... you're waiting for an identity management acquisition and then along come three at once. This time it's IBM which has acquired 40-person, privately-held Encentuate. If you think that Ecentuate's size is indicative of gap-filling motivations from IBM then you'd be right. The 7-year old company is a specialist in enterprise single sign-on (ESSO), which until now has been provided through IBM's OEM relationship with Passlogix. Clearly, owning rather than OEMing technology gives IBM greater control of its ESSO destiny - particularly as Encetuate is Java-based which should help with integration with the broader Tivoli identity management portfolio. In fact, during the announcement briefing the two companies explained how Tivoli Identity Manager is already able to manage Encentuate provisioning (although there are no production customer deployments). This is presumably the result of work that IBM Global Services did with Encentuate at the Singapore Government: the two companies weren't technology partners.

Having said this is largely about filling gaps in the IBM identity management portfolio, Encentuate does bring more than ESSO to the IBM table. The company has done a good job of integrating with a variety of strong authentication solutions and has a rather nifty ability to take physical access tokens (door swipes and so forth) so that they can be used as second authentication factors. Encentuate also has some neat audit and compliance capabilities which IBM will undoubtedly tie into the Tivoli Compliance Insight Manager (based on the acquisition of Consul in late 2006). In addition to the technology upside, Encentuate could also help IBM in the healthcare market, where smaller players such as Imprivata and Sentillion have done quite well: there's a good smattering of healthcare customers amongst Encentuate's 80.

Overall a smart acquisition by IBM. I am not so sure whether IBM's Tivoli Access Manager for Enterprise Single Sign-on customers will be quite so happy though. The company has committed to continued support but the next iteration of the product is going to shift from Passlogix to Encentuate. IBM will make it attractive for them to move but replacing identity and security solutions is, by definition, a risky business and I am sure they will have to carefully balance the risks of moving against those associated with sticking with a product which is not going to see further development.

Hot on the heels of last week's acquisition of Credentica by Microsoft, Ping Identity (who I covered here in an On The Radar report) announced yesterday that it has acquired the Sxip Access business unit from Sxip Identity.

Sxip was early to spot the potential opportunity in providing organisations with a simple, easy-to-deploy single sign-on (SSO) solution for software-as-a-service (SaaS). Sxip Access was its response to that opportunity, combining provisioning capabilities with some Sxip hosted services and an appliance. The company had also cultivated relationships with the likes of Salesforce.com and Google (for Google Apps).

The acquisition of Sxip Access is a smart move by Ping Identity. Although it can be used to provide SSO for SaaS, PingFederate (the company's flagship multi-protocol federated identity offering) lacks some of the rapid implementation and deployment capabilities of Sxip Access. Part of the SaaS proposition is that organisations can get up-to-speed much more rapidly. Authentication and authorisation shouldn't hold you back: something that Sxip Access should help to prevent. Back in September Ping began to actively target the SaaS opportunity, allowing providers to sell PingFederate-based SSO to their customers and share the revenue with Ping. Yesterdays announcement should accelerate this.

(As an aside, I do wonder whether we might see Ping's SignOn.com user-centric identity offering heading in the other direction, given that Sxip is now fairly-and-squarely focused there).

Ping and Sxip, whilst they are comparatively small, punch above their weight when it comes to identity mindshare. I wonder whether this announcement might shake the much larger incumbent identity management vendors, none of whom have really articulated a credible SaaS proposition, into action. It should. SaaS buying decisions often bypass the IT organisation and the business buyers aren't (and in fact shouldn't be) interested in identity management: they want access. If a Salesforce.com recommends that the customer just needs to get their IT department to deploy this box and hook it up to the existing identity management solution so be it. Job done. With SaaS increasing in popularity, particularly in the SME segment where they have struggled to gain a foothold, the incumbents need a strong proposition or lose out to the likes of Ping.

Perhaps it's because we're in the run up to the holiday season or because the press release came from the UK that accounts for the lack of commentary on the announcement that Experian has developed a CardSpace proof of concept with Microsoft. This is notable for a couple of reasons.

First it's another of what is still a comparatively rare breed of "real-world" adoptions of CardSpace (Otto in Germany, which I commented on back in September, being another).

Second it sees Experian exploiting the wealth of information it has gathered about individuals, together with its relationships with commerce service providers due to its position as the largest credit checking agency in the UK (it claims to process over 70% of all UK credit applications), to position itself as an identity provider.

In a nutshell Experian plans to issue individuals with a 'Experian Card' information card. When the individual visits a CardSpace-enabled site, they will be able to present the 'Experian Card' when challenged to provide credentials and other identity-related data. CardSpace (and presumably non-Microsoft identity selector alternatives, such as the Bandit Project's DigitalMe) would then send a request to Experian to validate the identity and return a signed token to be used by the site to determine whether the individual is who they claim to be.

Having a proof-of-concept is one thing but Experian is in a similar position to the first person to invest in a fax machine. They need others to participate if the technology isn't to languish as just an interesting experiment. Experian, because it is already trusted by service providers, is well positioned to get the identity selector ball rolling and according to the press release is

already in discussion with a number of organisations

and

will be in a position to demonstrate it to organisations, with the ultimate intention of launching an Identity Management Service in the near future.

That's only half the story though. The customers of those service providers also need to come on board. Whilst the wallet metaphor of CardSpace is intuitive, we have all grown too accustomed to the username/password/PIN/mother's maiden name ... approach to authentication and I am not convinced by Experian's claims that

there will be enormous demand for such a service from ... consumers

Rather, I think Experian is going to have to encourage service providers to actively promote the identity selector approach, not least because individuals (unless they are using Windows Vista) are going to have to install CardSpace or a non-Microsoft alternative.

I definitely don't want to pour cold water on the announcement. It's encouraging to see the adoption of "user-centric" (a term that I think is going to bandied about less in 2008) alternatives to traditional authentication mechanisms, given the enhanced usability and security, and I hope we do see a launch with a healthy group of service providers in the near future. Definitely something to watch.

Back in September Oracle announced that it had acquired privately-held Enterprise Role Management (ERM) player Bridgestream continuing its "identity management-through-acquisition" strategy. With many eyes focused on the company's Oracle Open World shindig this week, Sun also entered the fray with its plans to acquire another leader ERM independent: Vaau. Role-based access control (RBAC) is hardly new: the US' National Institute of Standards and Technology (NIST) initiated standardisation efforts back in 2000 and an ANSI/INCITS standard (359-2004 if you're that way inclined) was published in 2004. So why all this acquisition activity?

As with many things identity management, it's primarily driven by compliance, with a small helping of increased operational efficiency and cost reduction. As well as promising to streamline the provisioning and de-provisioning of entitlements, roles can help organisations to define, enforce and demonstrate those entitlements to address regulatory compliance demands.
The realisation of that potential, however, has proved elusive. Organisations have struggled to identify (!) the roles that they need, and inconsistent management approaches have often resulted in an explosion of roles to the point where there are as many roles as users. The likes of Bridgestream, Eurekify and Vaau, whose offerings provide role discovery, analysis, allocation and provisioning, emerged specifically to address these challenges, creating the identity management sub-market of ERM along the way.

With compliance top-of-mind for many of their customers and prospects, the major identity management suite vendors who were unable to respond as rapidly as the nimble ERM start-ups quickly established partnerships and, in some cases, moved beyond the press release to actually provide pre-built integration. Sun, for example, provides bi-directional data integration with Vaau (which should help to speed up the integration process). With two of the leading ERM players now with competitors, this leaves the likes of CA and IBM in an interesting position. Their partnership teams no doubt have their eyes (and potentially their wallets) pointing in the direction of Israel, where Eurekify is based.

Some of you may wonder why I didn't include Novell in this list. Had I been writing this post straight after the Sun announcement it would have been. But not long after the announcement I came across this post from an identity management group blog at Novell, which discusses how the company has been building its own role management capabilities, focused on role provisioning, exploiting its directory heritage (discussed in more detail in our assessment here) and partnership with Eurekify for role discovery and analysis. The post's author claims no knowledge of acquisition talks. Then lo and behold, and far be it from me to suggest that Sun's announcement had anything to do with the timing, the next day Novell announced its new Roles Based Provisioning Module.

Of course, a Eurekify acquisition by Novell could still be on the cards, despite the blogger's ignorance of any such discussions, but it seems to me based on Novell's stated strategy that the Israeli company is more likely to end up in the arms of CA or IBM.

The implications for customers are varied. Bridgestream and Vaau customers, who have plumped for a vendor other than Oracle or Sun, should be a little nervous and seeking concrete assurances regarding ongoing support. Customers of the likes of CA, IBM and Novell who are considering ERM will have to think very carefully before plumping for Bridgestream or Vaau for similar reasons.

Ben Laurie of The Bunker Secure Hosting has a provocative post about the two emerging (and that's important) leaders in user-centric identity: OpenID and CardSpace. He quite rightly points out that at present OpenID's:

popularity is entirely on the provider side. There are no consumers of note.

and that CardSpace:

appears to live in its own little world, supported only by Microsoft products

I think this is to be expected given that we are still in the early stages of both.

Where I find myself disagreeing with Ben, however, is with his conclusion about CardSpace:

So why does this make Cardspace like Passport? Well, the fear with Passport was that Microsoft would control all your identity. The end result was that Microsoft was the only serious consumer of Passport. When Cardspace is deployed such that all providers and consumers of identity are really the same entity, then all its alleged privacy advantages evaporate. As I have pointed out many times before, when consumers and providers collude, nothing is secret in Cardspace (and all other standard signature-based schemes). So, there?s no practical difference between Cardspace and Passport right now.

Ben's right about the implications for privacy when the those consuming identity information collude with those providing it but that's not an issue peculiar to CardSpace.

Even Microsoft would (and indeed does) agree that Passport was a failure due to the company's control of identity data, I think Ben doesn't tell the whole story. It wasn't just down to control of an individual's identity data. It was also due to the fact that Passport and Hailstorm were designed from the outset to wrest control of identity data from Microsoft's business partners and customers. The same can not be said of CardSpace and that's why I believe there is a difference between CardSpace and Passport. There are already examples, Otto in Germany springs to mind, of organisations other than Microsoft using CardSpace and, as I said, it's still early days.

Microsoft agrees to participate in ID project ... For the first time representatives of Liberty Alliance and Microsoft are going to sit down together ... Microsoft is to meet this month with vendors and organisations that are backing several different identity management systems. The Microsoft meeting suggests that cooperation between the software giant and its peers is improving.

These are just a few examples of press excitement resulting from the formal announcement of the Liberty Alliance's Concordia project and the news that Burton Group's Catalyst 2007 conference will host a panel discussion between representatives from Liberty, Microsoft and OpenID about identity interoperability. Perhaps it's because I have been following identity so closely over the last few years but I can't say that this really justifies the implication of the headlines that this represents a significant change of heart for Microsoft. Microsoft has been an active participant (and arguably leading) the charge towards interoperable identity solutions for a number of years.

Far more interesting, as far as I am concerned, is what the panel will be discussing. Concordia is initially focusing on gathering real-world use cases some of which will be presented to the panel. With effective identity management so critical to many of the strategic challenges and opportunities that organisations are faced with today, it's time to move away from "vendor sports" and address the needs of those organisations.

Well, better late than never. SAP today announced the acquisition of privately-held MaXware, a supplier of identity management infrastructure. Back in June 2005, I discussed SAP Venture's (its VC arm) investment in another identity management specialist: Ping Identity and at the beginning of 2006 predicted that SAP would enter the identity management acquisition fray. My timing was off but SAP has finally done it. In light of the investment in Ping Identity I was somewhat surprised by the choice of MaXware rather than Ping Identity but I think geography may have had a part to play. It is going to be easier for SAP to integrate a Norwegian company than one based in the US.

MaXware is hardly a new entrant in the market: the company has been around for over 15 years, initially providing virtual directory solutions. The company has subsequently built on that foundation to add identity lifecycle management, provisioning and federated web single sign-on. As a result MaXware provides SAP with a pretty comprehensive set of capabilities to bulk up its NetWeaver and broader application proposition, particularly when it comes to competing with arch-rival Oracle which has done a good job with acquiring and subsequently integrating identity management capabilities as part of Fusion Middleware.

SAP still has some way to go, obviously, when it comes to actually delivering an integrated proposition. The fact that both companies are European should help. However, I note that SAP does not appear on the list of MaXware partners and the press release doesn't mention "building on the existing strong partnership" or "exploiting existing integration between the companies' solutions" (or other such press release-ese) so its difficult to gauge the extent of the technology integration work ahead. Customers and potential customers should look for detailed integration roadmaps.

Sun yesterday announced:

a new initiative around support for OpenID, a decentralized, web-friendly single sign-on mechanism that allows consumers to reuse a single login across different websites, tackling the "login explosion" problem. OpenID is currently limited to facilitating low-risk transactions such as blog comments. Through its new initiative, Sun is exploring what changes and practices are needed to make OpenID applicable to a broader spectrum of business and IT challenges. The company will actively encourage participation from customers and technology partners through a series of activities and real-life implementations that are initially driven by Sun's Chief Technologist's Office.

It would be all too easy to focus on vendor sports and discuss this announcement in the context of Microsoft's embracing of OpenID at the RSA Conference in February. But I will avoid the temptation (not least because I think the sport wouldn't be much of a spectacle).

I also don't want to join the ongoing debate (at least over at the Identity Gang) sparked by this statement in the press release:

People using Sun- based OpenID identifiers at an OpenID-accepting website can convey in this simple and secure manner that they are indeed Sun employees, a piece of information that can enable access to employee discounts and unlock other special services all across the web.

which confuses authentication with authorisation - contractors may be given OpenID identifiers to access particular services but they are not Sun employees; what happens in the future if Sun provides OpenID identifiers to partners in the future but a service provider is working on the assumption that OpenID identifiers have only been issued to employees?

No. It's this statement which captures my particular interest:

As enterprises increasingly open up access to data and services to wider audiences and improve usability, the use of a decentralized technology like OpenID will be an appealing way to manage account proliferation. Integration with existing deployments, which often involve enterprise-ready technologies like SAML and the Liberty Alliance's Identity Web Services Framework will become an essential consideration. Sun is working with customers and partners to combine and converge these technologies to maximize effectiveness.

I discussed the importance of convergence of user-centric and enterprise-centric approaches to identity in our report on identity management. Although there have been some very valuable discussions in the identity community, this has not resulted in much pragmatic guidance for enterprises assessing the implications of OpenID and other user-centric identity technologies behind the firewall. Sun's experiment should hopefully provide some valuable insight. I for one look forward to hearing more.

I just came across (well, Neil pointed me to it) this post from Todd Biske, an SOA Enterprise Architect at MomentumSI in which he discusses the implications of a service-oriented approach for identity. Todd raises an important question:

what ?identity? is in the context of service security

This is something I discuss in our identity management report

However, identities are not just important to humans?
interactions with IT systems. The advent of technologies such as RFID tagging,
the deployment of software services acting as proxies for real people, the
proliferation of digital media assets and so forth are leading to the
realisation that identity applies equally to the management of access to digital
resources.

Coming at this from the perspective of an SOA architect, Todd highlights a number of other important issues:

The problem gets even more complicated when dealing with composite services. If policies are based on system identity, what system identity do you use on service requests?

and

If this wasn?t enough, you also have to consider how to represent identity on processes that are kicked off by system events...Events are purely information. Service requests represent an explicit requests to have action taken. Events do not. Events can trigger action, and often do, but in and of themselves, they?re just information. This now poses a problem for identity.

He's absolutely right to highlight these issues. The question is how do you deal with them. The first step is to rethink identity management architecture and shift away from a focus on identity management as a set of applications for user management, provisioning, authentication etc. Such a rethink will also address a variety of other challenges and should adhere to a number of core tenets:

• Identity management needs to transition from an architectural approach which is user-centric to one which is identity-centric
• The authentication mechanisms must reflect the levels of risk and the granularity of the resources associated with that risk, without over-burdening the individual
• Hybrid identity data integration approaches are required to combine the benefits of metadirectory and virtual directory technologies, allied with tooling to assist with data reconciliation
• There is a need to authorise access to business functions and information at the level of each service using policy-based approaches to the definition and enforcement of access control requirements
• A federated approach is required for the mediation of the relationships at the heart of identity management, which in turn depends on managing and brokering the trust that underpins those relationships
• Identity management capabilities must be delivered as distributed infrastructure services, which exploit existing serives and are defined according to clear contracts which are enforced through policies
• Roles must be modelled at the intersection of identities, entitlements and organisational structures and managed as part of the broader identity management lifecycle.