European Identity Conference – Day 2

The second day of EIC is over, and I have to say I’m impressed. I’m feeling a real interest in Identity Management by the participants, that will hopefully turn into real projects and through the feedback loop bring the topic forward.


Today there were a lot of breakout sessions in addition to the keynotes. GRC was added as a topic in many titles, but I have to say this needs more work – I didn’t find much to take away regarding GRC, and some sessions that had “GRC” and “Compliance” in the title mentioned neither.

From a consulting perspective (i.e. real world needs) most of what is discussed here may sound like science fiction to participants. Most customers I’m talking to are busy working on much more mundane issues, namely re-gaining control of the authorizations they created and distributed over the years when words like “GRC” and “Compliance” had not yet been discovered.

More than one session complained about the complexity of todays authorizations (Kim Cameron said something along the lines of “I’m happy that SAP is on the panel to take the heat for this” ;) ), and everybody was ready to take a vow to simplify, many saw XACML as the solution.
This of course completely ignores that the complexity has not been implemented because programmers are too lazy to simplify, but because customers asked for the flexibility to be able to control access in such a granular way.


I will go on a limb and say that if authorizations were easier, applications supported XACML and supported claims, management would not be that much easier for customers. The reason I’m saying this is that I often see customers struggle to define the exact access that should be assigned to employees.

So, a logical step to advance the topic would be to work on processes and best practices to assist in defining access requirements, that can then help to define an authorization structure that can actually be well supported by identity management systems. Right now, we may succeed in speeding up provisioning, but if the mess still remains below the surface, this is not much more than put lipstick on a pig.

European Identity Conference – Day 1

OK, back in the hotel after the first day of this years European Identity Conference in Munich.


My colleagues have a booth on the ground floor presenting SAP’s Compliant Identity Management solution.
This year, I’d say conference attendance is a lot higher than last year. That would also correlate with our experience that Identity Management is getting traction in the market; we’re seeing a lot of interest from customers.


The keynote presentations were reasonably good, I’d count Kim Cameron and Dave Kearns as the most interesting ones, as they are very much forward thinking and not directly product related (at least not with a commercial interest). They also had lots of quotable stuff for my own presentations ;)


Back on the expo floor, I had two interesting encounters.

Next to the bar, a company called “SecurIT” had a batch of Pokens on the counter, and they were nice enough to give me one! A Poken is a small USB device that links to a profile that you can link all your social network identities to. When you meet someone who also has a Poken, you hold the two together as a kind of handshake and your Poken profiles are being exchanged. Let’s see if I can find someone else who has one….

The conference material also had a voucher for another small identification device called the “YubiKey“. This one blew me away – it acts as a USB HID (human interface device) and on the press of a button, it emits a 40 character generated password. That again links to a server that you can implement for your infrastructure which will verify your authentication. The company is called “yubico” and originates from Sweden. Their web site has a free SDK and offers many implementation paths. Integration into SAP Netweaver should be pretty straightforward, maybe that might be an option for some customers. If you’re an SAP developer interested in playing with it, let me know.

All in all, a very exciting day. I met lots of people, and I’m looking forward to networking even more over the next days – after all that’s the best part of taking part in a conference.

The Twitter backchannel is quite active, the hashtag is “#eic”. Let’s see how that develops over the next few days.

5 Security trends for 2007

Vinnie reports from an article on CIO Insight:

“Security and Risk

17. No abatement of IT security threats

18. Security concerns turn users away from Windows

19. Security morphs into risk management

20. Compliance achieves what government intended

21. Compliance spurs financial process improvement”

This totally reflects what I see happening in my job as a security consultant, especially regarding the last 3 items. While lots of the work is forced on the clients by regulators or auditors, more and more they’re seeing the benefits.

Also, risk management means the processes are getting more important than the tools. Companies are starting to grasp that there’s more to risk management than firewalls and virus scanners.

That’s a good thing.