by Steve Gillmor

OpenNetwork pushes security model

Feature, Jul 16, 2002

CEO Kurt Long talks about the most effective way to manage end-user authorization and access

OpenNetwork, which this week announced support for SAML (Security Assertion Markup Language), is one of a handful of companies that is solely focused on identity management issues in the enterprise and one of the few that offers a solution that spans J2EE (Java 2 Enterprise Edition) and Microsoft .Net environments. In contrast to other vendors in this space, OpenNetwork is focused on providing identity management solutions that rely completely on directory infrastructure to manage policies and roles. In an interview with InfoWorld Editor in Chief Michael Vizard and Test Center Director Steve Gillmor, company CEO Kurt Long explains why he thinks his company’s approach is the most effective way to manage end-user authorization and access.

InfoWorld: What problem is OpenNetwork trying to address?

InfoWorld: What is your security model?

Long: Our security model is based on a role-based access control model. We use the directory security groups as the roles, so that’s why we get a good fit with the .Net servers. Typically, our customers are looking at large external organizational structures where they need a role-based access control model where you can define a logical set of security policies, give that to someone, and say, “You can give someone else this access.” We’ve got that very well defined. It makes that delegation possible. With regards to this architecture, we architected no policy servers. We are just going to be role-based access control, so we store the associated identities and security policies directly in the directory. Now the big bet is [that] directories have to take off.

InfoWorld: What are the connection points between identity management and Web services?

Long: If you kind of bear in on the details around the Web services, really there’s a huge void around security and Web services, to be more specific. With the emergence of J2EE as the incumbent in the extranet and the introduction of .Net products, there’s actually a security void that is huge. So that’s where OpenNetwork positioned itself. We secure existing J2EE environments, and Microsoft is enthusiastic about working with us to provide a security foundation for .Net. For example, OpenNetwork is the only vendor that is bundled with the .Net product line, specifically Commerce Server 2000. That’s been a tremendous boon to our business. We have a unique architecture around a directory — the product’s called Directory Smart — that has really resonated with Microsoft, its approach to .Net, and its directory-centric security model.

InfoWorld: What’s your goal in working with Microsoft?

Long: We’re hoping that we’ll be recognized as the de facto standard for .Net Web security. That’s our mission within the company. We’re always going to be a multiplatform company — that’s the value proposition to the customer and to our partners — but we also want to be recognized as the de facto standard for .Net.

InfoWorld: A lot of the solutions in the identity management space seem to come with a lot of consulting overhead in terms of cost. What’s your approach to implementation?

Long: This is infrastructure that should be able to deploy rapidly and should be able to fit seamlessly on top of existing infrastructure. To do that, we needed the directory to be everywhere. With ubiquitous directories, our product installs faster, runs faster, and is easier to manage. That isn’t necessarily what the consultants want to hear. Now there’s a challenge for OpenNetwork to make sure that an organization adopts this infrastructure — it’s not enough just to get it installed. So there is still a consulting element in order to get the organization to adopt it and make it run. But it shouldn’t take six months to get the thing just up and running.

InfoWorld: Is identity management primarily about security or is it more about just getting people easy access to the information they need to do their jobs?

Long: OpenNetwork is in the security business. At the root level of purchase, the dollars come out of the security budget. But the business side of the house is very often an OpenNetwork proponent at the start of the account. In the end, there is some application or set of applications that a business person wants to get online. So the dynamic of the sale becomes [the following]: You get this person as a champion to come over and pressure the infrastructure and security people to say “There is a real business need for us to move the ball.” And then the purchase of the infrastructure tends to come out of infrastructure and security budgeting, even though the business people are the catalysts for an OpenNetwork sale.

InfoWorld: So at the end of the day, how big a challenge is identity management across multiple enterprises?

Long: There is the ability to support multiple domains through your access control agents. Everybody provides that in some proprietary fashion. Right now, there are standards under way to make that an industry standard. Once you’ve got that capability, you can either do one of two things. You can either centralize your security administration, where you’ve got a single set of people that define all the policies and publish them outward, or you can delegate them and say these people have the capability to manage both identity and the policies as long as you’ve got a control infrastructure that says you can’t give away what you don’t have. We have the most powerful delegated administration in the industry because of the role-based access control.