I must be getting old (er). In my pursuit to have even a beginner’s grasp of what’s going on around this cloud stuff this year, I’ve joined about 300 “groups” (what us old guys used to call “mailing lists”). One of those groups is the A6 working group — spearheaded by Gluecon keynoter Chris Hoff. Hoff just pointed out that there’s now a group forming in the UK that consists of 24 vendor types that’s seeking to provide the Common Assurance Metric (CAM). This “CAM” sounds an awful lot like the things already being worked on by groups like A6 and the Cloud Security Alliance, and Hoff is reaching out to them in hopes that we don’t end up with multiple groups re-inventing the wheel.
Unfortunately, if history is our guide, the prospects aren’t bright. Take, for instance, identity protocols (something I’ve had a front row seat to) — things like SAML, IDFF, OpenID, etc. Back in 2007, I did a quick “history” of identity protocols — you’ll notice when you read it that I could’ve just as easily written it in 2009. Yea, not good.
Bottom-line: the dominant “enterprise” identity protocol is SAML. But even SAML 1.0 only came about only because a research analyst publicly browbeat the vendors into bringing together four or five competing yet similar efforts. And even once SAML existed, a whole boatload of companies still formed the Liberty Alliance. And then IBM and Microsoft went off and did the WS-* complex. And because we *still* didn’t have what we needed for identity protocols, OpenID happened. But wait – that wasn’t enough either, so we had to give birth to Facebook Connect. And then, because it isn’t all about authentication, we had to come up with OAuth. Whoops – almost forgot, OAuth is now being expanded to OAuthWRAP.
Timeline of that paragraph: 8 YEARS.
The good news is that none of that dithering stopped the identity “industry” from selling an awful lot of identity management software to enterprises. From SAML 1.0 to present day we still haven’t really solved “internet identity for the masses” – but, you know, we feel like we’re getting warmed up and starting to get our feet underneath us.
I fully believe that groups like the Cloud Security Alliance and A6 working group are completely necessary for the “cloud industry” to mature. But that doesn’t make me optimistic that we’ll get through this whole process without it getting very messy. How do you sort it all out? Insert “you should come to gluecon ” pitch here.