Moving Digital Identity to the Cloud, a Fundamental Shift in Rethinking the Enterprise Collaborative Model.
- TYPE: Combined Session DATE: Wednesday, 05/06/2009 TIME: 15:00-16:00 LOCATION: ANTARES
In light of current technologies most businesses of today tend to abandon their legacy centralised organisation for some form of a distributed model. As a result, the hard identity border that was present in enterprises (customers/patterns/employees) or in governments (citizens, foreigners, residents) has moved from what used to be a clear and strong separation wall, into some form of a wide and foggy zone.
While it is still very popular to discuss and promote Identity: compliance, roles, certification, provisioning... it is quite amusing to notice that most of those concepts were inherited from a very centralised vision or the world. As a result most previous Identity concepts do not fit very well within a distributed model, especially when the model needs to scale at Internet speed.
The term "Role" provides a solid example; while "Roles" work very well on a white board and are a perfect topic for a management dinner, they are very difficult if not impossible to implement in the real world. Even worse, if you succeed in your own internal implementation, your semantic will differ from your partners, sub-contractor, customers, .... This discourages any hope of Internet scale level of distribution and interoperability. Alternatively , mobile operators have addressed a massive scale of identity works. For example: If you decided to spend a vacation in Istanbul or any other nice destination, you do not have to call your telecommunication provider to provision your identity in your next vacation country. In fact, your phone will even work for a few seconds after you land. This is the ultimate goal of Internet scalable Identity. It should work where ever you go and whenever you want. All while maintaining a compliant level of privacy and security toward the targeted businesses.
Why is "laziness" the most important part of your identity architecture? Simply because it’s the only workable method to implement the level of distribution that Internet businesses are looking for. To maximise your liberty of action, your business needs to minimise external dependencies. Nevertheless, you still need to be ready to work with any new patterns, governments, banks, etc,... and hopefully with no extra “IT” integration cost or delay. As pre-provisioning every single partner’s employees, susceptible to access one of your IT application is out of scope. It means, you need to provision them on the fly, at first usage. Exactly in the same method as your mobile operator does when your plane lands in a country foreign to that operator. Doing so does not mean you're ready to abandon any security and privacy concerns. You still need some form of Identity Assurance Framework to manage the appropriate Level of Assurance of the incoming Identity on your system. However, all the supplementary information needed by your policy decision points can also be discovered and retrieved in a "lazy" mode at the first usage instance.
While some technology pieces are still at early stage of development, the main building blocks for implementing a "lazy" identity framework, are currently available and production ready. SAML2 automatic or “behind the door” federation allows you to federated user on the fly; Liberty Assurance Framework allows you to implement a multiple authentication security model; Liberty Personal Profile and SAML2 authentication attributes allow you to carry information from the authentic source toward your policy decision point. Last, but not least, the Liberty IAF (Identity Assurance Framework) will allows you to complete your "lazy" identity architecture. Interoperable technologies based on open standards, and supported international organisations, are now mature and stable. Products are available in both the open source and commercial environments. Early adopters, like telecommunications operators and some governments, have proven it works. Finally, this may be more a question of the mentality to accept a new model where a given enterprise is not the centre of the world anymore than any other entity type..