We sat down with Kim Cameron, chief identity architect for Microsoft and creator of the "Seven Laws of Identity" to get his views on the future shape and role of identity in consumer and enterprise applications.

Microsoft Chief Identity Architect, Kim Cameron, was interviewed by Neil MacDonald on 20 November 2007


Gartner:

You're well-known in the IT industry as the creator of the Seven Laws of Identity. What was your motivation for writing them?

Cameron:

It was interesting. The idea came to me during a panel discussion in 2005.
I've been in the identity world since, I guess, the early 1980s (and here I'm talking about digital identity; I leave the problem of philosophical identity to the Greeks). Anyway, at some point in the 1980s I discovered that the hard thing about e-mail was directory and identity. So I became fascinated by it. Over the years that followed, I continued to see the same ideas recycled again and again.
At the time of the panel, Identity 2.0 was just beginning to emerge. It occurred to me that we'd gone back to square one on digital identity for the hundredth time. The only way that we'd go further is if we started to codify where we'd gotten to. I wanted to try and grasp what the theory was, not from an abstract point of view (because I didn't think that would have any influence on anything) but rather from the point of view of what the industry should do and what the industry should build.

Gartner:
 For people who aren't familiar with the concept, how would you explain personal identity frameworks, Identity 2.0 or the Identity Metasystem at a high level?

Cameron:
 Well, systems should be capable of responding to us as individuals and support interactions based on relationships. In order to do that, we have to know things about each other. Right now, we don't even know who we're talking to on the Web. The Web is missing its identity layer. How can we build relationships in a world where we don't know who we are talking to? A lot of the Web 2.0 stuff is based on the notion of communities, relationships and an understanding of my individual preferences. A lot of people would like their personal information to be transportable and shareable. I've got information over here that I'd like to get over there, and by the way, I'd like you to be able to see my calendar. But who are you? I don't know. Nobody has an identity.

Gartner:
 We have a form of identities, but they're siloed. I have an identity in Facebook, or I have an identity on eBay or Amazon, but it's been this way for quite a while. What creates a tipping point for something to change, for an identity metasystem to emerge?

Cameron:
 The identity we have at Facebook and so on isn't my identity. That's Facebook's version of my identity. And when we say we're siloed, it means that our experience is very compartmentalized. It makes sense from the point of view of Facebook. I'm a user. I'm part of Facebook's system. But my identity transcends Facebook and all these other Web sites. I want to be able to mix and match stuff across all kinds of different sites and interactions. That's what I mean when I'm saying that I don't have identity on the Web. What we have is systems that define us on the Web. We need to turn that around. We need to define our identity on the Web in a way that makes it possible for us to take information from one system to another system, breaking down the silos. We actually are seeing that. Now you're saying, "What are the forces that push toward that?"

Gartner:
 Exactly. Facebook is doing a great business as is. It has millions of users. It is valued at billions of dollars. It's got Microsoft investing in it. Why change?

Cameron:
 Look at what happens in Facebook when they decide that they need to attract developers. Developers now have to know what your identity is from a Facebook point of view and whether you really are that identity. To enable this, Facebook has to publish APIs that end up pulling down some of its walls. And, yes, they're cautious about that. I was on a panel with someone from Facebook and they were actually being criticized because of their walls, which was unfair because they have no more walls than anyone else. But he explained they are taking down walls because that is the precondition to having the development community and the applications built on the Facebook platform.
It's interesting then to look at Google's recent OpenSocial initiative, seen by many as a response to Facebook. It positions itself explicitly as having fewer and lower walls, allowing itself to be integrated more easily by developers. So we can see there is a dynamic of competition based on the fact that, to become a platform, you need to bring down your walls. There's a new dynamic in the Web 2.0 economy based on becoming platforms with applications on them.

Gartner:
 But I'm concerned. This still seems like a chicken-and-egg scenario. Someone has to provide these identities. Someone needs to take some liability. This is going to cost money. Who makes money? What motivates identity service providers to emerge out of this chaos?

Cameron:
 I'm going to start in a strange way in terms of answering that, by arguing that what's really happening here is the emergence of a new model for how you build software, how you build these mashup applications. That's where we should start from. Not from the point of view of the economics of the identity provider. I'll come back to those economics, but what's happening here is that by using a system of claims, it turns out it's tremendously easier to build loosely coupled systems than it is without them. That's what we need to create these mashups inside and across organizations. Applications aren't going to have all of the services inside of one box; the services are going to be all over the place. And some of them will ultimately be in a different company. Without identity and claims, it's very difficult to hook them together.
Identity and claims change this. Imagine a process carrying its little bundle of claims and the claims are not proprietary to one of the systems, but rather nice, easy-to-understand things like, "This person is a resident of the state of Washington," or "This person is over 21," or whatever it might be, right? These are straightforward claims that operations and systems can understand.
This greatly simplifies applications. When you start to explain this to the application developers, they get excited. When they start to look at claims, they don't see it as "here's an identity provider" and "here's a relying party" in sort of the consumer scenario sense. They see it as "here is a whole mechanism for building applications where you can carry the information that's needed in order to deliver complex interactions with mashups." And so they became tremendously interested. Developers can be pretty jaded people. To get them excited at a new technology like this, it doesn't happen very often. But they see the benefits of claims. So my argument is that the applications will be the driver.

Gartner:
 Today, I have an enterprise identity and lots of consumer identities. Even if we get it together on the consumer side, do these two worlds remain separate? Or do they come together?

Cameron:
 In terms of the problems being solved, they come together. What happens on the Internet always predominates over what happens inside the enterprise and then moves into the enterprise over time. Look inside the enterprise: we have SAP over here and we have SharePoint over there. As a user, is my identity in SAP or is it in SharePoint? Suppose I'm Kim Cameron and I'm here and I want to take all the people from this list, let's say within SAP, and give them access to my SharePoint site. Today, I have to synchronize list membership and attributes out of SAP and stick them into SharePoint. It becomes very convoluted. What if I could transparently get visitors to go to SAP and pick up a claim that they're on the list and then use that claim in SharePoint? That's the end of the problem. All of the complexity goes away. And what you're solving is really the same thing as "I want to use my information from Facebook over at MSN."

Gartner:
 The problem we are solving is the same. So let's assume we move toward a claim-based model for the consumer world and the enterprise world. At what point does a claim from the consumer world mean something to the enterprise world, and vice versa? Do these things remain separate or converge?

Cameron:
 That's it. You've put your finger on why we call them "claims." Because they're in doubt. So once I have a system inside the enterprise which can tolerate doubt, I can have a claim coming in from outside, do a risk analysis in my system (and we're going to talk about that in a minute), that says I'm going to use that claim to do this because it will cost me more to ignore claims like that than to accept them. So, I could just say, I'm going to take claims from these places on this one server. So now are those claims from inside or outside, are those consumer claims? Maybe some of them are! Maybe I've got a relationship with some of the large companies and it's not that we "trust" those identities for doing our funds transfers here at Microsoft, for example, but we're certainly willing to do joint projects together.
So this has led to the notion that identity is claims with claims being assertions that are in doubt. This question of doubt is key. Once the boundaries are gone, there is no godlike source of truth within the system. You're going to have multiple inputs and you have to arbitrate, and decide how you are going to behave based on who is providing the inputs. The whole notion of deperimeterization and information protection where we start to put the protection inside the information as opposed to these artificial boundaries means that the identity technologies for consumers and enterprises have to converge.

Gartner:
 Deperimeterization? Do you believe that the need for traditional network security mechanisms like firewalls will go away?

Cameron:
 One of my big "Ah Ha's" working on this was the power of claims to change the way we frame this question.
Our new thinking came out of our work on federation, where we first figured out claims. Then one day we started to see that people were using claims for unexpected reasons. And we started to get the idea that these things are actually powerful beyond federation. They help us get over silos of all kinds. There are silos between applications and claims can help us to get over them. They can help us to get over the silos between platforms. They can also help us get over the different layers that lead to information.
Right now you have the firewall, which is completely disconnected from the network access protection and quarantining layer, and then you have the guard on the machine that lets you pass from the network into the machine. These are all silos. And then once you get through that you have to access the application, another silo. And then access to the hard disk, and that's another silo. And then if you have digital rights protection you have access to the information itself. And then access to the transactions and the Web services. And so what has happened? Anybody who is building any part of the application has concluded, "Gee, I'd better start getting interested in security, to make sure I'm protected too." And so you've gotten all these individual pieces and they've done a wonderful job with their security, but they've only done it inside their silo. The result is complete confusion.

Gartner:
 How does an identity metasystem help to solve this problem of enterprise security silos?

Cameron:
 Yes, suppose now I have a claim which says that I can access Neil's wiki. Let's see what happens. Neil says, "Kim can access my wiki." So now when I go to the wiki, it realizes I need to be able to access a fileshare. So it creates a claim that I can take to the fileshare. I give it to the fileshare, and it realizes that to gain access, I need to be able to get past the machine guard. It adds a new claim that I can give to the machine guard. And then the machine guard can say, "Because he can access me as a machine guard, I'll let him in on the network domain to connect to my machine." And so Kim ends up with a book of "coupons", claims that he can present to all the different components that he is navigating. The key here is that the whole thing works through an end-to-end policy that is applied through capability claims transformers that allow one coupon to issue another. So this could not be a more enterprise-oriented technology in my view.

Gartner:
 I want to talk about identity federation for a moment. Say Gartner wants to federate with Fidelity, since they run our 401(k). The technology to enable federation is understood, but federation still seems to be the exception. Typically, it comes down to culture, politics, trust and legal documents. Do you see anything that changes this dynamic?

Cameron:
 The first thing that changes in the Identity 2.0 model is the user is now present in the interaction. The Fidelity case is an especially interesting one. I happen to know something about that case, because I've watched an instance of it with my own eyes here at Microsoft. Let's suppose that Microsoft wants to federate around Fidelity and now the Microsoft users can use their credentials to go to Fidelity. That's really convenient so we proposed building that. But the first response was a whole bunch of people who said, "I don't want Microsoft to be able to get into my Fidelity account." These are loyal, loving Microsoft employees, but they still thought of the Fidelity account as solely their account. The second part was the lawyers looked at this and said, "Can someone please explain the business justification for Microsoft now taking the liability for people breaking into our users' accounts? We don't have that liability now, so why are we assuming this new liability?" So part of the reason that federation didn't work was that the user had been eliminated from the discussion. The user had disappeared and the system engineers were too smart for their own good, setting up these backchannel relationships and not thinking through the liability issues.

Gartner:
 So how does this change with an identity metasystem?

Cameron:
 Let's say we had this metasystem and now Fidelity was willing to accept claims either from the individuals themselves or from Microsoft. And in the CardSpace metaphor, you have one card that says you're from Microsoft, and another card that's your personal card, right? When I go to that site I can use whatever card I want and who's making that decision? Who's taking the liability? Me!
I'm the one that makes the decision. And I should be the one making the decision. It shouldn't be done behind my back in an automated way such that I have no clue what's going on. So that's a good example of how the early ways we built federation created trust problems, rather than solving them.
I personally believe that you should only remove the user from the situation when the user explicitly says, "I really want to be removed. This is bothering me. You take over." For example, if I'm going to the same Web site all day long, I'll probably want to have a checkbox that says, "Automate this." But once again you're respecting the users and their decision-making. And so they're part of this and they are taking on the liability just as they do when they are in business. We're all taking risks all day. Our businesses wouldn't make money if we didn't take risks. What's happening today is the IT people whose job it is to prevent risk are the ones who have to set up the federation systems that involve risk. How can they, in all conscience, put in something that increases risk? On the other hand, if you have a businessperson who says, "I can reduce friction, do more business, and make more money by putting in place this system, even though there's a bit of risk," that's just normal business. There's always risk. And so my point here is that the wrong people have been trying to solve this problem.

Gartner:
 Even though the users get to select which identity they use, Fidelity would still have concerns about liability. Suppose the users choose their Microsoft identity. Fidelity still wants to know that the Microsoft user was properly vetted and authenticated. So, yes, the user involvement issues are resolved with Identity 2.0 but not the organizational trust issues. So how do you see progress in this area being made?

Cameron:
 The Fidelity scenario is more complex than some others because in it, Fidelity has relationships both with an employer and with its employees. Where are the actual benefits of federation here? It isn't clear to me how the employer really benefits enough that it is worthwhile for it to assume new liability.
Fidelity might benefit from reduced help desk costs and better security by accepting employer-managed credentials, but would likely have to indemnify the employer before the latter would cooperate. This, in turn, would only be worthwhile if the user thought there was an increase in security and convenience, in other words, control.
There are much clearer scenarios (for example, relationships with suppliers, customers and outsourcers), where the participating parties benefit more tangibly through federation, and where the legal issues are more similar to those arising in conventional relationships. I think that once federation software starts to become commoditized and ubiquitous, businesspeople will sense the opportunities in these scenarios, and that will drive federation. In addition, we clearly need standardized legal frameworks, so business decision makers don't have to be "pioneers" to set up identity relationships.

Gartner:
 In prior Gartner research, we concluded that if identity metasystems are going to work, they have to involve the banks, the credit card companies, the telecommunications companies or the government. Is this inconsistent with your vision of an identity metasystem?

Cameron:
No, that's a part of the vision. The identity metasystem is coming from all over the place. It's coming from bottom up, it's coming from sideways, it's coming from federation, it's coming from application development, and it's going to come from large Web sites, financial institutions and government. Governments have this tremendous problem right now. They don't really deal with us much electronically. So whenever we deal with them, they don't have a good handle on who we are. How often do you go to the income tax Web site? I don't know how many people remember their password from one year to another with a single use of the site, but I'd bet it's not very many. So a number of people that I've spoken to in government here in the U.S. are interested in outsourcing identity to people who do have close relationships. And this is surprising, but I think a very encouraging thing.
For example, a bank does have a close relationship. It knows who you are and it would be nice for consumers to be able to leverage that identity when getting into a government site. Citigroup has an extremely strong initiative where they've become a certificate authority that issues high-assurance certificates. Well, who is positioned better than them, to do that? Except, of course, the other banks. And they're very smart! There's a vice president there named Hilary Ward who, when I first met her, after listening to the laws of identity said, "We've been in the identity business for 500 years. We don't actually deal with money. We deal with identity." She knew that. She was completely conscious of that. And she was trying to build a business around that. Now the question is who is going to be willing to be a relying party for that type of service? I think it makes a lot of sense for government to outsource some of this stuff to people who have the core competence of maintaining close relationships with people. Not all governments will do that, of course, since in many countries there is a strong tradition of the government issuing identity cards. But it's an example of the new options that Identity 2.0 provides us.

Gartner:
 Gartner has written about "what you need is what you get" applications and services enabled by an underlying context delivery architecture. The idea is that as I, as an individual, move between networks and devices, there is a contextual understanding of who I am, and where I am. We believe there is a new generation of applications that absolutely depend on identity and presence as context. Have you considered this?

Cameron:
 Well, I haven't heard such good words for it. But, yes, we talk about this all the time. And of course the really interesting additional complexity is the privacy problem. You have the "follow me" aspect of it. But due to the indelible nature of activity in the digital world, you also have the corresponding "don't follow me" issue. So we need to solve those two problems simultaneously. And this can be done through claims. I can say "follow me" as someone with this characteristic, instead of "follow me" as someone with this serial number, as we do today. And I can get all of the contextualization; in fact, I can get more convenient contextualization than I could through a serial number. Because when you start with a serial number, then you have to look things up: "Here's a person with a serial number, what is their music preference?" But now you have the questions of: Can I get in to look it up? Would the subject want me to look it up? These bring in the privacy element. Those problems are just too hard to solve.
Whereas with claims, claims become a way to carry a set of music preferences, and those preferences have nothing to do with my serial number. The privacy problem goes away, and the security problem of granting access to the resource goes away. I give them a coupon that conveys a set of musical tastes.

Gartner:
 This is a critical point. How does the issue of privacy go away?

Cameron:
 Because I haven't revealed my serial number, the metaphor for my unique identifier. In a world without claims we had to have a number that identifies the user with a unique identifier so we'll be able to look stuff up with it. But, to make this work, we have to reveal the number, and that's the problem. Now you've got this linkage between all aspects of things, and you also have to control who can follow and see what that number is linked to. Both are incredibly complicated problems.
Claims make that go away, because instead of giving you a number, I just give you the actual set of preferences you wanted. You say, "I want your claims about your music tastes." And I give them to you. It's part of my identity.
A lot of people, when you initially talk about "identity," think you mean "identifier." This is especially true in the technical world where, if you talk about identities, many people will assume you must be talking about identifiers. However, if you look in the dictionary you'll see that identity includes things like, "I'm of French origin, that's part of my identity. I'm an American citizen, that's part of my identity." Those are not unique identifiers, but they may have tremendous bearing on the types of food you like, art you prefer and these sorts of things. So with the claims model we're just getting back to a deeper, more humanistic, longtime and ancient notion of identity, instead of this sort of serial number version of identity that came along in the diaper days of computing.
