Not for the first time, I have found a post by Gunnar Peterson to be very useful and insightful. This time, I followed his lead to a post by Chris Hoff.  It’s a piece called “Cloud Providers and Security ‘Edge’ Services – Where’s The Beef?“. I highly recommend the whole of both posts. Mr Hoff’s post is a discussion of what it might mean to integrate security services to the edge of the cloud, and his questioning about what the edge of the cloud could mean. The common answer is that it is securing from services in the cloud to the edge of an enterprise, location, or … something. Something inside a boundary that can be surrounded by some model of security that happens at the network level. Which leads to this statement:

None of the models are especially friendly to integrating network-based controls not otherwise supplied by the provider due to what should be pretty obvious reasons — the network is abstracted.

Chris Hoff, Gunnar and others have been decrying for years that network level security is insufficient. Sometimes the recognition that network level security is insufficient (and often counter productive) has pushed people to make a goal of ‘deperimeterization’, which is a cool word but certainly has not helped move the industry from it’s predilection for network level security. It is much more likely that the term that will finally precipitate a movement from network level security to identity-based security will be “Cloud Computing”.

In Mr Hoff’s post he emphasizes this point:

So here’s the rub, if MSSP’s/ISP’s/ASP’s-cum-Cloud operators want to woo mature enterprise customers to use their services, they are leaving money on the table and not fulfilling customer needs by failing to roll out complimentary security capabilities which lessen the compliance and security burdens of their prospective customers.

Gunnar’s commentary on Mr Hoff’s post makes some equally insightful points:

For access control purposes, security is fairly straightforward, its a game of subjects (like users, user agents, claims, and web services), objects (like resources, URIs, data, and service providers) and what Hoff calls metastructures (like identity and policy). Security is a word that is meaningless by itself, you always have to qualify it: data security, application security, network security and so on. So when people talk about “edge” security, what is it they propose to “secure” an edge device? That’s fine as far as it goes, but its important to note that providing security services to device on the edge doesn’t do much of anything to either side of the edge. Too often people assume that securing the edge means everything “inside” the edge is also “secure” but this is smoke and mirrors for auditors not security for your enterprise assets.

I think of that type of security (with subjects and objects) as identity-based security. An identity is what you apply policy to — it is the subject or object of an access control policy. It’s the base type of the concepts of subjects and objects. The metastractures are processes of authentication and authorization based on those identities. It’s much higher level than SSL and the network layer, but it’s much closer to what’s necessary for business processes and security needs in the cloud.

Gunnar concludes:

Whenever you evaluate security and especially Cloud security, its important to enumerate the subjects, objects and metastructures that you are extending security services to, instead of just describing some security service in the abstract. This problem is a pandemic in information security the whole point of SOAP is that it was a firewall friendly protocol designed to go through the firewall, that was 10 years ago, yet today information security still relies on SSL and network firewalls as primary protection mechanisms (what are they protecting?).

Indeed, what are they protecting? While network level security can enable a secure transmission of data from point A to point B, it does not prevent the vast leakages of passwords and personal information that have become common. Perhaps the growth of Cloud Computing will finally push the industry to systems in which users don’t have passwords, or at least systems which can securely serve their users without receiving their password or storing personal information. If a SaaS application doesn’t have the information, there’s one less place that it needs to be secured. Such identity services have been viable for some time, but have needed a push to get broader adoption. Cloud Computing.

We appear to be on the edge of a nervous breakthrough.

From May 5^th to May 8^th I attended the 3^rd European Identity Conference (EIC). As a testimonial on the front page says, it was “a wonderful and informative event, well run and useful in so many ways.” (If I quote a page quoting me, is that recursion or delegation?)

I attended the first two EICs and, while I greatly enjoyed them, each conference has been better than the last. EIC strikes a good balance between providing a forward looking vision of what identity management technology should provide for business, and what practical solutions are available now.

In previous years I have noticed great contention about what identity system had the best design, had the correct name, was the most open, was favored by which group, etc. I asked other vendors why there seemed to be much less of that contention this year. All of them answered that there is not much to debate; there are valid use cases for the classic federation protocols, as well as OpenID, OAuth, and information cards — and all are open standards. So we’ve all been implementing products that use these protocols. However, as the products are deployed most system designers also recognize that we are far from done. What we have available now in open standards are valid systems that are a leaps forward, but are still not sufficient – there is still more to be done to make the systems more intuitive, more usable, more functional.

I presented my thoughts on these issues in an early OASIS session. The presentation was “Gaps and Overlaps in Identity Management Solutions”. The gist of the talk was that we don’t need to dumb down identity systems for people; we need to provide more intuitive, nuanced and contextual systems so that people can express the richness of relationships online. I illustrated this point with a stereotypical Granny who commonly handles delicate interactions with complex forms of indirect speech as she navigates many kinds of relationships in real life. We have too long focused on trying to make her use a single user name and password, rather than than allowing her to manage relationships. Our users do not need us to dumb down online identity systems – they need us to allow them to intuitively handle the richness of relationships. Online systems need to perform transactions within various contexts, unequal power levels, third party sources, etc. To bring the point home – so to speak – the presentation featured photos of my mom as the stereotypical Granny.

The tireless Felix saw the presentation and posted an interview with me about it.

Over the next few days there were many presentations and lively panel discussions, including the one led by Dave Kearns and discussed in his newsletter. I greatly enjoyed participating in 3 panels and moderated a 4^th. One thing I really like that seems to happen frequently at EIC is that the audience participation with a panel can get quite animated and extend into the expo area after the session.

The expo also was expanded this year. What I particularly liked about Novell’s booth was that it highlighted customers and their innovative use of Novell products – it seemed much more interesting and less like a sales pitch. As always, it was good to get to meet my Novell colleagues there: Marina Walser, Ulrike Beringer, Klaus Hild, AleÅ¡ Kučera, et al. Marina gave a great keynote (which was much discussed over the next few days, especially the customer survey results) and also recorded an interview with the ubiquitous Tim Cole.

With Marina and Ulrike, I participated in some press interviews. Being a typical unilingual American, I can’t actually read some of the resulting articles. Nevertheless, they appear to be quite interesting based on the (sometimes humorous) automatic translations.

It was a very busy week. I sometimes could only listen to part of a session before going to another commitment. One of my favorite (unfortunately partial) sessions was “Access Control in the Cloud” by André Koot. Rather than theory of identity systems or analysis of protocol families, André focused on using claims and information cards as a basis for flexible and manageable access control from an enterprise or university to cloud based services.

There were many other great discussions and presentations by visionaries and curmudgeons. Apparently attending a conference in Europe is the only way to see Jackson Shaw these days – well worth the effort.

The final EIC highlight was particularly significant to me because it involved my new area of focus – identity and security services for Cloud Computing. On the last afternoon I led a workshop about Enterprise Identity in the Cloud. It had been a long and intense conference, so we expected light attendance and decided to keep it as just an open discussion. The best part about this was that we had a small, but tightly focused conversation with customers, systems architects, and representatives of a few vendors. It was particularly great to have Martin Kuppinger join us to share his deep insights into cloud computing, and provide some adult supervision.

Overall, I noticed three themes at EIC this year:

1. Open standards-based multi-domain identity systems are shipping in real products from many vendors, and solving real problems.
2. There is more to do to make identity systems rich enough for online relationship management.
3. Cloud computing is an important concept, a valid trend, and it provides strong use cases for multi-domain identity systems.

I am left with one question: did the beer taste so good because I was in Germany, or was it just the beer?