Ping Identity > Blogs > PingTalk 

PingTalk Blog

San Diego – Provisioning, born of promise but raising hell ever since, is in a transition phase that hopefully accentuates the good, incorporates the new and leaves behind the bad.

That was the message this week from Lori Rowland, vice president and service director for the identity and privacy strategies team in the IT Professionals Research group (formerly Burton Group) at Gartner.

At the analyst firm’s Identity and Access Management conference, Rowland picked at nagging provisioning legacies, detailed changes brought by regulations such as Sarbanes Oxley, explained evolutions such as identity and access governance (IAG) and looked ahead to the cloud.

The cloud is where provisioning, federated to cloud-based apps, should be playing a significant role in adoption, but today provisioning is a work in transition.

In fact, IT’s sore chapters in provisioning’s history – namely connectors – are being recreated in the cloud, a development Rowland calls “frightening.”

“Stop the connector madness whenever possible; especially out to the cloud,” Rowland said. “Right now cloud vendors have their own APIs and we are again building proprietary connectors.”

She admitted connectors will not go away completely then outlined how provisioning has changed and what the alternatives are now.

Rowland says the “push” model, which provisions users accounts to an application, must be replaced by transaction-based authorizations that “pull” data from systems like virtual repositories (such as those from UnboundID or Radiant Logic) and deliver it to applications.

In general, the model delivers to the application a user with attributes in hand, including authentication, authorization and policy vetting.

The model’s defining characteristic is standards-based interfaces used by publishers and subscribers to events, data and transactions.

The pull model is a popular ideahowever, it is not universally accepted.

In the pull model, which is contextual and operates in real-time, data delivery can be accomplished using established federation protocols such as SAML, along with authorization and policy tools based on XACML from vendors such as Axiomatics, which this week inked a major deal with PayPal.

Other standard pieces that might get a look include the Security Provisioning Markup Language (SPML).  The standards group OASIS recently rescued the spec from death, but the group has yet to make any meaningful changes.

Rowland heaped much of the blame for SPML’s churn on vendors, but added that the technology is not well suited for federated provisioning.

“Wasn’t SPML suppose to be your best friend,” she said. “It has not lived up to its pedigree.”

Rowland sees account provisioning/authorization as one leg of three that will encompass the whole of future “provisioning.” The others are IAG, and Data Management and Synchronization.

“This is a shift in thinking, we will not provision each time someone needs access,” she said. She said the transition will take time and the near future will be defined by a hybrid model.

Do you have hopes for cloud provisioning? What technologies are you using/exploring?

Follow John on Twitter and check out our Identity-Conversation Tweet list

Add your comment