{"id":1213,"date":"2012-06-11T08:27:17","date_gmt":"2012-06-11T16:27:17","guid":{"rendered":"\/?p=1213"},"modified":"2012-11-08T09:36:55","modified_gmt":"2012-11-08T09:36:55","slug":"freedom-of-choice-your-choice-of-captor","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=1213","title":{"rendered":"Freedom of choice != Your choice of captor"},"content":{"rendered":"<div class=\"entry\">\n<p>I am happy\u00a0to see that Nishant Kaushik\u00a0(<a href=\"https:\/\/twitter.com\/#!\/nishantk\">@NishantK<\/a>)\u00a0\u00a0<a href=\"http:\/\/blog.talkingidentity.com\/2012\/06\/how-do-governance-controls-fit-into-idmaas.html\">has responded<\/a>\u00a0to <a href=\"\/?p=1205\">the<\/a>\u00a0<a href=\"\/?p=1209\">posts <\/a>I&#39;ve been doing on IdMaaS.\u00a0 Nishant has strong ideas, having led product architecture and strategy within the Identity Management &amp; Security Products group at Oracle for many years.\u00a0\u00a0Nowadays he is\u00a0with a startup called <a href=\"http:\/\/www.identropy.com\/\">Identropy<\/a>\u00a0and writes\u00a0the blog <a href=\"http:\/\/blog.talkingidentity.com\/\">TalkingIdentity<\/a>.<\/p>\n<p>Nishant&#39;s main\u00a0concern\u00a0in his first post was that\u00a0I&#39;ve gone as far as I have without discussing\u00a0the importance of <em>governance controls<\/em>.\u00a0 I&#39;m going to save this\u00a0issue for my next piece, since\u00a0Nishant also\u00a0ended up in a spirited conversation with\u00a0<a href=\"http:\/\/blogs.kuppingercole.com\/burton\/2012\/06\/10\/freedom-of-choice-your-choice-of-captor\/\" class=\"broken_link\">Craig Burton<\/a> that is really worth following.\u00a0 He wrote:<\/p>\n<blockquote><p>Craig Burton thinks that this vision, and the associated work Microsoft is doing on Windows Azure Active Directory (as described in <a href=\"http:\/\/blogs.msdn.com\/b\/windowsazure\/archive\/2012\/05\/23\/reimagining-active-directory-for-the-social-enterprise-part-1.aspx\" class=\"broken_link\">this post <\/a>by John Shewchuck) is \u201cprofoundly innovative\u201d. I\u2019ll be honest, I\u2019m having a little trouble seeing what is so innovative about WAAD itself. How is the fact that becoming an Office 365 customer automatically gives you an AD in the cloud that you can build\/attach other Azure applications to that different from Oracle saying that deploying a Fusion Application will include an OUD based identity store that the enterprise can also use for other applications? Apart from being in the cloud and therefore far easier to use in federated identity (SAML, OpenID, OAuth) scenarios. But I\u2019ll wait to hear more before commenting any further (though John Fontana and others <a href=\"http:\/\/www.zdnet.com\/blog\/identity\/microsoft-unveils-ad-azure-strategy-id-management-reset\/507?tag=search-results-rivers;item1\" class=\"broken_link\">have already weighed in<\/a>).<\/p><\/blockquote>\n<p>Craig Burton, as is his trademark, includes a few lightning bolts in his response:<\/p>\n<blockquote><p>Nishant must not have read my post very carefully. In my explanation of why Microsoft\u2019s vision for IDMaaS is so profound, he failed to notice that I never once mentioned WAAD (Windows Azure Active Directory) or Office 365. There is a reason for that. I am not applauding Microsoft\u2019s \u2014 or any other vendor\u2019s \u2014 implementation of IDMaaS.<\/p>\n<p>What is so profound about this announcement is that Microsoft is following Kim Cameron\u2019s directives for building a Common Identity Framework for the planet, not just for a vendor.<\/p>\n<p>In 2009 <a href=\"https:\/\/www.identityblog.com\/\">Kim Cameron<\/a>, <a href=\"http:\/\/www.digitalenlightenment.org\/index.php\/about\/item\/110-reinhard-posch\" class=\"broken_link\">Reinhard Posch<\/a> and <a href=\"http:\/\/www.digitalenlightenment.org\/index.php\/about\/item\/111\" class=\"broken_link\">Kai Rannenberg<\/a> wrote <a href=\"\/wp-content\/images\/2009\/06\/UserCentricIdentityMetasystem.pdf\">Proposal for a Common Identity Framework: A User-Centric Identity Metasystem<\/a>.<\/p>\n<p>In section 5.4 of that document, the authors spell out the requirement for customer Freedom of Choice.<\/p>\n<p style=\"padding-left: 30px;\"><strong><em>Freedom of Choice<\/em><\/strong><\/p>\n<p style=\"padding-left: 30px;\"><em>Freedom of choice for both users and relying parties refers to choice of service operators they may wish to use as well as to the interoperability of the respective systems.<\/em><\/p>\n<p>This definition is quite different than the freedom of choice Mr. Kaushik writes about in his blog piece. I posit that the Microsoft vision is so profound because it is built on a definition of Freedom of Choice that fits the above description and not where the customer is free to choose a particular captor.<\/p>\n<p>And so I state again:<\/p>\n<p align=\"center\"><em><strong>Freedom of Choice\u00a0!= Your Choice of Captor<\/strong><\/em><\/p>\n<p>Microsoft\u2019s vision has changed the playing field. Any vendor building IdMaaS that is not meeting the Freedom of Choice requirements defined here is no longer in the game. That is profoundly innovative because this is truly a vision that benefits everyone \u2014 but mostly the customer.<\/p><\/blockquote>\n<\/div>\n<p>With these remarks Craig starts really\u00a0getting to the bare bones of what\u00a0it takes to be <strong><em>trusted <\/em><\/strong>\u00a0to manage identity for enterprises and governments.\u00a0<\/p>\n<p><a href=\"http:\/\/en.wikipedia.org\/wiki\/The_Comedy_of_Errors\"><img src=\"\/wp-content\/images\/2012\/06\/DaveKearnsTweet.jpg\" alt=\"\" \/><\/a><\/p>\n<p>It didn&#39;t take long before Nishant\u00a0fired\u00a0off a second dispatch\u00a0accepting Craig&#39;s \u00a0points and\u00a0clarifing what he saw as the real issues:<\/p>\n<blockquote><p>I want to be clear: I am not questioning the vision that Kim Cameron has started to talk about in his <a href=\"http:\/\/bit.ly\/KLJP00\" target=\"_blank\">posts<\/a> about IDMaaS (though I was bringing up a part \u2013 the governance controls \u2013 that I felt was missing and that I believe has a major impact on the architecture of a <em>Common Identity Framework<\/em>, as Craig called it). And I am completely in agreement with what Craig described in his <a href=\"http:\/\/ow.ly\/bpRlg\" target=\"_blank\">original post<\/a> in the section \u201cStop Gushing and Lay it Out for Me\u201d.<\/p>\n<p>Craig talks about how <em><strong>Freedom of Choice<\/strong><\/em> necessarily includes <em><strong>Freedom from Captor<\/strong><\/em>. He then says \u201c<span style=\"color: #333333;\">This definition is quite different than the freedom of choice Mr. Kaushik writes about in his blog piece<\/span>\u201c.\u00a0 I\u2019m not sure why he thinks that, because what I am saying is exactly in line with what Craig and Kim are saying. It is what I have been saying since back in 2006 when I first <a href=\"http:\/\/bit.ly\/3obVvL\" target=\"_blank\">started talking about<\/a> the <strong>Identity Services Platform<\/strong>, which talks about the framework through which identity-enabled applications (essentially any application) consume identity from standardized services that can plug into any identity system or metasystem.<\/p>\n<p>What I was pointing out was that John Shewchuck\u2019s <a href=\"http:\/\/bit.ly\/L4rXyF\" target=\"_blank\" class=\"broken_link\">post about WAAD<\/a> seemed to indicate a lack of Freedom of Choice in what Microsoft is rolling out, at least <span style=\"text-decoration: underline;\">right now<\/span>. Becoming an Office 365 customer would \u201c<span>automatically create a new Windows Azure Active Directory that is associated with the Office 365 account<\/span>\u201c, forcing you to store and manage your identities in WAAD.\u00a0 It should simply ask for the domain from which users could use this, and you could simply point to the Google Apps domain of your company, sign up for WAAD if needed, or grant access to contractors\/partners using whatever identity they choose (traditional AD environment, Facebook or Twitter accounts, even personal OpenIDs). By the way, the governance controls I was talking about are essential here in order to define the process of granting, managing and taking away access in this deployment model.<\/p>\n<p>When I said \u201cI\u2019m having a little trouble seeing what is so innovative about WAAD itself\u201d, I was pointing out my opinion that the details in John\u2019s post did not seem to match up with the vision being outlined in Kim\u2019s post, representing the kind of disconnect that Craig himself called out as a risk at various times in his post, but most notably in the section titled <em>Caveats<\/em>. I guess I\u2019m not quite ready to make the leap that Microsoft\u2019s work will line up Kim\u2019s vision, and was calling out the disconnect I was seeing. And when Craig said \u201cMicrosoft is not only doing something innovative \u2013 but profoundly innovative\u201d, I assumed he was talking about WAAD and related work, and not just referring to what Kim is talking about.<br \/>\n<!-- AddThis Button BEGIN --><\/p><\/blockquote>\n<p>Nishant\u00a0goes on to give more examples of how he thinks Office 365\u00a0could be implemented.\u00a0 I won&#39;t\u00a0discuss those at this point since I think we should\u00a0save our\u00a0implementation discussions for later.\u00a0 First we need a more thorough conversation about what IdMaaS actually involves given all the changes that are impacting us.\u00a0 It is these definitions that must lead to implementation considerations.\u00a0\u00a0I hope\u00a0Nishant will bear with me on this so we can continue the discussion begun so far.<\/p>\n<p>I\u00a0also want, in deference to Nishant and others who may have similar concerns, make a\u00a0few remarks on what we have rolled out right now.\u00a0 I want to be really clear that while I think we already do a number of things really well and\u00a0in a robust way at\u00a0very high\u00a0scale, there are all kinds of things we still don&#39;t do that form an integral part of our vision for what must be done.\u00a0\u00a0Anyone who says they <em>can<\/em> do all that\u00a0is needed just doesn&#39;t, in my view, have a vision.<\/p>\n<p>On the other hand, I hope we can steer clear of overly simplified recipies for what complicated offerings like Office 365 require as identity management.\u00a0\u00a0For example, applications like Office\u00a0need directories\u00a0and places to store information about people in them, and nowhere is it written in stone that this should be done by sending realtime queries to dozens or thousands of systems.\u00a0\u00a0 Enterprise users want directory lookup that is as fast and reliable when served from the cloud as it is on premises.\u00a0\u00a0And so on.\u00a0 My point here is not to argue for one solution versus another, but to invite Nishant and others who may be interested to zero in on\u00a0the broad set of\u00a0requirements\u00a0before getting overly committed to\u00a0possible ways of meeting them.<\/p>\n<p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Craig says any vendor building IdMaaS that is not meeting the Freedom of Choice requirements defined here is no longer in the game.<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2,86,8,87],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1213"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1213"}],"version-history":[{"count":1,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1213\/revisions"}],"predecessor-version":[{"id":1324,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1213\/revisions\/1324"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1213"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1213"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1213"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}