I am happy to see that Nishant Kaushik (@NishantK) has responded to the posts I've been doing on IdMaaS. Nishant has strong ideas, having led product architecture and strategy within the Identity Management & Security Products group at Oracle for many years. Nowadays he is with a startup called Identropy and writes the blog TalkingIdentity.
Nishant's main concern in his first post was that I've gone as far as I have without discussing the importance of governance controls. I'm going to save this issue for my next piece, since Nishant also ended up in a spirited conversation with Craig Burton that is really worth following. He wrote:
Craig Burton thinks that this vision, and the associated work Microsoft is doing on Windows Azure Active Directory (as described in this post by John Shewchuck) is “profoundly innovative”. I’ll be honest, I’m having a little trouble seeing what is so innovative about WAAD itself. How is the fact that becoming an Office 365 customer automatically gives you an AD in the cloud that you can build/attach other Azure applications to that different from Oracle saying that deploying a Fusion Application will include an OUD based identity store that the enterprise can also use for other applications? Apart from being in the cloud and therefore far easier to use in federated identity (SAML, OpenID, OAuth) scenarios. But I’ll wait to hear more before commenting any further (though John Fontana and others have already weighed in).
Craig Burton, as is his trademark, includes a few lightning bolts in his response:
Nishant must not have read my post very carefully. In my explanation of why Microsoft’s vision for IDMaaS is so profound, he failed to notice that I never once mentioned WAAD (Windows Azure Active Directory) or Office 365. There is a reason for that. I am not applauding Microsoft’s — or any other vendor’s — implementation of IDMaaS.
What is so profound about this announcement is that Microsoft is following Kim Cameron’s directives for building a Common Identity Framework for the planet, not just for a vendor.
In section 5.4 of that document, the authors spell out the requirement for customer Freedom of Choice.
Freedom of Choice
Freedom of choice for both users and relying parties refers to choice of service operators they may wish to use as well as to the interoperability of the respective systems.
This definition is quite different than the freedom of choice Mr. Kaushik writes about in his blog piece. I posit that the Microsoft vision is so profound because it is built on a definition of Freedom of Choice that fits the above description and not where the customer is free to choose a particular captor.
And so I state again:
Freedom of Choice != Your Choice of Captor
Microsoft’s vision has changed the playing field. Any vendor building IdMaaS that is not meeting the Freedom of Choice requirements defined here is no longer in the game. That is profoundly innovative because this is truly a vision that benefits everyone — but mostly the customer.
With these remarks Craig starts really getting to the bare bones of what it takes to be trusted to manage identity for enterprises and governments.
It didn't take long before Nishant fired off a second dispatch accepting Craig's points and clarifing what he saw as the real issues:
I want to be clear: I am not questioning the vision that Kim Cameron has started to talk about in his posts about IDMaaS (though I was bringing up a part – the governance controls – that I felt was missing and that I believe has a major impact on the architecture of a Common Identity Framework, as Craig called it). And I am completely in agreement with what Craig described in his original post in the section “Stop Gushing and Lay it Out for Me”.
Craig talks about how Freedom of Choice necessarily includes Freedom from Captor. He then says “This definition is quite different than the freedom of choice Mr. Kaushik writes about in his blog piece“. I’m not sure why he thinks that, because what I am saying is exactly in line with what Craig and Kim are saying. It is what I have been saying since back in 2006 when I first started talking about the Identity Services Platform, which talks about the framework through which identity-enabled applications (essentially any application) consume identity from standardized services that can plug into any identity system or metasystem.
What I was pointing out was that John Shewchuck’s post about WAAD seemed to indicate a lack of Freedom of Choice in what Microsoft is rolling out, at least right now. Becoming an Office 365 customer would “automatically create a new Windows Azure Active Directory that is associated with the Office 365 account“, forcing you to store and manage your identities in WAAD. It should simply ask for the domain from which users could use this, and you could simply point to the Google Apps domain of your company, sign up for WAAD if needed, or grant access to contractors/partners using whatever identity they choose (traditional AD environment, Facebook or Twitter accounts, even personal OpenIDs). By the way, the governance controls I was talking about are essential here in order to define the process of granting, managing and taking away access in this deployment model.
When I said “I’m having a little trouble seeing what is so innovative about WAAD itself”, I was pointing out my opinion that the details in John’s post did not seem to match up with the vision being outlined in Kim’s post, representing the kind of disconnect that Craig himself called out as a risk at various times in his post, but most notably in the section titled Caveats. I guess I’m not quite ready to make the leap that Microsoft’s work will line up Kim’s vision, and was calling out the disconnect I was seeing. And when Craig said “Microsoft is not only doing something innovative – but profoundly innovative”, I assumed he was talking about WAAD and related work, and not just referring to what Kim is talking about.
Nishant goes on to give more examples of how he thinks Office 365 could be implemented. I won't discuss those at this point since I think we should save our implementation discussions for later. First we need a more thorough conversation about what IdMaaS actually involves given all the changes that are impacting us. It is these definitions that must lead to implementation considerations. I hope Nishant will bear with me on this so we can continue the discussion begun so far.
I also want, in deference to Nishant and others who may have similar concerns, make a few remarks on what we have rolled out right now. I want to be really clear that while I think we already do a number of things really well and in a robust way at very high scale, there are all kinds of things we still don't do that form an integral part of our vision for what must be done. Anyone who says they can do all that is needed just doesn't, in my view, have a vision.
On the other hand, I hope we can steer clear of overly simplified recipies for what complicated offerings like Office 365 require as identity management. For example, applications like Office need directories and places to store information about people in them, and nowhere is it written in stone that this should be done by sending realtime queries to dozens or thousands of systems. Enterprise users want directory lookup that is as fast and reliable when served from the cloud as it is on premises. And so on. My point here is not to argue for one solution versus another, but to invite Nishant and others who may be interested to zero in on the broad set of requirements before getting overly committed to possible ways of meeting them.