Session at the European Identity & Cloud Conference 2013
May 15, 2013 10:30
KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Session at the European Identity & Cloud Conference 2013
May 15, 2013 10:30
Session at the European Identity & Cloud Conference 2013
May 15, 2013 10:30
Yeah. Okay. I think we, we start with who's here and maybe one of the other one or two who have been announced before will appear later. I've heard that there has been a fault for party yesterday, which might explain a delay and after party after yeah. Party after the party. Okay. So welcome this drag on managing identities and access to information for cloud mobile and social computing, or for this computing, dry car will be managed by Sasha mainly and a little by me.
So it's, in fact, it's mainly Sasha who will moderate the drag. And the first session was in this drag and I think we can directly move into this. Okay. I thought we had a slide for the panelist. The first session on this direct, it will be a little bit longer. Panel is around next generation cloud and mobile identity management. And I think when you've been attending the keynotes of yesterday, then it became very clear that there are some big changes going on, which really will fundamentally affect the way we are doing identity management with directories.
I would say directories plus plus whatever in the cloud. So things which are really bigger than, than, than what we know as directory internally with Federation, etcetera, and there with new players in the fields such as salesforce.com. And so we have, I think, a very interesting and directive round of panelists here, start on the, from my perspective left hand side, from your perspective than the right hand with track Martin of state source.com, then we have Craig Burton from KuppingerCole.
We have Mike wan from Oracle check haw, quest, Dell, whatever it is currently, and Patrick Parker from empower ID. So I think we can more or less directly move into the discussion. And I think that will be very much a sort of a self-driven panel. So what I think the best way to start it is that all of you given introductory statement, and then you might in the next step, really start your discussion. And I think we have enough panelists to have some controversial positions. So I hope that'll be a very interesting panel.
We have to use that one microphone, so you have to move it around and you have to speak clearly into the microphone because the session recording is based on that single microphone. So if you want to say something, which shouldn't be recorded, you probably trust hold the microphone power away, but otherwise you should try to use it as planned. So I think we start with Patrick on that side, in this case. So I started with steel product from the other side. So Patrick, and then moving around to checks and like, etcetera, what is your view on this panel topic we had there?
So what would your initial statement? Sure. I would say how I see those coming together right now is that really enterprises are shying away from social identities, almost entirely. We're seeing some SAS vendors adopting social identities with still, maybe more of a focus on bridging SSO out to their cor corporate customers, active directories. More of the focus social identities would be maybe being used in organizations where they have members or affiliates or more of a B to component less in the enterprise right now.
But prob probably the primary area of interest that we see or activity is around enabling single sign on. And the major confusion in the marketplace is whether or not how to enable single sign in for applications. What percentage of my applications can leverage standards like SAML or Federation.
And then since that's typically a much smaller percentage of applications than organizations at first realize what are my other options out there to get something approaching single sign on, or at least same sign on implemented for all of my enterprise applications to try to drive down costs and have at least one centralized authentication mechanism that adds additional security factors, such as device, device proofing or multifactor authentication. Okay, Good morning.
You know, it's such an interesting topic and I have to tell you I'm, I'm struggling with it, not from the perspective of what the topic is, but from what I see customers going through and what I see vendors like, like myself, trying to, to work out, I almost feel like we've gone back 10 or 15 years in time where we now got this thing called the cloud, which is all these different things. And we don't have good connectivity to it. We don't have good single sign on solutions. We don't have good two-factor authentication and high assurance. And we're worried about the data.
It it's almost like we've gone back in time to when we were trying to get a handle on our enterprise. And now the, the, the, the situation is so much worse because you have people in companies like me who set up their own cloud backup service, backing up my own data, which is corporate data. You know, you have things like what you've been seeing happening with Twitter, where you have a corporate resource, but it's a shared account and a shared password.
I mean, can you believe the insanity of that when your, your whole corporate reputation, you know, the ability to, to move the stock market is based on an account like that, that you just have the most basic minimal protections around. So for me, it's, it it's really an incredible time.
I'm, I'm actually quite interested in, in, and really keen on how it's gonna get solved because it's not gonna be solved in sort of the, the identity management stack fashion that we've, you know, solved things in the past with, with all the traditional vendors.
And, and I'm gonna be very curious, you know, with respect to Craig and some of the people who are thinking about the API economy and, you know, what I continue to preach within my company about being, having, you know, I'll call them small programs, but, but with great interfaces and, and web services and great API, so that you can do these, the level of integration you need, but we're, so I feel we're so far from that, I feel like I've been thrown back into the, into the, into the deep end of the swimming pool when I was five years old and didn't really know how to swim very well.
So it's, it's, it's, it's both challenging and very interesting. And, and it's gonna be really interesting to me being, and I'm sure some of the panelists who've been in this business for a long time to see if we make the mistakes that we made then again now, so there you go.
You, you were thrown into the deep end of the pool as a child. That's a that's that's that's telling Now I know why your hair's all white. It got bleached. I just wanna say to my fellow panelists, that's unfortunate that we only have one microphone.
I, I have a rare skin disease that is passed through the fingers and highly contagious at this stage. So if you, if you want me to just continue to hold the microphone, I'll, I'll be, I'll be glad to do that. But the let's see from Oracle's perspective, we actually, in, in contrast, actually we see with our mobile social stuff, actually quite a bit of activity. There's a lot of our customers using our inter our capability to both single sign-on with social sites, but more importantly, to use that connection as a way of establishing a new account with their organization.
So whether or not they continue to use our OAuth capabilities, for example, as a, as a, as a means of doing a single sign on with the Facebook or Twitter at a minimum, they'll use that as an O opportunity to create what we call a low barrier account or some way to begin a conversation with someone. And then over time they can, they can not just step up the authentication. You can also step up the quality of the, of the account, but it's a good way to get started.
You know, the other thing that we end up seeing is that the OAuth pattern is becoming very, very prevalent in, in cloud-based interactions, particularly with mobile devices and so on. So as a result, we, we see quite a bit of activity in, in this space in a lot of our emerging businesses as particularly in that area. So pass it on to Craig.
I'm reminded of what's happening here and the associated complexities of, of a scene in a movie that I saw recently called cloud Atlas, interestingly enough, and in the scene in the setup, the there's this federated group of planets in different galaxies with the communication between 'em and they travel. And, and for some reason you find out later in the movie, why the, the federated group of planets, the government has collapsed and no communication is happening. It just shut down and they don't know why.
And so there's this spaceship stuck on this planet with a group of goat hurdles led by Tom Hanks. So hay Berry goes into meet with the, the village leaders every six months or so, and talk and answer questions.
And, and in the movie, Tom Hanks is narrating and Tom Hanks is finally one of the village elders got the courage up to ask, how do you do interplant planetary travel? And Hailey Berry looks at them and says, well, fusion drives. And the villagers go, oh, fusion drives. Zal fusion drives. Yeah. Now we know how that's done federated naming and the, the, the, the amount of what's going on underneath the covers to give you a single sign on is, is non trivial.
This is, this is complicated stuff. And to get your arms around it in a way that will accommodate what, what I've been calling, the computing Troy, and the CBRN explosion of everything, and the API economy is going to be mind boggling for you. The rate at which the number of identities that you're gonna have to deal with is a, a reality. That's really interesting to see what vendors like.
Well, all the ones up here are trying to come up with to deal with the Nu the sheer number of identities that we're gonna have to generate keys for and maintain them and issue them and be able to use them in a, in a useful fashion. So it's going to be very interesting to see how that plays out. Thank you. Intergalactic Federation is what I need to worry about now. Fusion drive, forget cloud Federation, intergalactic Federation, and fusion drives the future.
So at Salesforce, I'd say we think the identity management industries about to basically get turned on its head, or at least the infrastructure that you're using, and the it's the same trends that we're all talking about here. If, if you look at the transformation that's going on in the it industry last year, I think 1.7 billion touch devices shipped like my children are all post PC children. They don't know what telephones are that aren't computers, basically 4.5 billion people on the planet are on social networks now. And this is I think, changing the dynamic of a bunch of things for it.
The services that we're asked to deliver this is changing the types of customers that we're connecting to. So if these customers all have basically network computers in their pockets, and they're all connected to each other, they're not just connected to each other from that device, they're connected to your brand. They're connected to your company. They're connected to your products. They have different expectations of how they're gonna interact with companies. They have different power than they used to.
Like customers can change perceptions of your company and your brand using these devices. So there's this whole new way to connect to these individuals. And none of our identity management infrastructure is really set up for it. If you think about mobile and the imperative, we all have to deliver mobile applications. Our identity management infrastructure is buried back on behind a firewall. If we think about social, it's not just customers being invited in and establishing relationships off social networks, it's your employees. And how do you enable them to be social?
If you look at the applications that we're trying to deliver in the cloud, our identity management infrastructure is as Jackson was alluding to looking a lot like directory, propagation problems we had inside the firewall, and we're trying to solve in the nineties and the two thousands.
So we think there's this big transformation coming where customers are starting to basically look at how can we take advantage of the cost savings that exists by moving some of our identity processes to the cloud, and how can we get ready for this new type of customer that we have to deal with new types of employees that we have to deal with new types of mobile applications, applications that are resident outside my firewall. And indeed what happens when my firewall just dissolves and we no longer really have perimeter, but identity and context controlling where information flows.
So we think there's this new generation, this new stack of identity management technologies coming based upon the same stuff. We've all been working on for a, a couple decades now. So I'm with Jackson. I hope we don't make the same mistakes we did, but there's probably a good time to stop talking now.
So, and let's get some conversation going. So this is an interactive funnel. So if you have any questions, so raise your hand just right beside you, and please wait until I'm with you so that I can give you the mic or one of two mics, one here on the panel, and one here at my try.
So anyway, just raise your hand. I will up, there you go. First. I have some couple of questions. Don't worry. So Speaker 10 00:15:43 One question, if we start today a company Greenfield, and do you think it would be possible to start everything in the cloud with all identity management and not being to have a ad and your lo people on the local computer? So you start right from the scratch into the cloud with cloud identity and all the things connected in the cloud.
And would it scale to about, I don't know, 20,000 people, or is just for as the first 100, You all know what the cloud guy is gonna answer. So why I pass mic The cloud salesforce.com. So interesting. There are companies who are interested in doing both the traditional active directory or their own directory solution that deals with the premise and, and ized organizations, and then move them to the cloud.
There are also companies who only do cloud-based identity management, salesforce.com is one of those Okta, a few other like that who were, do, you know, their, their solutions for identity and access management are in the cloud. And they, they fully intend to have those solutions scale and manage the scenario that you describe from the get go. I'll let Mike explain his view.
So, first of all, yes, of course, it's entirely possible to have a company that is entirely based in cloud. A lot of that's going to depend though on business decisions, like a lot of, lot of companies don't in fact, want to do that from a business perspective, the it fights folks might wanna do. Yeah. So there's, we have a lot of companies that come to us and want to know about what we can deliver in the cloud, but they, they will only go to a point, right? Because they, they want tighter control of the kinds of things that they're doing. This is specifically true in the healthcare case.
For example, there's just certain things they're not, not willing to put yeah. There's regulated industries and other kinds and certain applications that are simply not available in the cloud yet. So depending on the kind of business that you're in and on the level of risk tolerance and other sorts of questions that the business is going to bring up, it's not always the best option to put that way. Right.
So that's, that's my thought on it. Oh yeah. I'm here.
You can, for me. Yeah. I think that's a great question.
And, you know, I was sitting here thinking about it, and first I said to myself, oh yeah, absolutely. You could. But then I realized that, you know, somewhat to what Mike is saying, there's things, you know, what is it, the eighth, the eighth layer of hell politics.
And, you know, it, it makes me think of, of, of, I think you can start, you can certainly in a small company with the normal workloads that a company has around things like document management and document creation and Excel and those kind of things and email absolutely do it all in the cloud.
I think things start to fall apart, depending on what industry you're in, they're in, if you take, if you take away the regulatory stuff and you take away the things that probably prevent you, I think it might be possible, but you pretty quickly start thinking, you know, as I was, you know, we talked yesterday, you know, what's the next big thing that, that people are gonna work on. Right?
I mean, how do you, I, I'm not a developer, but how do you do development in the cloud? I'm not even sure that you can, maybe you can.
I don't, I don't know. You can, yeah. You can do it all in the cloud. I can come to the cloud, you can come to the cloud. Yeah. I know with Salesforce, everything is answered. Yeah.
So I, I think it's possible, but I think the problem comes with, you know, like any other thing where you get people in the companies that grow larger and larger and larger wanting, you know, they grew up on, you know, their favorite application. That was an in-house thing. And the arguments and discussion start from there and the exceptions start and, you know, it's the thin edge of the wedge. I think it's possible. I just think it's a, you know, once you make a decision that you're gonna, you know, walk the Camino, you have to go the whole way, you know, or quit.
And that's, I think what the, you know, the problem still is today. Yeah. I definitely agree with Jackson, I think for a larger organization, so much of the security revolves around the user's desktop data on the desktop, making sure antivirus or updates are applied at the desktop desktop firewall, desktop security. I think maybe in a large enterprise, if you did some type of VDI virtual desktops, where there were centrally managed as images and pushed down into a sandbox on the device.
So they had complete control potentially, but with having all unmanaged devices with no real connected security infrastructure for the device itself, no ability to push down policies for security settings onto the devices. I think that would probably be a difficult audit to get through depending upon your industry. So may maybe I jump in shortly. Actually it abso it is absolutely possible. I can prove to you because copy a call is running all. Its it services in the cloud. We have no on-prem stuff. We do everything from the cloud.
The question of course, is will we be able to deliver all these things, given the standard of effort offerings that come with the service that we're using, guess know? So there's still some level of inter integration, some level of standardization necessary independently, whether you go into cloud or whether you do it in-house so that going to the cloud doesn't solve your integration problem for it a different way. Yeah. So I'll offer a couple of customer examples, probably relevant here. So we certainly do have customers that do this. It would not be the norm.
Obviously large customers have large investments in existing infrastructure. And they're certainly integrating back with that, but I'll give you two use cases. And I think use cases are important here, cuz it probably illustrates the types of things that are practical to go completely cloud native at the moment or where there's actually strong, strong business drivers to go cloud native one example would be Southern New Hampshire university. So what these folks have done, they've basically started to tap into a higher education market that they were not currently serving.
So they had their existing on-premise university basically. And they wanted to get online and go after a different class of student people that didn't normally have access to higher education. So they basically started a startup within Southern New Hampshire university. They called it college for America and this group has gone all cloud native. So they had existing infrastructure in the college existing email systems, different existing learning management systems, a bunch of existing infrastructure. They went all cloud native on this.
And what it's allowed them to do is deal with a couple key problems. One it's a highly transient user base. So people are coming in and coming out at a rate actually faster than normal university students. So it's allowed them to from an identity management perspective, drive effectively cost outta that system and put a bunch of agility into it. What they've basically done though, is built a bunch of cloud infrastructure, used identity to federated it together, to make it feel like a cohesive offering.
So they use our identity management system branded for their university faculty and students come in and they're getting services from Salesforce. They're getting services from Google app and Gmail. They're getting services from a learning management system on a different cloud. All of this feels like a common cohesive experience for faculty and students. The net result is what they've done is given themselves agility and driven the per student cost down to under $25 per year, which is pretty extraordinary in the education space for like their technology cost being that low.
Another good key example of people that are going cloud native. I won't use the name on this one cuz I don't know if I'm allowed to, but big company does manufacturing picture. They will work on a multi-year bid to build a refinery, the size of London in, you know, in the developing world like big, big projects. And what these companies need to do is basically manifest a multi-billion dollar fortune, you know, fortune 100 scale company overnight. So they win a bid and three weeks later they have to be running a $3 billion or a $1 billion company, you know, somewhere in that. Right.
And that takes a massive amount of infrastructure and a massive amount of human beings that need to pull together very quickly. So they're using cloud systems to basically pull all the it infrastructure together so they can rapidly put together a system that's built, not only of infrastructure that they pull together on the fly, but human beings that they pull together on the fly to do this from lots of different organizations.
So they're using Federation, they're using some of the techniques Mike was referring to of bring your own identity from a social network and then starts stepping the authentication up for higher value transactions. So these are the types of use cases, I think highly transient things, things where there's good strong drivers to be completely cloud native. So can we question to the panel can is, is the set of existing standards sufficient for actually fulfilling that, that Oh fusion drives prolific of course not. By The way then Oracle, We have fusion drives.
Yes, yes. And so, you know, to finish that story, what Tom Hanks is explains is that no one wanted to be wrong or looked to be wrong. So no one asked, well what's a fusion drive.
You know, they just, oh fusion drives problem solved. I would say that there are a group of protocols, which I invoked several of them, of Zach Mo and Sam and so on who not to say that they won't play a role, but that there're going to be need that a need to be retooled, to be a lot simpler and use the rest dish, the restful and OAuth metaphor that we're looking at to make it simple enough that an organization can attract, manage and engage a development community that uses their API economy. And if we don't do that, then it's not gonna work.
So the old method of billing, building a protocol from the ground up that did everything from end to end is broken and we're gonna have to see the restful model reapplied to the functions that those protocols were trying to address. So There's another movie since we're talking about movies, this is like a movie review show, right?
Like I, I was thinking of another movie that was, I think, relates to the movie that you saw it was called. Thank you for smoking. Has anybody seen this thing? Yeah. It's a very good movie. Yeah. I highly recommend it anyway in this movie, of course it's, they're trying to get people to smoke. Right. It's the whole idea there, there, the smoking lobby, right? So the guy that's playing the smoking lobbyist is talking to a movie producer, right. Trying to figure out how we could get two very sexy people to be smoking in outer space. Right.
And, and you know, the common is, oh, that's no problem. Few lines of few lines of text, you know, well like, oh we, oh, good thing. We invented the blah, blah, blah. Smoking machine, cuz like that, that enables us to smoke in an all oxygen environment. You know?
So anyway, point being that, you know, referencing movies on technology is fun, but it's sort of like, you know, it's, it's a, it's a gimmicky kind of thing in a way. I, I think that we do not have the standards yet that we need in order to do what we're talking about with going native. Right. Meaning that the standards that we have now largely unfortunately perpetuate some of the same mistakes. I think we called them earlier. Right.
That, that, that they do, they perpetuate a lot of the same sort of design center and sort of design flaw in my opinion, meaning that we're very, we're very fixated as developers of protocols on sort of a client server relationship. You know, we, we like to think of point a and point B and you know, and even like a three-legged kind request response kind of interaction. It's not clear to me that that's the right model. Right. Going forward. Maybe you guys, maybe you smarter people on protocols. It's clear B it's not. Okay. Alright. We got some agreement here.
Now you Say that it's not gonna work. That's why web hooks were invented is to circumvent the notion of request response. Yes.
So, so I think, I think we need a little more sophistication, right? When it comes to these models.
I mean, one of the things that that would be nice to see in terms of the, I, I alluded to this yesterday in terms of like the, just in time identity capability, your, your identity should exist somewhere, you know, on the internet or in a combination of places. Right. And you should be able to reference it when you need it so that there can be a just in time assemblage of your, of your account. Right.
And, and it's used just in time. We don't really have the ability to do stuff like that today.
I mean, we, we have some of the basics. I think we could use some of the, some of the things we've done, but we need to get away from insisting that everything be some derivative of LDAP or Sam or something like that in order to get there. Right. HTP. Yeah. More bit. I wish Kim was here because I, I seemed to recall a Burton group conference topic a long time ago ago that, that, that Kim titled protocol gas.
And it was, it was all about, you know, how we get ourselves, you know, entrenched in thinking about protocols and RFCs and you know, a few of us up here, well probably no one wants to admit it, but I'll admit it actually worked on things like X 400 and X 500, which were the best things since sliced bread, but never went anywhere. So, I mean, I can't help but agree.
I mean, I really, I really don't think that this may be heresy, but the RFC and the, you know, I ETF and the ISO and all these guys are gonna come up with the answers because it takes too long. I completely agree that we have to get this to the point where it's easy for people to develop that they don't have to be experts.
I mean, you know, I could even ask today how many people in the audience here really understand LDAP versus how many people in the audience understand, you know, databases and ODBC, you know, it's, you know, how many people wanna understand, Zal let alone figure out whether it's alive or dead. Right. So I think, I think there's a lot of, you know, the, the, the, the roadside is littered, just littered with standards and protocols. Right. And that's gonna continue.
I don't know where the next one's gonna come from, that we're all gonna pick up on, but you will know when it happens because it will happen and it'll happen fast. And we need that, you know, liminal moment, so to speak.
I, I don't know where it's gonna come from. Whether, you know, Chuck's gonna do it or Oracle's gonna do it, or someone else is gonna do it, but we've got a lot of, you know, as I said earlier, a lot of interesting ways to go. I don't think it's gonna be solved by, by, by a gang of people in a, in a, in a room working on, you know, 2000 pages of, of protocol spec. But you know, who knows it might be, I could be wrong. I think I would just second. And I think there's too much mistrust in the trust industry.
We don't, we don't really work together because, you know, we're protecting our different sides of the equation and people don't come together to push the standard kind of, you know, like where's my flying car type of argument. I remember going to Microsoft meetings and other vendor meetings back in 99 and 2000 and seeing these amazing demonstrations where you would send an email and then you could immediately recall the email and you could say that they could see it once and they couldn't forward it.
And my documents that I could share documents and then pull them back at any time and see every access to that document. And I could expire the content and I could, you know, black out content and, and, you know, looking ahead by now, we would've imagined we had complete control over our information. We could see all the information out there. We could see exactly who it was shared with, where it lived, whether there are copies, preventing copies.
And I don't think that's the case information can pop up anywhere at any time right now, whether it's, you know, somebody's tweeted something confidential, somebody's shared a file it's been posted on an open download. So you'll have to see where it goes, but I don't see that, you know, we're really headed in the direction to, to, to have a silver bullet for any of these things. And the interesting observation is of course, the technology for doing that is existing. And there are not only, not only in one vendor, there's a number of vendors offering that, but still it doesn't take up.
No, no, there all pursuing different agendas and there's not enough consumer demand or corporate push to get them to work together. Speaker 11 00:33:03 Yeah. I'm gonna challenge that.
So I, I work a lot on standards and I'm gonna challenge the notion that there's too much mistrust and not a lot of collaboration. If you look at the standards, people are actively working on at the moment, moment, OAuth, open ID connect, skim. There's actually a great deal of, I guess, cooperation through people that are normally fairly rabid competitors. So Salesforce, Oracle, Microsoft people that normally if we're going, you know, up against each other in a yeah.
Yeah, exactly. So like normally we're pretty, you know, vicious competitors when you get down to the AEs, like competing against each other in deals, that is not the case of the dynamic and the standards community. So things like OAuth or skim have like representatives from all those companies effectively working together, working on those standards. So at that level, we seem to actually all be getting along. And the net result is that I think the stacks you see emerging for modern identity stacks are all starting to gravitate towards the same set of standards in the same set of capabilities.
So if you look at, if you're abstracted away far enough from a Azure active directory and Salesforce identity, we start to look like the same entity to a certain point in terms of the protocols that we're lining up and the capabilities that we're handing to handing to people. So from that perspective, I do think we're getting along rather than fighting each other and being protectionist. So Speaker 11 00:34:35 A lot of in the, Just wait a take. Yeah. Thank You.
I say, even in the Ola community, there's been a lot of TIFs lately where, you know, I'm gonna take my ball and go home and I'm not gonna work on your, on your group anymore. And that's been out there on the Twitter sphere where people are defecting there because of when the bigger vendors come in. A lot of the smaller players who had a larger voice, you see that they defect because they feel like the larger vendors are kind of bloating the standard. And I think that's just a common, a common occurrence in the life cycle.
And sometimes the protocol will have, you know, enough adoption to where it can get past that. But other times that can just, you know, that can kill it and it could be a walking dead standard and everyone's moved on something lighter, something faster or something easier for, you know, the internet Silicon valley startup companies. I'm not sure if that's the case with some of these or where it's headed the Speaker 11 00:35:26 Community. We're good. Yeah. Room time tweet Here comes token. It should really be a ring.
So, So the, I mean, the rifts in the oof community at that time, those were interpersonal political dynamics, not really protocol dynamics and you know, or technology dynamics. I mean, there was some of that underlying current, but, you know, frankly, the individual that you're probably referring to in, in this case didn't work for a small company. Either. He worked for relatively large company.
There were some differences there, but OAuth itself, I think this speaks to the nature of cooperation and people actually implementing, like, if you look at all of the major stacks were all exposing OAuth services and they're being used fairly heavily in our own stack of all of our login traffic on a daily basis, eight to 10% of our traffic is OAuth based. So like just big protocol. That's Total traffic Authentication, traffic authentication traffic. Yes. Okay. Not total traffic at all. 10% is good. Yeah. All And that's millions, you know, that's millions of transactions a day.
Yeah. Billions, No, it's not billions yet. Not Predicted. You're not, you're not up on the windows scale. Apparently not.
I'd say, I mean, skim, skim is an interesting emerging standard, but I, I think that if you look at the industry, you know, money funding where things are headed and I point them, you know, just to Mike put Mike on the spot, Oracle that makes how much money and is entrenched by the connectivity they have for their applications and the connectors they sell for identity management. If you democratize it and they put out a skim adapter for every system they offer and any small startup vendor could pop up any day and be provisioning to every system that supports skim.
And if all the big vendors supported, skim each one would, you know, come into the market, support every system. And they would be differentiated, not on their longevity, not on all the connectors they developed for legacy systems, but on what their product was, how it was innovating today.
I, I just don't see there's enough motivation for them to do that. It would be cutting their own throat That then. Yeah.
So, okay. So, so first of all, we don't charge for connectors anymore.
We, we gave up on that, the, yeah. So, yeah. Yeah. Thank you. Thank you.
I, I had something to do with that, I think, but the, the, so yeah, I'll go ahead and take a bow. You, but no, the, we, we're not in the connector business and it's, it's never really been, so the there's a basic set of connectors that we feel like everybody needs. And if it's something that's of general use, we throw it in the sta we just, that's just what it is. There are a few connectors. We still charge for like mainframes and stuff just cause they're we want, we want. Yeah. And because we can, and we want people to understand how annoyed we are, knock out, kinda like that.
We have to try, you know, we're anyway, there's reasons for, for that, but by and large, 80% of the connectors are not charged for anymore. And we would prefer to go to a model where we don't charge for connectors at all. Right.
So the, the, the second part of that is in fact, we are building skim connectors and, and we, and we're building it both into our cloud presence and also into the product. And, and, and so, yeah, we don't really, it's not about democratization, but we definitely there's. There's no value in getting into a connector war or connector project.
You know, these, these provisioning and governance things are just difficult as enough as it is anyway. And, and there's the logic resides mainly in the server side. So we don't, we don't see a lot of value in just in the raw connectivity.
In fact, we want that to be adopted much faster. Keep pat Yourself on the back, you participating in the standards effort. Could you please repeat? Yes. Yeah.
And, and Oracle is participating in that standards effort to just pat them on the back. So see, this is very contentious up here. Do you feel it?
No, but skim, this is a good point. Like we, you know, skim is OA feels to me, like there is a lot of, we're all lining up behind OAuth. OAuth is got a lot of very strong industry support and it will, I think, become the predominant model if it hasn't already, in fact, I talk to Martin about this last year and a few others like there, you know, I see from a customer perspective, maybe you don't see it just yet as, but from a vendor perspective, we're already all on OAuth, right. We we've pretty much all gone there already.
Skim is not that far along yet, but at the same time, that's partly because, and I think you're pointing out, it started out as kind of, is it a provisioning thing? Is it an LDAP thing? I think we were trying to figure out roughly where does skim fit into that whole thing.
And, and, and some of that is still being felt out, but we know, but we do know that we need skim and we are, and, and, and we're moving forward on it right Now. What is skim is a fusion drive. It's a protocol to let you provision automatically an identity and issue them and manage them.
You know, an schema and schema is the, is the problem. And, you know, I have a rule of thumb that says for every element of schema, add one year of time before you get agreement. So you get 10 elements. It's a 10 year process and skim is stripping that rule of thumb. Nonetheless, it's got a schema, you know, so Microsoft's approaches to say, well, let's build a store in their case, a graph store that is schema independent, and just worry about the relationships instead of what the schema looks like. I think that's an interesting approach. I don't know if it solves a problem yet.
I wanted to say more about what SKIMA is, but I'll let Chuck take the mic. Cause I can see he's Cho at the token bit. I got nothing to say. Now You were like about to say something really Awesome.
I know, I can't remember. I was looking at the DNA in the ceiling and I Are you actually, I did, I did want to get on, on one of your comments though, that I thought was really insightful and we sort of like move, move from it, which is that I, so I, I worked for Noel way back in the day and, and, and network. And GroupWise had a lot of the features that you were discussing about file.
You know, we had a lot of file controls and you could do all these wonderful things. The world has moved away from that weirdly. Right? Like we have gone we've we've gone from a certain perspective backwards. Can you hold that thought for me again? Okay.
Okay, good. So we we've changed our attitudes and our expectations of technology reduced, let's say, and that's, what's changed, not the technology like we, and I, I, I think that's probably a good thing because we can be more general purpose about what we're doing with file.
You know, we're less control freaks maybe than we were in the past at the same time. This is the, this is to get back to the question around. Can you do all this stuff in the cloud?
Well, yes you can. But we, the cloud, I don't doesn't feel to me like has that same level of control because we have we've pulled back from that over the last 10 years or so. Right? I think so. I thought it was a very interesting comment. I remember what I was gonna say now, having been a vendor and an Analyst, both, it's really interesting to learn the nuances of vendor speak. And one thing you'll hear about that you wanna learn about vendor speakers. When a vendor tells you we're gonna do that when the customer asks for, it means bullshit. It's not even funded.
There's no money in the queue. It's not gonna happen. Unless some, you know, an act of God causes it to occur.
Now, when you're a vendor at this level, trying to deal with what you guys are gonna need. It's, it's like you, you can either use a tennis metaphor or Wayne Greski, you know where he said, how do you, how do you play hockey like that? And he said, well, you go to where the puck's gonna be. And if you're waiting to see where the puck is before you go there, it's called a point. And not for you for the other team, right?
You, you, you have to be in complete anticipation. If you're using the tennis motor metaphor of where your opponent is moving, how fast the record, the racket is, moving, where the face is going and go to where the ball's going to be. Not where you're hearing your customer, all of a sudden say, oh my God, I gotta have skim.
You know, it's not gonna happen. They've gotta have the vision.
I mean, that's what I like about this panel is that they're involved with trying to have enough vision, enough leadership capabilities to over anticipate where that ball's gonna be and get there on time. Now, the problem is with the computing trick and API economy is out stripping all of us it's happening so fast. That it's way too hard. It's getting very difficult to figure out where that ball's gonna be Any questions from the crowd. Just one, one other comment on that.
I, I, you know, can't but help to agree with that. Craig, the problem from being a vendor is, you know, I sit on phone calls probably every day. Like some of my colleagues do where we talk about the vision and where we want to go and the reality of where we are and the resources that we have. And it's always a difficult thing. And we have to, you know, as a product manager and, and a team of product managers that I have in my company, you know, I say that the most important thing about a product manager is not going to a customer and hearing what the customer wants. It's like Steve jobs.
When someone said to him, you know, how many customers did you talk to about the iPhone? And he said, none, cuz they didn't know what they needed. Right. And in product management, I think the hardest thing about product management and one of the most interesting things about product management for a poker player like me, is making a bet. The problem is you only have so many chips. I don't disagree with what Craig has said or, or, or other panelists have said, but you only have a certain amount of chips in your, in your, in your stack.
You make a bet on skim and you're not making a bet on something else. You make a bet on O off. You're not making a bet somewhere else. And that's, that is a, a problem.
You know, I want to be forward thinking like everyone else does, but at the end of the day, you've got only a certain number of bets you can make. Yeah. But that's why you're here. Right? That's exactly. Why Get better predictions for your Bets.
Yes, absolutely. Absolutely. And this is a great venue for doing that.
Well, I'll give you one, if you're not doing OAuth, you just missed the ball. This is not a question. It's a done deal. Restful OAuth is a done deal.
You, you tweak that, right. You know it, this isn't maybe, and maybe it's gonna be succeed. It's already done. If you're not building your API strategy based on rest and OAuth with SSL as the encryption mechanism, rethink it. So this is the protocol part, but, and I, I, I, I, I have a, I have my own view on that, which very much is aligned with what Craig force is saying. But the other part is where does the identity come from? Right?
I mean, one thing is how do I connect my application? Or as, as an enterprise, how do I connect my services that I've been purchasing in the cloud to my existing infrastructure? So maybe a solution, one, probably one very successful solution, but still the question remains where those, the identities come from, try that For a minute.
You know, Jackson and I have been over here kind of ruminating on Chuck's comment around being native. Right. Like going native. Yeah.
Which I, which I, I love that phrase, but yeah. Going, going in and then, and to your question earlier around, you know, how, how, how can, is it possible to go native?
Well, it occurred to me that, you know, our identities are not native in the cloud apparently, and they're not there yet. So how, how do we make that happen? Right. Because I think until you, until you really see that your identity is something that does exist in the cloud already, right? Facebook. Yeah.
Well, yeah, that, that, that could be part of it. Right.
I, I, you know, I don't know. I'm just, I'm whether it's different question wants to silo Silo, it's not the cloud.
So, but the point is, is that as long as we're in this mode where we feel like an identity is a thing that has to be asserted from something that's outside the cloud, essentially. Right. And you know, some I'm gonna produce this assertion and I'm gonna throw it out into the cloud and someone's gonna believe me and like stuff's gonna happen to it, I guess. So it would be nice to see a truly native version of a, of an identity or an account. So Chuck Before Chuck. Okay.
So what we're going to see, and you can quote me in the middle is identity management in this, as a service in the cloud, issuing identities, it's a cloud service, just like any software is a service. And that's where the trend that's where we're headed. Who's gonna, it's going to be run by us as a community. It isn't a single vendor it's and we will be able to have access through that's why rest and O is so important, cuz that's gonna be the interface to getting your identities through an API.
So that's where we're headed as a trend is a industry based identity management as a service from many vendors that you can get to in the cloud and choose which one, which identity provider services you use to get your identity. Yeah.
And, and if we're talking about corporate identities, I think one interesting dynamic that we can draw on is where those things historically originate from and where people develop powerful positions in the identity industry. From, if you look at active directory, active directory, somewhat leveraged its position in the enterprise, in from exchanges, strong position. And where are our email accounts shifting now? Right. Office 365 and Google are starting our, our email accounts.
And if that's the primary conception of identity for end users, like where's that identity starting to exist, HR systems are typically, you know, system of record for, do you work at this organization? And often are the original thing that kicks off a provisioning event within an organization to get provisioning your corporate directory, to actually get services. Those are starting to shift into the cloud. Like a bunch of people are yeah. Are now exist in Workday. And that identity exists in the cloud. We're actually starting to see a trend where you're seeing cloud inversions.
So rather going from on-premise HR system to corporate directory and then pushed into the cloud, we are seeing some customers start with Workday, push into a cloud-based identity system and provision active directory down from the cloud, right? So we're starting to see the world turn on its head. It's very early, but as those identities naturally shift into the cloud, because that's where the business applications are driving those identities, you're going to see this happen.
So, And I would say another key identity service that isn't in the discussion yet, but has to be on the horizon is proofing how integration with services like Equifax and other authorities that can truly proof an identity that it's not, that just you can't authenticate as that user, you have their username, you have their password, you have their device, but periodic proofing that you truly are, that person based on external third parties.
And how often do you proof do you proof when you get the identity in that system, do you proof procession, do you proof based on risk when, depending upon the transaction and I see that they probably have, since they have kind of a monopoly on that data, probably a strong position at some point to enter the identity management space, especially as it moves into the cloud. So along bring your own identity Speaker 11 00:51:49 Yet.
And, and then rep proofing, haven't heard from you in a while. So along those lines, the proofing aspect, what we're gonna see then is an API that lets you use a trust framework, like an Equifax to go get another factor of authentication, to say who you are and what level of access or authorization you have to what types of data.
So trust framework, isn't really a good name for what I'm talking about, cuz it, you know, it's a fusion drive, you know, it's a complicated problem and you can't well, you know, these are, these are hard problems and how do you name them in a way what's the relationship it's meaningful. Speaker 11 00:52:35 Drive an API. Is there like a, is that same thing Off and on drive?
So, you know, we're gonna the ability to then choose what identity management as a service provider you use to get your identity, what then service you do to do two or three factor authentication so that the, the level of trust that you have from the service that you're trying to access goes up, it has to be no silo, no locking on single vendors. See when a vendor tells you that they want to give you freedom of choice. What I wanna see is not their decision to let you have a freedom of choice of captor, But really freedom of choice that I can choose.
Who's gonna provide what service now, when you really get protocol independent, then I can, I can choose what vendor or group of vendors that I use to provide the identity services that I'm looking for to give me other levels of trust. I different types of identities, different types of let's even go further and call 'em personas.
You know, who sometimes I use a different persona for different reason. And I may not use that those set of services to do that because I don't do a good job of it. I really want to have freedom of captor, no silo, no vendor lock in and no choice of captor. How Speaker 12 00:54:09 Much are you willing to pay for that? Nothing. Yeah. So you're willing to pay what for that? Why would you Charge me for that?
Speaker 13 00:54:16 Well, the other question is I yeah, so, you know, actually the, the problem, I guess I have with the way that we're phrasing this discussion is just that it, it, it still seeped in the terms of the client server sort of thing that I was talking about before, when we mentioned like IDP and SP and that sort of thing, it sort of, it, it it'd be nice if we could sort of break outta that framework a little bit and I don't know exactly how, but the point being, what, what I, what I see happening is the shift away from an actual authentication as an event, as a one time sort of event, or even a two time kind of event, or maybe even a three time kind of event.
And it it's becoming more about context. Everything is becoming about context in in fact, including vetting, including authentication, including authorization there's we're, our customers are essentially moving to a model where you'll start out maybe with a social identity and you, you kind of show up and there's, we, we're not very trustful of that, of that interaction, but we're willing to start a conversation and then we'll start moving into other kinds of tests and proofs and other sorts of things.
And we're finding out where you're coming from, we're looking at your device and whether it's been jailbroke and, and you know, what sort of, you know, where have you been on that thing? And like, whatever, what, what network are you coming from? And we're starting to look at at whether or not, you know, we've, we've seen you before.
And, and it's, it's the combination of all of those things that, that is building kind of a risk profile, right? For a particular transaction. And based on that, we're, we're saying, okay, should we authorize something or should we ask for something more? Do we need?
And, and that interaction is more complex than, than, than, you know, what we used to do, which is because authentication is so important. And because it only happens once, right? You need to have nine different cards, you know, and you have to present all these, like, who are you? And what are you?
And like, it's not really happening like that anymore. Right. We we've moved into a more nuanced, very, and, and not all of these sort, these are not all coming from a single identity provider. Either these, these contextual components are coming from lots of things they're coming from your device. They're coming from your network provider. They're coming from.
Yeah, yeah, yeah. That's way I am. So I'm gonna give it to Jackson because it's been a while since I heard from we're, Are we almost done only? We are.
So, I mean, one thing is clearly we all better upgrade our internet speeds at home. Right. Cuz a lot of this stuff, you know, I mean, I we've been doing a lot of thinking. I've been doing a lot of thinking about contextual authorization, contextual authentication, adaptive authorization, adaptive authentication, authentication is typically a one time event.
You know, maybe two times authorization, something that occurs over and over and over and over again, you know, it's gonna be really interesting to see how we, we just handle this from the perspective of, you know, can we distribute all these events? Can we do these things? What order do we have to do these things?
But I think it's a, an exciting time from the perspective of how we're going to, you know, build some of these capabilities and you know, in my case, trying to think about, you know, cause now I'm part of a hardware company, how much hardware and what, and can we use hardware to help with some of these decisions around where people are coming from and you know, what the circumstances are, where they're coming from and pat, as to what Patrick is saying, what is the trust level with a particular person or a particular, you know, transaction at the atomic level and, and, and how you, you know, are gonna ask a lot of these questions.
So an answer to your question about who's gonna pay for it, Mike, I'm sure that you will see the vision that you can't charge for connectors. And that this is a connector conversation that I was talking about. I can charge for the service and the connector is not where you make your money.
Oh, you said you got that. Oh, that's right. I remember now.
I mean, I'd say maybe if you fast forward to the end where we all have our own fusion drive, our own little personal fusion drives built into our, our, our apple phone of the future, our apple watch of the future, maybe each individual at some point is a claims issuer. And there's some type of, you have a limited authority to issue claims about yourself. And there's some type of certificate revocation list where, you know, you can revoke a claim and it goes down the chain, the concepts of PKI, but something to think about Last words from Salesforce, Last words. Okay.
We're, we're working really hard on JSON bindings for fusion drives. The XML representation was too heavyweight. So I I'm last words. Yes. I would pay attention to the trend. We've just started talking about, which is identity and context becoming your new perimeter and that what you're shifting to is a world where you're doing continuous authentication or authenticating transactions and the context of that transaction and the identity continuously, along with the other authorization you're doing for resource access. I think that's quite important.
I think taking a serious serious look at oof as not a consumer protocol, but a great enabler for enterprise use cases, both for mobile applications and general agility within the enterprise. There's nothing actually in oof, that dictates it's this pattern of end users go to a service and approve access to resources on their own. So if you look at the oof deployments that many of us are are building, or have we have shifted all of that. So you can still use enterprise authorization, you can layer it together with SAML, so you can bring your own identity into the authentication portion of oof.
You can establish context of the application that you're trying to deal with because now application is an actor, sometimes an authenticated actor in that process. So this opens up all sorts of possibilities to layer in policy contextualization and things like that. So those are two trends I would pay attention to as your organizations. So I have a list of technologies that you wanna look at as an it professional when trying to look at solving your identity or your identity access management issues.
So restful soap based loosely coupled event driven, and what I call the private, the proxy facade to protect your privacy are the, is the list that I'll let you look at mean Speaker 15 01:01:08 Soap based? Or did you mean HTTP? Did I say soap? Yes. Oh my God. It's Okay. It's like a 40th. Speaker 15 01:01:14 Yeah. Restful H yeah. HTTP.
So, boom, man. What day is it? Loosely coupled event driven and privacy facade. A pro proxy facade. Sorry. I think I've said everything I wanted to say, except that fusion is a registered trademark of the Oracle corporation and, and we've kept track of how many times you've used it. So we'll be sending you a bill.
It's I, I think this panel should come back next year and have a discussion about exactly how we've done in the, the year up to the next, the next one. Zero accountability please. Yeah. Zero accountability. I I'd say the cloud. It's a jungle out there. If you just bring a silver bullet, you're probably not gonna survive. It's better to come in with a Swiss army knife. You might make it out. Speaker 15 01:02:10 Okay. Thank you very much. Thanks again, gentlemen. Thank you.