The European Identity Conference (EIC), which has become the foremost gathering point for the identity community Europe, focused this year on a number of current topics in the areas of identity and security. A new track dedicated to cloud computing shed new light on application scenarios with special reference to security issues. Attendees and experts agreed that this will be the make or break issue for this well-hyped form of decentralized IT.
One important conclusion reached by many at the conference is that, while cloud computing may be good way to handle data processing and even some aspects of security administration, you can’t make risk disappear completely into the cloud. Enterprises themselves are responsible for the safety of their data in the cloud. For many SMEs – and in Munich for the first time there was an entire track, the “Forum Mittelstandsdialog”, devoted to the needs and concerns of small businesses – this is actually good news. After all, odds are that their data will be better administered in a cloud computing scenario than if they try to do the job themselves by “farming IT out to the owners’ son”, a sentence that became a recurring slogan at this year’s EIC.
Another persistent subject at the conference was the growing trend towards externalization of identity administration for applications. On the one hand, the necessary protocols are mature enough by now. On the other, OpenID is available as a lightweight (albeit not completely satisfactory) alternative for customer-facing applications due to remaining security loopholes. This discussion tied in neatly with the introduction of Germany’s new state-issued digital ID card, which took first prize at the European Identity Awards for its architecture, among other things. It enables verification of individual attributes (a person’s age, for instance) without requiring disclosure of their full identities.
Enterprises interested in using cloud services need to administer the identities of their employees securely, but also to set up processes to manage and control the risks associated with cloud computing. This calls for central applications platforms for monitoring aspects of GRC (governance, risk management and compliance) in addition to sophisticated “Identity as a Service” capabilities offered either in-house or by professional service providers. The new motto coined at EIC was “Identity management and GRC will be the last to head cloudwards.”
Various cloud-related sessions provided further proof that identity management is no longer viewed as a commodity. Unlike in previous years, where cleaning up complex user management landscapes was the key focus of interest, participants this year were more concerned with how they can externalize identities, effectively separating their management from the applications themselves, a trend that software vendors are beginning to follow. At least all the major vendors represented at EIC professed their support for this approach and claimed to have taken steps to ensure that their architectures reflect this trend. Microsoft, a company previously known for its conservatism, was one of the loudest and most innovative proponents of the new doctrine.
Incidentally, Microsoft (together with IBM) was also an award winner for its concept of “claims-based identity management” which has already found its way into concrete products such as “Uprove”. Like IBM’s “Idemix”, this system no longer calls for central hosting of identities; instead, access to individual applications can be granted simply through confirmation of certain attributes. This involves use of cryptographic protocols such as zero-knowledge proofs and “blind” signatures” for either standard or laboratory-grade security.
In fact, most vendors who displayed at EIC brought new and novel solutions with them to Munich, and most of them demonstrated „cloud-readiness”. The only remaining question is: Will customers buy in? Some keynote speakers, themselves occupying positions of responsibility within major companies and organizations, voiced reservations. Most agreed, however, that IT ecosystems face dramatic change over the next few years, and that the role of the CIO needs to be redefined. Classic full-service IT departments will soon be the expection and no longer the rule.
Martin Kuppinger aptly summed this up in his opening comments at EIC 2010 when he stated that "it is about the 'I' in IT, not about the 'T'."