Identity Protection network - formally known as "VIP." Now, Neogent has announced their Velocity Identity Package, which they have named "VIP." So now when I refer to VIP, I'll have to specify the Neogent VIP or the Verisign VIP (which is redundant).

Which reminds me: Phil and I constantly joke about how every single company touts itself as the "leader" in X. I'm always wondering how every single company is the leader (or "industry-leading"), when (by definition) a "leader" can only be a single point of data. I'm also publicly stating that I will write about the first company that sends me a press release advertising themselves as "middle of the pack," "industry lagging," or some such equivalent.

Lastly: everyone should welcome Approva (the "leader" in enterprise controls management) to the identity party - as they've just released their BizRights Identity Management integration kit.

All kidding aside, Approva's "automated compliance provisioning" solution and its direct integration into IdM suites speaks more broadly to the market's ongoing need for improvement of solutions.

ejnorlin at 02:28 AM MST
February 21, 2006
On National IDs

Robin Wilton points us to a NYT op-ed piece that advocates a national ID card.

The irony of the NYT piece is, of course, that the REAL ID Act gave us a default national ID card (at least as a standard). In essence, the REAL ID Act said that ALL states have to comply with a standard for driver's licenses, or lose DMV federal funding. This standard includes stricter procedures for enrollment and the use of *some biometric* on every driver's license.

The standardization of driver's licenses to the federal level *is* a default national ID card. It's just been done very quietly and under the covers - mostly because of work the AAMVA (American Association of Motor Vehicle Administrators) started several years ago just after 9/11.

There are only two parts about the "driver's license as default national id" that aren't inclusive of a real national id:

1. Smart Card capabilities: your driver's license can't store health care information, etc. Then again - do you really want that on a magstripe in the wallet you just lost at the airport?

2. Enrollment enforcement: America's illegal immigration statistics are staggering. A national id card won't cover the millions that aren't of legal immigrant status - and enrollment nationwide would be something beyond a nightmare.

ejnorlin at 03:51 AM MST
Pulling it all together

Mr. Fontana does a nice job of pulling together all of the pieces in the Microsoft universe:

Active Directory
Windows Server
MIIS
Certificate Lifecycle Manager
InfoCards

and points to Active Directory as the hub of it all...quoting:

While the directory has been a core piece of Microsoft's identity infrastructure, it will become the platform for strong credentials, access control, single sign-on, federated identity, information-rights protection, process automation and auditing.

It's important to note HOW much Microsoft is altering the identity landscape this year. Take Active Directory, Windows Server, and MIIS -- now take BMC's suite of .NET stuff -- now throw in some bolt-ons from the AD ecosystem (i.e., NetPro) -- and you've got a *universe* of product sets for everything from the midsize business up to the large enterprise.

Active Directory has been getting tons of traction. I'd expect Microsoft's identity offerings to do the same.

ejnorlin at 02:00 AM MST
February 20, 2006
Let the thoughts roll in

Ian has posted his thoughts on RSA -- and is focusing on the problem of policy management. Quoting:

Combining some trends I have seen in the market and reflecting on my post about Yet Another Management, I think it is time to highlight another problem with the P word - the management of policy. Quick, vendors, count how many policy management interfaces you have? I spent last week asking a variety of vendors how many different policy management interfaces they have for their products. I think the average for a decent sized identity management vendor is around 5. (One vendor told me of over 10 different policy management interfaces for their suite of products.)

Customers are being overwhelmed with different policy tools. Multiple policy management interfaces from multiple vendors. This wouldn't be so bad if:

All of the tools could link back to some overall IT Governance policy management system.

They talked to each other.

They used consistent names for their operations and subjects.

Of course I realize the effort required to address the previous points is huge and would require monumental work among competing vendors. But, playing the long game, we as an industry are going to have no other choice. We have to keep in mind that no one is in business solely to learn how to use a myriad of policy management interfaces; they are in business to fly planes, manage people's money, provide healthcare, etc. I have started to see the market, especially the mid-market, begin to push back against adding more and more policy tools into their environment. I don't think the villagers are at the gate with pitchforks and torches yet, but they are starting to grumble in local bars. Around mid-2007 I think the villagers will reach the gates, demanding unified policy tools that use consistent language throughout. We had better start working on this now.

Standards-based policy management? Is policy the proprietary arena which vendors are using to extract value and differentiate product sets?

Good questions, all.

Look for more thoughts from RSA, as Phil and I recount our experiences over the coming week...

ejnorlin at 04:58 AM MST
February 19, 2006
Macrovision is an Identity company

Macrovision has long been in the "content management" space (you can see their logo at the beginning of some DVDs). Now, however, with their acquisition of eMeta (a privately held, NY company) - they're (you guessed it) an Identity company!

The press release says thusly:

With the acquisition of eMeta, Macrovision gains the ability to respond to its customers’ changing needs with a more extensive set of digital content management solutions. The acquisition extends the breadth of Macrovision’s portfolio to include a broad spectrum of access control, usage entitlement, e-commerce and subscription management solutions, which will enable companies to monetize and deliver all forms of digital content to their customers whenever and wherever they want.

But it all becomes much clearer if you simply look at eMeta's Right Access product, including the following features:

Authentication
Authorization
Delegated Administration
Integration

Hmmmm... sounds like identity management to me. Shall we add "digital content management" to the list of niches that find themselves waking up in the identity world? I think so.

ejnorlin at 02:35 AM MST
February 15, 2006
A Conversation Between Kaliya and Eric

Last night you could've overheard this conversation between Kaliya (identity woman) and me:

Kaliya: I don't like Art Coviello's thing about passive authentication. I don't want them watching me. I want control.

Eric: ok - but passive authentication is already happening all the time - and it's *preventing* identity fraud.

Kaliya: yea - but that's not the way it should be done.

Eric: I agree, but would you have them turn it off immediately and watch fraud go up?

Kaliya: No, I'd have them change the way they do it.

Eric: I agree, but that can't happen overnight - so in the meantime, would you have them turn it off and have fraud go up?

Kaliya: ugh.

ejnorlin at 05:39 AM MST
When life imitates Scott...

Scott McNealy's keynote yesterday included a "Top Ten list of IT Security Nightmares." One of them was "needing a patch for a patch."

And then there's this.

Sometimes life does imitate keynotes ;-)

ejnorlin at 05:33 AM MST
RSA: Day 2

Day 2 of RSA is kicking off -- and things are in full swing.

If you're at the show, be sure to show up at room J3 in SJCC at 3:25 to watch Kim Cameron, yours truly, and Todd Inskeep (of Bank of America) talk about "Infocards in the Identity Universe."

Topics covered will include: Natural law, Aristotelian dialectics, ancient Indian theories of the void via Nagarjuna -- oh, and probably some stuff on digital identity. ;-)

ejnorlin at 05:02 AM MST
February 14, 2006
All Identity, All the Time

RSA is off and running, and the river of news is everywhere (I won't re-chronicle that here, but check press releases and/or coverage from Microsoft, RSA, Sun, HP, Ping Identity, AEP Networks, etc., etc.).

The three opening keynotes were Bill Gates, Art Coviello (CEO of RSA) and Scott McNealy from Sun. Briefly:

1. Bill Gates highlighted identity, identity and more identity in his keynote. From Info Cards (with a neat demo) to Smart Cards to Trust Ecosystems to Enterprise identity - it was all covered. And it appears that Kim Cameron really has been bending Bill's ear ;-)

2. Art Coviello spent his time talking about a spectrum of layered authentication (from anonymity to pseudonymity to absolute identity) -- a talk that was especially interesting in light of RSA's recent purchase of Cyota. Bottom line: RSA is now positioning themselves as the company to provide consumer-facing layered authentication solutions.

3. Scott McNealy gave a humorous (if rambling) view into a bunch of Sun pieces. Their identity management solution had its due time (if not center stage).

One common theme that both Phil and I noticed was that this was the *first* RSA show where we saw the keynoters talking about how security was derived from identity versus identity being a subset of security (as it has been seen in the past). This is a BIG (if subtle) shift that should signify just how important identity is becoming.

Additional evidence of this can be seen on the expo floor - where 5 out of 6 companies have the words "identity" or "authentication" in their marketing materials...

Identity is beginning to come of age...

ejnorlin at 01:05 PM MST
Let the news begin

Here we are kicking off RSA and we have three things of note already:

1. The Trusted Computing Group is releasing the Trusted Software Stack v1.2 - which includes hard drive encryption specs and direct anonymous attestation.

2. Simultaneously, Sun is ending production of its Trusted Solaris system (which was largely used in government applications).

3. Verisign's Identity Protection (VIP) network - with Yahoo, eBay and PayPal (and Motorola and SanDisk on the backend) is a *federated strong auth network* that has some real possibilities... i.e., can you smell the "protected content areas" of the Net coming?

ejnorlin at 03:25 AM MST
February 13, 2006
Eve's long identity tail

Eve Maler (of Sun) has listed her short descriptions of the "long tail" of identity work. Quoting:

OpenID: A system for supporting URL-based identifiers, allowing for a confirmation to prove that it’s your URL (a la email confirmation loops)

LID: A system for supporting URL-based identifiers, now coordinating closely with OpenID so as not to compete unnecessarily

YADIS: A policy protocol to let a relying party discover whether an authority uses OpenID or LID and adjust its behavior accordingly

SXIP: A company that has built identity solutions and protocols with an intended focus on easy integration with existing web apps

DIX: A proposal for IETF identity protocol work driven by SXIP; a BOF is scheduled soon to consider WG creation

Pubcookie: A classic cookie-based system for non-federated single sign-on within a single domain

XRI: An effort within OASIS to build a new URI scheme for use in creating identifiers and resolving information about identities

i-names: Simple XRI-compatible identifiers, which for people take the form of =name

Identity Commons: An organization developing stock sets of policies for identity information usage, a la Creative Commons

SAML: An OASIS standard for representation and federated exchange of identity information, with a focus on human-facing interactions

Liberty: A set of technology standards and business guidelines for privacy-enabled identity interactions, both human-facing and machine-to-machine

WS-Federation: A privately produced protocol for identity federation, with current product support focusing on human-facing interactions

Infocard: Microsoft’s new UI component for a client that can mediate identity interactions, similarly to LECPs/ECPs (see below)

ejnorlin at 01:41 AM MST
For Good Measure...

I'm sure we'll have plenty to talk about, as we're at RSA this week, but for good measure here are two more identity companies:

Identicentric - an SOA bus for identity management products

Identyx - with an open source virtual directory

ejnorlin at 01:16 AM MST
February 09, 2006
Aldo at Harvard

Our man on the street (okay - our man who lives in Boston), Aldo, is at the invite-only Harvard-Berkman center Identity conversation gathering and brouhaha (Johannes has attendees here)....

We'll dish the dirt as he delivers it...

ejnorlin at 04:38 AM MST
Feed pointing

I'm never quite sure who reads what part of Digital ID World, so I wanted to point out a few things....

First off, if you like to surf *to* the site, you can find a new article from yours truly and the online version of Phil's email newsletters.

Alternatively, those that want their feeds (like me), can find them (articles, this blog and email newsletters) here.

ejnorlin at 03:15 AM MST
Coming out of the woodwork

Every day I wake up and discover new identity companies that I didn't know about the day before.

Dave Kearns highlighted Iotum in his newsletter...

...and sorting through my pile of press releases (buried in Liberty's announcement of fifteen new members), I find two more (heretofore unknown) identity companies:

CallingID

and

Livo Technologies

What all of this is actually indicative of is a very interesting point in the market's development:

1. The stack vendors are lining up for trench warfare -- battling it out to see who can nail the most "enterprise-wide" licenses from the Fortune 500. These are big ticket purchases that provide *tremendous* leverage to the vendor that wins them, as once the stack is in, it is a monster to remove. See Sun, Oracle, CA, IBM, HP, Novell, (and to some extent Microsoft).

2. The mid-market is being sought after by some folks that believe they can carve out a real niche. See BMC, Microsoft, RSA. This is just barely beginning, but if companies like BMC and Microsoft can get a head start on this via their partnered offerings, they can gain a huge advantage going forward in this market.

3. The Best-of-Breed guys are fighting the "architectural battle" -- essentially a continual argument about why you should architect for best of breed versus buying your entire suite from the stack vendors. In addition, these folks are in the acquisition sweet (or "suite") spot. Here see Radiant Logic, Courion, Ping Identity, Trusted Network Technologies (aka TNT), etc.

4. The start-up, smaller guys, VC-funded (or self funded) types are growing, popping, expanding and innovating every single day. You'll see me linking to a ton of them here - and some of them are becoming commonly known names: Sxip, A10 Networks, Identity Engines, etc. Their game is still developing...

Add ALL of that together and you get a market that is really clicking on all cylinders - with every major segment expanding or heading into rapid expansion.

And we're still just building infrastructure - we haven't even gotten to applications ;-)

ejnorlin at 02:25 AM MST
February 08, 2006
Epic Compliance

Several weeks ago, I talked about EpicTide - Kurt Long's new company (Kurt started OpenNetwork, which was acquired by BMC). And at that time, I stated that I thought that EpicTide, though it talked about being a "compliance solution," would soon find itself firmly in the identity dance.

EpicTide's announcement about partnering with Imprivata would seem to indicate that Kurt has brought his new company out onto the dance floor. ;-)

ejnorlin at 03:49 AM MST
February 07, 2006
MaaS and UAE

We're swimming in acronym soup over here...

Take Phil Windley's post on Google's Universal Authentication Engine (UAE based on XMPP)

and

Mix it (or mash it, as the case may be) with this post on Mashups as a Service

and you might find yourself living in a Mash-up world with an easy API for authenticating people *across* web2.0 applications...

Now where'd I put that buzzword generator ;-)

ejnorlin at 09:24 AM MST
Signal to Noise

It's the week before the RSA conference, which if you're working at Digital ID World means you'll be receiving 400 company pitches a day every day from here to the show. Yep, the signal to noise ratio begins going up at the beginning of the week, and by the end of the week, things are pretty much just constant white noise.

We will be there next week (Phil, myself, and a bunch of others) - walking the floor, speaking on panels, talking with companies, etc.

In the meantime, a couple of things:

1. From the Demo conference - an ID launch, specifically, GuardID - with ID Vault.

2. In case you haven't noticed, there's actually a bit of a heated discussion going on around URL-based identity systems, Identity metasystems, etc. Main players: Johannes Ernst (Netmesh), Dick Hardt (Sxip), Kim Cameron (Microsoft), Drummond Reed (Cordance) -- and various unnamed folks from the YADIS and Identity gang email lists. Much of the discussion centers around technical points (what can and can't be done by what), or around what proposed architectures can do (Will the Metasystem work with URL-based stuff?).

For an interesting example of what's going on - check out this post by Michael Graves over at Verisign.

ejnorlin at 02:40 AM MST
February 02, 2006
Strong Auth and the Stack

This is really interesting -- aside from RSA's ClearTrust product being given the gold medal in IdM products by Tech Target -- the write-up talks specifically about how RSA's strong auth (SecurID) played into the purchase of ClearTrust.

You might remember that I've brought this up before in reference to the "stack" vendors (Oracle, CA, Novell, Sun, etc)....RSA does stand in a slightly different position here - 1. Because they can play the "smaller player/best of breed" game and 2. Because they can claim a native strong auth component in the IdM solution...

Conclusion: Oracle, CA and the rest haven't stopped their acquisitions just yet...

ejnorlin at 06:11 AM MST
February 01, 2006
Portals and Content and Identity - oh my!

Neogent (a new identity company?) has announced a packaged portal and content management system with built-in identity management features (which would only seem to make sense)... quoting:

VEP gives organizations the ability to provision, de-provision and manage passwords throughout an organization with the Sun Java System Identity Manager. This allows the customer to control roles and permissions throughout the organization, reduce the time to grant users access to systems, and ensure users are deleted from systems promptly.

This solution also gives customers the ability to manage web, digital assets and documents through Day's content management solution, Communique 4.0, by providing a user friendly content management system that reduces organization's IT needs, allows users to manage content in familiar applications (e.g., Microsoft Word), and introduces a full workflow management system that allows you to fully control the business processes associated with data throughout the organization. In addition, VEP offers customers the ability to store and access content through the first JSR-170 repository.

Question: will BEA be getting into the identity business soon?

ejnorlin at 09:40 AM MST