At the start of the week I attended the IDM09 Conference in the Docklands in London. This relatively new one day event was host to several key security, identity and access control vendors and partners as well as delegates from the private and public sector. Most delegates held positions in leadership, architecture or implementation positions related to security or audit.
The attendance was fair considering the time of year and the ongoing economic uncertainty and credit issues facing many finance related organisations - the very companies that most security solutions are aimed at. The vendor sponsorship list contained the standard big name players including Sun and Oracle as well as developing vendors such as Aveksa, Courion and the Benelux based Bhold. The consultancy partner and SI space was also well attended with the likes of DNS, Infinitum and Oxford Computer Group sponsoring and presenting.
Due to the event being only the single day the agenda was quite compact with the idea of 15 minute bullet style presentations, case studies and vendor pitches spread throughout the day. The case studies were mainly SSO based with some touching on the provisioning arena, covering the implementation and project deliverable cycle. An increasing focus was on the goverance and compliance aspect of access control, be it from a provisioning perspective or from an audit and reporting perspective. Sun's SRM tool is one of the industries leading compliance, certification and identity cleanup tools and many of the techniques, and methodologies used by Sun are now being adopted by the industry and other vendors as a means to cleanup identity data either before or during a provisioning project.
Conversations were again placed on Microsoft and their small scale attempts to enter the full identity lifecycle and provisioning landscape with their ILM tooling. Many of the features discussed - like a UI for management or workflow design - were new to Microsoft and again tend to focus on none-heterogenous landscapes. Many were discussing the use of AD as a central repository for authN across legacy and *nix based applications. Whilst this is a great idea in principle - reduction of silo'd LDAP repo's, easier provisioning/deprovisioning, centralised identity information and so - the main question was still around authZ. Unless an applications is being designed from scratch, existing deployments will need to have considerable remodelling with regards to internal access control in order to use AD as an authZ store. The discussions will continue no doubt due to the omnipresent nature of Microsoft in the desktop and directory landscape.
One of the other areas I took note of, was the discussions surrounding the Kantara Initiative. The relatively new organization is to focus on "Bridging and harmonizing the identity community with actions that will help ensure secure, identity-based, online interactions while preventing misuse of personal information so that networks will become privacy protecting and more natively trustworthy environments".
An interesting presentation by ex-Sun employee Robin Wilton on the focus and benefits of the initiative gives food for thought. Like most cross vendor forums however, the most notable vendors tend to be the ones not involved.
Overall the event was a worthwhile addition to the identity calendar.