Joris Evers at CNET wrote a piece that captures my presentation to the recent Digital Identity World.
In a session called “Understanding Cardspace in the Enterprise”, Patrick Harding from Ping Identity went through a series of use cases and scenarios at a very practical and convincing level, and then Ashish Jain gave an amusing and clear demo of how Active and Passive technologies could be used together to solve the Enterprise's identity problems. I'll try to get links to those presentations for the blog.
To build on this at a more theoretical level, I talked about where all of this is going within a longer term perspective, and in terms of fundamental dynamics.
The main idea I tried to convey was that if we made access control natural and easy enough that everyone could control it – and understand it – we wouldn't need to delegate nearly as much to layers of professional configuration experts as we do today.
That isn't to say there shouldn't be corporate oversight or purely automated systems, but if the technology works well enough, oversight can be done as it is in other fields – by setting behavioral procedures and auditing them.
One thing that Joris didn't pick up on – it seems I wasn't clear enough about it – is that I'm not saying we solve all these problems in Vista.
We make big strides with information cards, but need to get the access control side of things up to the same standard in terms of visualization and natural interface. So I hope everyone understands I was expressing a vision that we could begin discussing, not doing a sales pitch for a specific product.
By using technology known as Windows CardSpace, formerly code-named InfoCard, individuals in an organization could grant access to outsiders without having to involve the IT department, Kim Cameron, identity and access architect at Microsoft, said in a presentation Wednesday at the Digital ID World Conference here.
“The main role of information cards in the enterprise is to devolve access control to the resource owners,” Cameron said. “Setting access control policies becomes a naturalistic and intuitive and visual process.”
With today's systems, granting a third party access to a corporate resource has become fraught with red tape, stifling business, Cameron argued. With CardSpace, owners of certain information resources at an organization can easily unlock those to specific outsiders by making their own risk assessment, he said.
“My belief is that trust is local,” Cameron said. “Make the granting of access easy enough so that users can do it, albeit under adult supervision.”
Layers of bureaucracy have arisen from the lack of efficiencies in today's identity management technologies, Cameron said. Typically, any kind of access control is handled by a specific department in an enterprise because the technology is very complex, he said.
“Business people can't actually do directly the kinds of things that they want because it is too hard,” Cameron said. “If we continue to organize this by doing it all in a centralized, bureaucratic way, then you end up with solutions that are increasingly complex.”
CardSpace is a component of the Microsoft .NET Framework version 3.0, which was formerly called WinFX. Microsoft has been promoting the technology as a way to make using digital identities easier and safer and replace username and password as the means of verifying identity on the Internet.
Microsoft envisions the use of CardSpace and granting access in Windows Vista to be as simple as using a word processor. Vista, the successor to Windows XP, is due to be broadly available in January. (Kim's note: this is where I want to make it clear that making access control as simple as we've made identity assertion still requires a lot more research.)
“Nowadays nobody has to go and learn how to do word processing; everybody knows how to do it. That is the kind of approach that will allow us to really have secure controlled access that works for business purposes,” Cameron said.