
Identity and access management in 2008 : Sun
By Jerome Saiz, Wed, April 9th, 2008
Last edited 2008/04/11
Sun takes a seat with us as we continue our IAM interviews. We met with Olivier Prompt, Technical Manager for Sun's IAM products. He shares with us Sun's strategy for 2008.
SecurityNewsletter.com : What are Sun's priorities regarding IAM in 2008 ?
We see two major avenues of development for Identity & Access Management in 2008. First, we will focus on advanced workflow and roles management. Our acquisition of Vaau and its RBACx product last February will allow us to better help our customers model their organization within the Sun Java System Role Manager tool. Our goal here is to make IT more agile, able to adapt more easily to changing business requirements.
Our second focus will be on Identity Federation. Some major projects within both the public and the private sectors will reach deployment stage in 2008. This will give considerable traction to this segment. To us, Identity Federation is the ultimate stage in I&AM.
SecurityNewsletter.com : Why such a focus on Federation, since there are only a few projects out there so far ?
Identity Federation is essential to guarantee access to resources across boundaries within the enterprise and outside. It simplifies and rationalizes many access processes that tend to become very complex in time.
Federation builds upon a set of common rules shared by all participants. Standards such as WS-Security, SAML or Liberty Alliance help business partners to simultaneously check an identity from several sites. Besides, it allows business partners to re-use common processes to check identities without the need to design new processes each time a new business partner comes in.
SecurityNewsletter.com : What would be some usage scenarios for Identity Federation ?
Enterprises rely on Federation to face outsourcing challenges such as scalability, quality of service and security.
- Scalability : thanks to normalization, Identity Federation extends outsourcing to an unlimited number of business partners. Enterprises can build as many outsourcing deals as necessary, and have them grow as needed.
- Quality of Service : Identity Federation allows for the quick deployment of many diverse services, and for all its customers or partners to access them easily. Besides, the SSO (Single-Sign-On) portion offered in Federated environments eases the day-to-day tasks.
- Security : Federation helps security by bringing coherence to the authentication processes across several domains. And again, the SSO portion that comes with Federation naturally strengthens security by allowing users to only have one password to remember instead of writing them all down in an insecure way.
Then the enterprise can rely upon Identity Federation to grab outsourcing opportunities more quickly and easily, thus getting a true business advantage. They have a coherent, normalized framework to authenticate users and can extend it to as many business partners as needed, and as long as they need.
- Business advantage : Federation makes it possible to respond more rapidly to customers that require quick access to many different services through a single source. It can also decrease the Time To Market for new services or products.
- Savings : Identity Federation eases and rationalizes the secure sharing of resources across business partners. This can bring significant cost reduction by safely outsourcing tasks like Human Resources or IT support. Enterprises can save literally thousands of man-hours doing so.
- Revenue growth : When a company deploys an Identity Federation framework, it's able to offer more services, and to do it more quickly, to its customers. And more important, it can increase the number of services offered. A financial business for example could start by inking a deal with a business partner in order to offer a credit card service. Through Identity Federation, it would then be able to quickly use that relationship to bring in new partners and offer new services like banking or online investment.
- Resources management : By using Identity Federation to safely outsource non-critical tasks, the enterprise is able to re-allocate its IT resources to more productive, and more interesting, tasks.
I believe Identity Federation will be I&AM's next driver. Of course, this is still something only governments and major institutions look into. But we see that, for example, the finance industry is showing an interest in Federation. And we already have a specific product lineup (Access Manager, Federation Manager, Open Federation Library...).
SecurityNewsletter.com : Speaking of products, how do you structure your I&AM lineup ?
- "Packaged" provisioning : We always add new standard functionalities. Provisioning is now mature and we were able to integrate best practices in our products to help deploy more rapidly and lower the management costs of the solution.
- ERP audit : Sun offers Identity Auditor, an audit module that helps our customers to audit their ERP systems and check their compliance. That's why we initiated business partnerships with companies like Virsa and Approva.
- Role management : Sun Identity Manager offers a comprehensive coverage of role management through business-driven rules. This really is a hot subject for many of our customers. Most of them want to deploy provisioning based on roles and are interested in mapping business roles with IT roles. We recently acquired Vaau to help in that department.
- Fine-grained rights management : Customers who were successful in their provisioning project now look to manage access rights with a lot more finesse. They want to go above the notions of groups or roles in their applications, and work at the system level. We started to adapt our middleware to support this request, especially our Oracle ERP connector.
