I snuck away at the end of the year to ski, but I was thinking about the top identity story lines of 2010 and what will rise to the top in 2011 (we’ll cover that in another posting).
First, looking back at the past 12 months.
The trajectory of cloud computing has pulled identity technology from niche mode into the larger discussion around defining security in a new world of proliferating devices, ubiquitous connectivity and online applications. The traditional notion of a corporate network protected by a fence of virtual razor wire and tuned detection systems is losing relevance.
In fact, that development was the big story in 2010, perhaps punctuated by Symantec’s $1.28 billion acquisition of VeriSign.
Swept along in the conversation was the emergence and transformation of technologies to align with the new security thinking. Acronyms such as OAuth, XACML, OpenID, and NSTIC rose to the top of industry efforts. The proliferation of mobile devices added its own flavor to the soup. Here is a brief look at five top identity story lines of 2010 (add your own and predictions for 2011 in the comments section).
Cloud and identity force rethinking of security boundaries
It took the better half of a year, but the emerging theme was the eroding viability of corporate security perimeters built over the years. Think network firewalls, web app firewalls, AV scanners, and intrusion detection.
“2010 was the year that security people recognized that identity or 'let the good guys in' tools are the way of the future,” said Ping CTO Patrick Harding.
Neil MacDonald, a Gartner fellow, put it this way, “Information security infrastructure needs context to stay relevant in a world that is more interconnected, virtualized and distributed out to untold numbers of devices.”
Adoption of mobile and other devices coupled with the cloud’s integration across the Internet is what applied pressure on traditional security practices.
“Kiss your perimeter goodbye. And while you’re at it, stop thinking security and start focusing on risk management,” was the message from Don Proctor, senior vice president and executive sponsor of Cisco’s Cybersecurity Initiative, when he keynoted the Computer Security Institute’s 2010 conference. “The control point needs to be pulled back into the network.”
It’s a theme that will drive other identity technology developments going forward in 2011 and beyond.
OAuth and the API
The emergence of OAuth aligns with new security evaluations. OAuth is an authorization (and authentication) technology that is hitting a sweet spot around protecting access to APIs.
The OAuth 2.0 upside is the ability for applications to securely share data programmatically via REST-based Web services or SOAP-based APIs.
There are millions of Web services calls today that don’t involve a user and a UI.
Google and Facebook handle five billion API calls per day. Twitter handles three billion, which is 75% of all its traffic. And more than 50% of SalesForce.com’s traffic is via API.
Secured API calls make apps device-agnostic – smartphone, tablet, PC, DVR, kiosk, in-car computer, gaming console and other platforms. Those devices want access to cloud services data to support composite applications, such as integrating SaaS apps and on-premise systems.
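To make the "no user and no UI" case concrete, here is an added example (not code from the original post or from Ping Identity) of the OAuth 2.0 client credentials grant: a registered application trades its client ID and secret for a scoped, expiring bearer token, then presents that token on a REST call, and the resource server admits the request on the strength of the token alone. The authorization server, its signing key, the client registry and the order data are all constructed for the example; a real deployment would use an actual token format such as JWT and a real HTTP stack.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing key for the hypothetical authorization server (assumption, not a real key).
AS_SIGNING_KEY = b"demo-signing-key-not-for-production"

# Constructed client registry: client_id -> (client_secret, scopes this client may request).
CLIENTS = {
    "kiosk-app": ("kiosk-secret", {"orders:read"}),
    "crm-sync": ("sync-secret", {"orders:read", "orders:write"}),
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id, client_secret, requested_scope, now=None, ttl=3600):
    """Client credentials grant: authenticate the application itself (no end user),
    check the requested scope against what the client is allowed, and mint a token."""
    now = int(time.time()) if now is None else now
    entry = CLIENTS.get(client_id)
    if entry is None or not hmac.compare_digest(entry[0], client_secret):
        return {"error": "invalid_client"}
    scopes = set(requested_scope.split())
    if not scopes <= entry[1]:
        return {"error": "invalid_scope"}
    claims = {
        "sub": client_id,
        "scope": " ".join(sorted(scopes)),
        "exp": now + ttl,
        "jti": secrets.token_hex(8),  # unique token id, useful for revocation lists
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(AS_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return {
        "access_token": f"{body}.{sig}",
        "token_type": "Bearer",
        "expires_in": ttl,
        "scope": claims["scope"],
    }


def validate_token(token, required_scope, now=None):
    """Resource-server side: verify signature, expiry and scope. Returns (ok, detail)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    expected = _b64(hmac.new(AS_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return False, "bad_signature"
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return False, "expired"
    if required_scope not in claims["scope"].split():
        return False, "insufficient_scope"
    return True, claims["sub"]


def handle_api_request(headers, required_scope, now=None):
    """Simulated REST endpoint guarded by a bearer token. Returns (status, body)
    following the RFC 6750 convention: 401 for missing/invalid tokens, 403 for wrong scope."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "invalid_request"}
    ok, detail = validate_token(auth[len("Bearer "):], required_scope, now)
    if not ok:
        return (403 if detail == "insufficient_scope" else 401), {"error": detail}
    # Constructed sample payload; the caller is identified by its client, not by a user session.
    return 200, {"client": detail, "orders": ["order-1", "order-2"]}


if __name__ == "__main__":
    grant = issue_token("kiosk-app", "kiosk-secret", "orders:read")
    print(handle_api_request({"Authorization": "Bearer " + grant["access_token"]}, "orders:read"))
```

The point to notice is what the resource server never sees: no username, no password, no browser cookie. Its trust rests entirely on a token it can verify offline, with a scope that bounds what the device may do and an expiry that bounds for how long.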
In May, Aaron Fulkerson, CEO of Mindtouch, advised developers, “build an API for every feature first. Your original conception for your product is wrong, you don’t know how people are going to use your product.”
Mobile client explosion meets secured by identity
The cloud is fueling the desire for resource access from mobile clients and devices, says Brian Campbell, principal engineer with Ping.
And the number of devices is exploding. IDC said this month that half of Web users next year will be on mobile and handheld devices, and it says mobile device shipments will surpass PCs in the next 18 months. In addition, IDC predicted that 80% of new software in 2011 will be available as cloud services.
Those connections need to be secured. OAuth factors into that, and XACML is another technology that promises to strengthen federated identity and pull mobile devices into the flow. The devices themselves could become identity tokens. XACML could enforce security and other policies specific to mobile and other handhelds.
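The idea that XACML-style policy could be specific to handhelds is easier to see with a small policy decision point in front of you. The following is an added illustration, not code from the original post or from Ping Identity, and it is not XACML's XML format: it borrows only XACML's concepts of a policy target, rules with Permit or Deny effects, and a deny-overrides combining algorithm, expressed in Python so it runs stand-alone. The device attributes (device class, MDM enrollment, compromise flag), the roles and the resource type are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Rule:
    name: str
    effect: str                                  # "Permit" or "Deny", as in XACML rule effects
    condition: Callable[[Dict], bool]            # evaluated against the request attributes


@dataclass
class Policy:
    name: str
    target: Callable[[Dict], bool]               # does this policy apply to the request at all?
    rules: List[Rule]
    combining: str = "deny-overrides"            # or "permit-overrides"


def evaluate(policy: Policy, request: Dict) -> str:
    """Minimal PDP: returns Permit, Deny or NotApplicable for a single policy."""
    if not policy.target(request):
        return "NotApplicable"
    effects = [rule.effect for rule in policy.rules if rule.condition(request)]
    if not effects:
        return "NotApplicable"
    if policy.combining == "deny-overrides":
        return "Deny" if "Deny" in effects else "Permit"
    return "Permit" if "Permit" in effects else "Deny"


def pep_allows(decision: str) -> bool:
    """Policy enforcement point: anything other than an explicit Permit is refused,
    so a NotApplicable result fails closed rather than open."""
    return decision == "Permit"


# Constructed sample policy: customer records reached from mobile and handheld devices.
MOBILE_POLICY = Policy(
    name="mobile-customer-record-access",
    target=lambda r: r["resource"]["type"] == "customer-record",
    rules=[
        Rule("deny-compromised-device", "Deny",
             lambda r: r["environment"].get("device_compromised", False)),
        Rule("deny-export-from-handheld", "Deny",
             lambda r: r["action"] == "export"
             and r["environment"]["device_class"] in {"smartphone", "tablet"}),
        Rule("permit-employee-on-managed-device", "Permit",
             lambda r: r["subject"]["role"] == "employee"
             and r["environment"].get("mdm_enrolled", False)
             and r["action"] in {"read", "export"}),
    ],
)


def make_request(role, action, device_class, mdm_enrolled, compromised=False,
                 resource_type="customer-record"):
    """Build a request in the subject / action / resource / environment shape XACML uses."""
    return {
        "subject": {"role": role},
        "action": action,
        "resource": {"type": resource_type},
        "environment": {
            "device_class": device_class,
            "mdm_enrolled": mdm_enrolled,
            "device_compromised": compromised,
        },
    }


def decide(role, action, device_class, mdm_enrolled, compromised=False,
           resource_type="customer-record"):
    return evaluate(MOBILE_POLICY,
                    make_request(role, action, device_class, mdm_enrolled, compromised, resource_type))


if __name__ == "__main__":
    for args in [("employee", "read", "tablet", True),
                 ("employee", "export", "tablet", True),
                 ("employee", "read", "smartphone", False)]:
        print(args, "->", decide(*args))
```

Two details carry the security weight here. First, the device context lives in the environment attributes, so the same policy can answer differently for a managed tablet and an unmanaged phone without any change to the application. Second, the enforcement point treats NotApplicable as a refusal; a policy that simply has nothing to say about a request should not translate into access.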
Companies like Salesforce are already priming the pump.
“We want one integration to the cloud, standards-based, facilitating users getting access through whatever device or integration pattern they need, including mobile and desktop,” said Chuck Mortimore, product management director for identity and security at Salesforce.com.
OpenID business morph
In March, Google declared itself an OpenID Provider via its Google Apps Marketplace; by November it had added the title of Relying Party in an effort to ignite adoption and use of the technology across the Internet.
Scores of Web sites and providers including Yahoo and Facebook also were fueling the OpenID engine, even as some providers were shutting down.
For its part, Ping released an OpenID connector for Google Apps in May and is out in beta with an OpenID Cloud Identity Connector that supports Google Apps, Google, Yahoo, AOL and OpenID 2.0 providers.
OpenID caught on as a consumer technology by allowing users to sign into one web site using credentials issued by a different web site.
As consumer adoption crept along, the discussion and development around OpenID was being transformed by corporations, which were bending the protocol’s core conceptual underpinnings to reflect their existing business agreements with other Web sites.
“It's been a tumultuous year for OpenID, and there are strong forces working within the community to push the protocol in two very different directions,” says Pam Dingle, Ping’s representative at the OpenID Foundation. Those who strive for easy relying party adoption want simplicity, but those that want the protocol to meet high levels of assurance need another level of complexity. Work towards both goals is difficult but progressing.
Given current efforts, OpenID might be paired with OAuth as part of OpenID Connect, which is supported by Facebook and Google.
In addition, the OpenID Foundation is working on OpenID Artifact Binding (AB), which has attracted interest from the U.S. government and is designed to deal with both long URLs from mobile browsers and the security problems of non-encrypted payloads.
Release of NSTIC proposal
Speaking of the government, in June the Obama Administration released a draft of its National Strategy for Trusted Identities in Cyberspace (NSTIC).
The 39-page document outlines an Identity Ecosystem. The details of that ecosystem are peppered with words familiar to the identity community: interoperability, user-centric, policy, privacy, trust, attributes, IdP, RP, and compliance.
NSTIC would establish the most significant collection to date of identity providers, relying parties and a choice of credentials for different types of online transactions with varying levels of assurance.
Unfortunately, the fall deadline to finalize the initiative came and went and politics (surprise, surprise) are delaying advancements. Early 2011 is the likely timeframe to hear more from the government on NSTIC.
Independent consultant Jay Unger said in November, “We need to find a way to get the [identity] community involved. If [NSTIC] ends up getting shuffled from agency to agency that process could hurt it.”