Trust will make or break cloud ID management services

ZDNet’s John Fontana has written about the Webinar on Identity Management as a Service hosted last week by Craig Burton of Kuppinger Cole.  The session began with a presentation by Craig on the revolutionary impact of the API economy in shaping the requirements for cloud identity.  Then I spoke about the characteristics of Identity Management as a Service as they were shaping the industry, and especially Azure Active Directory, while Chuck Mortimore gave a good description of what we will be seeing in Salesforce.com’s emerging cloud directory service.  The Webinar is available to those who want the details.

John highlights a number of the key emerging concepts in his piece, titled “Trust will make or break cloud ID management services”:

If identity-management-as-a-service is to take hold among enterprises it will need to be anchored by well-crafted rules for establishing trust that incorporate legal parameters and policy requirements, according to a pair of identity experts.

“Where we have seen trust frameworks be really successful in the past is where member organizations have some means and motivation for cooperation be that altruistic, economic, etc.,” said Chuck Mortimore, senior director of product management for identity and security at Salesforce.com. He cited the Shibboleth Project deployed in academia that highly incents universities to collaborate and cooperate.

“We are seeing both the U.S. government and the British government selecting trust frameworks for their respective identity initiatives,” said Kim Cameron, Microsoft’s identity architect. “You need a bunch of people who share the interest of having a trust framework.”

Trust frameworks ensure trust between those issuing an identity and the providers that accept that ID for authentication to access services or data, and in increasing cases, to tap application programming interfaces (APIs).

To wit, 62% of the traffic on Salesforce.com is API calls, mobile clients and desktop clients.

Mortimore and Cameron appeared together Tuesday on a Webinar hosted by Kuppinger Cole analyst Craig Burton.

The identity-management-as-a-service (IdMaaS) concept is rising in importance due to an emerging “API economy,” according to Burton. That economy is characterized by billions of API calls to support services sharing data on a massive, distributed scale that stretches across the enterprise and the cloud.

IdMaaS defines a cloud service that manages identity for an organization’s employees, partners and customers and connects them to applications, devices and data either in the enterprise or the cloud.

“This won’t be a point-to-point situation,” said Cameron. He said existing systems can’t handle the identity, security and privacy requirements of the cloud and its API economy. “The domain-based identity management model of the ‘90s and early 2000s is a non-starter because no one will be staying within the enterprise boundary.”

Cameron said the only way all the requirements can be met is with an identity service that fosters simplification and lower costs. And the only way that gets off the ground is through the use of trust frameworks that simplify the legal and policy requirements.

Cameron pointed to a number of current trust frameworks certification programs including Kantara and the Open Identity Exchange.

Mortimore said end-users need to start with a “baseline of security and trust” and go from there.

He said he believes most enterprises will use a hybrid identity management configuration – enterprise infrastructure plus cloud.

“We firmly believe we will see that architecture for a long time,” said Mortimore. “If you look at the core imperatives for IT, cloud and mobile apps are forcing functions for IT investments, as well as people looking at existing IDM infrastructure that is running up against friction like how do I expose this API.”

Mortimore said cloud identity management services represent a nice transition path.

Salesforce.com backed up that idea last month when it introduced Salesforce Identity, a service baked into its applications, platform, and development environment.

Mortimore ran the list of features: a directory that anchors identity management, reliance on standard schemas and wire protocols, extensibility and programmability.

“We are not running this as a Salesforce identity service, we are running it on behalf of customers. That is a critical part of these identity cloud systems. We need to facilitate the secure exchange of identities, federation, collaboration and attribute exchange,” said Mortimore.

Cameron concurred, saying “the identity management service operates your directory for you, that has to be the model.”

Microsoft’s service is called Azure Active Directory, and it offers the cloud-based services in a similar fashion to what Active Directory and other Microsoft infrastructure products (authentication, federation, synchronization) do within the enterprise.

“You need to use the efficiencies of the cloud to enable new functions in identity and provide more capability for less money,” he said.

While they are giants, Microsoft and Salesforce.com represent just a handful of providers that offer or are building cloud identity services. (Disclaimer: My employer offers a cloud identity service).


The cloud ate my homework

In mid-August I got an email that made me do a real double-take.  The subject line read:  Legacy Service End of Life – Action Required.

Action Required:

Legacy Service End of Life

Dear Kim,

We’ve been analyzing customer usage of Joyent’s systems and noticed that you are one of the few customers that are still on our early products and have not migrated to our new platform, the Joyent Cloud.

For many business reasons, including infrastructure performance, service quality and manageability, these early products are nearing their End of Life. We plan to sunset these services on October 31, 2012 and we’d like to walk you through a few options.

We understand this might be an inconvenience for you, but we have a plan and options to make this transition as easy as possible.  We’ve been developing more functionality on our new cloud infrastructure, the Joyent Cloud, for our customers who care about performance, resiliency and security.  Now’s the time to take advantage of all the new capabilities you don’t have today. Everyone that’s moved to our new cloud infrastructure has been pleased with the results.

As a new user to the Joyent Cloud, you are eligible to take advantage of Joyent Cloud’s 30-Day Free Trial using this promotional code… [etc. - Kim]

Sincerely,

Jason Hoffman
Founder and CTO
Joyent
jason@joyent.com

Of course I spend a lot of my time thinking about the cloud: people who’ve heard me speak recently know that I’ve increasingly become a zealot about the new capabilities it opens up, the API economy and all that.

So I suppose that getting a pail of cold salt water thrown in my face by Joyent was probably a good thing!  Imagine telling customers their infrastructure will be shut down within three months in an “action required” email!

We understand this might be an inconvenience for you.

Or even more surrealistic, after the hurricane,

We want you to take the time you need to focus on your personal safety, so we are extending the migration deadline from October 31, 2012 to the end of day Wednesday, November 7, 2012.

By the way, don’t think I was using a free service or an unreasonably priced plan.  I had been on a Joyent “dedicated accelerator” for many years with an upgraded support plan – on which I only ever made a single call.  This site was the very one that was breached due to a WordPress cross-site scripting bug as described here [note that my view of Joyent as a professional outfit has completely changed in light of the 2 month fork-lift ultimatum they have sent our way].

Anyway, to make a long and illuminating story short, I’ve decided to leave Joyent in the dust and move towards something more professionally run.  Joyent served up what has to be one of the nightmare cloud scenarios – the kind that can only give the cloud a bad name.  Note to self:  Read the fine print on service end-of-life.  Tell customers to do the same.

Meanwhile, I’ve taken advantage of the platform change to move to the latest version of wordpress.  This meant paying the price for all the modifications to wordpress I had made over the years to experiment with InfoCards, OpenID, U-Prove, SAML, WS-Trust and the like on a non-Microsoft platform.

So friends, please bear with me while I get through this – with a major goal of keeping all the history of the site intact.  There are still “major kinks” I’m working out – including dealing with the picture in the theme, re-enabling comments and porting the old category system to the new WordPress mechanisms [categories now work - Kim].  Nonetheless, if you see things that remain broken please email me or contact me by Twitter or LinkedIn.

OK – I now “throw the big DNS switch in the sky” and take you over to the new version of Identityblog.