Jeff Jaffe’s Blog

In June of 2006, Novell with several partners launched the Bandit project, to provide Open Identity Services. In September, I posted an outline of our objectives. As the project has evolved and new requirements have arisen, the objectives have become clearer and broader. Earlier this month, at the 1st European Identity Conference in Munich, I had an opportunity to reformulate and clarify these goals.

The history of Identity Management Systems

In our work on identity services, we are focused on the fifth generation of identity management. Previous generations:

1. Simple access control to applications.

2. More sophisticated technologies for access control; including multi-factor authentication, biometrics, directories, and metadirectories with synchronization.

3. Development of technology that provides massive simplification for user provisioning. Examples include roles based access, policy management, integration into application workflow, and Application Programming Interfaces. This is the current generation of identity management that is prevalent in the field.

4. Integration between different identity management functions. Specifically, this includes support for federated identities (Liberty Alliance) for enterprises, as well as web access management (for example what we provide with our Access Manager product. A second example is Novell’s Identity Manager 3.5, which integrates identity management, access management, and security information event management to help with compliance management. This is the current generation being shipped and will be the prevalent generation in the field over the next several years.

The evolution to Identity Management Services

Now, the paradigm of identity management should change from a focus on authentication to a focus on a multiple services provided by identity management systems and consumed by applications in different ways – through a consistent interface.

Historically, identity management started by controlling access to resources. With the third generation of identity management, there was a subtle shift. Rather than focusing on the protection of resources as the major area of investment, the attention shifted to the application and to management. Consequentially, instead of adding additional authentication technology, the focus was on the ease of use and integration of the identity management system. The enhancements were role management and policy management (to simplify the management aspect of identity) and workflow and application programming interfaces (to make it more natural for the application).

To be sure, the identity management still related principally to authentication and authorization. The change related to which problem we were solving within authentication and authorization. We were recognizing a growing set of consumers of the authentication service.

With the fourth generation, however, we started to recognize that identity management systems were the best repository of information about users. And there is much more usage for user information than merely managing their identities. So with the fourth generation, with the growth of compliance concerns, identity management systems began to provide the base support for compliance systems.

The application to compliance systems is immediate and timely in an era of Sarbanne-Oxley and Basel II. But once you recognize the relevance of identity to compliance, you also recognize the power of identity management systems to deliver much more. While compliance systems consume identity for the very specific purpose of regulatory compliance, other applications will want to consume identity for more general purposes. What Web based application does not want to know more about its users? This would give the application the ability to personalize its services to the user.

Identity as a service

So suddenly, identity management is flipped over again in terms of usage. In the past, we managed a user’s identity in a bounded set of access control usages. There was usually a well defined, singular place where the system had the user’s identity defined. In the new model, there will be multiple consumers of identity. Each consumer is a different application with different personalization needs. Correspondingly, the user’s identity might readily be defined in numerous inconsistent fashions; different databases defined by different sources. Some of these sources might be the company’s definition of how a user accesses resources in the company. But other sources of identity might be a user’s self-definition of his/her identity to a Web based service or an application that is trying to provide personalized service.

The change is stark. Rather than a monolithic corporate identity management system, we have a lightweight collection of capabilities: identity sources and attributes that must be brought together, provided in a coherent fashion, and consumed by multiple users of this information. The relevant paradigm then is for an identity management system to be a service. It has means to collect data from disparate sources. It has means to harmonize that data. It develops the right abstractions to make that available to consumers.

Open source as a methodology to develop the idea of identity as a service

In an earlier posting, I already described how Open Source was the perfect methodology to introduce these services. I won’t repeat it here, but that was the next module of my conference presentation.

The Bandit project, revisited

When I previously described our objectives for the Bandit project, I focused on the key functional areas that we were working on (e.g. CASA, roles, Audit and compliance). As mentioned above, the goals and focus have evolved. While these functions continue to be important, we are equally focused on structure. So the Identity Interface Layer is primary.

In this layer, we provide architectural support to accept multiple simultaneous authoritative data sources. We support composable identity tokens to allow advanced features for applications that want to consume identity information. We provide architectural support to deal with enterprise specification of identity data and user specification; corporate notions of identity and Web access. We provide a clean abstract view of an identity store to allow multiple usages of identity. And we ensure that there is a clean context for reporting, auditing, and compliance.

The next steps

We continue to learn and evolve this project. We are far from done. As we add cleanliness and abstraction, we need to focus on more varied means of consumption of identity.

Personalization is a case in point. We have barely scratched the surface in ensuring that we have the flexibility in dealing with user attributes that applications will want. How will we address this? Well, this is an open source project. We hope that colleagues will jump in, and help us out!

There is a huge amount of innovation that takes place in the open source community. But not all stakeholders in the global I/T research community and funding agencies are as knowledgeable or as involved as they should be. As a result, I appreciated a recent opportunity to evangelize.

The National Academy of Sciences has a Computer Science and Telecommunication Board (CSTB) which advises the US government on policy issues related to I/T. They are currently looking at “The emerging I/T platform.” I was pleased to meet with them last month and share with them my view – that open source is the emerging I/T platform.

The presentation

Takeaways

The main perspective that I provided in my presentation was that open source has become the platform for I/T. I used many different angles to support this assertion, which I will summarize herein. Of specific interest were the three major takeaways that I gave them:

• The formal research community, supported by considerable government funding, needs to recognize that open source has become the research community. There are numerous ways that this should be recognized, such as requiring that research results be licensed using open source licenses. While I was talking to the US National Academy, the same could be said for other programs, such as EU framework programs.

• Since the future I/T industry will have open source as its underlying platform, governments need to assess policy and economic implications.

• The National Academy needs to learn about open source by being a user. Accordingly, I expressed objections that they required that I convert my OpenOffice presentation document to Powerpoint.

Proof points

In order to cogently argue the above, I needed to demonstrate that open source was the emerging I/T platform. I based this argument on the following – much of which has been posted here in the past:

• I shared with the CSTB panel the analysis that I had done of the movement of the business world to a virtual (or flat) world. In that analysis, I demonstrated that the move to a virtual world was anchored either on open source technologies or on technologies that related strongly to sharing that should become open source technologies. So open source is the emerging I/T platform for business transformation.

• I shared with the CSTB panel the evolution of operating environments in the I/T sector. Analyst data shows that Linux is the fastest growing operating environment. In previous posts, I have argued that, with SUSE Linux Enterprise 10, Linux has become the platform for the open enterprise: desktop to data center. Additionally, Linux is becoming increasingly pervasive in the embedded space. So open source is the emerging system level platform for systems, devices, and telecommunications.

• I shared all of the reasons that innovation increasingly takes place using open source (see earlier posts here and here). So open source is the emerging I/T platform for research.

• I shared all of the reasons that standardization increasingly takes place using open source (see earlier post here). So open source is the emerging I/T platform for standardization.