{"id":1211,"date":"2012-06-05T15:01:10","date_gmt":"2012-06-05T23:01:10","guid":{"rendered":"\/?p=1211"},"modified":"2012-11-08T09:38:38","modified_gmt":"2012-11-08T09:38:38","slug":"craig-burton-on-microsofts-identity-management-as-a-service","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=1211","title":{"rendered":"Craig Burton on Microsoft's Identity Management as a Service"},"content":{"rendered":"

Craig Burton<\/a>\u00a0first\u00a0achieved prominence\u00a0as the Senior Vice President of Corporate Marketing and Development who drove Novell's innovation and market strategies in the days when it was aggressively turning computing upside down.\u00a0Some years later he founded the Burton Group with Jamie Lewis.\u00a0 Today he is a Distinguished Analyst for Kuppinger Cole, where he just published an intriguing\u00a0response to the blogs\u00a0John <\/a>and I have been doing: \u00a0Microsoft is Finally Being Relevant<\/a>.<\/p>\n

For now I'll refrain from comment and just offer up the goods:<\/p>\n

Microsoft is Finally Being Relevant<\/span>
\nSurprise surprise. For the last few years it looked as if the battling business units and power struggles within Microsoft had all but rendered the company incapable of doing anything innovative or relevant<\/a>. But clearly something has happened to change this lack of leadership and apparent stumbling in the dark. Microsoft is not only doing something innovative \u2014 but profoundly innovative.<\/p>\n

In a dual post by Microsoft\u2019s John Shewchuk<\/a> and Kim Cameron<\/a>, the announcement was made about what Kim Cameron alluded to at the KuppingerCole EIC in April \u2014 Identity Management as a Service (IDMaaS).<\/a> This is not trivial, and does not suck. It ROCKS.
\nWhy is Identity Management as a Service a Big Deal<\/span>
\nFrom a technical perspective, the place where innovation really makes a difference is the place where the rubber meets the road \u2014 infrastructure. Infrastructure is not only fundamental\u2014as it provides the technical framework and underpinning to support big change \u2014 but infrastructure is hard.<\/p>\n

It\u2019s also hard to get funded and hard to sell both outside and inside of companies that make infrastructure.<\/p>\n

This is because there is little possibility of showing a direct ROI in core infrastructure investment. It takes vision and guts to invest in infrastructure.<\/p>\n

Nobody wants to buy identity infrastructure. In fact no one should have to pay for identity infrastructure. It should be ubiquitous, work, and be free to everyone and controlled by no one. Infrastructure at this level is as fundamental as air. You don\u2019t think about it, you don\u2019t buy it; you just breathe it in and out and get on with the details.<\/p>\n

Metaphorically, when it comes to the maturity of identity infrastructure today\u2014we are all sucking on thin air from teeny tubes of infrastructure veneer connected to identity silos (Facebook Connect, Twitter, Federated Identity and so on.)<\/p>\n

It\u2019s much like the other core suite of protocols of the Internet \u2014 like TCP\/IP. TCP\/IP is free as far as a piece of software goes. No one ever pays for the transport anymore.<\/p>\n

So should be the protocols and infrastructure for doing Identity Management.\u00a0 With this announcement Microsoft is showing that it understands Identity Infrastructure is fundamental to everything in the hybrid world of social-mobile-cloud networking that we are stumbling towards.<\/p>\n

Further, Microsoft is making it clear it understands that the current identity provider-centric world we live in now is broken and simply will not work for the future. Significant movement forward from this wretched state requires massive change \u2014 which is what Microsoft is proposing.<\/p>\n

From a political and business perspective, Kim Cameron\u2019s vision of a ubiquitous Identity Metasystem has somehow prevailed inside Microsoft and is starting to emerge. This is a big deal. Finally a company with lots of talent that has been wallowing from lack of leadership has stepped up and put a stake in the ground about Identity. Bravo!<\/p>\n

Everybody else of significance that could be doing something significant with identity infrastructure \u2014 Google, Facebook, and Amazon for starters \u2014 are trapped in their current business models of trafficking your identity for short term profit. For each of them, the little piece they hold captive of your identity is the product by which they are making money. This is both short sighted and unsustainable.<\/p>\n

Microsoft\u2019s plan is much grander. Invest in the hard stuff, solve the really tough identity infrastructure problems across the board\u2014simple, private, and scalable. By taking this high road, Microsoft is betting it can take the leadership role by increasing the size of the pie for other SaaS services and apps that organizations and individuals want and are willing to pay for. Much more visionary that continuing to fight over whatever crumb you can get based on the current broken model.<\/p>\n

If Microsoft is allowed to pull this off, it is a good thing.
\nStop Gushing and Lay it Out for Me<\/span>
\nTo understand the significance of IDMaaS, it\u2019s useful to take a quick look at how identity management systems have evolved.<\/p>\n

Figure 1 shows how identities started out being managed within the boundaries of a domain. Domain-based identity managed need hardly be mentioned here as it can\u2019t possibly meet any of the requirements for identity management in today\u2019s organizational environments. For its day, it worked and it was a good place to start.<\/p>\n

\"\"<\/a><\/p>\n

Figure 1: Domain Contained Identity<\/em><\/p>\n

Figure 2 illustrates the first generation of federated identity management systems. This is a powerful model and was a big step forward from the domain model. In this model there is a service provider that accepts claims from an identity provider. A person can then prove who they are to the identity provider and present claims to the service provider to assure proper access to services and resources. This model works when these a relatively small number of parties involved. But as soon as there a diverse number of parties, it quickly breaks down.<\/p>\n

\"\"<\/a><\/p>\n

Figure 2: Identity Federation Model<\/em><\/p>\n

Figure 3 shows the scenario with diverse people with diverse relationships with different IPs. When you add diverse and numerous types of devices \u2014 cell phones, tablets, laptops and so on \u2014 it even makes the case stronger as to why the current federated identity model is reaching its limits.<\/p>\n

\u00a0\"\"<\/a><\/p>\n

Figure 3: Diverse People and Devices<\/em><\/p>\n

So if the Federated Identity model doesn\u2019t work, what will? Figure 4 shows one school of thought were a single IP can somehow grow big enough and inclusive enough, it can manage all of the identity claims of all entities. This architecture is both frightening and poorly thought out. People and organizations need to have the freedom of choice of how their identities are managed and not be locked into an identity management silo of a single provider.<\/p>\n

\"\"<\/a><\/p>\n

Figure 4: Omni Identity Provider<\/em><\/p>\n

Figure 5 is another \u2014 simpler \u2014 graphic showing how a single organization could have federated relationships with multiple constituents. Again, this approach works to a point, but as soon as you consider the impact of the identity explosion brought on by \u2014 cloud computing, social computing, mobile computing, and the API economy \u2014 this approach simply won\u2019t do the job.<\/p>\n

\"\"<\/a><\/p>\n

Figure 5: Organization Federated to Many Constituents<\/em><\/p>\n

Figure 6 then, shows the simplified notion of the IDMaaS architecture. Any number of organizations, constituents or entities can generate and consume claims through the service in the cloud.<\/p>\n

\"\"<\/a><\/p>\n

Figure 6: Any Entity and Any Number of Entities<\/em><\/p>\n

Of course Figure 6 doesn\u2019t very effectively illustrate what the three black dots really mean. With the identity explosion we are talking about, the number of entities that are inevitable are several orders of magnitude bigger than anything we have even thought about up to this point.<\/p>\n

We are in new territory, it is very unclear what is going to happen as a result all of this.<\/p>\n

The fact that Microsoft seems to be acknowledging this fact and is working with vision to address the matter is highly encouraging.<\/p>\n

We are not seeing this kind of vision \u2014 or anything close to it \u2014 from any other major vendor to date.
\nCaveats<\/span>
\nThe biggest problem I see here is Microsoft itself. It isn\u2019t like Microsoft has the reputation of always taking the high road to enhance technology to the benefit of all. To the contrary, Microsoft has the reputation of pretending to take the high road with an \u201cembrace and extend-like\u201d position while executing an exacting and calculating \u201cembrace and execute\u201d practice. Microsoft has become the arrogant elephant to dance with that IBM once was. Microsoft\u2019s past is going to be difficult to shed and it will be a significant effort to convince others that the elephant won\u2019t trample on everyone when it gets the chance.<\/p>\n

\"\"<\/a><\/p>\n

Figure 7: The New Microsoft?<\/em><\/p>\n

(Source: Craig Burton, drawn on the iPhone with Autodesk SketchBook Pro)<\/em><\/p>\n

So the tough questions are:<\/p>\n