Keeping Cool At The Cloud Identity Summit

8/1 update: Bob Blakley, VP and Distinguished Analyst for Gartner - and fabulous photographer - has posted his photos from the Summit at http://t.co/Up6qa75. Definitely worth checking out.

I spent most of last week beating the Dallas heat in Keystone, Colorado, for the second annual Cloud Identity Summit, hosted by Ping Identity. This is a great conference for the "identerati" - key players in cloud identity security and standards from companies like Ping, Google, Microsoft, Salesforce.com, and UnboundID - and increasingly, high-level identity professionals that want to learn how to address their own identity issues in our hybrid on-premises / cloud future. And it certainly lived up to expectations.

The conference has about doubled in size from last year, but it's still only about 250 attendees. This allows everyone to rub elbows with everyone else, and participate in some really interesting conversations. It's part of what makes CIS special. You could tell how the conversation has evolved from last year. In 2010, most of the talk was about the existing and emerging protocols that make cloud identity work such as SAML, OpenID, and OAuth. This year the talk has moved both deeper (Shibboleth’s Ken Klingenstein gave a breakout session named “Killer Attributes”) and broader (for example addressing the need for standardized just-in-time provisioning / de-provisioning of accounts at the service provider).

Monday and Tuesday were reserved for pre-conference workshops held by experts from salesforce.com, Google, Microsoft, and Ping. There was also an OpenID Summit held at the same time to work on the evolving standards of this important authentication protocol. Wednesday and Thursday were the big days, however, with keynotes and two breakout tracks each afternoon. Andre Durand, the founding CEO of Ping Identity, acted as master of ceremonies, obviously respected his speakers and indeed shares a long technical history with many of them. His short speech focused on the importance of the formal and informal standards work being done at the conference, quoting Konrad Friedemann’s “Every undertaking…is generally accompanied by unforeseen repercussions that can overshadow the principal behavior.” (If you need an example, think of the IBM PC.) He quite rightly noted that results from a conference like this that focuses on cloud computing security and identity standards will affect literally billions of people in the future.

Gunnar Peterson, Principal Consultant for the Arctec Group and overall highly respected security guy, led off the keynotes with “Cloud Identity: Yesterday, Today, and Tomorrow”. He demonstrated how, as software architecture has evolved over the last ten years, the security model (firewall and SSL) has not evolved to keep pace. He pointed out what he considers to be one of the most important statements in the Cloud Security Alliance (CSA) Security Guidance paper: "A portion of the cost savings from cloud computing must be invested into increased scrutiny of the security capabilities...to ensure requirements are continuously met." In other words, companies should take some of the capital they’ve saved by the move to cloud computing and invest it in security – because today’s firewalls and SSL transport encryption isn’t up to the job.

Patrick Harding, Ping’s CTO, presented a “State Of Cloud Identity” keynote. He mentioned how he was recently interviewed by CNN on cloud security, and one of the instructions CNN gave was that he talk about the topic as though he were addressing an eight-year old. (It’s good guidance to keep in mind when you talk about cloud security to non-technologists; it forces you to boil complicated concepts down to their essence.) Most of his keynote covered an important project named SCIM, for Simple Cloud Identity Management. SCIM is a specification to create a standard for adding, changing, and deleting user accounts at service providers. Currently there is no standard, and as a result setting up a connector between the identity provider (e.g. your enterprise) and the service provider (e.g. one of the thousands of SaaS applications available) requires custom work for each vendor. I’ll talk more about SCIM in a future article, and Patrick has posted a short SCIM tutorial video about it.

Pamela Dingle of Ping moderated a panel about the future of identity and mobility featuring speakers from Google, Verizon, and LG. The standout quote came from Paul Donfried, CTO for Identity and Access Management at Verizon. Answering a question about location privacy on mobile devices, he quipped, “People worry about service providers locating their phones. Well, if we don’t know where the hell your phone is, we can’t make it ring.”

In “Federated IT and Identity”, Microsoft Technical Fellow John Shewchuk talked about how, since last year, “we’ve really hit the tipping point on cloud”. The conversation has moved from just the infrastructure to the applications on top of the infrastructure (such as productivity, mobility and consumerization) that are driving cloud computing’s adoption. “Applications are pulling in customers, and customers are pulling through the infrastructure…it’s not about the identity erector set, it’s about the solutions (customers) can get.” 50,000 organizations, for example, signed up for Office 365 the first two weeks after the product launch. He also mentioned what must be the largest Active Directory-like directory in the world: The Windows Azure directory. This is a multi-tenant, highly available, highly scaled directory, “built on the same model that we have with Active Directory.” It houses the synchronized identities of customers using Azure, Office 365 / Live@edu, and presumably many other Microsoft online properties. His key message was that, in the new world of federated IT, companies must empower IT professionals to empower users or IT will become less and less relevant as users find their own way without IT.

Gartner Vice President and Distinguished Analyst Bob Blakley got everyone’s interest with his session title: “Death of Authentication”. His premise was, unlike the real world, authentication took place because there wasn’t enough information about you online to identify you. With the increasing ubiquity of the internet and the rise of social media, plus the explosion in mobility, that’s rapidly changing. People will be able to identify – not just authenticate– someone using their mobile devices, which will collect and correlate a wealth of public information about a subject to give the user an augmented reality. (Think of James Cameron’s Terminator head-up display.) The trick, of course, is to use this augmented reality wisely and enact restrictions on retaining data after the subject has been identified.

Finally (though there were other excellent presentations), Jeremy Grant of the National Institute of Standards and Technology (NIST) presented a US government strategy with the potential to greatly increase the individual’s online security. Called the National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced “n-stick”), it envisions an identity ecosystem composed of private identity providers working within a framework of standards they participate in creating. This ecosystem will allow individuals and organizations to use enhanced, more secure versions of their accounts with existing and new identity providers to access a range of online services well beyond what’s available today. Participation in the system will be voluntary, but the goal is to make the system so useful and secure that it will be voluntarily adopted. The government intends to only provide a general framework, coordination, and "grease the skids" (for example, volunteer agencies to act as early adopters) to keep things moving forward.

If you’re suspicious of the government having any involvement in cloud security, know that remarks and tweets from almost all of the identerati present were favorable after listening to Jeremy’s engaging presentation. It’s the right direction, and the right idea. But even though everyone wished Jeremy good luck, the devil is in the details. The strategy is just getting started, and it could be derailed by any number of road blocks or political interference in technical issues. I’ll examine the NSTIC strategy in more detail in an upcoming article. Jeremy’s standout quote: “We think the password is fundamentally insecure and needs to be shot.”

This year’s Cloud Identity Summit exceeded the expectations set by last year’s inaugural event. It combined technology learning, getting trends and opinions from the people that know, one-on-one networking, and standards work so important in this early phase of cloud computing security. Andre Durand and Ping Identity deserve special thanks for organizing and putting resources into a conference that is not, by any means, just about them. The Cloud Identity Summit is all about getting the right people together (evidenced by the stellar array of speakers and the fact the conference was sponsored by both Microsoft AND Google) and watching the unforeseen repercussions reverberating through the cloud.

Sean writes about cloud identity, Microsoft hybrid identity, and whatever else he finds interesting at his blog on Enterprise Identity and on Twitter at @shorinsean.