Impressions from Burton’s 2009 Catalyst Conference

I attended Burton’s Catalyst Conference in San Diego a couple of weeks ago. The Burton Group has always been one of the leading analyst firms in the digital identity arena, and Catalyst is certainly one of the premier identity-related conferences. Catalyst has expanded over the last few years to include SOA, Cloud, and Security tracks, but I pretty much stuck with the Identity track this year. Maybe not the best choice in retrospect; more on that later.

I was happy to run into lots of old friends from The Expert’s Conference… James Booth (formerly at Oxford, now on his own at Boothbilt… sort of like Peterbilt I guess), Pamela Dingle (formerly at Nulli, now on her own at Bonsai Identity), Felix Gaehtgens from Kuppinger-Cole, Brian Puhl and Mark Wahl from Microsoft, and Dave Kearns and John Fontana from Network World (one of the few guys who makes a ponytail look cool).

<aside>Watching John Fontana write is a lesson in literary efficiency that I never cease to be impressed by. John writes as he’s listening to each speaker (something I don’t do well), and when the speaker finishes up, John spends a minute or two tidying up his text, and presto! an article ready to be published. And based on my discussions with John afterwards, he hears and understands pretty much everything that’s said, and asks questions about the things he doesn’t. Nothing like watching a professional do his thing.</aside>

Bob Blakley provided the keynote for the identity track, titled “Upheaval in the Identity Market”. I was hoping for an indication of some sort of sea change in the identity and access business, but Bob’s comments were pretty much limited to Oracle’s acquisition of Sun; hardly what I would call an upheaval. But Bob’s a smart guy and a good speaker, so the session wasn’t a waste, just a little disappointing.

The Burton Group identity regulars (Kevin Kampmann, Bob Blakley, Mark Diodati, Gerry Gebel, Ian Glaser, and Lori Rowland) started off with a group discussion of the current state of the identity market. It was a rambling discussion that didn’t really produce anything surprising, though there were a few nuggets:

  • You can’t have 18-month IdM deployments any more; you have to show value within the first 3-6 months (duh!)
  • Evaluating vendor risk is different now. It’s not just “is the company successful enough to survive…”; witness Sun.
  • “Provisioning” has outgrown itself trying to encompass all of the various aspects of IdA
  • Efficiency in IT has become extremely important (ya think?)
  • SPML might be making a comeback with the notion of federated provisioning
  • Companies with active IdM projects are outrunning their tools

That last comment is kind of interesting. I think the deployment curve for identity management is wider than that for most other technologies, meaning that the distribution of IdM projects of different technical maturities (from non-existent to extremely sophisticated) is very flat. There are many companies that are nowhere in terms of identity management maturity, and at the same time there are companies that have leveraged the available tools to their limits and are pushing the envelope beyond what the vendors can provide. It’s as if we had some companies deploying ARCNet at the same time others are deploying 10 Gig Ethernet. I don’t know why that would be, but it is interesting.

Some notes from the other IdM sessions:

Michael Barrett, CISO at PayPal, regarding three-party authN models: Don’t worry about the technology, the technology is there. Worry about the business model, i.e. how do all the parties provide and derive value in the relationship. He almost mentioned that authentication does not produce a binary result; it produces a probability distribution, e.g. “this is how likely this person is who he says he is.” True dat. Double true.

Kevin Kampmann and Alice Wang, talking about roles and entitlements: Certification, attestation, role management, provisioning, access requests, etc. are all closely related, but should be treated separately.

Bob Blakley, talking about cloud economics: Running software in the cloud is not cheaper. The value proposition is time-to-value and a closer matching of cost to consumption (which presumably is cheaper, but I quibble.)

There were a couple of vendor-driven case study puff-pieces, one by a guy from Hoovers who had just deployed Cisco’s Enterprise Policy Manager (what used to be Securent). They had deployed an entire application! Whoa, hold me back! There were a couple of other similarly content-free case-study sessions that I’ve since blocked from my mind. How do vendors get customers to do this sort of thing? Does anyone from Burton look at them? I should have switched over to the Virtualization track… the case-studies were a waste.

Well, not all of them. There was one case-study that I thought was really outstanding, and that was the one by Paul Rarey from Safeway. They have an impressively large IT operation, and the scope of what they’ve managed to automate is mind-boggling. And Paul was a great speaker as well, so great in fact that I have almost no notes from his session (remember when I said I don’t write well when I’m listening to someone?)

Mark Diodati, during a survey of the Unix-to-Active Directory integration market: The market for Active Directory bridge products, Unix security products, and privileged account management is converging and is growing rapidly (he actually said “exploding”, but I don’t think something can converge and explode at the same time).

The vendor hospitality suites were the usual, although maybe a little toned down from last year. Quest’s suite was done in cool blue and white with a 007 James Bond theme. One of the screens was running clips from some of the old Bond movies, like Goldfinger. Very nicely done I thought. One thing that struck me as really funny during the Thursday suite-crawl: Oracle’s suite was covered in crime-scene tape, and next door, RSA’s suite was hosted by clowns. Hmmm. Subliminal positioning? Who comes up with these ideas? At least IBM had the Star Trek theme nailed.

So all-in-all, how was Catalyst? Meh. I was underwhelmed this year. The sessions could have all been on last year’s agenda. The feeling that came across was that not much had changed, and not much was changing. And yet there is a significant transition occurring in the market that hasn’t really manifested itself, and that is the transition from managing identities to managing access. I’ve said for a while that identity management ultimately isn’t what you want to do; you want to control access to your resources. Identity management is simply a prerequisite, a waypoint on the trip. But the whole business of entitlement management, claims-based authN, fine-grained authZ, role management, attestation, etc. is pretty fuzzy right now. There isn’t yet even any agreement on the terminology, and that in fact may be why it feels like the industry is stagnating a bit… it’s hard to talk about what’s next when you haven’t agreed on the terminology.