Thursday, May 24, 2018

From federated identity to consolidated identity: a look at the past, present and future

This post was also published in

It’s time for a better way to maintain identity in the enterprise. Let’s explore a new identity model, Consolidated Identity, that will simplify how employees authenticate into systems, access data and complete workflows.

Today, it is common to use your Google, LinkedIn, or Facebook identity to log into a website. However, in the first generation of the commercial Internet, this was not the standard experience. Virtually every internet service required users to create an account with a username and password. For services that were only used occasionally, having to create this account and remember all the associated passwords often created friction for new users.

The invention of federated identity for the consumer Internet

I worked for Sun Microsystems in the early 2000s and was fortunate enough to be the technical lead for a new concept called federated identity, which presented a way for separate online entities to share identity across any number of websites. In order to build it, Sun formed the Liberty Alliance, a consortium of large companies from a variety of sectors, ranging from telecom to travel to banking.

With federated identity, we separated two important concepts:

  • Logging into a website
  • Using a service from a website

Using a standard protocol, a user could, for example, log into and then go rent a car from without having to log into their Hertz account. Federated identity allowed distinct websites to enter a business relationship with each other. Using a standard protocol, a website, such as, could operate as an identity provider where users had an account with login credentials, while another website, such as, could operate as a service provider where users could then rent a car. As a result, users benefitted from simplified access to services using their pre-existing accounts.

User identity on the consumer internet

Federated identity was built on a loose trust model, which placed a firewall between users’ account information and their service history across providers. In other words, there was no need for AOL to know anything about your rental car history or for Hertz to know your AOL preferences. With the Liberty Alliance, we created extensions to the protocol that enabled services, such as user information transfer and payment processing, to be exchanged between providers.

The adoption of federated identity in the enterprise

The protocols of the Liberty Alliance became the basis of SAML 2.0 when they were transferred to the OASIS standards organization. Accelerated by the prevalence of identity servers and identity access managers that supported the SAML standard from vendors, such as Sun, Oracle, and CA, enterprises embraced the SAML 2.0 protocol as a standard way to perform single sign-on (SSO) across enterprise systems.

However, SSO is only the first step for a successful enterprise identity model since, unlike consumer internet and service providers, enterprise systems have a tight trust model. Many enterprise identity and service providers are hosted by the enterprise itself, and external service providers are subject to intense security controls and compliance to ensure that employee data remains secure.

A direct consequence of federated identity is that all of the data related to an identity is also federated across countless systems. Employee data, for example, is hosted in numerous systems, including payroll, human resources management, and financial and ticketing systems.

Consolidated identity is an evolution of federated identity, specifically for the enterprise. In an organization, there is no need for the firewall between the identity provider and the service provider. The enterprise itself is the primary identity provider and the service providers that provide services, such as payroll and time off requests, do not hold any data that should not be accessible to the enterprise.

In the enterprise, each employee has data spread across dozens of systems, and unfortunately with federated identity, there is no way for the employee to cross those silos – the employee has to log into each system and use its interface to access the data they need. That’s where consolidated identity comes in, providing employees with the same simplified access to their business services that federated identity delivers to consumers.

Here are the five steps to consolidating identity in the enterprise:

  1. Determine which authentication systems are in use and chain an employee’s identity across those systems. A typical enterprise uses one or more directories, such as Active Directory or LDAP, and enterprise mobility management systems.
  2. Consolidate the data associated with an employee. While it is considered incredibly difficult to integrate widespread data, it is much more efficient when the use case is narrowed. Typically, it is only necessary to consolidate the “active data” related to an employee. For example, the requests of the consolidated identity system could be only for open time off requests, rather than every time off request ever made for both active and inactive employees.
  3. Control how data can be accessed. A consolidated identity framework must also include a copy of the rules for how any cached data can be accessed. Most systems use declarative access rules and groups that can be copied along with data to ensure that data is only viewed by appropriate parties. Combining the rules that control how data is accessed with the data itself is a much more efficient mechanism than using mechanisms like data warehouse slices.
  4. Control access to functions, such as micro apps, with identity provider and application groups. In a typical enterprise, there are Active Directory groups, such as “Management”, as well as groups defined within applications like “ServiceNow Administrators”. A consolidated identity system needs the capability to validate a user’s membership in an application’s security groups.
  5. Facilitate writebacks to source systems. This can be performed using an application API with a service account and delegated authentication or a record notation of who performed an action. Another option is to leverage SSO to either deep link into a target application, so a user can perform an action within it, or have the user bounce to an application login page and login via SSO in order to get a user token to pass to an API.

Consolidated identity and the identity graph

A consolidated identity system evolves federated identity by creating an aggregated store of each employee and their entitlements across both identity providers and applications. This “identity graph” enables a new wave of applications that are both employee-centered and secure in authentication, authorization, and data governance.

For more, check out this whitepaper on consolidated identity that I wrote.

Monday, January 22, 2018

Why disrupting government pot policy is so much harder than the taxi commission

This post was also published in VentureBeat.

The recent legalization of recreational marijuana in California and other states now totals to 45 states that have legalized some form of marijuana. However, the federal government has never endorsed even medical marijuana. The Obama administration created rules known as the Cole memo where they decided not to enforce federal marijuana laws if states legalized it. Recently, Attorney General Jeff Sessions reversed this course and stated that marijuana laws would be enforced.

A raft of startups are operating in this tenuous legal gray area, including Eaze, Baker, and Pax Labs. Much like Uber and Lyft flouted taxi commission regulations, these startups are betting that public sentiment and user traction will overcome the existing legal and regulatory environment. Indeed, all of the state legalization efforts were passed by millennial-driven voter ballot initiatives in both red and blue states rather than by entrenched legislators. The citizens want their cannabis, just like they wanted their Uber.

Name brand Silicon Valley investors have been much more reticent to jump into the fray, which is understandable given the legal uncertainty. The void is being filled by seed investors like Snoop Dogg, AngelList cannabis syndicates, smaller institutional investors like The Arcview Group, and foreign firms like Merida.

The big question is, why is there such government resistance to legalizing marijuana? The answer is quite simple, and actually quite similar to the reason for the resistance to ride sharing. Just as the taxi commission and taxi companies were protecting the $3 billion taxi market, the war on drugs is a $76 billion annual business that decidedly does not want to be disrupted.

The government can credibly spend $76 billion a year on a very big problem with 44 million criminals. If marijuana is decriminalized, that subtracts 35 million people from the user count. It’s also hard to justify a war against the 15 million prescription drug abusers in the United States, because the drugs come from large pharmaceutical companies, not across the border from drug cartels.

Without marijuana users and prescription drug abusers, the annual $76 billion war on drugs becomes about just the seven million serious drug abusers who are consuming cocaine, heroin, hallucinogens, and other hard core drugs. That’s just not enough people to justify the huge investment and would constitute an incredibly excessive spend of about $11,000 per user.

Much as certain jurisdictions arrested Uber drivers and regional managers, it is very likely the federal government will actively bring its weight to bear on cannabis startups. Unfortunately for the nascent cannabis startups, the federal government is much more powerful than the taxi commission and regional police forces. Cannabis startups are already forced to avoid the federal banking system, and it is likely the government will use aggressive tools like asset forfeiture to seize profits.

An array of businesses, citizens groups, and legislators from both sides of the political spectrum are aligning to attempt to convince the federal government to change its mind. Both cannabis startups and investors thought they had a clear quasi-legal path to success with state initiatives, but the recent about-turn in federal government policy is definitely going to put a pause on the nascent industry. Disrupting the government is never easy, especially when $76 billion per year of spend is at stake. From that perspective, Uber had it easy.

The author last smoked pot at the tender age of 18.