Both of my regular readers have pointed out to me that my abysmally low blog posting frequency has recently sagged. That has been somewhat due to the state of my current project, Novell Cloud Security Services (NCSS). NCSS was released last August, and since then we have been working with current and prospective customers to make sure it’s what they need, and to enhance it as usage of the cloud evolves. That has meant a lot of travel and meetings for me — much of which I can’t blog about. However, sometimes I am involved in events that allow said loyal readers to see what I do. One such event was last week.
Last week I attended the Cloud Connect conference in Santa Clara. As I arrived at the conference about an hour late, I got a message from my colleague Gary Ardito that a camera crew was there waiting to record an interview with me and a demo of NCSS. I assumed he was kidding. He wasn’t.
They were from InformationWeek. The interviewer was Fritz Nelson, with David Berlind and a quietly competent camera guy. As Fritz mentions in the interview, we did have a great time reminiscing about Novell history as I scrambled to set up for the demo. I didn’t get completely set up and there were some errors in the demo. It was a crowded space behind the counter and Fritz kept moving in and I kept moving away. At one point he stepped on my microphone cord and I couldn’t back up any more.
Nevertheless, these guys did a great job with the interview and editing the video. They only had one take on a very noisy, crowded show floor. They were quite kind to me and cut out a spot where I inadvertently showed the demo password screen, and glossed over one part where I couldn’t get the demo to work. The screen zooms they added are really good to show the context of various features. I didn’t know about Fritz’s closing comment about running NLMs at ring 0 until I saw the video. Right on. Writing NDS as an NLM on NetWare, man, that was real code.
Recently I have been trying, yet again, to understand social networking and its tools. I figure that, if people like Ben Goodman and Paul Madsen find that stuff useful, there must be some value there that I just haven’t found yet. In my current efforts, I came across this tweet from Anil Saldhana. It points to my submission last month of a set of use cases that I’d like to see considered by the OASIS Identity in the Cloud technical committee. The use cases are some that we have encountered while developing and deploying Novell’s Cloud Security Service.
Not only did I think Anil’s tweet showed a positive use for twitter – I’d like to see more quick updates when standards documents are submitted or updated – but it also served as a reminder that I needed to update the use cases after I got some feedback from the committee. Which I have now done. I may even tweet about it.
Anil’s tweet also made me think to write this blog post. The revised use cases have been provided as input into the Identity Cloud Technical Committee in hopes that we can agree on some standard solutions. However, it’s only the beginning of the process and I’d appreciate your advice and input, so I’m going to post portions of the use cases here and ask for your input. These use cases describe problems we have seen in the interaction of enterprise federated identity systems with cloud services. We are not trying to solve the problems each use case describes (yet), we are seeking clear descriptions of the problems.
Do you see these as issues that need to be addressed in standard ways so that enterprises can securely use cloud services?
Use Case 1: Per Tenant Identity Provider Configuration
Description/User Story
Multi-tenant service providers, whether they are SaaS, PaaS, or IaaS vendors, benefit from quick and easy addition of new customers – anyone with a credit card can add themselves on demand. However, to benefit from federated authentication, SSO, and other mechanisms that can improve security for their users they need to configure how their users can authenticate to the system, where and what kind of IdP they use, exchange meta-data, etc. Currently this is commonly done by the administrator via web forms that are unique to each service. As adoption of cloud services increases, this will become a significant management burden.
Goal or Desired Outcome
A tenant can quickly and securely manage their use of many cloud services using automated tools rather than navigating and manually configuring each service individually.
Process Flow
A departmental manager in an enterprise (a tenant administrator) wants to configure all of the SaaS applications In use by that department to authenticate users via the enterprise IdP.
Using an automated tool to manager her SaaS usage, she enters the IdP information once.
The tool contacts the IdP and each SaaS application and uses standard protocols to communicate the configuration.
Use Case 2: Delegated Identity Provider Configuration
Description/User Story
Enterprises are outsourcing more of their applications and management of their IT infrastructure – including their identity provider services – to managed service providers or identity-as-a-service vendors. This results in a situation where an enterprise administrator which owns the business relationship with the service provider (the tenant administrator) does not manage the identity provider service. The identity provider service is controlled and managed by another company (the IdP administrator). This becomes a significant management burden when the tenant administrator needs to manage the identity services configuration (such as the exchange of metadata) between the identity provider and many cloud services.
Goal or Desired Outcome
The tenant administrator should be able to delegate access to their identity services configuration within a multi-tenant cloud service to the identity provider service. The identity provider service should be able to manage configuration issues such as meta-data exchange to all connected cloud services on behalf of a tenant. This should not require the identity provider to had access to the tenant administrator’s authentication credentials.
Process Flow
A tenant administrator pulls out a credit card and signs up for a new cloud service for her users. Her identity services are provided by a third party – an identity as a service provider.
She notifies the identity provider that she wants her users to have access to the new services.
The identity provider can exchange whatever configuration and meta-data is required with each new service on behalf of the tenant administrator without authenticating to each service as her.
Use Case 3: Association of a User and Tenant during Authentication
Description/User Story
NOTE: this is a rough idea of a use case. It’s a situation we have seen many times, but there may not be a discrete set of viable solutions. Perhaps guidance is the best possible outcome.
When a user accesses a multi-tenant cloud service, the service needs to be able to associate the user with a tenant account. This may or may not be the same as associating the user with an IdP – there are many efforts to try to solve that issue as well and this use case may in fact be a variant of it.
Currently applications handle this issue in a variety of ways. For example, each tenant may essentially get their own application service instance by embedding the tenant identifier in the domain name or path of the URI. Some applications pass it in as a parameter and some store it in a cookie.
This multitude of application variations further aggravates the problem of identity provider association, and makes it much more difficult to provide consistent federated identity services to multi-tenant systems.
A sample scenario:
A manager in the sales department of AcmeWidgets wants her team to have access to a new SaaS application, WidgetTracker. She opens a new account with her department credit card. She wants her team to use their corporate user accounts for authentication – so they are provisioned, deprovisioned, and application access can be audited by the IT department. However, she’s paying for the application from her departmental budget, so she only wants her team members to be able to use the service on her account. A manager in the design department has a similar need to sign up her team members for an account in WidgetTracker.
The problem is that tenant boundaries for cloud services are based on the pay-per-use model which often corresponds with departmental cost centers. In contrast, the corporate user accounts – the IdP – are usually built on corporate boundaries.
It has been suggested that this problem could be overcome by using attributes in the corporate directory to distinguish between departmental tenants. However, the explosive growth of SaaS applications is attributed in part to the low-friction, instantaneous addition of new tenants. Asking each department to submit a work order to the IT department for configuration changes in the corporate directory before they can access a new SaaS application would defeat this key characteristic.
Goal or Desired Outcome
That clear guidance be available from a respected authority (e.g. OASIS) to help cloud service providers provide multi-tenant capabilities in ways that can be more effectively integrated with federated identity services.
Process Flow
For developers:
Read OASIS document
Save time and produce better cloud service by structuring their application to associate users with tenant accounts in accordance with the document.
Profit!
For users and administrators:
Start to see consistency in service access
more easily consume more services with less errors
A few weeks ago I had a great conversation with Matt Grant over at the Trusted Cloud Initiative. It was a lively conversation and Matt did a great job of turning it into a blog post. I’m not sure if I ever stated the main point of our conversation as succinctly as Matt captured it in the title, but he nailed it: “Hosters Need to Think about Identity as a Platform Play”.
When I read it today I noticed one idea I’d like to clarify a bit. The post contains this paragraph:
You see, people can move an application from one host to another without much trouble. The hosters want to be able to hold on to relationships with specific SaaS customers and the idea of identity services is one of the stickiest things possible. Why? Because where people have their user accounts is a very sticky thing.
The point I’d like to clarify is that, while user accounts are certainly sticky, convincing enterprise customers to move the control of their identity management systems into the cloud would be very difficult – and it’s unnecessary for hosters to get the sticky benefits. They can provide essential identity services such as secure authentication from enterprise accounts, and federated authentication, authorization and audit services to their application marketplace — all without physically holding the user accounts.
Such identity services are a key part of a platform on which application marketplaces can be built. They are a key part of any platform offered by hosters who want to build a SaaS marketplace.
The Rise of the App Marketplace: This was one of the forward-looking things that really hit me, but may have slipped under the radar a bit. The meme of the app marketplace is coming to the enterprise. Installing collaborative, emergent environments is not enough. What we’re really driving toward is an opening up of the enterprise data layer — exposing APIs, if you will — and driving toward a world where the employee (or partner or customer) is not only consuming IT applications, but BUILDING them. The IT “app marketplace” is coming. Bank on it.
To support any such marketplace there must be a platform, whether it is in an enterprise or in the cloud, and a key part of that platform is identity services.
I’ve had many conversations with Dave Kearns over the years in hallways, a few beer halls, and conference panel discussions at events like the Internet Identity Workshop and the European Identity Conference. The conversations have been lively and often pushed my thinking in new directions. We’ve followed a similar path from the directory services of the 90s to Internet identity systems, and now on to cloud computing as it accelerates the adoption of identity services and the identity provider model.
In a recent newsletter Dave riffs on my presentation at the European Identity Conference and then concludes with this paragraph:
“The cloud is a reality. Cloud-based computing is a reality. Platform-as-a-service, application-as-a-service and, yes, identity-as-a-service will soon be as pervasive as client-server computing became in the last century. This will mean fundamental changes in the ways we think about identity and security. Get on that train, or be left at the station.”
Earlier this month I attended the European Identity Conference in Munich. The conference is put together by Kuppinger Cole + Partner and they do a great job. As I’ve posted before each year it gets better, and this year was no exception. This year there were great sessions with cutting edge content, really good food and beer, and vibrant interaction between vendors and customers. It all added up to a very productive week. Oh, and there was really good beer.
Last year, Martin Kuppinger and I led a workshop on cloud computing, and we did it again this year much more in depth – but that’s another post. This year, there was a whole content track devoted to the cloud. As I see it, cloud computing has evolved to become just “the cloud” and is a set of technologies and business models which have the requisite force to drive adoption of identity-based security. So combining an identity conference with a cloud conference is a Very Good Idea.
I gave a keynote in the Cloud 2010 track. KCP were kind enough to post the video of the session . You can also download the presentation. One advantage of my occasionally-derided “Wall of Words” presentation style is that you can easily get the main points by scanning through the presentation. I took all the photos in the presentation in Munich a few days before the session, which made it more relevant and fun for me.
The concepts in the presentation have emerged in the last year while working on Novell’s Cloud Security Service . Supporting insights and statistics came from a survey initiated by our own Anita Moorthy. Basically the presentation covers how business drivers affect the security needs of enterprises, SaaS vendors and cloud providers.
Here’s a brief overview.
A survey of some current market forces and players:
We have seen many times how a disruptive force in information systems is departmental autonomy pulling in products and services under the enterprise IT radar. This is again a significant factor in the adoption of SaaS applications.
The adoption of SaaS applications is accelerating a shift by traditional hosting companies and telcos to IaaS and PaaS models, and they are increasingly moving to attract SaaS vendors in addition to enterprises.
The business and security interactions in the cloud involve enterprises, SaaS vendors, and cloud providers – each with different motivations. From this current cloudscape, I identified 3 trends and possible traps in each:
Identity-based security is increasing in importance. Cloud services are pushing enterprises to emphasize identity based security rather than network security
SaaS and IaaS are converging on PaaS. Infrastructure providers are moving up stack and applications need to be extensible… converging on platform services, including identity services.
Cloud providers are increasingly offering identity services – and becoming identity providers. Identity services provide much needed security, and stickiness. Application marketplaces are a powerful paradigm growing around identity provider hubs.
We concluded with some recommendations for enterprises, SaaS vendors and cloud providers.
For years, we have been working on standardizing, implementing, and deploying the identity provider model – which separates the sources of authentication and identity information from services that use identity information. It is clearly a better model for humans than separate accounts in every service. However, as Jeff Bohren succinctly said, “Change is hard. Passwords are easy.” More than ever I see trends in cloud computing that are finally providing the business model and incentives for enterprises, SaaS vendors, and cloud providers to move to the identity provider model. EIC 2010 further accelerated those trends.
I very much enjoyed the conference, working with the KCP team, and the interaction with customers, competitors and partners.
As always, I’d appreciate any feedback on the presentation, offers of presentation rewriting, coaching on public speaking, etc.
Not for the first time, I have found a post by Gunnar Peterson to be very useful and insightful. This time, I followed his lead to a post by Chris Hoff. It’s a piece called “Cloud Providers and Security ‘Edge’ Services – Where’s The Beef?“. I highly recommend the whole of both posts. Mr Hoff’s post is a discussion of what it might mean to integrate security services to the edge of the cloud, and his questioning about what the edge of the cloud could mean. The common answer is that it is securing from services in the cloud to the edge of an enterprise, location, or … something. Something inside a boundary that can be surrounded by some model of security that happens at the network level. Which leads to this statement:
None of the models are especially friendly to integrating network-based controls not otherwise supplied by the provider due to what should be pretty obvious reasons — the network is abstracted.
Chris Hoff, Gunnar and others have been decrying for years that network level security is insufficient. Sometimes the recognition that network level security is insufficient (and often counter productive) has pushed people to make a goal of ‘deperimeterization’, which is a cool word but certainly has not helped move the industry from it’s predilection for network level security. It is much more likely that the term that will finally precipitate a movement from network level security to identity-based security will be “Cloud Computing”.
In Mr Hoff’s post he emphasizes this point:
So here’s the rub, if MSSP’s/ISP’s/ASP’s-cum-Cloud operators want to woo mature enterprise customers to use their services, they are leaving money on the table and not fulfilling customer needs by failing to roll out complimentary security capabilities which lessen the compliance and security burdens of their prospective customers.
For access control purposes, security is fairly straightforward, its a game of subjects (like users, user agents, claims, and web services), objects (like resources, URIs, data, and service providers) and what Hoff calls metastructures (like identity and policy). Security is a word that is meaningless by itself, you always have to qualify it: data security, application security, network security and so on. So when people talk about “edge” security, what is it they propose to “secure” an edge device? That’s fine as far as it goes, but its important to note that providing security services to device on the edge doesn’t do much of anything to either side of the edge. Too often people assume that securing the edge means everything “inside” the edge is also “secure” but this is smoke and mirrors for auditors not security for your enterprise assets.
I think of that type of security (with subjects and objects) as identity-based security. An identity is what you apply policy to — it is the subject or object of an access control policy. It’s the base type of the concepts of subjects and objects. The metastractures are processes of authentication and authorization based on those identities. It’s much higher level than SSL and the network layer, but it’s much closer to what’s necessary for business processes and security needs in the cloud.
Gunnar concludes:
Whenever you evaluate security and especially Cloud security, its important to enumerate the subjects, objects and metastructures that you are extending security services to, instead of just describing some security service in the abstract. This problem is a pandemic in information security the whole point of SOAP is that it was a firewall friendly protocol designed to go through the firewall, that was 10 years ago, yet today information security still relies on SSL and network firewalls as primary protection mechanisms (what are they protecting?).
Indeed, what are they protecting? While network level security can enable a secure transmission of data from point A to point B, it does not prevent the vast leakages of passwords and personal information that have become common. Perhaps the growth of Cloud Computing will finally push the industry to systems in which users don’t have passwords, or at least systems which can securely serve their users without receiving their password or storing personal information. If a SaaS application doesn’t have the information, there’s one less place that it needs to be secured. Such identity services have been viable for some time, but have needed a push to get broader adoption. Cloud Computing.
We appear to be on the edge of a nervous breakthrough.
I attended the first two EICs and, while I greatly enjoyed them, each conference has been better than the last. EIC strikes a good balance between providing a forward looking vision of what identity management technology should provide for business, and what practical solutions are available now.
In previous years I have noticed great contention about what identity system had the best design, had the correct name, was the most open, was favored by which group, etc. I asked other vendors why there seemed to be much less of that contention this year. All of them answered that there is not much to debate; there are valid use cases for the classic federation protocols, as well as OpenID, OAuth, and information cards — and all are open standards. So we’ve all been implementing products that use these protocols. However, as the products are deployed most system designers also recognize that we are far from done. What we have available now in open standards are valid systems that are a leaps forward, but are still not sufficient – there is still more to be done to make the systems more intuitive, more usable, more functional.
I presented my thoughts on these issues in an early OASIS session. The presentation was “Gaps and Overlaps in Identity Management Solutions”. The gist of the talk was that we don’t need to dumb down identity systems for people; we need to provide more intuitive, nuanced and contextual systems so that people can express the richness of relationships online. I illustrated this point with a stereotypical Granny who commonly handles delicate interactions with complex forms of indirect speech as she navigates many kinds of relationships in real life. We have too long focused on trying to make her use a single user name and password, rather than than allowing her to manage relationships. Our users do not need us to dumb down online identity systems – they need us to allow them to intuitively handle the richness of relationships. Online systems need to perform transactions within various contexts, unequal power levels, third party sources, etc. To bring the point home – so to speak – the presentation featured photos of my mom as the stereotypical Granny.
Over the next few days there were many presentations and lively panel discussions, including the one led by Dave Kearns and discussed in his newsletter. I greatly enjoyed participating in 3 panels and moderated a 4th. One thing I really like that seems to happen frequently at EIC is that the audience participation with a panel can get quite animated and extend into the expo area after the session.
The expo also was expanded this year. What I particularly liked about Novell’s booth was that it highlighted customers and their innovative use of Novell products – it seemed much more interesting and less like a sales pitch. As always, it was good to get to meet my Novell colleagues there: Marina Walser, Ulrike Beringer, Klaus Hild, Aleš Kučera, et al. Marina gave a great keynote (which was much discussed over the next few days, especially the customer survey results) and also recorded an interview with the ubiquitous Tim Cole.
With Marina and Ulrike, I participated in some press interviews. Being a typical unilingual American, I can’t actually read some of the resultingarticles. Nevertheless, they appear to be quite interesting based on the (sometimes humorous) automatictranslations.
It was a very busy week. I sometimes could only listen to part of a session before going to another commitment. One of my favorite (unfortunately partial) sessions was “Access Control in the Cloud” by André Koot. Rather than theory of identity systems or analysis of protocol families, André focused on using claims and information cards as a basis for flexible and manageable access control from an enterprise or university to cloud based services.
There were many other great discussions and presentations by visionaries and curmudgeons. Apparently attending a conference in Europe is the only way to see Jackson Shaw these days – well worth the effort.
The final EIC highlight was particularly significant to me because it involved my new area of focus – identity and security services for Cloud Computing. On the last afternoon I led a workshop about Enterprise Identity in the Cloud. It had been a long and intense conference, so we expected light attendance and decided to keep it as just an open discussion. The best part about this was that we had a small, but tightly focused conversation with customers, systems architects, and representatives of a few vendors. It was particularly great to have Martin Kuppinger join us to share his deep insights into cloud computing, and provide some adult supervision.
Overall, I noticed three themes at EIC this year:
Open standards-based multi-domain identity systems are shipping in real products from many vendors, and solving real problems.
There is more to do to make identity systems rich enough for online relationship management.
Cloud computing is an important concept, a valid trend, and it provides strong use cases for multi-domain identity systems.
I am left with one question: did the beer taste so good because I was in Germany, or was it just the beer?
As my last post shows, I’ve been thinking a lot lately about the evolution of identity services over time. I’m currently researching and thinking about how identity services should integrate with the emerging cloud computing paradigm. However, sometimes we get working in the daily grind, the months and years go by, and we can miss significant milestones, like this one:
I guess it could be said that OpenSUSE 11.0 was the first Linux distribution to support an identity selector, but it wasn’t in the main repository when 11.0 was released, so I’m going with OpenSUSE 11.1.
What this means is that users of OpenSUSE 11.1 can install and run DigitalMe as easily as Firefox or Open Office or any other package. Just open up the package manager, search for digitalme and install. There are actually two packages that start with digitalme. One is the identity selector itself and the other is the Firefox addon. If you install the digitalme-firefox package, the selector is installed automatically. And you are automatically notified of updates!
Thanks to Andrew Hodgkinson for making DigitalMe happen, and getting it packaged for OpenSUSE!
(Andy, I think you may be due to update your blog. Your regular rate of one post every 1.5 years appears to have slowed.)
As always, thanks to the Higgins project for hosting most of the source code used to build digitalme, and for their support and collaboration.
Eric and Dave have recently written about their views of the waves of identity. Dave’s post gave me a wave of nostalgia since it mentioned both the NetWare Bindery and Novell Directory Services. Sometimes it feels like I’ve been around as long as Dave.
Mr Peabody, set the Wayback Machine for somewhere near 1990…
My first server-side coding assignment at Novell was to show that the Bindery could be separated from the core NetWare OS and into a loadable module (NLM) — thus showing that a directory services NLM could be developed by another team of engineers in parallel with the next version of NetWare. I think my prototype was initially done on the NetWare 3.0 codebase, but it was a long time ago. I do remember that, after my prototype worked, the task of doing it “for real” was assigned to a member of the core OS team, and they threw out my code. Sigh. Nevertheless, what became known as the “name services” interface in NetWare 3.1 enabled a team of misfits to start coding something called Global Directory Services. By the time it shipped it was called NetWare Directory Services, then Novell Directory Services, then eDirectory. I worked on that code for most of the 90s as it changed to support new upstart protocols like LDAP, and new platforms like Windows NT and Linux.
Now I work on Identity Services, including newfangled concepts like federation, information cards, OpenID, and OAuth, and projects like Bandit, Higgins, OSIS, etc.
I think I can see both Eric’s and Dave’s perspectives.
I don’t know how or if the waves should be divided up, but it seems to me that in the 90s we were working on Directory Services — i.e. a standard model for identity data (generally around x.500) and systems to access that identity data (LDAP, meta/virtual/directories). This roughly corresponds to Dave’s first 3 waves. With the appearance of federation protocols and the Liberty Alliance, the industry started layering an Identity Provider Model on top of Directory Services. Information Cards and OpenID are more recent additions to that model. This could be Eric’s first wave of Identity after 3 waves of Directory Services.
But what really matters to me is Eric’s point about identity state vs identity action. Right on. It may be useful to make a distinction between Directory Services (which allow applications to access identity data), and Identity Services (which perform identity actions). The Identity Provider Model was necessary to get to identity services, if for no other reason than that it externalized authentication — but that’s a post for another day.
To do is to be – Nietzsche
To be is to do – Sartre
Do be do be do – Sinatra
The Bandit project has built an identity services interface layer called OTIS (Onramp to Identity Services). We have been asked how it differs from a virtual directory, and the answer is exactly relevant to this discussion. OTIS provides open interfaces to identity services (actions). A virtual directory gives access to identity data. Both have valid uses, and, in fact, identity services are generally layered on directory services (identity actions based on identity data).
So we have moved from Directory Services, to an Identity Provider Model. Now we need to determine what identity services are needed to enable network services to focus on doing useful things, rather than handling identity data, regardless of whether it’s wave 2 or 5.
There have been a number of articles in the press over past few weeks about the release of Novell’s Access Manager 3.1. The articles by John Fontana at NetworkWorld and by Sean Michael Kerner at InternetNews.com are well worth reading. Both articles mention new features in the product, it’s interoperability with Microsoft products via open standards, and (my favorite) how code from the Bandit project relates to the product.
The real breakthrough for me, at least in terms of Microsoft services, was Novell’s inclusion of Windows CardSpace as an authentication type for its multifactor authentication. Novell, through its sponsorship of the Bandit Project, has been in the forefront of information card technology, and this release of Access Manager makes it easy for identity technology managers to add this factor to their risk-based authentication schemes.
This may well be the first CardSpace implementation in a business-focused product by a non-Microsoft vendor. Now that is “ground breaking”.
A solid enterprise product, supported by a leading IAM vendor, and implementing open standards in conjunction with open source implementations — this does seem to me to be another significant step in moving to new-paradigm identity systems.
I've done a variety of things in my career, but always seem to return to issues of identity and technology. Most of what's written here will be about such things. I work for VMware, but this is my
personal blog. The views expressed on here are mine alone and do not necessarily represent the position of my employer.
A few weeks ago I had a great conversation with 
When 
What this means is that users of OpenSUSE 11.1 can install and run DigitalMe as easily as Firefox or Open Office or any other package. Just open up the package manager, search for digitalme and install. There are actually two packages that start with digitalme. One is the identity selector itself and the other is the Firefox addon. If you install the digitalme-firefox package, the selector is installed automatically. And you are automatically notified of updates!
