What IIW Means to Enterprise
Identity in the enterprise
Mike Beach from Boeing
Lena Kannappan from FuGen
Current issues
Mike:
because of security and privacy concerns we have a team looking into identity technologies. Our requirements are:
* easy for users * cheap * better than passwords
if a few thousand were using info cards and Boeing could start issuing the cards then maybe the users would start to be familiar with the technology.
"Boeing has no low value transactions" (therefore, no Open ID)
Lena
in the world of IDPs, you don't want only one (passport model), and you don't want many (anyone is an IDP) issue now is that people only talk about product interop; have you make it really work? No set of best practices exists.
Comment made about the fact that a lot of identity technologies today seem to be Web centric.
The enterprise is not necessarily web-based; network access has always been separate from application access.
Comment about cardspace can be physically based in a physical card. Typical enterprise identity boundaries: OS -- network -- application Mike: in the next five years we want a badge to be a little logins using a smart card to unlock your device will be able to leverage the certificate store in Vista. Students at universities want to be able to use their existing e-mail instead of the e-mail address provided by the University. Universities of as a whole access and federate to a cloud of identity providers. So today, students want to use their own e-mail, we see next that people will come in with their own identities to the University.
Discussion about value proposition Liberty and WS* address one value proposition, open ID focuses on a different value proposition (users having multiple passwords)
Hank: I don't think staff identities will be external in the enterprise ever. Question about whether university should provide username/password for low value transactions.
Trends
* SAML becoming a more dynamic * open ID is exploring becoming more static
Mike: "I want convergence, not interoperability."
Reputation systems are not how Boeing makes decisions. Boeing makes decisions based on contracts, not reputation. Perhaps open ID from specific providers will be white listed. Or alternatively to the white list, specific providers may be certified, for example by FuGen. Question about whether to rely on certification I trusted third party as opposed to trusted named federations, similar to the automotive industry.
Question: how important is open source?
Hank: low. The question is about support; you have SLAs and contracts. Support is a big issue.
Grass is always greener: if you are not using open source, that open source is appealing for its cost. If you are using open source, the support is extremely appealing.
If you question the authentication provider you have to question the authorization. Re: open source, these are important:
* deployability * support
for example, a third-party vendor started with open SAML (open source) found that it was too hard and gave up, then went to a third party. Enterprise: more $ than people University: more people than $
Comments about the fact that we don't see a lot of new corporations attending IIW. I IW is not for enterprises, enterprises are not taking seriously, we need different events? Comment about the fact that "user centric" turns away many enterprises. Enterprises avoid this sort of meeting and just "wait for Gartner"
Consensus
Enterprises are looking for credential providers for IDP's
we need a common understanding of the levels of assurance.
What about liability -- you don't assume liability unless there is value. .