I went to some good sessions yesterday during the third day of the RSA Conference. Three things jumped out at me during the lectures and chats that I had with other delegates:
- Building an identity management system is largely a political thing, not a technical one (a recurring theme)
- The cloud isn't all roses and not everyone is looking at it positively
- A new project called Kantara
The first is a theme I've been hearing over and over again this week in the various identity-related sessions I've attended. The most obvious mention of it yesterday was in a lecture given by Kevin Kampman and Alice Wang of the Burton Group about role-based access and entitlements management. They said at various points in their presentation that the creation of such a system required a sponsor/advocate in the non-IT side of the business who would fight the political battles. They stressed the importance of this, citing various reasons. For example, such a system is needed, after all, for the sole purpose of solving the issues confronting the business, so product will have a huge stake in its capabilities, features, timelines, etc. Balancing these with those of IT and security will be a difficult, people-centric journey.
This theme is especially important to security professionals (even those for whom identity management isn't their primary focus) if what Microsoft's John "JG" Chirapurath said later that day is correct: that security is rapidly becoming an identity problem. I don't know for sure (because I'm relatively new to the information security space), but I would imagine that security experts and business people have a relatively hard time getting along; I know IT and business do. So, we have a serious problem: IT and security aren't getting along with business and vice versa, and the successful collaboration of all three is fundamental if organizations are going to meet their objectives without falling prey to the tireless forces of competition and cyber crime. What needs to change for us all to get along better? Humility, commitment to the objectives of the organization by all parties, trust, openness and avoidance of groupthink, and accountability, to name a few.
I talked with more of my fellow attendees yesterday than I did on Monday and Tuesday. Robert McMillan (@bobmcmillan on Twitter) of IDG News Service warned that many vendors are recasting themselves as cloud service providers in hopes of capitalizing on the buzz. I heard this from Jay Chaudhry of Zscaler on Tuesday as well. This isn't a new ploy, but it is one to watch out for, of course. I also talked with a gentleman at the VeriSign party I was at last night whose name I didn't catch; he said that he thought cloud computing would have a moderate impact on our society and our businesses, but it would not be as profound as some (myself included) are predicting. Who knows how cloud computing will pan out? None of us do, so let's be passionate and excited about technology and its possibilities while simultaneously thinking critically about it. If we all do this, it won't matter how and what cloud computing becomes ;-)
The third big takeaway from the RSA Conference yesterday for me was a new project called Kantara. This initiative, led by representatives from the OpenID, Information Card, and SAML communities, is seeking to create a digital identity system by conflating the three technologies (i.e., creating an intersection of them as shown in the Venn of Identity). Identity is a really hard problem, especially at Internet scale and considering what I just mentioned about it being largely a political/people issue. The fact that this project has no barrier to entry indicates to me that the folks behind Kantara get this and understand that the brightest minds must be brought to bear on the problem, not just those who work for companies willing to put some cash on the line. This grassroots, bottom-up effort is a tack that I think has a lot of potential to go farther faster, and I support and thank those pioneers who stepped up to the challenge by collaborating on the problem in this way.
If you want to learn more about Kantara, join the mailing list, visit the project's Web site, follow @KantaraNews on Twitter, join the group discussions, watch some videos describing the effort, and become a member. I know I'm going to!