Monday, April 07, 2008


Enterprise Scenarios for CardSpace

On several occasions, I have asked Kim Cameron, Mike Jones and others to talk about CardSpace from an enterprise perspective as the conversation to date has been somewhat consumerish in nature. Luckily, Microsoft blogger Curt Devlin stepped up to the challenge...

Figured I would dissect his most thoughtful posting:

This tells me that Kim and Mike need to redouble their efforts and focus more on selling internally as well. At how many Microsoft events do the likes of Chris Winn, Sean Lewis and other security folks from Microsoft take the opportunity to talk about CardSpace? Do you think my employer has been formally briefed on it?

In order to truly understand the ecosystem of identity, one needs to be aware of industry-vertical settings. It is no longer sufficient to simply attempt to find an enterprise architect to pitch your value proposition to. If software vendors such as Neustar, Ping Identity and others figured out that they need to speak to ecosystems as well as individuals, then more progress could be made.

The identity management crowd, with their super expensive provisioning tools, forgets to talk to customers about problems within an ecosystem that weaken security, and focuses only on local concerns. We all know that enterprises are horrible in terms of timely provisioning and do an even worse job of de-provisioning users once they have either left their employer or changed roles. Reality says that if an enterprise is exposed internally and also needs access to other systems in other enterprises, the problem only gets worse. Have you ever heard Nishant Kaushik or others from Oracle talk about the importance of federated provisioning via SPML? What would it take for Pat Patterson to openly declare when Sun IdM runs out of juice and for folks to realize that they need something else?

I am of the belief that many enterprises have no issue becoming relying parties where the identity provider resides elsewhere. I do believe that the problem that isn't discussed is the infamous "who's going to pay for it?" Reality says that the best model is for the users themselves to pay any fees desired by identity providers, since they not only have the relationship but also a choice in which one they want to use. This, of course, contradicts past practices.

Another thought says that these types of relationships won't happen quickly due to regulatory considerations. Imagine a regulated industry vertical that is on the radar of the likes of Eliot Spitzer. Do you know how difficult it would be for multiple carriers to talk with each other regarding technology without some lawyer somewhere getting it twisted and thinking about collusion?

One potential answer to collusion is that software vendors such as Microsoft, Oracle, Ping Identity, Sun and others could stop sending their order-taking sales folks and start figuring out what role they need to play in terms of community formation. I would love to see Patrick Harding share his thoughts on this topic, as he has the perfect background to make this happen.

The funny thing about Microsoft is that they should at some level consider their own use cases. For example, I know that Microsoft outsources its benefits administration; wouldn't CardSpace make it more secure for their own employees? I would be curious to learn the actual implementation details of how this works today within Microsoft. I wonder if they are leveraging ADFS, OpenID or some other technology?
