IBM's identity management becomes user-centric: HP's identity management exit strategy
Courtesy of InternetNews on Tuesday I learned that IBM has added support for OpenID, Windows CardSpace and Eclipse's Higgins Identity Framework to its Tivoli Federated Identity Manager (FIM) offering. As one of the enterprise identity management heavyweights, IBM's announcement is an important endorsement of user-centric identity approaches. Such approaches are still in the formative phase of the adoption curve, particularly in the enterprise, so I see this is an investment for the future for IBM. IBM's significant installed base should help to increase awareness, particularly for organisations supporting external user communities.
IBM's
press release provides more details on the user-centric credentials (
no pun intended!) of FIM. It also discusses the product's SOA Identity Service, which is designed to address some of the challenges associated with identity lifecycle management and audit where service-oriented approaches are applied to siloed applications with siloed security. These challenges are something
I highlighted back in February 2006 and are a barrier to the realisation of the value of SOA as it moves out of project-level deployments. I see the SOA Identity Service as the more important aspect of this announcement, with SOA being a more pressing IT (and hopefully business) concern than user-centric identity.
As an aside, the InternetNews article mentions that the enterprise identity management market
is becoming increasingly competitive with offerings from HP, CA and Oracle.
Can't fault the journalist on CA and Oracle ... but HP! Earlier in the year the company announced that it was no longer going to be selling its Identity Center products to new customers: hardly a competitive force. As part of this (hopefully for its customers) graceful retreat from the market,
HP announced that it has established an exclusive agreement with Novell whereby the two companies will
jointly offer migration services, HP will resell Novell identity and security management solutions and Novell will license HP Identity Center technology
When HP originally announced that it was exiting the market, it stated that it would continue to support and develop Identity Center for its existing customers so I was somewhat surprised to see it offering a migration programme. I wonder whether those customers didn't see this as an effective way forward for what is critical infrastructure. Whilst the programme was a surprise, the partner wasn't. Where else could HP have gone? BMC, CA or IBM: hardly, given the competition in the IT service/systems management markets (and numerous others in the case of IBM). Sun: difficult given competition in the hardware space. Oracle: would have made things difficult for HP's SAP alliance team. Microsoft: lacks the heterogeneous environment support and breadth of functionality that HP's customers need. So, whilst I am sure the sentiments behind Ben Horowitz's (VP and GM, Business Technology Optimization, Software, HP) statement that HP chose Novell
because of its outstanding set of technologies, recognized market leadership and tremendous commitment to working with HP customers
are real, the company didn't have too many others to chose from!
Labels: BMC, CA, CardSpace, Eclipse, Higgins, HP, ibm, identity, Microsoft, Novell, Oracle
A privacy-enhancing acquisition for Microsoft
Microsoft has acquired Canadian cryptography specialist
Credentica. This news sees Microsoft reverting back to its more traditional approach of acquiring small (Credentica is a team of three) specialist technology vendors to plug very specific gaps. In this case, Credentica brings its U-Prove technology to Microsoft's Identity & Access Group to enhance the privacy assurance capabilities of Microsoft's CardSpace and Windows Communication Foundation (WCF).
Credentica was founded by acknowledged security expert Stefan Brands, whose team has applied some very advanced cryptography techniques to allow users to authenticate to service providers directly without the involvement of identity providers. They also limit the disclosure of personally-identifiable information to prevent accounts being linked across service providers and provide resistance to phishing attacks. Credentica's own marketing literature highlights the synergies with CardSpace:
The SDK is ideally suited for creating the electronic equivalent of the cards in one’s wallet and for protecting identity-related information in frameworks such as SAML, Liberty ID-WSF, and Windows CardSpace.
This is a smart move by Microsoft. Not only does it bring some very innovative and well-respected technology (with endorsements from the likes of the Information and Privacy Commissioner of Ontario, Canada) which extends the capabilities of Microsoft's identity and security offerings; it also brings some heavyweight cryptography and privacy expertise and credibility from the Credentica team. The latter can, and undoubtedly will, be exploited by Microsoft in the short term: the former will take more time to realise with Microsoft stating that integrated offerings are more at least 12-18 months away.
Businesses and public sector organisations offering B2C/G2C services should be following Microsoft's integration strategy closely as privacy becomes a more significant concern (and thus a differentiator).
Labels: CardSpace, Credentica, Microsoft, privacy, WCF
Experian partners with Microsoft to develop an identity selector proof of concept
Perhaps it's because we're in the run up to the holiday season or because
the press release came from the UK that accounts for the lack of commentary on the announcement that Experian has developed a CardSpace proof of concept with Microsoft. This is notable for a couple of reasons.
First it's another of what is still a comparatively rare breed of "real-world" adoptions of CardSpace (Otto in Germany, which
I commented on back in September, being another).
Second it sees Experian exploiting the wealth of information it has gathered about individuals, together with its relationships with commerce service providers due to its position as the largest credit checking agency in the UK (it claims to process over 70% of all UK credit applications), to position itself as an identity provider.
In a nutshell Experian plans to issue individuals with a 'Experian Card' information card. When the individual visits a CardSpace-enabled site, they will be able to present the 'Experian Card' when challenged to provide credentials and other identity-related data. CardSpace (and presumably non-Microsoft identity selector alternatives, such as the
Bandit Project's DigitalMe) would then send a request to Experian to validate the identity and return a signed token to be used by the site to determine whether the individual is who they claim to be.
Having a proof-of-concept is one thing but Experian is in a similar position to the first person to invest in a fax machine. They need others to participate if the technology isn't to languish as just an interesting experiment. Experian, because it is already trusted by service providers, is well positioned to get the identity selector ball rolling and according to the press release is
already in discussion with a number of organisations and
will be in a position to demonstrate it to organisations, with the ultimate intention of launching an Identity Management Service in the near future.That's only half the story though. The customers of those service providers also need to come on board. Whilst the wallet metaphor of CardSpace is intuitive, we have all grown too accustomed to the username/password/PIN/mother's maiden name ... approach to authentication and I am not convinced by Experian's claims that
there will be enormous demand for such a service from ... consumersRather, I think Experian is going to have to encourage service providers to actively promote the identity selector approach, not least because individuals (unless they are using Windows Vista) are going to have to install CardSpace or a non-Microsoft alternative.
I definitely don't want to pour cold water on the announcement. It's encouraging to see the adoption of "user-centric" (a term that I think is going to bandied about less in 2008) alternatives to traditional authentication mechanisms, given the enhanced usability and security, and I hope we do see a launch with a healthy group of service providers in the near future. Definitely something to watch.
Labels: Bandit, CardSpace, Experian, identity, Microsoft
Has CardSpace become Passport?
Ben Laurie of The Bunker Secure Hosting has a
provocative post about the two emerging (and that's important) leaders in user-centric identity: OpenID and CardSpace. He quite rightly points out that at present OpenID's:
popularity is entirely on the provider side. There are no consumers of note.and that CardSpace:
appears to live in its own little world, supported only by Microsoft productsI think this is to be expected given that we are still in the early stages of both.
Where I find myself disagreeing with Ben, however, is with his conclusion about CardSpace:
So why does this make Cardspace like Passport? Well, the fear with Passport was that Microsoft would control all your identity. The end result was that Microsoft was the only serious consumer of Passport. When Cardspace is deployed such that all providers and consumers of identity are really the same entity, then all its alleged privacy advantages evaporate. As I have pointed out many times before, when consumers and providers collude, nothing is secret in Cardspace (and all other standard signature-based schemes). So, there’s no practical difference between Cardspace and Passport right now.Ben's right about the implications for privacy when the those consuming identity information collude with those providing it but that's not an issue peculiar to CardSpace.
Even Microsoft would (and indeed does) agree that Passport was a failure due to the company's control of identity data, I think Ben doesn't tell the whole story. It wasn't just down to control of an individual's identity data. It was also due to the fact that Passport and Hailstorm were designed from the outset to wrest control of identity data from Microsoft's business partners and customers. The same can not be said of CardSpace and that's why I believe there is a difference between CardSpace and Passport. There are already examples,
Otto in Germany springs to mind, of organisations other than Microsoft using CardSpace and, as I said, it's still early days.
Labels: CardSpace, identity, Microsoft, OpenID
Realising the identity metasystem
It's perhaps unsurprising, given all the brouhaha surrounding
Microsoft's claims that open source software infringes on 235 of its patents (which incidentally I take to be largely 'sabre rattling' from Redmond in the face of the implications of the GPLv3 for its deal with Novell, as discussed in
the Risk Factors of the latter's recent 10-K filing), that
some recent news regarding the Redmond company's very positive collaboration with the open source community has not received the attention it deserves.
The news in question concerns a series of announcements the company made at last week's
Interop conference in Las Vegas. These announcements, as the title of the post suggest, all revolve around Microsoft's vision for an Internet-scale, interoperable
identity metasystem and range from additions to the
Open Specification Promise (OSP) through to support for OpenLDAP with
Microsoft's Identity Lifecycle Manager.
So, what did they announce? First, Microsoft is
making the Identity Selector Interoperability Profile available under the OSP to enhance interoperability in the identity metasystem for client computers using any platform. An individual open source software developer or a commercial software developer can build its identity selector software and pay no licensing fees to Microsoft, nor will it need to worry about future patent concerns related to the covered specifications for that technology In other words, third parties are free to build the equivalent of Microsoft's CardSpace, following the likes of the
Higgins project, Ian Brown's Apple
Safari Plug-In and Chuck Mortimore's
Firefox Identity Selector. This is important not only because it extends the reach of CardSpace-like capabilities beyond Windows but also because it facilitates the consistent user experience (I know because I have used CardSpace, the Safari Plug-In and the Firefox Identity Selector) which helps to reduce errors and misunderstanding by users.
Second, Microsoft
is starting four open source projects that will help Web developers support information cards, the primary mechanism for representing user identities in the identity metasystem. These projects will implement software for specifying the Web site’s security policy and accepting information cards in Java for Sun Java System Web Servers or Apache Tomcat or IBM’s WebSphere Application Server, Ruby on Rails, and PHP for the Apache Web server. An additional project will implement a C Library that may be used generically for any Web site or service. These implementations will complement the existing ability to support information cards on the Microsoft® Windows® platform using the Microsoft Visual Studio® development environment.Or, to put it another way, doing for back end servers what the first announcement is doing for the front-end: enabling web sites and enterprises running a wide variety of web server infrastructure to support authentication using CardSpace and the other identity selectors.
The cyncical amongst you might be forgiven for thinking that these two announcements are just Microsoft paying lip service to interoperability.
This post should help to allay your concerns: at the Internet Identity Workshop earlier in May the Open Source Identity Selector (OSIS) group demonstrated interoperability amongst 5 identity selectors, 11 relying parties (the party relying on authentication to prove an identity), 7 identity providers (the party asserting the identity), 4 types of identity token (the mechanism for conveying the identity assertion), and 2 authentication mechanisms. Also, on the same day as the Microsoft press release, Internet2
announced plans to extend
Shibboleth, a federated web single sign-on solution based on SAML that is widely used amongst educational institutions, to support CardSpace and compatible identity selectors.
The third piece of news from Redmond last week, concerned the new
Identity Lifecycle Manager product and is thus primarily focussed behind the firewall. Microsoft is going to be working with KERNEL Networks and Oxford Computer Group to enable bi-directional synchronisation of identity data between
OpenLDAP, an open source implementation of the ubiquitous directory standard, and Microsoft's Active Directory. Identity Lifecycle Manager already supports a wide range of the commonly-deployed identity data repositories so I think this move is primarily in the "playing well with open source" category - but valuable nonetheless.
These announcements are further evidence that the likes of
Kim Cameron, Microsoft's chief identity architect, and
Mike Jones, the company's Director of Identity Partnerships, have been working hard to foster the relationships and commitment (both from Microsoft and third parties) required to help make the identity metasystem a reality. That reality is too important for the results of those efforts to be diluted by political shenanigans around patents and GPLv3.
Labels: CardSpace, Higgins, identity, Microsoft, SAML, Shibboleth
