Saturday, 03/19/2005 5:56:56 PM
A lovely article...

Remember Drummond Reed and XRI? Still not sure how (or if) TRUSTED COMPUTING intersects with all that OneName/Drummond Reed/cm nonsense-DD from years ago? Well... read on...

Extending Identity Management's Realm

February 28, 2005 6:47PM

"This identifier thing, it's just like a hitching post," says Marty Schleiff, associate technical fellow and cyber-identity specialist at Boeing. "It is someplace to bring other pieces of information together, to aggregate them. That aggregation then constitutes an identity from the perspective of whatever uses that information such as a device or an application."

With the security benefits and administrative efficiencies of user identity management coming into focus for IT leaders, some experts say those same benefits can be extended to routers, switches, applications, Web services and devices by creating a common interoperable identity model for other nodes on a network.

The thinking is that the two together -- the identities of users and things -- complete an infrastructure capable of policy-based management and security for the distributed computing environment of the future.

Experts say the goal is to have one place to administer and apply security and management controls based on a set of policies or permissions that can be applied via identity.

"It's a single point for administering policies, a single infrastructure for enforcing policies and a single infrastructure for storing policies that are applicable to anything that can be named or identified," says James Kobielus, an independent consultant and analyst. "It's about management efficiencies, tighter security and more consistent security across your entire infrastructure."

Users say it's high time the user identity concept was expanded.

"Metadirectories, virtual directories, provisioning systems, access management systems, the Security Assertion Markup Language and a slew of other technologies have been focused on people. Now it's time to address other identities: networks, devices, applications, services and other IT objects that must be managed and secured," says Fred Wettling, chairman of the Network Applications Consortium (NAC), a user group with interoperability at the top of its agenda.

Wettling, who also is the infrastructure architect at engineering, construction and project management firm Bechtel, says his interest is pure selfishness. "I want to make my life easier," he says.

Standards Stampede

It appears others do, too, including standards bodies and major IT organizations such as Boeing, Lockheed Martin, Chevron/Texaco, GlaxoSmithKline and other high-profile NAC members.

Last month, NAC, the Open Group and the Distributed Management Task Force (DMTF) got together to begin creating a framework that describes a common identifier for things.

Another group is working on the same issue. The Extensible Resource Identifier (XRI) Technical Committee at the Organization for the Advancement of Structured Information Standards (OASIS) has been developing a common identifier for network resources that can be shared across corporate boundaries.

Today there are many identifiers, such as URLs, media access control addresses, IP addresses, digital certificates, secure chips in PCs, phone numbers and Universal Product Code symbols that work in well-defined contexts.

The DMTF also has protocols such as the Common Information Model and the Systems Management Architecture for Server Hardware that use this identity concept in a particular context.

Experts say what's missing is a common framework that would make it possible to share identifiers across systems, applications and company boundaries.

"The goal is interoperability," Bechtel's Wettling says.

He says a simple example is how USB technology works today. A user plugs in a mouse that reveals its identity to the PC, which recognizes it and knows what it can do.

The Real Big Picture

On a grander scale, non-human network elements would be able to express their identity and a set of attributes -- features, capabilities and limitations -- in much the same way as a USB device. Applications that talk to one another such as in a service-oriented architecture model could be authenticated and validated against a directory or a third-party source based on their identities.

"We need to get the identifier semantics resolved so that we can leverage our access management, our role-based management and all our security systems, which are user-focused today to handle other kinds of principals, such as applications," Boeing's Schleiff says.

These non-human identities, much like in the user identity world, would be the foundation for applying permissions, so-called roles and rules that govern the use and actions of any one thing or collection of things on a network or across networks. And identities for users and things could be combined so a single rule, such as providing a designated QoS to everything on the network related to completing year-end financial statements, could be applied with a click of a mouse.

"One way to look at this is in the context of trusted computing," says Jamie Lewis, president of Burton Group. "If you are going to go to grid systems and trusted computing, the ability to uniquely identify and authenticate a specific machine, a specific piece of code and to confirm systems are talking to the right endpoint without human intervention is crucial."

Lewis says the big challenge is how to uniquely identify these items. He says once you do, you have the same issues trying to be solved in user identity management, the proliferation of multiple repositories, redundant information, fragmentation and multiple ways to correlate data.

"But eventually it comes down to naming. How do you uniquely name something, and in what context does the name have to be unique? Does it have to be unique in the galaxy, planet, country state, town, company? The larger the context, the more difficult it is because you have to get more people to agree on a namespace," he says. "That is the process that is being worked on now by OASIS and by the trio of the NAC, Open Group and DMTF."

The groups met last month and are investigating identity models such as the World Wide Web Consortium's Uniform Resource Identifier (URI) or the Open Group's Common Core Identifier model, which combines a pair of Universally Unique IDs, a mechanism for computing identifiers. The DMTF is talking about its "correlatable" metadata and instance ID technology, for combining the various properties associated with a thing that together form an identity.

"What we are saying with the Common Core Identifier is that it is simpler if you don't have so many identifiers to manage," says Chris Harding, the forum director for directory and identity management at the Open Group. Harding says there is a list of requirements, including stability, persistence over time and a reliance on different authorities to issue identifiers as opposed to a central registration authority.

The Big Challenge

"The challenge is for all three of us to agree what the requirements are," Harding says. "But there is a feeling we have common ground broadly speaking."

Independent of that work, OASIS has been working on XRI, or what it calls the next generation of URI.

"XRI has features that extend the URI syntax and add persistence, cross referencing and extensibility so you can not only ID the thing, say a network device, but a thing that may move and change owners such as a company-issued cell phone," says Drummond Reed, co-chair of the XRI technical committee, who has been working on identity issues for the past 10 years. "One of the huge problems that these abstract, persistent XRIs solve is by having a common way to express rights associated with any resource."

Reed says XRI is the standard on which the industry eventually will agree.
