Reporting From RSA 2010: Identity, Health Care, and a Higher Realm of Credentials

Written by Mike Kirkwood. Read the full article.

This week we are reporting from RSA, the security conference in San Francisco. We’ve seen hackers, threats, and industry leaders roaming these halls – and among these we found leaders of the identity community, people who are thought leaders focused on creating a safe Internet for all individuals.
This includes folks who in the Identity Commons and OASIS workgroups, and the 1-year-old Kantara Initiative. The latter was announced to the public at RSA 2009, and this year it hosted an all-day workshop that brought cloud computing into the forefront of the dialog.

Diverse Community of Interests Coming Together

Today’s all-day workshop offered by the Kantara Initiative focused almost exclusively on identity services and included viewpoints from several perspectives: enterprises (CA, Ping Identity, Aetna, Oracle, HP), service providers (NTT), consumer applications (Paypal, Google), and government agencies (NIH).
The room was packed – standing room only. After the kickoff we had a chance to ask Trent Adams, chair of the Kantara leadership council, to share his thoughts about identity, cloud computing and year one of the new organization.
He talked about the potential big win that existed for the organization because of its involvment in preparing standards for federal government approval. These are in historic times, he said, and embracing openness at the federal level was an opportunity the organization decided was valuable for the community. We’re keeping our ears open to learn more about how identity services will be enabled and approved through the government.

Landscape Change: Cloud Computing Invigorates Identity Efforts

One thing that is clear is that things get more complicated when combining identity services with cloud computing. We were reminded that many of the technologies that have been developed, including things like OpenID and SAML were designed around the same scenarios of sharing across domains. Identity can be solved in a multi-vendor, multi-protocol, and multiple-infrastructure world.
Matthew Gardiner of CA summed the importance of the link between identity solutions and cloud computing in his talk, “Identity as Security Glue for the Cloud”:

“I want to say the phrase cloud security in the first few moments of my talk because you’ll be hearing it a thousand times before the end of the conference. Cloud security can be viewed as a Rubik’s cube of security implications, when identity services and combining them within the vectors of Iaas, PaaS, and SasS combined with private, public, and hybrid clouds.”

The West Coast Perspective on Health Care

MEDecisionMarch2010Logo.jpgRSA and HIMSS fall on the same week this year. While nearly all of the healthcare IT leadership headed to Atlanta, several companies also came to San Francisco.
Yesterday, MEDecision presented their solution and connections to different Web applications and health care records and systems, and gave a very tangible set of scenarios showing how cloud computing and identity meet around sharing information about a person who is a patient.
At the same time on the East Cost, MEDecision was also at HIMSS demonstrating open exchange of health information in a HIE product offering that helps connect services across providers in order to aggregate a view of an individual. The company offers software and services to insurers to negotiate their cloud-based work flow, including moving private data across pharmacy, doctors, insurers, and the entire health care landscape.

No Passwords in the Cloud

patrick_harding_1.jpgPatrick Harding of Ping Identity spoke about his company has learn about cloud computing in this session, “How the Cloud is Changing Federated Identity Requirements”. A few of his observations:

  • Software is no longer build vs. buy. It now includes subscribe, which by definition is a shorter term relationship.
  • Cloud computing is an evolution of architecture. It arrives after Web services, which evolved from Web, client server, and mainframe.
  • Complexity of the identity layer is harder than ever for the simple reason that there are more apps per user than ever before.
  • Services are becoming any-to-any, where internal (employee) and external (customer) classifications don’t matter nearly as much as before. Because of this firewalls are losing their usefulness.
  • Audit is no longer an afterthought. Auditors don’t care how or where applications hosted, but hey do need their reports! This includes Sarbanes-Oxley, HIPAA, Gramm-Leach, Bliley, and more.

A core theme of this session was how the consumer mindset is driving requirements for application experience. Consumers expect it to work on any device, be secure, and be portable. To deliver on this, it must be easy to use. At the same time, password risk must be reduced.
A key trend that Harding pointed out is moving identity systems from “push” models into “pull” models. Instead of updating partners and directories by batch services, companies need to be building real-time identity resolution in applications.
We asked Harding if he had any predictions for where that type of service will come from. His response led us to the conclusion that the leader will be a brand and service that people trust and understand the motivations of. It will likely enter the market from a higher realm of credentials than Twitter or Facebook – perhaps from financial services.

Context is Fundamental: Person, Father, Employee, All of the Above

One thing we learned today is that Google’s App Engine is worth watching as this space evolves. Several interesting things are being done in this sandbox that haven’t been accomplished other places, including how to connect consumer services to enterprise login discovery using domain.
Google has inserted itself into the sweet spot by getting consumers and enterprises alike hooked on their applications, giving the company a unique view of the challenges and solutions in joining identity with cloud computing. We’ll be taking a closer look at these offerings and where Google is headed.
Another thing we observed is the power of the network. NTT gave a demonstration of the power of mixing identity protocols (SAML and OpenID) for the purpose of connecting social, information, and financial transactions in the browser with one login. It starts to show how the next generation Internet might work, where the application requests profile from the cloud rather than a user typing it in.
A summary of overlapping-world-multi-protocol integration has been shared on Google’s site.