Thursday, 31 July 2008

SSO Summit Wrap Up

I was preparing to write up my SSO Summit experience when I was alerted to the below blog post. Christopher does a better job than I would have. Thank you!

Summary --

Full disclosure: I'm just a medium-sized hospital's IT security guy. I've had Imprivata's ESSO appliance (three of them actually, a pair of HA, and a test box) up and running, happily, for about three years. I was invited by Imprivata and Ping Identity to participate in a panel discussion at the SSO Summit held in Keystone, CO, on July 23-25 (www.ssosummit.com).

Andre Durand (Ping Identity) and friends put on a very nice event. There was a good blend of topics, from SSO-centric details, to Federation issues, and a mixture of interesting case studies to visionary presenters like John Haggard (independent security consultant and long-time IT mentor) and Gunnar Peterson (Arctec Group). The event was solid throughout, but to hear John and Gunnar speak about the important issues of the past and future of SSO and IT/Web security, made the event a powerful experience not to be missed.

The conference was well balanced with interesting case studies (GM, Chrysler and 3M were fascinating), vendor technologies (Covisint, Ping Identity and Coreblox) and breakout sessions. Normally, I don't find much value in breakout sessions; they tend to be space fillers and socializing sessions, but not here. I was impressed by the topic-centered groups (I think there were seven or eight for each round), in that they addressed real and interesting questions. I had difficulty choosing which to sit in on. Fortunately, we pulled together at the end of each session to share the highlights from each group. Even though there were a number of new-to-SSO attendees, the depth and breadth of collaboration within the small groups was impressive. I'm a slow note-taker, so I am anxiously awaiting the digital copies of the presentations and breakout session summaries.

The customer discussion panel that I participated in, with Steve Craige, VP, Bank of the West, and Michael Thomason, Chief Technical Architect, Emory Healthcare, was a good way to contrast how the three of us choose our SSO partners, what our challenges were, and what we learned about ourselves, our organizations and our vendors, in the process.

The "take-away" value from the SSO Summit has been transformative. Now, all I have to do is transfer this experience to my IT security peers and the security architects within ACS, and hope that I do justice to the experts who shared their insight and knowledge with us.

Wish you could have been there. I hope to return again next year.

Details, if you're into that sort of thing--

The Keystone Lodge was a welcoming environment, the facilities were well kept and managed, and the staff was first rate. The weather was mild, the beetle-infested trees were disconcerting, and the ride via Colorado Mountain Express (CME) up and down from Denver International was a pleasant alternative to the rental car experience.

Pluses: Two-plus days in the high mountain air and beautiful scenery; comfortable room, and good food. A day and a half was just right for this event. Dave Kearns, Network World, who hosted the SSO customer panel, commented several times on the Burton Group Catalyst conference held in late June, in San Diego. That conference was three days of sessions, plus two days of workshops. Most people needed a vacation after that much intensity. I was in San Diego too, and I can say that the SSO Summit held its own for the quality and value of content.

Minuses: High mountain altitude made several folks not feel so well. I had a low grade headache for most of the time. I guess it's a trade-off.

Topics of interest

One might not think that SSO would be an engrossing stand-alone topic for a conference, but there was a steady and high interest level among the attendees. I have attended a few (make that several) conferences, and there is an ever-present opportunity to put the masses to sleep. I was pleased to see an active engagement between the hosts, presenters and the audience.

It was evident from the presentations that SSO tools/technologies/standards have come a long way in the past few years. It was also evident that we still have a ways to go. The current state of SSO is solid, but it is conceptualized within three distinct areas: a) Enterprise, b) Federated enterprises, and c) Web-services or universal. Each of these has existing, viable technologies and vendor solutions, but the talk of universal standards is pulling all of them together, if not to share common security standards, then to share common protocol standards. There was a lot of talk about SAML (http://en.wikipedia.org/wiki/SAML) and certificates.

The future of SSO is coming upon us quickly. The adoption of standardized federation, identity and authorization schemas is lagging behind the adoption of Web 2.0, cloud-everything and mobile-diversity technologies and service demands. Both John Haggard and Gunnar Peterson spoke emphatically to the need for "real" security to catch up with the explosion of perimeter-less networks and SaaS/SOA/cloud services. If you have a chance to hear these guys, don't miss it. Or, better yet, invite them to your nearest ITSec event; they'll knock your socks off.

Key take-aways

It helps to know that confusion is not just a personal state of mind. Everyone seems to be struggling with the many issues and challenges of finding, paying for, integrating and deploying a robust, high-availability, scalable, feature-rich and easy-to-manage SSO solution.

There is much room for maturity in the SSO marketplace. It will help when the dust settles from all the mergers and acquisitions, and when the community agrees upon common best practices, protocols, and federation schemas. As the business communities of the world migrate ever so rapidly into a webified service delivery experience, identity and access management will become ever more important. And right there at the gateway, SSO, in one form or another, will be keeping guard.

When people ask me about SSO, I have tried to stress the importance of finding a really good vendor/partner (like Imprivata), because there is too much at stake when deploying an enterprise-wide SSO solution to not have a high degree of competence and wisdom behind you to guarantee success. Even if you have deployed ESSO solutions before, it helps to have expertise on your bench.

Next year's conference focus? Andre hasn't said what that will be, but if it is anything like this year's event, it will be well worth attending.

Regards,

Christopher Paidhrin HIPAA & IT Security Officer ACS HCS, Inc. for

Posted by adurand at 1:31 PM in IdM




Tuesday, 29 July 2008

Ping Identity Fanfare

"I'm usually a 'find open source and build it' type of guy. I've been that way for nearly 10 years now. But the interactions I have had with Ping Identity on both a technical and business level have really impressed me."

"From my vantage, I'm interested in the market maturity of SSO as it emerges out of the scripting/utility phase and into a new architecture discipline. I've been closely following Ping for a number of years and suspected they might be the vendor who breaks the SSO glass ceiling. From what I could tell at the SSO Summit, my suspicions were correct."

Posted by adurand at 3:15 PM in IdM




Wednesday, 23 July 2008

New Windows IWA Integration Kit v2.1 - Available for Download

We released a new version of our popular Windows IWA Integration Kit. This is the integration kit that allows companies to leverage their Windows authentication for use in SAML or WS-Federation single sign-on.

New features in this release include:

· Improved Kerberos/NTLM fallback authentication

· Improved NTLM support for multiple domains

· Improved logging and exception handling

· Simplified adapter configuration

· Added support for Microsoft Vista Internet Explorer 7

You can download the new kit from our website at www.pingidentity.com.

Posted by adurand at 9:27 AM in IdM




Tuesday, 22 July 2008

185 Internet SSO Connections! WOW

One of our customers just reported that they are now at 185 connections through PingFederate and growing. That's the largest number of production SAML SSO connections to customers/partners I've heard of to date. Very impressive.

Posted by adurand at 12:47 PM in IdM




Friday, 11 July 2008

$55,000 Commission Check!!

I just signed a $55k commission check to one of our partners who sold PingFederate to a customer in Europe. I love writing these checks, it's a win for everyone as far as I'm concerned.

We've got an even larger check going out to a company that did nothing more than refer us to a customer. Not a bad day's pay for what amounts to a simple referral!

Posted by adurand at 3:14 PM in IdM




Wednesday, 2 July 2008

Failing from the word GO

At the Burton Catalyst conference last week, there was a fair amount of talk about failed provisioning and IdM projects. So much so, it prompted me to post an observation.

Many large projects fail to achieve their initial definition of success, not just IdM projects. But we appear to have more than our share of failures. If a customer doesn't take the time to understand the problem well enough to define a practically achievable solution, vendors will take advantage of them.

Many centralized strategies, nearly by virtue of their large and complex scope, fail to ever realize their initial definition of success. When is the last time someone defined success in a provisioning project as simply connecting two data repositories? These centralized strategies are often not done until everything is centralized, and that's nearly impossible to achieve in today's large and dynamic enterprise environment.

And here is where the vendor community, especially the large suite vendors, combined with the integrator channel, exacerbate the problem. If a vendor's route to a customer is through an integrator who adds value by unraveling complex products, someone who is responsible for making all the complexity work, then why would that vendor feel compelled to make their software easier to install, integrate and use? After all, they rely upon their channel partner to make it all work for them.

And if your sales organization is motivated to sell larger and larger deals, or worse yet, enterprise-wide licenses, then there is a motivation to cover more use-cases (instead of making existing ones easier to implement), and so vendors build larger and larger products, which of course are even more complex. It's all fine if someone else can make your complicated product work, but what if they can't? And when success in implementation is defined in years, what are the odds that the person responsible for starting a project is actually still around to see the project completed?

Maintaining quality and simplicity as use-cases grow is a real challenge for vendors. Maintaining achievable scope for customers is similarly challenging, but a requirement if expectations are to be met. Selecting an architectural approach which rewards quick, tactical wins on the way towards larger strategic objectives can help, and that's one of the benefits of the federated identity (decentralized) approach. Customers can celebrate a win one connection at a time.

Posted by adurand at 11:15 AM in IdM



