SSO Summit field notes

There and Back again...

By Christopher Paidhrin

Summary --

Full disclosure: I'm just a medium-sized hospital's IT security guy. I've had Imprivata's ESSO appliance (three of them actually, a pair of HA, and a test box) up and running, happily, for about three years. I was invited by Imprivata and Ping Identity to participate in a panel discussion at the SSO Summit held in Keystone, CO, on July 23-25.

Andre Durand (Ping Identity) and friends put on a very nice event. There was a good blend of topics, from SSO-centric details, to Federation issues, and a mixture of interesting case studies to visionary presenters like John Haggard (independent security consultant and long-time IT mentor) and Gunnar Peterson (Arctec Group). The event was solid throughout, but to hear John and Gunnar speak about the important issues of the past and future of SSO and IT/Web security, made the event a powerful experience not to be missed.

The conference was well balanced with interesting case studies (GM, Chrysler and 3M were fascinating), vendor technologies (Covisint, Ping Identity and Coreblox) and breakout sessions. Normally, I don't find much value in breakout sessions; they tend to be space fillers and socializing sessions, but not here. I was impressed by the topic-centered groups (I think there were seven or eight for each round), in that they addressed real and interesting questions. I had difficulty choosing which to sit in on. Fortunately, we pulled together at the end of each session to share the highlights from each group. Even though there were a number of new-to-SSO attendees, the depth and breadth of collaboration within the small groups was impressive. I'm a slow note-taker, so I am anxiously awaiting the digital copies of the presentations and breakout session summaries.

The customer discussion panel that I participated in, with Steve Craige, VP, Bank of the West, and Michael Thomason, Chief Technical Architect, Emory Healthcare, was a good way to contrast how the three of us chose our SSO partners, what our challenges were, and what we learned about ourselves, our organizations and our vendors, in the process.

The 'take-away' value from the SSO Summit has been transformative. Now, all I have to do is transfer this experience to my IT security peers and the security architects within ACS, and hope that I do justice to the experts who shared their insight and knowledge with us.

Wish you could have been there. I hope to return again next year.

Details, if you're into that sort of thing--

The Keystone Lodge was a welcoming environment, the facilities were well kept and managed, and the staff was first rate. The weather was mild, the beetle-infested trees were disconcerting, and the ride via Colorado Mountain Express (CME) up and down from Denver International was a pleasant alternative to the rental car experience.

Pluses: Two-plus days in the high mountain air and beautiful scenery; comfortable room, and good food. A day and a half was just right for this event. Dave Kearns, Network World, who hosted the SSO customer panel, commented several times on the Burton Group Catalyst conference held in late June, in San Diego. That conference was three days of sessions, plus two days of workshops. Most people needed a vacation after that much intensity. I was in San Diego too, and I can say that the SSO Summit held its own for the quality and value of content.

Minuses: High mountain altitude made several folks not feel so well. I had a low grade headache for most of the time. I guess it's a trade-off.

Topics of interest

One might not think that SSO would be an engrossing stand-alone topic for a conference, but there was a steady and high interest level among the attendees. I have attended a few (make that several) conferences, and there is an ever-present opportunity to put the masses to sleep. I was pleased to see an active engagement between the hosts, presenters and the audience.

It was evident from the presentations that SSO tools/technologies/standards have come a long way in the past few years. It was also evident that we still have a ways to go. The current state of SSO is solid, but it is conceptualized within three distinct areas: a) Enterprise, b) Federated enterprises, and c) Web-services or universal. Each of these has existing, viable technologies and vendor solutions, but the talk of universal standards is pulling all of them together, if not to share common security standards, then to share common protocol standards. There was a lot of talk about SAML and certificates.

The future of SSO is coming upon us quickly. The adoption of standardized federation, identity and authorization schemas is lagging behind the adoption of Web 2.0, cloud-everything and mobile-diversity technologies and service demands. Both John Haggard and Gunnar Peterson spoke emphatically to the need for 'real' security to catch up with the explosion of perimeter-less networks and SaaS/SOA/cloud services. If you have a chance to hear these guys, don't miss it. Or, better yet, invite them to your nearest ITSec event; they'll knock your socks off.

Key take-aways

It helps to know that confusion is not just a personal state of mind. Everyone seems to be struggling with the many issues and challenges of finding, paying for, integrating and deploying a robust, high-availability, scalable, feature-rich and easy-to-manage SSO solution.

There is much room for maturity in the SSO marketplace. It will help when the dust settles from all the mergers and acquisitions, and when the community agrees upon common best practices, protocols, and federation schemas. As the business communities of the world migrate ever so rapidly into a webified service delivery experience, identity and access management will become ever more important. And right there at the gateway, SSO, in one form or another, will be keeping guard.

When people ask me about SSO, I have tried to stress the importance of finding a really good vendor/partner (like Imprivata), because there is too much at stake when deploying an enterprise-wide SSO solution to not have a high degree of competence and wisdom behind you to guarantee success. Even if you have deployed ESSO solutions before, it helps to have expertise on your bench.

Next year's conference focus? Andre hasn't said what that will be, but if it is anything like this year's event, it will be well worth attending.



Christopher Paidhrin

HIPAA & IT Security Officer

ACS HCS, Inc. for

Southwest Washington Medical Center