Processes of Identity and Access Management

“We create a generic reference business model for identity and access management”

Plea for a Lightweight Identity

Fri June 15, 2007 Posted by Horst Walther, SIG Software Integration

At the joint conference (http://www.eema.org/static/eema2007/program.htm) of ENISA (http://www.enisa.europa.eu/) and EEMA (http://www.eema.org/) I not only had the chance to present our initiative GenericIAM (2007-06-13_GenericIAM_Presentation(1.0).ppt) but also to attend several workshops and round tables on selected topics from the information security field.

Although I attend several conferences and less spectacular events, I have seldom come across expert communities with a comparably high level of expertise. Many of them represent a long record of intensive work at the very forefront of secure electronic communication.

They take their job seriously and try to come up with good results, no, with even excellent results. And perhaps that’s the fault. Why? Well, excellent sounds like near 100%. And everybody dealing with security knows that 100% means it can’t be done as long as humans are involved – at least those still alive.

A discussion, for example, on electronic identity cards revealed the full colourful picture of European differences and peculiarities – as expected. I further expected that, following the very European principle of subsidiarity, these local solutions would be mutually accepted. As Dr. Ingo Neumann from the German BSI (http://www.bsi.de/) pointed out: in the physical world we do have valid and mutually accepted documents – passports and national ID cards. Why can’t we transfer this principle of mutual trust to the electronic world? In addition, Anthony Whitehead from NordicEdge (http://www.nordicedge.se/), a British citizen living in Sweden, demonstrated how easy this can be - by presenting his Swedish driving licence, Swedish ID card, credit cards and more. The Swedish authorities simply trusted his British passport.

Instead, a long discussion raged on the unification of the different levels of trustworthiness of the national enrolment processes for identity documents. Obviously this can’t be successful – at least not on short timeframes. Why can’t what we practise in the physical world work out in the e-world? Because here we traditionally and intuitively take a risk-based, risk-balanced approach. Life is risky and will stay risky – at least as long as it lasts. (Afterwards the situation improves quite a bit!)

But there was an example demonstrating nearly the opposite danger: it might not always be a good idea to transfer physical objects to the e-world unchanged. As a special indication, Ulrike Linde from the Association of German Banks (http://www.germanbanks.org/) mentioned that according to German data protection law the date of birth must not be on the German eID card. But as banks require it, you would not be able to open a bank account with an eID card, whereas by means of its paper equivalent you can. According to Kim Cameron’s Laws of Identity (who, by the way, showed up at the same conference as well, http://www.identityblog.com/) banks shouldn’t be interested in our age anyway – just in the information that I’m over 18 years old. But that’s another story.

Another question may have even more impact. Why should this information be on an eID card at all? Ok, I understand that in the physical world there was no other way to deliver this information in a comparably trustworthy way.

But in the e-world? Wim Coulier from the Belgian Certipost (http://www.certipost.be/en/homepage.php3) gave a good example in his short presentation: an electronic identity reduced to its identifying nature without any additional attributes. Whenever these attributes are requested, e.g. for opening a bank account, the attribute provider can decide to deliver them to the requester, a principle well known from the user-centric identity movement. Here the user decides if it is worth disclosing the information – well, who else?

So the question arises: how much information should an identity carry? Not too much, I would say. It could otherwise unnecessarily disclose information. It could conflict with national data protection law. It could become difficult to agree on the appropriate set of information, resulting in turn in an unnecessarily high need for identity federation, and so on.

Following Occam’s razor (http://en.wikipedia.org/wiki/Occam’s_Razor) and taking it to the limits, the eIdentity should be reduced to its bare identifying nature.
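To make the minimal-disclosure principle of the preceding paragraphs concrete, here is an added Python example (not code from the original post, nor from any of the projects or companies named in it): the identity carries only an identifier, the attribute provider releases a derived "over 18" claim only after the user consents, and the raw date of birth is never released to the bank. All names, identifiers and dates in it are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Added example, not code from the original post. Constructed, hypothetical actors: an
# identity carrying only an identifier, an attribute provider, and a bank needing "over 18".

@dataclass(frozen=True)
class LightweightIdentity:
    """Bare identifying core; no descriptive attributes travel with it."""
    identifier: str  # assumed opaque identifier issued by an eID scheme

def is_over_18(birth_date: date, today: date) -> bool:
    """Derive the predicate the bank needs instead of handing over the date itself."""
    had_birthday = (today.month, today.day) >= (birth_date.month, birth_date.day)
    age = today.year - birth_date.year - (0 if had_birthday else 1)
    return age >= 18

class AttributeProvider:
    """Holds attributes; releases only derived claims, and only with the user's consent."""
    # Only derived predicates can ever be released; a raw attribute such as
    # "birth_date" is deliberately absent from this table.
    DERIVED = {"over_18": lambda rec, today: is_over_18(rec["birth_date"], today)}

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}
        self._consent: dict[str, set[str]] = {}

    def enrol(self, ident: LightweightIdentity, attributes: dict) -> None:
        self._records[ident.identifier] = dict(attributes)
        self._consent[ident.identifier] = set()

    def grant_consent(self, ident: LightweightIdentity, claim: str) -> None:
        self._consent[ident.identifier].add(claim)  # the user decides, not the requester

    def request_claim(self, ident: LightweightIdentity, claim: str, today: date) -> dict:
        """Answer a requester: disclosure policy first, consent second, derivation last."""
        if claim not in self.DERIVED:
            return {"claim": claim, "released": False, "reason": "raw attributes are never released"}
        if claim not in self._consent.get(ident.identifier, set()):
            return {"claim": claim, "released": False, "reason": "no user consent"}
        value = self.DERIVED[claim](self._records[ident.identifier], today)
        return {"claim": claim, "released": True, "value": value}

def bank_may_open_account(provider: AttributeProvider, ident: LightweightIdentity, today: date) -> bool:
    """The bank's side: it needs a released, true over-18 claim and learns nothing else."""
    answer = provider.request_claim(ident, "over_18", today)
    return bool(answer.get("released")) and answer.get("value") is True

def demo() -> dict:
    # Constructed scenario: one user, one bank, requests before and after consent.
    today = date(2007, 6, 15)
    alice = LightweightIdentity("eid:constructed-0001")
    provider = AttributeProvider()
    provider.enrol(alice, {"name": "Alice Example", "birth_date": date(1985, 6, 15)})
    before = provider.request_claim(alice, "over_18", today)  # refused: no consent yet
    provider.grant_consent(alice, "over_18")
    after = provider.request_claim(alice, "over_18", today)  # released, value True
    raw = provider.request_claim(alice, "birth_date", today)  # refused: raw attribute
    return {"before": before, "after": after, "raw": raw, "bank_ok": bank_may_open_account(provider, alice, today),
            "birthday_tomorrow": is_over_18(date(1989, 6, 16), today)}  # edge case: still 17
```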

Every answer just raises the next question: what should this natural set of identifying data be like? “Excellent question,” the hard-nosed salesman would reply. But there is a natural unique set of data: remember when you were baptised or just given your name. It was done with the idea in mind of being able to uniquely identify and address you. The name should be yours and unique in the personal context.

This context is the key, of course. It is made of time and location: the moment of birth in your local context. So, the natural GUID is composed of name & time and the regional context (city, town, village, …). Ok, I understand, it is not that easy: the idea might be compelling, but fixing the local context is the weak point, as it doesn’t map to the local birth registration office – at least in many cases.

But back to the minimal identifying data set: I once wrote that there is a mismatch between the natural perception of the word “identity”, which indicates the sameness of two things, and the use of the term “digital identity”. Perhaps this is the reason why Kim Cameron forbade the use of the term “identity” internally in his team. It only causes confusion.

In the natural perception a human can only have one identity; everything else is schizophrenia. Whereas in the digital world – there is a broad consensus – we can have several “digital identities”. But the relaxed view on having multiple identities is in danger. Biometrics has the potential to damage this consensus, as it will uncover duplicates – even if they are considered tolerable.

It will push for the use of a GUID instead of just an ID. But in this case the Identity must not carry any additional attributes besides the pure identifying information itself.

A lightweight Identity.

Article about GenericIAM in Computerwoche

Tue June 12, 2007 Posted by Oliver Belikan, doubleSlash

The father of our group GenericIAM, Dr. Horst Walther, starts a series of articles about digital identities in the well-known German IT newspaper "Computerwoche".

This week (number 23, from June 8th) the first part was published on pages 28/29 with the headline "No integration without digital identities". The next three articles will follow in the coming editions.

Who eats whom in Identity Management?

Fri May 18, 2007 Posted by Oliver Belikan, doubleSlash

A few days ago I spoke to SAP people about SAP's position with regard to the still growing IAM market. At the end of the conversation I believed that SAP had never followed a strategy of achieving growth through acquisitions or mergers, as its big competitor Oracle did in past years (The nutritional value of IAM companies).
So it is still a secret to me which goals SAP is pursuing with acquisitions like MaXware, Wicom Communications and others.
Matt Flynn guesses in his blog post that MaXware’s products will complement SAP’s core product architecture. That is the most obvious position. But I am sure that SAP’s hunger is not satisfied yet. See the press release from SAP: SAP Extends Identity Management Capabilities in SAP NetWeaver with Acquisition of MaXware

7th regular quarterly GenericIAM meeting in Munich

Thu May 17, 2007 Posted by Oliver Belikan, doubleSlash

We would like to invite you to attend our 7th regular quarterly GenericIAM meeting.

We will meet Friday, June 29th, in the CSC building in Munich. We have scheduled the meeting from 09:00 to 17:00.

We thank Dr. Angelika Steinacker, CSC, for hosting the meeting.

Agenda

  • 09:00 welcome - housekeeping – new members introduction
  • 09:15 meeting minutes from 2007-03-02 and 2007-05-07
  • 09:45 assignments from last 2 meetings
  • 10:15 activities report WG Organisation (Horst Walther)
  • 10:45 activities report WG Presentation (Octavio Brito)
  • 11:15 activities report WG Modelling (Andreas Netzer)
  • 12:30 — lunch break —
  • 13:00 activities report WG Validation (N.N.)
  • 13:30 activities report TF Compliance (Norbert Boß)
  • 14:00 Next steps, planning of workgroup meetings, next regular meeting, assignments. Please feel free to propose additional topics for the agenda if necessary.
  • 17:00 End

The location will be
CSC, IT Management & Security
Sandstr. 7-9
80335 München
Germany
Phone: +49.89.5908.6485
Fax: +49.89.5908.6503
Internet: http://www.de.csc.com
See: how to get there

GenericIAM Meeting at the EIC

Thu May 10, 2007 Posted by Matthias Neher, doubleSlash


Last Monday we held our 6th GenericIAM meeting. The first European Identity Conference (EIC) hosted the meeting. We used this shortened meeting to present our initiative to some interested guests. Subsequent to this we had the privilege to listen to Dave Miller, CISO of Covisint. He explained the strategies and activities of Covisint related to IAM in general.

The feedback from our guests was pretty good. They all agreed with us that we definitely need an IAM process model. We would be pleased to stay in contact with our guests. Perhaps someone would like to join our initiative.

Interview with Dr. Walther part 4

Tue May 8, 2007 Posted by Matthias Neher, doubleSlash

Processes and future:

M. Neher: In which way do you develop your process models?

Dr. Walther: "The fundamental idea is to identify recurring similarities which we can arrange in consistent models. This is the only way we can get general, universal models.
We decided to take five steps:

  1. Selection of processes
    The members themselves decide which of their processes will be provided to the initiative.
  2. Take-over
    Our task force “Modelling” takes over the models and documents them in a formal manner.
  3. Modelling
    The aim of this step is to identify and isolate general aspects of the processes. These aspects are used for our own models.
  4. Quality assurance
    GenericIAM authorises modelled processes after checking them. For this purpose special reviewers check all the models. If necessary we engage external experts.
  5. Publication
    The results of the modelling activities will be published by GenericIAM annually."

M. Neher: Can you tell us something about concrete results?

Dr. Walther: "On the one hand we could gain very useful input from consumer companies like BMW Group, Dekra and the WestLB. On the other hand consultants and software integrators like doubleSlash, iC Consult and ism offered material from practice.
I’m very optimistic that we will present our first reference model to the public in late 2007."

M. Neher: Is there any concrete timetable for your standardisation efforts?

Dr. Walther: "We depend on voluntary work. So we are not able to plan our activities in a very strict way. But we have the aim to go international and to publish our first reference model in 2007."

M. Neher: Please tell us something about the next steps. Do you concentrate only on the German market?

Dr. Walther: "I gave some hints already. It doesn’t make sense to continue as an isolated German initiative. We started in the German region to keep the costs low, because every member has to cover them on their own. The only way to be successful is to integrate international standardisation organisations. We have several promising contacts with members of OASIS and the ITU."

M. Neher: GenericIAM started a new blog not long ago – contrary to the German webpage – completely in English. Why did you decide to do so?

Dr. Walther: "English is indeed the language for international communications and publications. We decided to manage the webpage in German and English. This is possible because of the static content on the webpage. The blog contains much more dynamic content. So we decided to keep the blog in English, only."

Interview with Dr. Walther part 3

Mon May 7, 2007 Posted by Matthias Neher, doubleSlash

The Members:

M. Neher: If we have a look at the members of GenericIAM we find classical IT-companies like Novell, Oracle and Sun, but also companies from other industrial sectors like Dekra or the WestLB. What are the reasons to participate in GenericIAM?

Dr. Walther: "Identity Management and Access Management aren’t limited to IT companies. Even if both disciplines weren’t called that, both are older than information technology. The new thing is that companies get a holistic view of individual access to corporate resources. Thus IAM is part of every company’s management infrastructure. First of all we concentrated on consumer companies, whose implemented processes we would analyse for similarities in order to get a general process model. To achieve this we appreciate every member who can help us. Accordingly our members are analysts, users, consultants, software integrators and vendors."

M. Neher: Won’t the participating companies lose their edge in knowledge?

Dr. Walther: "This is a question for all standardisation activities. It’s a matter of fact that there will always be leaders and others who follow. Taken together, everyone wins if you can refer to an accepted standard. Consumer companies often see IAM as a necessary task without any relevance for competition. Their aim is to implement IAM functions in an easy and cheap way. However, the more standardised processes we have, the easier this can be achieved.
The most likely to have such an edge in knowledge – if there is one – are analysts, consultants and software integrators. But up to now we couldn’t find anyone with any significant lead in this field. We take this as an indication that this task cannot be managed by a single company but rather by joint efforts."

Interview with Dr. Walther part 2

Sat May 5, 2007 Posted by Matthias Neher, doubleSlash

GenericIAM in general:

M. Neher: Dr. Walther, we would like to find out more about the GenericIAM initiative. What’s behind all this?

Dr. Walther: "As often, the starting point was anger about a disappointing situation: in a project for the implementation of a comprehensive IAM system I had to design the underlying processes – once again. From experience of former projects I knew that designing the processes could make up to 2/3 of the total costs. However, subsequent to the projects, I realised that these processes often look similar. This fact is not astonishing. All the processes are about standardised IT infrastructure. So why do we have to define the processes all the time from the outset? Why do we have to do that to our customers? Why isn’t it possible to get a set of reference processes?
That was the trigger for GenericIAM. Perhaps that wouldn’t have been enough. But the postulation of generic processes fits well into the context of current management trends. Consultants have preached the "industrialisation of services" for a long time. Today this is in fact a topic for companies. The times in which we had a lot of individual hand-made work are long gone because of rising cost pressure, security efforts and agility on the market. The answer is the standardisation of the relevant management processes. And ITIL is just the beginning of that.
So what we really need are task-related reference models. We intend to develop such a model for Identity & Access Management. That is what our brand "GenericIAM" stands for – generic processes for Identity & Access Management."

M. Neher: You are talking about process definitions. Why is it so important to define the relevant processes before IAM-projects?

Dr. Walther: "Identity & Access Management – as the name already suggests – is an organisational management task with a strong link to technology. The main task is the interaction of identities (mostly individuals) with the company and its resources. Generally an interaction is described by a process, if it should not occur undefined and ad hoc. Consequently processes are the core of IAM and – by the way – the most expensive part when installing an IAM system in a company. Well-defined processes are the condition for achieving the addressed benefits like process automation and cost reduction."

M. Neher: Why did GenericIAM join the National Initiative for Internet Security NIFIS?

Dr. Walther: "As a consortium we need to have a formal organisation. Of course we could work together in an informal manner and present our results to the ITU, OASIS or other standardising consortiums. But on the other hand the affiliated companies making their process models available need the NIFIS to have a proper contact. The NIFIS as a self-help organisation of the industry provides this legal context in a brilliant manner. I think there are very few security-based topics which do not touch IAM. The fact that we don’t limit our activities to national efforts and security matters and their application in the internet does not distort that picture. Recapitulating, the NIFIS with its flexible and pragmatic organisation is the right institution for us."

Interview with Dr. Walther part 1

Fri May 4, 2007 Posted by Matthias Neher, doubleSlash

I asked Dr. Walther, the head of GenericIAM, to answer a few questions for me. I’m going to post the questions and his answers step by step on this blog.

Here is the first one:

M. Neher: Dr. Walther, due to your activities as a business consultant, you have a good overview of the IAM market. Can you tell us where we can find more information about Identity & Access Management?

Dr. Walther: "The appropriate analysts like the Burton Group, the Gartner Group and the German Kuppinger, Cole + Partner offer much information about IAM. Another great overview is provided by meetings and conferences like the European Identity Conference in Munich, May 2007. And of course the internet provides much information, too. There you find wikis like the IAM-Wiki (http://www.iam-wiki.org) or blogs like http://www.identityblog.com and http://blog.doubleSlash.de. 100 other blogs can be found at http://blog.doubleslash.de/2006/11/21/alle-blogs-rund-um-das-identity-access-management. Another way to keep up to date is to subscribe to mailing lists like http://openid.net/wiki/index.php/Mailing_lists or https://opends.dev.java.net/servlets/ProjectMailingListList. Last but not least I would like to refer to the web pages of the big standardisation organisations Liberty Alliance (http://www.projectliberty.org), OASIS (http://www.oasis-open.org/) and ITU (http://www.itu.int/ITU-T/index.phtml)."

Ad hoc Meeting during EIC in Munich

Posted by Oliver Belikan, doubleSlash

We want to meet on Monday, May 7th, from 1pm to 3pm during the 1st European Identity Conference 2007 (EIC 2007) in Munich.

We propose the following agenda:

  • 1:00 Greeting - housekeeping - introduce new members and guests
  • 1:15 Approve minutes from last meeting, March 2, 2007
  • 1:30 Tasks from last meeting, March 2, 2007
  • 2:00 IAM Processes at Covisint (Dave Miller)
      - What is Covisint?
      - What are Covisint's major processes?
      - Why is Identity- & Access Management important for Covisint?
      - What are the IAM-Processes of Covisint?
      - What is special - what might be generic?
      - Why do we think that reference models will become more important?
      - Outlook - What are we going to improve / change?
  • 2:30 Report from AG Organisation (Horst Walther) and adjust next steps
      - Blog (blog.genericiam.org) and website (www.genericiam.org)
      - New members (CSC and IDS Scheer)
      - Using the ARIS licences
      - Progress in modelling
      - Public relations, support of our GenericIAM-booth
      - Organisation of our collaboration until next meeting
      - Find an appropriate date and host for the next meeting (possibly in June)
      - Identify the tasks which have to be done before the next meeting
      - Distribute tasks to members
  • 3:00 End of meeting

Meeting place:
Forum am Deutschen Museum
Museumsinsel 1
80538 München
Tel.: 089211 25170
Fax: 089211 25165
http://www.forumamdeutschenmuseum.de