CTO Enrique Salem explains his company's approach to securing access privileges

The first line of defense in any security plan is authorization. If an IT organization cannot identify its users, then anybody can gain access to its systems by usurping the identity of any user. One company that is trying to create a unified approach to identifying users within the enterprise is Oblix, which has developed an XML-based approach to the problem. Most recently, Oblix integrated its Core ID platform with Microsoft’s Passport service. In an interview with InfoWorld Editor in Chief Michael Vizard, Oblix CTO Enrique Salem explains his company’s approach to the problem and how authorization tools take the headaches out of managing end-user access privileges.

InfoWorld: How would you describe Oblix’s approach to authorization?

InfoWorld: In your opinion, how has this space changed in the last year?

Salem: The big thing is that the world has gone from exclusion — keeping everybody out — to inclusion. And now we all talk about how XML is going to be the glue that’s going to allow us to integrate across corporate boundaries. We’ve done a lot of work in what we call Core ID to basically provide a Web services interface for all the identity management functionality. When you do identity management, you have to have the XML interfaces and built-in workflow because what you want to do is model some of the business process. When you build out an identity management solution and you don’t have an underlying workflow system, everything is manual, time-consuming, and costly. The reason customers select Oblix is because we’re the only vendor delivering an identity XML-based solution. The moment you go into the PeopleSoft system [and] create an XML document, it goes into the back-end identity system. But it’s not just whether you’ve authenticated and you have the identity down; what you’re really trying to do is automate a business process to remove some of the friction in the system.

InfoWorld: At one point, directories were supposed to solve this problem. So why do companies need another layer of software?

Salem: A directory is a part of a solution, but it’s not a solution that spans all the places identity is stored in the enterprise. And then if you extend that Internet-wide with something like Microsoft Passport, you now have potentially public locations that have information about the user identity. What we’re saying is that with Core ID, you bridge all the places that identity can live.

InfoWorld: What does that mean for the next generation of collaborative applications?

Salem: I think you’re going to be able to customize what that person sees much more effectively. If you have enough attributes about the person, you’re going to know what they need. It’s also about dynamic group management. Instead of making that a manual enumeration process, make it a dynamic process that’s just based on a filter applied to a set of attributes.

InfoWorld: Are companies really taking an enterprise-centric approach to this problem today?

Salem: Unfortunately, they’re moving forward in parallel. What’s happening is inside of a large corporation you’ve got people who may be building out a supplier portal. One of the things that we’ve discovered is you don’t find a lot of bridging between the people who are in the supplier-based systems and the people who are on the intranet-based applications. So you’re seeing these things grow up in parallel. What we’re saying is you shouldn’t need different tools.

InfoWorld: What comes next in this space in terms of standards?

Salem: We’re the only one delivering Identity XML today. There is another one, called the Provisioning Services Markup Language, [or] PSML, that we’re involved with. We believe that will potentially be the solution that talks about how you manage more identity. There’s more to be done in password management. There’s more to be done in provisioning. There’s more to be done in personalization.
What we’re able to deliver with Core ID to a corporation today is fairly far along, but as corporations work with other corporations and you scale this out, we’ve got a long way to go as far as how we’re going to all normalize the data and how we’re going to exchange key information. [What] I’m looking at is the convenience factor of me not having to work with disparate systems and keep track of my e-mail names and passwords. I’m going to have more time available to do other things because I’m not hassling and wrestling with what credit card do I need at this site or what information I need at that account. On the corporate side, this is going to drive costs down. As this infrastructure gets put in place, the cost to deliver new applications will be decreased. XML is really going to make a difference.

InfoWorld: Why is there no centralized approach to security that is truly viable?

Salem: A specific vendor will aggregate a set of pieces and they’ll build some set of XML-based interfaces that will allow other components at the enterprise level to plug in. But I don’t think anybody will ever have all the components of a security solution. I think that’s what you’ll see in 2005. In the short term, enterprises will buy best-of-breed applications and they’re going to pick a couple of vendors to work with. In the long run, a couple of these vendors will be able to aggregate new pieces.

InfoWorld: Why should people move to solve this problem today as opposed to waiting for the standards to shake themselves out?

Salem: Waiting is always an option. But my point is if you buy our product today, it’s a piece of infrastructure that is going to be able to live with you for five years. If you look at the mess companies are trying to reconcile, they can wait another 12 months. Waiting is always an option. But I don’t think you create competitive advantage by waiting.