#eic10 part 2: lacking policy, lagging XACML, authZ not so externalized
I’m not sure why, but the theme for me at EIC10 was policy. It wasn’t that the sessions or discussions were intent on going there. If anything, it was quite the opposite. I sat in on one of the “pre-conference” sessions that was titled “Moving beyond the Perimeter: Identity & Access Management for a Networked World“. That was what set the tone. I went in expecting a lot of discussion about how organization could, should and have been able to overcome the tricky policy barriers to open themselves up and manage access. The reality was that we spent a lot of the time discussing how to get over the challenges of making IAM work inside the perimeter so they can start thinking about the outside. For those that had some established outside presence for identities accessing other resources or accessing their own (and it was only a few), they were set back on their heels by my questions about policy and challenges to explain the legal implications of those access points. Later on, in a session titled “It has been Quiet around Federation. Is this a good Sign or a bad one?“, asked what challenges were faced by your organization when trying to federate, I answered that we (Quest) had faced numerous legal challenges to getting federation done. Each time has been a meeting with lawyers and lawyers meeting with lawyers and so on. The shocked looks from the general audience didn’t quite drown out the few nodding heads that clearly knew exactly what I meant. It shouldn’t surprise me that technology outstrips policy and that technologists don’t see the policy lagging behind until it’s too late, but somehow it always does.
Of course, technology is still my preoccupation so I was equally into the technology of policy that seemed to pervade EIC10. XACML was everywhere. Or maybe it only seemed that way because I attended so many of Felix Gaehtgens‘s sessions. However, there were a few stark contrasts that struck me. First, there were no fewer than 5 vendors on the floor offering XACML based or compliant solutions for externalized authorization. Despite that, I didn’t see one keynote mention it, nor customer story talk about having that be built into their architecture. Even the big vendors, when directly questioned about it, immediately submersed it into an acronym soup of SAML, claims, and other federated related stuff. It seems like many are now using “federated” interchangeably with “externalized”, which is sensible on some level but seems to lose some of the important distinctions between the two (e.g. trust is explicit with federation and implicit with externalization). By far my favorite externalized authorization moment was in a panel titled “How to make your Software Security Architecture Future-Proof” when Felix asked Kim Cameron, who had just made his interstellar announcement, the following: “if the application has to have internal logic to handle claims, then the authorization has not been externalized, right?” Kim made no real answer. But I think Felix said what a lot of people were thinking. Claims are the bees knees, but WIF still embeds all the authorization logic right in the application itself.
This will be the last on the conference. It was a real blast and I got to meet some of the folks who have haunted my mind via twitter for a long time in person. Good stuff.
About the Identity Sander
Error: Twitter did not respond. Please wait a few minutes and refresh this page.