The second day of EIC is over, and I have to say I’m impressed. I’m feeling a real interest in Identity Management by the participants, that will hopefully turn into real projects and through the feedback loop bring the topic forward.
Today there were a lot of breakout sessions in addition to the keynotes. GRC was added as a topic in many titles, but I have to say this needs more work – I didn’t find much to take away regarding GRC, and some sessions that had “GRC” and “Compliance” in the title mentioned neither.
From a consulting perspective (i.e. real world needs) most of what is discussed here may sound like science fiction to participants. Most customers I’m talking to are busy working on much more mundane issues, namely re-gaining control of the authorizations they created and distributed over the years when words like “GRC” and “Compliance” had not yet been discovered.
More than one session complained about the complexity of todays authorizations (Kim Cameron said something along the lines of “I’m happy that SAP is on the panel to take the heat for this” ;) ), and everybody was ready to take a vow to simplify, many saw XACML as the solution.
This of course completely ignores that the complexity has not been implemented because programmers are too lazy to simplify, but because customers asked for the flexibility to be able to control access in such a granular way.
I will go on a limb and say that if authorizations were easier, applications supported XACML and supported claims, management would not be that much easier for customers. The reason I’m saying this is that I often see customers struggle to define the exact access that should be assigned to employees.
So, a logical step to advance the topic would be to work on processes and best practices to assist in defining access requirements, that can then help to define an authorization structure that can actually be well supported by identity management systems. Right now, we may succeed in speeding up provisioning, but if the mess still remains below the surface, this is not much more than put lipstick on a pig.