Enterprise Architecture: From Incite comes Insight...: Enterprise Scenarios for CardSpace

Monday, April 07, 2008

Enterprise Scenarios for CardSpace

On several occasions, I have asked Kim Cameron, Mike Jones and others to talk about CardSpace from an enterprise perspective as the conversation to date has been somewhat consumerish in nature. Luckily, Microsoft blogger Curt Devlin stepped up to the challenge...

Figured I would dissect his most thoughtful posting:

Hey! CardSpace is not just a consumer technology. If you think it is, you're missing the point. It is a bit frustrating to hear even some of my Microsoft colleagues refer to CardSpace as though it belongs on the shelf somewhere between Zune and Halo3.

This tells me that Kim and Mike need to redouble their efforts and focus more on selling internally as well. How many Microsoft events where the likes of Chris Winn, Sean Lewis and other security folks from Microsoft take the opportunity to talk about cardspace? Do you think my employer has been formally briefed on it?

To see why, take a look at the scenario I bumped into recently in the insurance industry. As anyone who has purchased insurance knows, many products are sold and sometimes managed by independent insurance agents. For these products, the industry is not simply a collection of large, competing carriers; it's an ecosystem of inter-dependent organizations.

In order to truly understand the ecosystem of identity, one needs to be aware of industry-vertical settings. It is no longer sufficient to simply attempt to find an enterprise architect to pitch your value proposition to. If software vendors such as Neustar, Ping Identity and others figured out that they need to speak to ecosystems as well as individuals, then more progress could be made.

It's often highly impractical to manage the identities of these non-employees as though they were internal members of your own organization. Yet at the same time, providing direct access to internal resources or applications can really streamline core business processes-if this access is secure.

The Identity Management crowd who has their super expensive provisioning tools forget to talk to customers about problems within an ecosystem that weaken security and only focus on local concerns. We all know that enteprises are horrible in terms of timely provisioning and do an even worse job of de-provisioning users once they either left their employer or have changed roles. Reality says that if an enterprise is exposed internally, if they also need access to other systems in other enterprises, the problem only gets worse. Have you ever heard Nishant Kaushik or others from Oracle talk about the importance of federated provisioning via SPML? What would it take for Pat Patterson to openly declare when Sun IdM runs out of juice and for folks to realize that they need something else?

In short, organizations must demonstrate their willingness to consume identity tokens from external identity providers. But they will hardly be willing to invest in the technology to consume tokens if there are no providers. The chicken and egg problem rears its ugly head once again.

I am of the belief that many enterprises have no issue becoming relying parties where the identity provider resides elsewhere. I do believe that the problem that isn't discussed is the infamous whose going to pay for it?. Reality says that the best model is for the users themselves to pay any fees desired by identity providers since they not only have the relationship but also choice in which one they want to use. This of course is contradictory though to past practices.

Another thought says that these types of relationships won't happen quickly due to regulatory considerations. Imagine a regulated industry vertical that is on the radar of the likes of Elliot Spitzer. Do you know how difficult it would be for multiple carriers to talk with each other regarding technology without some lawyer somewhere getting it twisted and thinking about collusion?

One potential answer to collusion is that software vendors such as Microsoft, Oracle, Ping Identity, Sun and others could stop sending their order taking sales folks and start figuring out what role they need to play in terms of community formation. I would love to see Patrick Harding share his thoughts on this topic as he has the perfect background in order to make this happen.

The funny thing about Microsoft is that they should at some level consider their own use cases. For example, I know that Microsoft outsources its benefits administration, wouldn't CardSpace make it more secure for their own employees? I would be curious to learn the actual implementation details of how this works today within Microsoft. I wonder if they are leveraging ADFS, OpenID or some other technology?