Another thing which became clear once more at the European Identity Conference was how complex enterprise IT actually is. This is of course something that provokes me, and I am wondering whether it really needs to be the case. Both ways of thinking seemed to be present at the conference.
So here are some reasons, partly from people I talked with, partly some I just made up ;-)
- There are lots of players: Business has business requirements, Risk Management adds requirements on top, IT has to implement all that, and the last part is security, which is sometimes not really able to talk to the other parties involved because of a culture mismatch (security is mostly technical people). A holistic approach would probably help, but it is easy to imagine that this is far from happening.
- There are lots of legal regulations and frameworks you need to comply with, adding yet more requirements to the mix.
- My suspicion: quite a lot of over-engineering. From my experience elsewhere you actually see this happening in nearly every area. It then takes time and effort to find out that many use cases never actually happen or can be solved with simpler tools. Maybe compare Java and Python ;-)
- Lots of legacy systems you cannot simply replace.
Moreover, I would think that some companies also just want to sell their products quite a bit longer instead of reinventing all the time.
That being said, there also seemed to be some wish to make things simpler. This came up in some talks, either about quick wins or about rethinking your infrastructure on new projects.
Let’s once again look at the web and what’s happening there. The main difference is probably (as Eve put it nicely) that on the web you have to convince people to use your protocols. E.g. for authorization you of course could use Kerberos, but the internet community refused it and now there is the much simpler OAuth instead.
And not only that: OAuth in itself is becoming even simpler to implement. Or look at the Facebook Graph API and the Open Graph Protocol. Both are very simple in their use.
Of course you have far higher security requirements in the enterprise than on the web, but this will change the more security-sensitive things you do online (e.g. shopping, eGovernment services etc.). Then the big question is: How easy actually is it to do strong authentication?
But besides different requirements you also see different means of solving problems, just take these two:
- REST vs. SOAP
- JSON vs. XML
So the question might be: Can the enterprise learn from the web? And vice versa?
My answer would be yes:
- the web can learn from the enterprise about the requirements that are really necessary
- the enterprise can learn from the web how to build the simplest possible protocol to do the job.
The question is how big the resistance will be. As an example let me mention Kim Cameron’s keynote on the new ADFS 2.0. He was then asked why it sounded like a replacement for LDAP, and he said that while he has a strong love for LDAP, time simply moves on. Asked if he knew how many people in the audience relied on LDAP, he added that Active Directory of course is still built on LDAP.
Which makes me wonder: Why is LDAP still around? Isn’t there some RESTful, JSONified alternative to it? (I actually started right away to implement one, out of curiosity about how this might look.) Or will everything soon be replaced by security tokens and Attribute Based Access Control (ABAC)?
One thing is clear: Things are in motion (UMA and the interest in it might be a sign of this) and it won’t get boring anytime soon. Let’s see where we are at EIC 2011 with regard to web/enterprise protocol fusion.