IDM09 Conference London

At the start of the week I attended the IDM09 Conference in the Docklands in London. This relatively new one-day event was host to several key security, identity and access control vendors and partners as well as delegates from the private and public sector. Most delegates held leadership, architecture or implementation positions related to security or audit.

The attendance was fair considering the time of year and the ongoing economic uncertainty and credit issues facing many finance related organisations - the very companies that most security solutions are aimed at. The vendor sponsorship list contained the standard big name players including Sun and Oracle as well as developing vendors such as Aveksa, Courion and the Benelux based Bhold. The consultancy partner and SI space was also well attended with the likes of DNS, Infinitum and Oxford Computer Group sponsoring and presenting.

Because the event lasted only a single day, the agenda was quite compact, with 15-minute bullet-style presentations, case studies and vendor pitches spread throughout the day. The case studies were mainly SSO based with some touching on the provisioning arena, covering the implementation and project deliverable cycle. An increasing focus was on the governance and compliance aspect of access control, be it from a provisioning perspective or from an audit and reporting perspective. Sun's SRM tool is one of the industry's leading compliance, certification and identity cleanup tools, and many of the techniques and methodologies used by Sun are now being adopted by the industry and other vendors as a means to clean up identity data either before or during a provisioning project.

Conversations again turned to Microsoft and their small scale attempts to enter the full identity lifecycle and provisioning landscape with their ILM tooling. Many of the features discussed - like a UI for management or workflow design - were new to Microsoft and again tend to focus on non-heterogeneous landscapes. Many were discussing the use of AD as a central repository for authN across legacy and *nix based applications. Whilst this is a great idea in principle - reduction of siloed LDAP repos, easier provisioning/deprovisioning, centralised identity information and so on - the main question was still around authZ. Unless an application is being designed from scratch, existing deployments will need considerable remodelling of their internal access control in order to use AD as an authZ store. The discussions will no doubt continue due to the omnipresent nature of Microsoft in the desktop and directory landscape.

One of the other areas I took note of was the discussion surrounding the Kantara Initiative. The relatively new organization is to focus on "Bridging and harmonizing the identity community with actions that will help ensure secure, identity-based, online interactions while preventing misuse of personal information so that networks will become privacy protecting and more natively trustworthy environments".

An interesting presentation by ex-Sun employee Robin Wilton on the focus and benefits of the initiative gave food for thought. Like most cross-vendor forums, however, the most notable vendors tend to be the ones not involved.

Overall the event was a worthwhile addition to the identity calendar.
