Friday, September 07, 2007
So for all those asking for an open source solution in the provisioning space, here it is! And unlike other projects that make claims but offer nowhere to download and play, Velo is readily downloadable at SourceForge.
Very very cool beans.
Wednesday, September 05, 2007
The first is the notable addition of Novell and Courion to the leaders quadrant. Courion's addition is especially interesting, as it's now the only boutique in the leaders' quadrant, which says a lot about their product and market presence. The fact that they could play with the big boys is notable, and I've seen a lot of clients asking more about their products lately.
The second point is more of a question. When speaking of Sun, they say that Sun "...also has a strategic commitment to open source, with open-source versions of its user-provisioning software...". Is that true? I haven't heard of it. I did blog previously about openptk, but as I mentioned, that's not an open source version of Sun's provisioning application, but rather a toolkit. So what's the deal? Am I missing something or did the folks at Gartner goof?
Saturday, July 28, 2007
Now, I know that these guys don't have an actual provisioning solution, but rather a toolkit of APIs, web services, HTML taglibs, etc. that plug into existing provisioning solutions. Unfortunately, there isn't a lot of info on their site, but it's absolutely intriguing. Affiliations aren't hidden: all three contributors are Sun employees, and their site clearly says: "The architecture supports several pluggable back-end services including Sun's Identity Manager, Sun's Access Manager and LDAPv3."...but theoretically, this could plug into any provisioning solution, or am I being too optimistic?
"Don’t start with the tool. Don’t start with even thinking about vendors. Don’t think “gee, now that we have fully committed to Identity and Access Management we will just outsource the whole thing, and a third party will take care of our business process for us.” Instead, make the commitment to work through processes. Don’t worry yet about higher-level tasks such as “role engineering” and “compliance baselining.” If you start there, chances are it will not be worth the paper it’s printed on by the next fiscal quarter. Instead, collect processes. Start with “business snippets” and work up from there."
This got me thinking of a conversation I had with a few folks who are part of the professional services arm of an IdM vendor about this (although this may not be what Corbin was hinting at), and the individual was educating me on how they engage a client on an IdM project. His advice: don't waste too much time on their existing processes, because they are going to change anyway.
I suppose this advice works (even then, only partially) for a company that is willing to completely change existing processes based on advice given by a few individuals that probably know little to nothing about their business - which I can't imagine are many.
One notable exception is the companies in the SMB market. My definition of SMB companies from an identity perspective lies between 200 and 2000 (perhaps that's a little generous). There are many companies in this space that have the regulatory pressures, but are typically flexible enough to change their processes to "template processes".
Nonetheless, for companies that don't fall into this category, regardless of size, the question is - what are the inherent dangers of glossing over existing processes, and focusing most of the attention on future processes? Perhaps missing some of the "must-haves" in new processes, but not necessarily. With that being said, time for a movie...to be continued?
Monday, July 02, 2007
Thursday, June 21, 2007
Very true. In my experience, companies who may have a business need for managing authentication and authorization for externally facing apps more effectively with specific partners - BUT don't view it as absolutely critical for their business will opt not to deploy federation for two reasons:
1. The invasiveness of the technology vis-a-vis the partner's environment. i.e. the requirement of deploying a federation server in the client environment.
2. The legal ramifications involved as to liability and data ownership ("who owns the data associated with various identities and who has the final say when the data doesn’t agree") ... Phil Windley has written some interesting points regarding this.
I've dealt with a number of companies that were very interested in the technology, but decided to go with other, less elegant solutions because of the complications involved with these two concerns. On the other hand, when the business case is strong enough - federation is a wonderful solution.
A few years back, when I got interested in federation, I was very impressed and was looking forward to helping federate the world. Unfortunately, it didn't turn out that way. As Neuenschwander stated... "the world isn't as it is in developers' dreams...businesses have inescapable constraints and markets are brutally pragmatic."
Burden on AT&T? Verizon could lose a million subscribers, they've lost the innovation battle (Prada?), and it seems that they'll be content with a healthy second place. How's that for leadership?
Tuesday, May 08, 2007
“I have recently noticed customers more willing to adapt their business process to out-of-the-box capabilities and industry best practices. There seems to be a large shift in maximizing costs and conforming to standards based provisioning. If this trend continues to thrive, average implementation costs and maintainability will become more palatable for customers looking to get the most out of their phased identity deployments.”
- Robb Harvey
Well said. Also, here are some points from Mark:
• Template-driven rapid implementation methods will be used to reduce Identity Management implementation time and cost.
• Best practices captured in rapid deployment tools will allow enterprises to minimize customization and increase system effectiveness.
• Rapid implementation tools will allow Identity Management systems to be deployed in smaller enterprises.
It's an interesting notion for business process to morph to templates. I recall when I first started in the identity space, that was the battle we would try to win. Never did though...business processes, however warped they might have been, would for the most part remain the same and we would architect the identity solution around it. Regarding the SMB market, I would have to agree that they are definitely more flexible...but the template approach is extremely difficult for me to envision coming to fruition. Even with our iRim product (Identropy Rapid Identity Management), our prepackaged workflows end up going through some rigorous tweaking before clients are happy. But I must admit that there is an inverse relationship between the size of our library and the amount of tweaking we do.
Wednesday, April 11, 2007
Euripides: Your workstation system sounds really good Tina. When I get mine, you know what I'm going to do? I'm going to find out your username, and get my workstation to think that I am you. Then I'm going to contact the mail server and pick up your mail. I'm going to contact your file server and remove your files, and--
Athena: Can you do that?
Euripides: Sure! How are these network servers going to know that I'm not you?
Athena: Gee, I don't know. I guess I need to do some thinking.
Euripides: Sounds like it. Let me know when you figure it out.
Monday, April 09, 2007
Secondly, a press release today stated that ProtechT was acquired by Integralis. Integralis CEO stated:
With this acquisition, Integralis’ portfolio will be expanded by ProtechT’s extensive knowledge in identity management and its expertise in multi-modal biometric and smart cards.
According to ProtechT's website, it also seems like a general security company. In fact, it is self-described as an "Information Technology Security" company. Nonetheless, the acquiring company's reasoning for the acquisition was identity, according to the quote above. These two acquisitions add to Sun's Neogent acquisition from last year, as well as Novacoast's eNvision acquisition, and Secured Services, Inc.'s acquisition of Cybrix Corporation's Identity Management PS team. Perhaps this is an indication of further maturation in the Identity Management M&A game?
Thursday, March 29, 2007
So I'm going to list all the components of people's reluctance to start startups, and explain which are real. Then would-be founders can use this as a checklist to examine their own feelings.
He also gives feedback from their first investments back in the summer of 05. Out of 8, 4 were successful - and all that in under 2 years! Not bad.
Tuesday, February 27, 2007
OK...so what's the next logical step for Mr. Reid?!
Of course...sue Halliburton! And not for the obvious reasons Halliburton should be sued...but because their Identity Management system is based on it. Pretty interesting logic there, Bill! Using that logic, you could sue almost every company out there...go sue GM and Charles Schwab while you're at it. Too late...he already did.
The most bizarre aspect of the story is that he got the 'tip' from Catalyst!
In an interview, Reid, who says he worked on artificial intelligence for IBM from 2000 to 2002, says he determined that GM, Schwab, and Halliburton were violating his patent after visiting a trade show. Reid says he watched presentations by IT officials from the companies while attending the Burton Group's Catalyst conference.
There's nothing quite like a disgruntled, clueless IBM scientist. (No offense to the happy IBM scientists out there.)
Monday, February 26, 2007
Earlier this month, Oracle announced that it would hand over the Identity Governance Framework (IGF) to Liberty Alliance. IGF is an interesting framework that is composed of CARML, AAPML, an API and an identity attribute service. This is the very high level of what I understand...
CARML (Client Attribute Requirements Markup Language) is an XML-style document that a developer would write to let others know about the 'data needs' of their app, for example, "my app needs attributes A, B and C". (A good use of a CARML doc is for identity services, which can tell apps what info they could give them.)
AAPML (Attribute Authority Policy Markup Language), on the other hand, is a document that goes with the data sources. These data sources can place constraints on how their data is to be used. It's a profile of XACML 2.0, and can be used by a policy enforcement point (PEP) to do its job (although it has the added feature of requiring the PEP to check whether user consent has been obtained).
IGF also comes with specs for a client API.
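The division of labour described above, sketched as an added example that is not part of the original post or of the IGF specifications: the application's declared needs stand in for a CARML document, the per-attribute source rules stand in for AAPML, and `enforce` plays the PEP, including the consent check. It models the idea in plain Python rather than real CARML/AAPML/XACML syntax, and every class, field and sample value is hypothetical.

```python
from typing import NamedTuple

# Conceptual model only: real CARML and AAPML are XML documents, and none of
# the names below come from the IGF specifications (all are hypothetical).

class AttributeNeeds(NamedTuple):
    """CARML's job: the application declares which attributes it needs."""
    app: str
    attributes: frozenset

class SourceRule(NamedTuple):
    """AAPML's job: the data source constrains use of one attribute."""
    allowed_apps: frozenset
    consent_required: bool = False

def enforce(needs, policy, record, consents):
    """PEP: release only declared attributes that the source policy permits.

    Returns (released, denied); denied maps attribute -> reason.
    """
    released, denied = {}, {}
    for attr in sorted(needs.attributes):
        rule = policy.get(attr)
        if rule is None:
            denied[attr] = "no policy, default deny"
        elif needs.app not in rule.allowed_apps:
            denied[attr] = "app not permitted"
        elif rule.consent_required and attr not in consents:
            denied[attr] = "user consent missing"
        elif attr not in record:
            denied[attr] = "attribute not held"
        else:
            released[attr] = record[attr]
    return released, denied

# Constructed sample data.
POLICY = {
    "mail": SourceRule(frozenset({"benefits", "hr-portal"})),
    "birthdate": SourceRule(frozenset({"benefits"}), consent_required=True),
    "displayName": SourceRule(frozenset({"hr-portal"})),
}
RECORD = {"mail": "tina@example.com", "birthdate": "1980-01-01",
          "displayName": "Tina", "nationalId": "000-00-0000"}
NEEDS = AttributeNeeds("benefits", frozenset({"mail", "birthdate", "salary"}))

if __name__ == "__main__":
    for consents in (set(), {"birthdate"}):
        print(enforce(NEEDS, POLICY, RECORD, consents))
```

Attributes the application never declared (`nationalId`, `displayName`) are not released even though the source holds them, which is the data-minimisation effect of having the declaration and the policy meet at the PEP.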
What was really cool is the industry's appreciation of Oracle's move:
"We're very pleased to see that Oracle has submitted the Identity Governance Framework to the Liberty Alliance," said Don Bowen, director of Identity Integration for Sun Microsystems, Inc. "Sun believes Liberty is well suited because of its business and technical experts from all verticals, including government. Its work in the area of data privacy is not only valuable, but essential."
— Sun Microsystems, Inc., Don Bowen, director of Identity Integration
"Novell welcomes Oracle's contribution to the Liberty Alliance. We continue to look forward to working with Oracle and the other leaders in the identity management market in the development of an open identity framework."
— Novell, Inc., Nikols, vice president, Product Management Identity and Security
"CA is supporting the Identity Governance Framework to help customers more easily protect personal data across their disparate systems and applications," said Andy Rappaport, Architect, Identity and Access Management at CA. "We look forward to working with the Liberty Alliance, Oracle and others to develop practical, adaptable XML-based specifications that simplify the creation, enforcement and management of identity security policies."
— CA, Andy Rappaport, Architect, Identity and Access
It's great when everyone can play nice.
Wednesday, February 21, 2007
Monday, February 19, 2007
Wednesday, February 14, 2007
Saturday, February 10, 2007
Saturday, January 13, 2007
17 Pithy Insights For Startup Founders
- Seek transparency and understanding with your partners early. Issues get harder as time passes
- Startup founders work long hours for a reason. There’s more work than there are people. If you’re seeking balance, seek it elsewhere.
- Bad customers will drain you of passion. Really bad customers will drain you of both passion and profits. Unfortunately, most bad customers will degenerate into really bad customers if you don’t do something about it.
- If you’re changing direction often, worry a little. If you’re changing people often, worry a lot.
- It’s lonely at the top, but even lonelier at the bottom. In the early days of a startup, hardly anyone wants to talk to you (except some desperate vendors).
- Eventually, your product will need to work and do something useful. No amount of marketing or strategy will get you around this.
- At the end of each day, ask yourself: “Did the product get better for customers today?”. If you don’t have a good answer, stay up until you do.
- Until you are profitable, time is working against you. Once you are profitable, time is on your side.
- Learn to take calculated risks. The market rarely rewards safe bets.
- To improve the quality of your output, improve the quality of your inputs. Read, converse and connect with the right people.
- Force yourself to write, as it will force you to think.
- At least once every year or so, your startup will almost die.
- The problem you solve should be ugly. The solution you build should be beautiful.
- Even the most successful startup ideas had 100 reasons not to pursue them. There is no perfect idea.
- If the pain doesn’t kill you, it just hurts a lot.
- You choose your destiny, because you choose your team.
- Be who you are. Do what you love. Join people you like.
Tuesday, January 09, 2007
The first place to start is what role management is all about. Using the latest technical jargon, a role is a grouping of things that need privileges to do stuff to other things. So it follows that role management is the management of what I just said. The main driver is usually access management, hence the term RBAC (role-based access control). The idea is that it's easier to manage roles than individual privileges. (Of course, compliance is a driver as well.) Sometimes that doesn't work out as planned. It's not unheard of for clients to complain that they ended up with more roles than people in their organization, which sort of defeats the purpose, especially if your role memberships are only people.
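A quick audit for the "more roles than people" symptom, as an added example that is not from the original post: it compares role count to head count and flags the usual causes, namely roles with one or zero members and roles whose privilege sets are identical. The input layout, role names and privilege strings are constructed for illustration.

```python
from collections import defaultdict

def audit_roles(roles, people):
    """roles: {name: {"members": set, "privileges": set}}; people: set of users."""
    by_privileges = defaultdict(list)
    for name in sorted(roles):
        by_privileges[frozenset(roles[name]["privileges"])].append(name)
    return {
        "roles": len(roles),
        "people": len(people),
        "more_roles_than_people": len(roles) > len(people),
        # A role with one member is an individual grant wearing a role's name.
        "single_member_roles": sorted(
            n for n, r in roles.items() if len(r["members"]) == 1),
        # Empty roles still carry privileges and get re-used without review.
        "empty_roles": sorted(n for n, r in roles.items() if not r["members"]),
        # Same privileges under different names: candidates for merging.
        "identical_privilege_sets": [
            names for names in by_privileges.values() if len(names) > 1],
    }

# Constructed sample: four people, six roles.
PEOPLE = {"alice", "bob", "carol", "dave"}
CLERK = {"erp:invoice.read", "erp:invoice.create"}
ROLES = {
    "ap-clerk":       {"members": {"alice", "bob"}, "privileges": CLERK},
    "ap-clerk-alice": {"members": {"alice"},
                       "privileges": CLERK | {"erp:invoice.approve"}},
    "ap-clerk-temp":  {"members": {"bob"}, "privileges": CLERK},
    "hr-admin":       {"members": {"carol"}, "privileges": {"hr:record.write"}},
    "hr-admin-2006":  {"members": set(), "privileges": {"hr:record.write"}},
    "helpdesk":       {"members": {"carol", "dave"},
                       "privileges": {"ad:password.reset"}},
}

if __name__ == "__main__":
    for key, value in audit_roles(ROLES, PEOPLE).items():
        print(f"{key}: {value}")
```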
So the next post: typical product features in a role management app.
Friday, January 05, 2007
And find out why it's important.
Then work your way to the Business Model Template.
Then use it to make your very own.
Now the last and final step. Execute.
Wednesday, January 03, 2007
"First, many folks in the IDM space don't really understand how to create use-cases because it is not a traditional business-oriented scenario.
Second, the importance of getting a PM has to be not on internal nor external but someone who has walked the path before. This is pretty difficult to find even amongst the vendors themselves."
Focusing on his first point, I'd have to agree: use cases really come from the software engineering world (I believe they originated with one of the three amigos, Jacobson). Wikipedia has a terse description of what a Use Case is:
In software engineering, a use case is a technique for capturing the potential requirements of a new system or software change. Each use case provides one or more scenarios that convey how the system should interact with the end user or another system to achieve a specific business goal. Use cases typically avoid technical jargon, preferring instead the language of the end user or domain expert. Use cases are often co-authored by software developers and end users.
In my opinion, the software engineering world has a lot to offer the identity integration world. Software engineers (and I use that term broadly) typically have a lot more interaction with business users than back-end integration folks. Figuring out how to efficiently produce software that the client wants/needs has been at the center of decades of discussions surrounding dev processes and methodologies. The integration community, on the other hand, is usually less focused on customer satisfaction, and more on making processes work efficiently and reliably. With the advent of identity integrations, the level of interaction with business development users has increased significantly. Many steps within the process of integrating an identity platform necessitate interaction with business users, such as mapping business processes and ultimately optimizing them (and the various touch points end users will have with them, for example in provisioning workflow), as well as user interaction with password management systems, ESSO, etc. I do agree that some components of an identity platform may be invisible to the user, but typically the user will have at least indirect contact with them. (For example, in a metadirectory solution, a self-help name change in an HR data repository might result in a displayname change in their e-mail address or the name that appears on a phone handset.)
Identity integrators usually come over from sysadmin-type backgrounds, and (even those who have done an identity implementation or two) might not have the disciplines a software engineer would have in delivering a solution that the client is pleased with. (Even worse, many PMs for identity projects that I've met don't seem to have much PM experience to begin with, or might be a sysadmin who successfully ran an Exchange upgrade.) The result is what Mark Dixon described as the seven deadly risks, outlined below:
* Poor Pre-Project Preparation
* Poor Requirements Definition
* Large Initial Scope
* Inexperienced Resources
* Poor Project Methodology
* Scope Creep
* Not Using Available Support
The solution might lie in borrowing software engineering processes that would be helpful in initial preparation and scoping of an identity project, as well as ensuring that an iterative process results in happy business users.
To be continued...
Monday, January 01, 2007
Jackson's blog is self-described below:
Jackson's comments, commiserations, confabulations and simplifications on identity management and Microsoft's Active Directory all based on his continuous "reality tour" of meetings with customers, ISVs and Microsoft.
Ok...so what does commiseration mean?
Definitions of commiseration on the Web:
Got it. Regardless, I think Jackson will have some pretty insightful blog entries regarding the identity topic. Go check him out here.