<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-13465455</id><updated>2011-10-02T08:01:25.926-04:00</updated><category term='managed identity services'/><category term='provisioning'/><category term='bpm'/><category term='identity management'/><category term='Sympified'/><category term='saas provisioning'/><category term='open source'/><category term='rapid identity management'/><category term='Haliburton'/><category term='Paul Graham'/><category term='hspd-12'/><category term='identity management open source provisioning'/><category term='identity management processes'/><category term='phil windley'/><category term='William Reid'/><category term='ping federation identity management services department of jusice'/><category term='ian yip'/><category term='kpmg'/><category term='sun'/><category term='identity management open source provisioning velo'/><category term='business process'/><category term='didw'/><category term='acquisition'/><category term='wam'/><category term='federation identity management'/><category term='openid screencast demo simon willison infocards'/><category term='kundra'/><category term='identity management novell'/><category term='kerberos primer'/><category term='onstartups.com dharmesh shah advice it startups entrepreneurs'/><category term='idaas'/><category term='Identity Management Projects'/><category term='cloud'/><category term='gartner identity management courion sun'/><category term='identity management workshop'/><category term='oracle'/><category term='identity as a service'/><category term='identity management role management vaau sun courion bridgestream eurekify'/><category 
term='spml'/><category term='hipaa'/><category term='jamie lewis keynote'/><category term='patent'/><category term='saas'/><category term='identity management bmc courion novell oracle'/><category term='iterations'/><category term='idm services'/><category term='identity management project failure'/><category term='google'/><category term='oracle igf liberty ca sun novell'/><category term='ESSO'/><category term='business model alex osterwalder'/><category term='jetblue ceo'/><category term='identity management poc'/><category term='kathy sierra words of wisdom zone of mediocrity'/><category term='identity management project management'/><category term='attestation'/><category term='deprovisioning'/><category term='managed services'/><category term='sharepoint'/><category term='fischer international'/><category term='identity management roadmap'/><category term='ibm'/><category term='bhold'/><category term='sushi'/><category term='healthcare sun identity management federation'/><category term='self-service'/><category term='identity management kim cameron'/><category term='iphone verizon seidenberg'/><category term='jonathan schwartz'/><category term='Integralis'/><category term='identity management consulting'/><category term='startup advice'/><category term='Identropy'/><category term='angel investors ceg funding'/><category term='t-mobile ameo smartphone'/><category term='digital id world'/><category term='Y Combinator'/><category term='context management'/><category term='financial crisis'/><category term='policy development'/><category term='poc'/><category term='novell'/><category term='symplified'/><category term='financial model'/><category term='Protecht'/><category term='web access management'/><category term='identity management Neuenschwander burton mycroft'/><category term='jackson shaw identity management quest'/><category term='identity management services market'/><category term='anonymity'/><category term='courion'/><category 
term='healthcare'/><category term='virtual directory'/><category term='identity management use cases project management'/><category term='metadirectory'/><category term='re-engineering processes'/><category term='AD'/><category term='identity management marketing'/><category term='repealing sox'/><title type='text'>Ash's Identity Management Rantings</title><subtitle type='html'>Identity Management, Access Management</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default?start-index=101&amp;max-results=100'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>124</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-13465455.post-5112586946040050583</id><published>2010-08-22T17:32:00.004-04:00</published><updated>2010-08-22T17:43:08.383-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='spml'/><title type='text'>Regarding a Potential Way Forward for SPML</title><content type='html'>&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;Some of you might have followed the conversation in the blogosphere 
regarding SPML a few months back.  If interested, get up to speed by reading the posts below:&lt;/span&gt;&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="line-height: 18px; "&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;- Mark Diodati, Burton Group: &lt;/span&gt;&lt;/span&gt;&lt;a href="http://identityblog.burtongroup.com/bgidps/2010/02/spml-is-on-life-support-.html" target="_blank"&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span"  style="color:#000000;"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;SPML Is On Life Support&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;- Ingrid Melve, Feide: &lt;/span&gt;&lt;/span&gt;&lt;a href="http://identitynetworks.wordpress.com/2010/02/11/provisioning-will-spml-emerge/" target="_blank"&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span"  style="color:#000000;"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;Provisioning, Will SPML emerge?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;- Nishant Kaushik: &lt;/span&gt;&lt;/span&gt;&lt;a href="http://blog.talkingidentity.com/2010/02/spml-under-the-spotlight-again.html" target="_blank"&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span"  style="color:#000000;"&gt;&lt;span class="Apple-style-span" style="font-size: 
small;"&gt;Oracle: SPML Under The Spotlight Again?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;- Jeff Bohren, Identity guru: &lt;/span&gt;&lt;/span&gt;&lt;a href="http://idlogger.wordpress.com/2010/02/12/whither-spml-or-wither-spml/" target="_blank"&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span"  style="color:#000000;"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;Whither SPML or Wither SPML?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;- Jackson Shaw, Quest: &lt;/span&gt;&lt;/span&gt;&lt;a href="http://jacksonshaw.blogspot.com/2010/02/spml-not-dead-yet.html"&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span"  style="color:#000000;"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;SPML - Not Dead Yet!&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;Last month, I had the opportunity to join a discussion with some really smart folks regarding the future of the SPML standard at the SPML SIG (Special Interest Group) at the Burton Group in San Diego.  Anyhow, Mark Diodati led the session and recently published some of the conversation points discussed at the SIG.  
Take a look &lt;/span&gt;&lt;a href="http://blogs.gartner.com/mark-diodati/2010/08/20/consensus-on-the-future-of-standards-based-provisioning-and-spml"&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;here&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-size: small;"&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-5112586946040050583?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/5112586946040050583/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=5112586946040050583' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/5112586946040050583'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/5112586946040050583'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2010/08/regarding-potential-way-forward-for.html' title='Regarding a Potential Way Forward for SPML'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-3172042599280477842</id><published>2010-07-18T22:21:00.003-04:00</published><updated>2010-07-18T22:41:53.052-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management project failure'/><title type='text'>IAM Failures...Product or Services?</title><content type='html'>Jackson Shaw put up a 
few interesting posts last week regarding IAM Project Failures.    The &lt;a href="http://jacksonshaw.blogspot.com/2010/07/i-have-nothing-to-show-after-spending.html"&gt;first&lt;/a&gt; was a company that sank $7M into an IAM Initiative that never took off.  The &lt;a href="http://jacksonshaw.blogspot.com/2010/07/iam-exam-results-so-far-9.html"&gt;second&lt;/a&gt; was an informal survey of 9 IAM projects (6 used Sun, 3 used Novell).  Jackson concludes:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;This was a great illustration to me of how far our little industry segment needs to improve. None of these customers were trying to do anything fancy. They had fancy plans originally but they were failing on basic provisioning or password management and were never able to progress further. It also further reinforced my view that there’s a great opportunity for a solution that doesn’t require a couple of busloads of consultants to get it (and keep it) running. A solution that delivers immediate value. A solution that customers are happy to have. A solution that is my dream&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;The question that I'd like to pose is, where does the cause of the failure lie? Is it a lack of IAM product capabilities or IAM services?&lt;br /&gt;&lt;br /&gt;In my take, IAM products have evolved (and continue to evolve) quite rapidly.  Due to my profession, I am present when customers are shown IAM products from vendors and even when they get to test-drive them.  Some of the stuff out there now is downright impressive...from visual drag-n-drop workflow capabilities to wizard-like setup of connectors, all in all, the innovation I've seen on the product side is impressive.  Furthermore, most IAM project failures that I've seen occur are rarely due to the lack of a product feature.&lt;br /&gt;&lt;br /&gt;I think the problem lies in the services side of the IAM house.  
I suppose that statement is a confession of sorts, since that's the industry I've lived in for the past however long.  Anyhow, the IAM services game is anything but impressive. To pull from one of Brad Feld's quotes, IAM services companies typically win deals because 'they suck less' than the next guy.  Definitely nothing to be proud of!  The services models are pretty much stagnant with limited innovation over the past decade.   Every consulting firm has roughly the same implementation model (discovery, design, implement, test, blah blah blah).  Replace those words using a thesaurus and you have the next System Integrator's methodology.  That's why I believe there needs to be a &lt;a href="http://www.identropy.com/blog/bid/29428/Approaches-to-IDaaS-for-Enterprise-Identity-Management"&gt;shift in the IAM services paradigm&lt;/a&gt;.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;What's your take? What's the culprit? IAM Product or Services?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-3172042599280477842?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/3172042599280477842/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=3172042599280477842' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/3172042599280477842'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/3172042599280477842'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2010/07/iam-failuresproduct-or-services.html' title='IAM Failures...Product or Services?'/><author><name>Ashraf 
Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-8262709094208293779</id><published>2010-04-14T06:45:00.004-04:00</published><updated>2010-04-14T06:50:30.581-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='deprovisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='policy development'/><title type='text'>On Developing a Deprovisioning Policy</title><content type='html'>An interesting discussion emerged out of a &lt;a href="http://identropy.com/blog/bid/31993/3-Insights-on-Developing-a-Deprovisioning-Policy"&gt;blog entry&lt;/a&gt; over at the Identropy blog on developing a Deprovisioning Policy.&lt;br /&gt;&lt;br /&gt;I've reproduced both the contents of the blog and the comments section (which is probably more interesting than the article) below. Enjoy!&lt;br /&gt;&lt;br /&gt;----&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Identity Management technology can be tricky.  But in most instances,  it's not the technology that trips up an implementation. It's the  policy development (or lack thereof) that causes the heartache.&lt;/p&gt;&lt;h4&gt;&lt;img src="http://identropy.com/Portals/40850/images/you_re_fired.jpg" mce_src="/Portals/40850/images/you_re_fired.jpg" alt="" title="" align="right" border="0" height="274" hspace="" vspace="" width="262" /&gt;&lt;/h4&gt;  &lt;p&gt;Deprovisioning Policy is typically more complex than a simple policy   that states that when HR says a person is terminated, the identity  system terminates the user's access to all systems. Here are a few  things to consider when developing your Deprovisioning Policy. &lt;/p&gt;&lt;h4&gt;1.  
Deprovisioning Policy (Technical View)&lt;/h4&gt;  &lt;p&gt;The technical view of a deprovisioning policy is concerned with what  the identity system should do once we know that the user should be  deprovisioned for each target system.&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Should the user's  account be hard deleted or just disabled?&lt;/li&gt;&lt;li&gt;If disabled, how is  that done? (Move the AD account to a disabled users OU, place the row  into an archive table, etc.)&lt;/li&gt;&lt;li&gt;How long should disabled users be  kept in the system?  &lt;/li&gt;&lt;li&gt;What should happen to the person's shares,  mailbox, etc.?&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt; &lt;h4&gt;2. Deprovisioning Policy (Business Process View)&lt;/h4&gt;&lt;p&gt;The business  process view of a deprovisioning policy addresses the states that  should trigger a deprovisioning action. Here are a few questions to ask  your policy team:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;How do we calculate the actual last day a  person should have access? Is  there an effective date that can be  used?  Is HR using that field properly?&lt;br /&gt;&lt;/li&gt;&lt;li&gt;How should 'leaves  of absence' be handled?&lt;/li&gt;&lt;li&gt;What should happen if a person wants to  use his/her vacation days directly before retirement?  What if the  person may still provide off-site help during this time period and  therefore needs access? &lt;/li&gt;&lt;li&gt;How should sabbaticals be handled?&lt;/li&gt;&lt;li&gt;Should  a user's current access be terminated in a department transfer?  What  if they still need their old access for some time?&lt;br /&gt;&lt;/li&gt;&lt;li&gt;How  should unused sick days be taken into consideration?&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;3.  Take Compliance Policy into Consideration&lt;/h4&gt;&lt;p&gt;Besides the business  process view of the policy, sometimes existing regulatory compliance  rules may have an adverse impact on an otherwise sensible policy.  
For  example, definitions of 'termination', 'employee job role change' and  'leave of absence' will directly impact the overall policy and should be  taken into consideration.  &lt;/p&gt;By thinking through these issues, an  effective Deprovisioning Policy can be put together prior to  implementing an IAM solution.&lt;br /&gt;&lt;br /&gt;----&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Comments:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Hi Ash, my suggestion (as always with IAM-related decisions) is to start from the business view and try to stay  away from the temptation to start analyzing the event from a technical  standpoint. &lt;br /&gt; &lt;br /&gt;Using business as a starting point can be very  helpful, for example, in fragmented, complex or very dynamic environments  where it could be very hard to find a common agreement on the right  behavior to follow and where, probably, it can also give you a  longer-term solution. &lt;br /&gt; &lt;br /&gt;What do you think? &lt;br /&gt; &lt;div class="comment-info"&gt;Posted @ Tuesday, April 13, 2010 7:10 AM               by &lt;a href="http://www.mayeronline.it/www/archives/category/identity-and-access-management/" rel="nofollow"&gt;Luca&lt;/a&gt;                          &lt;/div&gt; &lt;!-- END div.comment --&gt;&lt;div class="comment-body"&gt;     &lt;a name="comment57680"&gt;&lt;/a&gt;      Hi Luca, &lt;br /&gt; &lt;br /&gt;Interesting point.  &lt;br /&gt; &lt;br /&gt;From a policy  standpoint, both sides (biz process view and tech view) have to be  defined.  And although the business process view (i.e. defining the  states of the user that should trigger a decommissioning of the user's  access) is critical, the policy would simply be incomplete without the  tech view. &lt;br /&gt; &lt;br /&gt;From a dependency standpoint, I really don't see  that one piece of this is dependent on the other...(although I'm still  thinking through it).  It's almost as if both sides of the policy can be  developed independently.  
&lt;br /&gt; &lt;br /&gt;Thoughts?  &lt;div class="comment-info"&gt;Posted @ Tuesday, April 13, 2010 11:13 AM               by Ash Motiwala                          &lt;/div&gt; &lt;/div&gt;&lt;!-- END div.comment --&gt;&lt;div class="comment-body"&gt;     &lt;a name="comment57708"&gt;&lt;/a&gt;      Ash, for sure both sides (biz process view and tech view) have to be  defined. My suggestion is to avoid developing them independently and,  where possible, to start from the business view and requirements and  understand how those requirements can be fulfilled from the technical  standpoint.  &lt;br /&gt; &lt;br /&gt;My idea is based on two main assumptions: &lt;br /&gt;  &lt;br /&gt;1) Technology should support business and so we should start from  it and try to define the most suitable tech solution. So, is it possible  to keep them independent?  &lt;br /&gt; &lt;br /&gt;2) Deriving the technical view from  the business view allows us to have more stable policies because in my (very   very short) experience I’ve seen more stability on the business  requirement than on the technical one. The technical side of policies  could be more fragmented, detailed and sometimes system dependent and  for this reason more subject to modifications when changes happen in the  technical infrastructure (mergers, new systems, etc.). In my opinion,  this approach allows us to keep the business view and most of the  decisions related to the tech view unchanged. &lt;br /&gt; &lt;br /&gt;Are, in your opinion, my  assumptions valid? 
&lt;br /&gt; &lt;div class="comment-info"&gt;Posted @ Wednesday, April 14, 2010 2:47 AM               by &lt;a href="http://www.mayeronline.it/www/archives/category/identity-and-access-management/" rel="nofollow"&gt;Luca&lt;/a&gt;                          &lt;/div&gt; &lt;/div&gt;&lt;!-- END div.comment --&gt;&lt;div class="comment-body"&gt;     &lt;a name="comment57713"&gt;&lt;/a&gt;      Hi Luca, &lt;br /&gt; &lt;br /&gt;I'd agree in general that business process  development should happen before technical analysis, (as I've mentioned  in other articles &lt;a href="http://www.identropy.com/blog/bid/9217/Identity-Management-Workshop-Critical-Ingredients"&gt;here&lt;/a&gt;). &lt;br /&gt; &lt;br /&gt;In order to think through this, I posed myself the  following: should the following 2 questions (1 business process  oriented, the other technically oriented - as defined in the article) be  answered in a specific order? &lt;br /&gt; &lt;br /&gt;1. Should a leave of absence  translate to termination of access? &lt;br /&gt;2. What should happen to a  person's shared folder contents once terminated? &lt;br /&gt; &lt;br /&gt;Thinking  through this, the 1st question should be posed to the business process  owner - whose answer will provide context to the technical owner to  answer his part of the question...since a leave of absence (as a state)  will probably have a direct impact on how long to hold on to a person's  mailbox or shares.  And will probably have a different impact on a  person who was terminated for cause. &lt;br /&gt; &lt;br /&gt;So yes...I agree. Thanks  for the insight, Luca!  
&lt;div class="comment-info"&gt;Posted @ Wednesday, April 14, 2010 5:42 AM               by Ash Motiwala                          &lt;/div&gt; &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-8262709094208293779?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/8262709094208293779/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=8262709094208293779' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/8262709094208293779'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/8262709094208293779'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2010/04/on-developing-deprovisoining-policy.html' title='On Developing a Deprovisioning Policy'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-3597113665494025646</id><published>2010-02-26T11:39:00.003-05:00</published><updated>2010-02-26T11:46:56.981-05:00</updated><title type='text'>Sorry MIIS, It's Not You, It's Me</title><content type='html'>Here's some geek humor.  A buddy of mine sent me an old email correspondence I had with him back in 2006 (back when ILM, I mean FIM, was MIIS). 
I was doing my best to get him going on the training path on the product, and this is what he wrote me after doing MIIS dirty:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Now if you'll excuse me I have to go speak to MIIS.  I think it's mad at  me cuz I haven't touched it for so long (it's starting to feel that I  think it's ugly).  It's my fault actually, I met someone named Tivoli at  a party and we really hit it off.  You know when you have that  connection instantly?  Anyway, since then MIIS and I haven't been  speaking much outside of the daily niceties a couple stuck in a rut  routinely exchange.  Both of us know it's a facade, but we maintain it,  almost mockingly, for the sake of the little Management Agents we have  running around.  To make them Disconnectors now, would be devastating to  business continuity. &lt;/blockquote&gt;As a side note, he still doesn't know MIIS/ILM/FIM.  "If-you-don't-know-me-by-now..." :)&lt;br /&gt;&lt;span style="color:#888888;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-3597113665494025646?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/3597113665494025646/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=3597113665494025646' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/3597113665494025646'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/3597113665494025646'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2010/02/sorry-miis-its-not-you-its-me.html' title='Sorry MIIS, It&apos;s Not You, It&apos;s Me'/><author><name>Ashraf 
Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-6525900898007668166</id><published>2010-01-11T14:20:00.003-05:00</published><updated>2010-01-11T14:27:30.374-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management roadmap'/><title type='text'>Series on Developing an Identity Management Roadmap</title><content type='html'>I've recently been involved in putting together a &lt;a href="http://www.identropy.com/blog/?Tag=Identity+Management+Roadmap"&gt;blog series&lt;/a&gt; on developing an Identity Management roadmap.  It's a 3 part series over at the &lt;a href="http://www.identropy.com/blog"&gt;Identropy blog&lt;/a&gt;. Part 3 is a bit long for my taste, but has a lot of great content I'm sure you'll benefit from if you are involved in identity management strategy development for an organization.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.identropy.com/blog/bid/28635/On-Developing-an-Identity-Management-Roadmap-Part-I"&gt;Part 1&lt;/a&gt; is an intro to what an identity management roadmap is, who needs one, who doesn't and why.&lt;br /&gt;&lt;a href="http://www.identropy.com/blog/bid/28945/On-Developing-an-Identity-Management-Roadmap-Part-II"&gt;Part 2&lt;/a&gt; is about the prerequisites to developing a roadmap.&lt;br /&gt;&lt;a href="http://www.identropy.com/blog/bid/29576/On-Developing-an-Identity-Management-Roadmap-Part-III"&gt;Part 3&lt;/a&gt; is the meat &amp;amp; potatoes of how to develop one.&lt;br /&gt;&lt;br /&gt;We've left some room for input and discussion. 
Chime in!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-6525900898007668166?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/6525900898007668166/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=6525900898007668166' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/6525900898007668166'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/6525900898007668166'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2010/01/series-on-developing-identity.html' title='Series on Developing an Identity Management Roadmap'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-5606082386123585538</id><published>2009-11-12T21:15:00.004-05:00</published><updated>2009-11-12T22:15:36.163-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='federation identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='fischer international'/><category scheme='http://www.blogger.com/atom/ns#' term='managed identity services'/><title type='text'>Man*ged *dentity Serv*ces, Trademarked!</title><content type='html'>&lt;span style="color: rgb(0, 0, 0);"&gt;I received the following email today from our friends at &lt;a href="http://www.fischerinternational.com/"&gt;Fischer&lt;/a&gt;:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;p style="color: 
rgb(0, 0, 0);" class="MsoNormal"&gt;&lt;u&gt;&lt;span style="font-size:10pt;"&gt;&lt;a href="http://identityman.blogspot.com/2009/01/another-entry-into-idm-managed-services.html" target="_blank"&gt;&lt;/a&gt;&lt;/span&gt;&lt;/u&gt;&lt;/p&gt;&lt;blockquote  style="color: rgb(0, 0, 0);font-family:courier new;"&gt;&lt;p class="MsoNormal"&gt;&lt;u&gt;&lt;span style="font-size:10pt;"&gt;&lt;a href="http://identityman.blogspot.com/2009/01/another-entry-into-idm-managed-services.html" target="_blank"&gt;http://identityman.blogspot.&lt;wbr&gt;com/2009/01/another-entry-&lt;wbr&gt;into-idm-managed-services.html&lt;/a&gt;&lt;/span&gt;&lt;/u&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt; &lt;span style="font-size:10pt;"&gt;Dear &lt;/span&gt;Ashraf Motiwala,&lt;/p&gt;  We note that one of your recent articles used the phrase "Managed Identity Services"  This phrase is a trademark owned by our company and is also the subject of a U.S. trademark application examined and approved by the U.S. Trademark Office.  When you use the phrase in your articles, please place the "R" superscript after the trademark, and please make a reference in your articles that "Managed Identity Service®" is a trademark owned by Fischer International Identity, LLC.  In addition, you should use the trademark as an adjective, not as a noun.  These steps will help us continue to protect our trademark rights and also allow you to properly refer to it in your various articles.&lt;br /&gt;&lt;br /&gt;Thank you for your support and proper usage of our trademarks.  If you have any questions, please feel free to contact us.&lt;/blockquote&gt;&lt;span style="color: rgb(71, 75, 78);"&gt;&lt;span style="color: rgb(0, 0, 0);"&gt;&lt;br /&gt;I see. It's all about trademarks (and grammar). 
For some reason, I thought it was about innovation and making the (identity) world a better place.&lt;br /&gt;&lt;br /&gt;Anyhow, I wonder if they are going after &lt;a href="http://www.citi.com/transactionservices/home/managed_identity/index.jsp"&gt;Citi&lt;/a&gt;, &lt;a href="http://www.arcot.com/partners/digital_identity/partner_citi.html"&gt;Arcot&lt;/a&gt;, &lt;a href="http://www.business-standard.com/india/news/rs-35-crore-lossculprit/25014/on"&gt;Wipro&lt;/a&gt;, and &lt;a href="http://www-935.ibm.com/services/us/index.wss/offering/iss/a1030826"&gt;IBM&lt;/a&gt;.  Wait, they barked at my &lt;span style="font-style: italic;"&gt;blog&lt;/span&gt;...so I wonder if they also went after &lt;a href="http://blog.ianyip.com/2008/09/managed-identity-services-survey_19.html"&gt;Ian Yip&lt;/a&gt;, &lt;a href="http://www.kuppingercole.com/articles/fg_covisint_290908"&gt;Felix Gaehtgens&lt;/a&gt;, &lt;a href="http://360tek.blogspot.com/2008/10/ians-managed-identity-services-survey.html"&gt;Matt Flynn&lt;/a&gt;, &lt;a href="http://blog.talkingidentity.com/tag/managed-identity-services"&gt;Nishant Kaushik&lt;/a&gt; and &lt;a href="http://blogs.forrester.com/srm/2007/08/are-we-ready-fo.html"&gt;Jonathan Penn&lt;/a&gt;.  Anyone else get an email? Or should I feel honored that they are singling me out because of the 6 readers who read my blog?&lt;br /&gt;&lt;br /&gt;C'mon Fischer, you guys should really let the trademark go.  The term belongs to the industry.  
Remember, trademarks don't buy marketshare.&lt;/span&gt;&lt;/span&gt;&lt;span style="color: rgb(71, 75, 78);"&gt;&lt;br /&gt;&lt;br /&gt;  &lt;/span&gt;&lt;span style=";font-family:&amp;quot;;font-size:10pt;"  &gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-5606082386123585538?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/5606082386123585538/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=5606082386123585538' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/5606082386123585538'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/5606082386123585538'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2009/11/manged-dentity-servces-copyrighted.html' title='Man*ged *dentity Serv*ces, Trademarked!'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-8399078279972144546</id><published>2009-09-02T01:29:00.004-04:00</published><updated>2009-09-02T11:21:23.719-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='idaas'/><category scheme='http://www.blogger.com/atom/ns#' term='identity as a service'/><category scheme='http://www.blogger.com/atom/ns#' term='cloud'/><category scheme='http://www.blogger.com/atom/ns#' term='saas'/><category scheme='http://www.blogger.com/atom/ns#' 
term='identity management'/><title type='text'>Identity Services, SaaS, and Another Matt</title><content type='html'>&lt;a href="http://community.ca.com/members/Matthew-Gardiner.aspx"&gt;Matt Gardiner&lt;/a&gt; over at the CA blog makes &lt;a href="http://community.ca.com/blogs/iam/archive/2009/08/31/can-identity-services-be-provided-via-saas.aspx"&gt;some interesting points&lt;/a&gt; regarding identity services and SaaS.  (I'm a new reader of Matt's blog, and want to personally thank him for adding yet &lt;a href="http://360tek.blogspot.com/"&gt;another Matt&lt;/a&gt; to the &lt;a href="http://idm-thoughtplace.blogspot.com/"&gt;list&lt;/a&gt; of &lt;a href="http://mathamlin.com/speak/"&gt;identity bloggers&lt;/a&gt; I have to keep up with. What's up with identity bloggers and the name 'Matt' anyhoo?)&lt;br /&gt;&lt;br /&gt;Matt questions the value/feasibility of providing identity services in a Software-as-a-Service format, since there's a difference between apps and infrastructure.  Infrastructure, he argues, must be "appropriately integrated into the enterprise premises and processes".  He continues to argue that identity services in a SaaS format can't ignore on-premise apps in favor of identities in the cloud, and mentions the traditional concerns around "outsourcing" compliance and security.&lt;br /&gt;&lt;br /&gt;Ironically, I had an interesting conversation just yesterday with an industry colleague regarding the exact issues mentioned by Matt, where he presented some new emerging paradigms in the 'Identity as a Service' world, including what he dubbed "Enterprise Looking In" and "Enterprise Looking Out" (more on this in future posts).  Here are a few questions/direction for the conversation (more questions than direction)...&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Let's nail down the definition of 'identity services'.  If not for the industry at large, at least for this conversation at hand.  
In my opinion, a lot hinges on that.&lt;/li&gt;&lt;li&gt;Is the notion of 'Identity Services' in a SaaS format an either-or paradigm for on- and off-premise apps?  &lt;/li&gt;&lt;li&gt;Can &lt;a href="http://www.identropy.com/Products/ic2"&gt;technology&lt;/a&gt; help blur the internal vs. external line?  Does this lead to a new category of infrastructure?&lt;/li&gt;&lt;/ul&gt;Matt does acknowledge that he sees the opportunity for some areas of identity to be outsourced. Perhaps this conversation could help clarify what areas in specific...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-8399078279972144546?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/8399078279972144546/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=8399078279972144546' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/8399078279972144546'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/8399078279972144546'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2009/09/identity-services-saas-and-another-matt.html' title='Identity Services, SaaS, and Another Matt'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-9068616834082425723</id><published>2009-06-26T10:24:00.004-04:00</published><updated>2009-06-26T10:36:43.221-04:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='saas provisioning'/><title type='text'>On SaaS Provisioning</title><content type='html'>Jackson Shaw posted &lt;a href="http://jacksonshaw.blogspot.com/2009/06/enterprise-class-saas-provisioning.html"&gt;some of his thoughts&lt;/a&gt; today on enterprise-class SaaS provisioning...&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;"If you consider an SaaS application as "just another application" you will understand that your end-user identities still must be managed in that SaaS application...We have a standard called "&lt;a href="http://en.wikipedia.org/wiki/SPML"&gt;Services Provisioning Markup Language&lt;/a&gt;" (SPML) which was specified to help provision identities via a web service. Does your SaaS vendor support that standard? I'll bet they do not! What do you do then? I've met with hundreds of customers over the years and many are still struggling with provisioning inside the enterprise! Throw in SaaS provisioning - via some hairbrained interface because the vendor doesn't support SPML - and it only adds to the organization's identity management complexity."&lt;/blockquote&gt;&lt;br /&gt;I have to agree. The real pain point here is the connectivity into SaaS apps, and the lack of standards there. Ian had talked about this in a &lt;a href="http://identityblog.burtongroup.com/bgidps/2009/01/down-with-federated-provisioning.html"&gt;previous post&lt;/a&gt;.  Recreating a workflow engine, role management, delegation, etc. in the cloud seems to just create redundancy for these capabilities, especially for organizations that have already dropped a few dollars to deploy an IdM solution on premise.  Why would I drop my existing investment here?  (Perhaps there is a compelling case, but I just don't see it.) I would much rather find a solution that proxies the SPML requests from my existing provisioning solution that handles all the complexities (or "hairbrained interfaces") for the SaaS apps on the backend! 
More on this soon...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-9068616834082425723?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/9068616834082425723/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=9068616834082425723' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/9068616834082425723'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/9068616834082425723'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2009/06/on-saas-provisioning.html' title='On SaaS Provisioning'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-293402547557974289</id><published>2009-05-30T19:02:00.004-04:00</published><updated>2009-05-30T19:06:40.005-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Identity Management Projects'/><title type='text'>DIY: Identity Management Project Scoping Exercise</title><content type='html'>-&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.identropy.com/blog/bid/20250/Identity-Management-Project-Scoping-Part-I"&gt;Identity Management Project Scoping, Part I&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.identropy.com/blog/bid/20593/Identity-Management-Project-Scoping-Part-II"&gt;Identity Management Project Scoping, Part II&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;-&lt;div 
class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-293402547557974289?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/293402547557974289/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=293402547557974289' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/293402547557974289'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/293402547557974289'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2009/05/diy-identity-management-project-scoping.html' title='DIY: Identity Management Project Scoping Exercise'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-7184560131792304720</id><published>2009-04-28T19:45:00.010-04:00</published><updated>2009-04-29T07:26:19.833-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sun'/><category scheme='http://www.blogger.com/atom/ns#' term='acquisition'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='oracle'/><title type='text'>FUD Swings Both Ways</title><content type='html'>Salesmen are an interesting bunch. They have to drink the company kool-aid to enable them to sell with conviction. But what happens when a salesperson starts to waver in that conviction? 
What happens when they start losing their religion? Fear-based selling! Easy peasy!&lt;br /&gt;&lt;br /&gt;Since I noticed that my last post on &lt;a href="http://identityman.blogspot.com/2009/04/story-about-vendor-selection-and-fud.html"&gt;FUD based selling and Vendor Selection&lt;/a&gt; was being used to spread more FUD (with Oracle being the victim this time), I decided to do my part to rid the world of keep-the-client-ignorant tactics and try to put the facts out there. It's interesting how fear always finds a home ("they're too small!" vs "they're too big!")...anyhow, here goes:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;In a &lt;a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1354267,00.html?track=sy160#"&gt;solid article by techtarget&lt;/a&gt;, Jonathan Penn points out that customers have no need to panic today, and that Oracle will have the resources to support both product lines for a while, noting that it has continued to support the ERP products of both PeopleSoft and JD Edwards following its 2005 acquisition of PeopleSoft.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Instead of spreading fear, let's spread facts - namely regarding Oracle's track record with acquisitions.  Siebel hasn't gone away.  Also, Oracle now supports multiple app servers with the BEA acquisition.  (Someone else may want to chime in on this since I'm not an expert, but remember: facts over fear!)&lt;/li&gt;&lt;li&gt;Anecdotal evidence: a casual conversation with a VP at a financial firm uncovered that in the past years, Oracle has acquired nearly all of their major systems, effectively turning them into an Oracle shop.  The result? Fear and mayhem?  Not really.  
In fact, Oracle offered up a free inventory analysis from Oracle Consulting to guide the client to maximize their existing software investment and determine how they might benefit from updates resulting in tighter integration between systems (although the client stated he would have opted for a deal on maintenance).&lt;/li&gt;&lt;/ul&gt;That's my $.02, and I hope it moves the conversation away from fear and closer to the facts.  And although I know I didn't cover all the facts and I welcome folks to chime in with their side, the point should NOT be boutique vs. large vendor, large vs. small, red vs. twitter blue, but simply the product's capabilities to "&lt;a href="http://www.networkworld.com/newsletters/dir/2009/042709id2.html"&gt;scratch your itch&lt;/a&gt;", as Dave Kearns put it.  Remember this, young salesman:  Sell your product, not fear, for FUD is the path to the dark side. FUD leads to anger. Anger leads to hate. Hate leads to suffering.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-7184560131792304720?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/7184560131792304720/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=7184560131792304720' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7184560131792304720'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7184560131792304720'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2009/04/fud-swings-both-ways.html' title='FUD Swings Both Ways'/><author><name>Ashraf 
Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-646196553950435681</id><published>2009-04-21T08:39:00.004-04:00</published><updated>2009-04-21T08:56:38.900-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sun'/><category scheme='http://www.blogger.com/atom/ns#' term='acquisition'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='oracle'/><title type='text'>A Story About Vendor Selection and FUD</title><content type='html'>The shocking (at least to me) story of &lt;a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1354267,00.html?track=sy160"&gt;Oracle acquiring Sun&lt;/a&gt; yesterday made me think about an experience I had helping a client in the vendor selection process late last year.&lt;br /&gt;&lt;br /&gt;The client was seeking an identity solution, and with our help, reduced the vendors to Sun, another large vendor and a small boutique vendor.  After their demos/POCs, the vendor scoring matrix we helped them put together showed that the boutique vendor actually ended up with the highest score.&lt;br /&gt;&lt;br /&gt;After some great FUD work from the sales folk, the client decided to add a new metric in the matrix for &lt;span style="font-style: italic;"&gt;Company Viability&lt;/span&gt;.  All of a sudden, Sun came out on top...and the solution was purchased and implemented.  The whole reason the boutique vendor lost out was because of fear and the likeliness of acquisition or failure, etc. &lt;br /&gt;&lt;br /&gt;A few months later...Sun is on the block, and finally inks a deal.  
Now I'm hearing that the client is worried about the direction of the Sun product line post-acquisition, because of the heavy overlap between the Sun and Oracle product lines.  (And also worried about what Oracle will do to Sun's open source initiatives.)&lt;br /&gt;&lt;br /&gt;Now the smaller vendors are having their say (and they should). Here is an interesting perspective from a &lt;a href="http://www.networkworld.com/news/2009/042009-oracle-sun-identity-management.html?page=2"&gt;Network World article&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;"Figuring out what stays, what goes, and integrating the remaining pieces is going to be an enormous task that will undoubtedly create consequences for deployed customers," says Andre Duran, CEO of Ping Identity, which develops identity federation software. "This is yet one more reason companies should consider standards-based, loosely coupled approaches, as it insulates them from the potential for single vendor lock-in, which is occurring irrespective of how they are selecting their vendors."&lt;br /&gt;...&lt;br /&gt;Blakley says as the    deal closes, Oracle management likely won't address identity until the more compelling &lt;a href="http://www.networkworld.com/news/2009/042109-oracle-mysql.html"&gt;strategies&lt;/a&gt;, such as the database, are worked out. 
"So there will be a period where not much happens and it is business as usual."&lt;br /&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-646196553950435681?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/646196553950435681/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=646196553950435681' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/646196553950435681'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/646196553950435681'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2009/04/story-about-vendor-selection-and-fud.html' title='A Story About Vendor Selection and FUD'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-2363229141312444487</id><published>2009-04-14T07:07:00.003-04:00</published><updated>2009-04-14T07:21:56.637-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sharepoint'/><category scheme='http://www.blogger.com/atom/ns#' term='attestation'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual directory'/><title type='text'>Virtual Directory Whitepaper</title><content type='html'>Oracle just put out an &lt;a href="http://www.oracle.com/technology/products/id_mgmt/ovds/pdf/ovd-sharepoint-wp-v3.pdf"&gt;interesting whitepaper&lt;/a&gt; on how to use their virtual 
directory product with SharePoint.  A few interesting scenarios:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Allow users to authenticate to SharePoint with Windows credentials but control access based on job codes maintained in a HR database (without having to sync!)&lt;/li&gt;&lt;li&gt;Allow a SharePoint workspace to be used by two different business units who each maintain their own AD domain&lt;/li&gt;&lt;/ul&gt;On another note...SharePoint has been getting a lot of attention from the identity folks, hasn't it?  Microsoft was promising a new "Identity Portal" in ILM 2, until they blew their release date by A YEAR(!!).  Courion's been marketing &lt;a href="http://www.courion.com/products/compliance-manager-sharepoint.html"&gt;their solution&lt;/a&gt; for SharePoint as well, which is basically an attestation/segregation of duties play.   Bitkoo has their &lt;a href="http://www.bitkoo.com/products-keystone-sp.php"&gt;fine-grained authorization management stuff&lt;/a&gt; for SharePoint.&lt;br /&gt;&lt;br /&gt;I wonder why the trend? 
Hmmm....&lt;br /&gt;Well, here's a &lt;a href="http://www.cmswire.com/cms/enterprise-cms/sharepoints-no-slouch-earns-microsoft-1-billion-002263.php"&gt;billion&lt;/a&gt; reasons.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-2363229141312444487?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/2363229141312444487/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=2363229141312444487' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/2363229141312444487'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/2363229141312444487'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2009/04/virtual-directory-whitepaper.html' title='Virtual Directory Whitepaper'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-7666165098893661806</id><published>2009-04-08T10:08:00.008-04:00</published><updated>2009-05-30T19:09:12.266-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='bpm'/><category scheme='http://www.blogger.com/atom/ns#' term='re-engineering processes'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>Some Process Re-engineering Principles for Identity Management Projects (part 1)</title><content type='html'>I'm in the early stages of working with &lt;a 
href="http://cloudfabric.blogspot.com/"&gt;a colleague&lt;/a&gt; on a whitepaper on guidelines for business process re-engineering for provisioning projects, and thought I'd share some of our thoughts to see if I could get some feedback.  (If we use anyone's feedback, we'll make sure we reference you.)&lt;br /&gt;&lt;br /&gt;1. The first point is to put some parameters around the re-engineering effort.  The most common mistake that IDM-focused re-engineering efforts make is to overdo it.  Once a current state process diagram is put together (preferably in &lt;a href="http://www.bpmn.org/"&gt;BPMN&lt;/a&gt;) - many consultants find way too much to optimize, usually because of complaints from the customer.  It's important to keep your scope in mind, otherwise the project can quickly turn into a much larger endeavor than you (and the client) had previously anticipated. &lt;span style="font-weight: bold;"&gt; It's important to focus primary re-engineering efforts on areas that can positively impact identity data.&lt;/span&gt;  It may be tempting to re-engineer an inefficient interviewing sub-process of the onboarding process, but doing so will most likely not impact your identity data either way.  Furthermore, provisioning platforms were not created to solve that problem (more on this later).  On the other hand, re-engineering a self-registration process to prevent duplicate accounts will have a significant impact on your identity data.  
The lesson: pick your process re-engineering battles wisely.&lt;br /&gt;&lt;br /&gt;Thoughts?&lt;br /&gt;&lt;br /&gt;(to be continued...)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-7666165098893661806?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/7666165098893661806/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=7666165098893661806' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7666165098893661806'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7666165098893661806'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2009/04/some-process-re-engineering-principals.html' title='Some Process Re-engineering Principles for Identity Management Projects (part 1)'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-2878044582949552629</id><published>2009-04-01T09:20:00.005-04:00</published><updated>2009-04-01T09:32:32.607-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='iterations'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>Pottery Making, Iterations and Identity Management</title><content type='html'>I'm a big fan of iterations in identity management implementations. The reason is pretty simple: you can't learn from lessons until you try.  
(You could learn from consulting firms, but not about &lt;span style="font-style: italic;"&gt;your&lt;/span&gt; environment.) Which means that you don't get really good at delivering identity management until the 3rd or 4th time. (So take that 9 month project and break it down into smaller 3 month projects!)&lt;br /&gt;&lt;br /&gt;Anyhow, here is the pottery making connection. It's a parable a co-worker forwarded to me from &lt;a href="http://www.amazon.com/exec/obidos/ASIN/0961454733/lifeclever-20?tag=lifeclever-20"&gt;Art and Fear&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;    The ceramics teacher announced on opening day that he was dividing the class into two groups. All those on the left side of the studio, he said, would be graded solely on the quantity of work they produced, all those on the right solely on its quality.&lt;br /&gt;&lt;br /&gt;    His procedure was simple: on the final day of class he would bring in his bathroom scales and weigh the work of the “quantity” group: fifty pound of pots rated an “A”, forty pounds a “B”, and so on. Those being graded on “quality”, however, needed to produce only one pot—albeit a perfect one—to get an “A”.&lt;br /&gt;&lt;br /&gt;    Well, came grading time and a curious fact emerged: the works of highest quality were all produced by the group being graded for quantity. It seems that while the “quantity” group was busily churning out piles of work—and learning from their mistakes—the “quality” group had sat theorizing about perfection, and in the end had little more to show for their efforts than grandiose theories and a pile of dead clay.&lt;br /&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;span style="font-weight: bold;"&gt;The lesson&lt;/span&gt;:  Take on a small, well-defined, low-risk phase 1. Learn lessons. Take on a small, well-defined phase 2. 
Lather, rinse, repeat.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-2878044582949552629?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/2878044582949552629/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=2878044582949552629' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/2878044582949552629'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/2878044582949552629'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2009/04/pottery-making-iterations-and-identity.html' title='Pottery Making, Iterations and Identity Management'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-5877192729613504793</id><published>2009-03-05T10:01:00.003-05:00</published><updated>2009-03-05T10:13:55.290-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='kundra'/><category scheme='http://www.blogger.com/atom/ns#' term='hspd-12'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>Nation's First CIO Has IdM Background</title><content type='html'>&lt;a href="http://www.govexec.com/story_page.cfm?articleid=42197&amp;amp;dcn=todaysnews"&gt;President Obama named Vivek Kundra&lt;/a&gt; as the nation's first CIO today.  
An interesting tidbit caught my eye.&lt;br /&gt;&lt;blockquote&gt;Kundra also worked as vice president of marketing for Evincible Software, which provided electronic signatures and &lt;span style="font-style: italic;"&gt;identity management&lt;/span&gt; for financial services companies and the Defense Department.&lt;/blockquote&gt;Evincible was acquired by Exostar back in 2004. On their site...&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;In 2004, Exostar acquired Evincible, a leader in PKI and digital signature technologies and best practices.  The acquisition brought both proprietary technologies and leading subject matter experts into the Exostar organization, enabling us to deliver technology, policy and best practices leadership in the areas of PKI, federated identity management and physical and logical access. &lt;/blockquote&gt;It's going to be interesting to see how his background in identity might influence what's happening in the federal IT space, and current initiatives (that seem to be lagging) to federate gov agencies.  
Hopefully, he takes identity farther than &lt;a href="http://hspd12.usda.gov/"&gt;HSPD-12&lt;/a&gt; did.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-5877192729613504793?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/5877192729613504793/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=5877192729613504793' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/5877192729613504793'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/5877192729613504793'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2009/03/nations-first-cio-has-idm-background.html' title='Nation&apos;s First CIO Has IdM Background'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-8737190997164444072</id><published>2009-02-14T12:24:00.003-05:00</published><updated>2009-02-14T12:39:23.296-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='self-service'/><category scheme='http://www.blogger.com/atom/ns#' term='deprovisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>Where is the Motivation for Deprovisioning?</title><content type='html'>A &lt;a href="http://vquill.com/2009/02/self-service-de-provisioning.html"&gt;series&lt;/a&gt; &lt;a 
href="http://eternallyoptimistic.com/2009/02/05/federated-de-provisioning/"&gt;of&lt;/a&gt; &lt;a href="http://idlogger.wordpress.com/2009/02/07/janus-versus-vulcan-in-federated-provisioning/"&gt;blog&lt;/a&gt; &lt;a href="http://www.tuesdaynight.org/2009/02/05/will-the-real-federated-provisioning-please-stand-up.html"&gt;posts&lt;/a&gt; on self-service deprovisioning in the federation world got me thinking about a simpler, albeit very real, problem with the "traditional" deprovisioning process in a company.&lt;br /&gt;&lt;br /&gt;Most companies that have an IdM system have 2 ways to deprovision users:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Emergency Termination Workflow (where a manager logs on to the deprovisioning workflow, and kicks off the termination process that disables accounts across the board)&lt;/li&gt;&lt;li&gt;Automated Terminations (where the IdM system keys off of HR or Payroll or some authoritative store that provides the user's status and termination date which in turn automatically disables accounts)&lt;/li&gt;&lt;/ol&gt;The problem I've seen most companies face is with the second workflow because data is entered late.  So why not put a workflow together for self-service deprovisioning?&lt;br /&gt;&lt;br /&gt;The only problem with this approach is the lack of motivation for an end-user to run through the workflow.  Perhaps there is an approach to tie the completion of this workflow to some interest for the end user that will motivate him/her to run through it. Some ideas...&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Severance Pay&lt;/li&gt;&lt;li&gt;COBRA Enrollment&lt;/li&gt;&lt;li&gt;Continued Communications (to enter in personal e-mail address?)&lt;/li&gt;&lt;li&gt;An iPhone? (seems to work for other things)&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;I bet that this approach would solve some of the data-timeliness issues. 
What do you think?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-8737190997164444072?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/8737190997164444072/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=8737190997164444072' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/8737190997164444072'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/8737190997164444072'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2009/02/where-is-motivation-for-deprovisioning.html' title='Where is the Motivation for Deprovisioning?'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-1276390366193474327</id><published>2009-02-12T21:03:00.003-05:00</published><updated>2009-02-12T21:17:10.454-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual directory'/><title type='text'>More on VDS and Cache</title><content type='html'>Mark Wilcox put up &lt;a href="http://blogs.oracle.com/mwilcox/2009/01/responding_to_virtual_director.html"&gt;a post&lt;/a&gt; responding to  &lt;a href="http://identityman.blogspot.com/2008/12/virtual-directories-and-persistent.html"&gt;my previous queries&lt;/a&gt; about the virtues of persistent cache and virtual directories.  
The bottom line of my post was around performance, so Mark gives some figures for &lt;a href="http://www.oracle.com/technology/products/id_mgmt/ovds/index.html"&gt;OVD&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The overhead is absolutely minimal - it's generally around 2-5 milliseconds. And worst I've ever seen is around 50 milliseconds (remember that's still only 5/100s of a second). This includes doing a join of data.&lt;br /&gt;&lt;/blockquote&gt;Are Symlabs, Radiant Logic and other vendors seeing the same results? Perhaps, a &lt;a href="http://www.coreblox.com/"&gt;skilled SI&lt;/a&gt; may want to chime in?  If so, then why does anyone use a persistent cache? Anyone?&lt;br /&gt;&lt;br /&gt;Also, Blink Technologies put the following comment on my previous post:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;I thought the whole point of the cache is to lighten the load against the system as a whole. It's a compromise of data freshness for performance. Plus the entire point of a cache is to "cache" frequently used data, of course depending on the algorithm used (LRU, MRU, etc.). I also assume that the cache is adjustable and can have specific timeouts for freshness. 
I think for a highly trafficked directory this is a great trade-off.&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-1276390366193474327?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/1276390366193474327/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=1276390366193474327' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/1276390366193474327'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/1276390366193474327'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2009/02/more-on-vds-and-cache.html' title='More on VDS and Cache'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-2238331149564709668</id><published>2009-02-10T14:09:00.004-05:00</published><updated>2009-02-10T14:17:41.814-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='startup advice'/><title type='text'>Funding Doc Templates From VC = Saving $$$</title><content type='html'>Brad Feld just &lt;a href="http://www.feld.com/wp/archives/2009/02/techstars-model-seed-funding-documents.html"&gt;posted&lt;/a&gt; a set of 5 docs entitled "Model Seed Funding Documents" that I really wished I had a few years ago.  
(It has a term sheet and subscription agreement!)&lt;br /&gt;&lt;br /&gt;Anyone who is going through a seed round should/must go read Brad's blog thoroughly &lt;span style="font-style: italic;"&gt;before&lt;/span&gt; speaking with attorneys. Educating yourself on your time rather than the attorney's could save you a ton of money.  I wish all VCs were this helpful.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-2238331149564709668?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/2238331149564709668/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=2238331149564709668' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/2238331149564709668'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/2238331149564709668'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2009/02/funding-doc-templates-from-vc-saving.html' title='Funding Doc Templates From VC = Saving $$$'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-7112165267069076915</id><published>2009-02-10T06:44:00.003-05:00</published><updated>2009-02-10T06:56:27.426-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='deprovisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>Deprovision. 
We're in a Recession!</title><content type='html'>Hot off the &lt;a href="http://www.theglobeandmail.com/servlet/story/RTGAM.20090209.wrevenue09/BNStory/National/?page=rss&amp;amp;id=RTGAM.20090209.wrevenue09"&gt;Canadian Press&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;The Canada Revenue Agency has issued at least $3-million in paycheques to people who don't work there, says a new audit.&lt;br /&gt;"Overpayments generally occur when employees leave the agency and through errors or omissions their pay is not stopped on time," says the internal report.&lt;/blockquote&gt;I often hear something like this from identity management workshop participants: "I wonder how much payroll gives away for free because of a broken deprovisioning process."&lt;br /&gt;&lt;br /&gt;Me too.&lt;br /&gt;&lt;br /&gt;Here's a quick example I saw last week. The daily inactivation report that gets sent out to all admins from HR contains an "entry date" that is weeks, sometimes months, past the "effective date". How's that for an ROI analysis for your next identity project?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-7112165267069076915?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/7112165267069076915/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=7112165267069076915' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7112165267069076915'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7112165267069076915'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2009/02/deprovision-were-in-recession.html' title='Deprovision. 
We&apos;re in a Recession!'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-3287424597522047980</id><published>2009-01-31T13:47:00.004-05:00</published><updated>2009-01-31T14:04:26.918-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='managed identity services'/><title type='text'>Another Entry into the IdM Managed Services Space</title><content type='html'>I just read an interesting &lt;a href="http://www.solutions-daily.com/dsp_getNewsDetails.cfm?CID=548&amp;amp;ids=148"&gt;press release&lt;/a&gt; this morning from &lt;a href="http://www.watsonscs.com/index.htm"&gt;Watson &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;SCS&lt;/span&gt;&lt;/a&gt;, an IBM Identity Management SI. They've announced an off-premise managed service offering called Identity Management On Demand, bolstering the following:&lt;br /&gt;&lt;blockquote&gt;implementation of a simple Identity Management program can be executed in twelve weeks – about half as long as the quickest deployment of a customized solution.&lt;/blockquote&gt;I have special interest in this area.  
(Last week, &lt;a href="http://www.identropy.com/"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;Identropy&lt;/span&gt;&lt;/a&gt; announced the &lt;a href="http://money.aol.com/news/articles/_a/identropy-expands-their-managed-identity/rfid177099041"&gt;expansion of its off-premise managed identity services offering (&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;iMIS&lt;/span&gt;)&lt;/a&gt; by adding support for &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;Novell&lt;/span&gt; Identity Manager.)  What's interesting about Watson SCS's play is that they're opting to offer a fully managed service, hosted off-site.  A few days ago, I was speaking to a colleague at another integrator who recently pulled the plug on their off-site offering, for &lt;a href="http://identityman.blogspot.com/2008/07/idaas-identity-services-saas-ish.html"&gt;reasons I've already discussed&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Anyhow, it's great to hear more offerings in this space. 
It validates what we've been hearing from our clients: &lt;span style="font-style: italic;"&gt;Why is this stuff so painful to implement and manage?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Welcome to the party, Watson &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;SCS&lt;/span&gt;...looking forward to seeing you out in the field.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-3287424597522047980?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/3287424597522047980/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=3287424597522047980' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/3287424597522047980'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/3287424597522047980'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2009/01/another-entry-into-idm-managed-services.html' title='Another Entry into the IdM Managed Services Space'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-8286962461357014195</id><published>2009-01-06T09:41:00.004-05:00</published><updated>2009-01-06T10:01:22.298-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management poc'/><title type='text'>On Identity POCs - From a Vendor's Perspective</title><content type='html'>I pinged&lt;a 
href="http://joes-viewpoint.blogspot.com/"&gt; Joe (Nobody?)&lt;/a&gt; on Twitter last week regarding Identity Management POCs.  Joe put up a lengthy &lt;a href="http://joes-viewpoint.blogspot.com/2009/01/iam-thoughts.html"&gt;post on his blog&lt;/a&gt; regarding some of his thoughts from the perspective of the vendor (so it seems). It's always great to get thoughts on the topic from another vantage point...some great points, with my $.02 in-line:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"a POC is that they are a dangerous sales activity used against a vendor rather than for it (I used to be a customer and did just that)"&lt;/blockquote&gt;I've witnessed that before. So Joe, how do we make sure the POC stays on the right track?&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;"But a POC should not be a repeat of a demo in a customer's environment. On the flip side, a POC should not be an installation exercise based on the customer's demands.&lt;br /&gt;A POC should be an onsite installation to show at a minimum, key use cases for the defined phase 1 and 2. Self service, HR feeds, provisioning into the key systems and de-provisioning for example. Which means Phase 1 and 2 should be defined prior. How do you know what to show if the customer doesn't know where they are going?"&lt;/blockquote&gt;&lt;br /&gt;Use cases. I like. Tell me more...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"Prove the concept. Prove the process. Prove the business improvements and solving of business needs rather than proving when you hit this button this technical thing happens."&lt;br /&gt;&lt;/blockquote&gt;Completely with you.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"Don't prove installation, don't prove configuration, don't prove how many components it takes to do it. "&lt;br /&gt;&lt;/blockquote&gt;Hmm....not so sure about this one. 
A POC should prove business use cases &lt;span style="font-style: italic;"&gt;as well as&lt;/span&gt; allow the technical team to understand how it works in order to judge integration efforts and supportability...no?&lt;br /&gt;&lt;blockquote&gt;"Another reason why POCs are often an embarrassing cluster is the customer's environment. I generally require, based on the customer's hardware, that I have sterile servers, patched specifically, nothing else on them and require the pre-req software installed on them before I walk in the door...What GPOs are set that is locking down a service and takes you 2 days to find it. Regardless on the cause, any delay is bad impression on you and the product."&lt;br /&gt;&lt;/blockquote&gt;Fantastic point. I've seen POCs blow up because of a misconfigured DC, DNS problems, etc. And the vendors end up spending time troubleshooting environment problems rather than working on the actual POC.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"If, as a vendor, you drive the use case creation with the customer you will show your knowledge and leadership. You will have a controlled flow from start to finish they will make you look successful and show the customer their needs. Your time will be shorter and cost less for you. The success rate will be higher. You miss these things, the customer will push you into a hole of broken knowledge. We are the experts, not them."&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;Well said, Joe. 
Nobody.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-8286962461357014195?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/8286962461357014195/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=8286962461357014195' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/8286962461357014195'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/8286962461357014195'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2009/01/on-identity-pocs-from-vendors.html' title='On Identity POCs - From a Vendor&apos;s Perspective'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-5883515160291757699</id><published>2008-12-30T11:52:00.003-05:00</published><updated>2008-12-30T12:03:21.755-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='deprovisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>Poor Man's Deprovisioning</title><content type='html'>In this economy, I've been repeatedly pinged by clients on how to maximize their investment in their existing Identity Management software investment. 
In other words "I want to do all this stuff, but I don't want to buy more software, and barely buy any services."&lt;br /&gt;&lt;br /&gt;So here is an idea that came from a conversation with one of our engineers. This is for clients that own a Password Management solution only, but want to be able to deprovision users.  They could create a workflow to change the password to all target systems to a random password that no one knows. In effect, the user would be locked out of all accounts. A small program could be written to call the workflow's SPML interface (assuming it has one) based on a feed from Payroll or HR as well for a nightly process. No new software, barely any services, but an effective deprovision of accounts.&lt;br /&gt;&lt;br /&gt;I'm noodling if this would pass an audit, but I doubt it would since the account is still active.  But it would work, it would leverage the client's investment in connectors built for all target systems, and could be accomplished in no time.&lt;br /&gt;&lt;br /&gt;I think it's the best thing since sliced bread, but I'm sure I'll find a new favorite tomorrow.  
Would this work?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-5883515160291757699?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/5883515160291757699/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=5883515160291757699' title='11 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/5883515160291757699'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/5883515160291757699'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/12/poor-mans-deprovisioning.html' title='Poor Man&apos;s Deprovisioning'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>11</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-5452611403113578555</id><published>2008-12-25T10:26:00.001-05:00</published><updated>2008-12-25T10:27:49.067-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management marketing'/><title type='text'>Identity, Holidays, and a Little Marketing</title><content type='html'>&lt;a href="http://www.novell.com/img/flash/play.php?media=http://cdn.novell.com/cached/video/bs_08/flv/north_pole_enterprises.flv"&gt;Fun&lt;/a&gt;.&lt;br /&gt;Enjoy!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-5452611403113578555?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' 
type='application/atom+xml' href='http://identityman.blogspot.com/feeds/5452611403113578555/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=5452611403113578555' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/5452611403113578555'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/5452611403113578555'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/12/identity-holidays-and-little-marketing.html' title='Identity, Holidays, and a Little Marketing'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-2358862236280243244</id><published>2008-12-23T11:04:00.003-05:00</published><updated>2008-12-23T11:23:26.022-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual directory'/><category scheme='http://www.blogger.com/atom/ns#' term='metadirectory'/><title type='text'>Virtual Directories and Persistent Cache</title><content type='html'>I got drawn into a debate lately about the pros/cons of persistent cache in a virtual directory, and the practical implications of it.  (I know this is an old debate. Better late than never?)  A persistent cache is basically storing a copy of data locally at the virtual directory, so it doesn't have to go get the data each time.&lt;br /&gt;&lt;br /&gt;The first question is 'why add this capability? 
isn't the whole point of a virtual directory to provide real-time access to backend data?' 
In my conversations, I basically received one answer: performance. Virtualizing and transforming the data can slow things down a bit.&lt;br /&gt;&lt;br /&gt;Clayton Donley makes &lt;a href="http://blogs.oracle.com/clayton/2008/04/dont_bandaid_your_identity_inf.html"&gt;a case&lt;/a&gt; against persistent cache in an older post. To summarize:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Persistent cache will mean data isn't real-time, which means the 'freshness' of data will be compromised.&lt;/li&gt;&lt;li&gt;There are security concerns with adding another place to keep the data.&lt;/li&gt;&lt;li&gt;There is pain associated with managing yet another directory.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;(i.e., if you want a metadirectory, then get a metadirectory!)&lt;br /&gt;&lt;br /&gt;So, I've come up with a few questions, and was wondering if anyone has any thoughts about it...&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Since performance is the main point here, does anyone have numbers on the performance hit caused by virtual directories?&lt;/li&gt;&lt;li&gt;Is performance the only real justification for persistent cache?&lt;/li&gt;&lt;/ol&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-2358862236280243244?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/2358862236280243244/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=2358862236280243244' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/2358862236280243244'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/2358862236280243244'/><link rel='alternate' type='text/html' 
href='http://identityman.blogspot.com/2008/12/virtual-directories-and-persistent.html' title='Virtual Directories and Persistent Cache'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-1183387879459864640</id><published>2008-11-25T22:01:00.003-05:00</published><updated>2008-11-25T22:08:09.288-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='managed identity services'/><title type='text'>Managed Identity Services Winner</title><content type='html'>Thanks to everyone who filled out the &lt;a href="http://blog.ianyip.com/2008/10/managed-identity-services-survey.html"&gt;Managed Identity Services&lt;/a&gt; survey. We finally identified the winner of the giveaway....and the winner is Niall McLoughlin! Enjoy your new iTouch! 
Thanks &lt;a href="http://blog.ianyip.com"&gt;Ian&lt;/a&gt; for all the work on the survey, and thanks &lt;a href="http://360tek.blogspot.com"&gt;Matt&lt;/a&gt; for aiding with the whole winner selection thing.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-1183387879459864640?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/1183387879459864640/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=1183387879459864640' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/1183387879459864640'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/1183387879459864640'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/11/managed-identity-services-winner.html' title='Managed Identity Services Winner'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-4486252782238921504</id><published>2008-11-23T22:25:00.003-05:00</published><updated>2008-11-23T22:36:45.566-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management consulting'/><title type='text'>A Few More Snappy IdM One-Liners...</title><content type='html'>In response to my request for snappy one-liners that would be applicable for identity projects,&lt;a href="http://idlogger.wordpress.com/2008/11/19/sweet-chewy-nuggets-of-identity-wisdom/"&gt; Jeff 
Bohren&lt;/a&gt; and &lt;a href="http://idmlessons.blogspot.com/"&gt;Mike Conklin&lt;/a&gt; (welcome to the blogosphere, Mike!) provided some input. Here are some of my favorites:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The dirty little secret about provisioning is that it’s really all about deprovisioning.&lt;/li&gt;&lt;li&gt;You shouldn’t start out trying to do account management by adding another account to manage.&lt;/li&gt;&lt;li&gt;It doesn't matter what you do on the back-end -- if the end users (and project sponsors) can't see tangible results that affect their day-to-day activities, all the process re-engineering and data clean-up in the world is going to go unnoticed and unappreciated.&lt;/li&gt;&lt;li&gt;For whatever reason, hearing the exact same thing come from an outside &lt;a href="http://www.e-forwards.com/wp-content/uploads/2007/08/inspire-consulting.jpg"&gt;consultant&lt;/a&gt; actually sinks in with management, but this never seems to happen for internal people :)&lt;/li&gt;&lt;/ul&gt;Seems like fun so far... 
so, I'm tagging &lt;a href="http://360tek.blogspot.com/"&gt;Matt F.&lt;/a&gt;, &lt;a href="http://www.idm-thoughtplace.blogspot.com/"&gt;Matt P.&lt;/a&gt;, &lt;a href="http://azeemkhan.info/id/"&gt;Azeem Khan&lt;/a&gt;, &lt;a href="http://mike.trachta.org/"&gt;Mike Trachta&lt;/a&gt;, &lt;a href="http://blog.ianyip.com/"&gt;Ian Yip&lt;/a&gt; and &lt;a href="http://jacksonshaw.blogspot.com/"&gt;Jackson Shaw&lt;/a&gt; (just to throw a little product in the mix) to contribute their wit to the conversation.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-4486252782238921504?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/4486252782238921504/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=4486252782238921504' title='13 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/4486252782238921504'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/4486252782238921504'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/11/few-more-snappy-idm-one-liners.html' title='A Few More Snappy IdM One-Liners...'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>13</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-3936807313941002627</id><published>2008-11-18T12:44:00.002-05:00</published><updated>2008-11-18T12:47:08.012-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='bpm'/><category 
scheme='http://www.blogger.com/atom/ns#' term='business process'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>It's About the Business...</title><content type='html'>I just got back from another long day with a client, helping them lay out their identity management roadmap. I've noticed a few interesting recurring themes:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Good technology can't compensate for bad processes (although it might make it less painful)&lt;/li&gt;&lt;li&gt;Fixing your data without fixing your processes is like painting your house on a rainy day&lt;/li&gt;&lt;li&gt;Throwing more software at an identity problem usually exacerbates it&lt;/li&gt;&lt;li&gt;A dollar in an identity project doesn't take you as far as you'd expect (even though it's well worth it)&lt;/li&gt;&lt;li&gt;What business users think is happening is quite often vastly different than what is happening under the hood&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;Any other snappy one-liners?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-3936807313941002627?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/3936807313941002627/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=3936807313941002627' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/3936807313941002627'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/3936807313941002627'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/11/its-about-business.html' title='It&apos;s About the Business...'/><author><name>Ashraf 
Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-7714545684529627770</id><published>2008-11-05T10:01:00.003-05:00</published><updated>2008-11-05T10:07:25.838-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='repealing sox'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>Repealing SOX and Identity Management</title><content type='html'>Newt Gingrich and David Kralik wrote an &lt;a href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/11/05/ED2813T8O9.DTL&amp;amp;hw=sarbanes&amp;amp;sn=001&amp;amp;sc=1000"&gt;op-ed&lt;/a&gt; in today's San Francisco Chronicle about repealing SOX. I've been following the buzz around this for a few months, but it always has a bit more bite when it comes from a former Speaker of the House.  Gingrich and Kralik outline a number of convincing reasons to repeal SOX, including its negative impact on the IPO market as well as its failure at "...preventing insolvencies and accounting shortfalls in companies such as Bear Sterns, Lehman Bros., American International Group (AIG) and Merrill Lynch." The last lines of the article are very action oriented,&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;With a new presidential administration and a Congress convening in less than three months, now is the time to begin thinking through the solutions needed to address our economic challenges. Economic growth in a sound market economy requires smart regulation, not destructive regulation that hurts economic growth. Sarbanes-Oxley fails that test. 
It should be repealed.&lt;/blockquote&gt;&lt;br /&gt;I've &lt;a href="http://identityman.blogspot.com/2008/10/selling-identity-in-economic-downturn.html"&gt;written previously&lt;/a&gt; on the need to move away from compliance as *the* driver for identity. A legislative act such as this could force our hand as an industry.  Being personally involved in the process, I am acutely aware of the impact that compliance has on quickly approving budgets for projects, and the way IT has leveraged SOX in order to push projects of their liking (even if its true ability to demonstrate compliance was suspect).  This hyper-compliance environment may have created complacency on our end from the perspective of demonstrating the true value of identity for the business.  Any way you slice it, if SOX gets repealed (or slimmed down, as I expect it will be), we're going to have to think a little harder, and I think that's a good thing.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-7714545684529627770?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/7714545684529627770/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=7714545684529627770' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7714545684529627770'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7714545684529627770'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/11/repealing-sox-and-identity-management.html' title='Repealing SOX and Identity Management'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-3602387053271700138</id><published>2008-11-04T09:16:00.001-05:00</published><updated>2008-11-04T09:16:59.536-05:00</updated><title type='text'>Random Thoughts on Hitachi and Construction Cranes</title><content type='html'>Looking outside of my window this morning, I noticed a construction crane with the label "Hitachi" on the side. I kind of chuckled at the notion that a company could provide Identity Management software and construction machinery at the same time.  Being part of startups nearly my entire career, where focus and niche is everything, my narrow view of the world makes it difficult to comprehend that a company could do such vastly different things effectively.  Then again, it's not the first time. Siemens has its foot in the Identity world, and makes hearing aids and dishwashers too.&lt;br /&gt;Does laser focus in the startup world not apply to larger corporations? 
I'm sure there are a few dozen books on the topic...time to go find 'em.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-3602387053271700138?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/3602387053271700138/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=3602387053271700138' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/3602387053271700138'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/3602387053271700138'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/11/random-thoughts-on-hitachi-and.html' title='Random Thoughts on Hitachi and Construction Cranes'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-2512169151745668332</id><published>2008-11-03T07:30:00.004-05:00</published><updated>2008-11-03T07:41:47.596-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='managed services'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>The Answer is...On-Premise Managed Identity Services</title><content type='html'>&lt;a href="http://blog.ianyip.com/"&gt;Ian&lt;/a&gt; has posted his &lt;a href="http://blog.ianyip.com/2008/10/managed-identity-services-survey.html"&gt;findings&lt;/a&gt; from 
his Managed Identity Services survey. My primary interest around the survey was to see if data could be collated that could identify characteristics of a managed services solution around IdM that would make customers "comfortable". (In the past, I've posted on the "comfort vs. security" notion). Anyhow, some tasty nuggets are below. Go to the real &lt;a href="http://blog.ianyip.com/2008/10/managed-identity-services-survey.html"&gt;survey findings&lt;/a&gt; for more.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;67% of respondents have already completed a provisioning implementation (3% as SaaS, 10% have done it in some type of managed service offering, 37% host and manage it themselves)&lt;/li&gt;&lt;li&gt;When asked what model they would prefer, 19% wanted SaaS, a whopping 36% wanted an on-premise managed service, 19% wanted a hosted managed service model (that's a total of 55% who are looking for a managed service offering!), while only 13% want to handle it all themselves.&lt;/li&gt;&lt;li&gt;When asked what barrier was preventing them from outsourcing IdM, 22% identified security risks around data being held outside of their infrastructure, 20% said risks regarding external people accessing their environment, 14% said cost, 11% said loss of control.&lt;/li&gt;&lt;/ul&gt;So, it seems that although most respondents managed it themselves, over half wanted a managed service model. 
The risk around data being held outside of their infrastructure could be alleviated by an on-premise model, although I don't think that the significant 20% who didn't want outsiders accessing their environment will be appeased by any solution.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-2512169151745668332?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/2512169151745668332/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=2512169151745668332' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/2512169151745668332'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/2512169151745668332'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/11/answer-ison-premise-managed-identity.html' title='The Answer is...On-Premise Managed Identity Services'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-6575824754108509730</id><published>2008-10-15T10:00:00.003-04:00</published><updated>2008-10-15T10:18:15.163-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='courion'/><category scheme='http://www.blogger.com/atom/ns#' term='symplified'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>A Few IdM Vendors Responding to the Market</title><content type='html'>&lt;a 
href="http://www.courion.com"&gt;Courion&lt;/a&gt; put out a &lt;a href="http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&amp;amp;STORY=/www/story/10-15-2008/0004904549&amp;amp;EDATE="&gt;press release&lt;/a&gt; today around their Jumpstart program for Password Management deployments. Undoubtedly not a coincidence given the market conditions.  It's worth a look - 4 target systems, ROI in 30 days, fixed-price delivery. Not too shabby.&lt;br /&gt;&lt;br /&gt;Also, &lt;a href="http://www.symplified.com"&gt;Symplified&lt;/a&gt; has a &lt;a href="http://www.symplified.com/emailblast/form_kaplan_102308f.html"&gt;webinar&lt;/a&gt; coming up entitled 'Scary Economic Times Heighten The Need for SaaS Security' with Jeff Kaplan: "With the current economic downturn pressuring enterprises to freeze capital spending on software and quickly find ways to lower spending on IT, the move to SaaS has never been more compelling. This has accelerated already rapid SaaS adoption in an effort to save costs and reduce IT spending."&lt;br /&gt;&lt;br /&gt;I'm sure more to come....&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-6575824754108509730?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/6575824754108509730/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=6575824754108509730' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/6575824754108509730'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/6575824754108509730'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/10/few-idm-vendors-responding-to-market.html' title='A Few IdM Vendors Responding to 
the Market'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-193858017777186624</id><published>2008-10-15T07:17:00.003-04:00</published><updated>2008-10-15T07:43:17.347-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='financial crisis'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>More on IdM in the Economic Downturn</title><content type='html'>Over lunch with an NYC VC, conversations inevitably turned to the economy and its impact on startups.  A telling takeaway was that cost cutting in IT budgets is going to be deeper than previously expected.  Gartner and Forrester until just last week stated that &lt;a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=211200234"&gt;IT spend will grow less than expected&lt;/a&gt; (Gartner placed it at 2.3% and Forrester at 6.1%). On the other hand, the gentleman I had lunch with stated that those predictions will most likely be changed dramatically, and that the number on the street is that cuts will be in the ballpark of 20%. Now given that typically 65% of IT budgets are dedicated to maintenance and upkeep, that leaves about 15% on the table for new initiatives.  Ouch is right!&lt;br /&gt;&lt;br /&gt;In my opinion, if IdM projects are to survive these cuts, they have to be positioned around 2 areas simultaneously: 1. The project has to be linked to core business and 2. Cost cutting capabilities.  If the project can't rally around both, it's probably a goner.&lt;br /&gt;&lt;br /&gt;A good case in point is how salesforce.com made it through the 2000-01 scenario.  
It provided an easier way to do CRM (critical to core business) in a more cost effective way.&lt;br /&gt;&lt;br /&gt;So the question is...who's going to be the salesforce.com of the identity world? Or from a project perspective, which initiatives will be able to survive?&lt;br /&gt;&lt;br /&gt;A few random thoughts: I like SSO/Context Management in healthcare. Great impact on the business (especially for clinicians) and cuts cost.  Password Management is pretty good, except impact on the business in most cases is negligible.  The same goes for provisioning and role projects, although a better case could be made for impact on core business.  Unfortunately, I think the new kid on the block, privileged access management is in trouble because of its positioning as primarily a security play.  I'm still noodling this, but I'm sure this scenario will bring about some interesting innovations in our space in the coming year.  Nonetheless, the forecast is pretty cloudy from where I stand.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-193858017777186624?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/193858017777186624/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=193858017777186624' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/193858017777186624'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/193858017777186624'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/10/more-on-idm-in-economic-downturn.html' title='More on IdM in the Economic Downturn'/><author><name>Ashraf 
Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-172404181577823159</id><published>2008-10-14T13:59:00.004-04:00</published><updated>2008-10-14T14:47:39.701-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='financial crisis'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>Selling Identity in an Economic Downturn</title><content type='html'>Rough week. And it's Tuesday. In the wake of the current financial crisis, I've received 3 phone calls in the past 3 days from potential customers (who were almost surely moving forward with an Identity Management deployment) to tell me that the project is in serious jeopardy.  All three happen to be in the healthcare sector. One of them was given a mandate to cut $1m from his budget. Another simply stated that all new initiatives that haven't been inked yet are frozen indefinitely. The third stated that their organization's revenues were deeply impacted because of cuts in Medicare/Medicaid, and any and all projects not directly related to core business will be cut.&lt;br /&gt;&lt;br /&gt;I've been able to position the projects to be possibly salvaged by quickly shifting drivers from compliance to ROI and cost avoidance opportunities. Thank God we're in an industry that supports multiple and varied drivers!  I think that trying to sell Identity from a compliance and security angle in this environment is just a lost cause, which will probably impact the types of technologies that will be deployed. Any thoughts on other business/tech drivers that might be used? 
Which types of identity projects will live and which will die?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-172404181577823159?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/172404181577823159/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=172404181577823159' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/172404181577823159'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/172404181577823159'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/10/selling-identity-in-economic-downturn.html' title='Selling Identity in an Economic Downturn'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-4409864834566325424</id><published>2008-10-10T08:15:00.007-04:00</published><updated>2008-11-28T23:08:31.295-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management workshop'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management poc'/><title type='text'>How to Make a Better Identity Management POC</title><content type='html'>&lt;a href="http://mike.trachta.org/"&gt;Mike Trachta&lt;/a&gt; &lt;a href="http://mike.trachta.org/archives/20"&gt;responded to my previous post&lt;/a&gt; about lackluster POCs by highlighting the difficulty posed to SIs to live up to the fantastic show 
presented by the POC folks.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"...the customer remembers more about the POC than you think.  They remember how pretty the screens were.  They remember how seamlessly all the pieces fit together, and how quickly each task executes.  What they don’t realize is that all of the data is massaged and simplified.  Of course the POC could do these things!  It has 3 users with 4 roles to choose from, and doesn’t include any of the “exceptions” often found in the customer’s environment.  When it comes time to actually implement this feature with 30,000 users things can (and do) get quite a bit more complex."&lt;/blockquote&gt;Jeff Bohren put together an &lt;a href="http://idlogger.wordpress.com/2008/10/08/the-most-magical-bullet/"&gt;eloquent post&lt;/a&gt; as well, pointing to his experience as the developer in the background helping out both the POC folk, as well as the SI who has to make this happen for real. It's a great read and provides insight from both ends of the spectrum.&lt;br /&gt;&lt;br /&gt;I have a few suggestions that might make your IdM POCs a little better. So here they are:&lt;br /&gt;&lt;br /&gt;1. Couch your immediate goals in the context of a larger Identity Management initiative that ties it to your business objectives.  Jeff already hit on this point in his post, "Instead of doing a POC of who has 'The Most Magical Bullet', enterprise would be better suited to craft a long term IdM strategy and chose a vendor whose product best aligns with it."  This approach voids the notion that phase 1 of the project has to cover everything under the sun.  A fantastic way to do this is to engage an SI that understands the game, and can walk you through an &lt;a href="http://www.identropy.com/Services_identity-management-workshops"&gt;Identity Management workshop&lt;/a&gt; that speaks to both your business and technical objectives.&lt;br /&gt;&lt;br /&gt;2. 
From your workshop findings, carve out a Phase 1 of the project that is attainable - the best way to do that is to write up a handful of detailed use cases that boil the expected deliverables down to non-technical language.&lt;br /&gt;&lt;br /&gt;3. Highlight the top X number of use cases to focus on for a POC.  Keep it limited (but representative) of your expected project deliverables. Identify the vendors who might be able to respond, and request a technical architecture document outlining their approach to solving the use cases you have identified and have a Q&amp;amp;A session with them.  Filter out the vendors who don't make the cut (yes, I know that's a loaded sentence), and identify the top 1 or 2.&lt;br /&gt;&lt;br /&gt;4. Prepare a POC lab. (Another loaded sentence).&lt;br /&gt;&lt;br /&gt;5. Bring the vendors in, but don't allow them to touch anything! OK, this suggestion might be a bit much, but I suggest that, as much as possible, you have the vendor's experts sit on their hands, next to your techies while your techies drive.  If the vendor whips out a canned script, your guys will know it (and document it in the findings).  If the vendor has to make a nasty directory schema change, your techies will know it.  If the vendor has an ugly hack that inserts pages of code into the presentation layer of the "ultra configurable identity app", your techies will know it.&lt;br /&gt;&lt;br /&gt;6. Have a structured way to present the findings.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;While I know that the approach above requires a lot of background knowledge and support, it just seems to be a much more valuable experience that actually tells you something that a demo can't.  If help is needed, supplement the team with an SI that has strong experience in the space.  
Either that, or save everyone time and effort and just make your decision based on sales demos and references.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-4409864834566325424?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/4409864834566325424/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=4409864834566325424' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/4409864834566325424'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/4409864834566325424'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/10/how-to-make-better-identity-management.html' title='How to Make a Better Identity Management POC'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-7721601284605066684</id><published>2008-10-06T06:03:00.003-04:00</published><updated>2008-10-06T06:07:38.869-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='poc'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>Why (most) Identity Management POCs Suck</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_BO38LdeeNVA/SOnjQ5GA3JI/AAAAAAAAABY/sjq8ALtrJH8/s1600-h/images.jpeg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; 
cursor: pointer;" src="http://3.bp.blogspot.com/_BO38LdeeNVA/SOnjQ5GA3JI/AAAAAAAAABY/sjq8ALtrJH8/s320/images.jpeg" alt="" id="BLOGGER_PHOTO_ID_5253980319647849618" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;For those unaware, POC is an acronym for "Proof of Concept", and consists of a client requesting a vendor to bring their software in to demonstrate ("prove") that their software can perform in their environment as promised ("concept"). The engagement usually lasts for a few days to a week, and typically the vendor foots the bill (if the potential deal is large enough).  Most often, POCs are borne out of a conversation between a client and an industry analyst who completed a 2 hour identity management market briefing, concluding that it would be a good idea for the client to host a POC.  A few vendors are selected to strut their stuff, and after reviewing which vendor did a better job, a winner is hailed and ultimately awarded the contract.&lt;br /&gt;After being involved in one too many POCs, I've come to the following conclusion: IdM POCs suck. Usually. And here are a few reasons/scenarios that explain why:&lt;br /&gt;&lt;br /&gt;1. A typical POC is just a glorified demo.  So, wisdom states that if the vendor is integrating their software with your target apps, then it's not just a demo, but undeniable evidence that their software is good for you and your organization. That is both true and false.  Just because software can be made to "seem" to work with your apps is not evidence that the integration is robust or production ready.  Hacks are very common in POCs, and much of what is demo'd at the end of the POC is smoke and mirrors that doesn't prove that what was completed is production ready, or more importantly, can ever be production ready.&lt;br /&gt;&lt;br /&gt;2. The success of the post-POC demo is highly dependent on 2 individuals on the vendor team: the Sales Engineer (the guy who duct-taped together the POC) and the POC-demo-guy.  
The vendor that has the best duo typically wins the deal, which may not reflect the best software solution for your environment.   A good SE can make crappy software work (with his arsenal of scripts and tricks), and a good POC-demo-guy can bedazzle almost any audience.  On the other hand, a bad SE can make good software break, and a bad POC-demo-guy can put a lively audience to sleep.&lt;br /&gt;&lt;br /&gt;3. A POC is typically technology focused. Most IdM deployments are business process centric. When decisions are made based on the number of out-of-the-box connectors or the long list of supported standards without considering how it all applies to your specific set of business processes, the wrong vendor can be selected.&lt;br /&gt;&lt;br /&gt;Well, I'm sure there are more reasons, but I'll leave it at that for now.&lt;br /&gt;But the picture isn't that bleak. There are ways around the problems above, and exciting approaches that will not only make POCs not suck, but actually make them effective and useful...a topic for another blog entry.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-7721601284605066684?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/7721601284605066684/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=7721601284605066684' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7721601284605066684'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7721601284605066684'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/10/why-most-identity-management-pocs-suck.html' title='Why (most) Identity Management POCs 
Suck'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_BO38LdeeNVA/SOnjQ5GA3JI/AAAAAAAAABY/sjq8ALtrJH8/s72-c/images.jpeg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-3284586625427494076</id><published>2008-09-19T07:56:00.003-04:00</published><updated>2008-09-19T08:00:45.750-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='ian yip'/><category scheme='http://www.blogger.com/atom/ns#' term='managed identity services'/><title type='text'>Managed Identity Services - OOOH, A SURVEY!</title><content type='html'>&lt;a href="http://blog.ianyip.com"&gt;Ian&lt;/a&gt;'s done it again. I've come to admire his style of &lt;a href="http://blog.ianyip.com/2008/09/managed-identity-services-survey_19.html"&gt;&lt;span style="font-style: italic;"&gt;blogging-outside-of-the-box&lt;/span&gt;&lt;/a&gt;.&lt;br /&gt;Over the past months, a number of bloggers have commented on the notion of managed services in the world of identity management, and speculations around customer attitudes towards it due to security/privacy concerns, as well as from a process perspective. Ian decided to cut through all of the speculation, and put together &lt;a href="http://www.surveygizmo.com/s/68286/ian-yips-managed-identity-services-survey"&gt;a survey on managed identity services&lt;/a&gt; aimed towards clients, in order to capture a sampling of actual client feedback.  
Brilliant.&lt;br /&gt;I immediately saw the value in this, and decided to reach out to Ian in order to see how &lt;a href="http://www.identropy.com"&gt;Identropy&lt;/a&gt; could help out. Ultimately, we decided that a simple giveaway might spur user participation, but agreed on keeping the marketing mumbo jumbo to a minimum at the same time. This is about getting clients involved in our discussions, reporting on the findings and hopefully initiating more practical conversations around the topic in the community. I'm very excited about working with Ian, and he has turned out a very well put together survey.&lt;br /&gt;&lt;br /&gt;A last note: This survey is geared towards actual customers rather than vendors or integrators. If you are in touch with customers who have an identity infrastructure in place, please forward them this link ( http://www.surveygizmo.com/s/68286/ian-yips-managed-identity-services-survey )  if they want to participate. They do NOT have to provide any personal information if they do not want to. 
Our only interest is assessing attitudes out in the marketplace towards this notion, and the wider the participation, the better the data Ian gets to report on.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-3284586625427494076?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/3284586625427494076/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=3284586625427494076' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/3284586625427494076'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/3284586625427494076'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/09/managed-identity-services-oooh-survey.html' title='Managed Identity Services - OOOH, A SURVEY!'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-1803220166877962440</id><published>2008-09-16T06:34:00.007-04:00</published><updated>2008-09-16T07:23:09.726-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='wam'/><category scheme='http://www.blogger.com/atom/ns#' term='web access management'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>Is WAM Complex?</title><content type='html'>Jeff Bohren &lt;a href="http://idlogger.wordpress.com/2008/09/15/not-necessarily-so-complicated/"&gt;responded&lt;/a&gt; to my post 
on Symplified yesterday, stating that although he agreed that most WAM solutions are complex, the OpenNetwork/BMC (now Symphony) solution doesn't fit that mold.&lt;br /&gt;Admittedly, I don't have experience with the BMC solution, but Jeff makes a good case for its simplicity:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;(it) could be deployed with nothing more than AD and access control agents on each web server. The access control agents served as both a PEP and PDP. No policy servers, APIs, or proxy servers required. The same accounts used for intranet login could be used for web access control and the policies could be expressed in terms of AD security groups.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;A few questions (pardon my ignorance). What if apps want to query policy information (for example, does this user have access to that resource)? Do they query AD directly? Might that not get complicated if there is a complex array of rules to crunch through? Some environments seek a web services based API rather than the (typical) Java API. Who stands that up? What about the admin console? Who manages that? Also, doesn't agent management become a headache? Keeping up with different web server versions and handling upgrades could cause admin overhead.  I agree that the solution sounds easier, but for an admin with a mediocre skill set, it seems that it would prove challenging.  I'd love to hear your thoughts/real life experiences.&lt;br /&gt;&lt;br /&gt;My experience falls more in the ClearTrust/SiteMinder/OAM realm, and clients constantly complain about maintenance.  Here is an example. 
Some years back, a company sought an access management solution, found one, bought&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_BO38LdeeNVA/SM-TBfx_SuI/AAAAAAAAABQ/uO7C6LuUzM8/s1600-h/engmt_diagram1.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer;" src="http://2.bp.blogspot.com/_BO38LdeeNVA/SM-TBfx_SuI/AAAAAAAAABQ/uO7C6LuUzM8/s320/engmt_diagram1.jpg" alt="" id="BLOGGER_PHOTO_ID_5246573744830237410" border="0" /&gt;&lt;/a&gt; it and contracted a consulting firm to implement it. They did, and left them with documentation just as any good firm would. Years later, policies required updating, certs started expiring, a web services API was requested, redundancy was removed/neglected, and general failures became more frequent. I rummaged through old docs, and found a diagram from existing documentation (sanitized).&lt;br /&gt;Besides the components shown, there was a BEA server that hosted the management interface, as well as a web services wrapper for the WAM API, and of course, agents on each web server.   The infrastructure also included a CA used exclusively for the WAM environment (don't ask), and was therefore considered part of the same admin burden. &lt;br /&gt;The client wasn't especially tech savvy, and explaining the difference between an authorization server, dispatcher, and entitlements server, how to ensure they were appropriately set up in failover mode, and how to troubleshoot when specific problems arose wasn't particularly easy.  Most importantly, it wasn't the client's "fault" - they had a host of other applications they were tasked with managing (including a metadirectory, provisioning solution, security event management, directory services, etc.), and handling a WAM solution was just another component waiting to be neglected.&lt;br /&gt;I don't think that this is an unusual scenario. 
Now even if the complexity level were cut in half, it's still quite a bit of infrastructure to handle for an admin staff that is already overburdened.  Now imagine someone offers all of this in a hosted model, and a pretty appliance (or 2) in your infrastructure that you really don't have to worry about managing...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-1803220166877962440?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/1803220166877962440/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=1803220166877962440' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/1803220166877962440'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/1803220166877962440'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/09/is-wam-complex.html' title='Is WAM Complex?'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_BO38LdeeNVA/SM-TBfx_SuI/AAAAAAAAABQ/uO7C6LuUzM8/s72-c/engmt_diagram1.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-1923697736461031050</id><published>2008-09-15T07:48:00.004-04:00</published><updated>2008-09-16T07:25:30.356-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='web access management'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Sympified'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>My Latest IdM Crush</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.issa-okc.org/sponsor_img/Symplified.png"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 320px;" src="http://www.issa-okc.org/sponsor_img/Symplified.png" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;At &lt;a href="http://public.cxo.com/conferences/index.html?conferenceID=24"&gt;DIDW&lt;/a&gt;, I got a chance to sit down and chat with Eric Olden, CEO of &lt;a href="http://www.symplified.com/"&gt;Symplified&lt;/a&gt;. Symplified brings Web Access Management into the SaaS world. Their approach resonated with me immediately.&lt;br /&gt;A few clients we had just been dealing with over the past weeks had "fires" that needed containing.  For one client, after 48 hours of dispatching consultants, phone calls to support, and just hard core technical work, all was well...for the time being. Soon after, another client had a similar situation. Things were going down all over the place, and no one knew why. After significant investigative work, the culprits were found and dealt with.  But the real culprit wasn't a person or an inopportune config change. The real underlying problem was a complex (and perhaps antiquated) IdM infrastructure put in place by a team of consultants years ago coupled with an IT team that didn't provide the identity management infrastructure the appropriate level of care and feeding.  Unfortunately, this toxic combination is not uncommon in mid market enterprises.&lt;br /&gt;Enter Symplified. Anyone who knows identity knows that WAM infrastructures are rather complex. Agents, proxy servers, APIs, Policy Servers and a host of other moving parts.  Eric walked me through Symplified's approach to "symplifying" (get it? 
I just did) this complexity.  Think of a proxy based WAM architecture. Symplified provides an "identity router", which is an appliance dropped in the client's infrastructure that acts as the proxy.  All traffic to protected apps gets routed through the identity router, which acts as the policy decision point as well as the policy enforcement point.  Identity data can be consumed from your existing identity stores. For example, you could have the router point to AD to pick up users, but policy information is stored in the router itself.  So where does the SaaS component fit in? The admin interface is hosted in Symplified's SAS 70 Type II data center and allows access policies to be defined. Once completed, the policies can be pushed down to the identity router in the client environment.  Symplified also provides a slick option to deliver the identity router as a virtual appliance. They call it the GTV form factor, and it can run in an existing ESX environment.&lt;br /&gt;&lt;br /&gt;The last word: the client has less infrastructure to manage. 
Compare this to the number of components in your typical agent based WAM solution, and the value Symplified is providing should be pretty obvious.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-1923697736461031050?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/1923697736461031050/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=1923697736461031050' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/1923697736461031050'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/1923697736461031050'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/09/my-lastes-idm-crush.html' title='My Latest IdM Crush'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-3407958612076217776</id><published>2008-09-08T16:31:00.004-04:00</published><updated>2008-09-08T16:39:20.784-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='virtual directory'/><title type='text'>The VDS Use Case</title><content type='html'>I attended &lt;a href="http://www.radiantlogic.com/main/"&gt;Radiant Logic&lt;/a&gt;'s workshop today at &lt;a href="http://public.cxo.com/conferences/index.html?conferenceID=24"&gt;DIDW&lt;/a&gt;.  
An interesting tidbit that they shared with us was that a whopping 90% of field usage of virtual directories today is around solving authentication problems.&lt;br /&gt;Given all the &lt;a href="http://360tek.blogspot.com/2006/03/common-virtual-directory-scenarios.html"&gt;wonderful&lt;/a&gt; &lt;a href="http://blogs.sun.com/sduloutr/entry/virtual_directory_use_case_entry"&gt;use&lt;/a&gt; &lt;a href="http://www.nkmk.ru/portals/abd/im104/B28196_01/idmanage.1014/b31291/ovd.htm"&gt;cases&lt;/a&gt; that virtual directories solve, I'm a bit surprised by the lopsided real world usage. For folks in this space, is this what you're seeing as well?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-3407958612076217776?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/3407958612076217776/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=3407958612076217776' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/3407958612076217776'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/3407958612076217776'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/09/vds-use-case.html' title='The VDS Use Case'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-7591253574944075347</id><published>2008-08-22T10:20:00.004-04:00</published><updated>2008-08-22T10:34:06.267-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='phil windley'/><category scheme='http://www.blogger.com/atom/ns#' term='startup advice'/><title type='text'>Words of Wisdom: Sell Early</title><content type='html'>Phil Windley has a &lt;a href="http://www.windley.com/archives/2008/08/starting_a_high_tech_business_sell_before_youre_ready.shtml"&gt;fantastic post&lt;/a&gt; giving good startup advice. The basic idea is, don't wait to sell your product/service. Never wait until it's "ready", because chances are, you'll never think it's really ready.  An eye opening point he makes is that selling to customers and speaking with them helped him up his pitch-game more than talking to VCs and raising capital.&lt;br /&gt;&lt;blockquote&gt;As a consequence of all this, I wish we’d been positioned to start selling well before we started raising money.  Unfortunately, because of various timing issues and our own understanding, things didn’t work out that way.  If I do this again, I’ll start selling much earlier.&lt;/blockquote&gt;A question that pops into my head: is there a point where you are just too raw to go out there with your product? I suppose there is an inverse relationship between how ready your app is and the patience (and free-time) of your first customers. 
Anyhow, keep 'em coming, Phil.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-7591253574944075347?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/7591253574944075347/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=7591253574944075347' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7591253574944075347'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7591253574944075347'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/08/words-of-wisdom-sell-early.html' title='Words of Wisdom: Sell Early'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-2449425790714134721</id><published>2008-08-07T10:34:00.003-04:00</published><updated>2008-08-08T18:10:59.366-04:00</updated><title type='text'>The Worst IdM Product Review Article. Ever.</title><content type='html'>A product review should...umm...review the product. Talk about the features, where it shines, where it doesn't, etc.  &lt;a href="http://www.securecomputing.net.au/Review/73545,mtech-id-synch-and-p-synch.aspx"&gt;This one&lt;/a&gt; in specific is just really, really bad. (I'm not saying anything against the product, just the review.)  Here are a few nuggets:&lt;br /&gt;&lt;blockquote&gt;The P Synch package performs the single sign-on component of identity management. 
The ID Synch package is primarily a web-based package that uses SSL for protecting the data during transmission.&lt;/blockquote&gt;&lt;br /&gt;...now that is just wrong info.&lt;br /&gt;&lt;blockquote&gt;The web-based configuration of the M-Tech product suites felt intuitive and easy to understand. For example, each of the major headings in the menus reflected commonly used terms in the field of identity management.&lt;/blockquote&gt;...?&lt;br /&gt;&lt;blockquote&gt;The PDF files are large and a more advanced search function could also help speed the reader’s search to find the correct passage.&lt;/blockquote&gt;&lt;br /&gt;...are you listening adobe?&lt;br /&gt;&lt;br /&gt;Apologies for the sarcasm this morning.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-2449425790714134721?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/2449425790714134721/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=2449425790714134721' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/2449425790714134721'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/2449425790714134721'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/08/worst-idm-product-review-article-ever.html' title='The Worst IdM Product Review Article. 
Ever.'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-475711367466853766</id><published>2008-07-08T20:20:00.003-04:00</published><updated>2008-07-08T20:36:25.060-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual directory'/><title type='text'>More on Virtual Directory Pervasiveness</title><content type='html'>Nishant and Clayton Donley have written some solid responses to my last post (and Jeff Bohren's&lt;a href="http://idlogger.wordpress.com/2008/07/08/directories-virtual-directories-and-vendor-independence/"&gt; post&lt;/a&gt;) &lt;a href="http://blogs.oracle.com/talkingidentity/2008/07/to_ad_or_not_to_ad.html"&gt;here&lt;/a&gt;, &lt;a href="http://blogs.oracle.com/clayton/2008/07/re_metadirectories_not_dead_th.html"&gt;here&lt;/a&gt; and &lt;a href="http://blogs.oracle.com/clayton/2008/07/is_connecting_to_multiple_dire.html"&gt;here&lt;/a&gt;. 
(You've gotta love the responsiveness of the Oracle folks!)&lt;br /&gt;I'd love to hear their thoughts regarding apps that seek to leverage some of the benefits from "advanced integration" with AD, as Jackson Shaw mentions in an &lt;a href="http://jacksonshaw.blogspot.com/2007/08/does-your-application-support-active.html"&gt;old post&lt;/a&gt; (please don't ask me to explain them out)...&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;"...But I'm really interested in advanced integration with Active Directory like "serverless bind", Group Policy integration, the ability to modify permissions on resources...automatic failover in an Active Directory environment without any additional hardware or software..."&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;The comments section of the post is pretty interesting, given our current discussion.  But putting that aside, would it be possible to leverage some of these AD specific capabilities, but benefit from abstraction using a virtual directory at the same time?  Perhaps something like a virtual directory plug-in that allows an app to leverage some of the AD specific capabilities mentioned above, but still allow a COTS app that expects to see data in a specific way (e.g. 
shallow trees) to leverage a virtual directory to ensure that data is represented appropriately?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-475711367466853766?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/475711367466853766/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=475711367466853766' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/475711367466853766'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/475711367466853766'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/07/more-on-virtual-directory-pervasiveness.html' title='More on Virtual Directory Pervasiveness'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-7600535385244059290</id><published>2008-07-08T11:39:00.004-04:00</published><updated>2008-07-08T11:56:23.432-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual directory'/><category scheme='http://www.blogger.com/atom/ns#' term='metadirectory'/><title type='text'>Pervasiveness of Virtual Directories?</title><content type='html'>Does anyone know what the actual market penetration of virtual directories is?  
How many mid to large sized organizations actually use a virtual directory in their infrastructure? With all the debate on virtual directory vs. metadirectory recently in the blogosphere, one of Nishant's  &lt;a href="http://blogs.oracle.com/talkingidentity/2008/07/getting_the_last_word_in_on_me.html"&gt;comments&lt;/a&gt; caught me off guard, when he was responding to &lt;a href="http://360tek.blogspot.com/2008/07/metadirectories-arent-dead-theyre-just.html"&gt;Matt's statement&lt;/a&gt; that there "...has been a ground swell of apps that directly support Active Directory as the user store":&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"And how are more applications supporting AD anyway? A lot of that has to do with the emergence of Virtual Directory solutions. A number of applications in the Oracle stable today claim to support AD as the identity store. The mechanism for all these is moving to Virtual Directory NOT because Oracle has a Virtual Directory product, but because maintaining adapters/connectors/plugins and what have you for all LDAP variants is a colossal nightmare."&lt;/blockquote&gt;&lt;br /&gt;Woah...that is a huge claim there.  Is it possible that the "ground swell of apps that directly support Active Directory" is due to the "emergence of Virtual Directory solutions"?&lt;br /&gt;Although I usually find what Nishant has to say thought provoking, and the fact that every organization should be running a virtual directory solution is pretty evident by now, that claim sounds pretty absurd to me.  What are the actual market numbers of the virtual directory solutions in production? (I know Radicati had some numbers around this, although I haven't gotten my hands on the paper yet.) Now compare that to the number of companies running AD.  Even without the numbers, I think that Nishant is way off here.  
App support for AD is due to its undeniable pervasiveness, not because of the emergence of virtual directory technology.&lt;br /&gt;&lt;br /&gt;Jeff Bohren has some interesting &lt;a href="http://idlogger.wordpress.com/2008/07/08/directories-virtual-directories-and-vendor-independence/"&gt;comments&lt;/a&gt; on the same post. Check it out.</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/7600535385244059290/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=7600535385244059290' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7600535385244059290'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7600535385244059290'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/07/pervasiveness-of-virtual-directories.html' title='Pervasiveness of Virtual Directories?'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-6095274045499679202</id><published>2008-07-03T22:58:00.004-04:00</published><updated>2008-07-03T23:49:00.088-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ESSO'/><category scheme='http://www.blogger.com/atom/ns#' term='healthcare'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>ESSO/Context 
and Healthcare, In the Trenches (Part 3)</title><content type='html'>In my last post, I promised to go a bit deeper on the technical side.  Instead of reinventing the wheel, there are a few docs that could provide a good starting point.  I think &lt;a href="http://mediaproducts.gartner.com/reprints/passlogix/150863.html"&gt;Gartner's report&lt;/a&gt; provides a decent high level technical overview of the products out there, although the vendor analysis seemed a bit superficial.  The most notable area from the report is the "Architectural Differences" section.&lt;br /&gt;&lt;br /&gt;The following is a terse explanation of how it works:&lt;br /&gt;&lt;blockquote&gt;ESSO tools serve as a proxy between client devices and target systems. Target systems still maintain independent credential stores and will present their own unique, sign-on prompts to users' client devices. ESSO tools provide various mechanisms to sense sign-on, password and password change prompts for different target systems. Automated sign-on logic can fail when sign-on or password update prompts change with new releases of target applications or operating systems (OSs).&lt;/blockquote&gt;Two-tiered architectures will require schema modifications in AD (or whichever repository is being utilized), although they get to leverage the benefits of your directory services infrastructure, like redundancy, fault-tolerance and performance.  N-tiered approaches require a separate set of ESSO boxes (midtier architectural components) - i.e. more stuff to maintain, and vendors in this world tend to battle on how many concurrent users their boxes could handle (Don't confuse the number of users on a box with the number of concurrent connections the box could handle. Sales folk love to muddle those two).    On the other hand, this approach may prove useful if your directory infrastructure leaves something to be desired, or if your data is dispersed in more than one repository.  
In that case, a synchronization strategy is pretty typical from the various data repositories to the internal ESSO repository.  Although I have yet to see it, I would love to see an ESSO/Virtual Directory model here.  On paper, this seems like an elegant solution, allowing (for example) physician data to remain in eDirectory, employee data in AD, and the ESSO solution pointing to the Virtual Directory that intelligently routes requests based on user type.  At least this would not mangle things with a metadirectory, though I'm not about to get into the whole 'metadirectory is dead/almost dead' debate.&lt;br /&gt;&lt;br /&gt;Instead of going into depth on every ESSO feature, I've decided to put together a list of technical areas that are important differentiators.  Each vendor may have a different approach in dealing with the situations described below. Anyhow, these questions are a good place to start:&lt;br /&gt;&lt;br /&gt;* What directories does the ESSO solution support - in terms of storing ESSO data?&lt;br /&gt;* How are username changes managed? For example, someone changes their last name, and their username changes...how does the ESSO system manage that?&lt;br /&gt;* Every healthcare institution has a pretty involved Citrix environment.  How will it deal with physicians accessing applications externally through a portal? Will it still provide the appropriate ESSO experience?  Does the solution support authentication by generic accounts using virtual channel?&lt;br /&gt;* Most healthcare institutions have areas with shared workstations, in which generic accounts are used for authentication. How does the ESSO solution deal with that? What about multiple session private desktops?&lt;br /&gt;* How does the vendor support remote users (i.e. users connecting via VPN)? 
How does it support a user connecting via VPN from a non-domain controlled PC?&lt;br /&gt;* Does the solution support fast user switching?&lt;br /&gt;* How easy is it to integrate new applications?  Is the point and click wizard really that easy to use?  (In a POC, make sure your techies get hands-on.  An expert can make it look easy, so don't be fooled.)&lt;br /&gt;&lt;br /&gt;On another note, if you are looking for a detailed analysis of the vendor offerings, the KLAS report on ESSO and Context Management, at over 400 pages, is quite a comprehensive paper (sorry, I can't seem to find the link right now), and definitely better than Gartner's magic quadrant report from a vendor analysis perspective.&lt;br /&gt;&lt;br /&gt;Up next...a bit on Context Management.</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/6095274045499679202/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=6095274045499679202' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/6095274045499679202'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/6095274045499679202'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/07/essocontext-and-healthcare-in-trences.html' title='ESSO/Context and Healthcare, In the Trenches (Part 3)'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-8811404269973574594</id><published>2008-07-01T07:13:00.004-04:00</published><updated>2008-07-01T09:23:22.721-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='idaas'/><category scheme='http://www.blogger.com/atom/ns#' term='saas'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='managed identity services'/><title type='text'>IDaaS, Identity Services, SaaS-ish Identity, Whatever</title><content type='html'>Thanks &lt;a href="http://360tek.blogspot.com"&gt;Matt&lt;/a&gt;, for yet another &lt;a href="http://360tek.blogspot.com/2008/06/saas-ish-identity-management.html"&gt;wonderful term&lt;/a&gt;.&lt;br /&gt;I think we've got to settle on some terms here. I recall a presentation by Earl Perkins of Gartner some time back distilling the distinct notions that are all referred to as "Identity Services."  According to Mark Dixon's &lt;a href="http://blogs.sun.com/identity/entry/catalyst_a_new_era_in"&gt;recap&lt;/a&gt; of Lori Rowland's presentation at Catalyst this year (I didn't get to go, and no, I'm not bitter), "&lt;span style="font-style: italic;"&gt;Burton has encouraged Fischer to "give back" the "Identity as a Service" term to the industry.&lt;/span&gt;"  Anyhow, putting that problem on the side for now, I think Matt was referring to what the industry &lt;span style="font-style: italic;"&gt;seems&lt;/span&gt; to be settling on as Managed Identity Services.  
I like Andrew Cser's &lt;a href="http://blogs.forrester.com/srm/2007/08/two-faces-of-id.html"&gt;breakdown&lt;/a&gt;, which refers to it as an offering where "...a Managed Service Provider (MSP) provides on-site or off-site services to the customer, such as provisioning, directory management, or operation of a single sign-on service."&lt;br /&gt;&lt;br /&gt;In Matt's post, he states,&lt;br /&gt;&lt;blockquote&gt;"I don't think security or reliability is a good argument against buying into IdM as a service. Data can be encrypted. Admin activity can be monitored. Redundancy can be built-in."&lt;/blockquote&gt;Well said, Matt. Even a completely hosted solution like &lt;a href="http://www.symplified.com"&gt;Symplified&lt;/a&gt; (which is a true SaaS offering - as opposed to Matt's &lt;span style="font-style: italic;"&gt;SaaS-ish&lt;/span&gt;), can get around the security concerns, and even &lt;a href="http://symplified.com/uploads/Symplified-SinglePoint-Announcement.pdf"&gt;claim&lt;/a&gt; that they'll do a better job at it.&lt;br /&gt;&lt;blockquote&gt;"The Symplified Identity Cloud combines a highly scalable grid architecture with massively multi-tenant design, and is housed in a secure SAS 70 Type II data center. This level of security is unmatched by mid market enterprises and many of the world’s largest organizations."&lt;/blockquote&gt;&lt;blockquote&gt;"The Identity Cloud resides in a hardened data center with enterprise-class security monitoring and defenses. A virtual private LDAP directory and 256-bit AES encryption secures credentials."&lt;/blockquote&gt;&lt;br /&gt;So, theoretically, the technology is there for security. But in my experience selling Managed Identity Services, the biggest concern is that customers are just not comfortable "outsourcing" the business processes that are so intrinsically tied and specific to their corporation.  
A SaaS model wouldn't necessarily face this hurdle, although a managed services model would.  Customers still want to be involved somehow, but can't clearly elucidate why.  In my opinion, the reason is more emotional than rational.  The market just isn't ready, emotionally, to completely outsource the management of their IdM systems.  The whole thing seems so tied to their environment, to their business processes, that handing the management over to a third party just feels wrong.&lt;br /&gt;&lt;br /&gt;Ian Yip has some &lt;a href="http://blog.ianyip.com/2007/07/managed-identity-services-are-hard-sell.html"&gt;interesting insights&lt;/a&gt; into this point:&lt;br /&gt;&lt;blockquote&gt;"IDM is like taking HR functions, "one-of-a-kind" custom business processes, all your people and all your IT systems and throwing these together into a mixing bowl and hoping you get a nice cake out of it. It usually takes a few attempts before you can even get a simple sponge cake. The first few attempts usually result in some inedible mess of a cake that you give to the dog to eat while you go try again. Problem with IDM is that there is no dog. You have to eat it yourself while trying to figure out why you've got dog food.&lt;br /&gt;&lt;br /&gt;All the variables make IDM outsourcing destined to fail (for now). There are too many moving parts. Business processes are too specific to your organisation (e.g. every bank has different processes for the same thing). You're kidding yourself if you think you can make it someone else's problem just by outsourcing it. IDM will never be someone else's problem. It is always your own problem because you're managing YOUR users using YOUR business processes."&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;Although I agree that business processes are specific, my experience differs from Ian's claim that IdM can't be outsourced. 
I've been personally involved in accomplishing exactly this for clients (although we did the implementation to begin with, so that made it a lot easier).   Matt sums it up well: "I think most companies are already outsourcing IdM – they just do it on a project basis..."&lt;br /&gt;I think that the only solution is a pragmatic one, where there is shared management. The customer can still feel "in control", but hand over day to day ops to a third party.  Controls can be put in place that allow customers to enter requests, accept or reject change requests, approve any fixes, and have transparency into any and all changes that go through.  Focus on "control" (and honest discussions regarding the caveats) in conversations with customers, and they'll end up going a heck of a lot smoother.  Also, the actual management goes smoother as well.  Customers get to gradually let go, and initially lean on the service provider as a very knowledgeable augmentation to their staff.  Once the comfort level sets in, customers can lean a bit harder, grant "persistent approvals" for break/fix scenarios, and reduce management staff for identity.</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/8811404269973574594/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=8811404269973574594' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/8811404269973574594'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/8811404269973574594'/><link rel='alternate' type='text/html' 
href='http://identityman.blogspot.com/2008/07/idaas-identity-services-saas-ish.html' title='IDaaS, Identity Services, SaaS-ish Identity, Whatever'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-5007606513076837427</id><published>2008-06-25T20:32:00.002-04:00</published><updated>2008-06-25T20:36:25.867-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='financial model'/><title type='text'>Financial Model - Tips for Startups</title><content type='html'>If you're an entrepreneur, &lt;a href="http://blog.guykawasaki.com/2007/10/financial-model.html"&gt;this&lt;/a&gt; is gold.  Real data!&lt;br /&gt;This is the stuff I get to read while everyone else is having fun at &lt;a href="http://www.burtongroup.com/"&gt;Catalyst&lt;/a&gt;. 
There's always next year.</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/5007606513076837427/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=5007606513076837427' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/5007606513076837427'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/5007606513076837427'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/06/financial-model-tips-for-startups.html' title='Financial Model - Tips for Startups'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-1259728618166786416</id><published>2008-06-17T14:58:00.005-04:00</published><updated>2008-06-19T18:16:34.603-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ESSO'/><category scheme='http://www.blogger.com/atom/ns#' term='context management'/><category scheme='http://www.blogger.com/atom/ns#' term='healthcare'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>ESSO/Context and Healthcare, in the Trenches (Part 2)</title><content type='html'>In my last post, I focused on the first lesson: In-House Homework first, Hold Back the Vendors.  
In this post I'll go on to speak about the importance of executive sponsorship as well as the application inventory.&lt;br /&gt;&lt;br /&gt;Executive Sponsorship&lt;br /&gt;&lt;br /&gt;I think a ton has been written about this so I won't go into detail. I'll give two live examples.  The first example was from a client that was seeking a Provisioning solution. We spent significant time with the right folks, or at least we thought they were the right folks. According to titles and apparent job function, we had an executive sponsor on board for the project. We identified a solid road map, the right resources on both sides of the fence, everything seemed dapper.  At the last moment (and I mean legal approved contracts, pens were drawn), the CIO pulled the plug on the project by simply stating, 'I don't like this solution.'   Everyone was baffled.&lt;br /&gt;Example number two has a more positive ending.  This time, the correct executive sponsor is in place.  The organization is going through a massive re-org, and it seems that the project will continue running smoothly.  The project hasn't completed yet, but so far, so good.&lt;br /&gt;&lt;br /&gt;A lesson learned:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Lesson 2: Validate 'Executiveness'&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Even when a sponsor seems to have leverage, it's important to understand the dynamics of the relationships in the organization.  Each company is different with vastly different cultures. Does the sponsor's superior respect his or her decisions?  Does the person have a track record of pushing projects forward?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Application Inventory&lt;br /&gt;&lt;br /&gt;On to the application inventory.  What is an application inventory and why is it important?  I have yet to meet a Healthcare organization that has fewer than 50 apps.  The last one I've dealt with has 1400+!  
That means that for clients who wish to ESSO/Context enable their environment, we need to identify which applications exist in their infrastructure, how important they are for ESSO/Context Management enablement, the technical difficulty of enabling the application, etc.  This information will help provide relevant context for the usage of the applications and which applications to focus on first.&lt;br /&gt;&lt;br /&gt;Here is a list of things to document regarding each application:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;General info on the app: name, version, app owner, number of users, app function, etc.&lt;/li&gt;&lt;li&gt;Application type: client/server, web, terminal emulator, java, etc.&lt;/li&gt;&lt;li&gt;Does the client seek to SSO and/or Context enable this app? &lt;/li&gt;&lt;li&gt;What is the driver for enablement? Security reasons? Audit trail? &lt;/li&gt;&lt;li&gt;Ranking importance level for enablement. I.e., how badly does the client want to enable this app vs. other apps?&lt;/li&gt;&lt;li&gt;What are the processes around this app? (Login Screen(s), Login Success Screen(s), Login Failure Screen(s) - Note Different Screens based on User Role (Physician, Nurse, Admin, Staff, etc.))&lt;/li&gt;&lt;li&gt;Is the application CCOW enabled?    &lt;/li&gt;&lt;li&gt;Application Credentials - Does this application have its own credentials repository or share one with other applications?    Application Credential Submission - Does this application use auto submit? (Some applications require users to select printers - ESSO cannot auto submit.)&lt;/li&gt;&lt;li&gt;Is Change Password functionality supported by the application? (If Yes, does the application have a configurable expiration timer? What are the valid characters? Do you want to automate Change Password and Auto Generate Passwords?)    
&lt;/li&gt;&lt;li&gt;What is the business process of the application's Change Password feature? (Change Password Screen(s), Change Password Success Screen(s), Change Password Failure Screen(s) - Note Different Screens based on User Role (Physician, Nurse, Admin, Staff, etc.))&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;This should give you and your team a good handle on your existing application infrastructure vis-a-vis ESSO.  In my next post, I'm planning on taking a step back and talking a little about the technologies.</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/1259728618166786416/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=1259728618166786416' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/1259728618166786416'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/1259728618166786416'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/06/essocontext-and-healthcare-in-trenches.html' title='ESSO/Context and Healthcare, in the Trenches (Part 2)'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-9001566941175089223</id><published>2008-06-17T10:01:00.002-04:00</published><updated>2008-06-17T10:07:20.739-04:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='ESSO'/><category scheme='http://www.blogger.com/atom/ns#' term='federation identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='kpmg'/><category scheme='http://www.blogger.com/atom/ns#' term='healthcare'/><title type='text'>ESSO and Healthcare, in the Trenches (Part 1)</title><content type='html'>I've been involved in the early stages of a fairly large ESSO project as of late.  Since it's been a while since I've been involved hands-on with a project, I've decided to write a short series regarding my experiences.  The goal is to impart some practical lessons that a PM could use the next time they decide to undertake an Enterprise Single-Sign On project, with special emphasis on healthcare.&lt;br /&gt;&lt;br /&gt;I love working with healthcare institutions. There are always hundreds of apps to support, disparate teams with fragmented goals, and pushy users with lots of power (clinicians).  Sarcasm aside, it's always interesting given the unique landscape.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Lesson 1:  In-House Homework first, Hold Back the Vendors&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The client had been embarking on this project for nearly two years.  Out of the gate, they called every vendor under the sun to see which products fit their needs.  The problem was that they didn't clearly identify their needs up front.  The good news is that the client was smart enough to recognize their mistake. They put the vendor calls on hold (indefinitely), and decided to do some in-house homework. The client identified that improving the clinician's experience was their primary driver, which helped a ton with the steps to come (as I'll demonstrate in future posts).  
They followed this up with the following very intelligent steps:&lt;br /&gt;&lt;br /&gt;    * They garnered some serious executive sponsorship&lt;br /&gt;    * They completed a thorough application inventory&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;In my next post, I'll dive a little deeper into the two points above.  Anyhow, this experience rang loud, especially in light of the recent storm of articles on KPMG's Identity &amp;amp; Access Management Survey findings (&lt;a href="http://www.dofonline.co.uk/management/too-much-faith-in-technology-leads-to-lapses4652.html"&gt;here&lt;/a&gt;, &lt;a href="http://www.computerweekly.com/Articles/2008/06/16/231073/security-projects-fail-because-there-is-too-much-emphasis-on-technology-survey.htm"&gt;here&lt;/a&gt; and &lt;a href="http://www.itweek.co.uk/itweek/news/2219175/id-management-initiatives"&gt;here&lt;/a&gt;):&lt;br /&gt;&lt;br /&gt;"More than two thirds (68 per cent) of executives surveyed for KPMG’s 2008 European Identity &amp;amp; Access Management (IAM) Survey believe the effectiveness of projects is hampered because they put too much focus on technology and fail to address the organisational and procedural changes that are required.  As a result, only a handful, (11 per cent) are fully satisfied with the outcome of their IAM projects."&lt;br /&gt;&lt;br /&gt;Ouch...SIs better do something and quick.  
(I'm sure that KPMG has nothing to gain from that!)</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/9001566941175089223/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=9001566941175089223' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/9001566941175089223'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/9001566941175089223'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/06/esso-and-healthcare-in-trenches-part-1.html' title='ESSO and Healthcare, in the Trenches (Part 1)'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-2884663338757728186</id><published>2008-04-12T17:55:00.006-04:00</published><updated>2008-04-14T09:36:50.579-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='hipaa'/><category scheme='http://www.blogger.com/atom/ns#' term='healthcare'/><category scheme='http://www.blogger.com/atom/ns#' term='attestation'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>An Interesting Identity Management Use case for Healthcare</title><content type='html'>I've been meeting and talking with a number of healthcare customers, and thinking about common scenarios that identity technologies 
could be applied to.  And of course, you have the run of the mill common scenarios that address HIPAA (like ESSO, deprovisioning, etc...which are useful, but let's face it - common). But one scenario piqued my interest because it was pretty unique to healthcare, and really provided significant value to Healthcare IT in general, and to Compliance in particular.&lt;br /&gt;&lt;br /&gt;Remote physicians' offices often have access to a slew of clinical apps, such as applications that allow a physician or staff member of a remote office to view patient data, x-rays, lab results, etc.  In order to demonstrate compliance, some hospitals hire contractors to get in their cars, drive to each remote office (which could be in the 100s), and 'attest' which users still exist at that office, note changes to hires/fires, and each user's application access requirements.  Then they leave and drive to the next office.  This happens every 6 months or so as a part of the institution's compliance recertification efforts.&lt;br /&gt;&lt;br /&gt;Federation would be able to provide remote offices the capability to control authentication of accounts on their end, allowing the hospital to manage authorization profiles...but some (many) of these offices are just 2 or 3 people.  A doctor or two, maybe a nurse and a secretary. The only thing you could guarantee regarding their infrastructure is internet connectivity, never mind the skills and infrastructure to deploy a federation server.  Anyhow, this falls more into the&lt;span style="font-style: italic;"&gt; control&lt;/span&gt; category than the &lt;span style="font-style: italic;"&gt;audit&lt;/span&gt; category.&lt;br /&gt;&lt;br /&gt;On the other hand, Attestation fits perfectly here.  (Nishant wrote a good entry on attestation &lt;a href="http://blogs.oracle.com/talkingidentity/discuss/msgReader$24"&gt;here&lt;/a&gt;.) 
Instead of having a person drive around gathering a paper trail of access levels for accounts belonging to remote offices, provide the remote offices a web interface to attestation workflows, which allows them to periodically 'attest' to who is still there, who is new, and what they have access to. Simple, not technically complex, but darn useful. Clients love it because it addresses a real scenario with real benefits.  Sometimes the coolness of a use case has less to do with the technology, and more to do with how it makes otherwise painful tasks a little more bearable.</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/2884663338757728186/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=2884663338757728186' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/2884663338757728186'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/2884663338757728186'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/04/interesting-identity-management-use.html' title='An Interesting Identity Management Use case for Healthcare'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-5187210246758422204</id><published>2008-04-07T19:08:00.001-04:00</published><updated>2008-04-07T19:10:24.842-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='healthcare'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>Practical Identity Management for Healthcare</title><content type='html'>&lt;a href="http://www.healthcareguy.com"&gt;Shahid Shah&lt;/a&gt;, the Healthcare IT Guy, recently asked me to write up a guest post on his blog. &lt;a href="http://www.healthcareguy.com/index.php/archives/423"&gt;Here it is&lt;/a&gt;. Enjoy.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-5187210246758422204?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/5187210246758422204/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=5187210246758422204' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/5187210246758422204'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/5187210246758422204'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/04/practical-identity-management-for.html' title='Practical Identity Management for Healthcare'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-3629237461390691767</id><published>2008-03-26T11:47:00.005-04:00</published><updated>2008-03-26T12:16:48.806-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='open source'/><category scheme='http://www.blogger.com/atom/ns#' term='novell'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>Random Thoughts on Novell's Recent Press Releases</title><content type='html'>&lt;a href="http://www.novell.com/news/press/novell-approaches-6-000-customers-for-its-identity-and-security-management-solutions"&gt;Reaching 6000 users&lt;/a&gt;. Impressive, but how does it tally? Is it me, or does that sound high? How is that broken down per product? I'd also be interested in the &lt;a href="http://news.moneycentral.msn.com/ticker/article.aspx?Feed=PR&amp;amp;Date=20071213&amp;amp;ID=7941276&amp;amp;Symbol=NOVL"&gt;$33m they reported in revenues for Q4&lt;/a&gt; and how that breaks down per product. They categorize it under the "Identity and Security" umbrella, $30m of which came from identity... Is there a report that can help distill their real market share, as well as for other vendors? Either way, it's impressive. &lt;br /&gt;&lt;br /&gt;On another note, Novell's CTO Jeff Jaffe talks about FOSSA in &lt;a href="http://news.zdnet.co.uk/software/0,1000000121,39369887,00.htm"&gt;an interview&lt;/a&gt;, and describes Identity as one of the pillars.  When asked about how open-source their identity product line is, he honestly states:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Very little. We have some open-source projects; but it's still growing. 
From the point of view of where the customer wants go with agility, we need it all, but in practice it's going to mature at a different rate.&lt;br /&gt;&lt;/blockquote&gt;Given their interest in the open source space, I wonder if the folks at Novell are looking to &lt;a href="http://docs.safehaus.org/display/PENROSE/Home"&gt;existing open source initiatives&lt;/a&gt; in the identity space and how they might work together?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-3629237461390691767?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/3629237461390691767/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=3629237461390691767' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/3629237461390691767'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/3629237461390691767'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/03/random-thoughts-on-novells-recent-press.html' title='Random Thoughts on Novell&apos;s Recent Press Releases'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-5332729863455464741</id><published>2008-01-30T21:38:00.000-05:00</published><updated>2008-01-30T21:41:37.578-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management Neuenschwander burton mycroft'/><title 
type='text'>Neuenschwander, Burton Group, SIs and Philosophical Rantings</title><content type='html'>I haven't blogged in a while, but something in a &lt;a href="http://www.tmcnet.com/usubmit/2008/01/25/3231102.htm"&gt;press release&lt;/a&gt; a few days ago really got me thinking. Mike Neuenschwander recently left his position as Research Director for Identity at the Burton Group to join Mycroft, a systems integrator here in NY.&lt;br /&gt;&lt;br /&gt;My first reaction? Pretty impressed with those folks at Mycroft and their recruiting skills.&lt;br /&gt;&lt;br /&gt;My brief second thought was - is Mike going to be in NY now? And I wonder if I could pick his brain over lunch about Limited Liability Persona, Relational Continuity Sockets Layer, and guitar smashing.&lt;br /&gt;&lt;br /&gt;But then I started pondering another matter altogether: the relationship between theory and practice. Burton is mainly about research and advisory services, while System Integrators are all about practical implementations - where the rubber meets the road. Quite a contrast. Research, clean. Integrations, dirty. Research, what ought to be. Integration, what is. But then again, sometimes research describes what is.  I suppose I shouldn't write blog posts when I should be sleeping. 
But before I do that...note to self (and anyone who might be reading): figure out the role of "research and advisory services" for an integrator besides the typical introductory advisory services provided before selecting and implementing a solution.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-5332729863455464741?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/5332729863455464741/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=5332729863455464741' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/5332729863455464741'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/5332729863455464741'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2008/01/neuenschwander-burton-group-sis-and.html' title='Neuenschwander, Burton Group, SIs and Philosophical Rantings'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-3940964851107827035</id><published>2007-09-07T08:41:00.000-04:00</published><updated>2007-09-07T09:02:52.695-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management open source provisioning velo'/><title type='text'>Open Source Provisioning - VELO!</title><content type='html'>Earlier this week, Jim Yang and the open-source IdM folks at Safehaus released &lt;a 
href="http://docs.safehaus.org/display/VELO/Home"&gt;Velo&lt;/a&gt;, an open source provisioning solution.  These are the same guys who developed &lt;a href="http://docs.safehaus.org/display/PENROSE20/Home"&gt;Penrose&lt;/a&gt;, an open source virtual directory product.&lt;br /&gt;So as for all &lt;a href="http://identity-focus.com/2007/04/30/wheres-my-open-source-enterprise-idm-solution/"&gt;those asking&lt;/a&gt; for an open source solution in the provisioning space, here it is!  And unlike &lt;a href="http://www.diamelle.com/"&gt;other projects&lt;/a&gt; that make claims but nowhere to download and play, Velo is readily downloadable at &lt;a href="http://sourceforge.net/project/showfiles.php?group_id=200157&amp;package_id=237601&amp;amp;release_id=536971"&gt;sourceforge&lt;/a&gt;.&lt;br /&gt;Very very cool beans.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-3940964851107827035?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/3940964851107827035/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=3940964851107827035' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/3940964851107827035'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/3940964851107827035'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/09/open-source-provisioning-velo.html' title='Open Source Provisioning - VELO!'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-7839533708506888448</id><published>2007-09-05T07:30:00.000-04:00</published><updated>2007-09-05T07:41:07.997-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='gartner identity management courion sun'/><title type='text'>On Gartner's Provisioning Report, Notes and Inquiries</title><content type='html'>Gartner's User Provisioning report came out a few weeks back.  I had a few questions/thoughts about it. &lt;br /&gt;&lt;br /&gt;The first is the notable addition of Novell and Courion to the leaders quadrant.  Courion's addition is especially interesting, as it's now the only boutique in the leaders' quadrant, which says a lot about their product and market presence.  The fact that they could play with the big boys is notable, and I've seen a lot of clients asking more about their products lately.&lt;br /&gt;&lt;br /&gt;The second point is more of a question.  When speaking of Sun, they say that Sun "...also has a strategic commitment to open source, with open-source versions of its user-provisioning software...". Is that true? I haven't heard of it. I did &lt;a href="http://identityman.blogspot.com/2007/07/open-source-provisioningtoolkit.html"&gt;blog&lt;/a&gt; previously about openptk, but as I mentioned - that's not an open source version of Sun's provisioning application, but rather a toolkit. So what's the deal? 
Am I missing something or did the folks at Gartner goof?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-7839533708506888448?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/7839533708506888448/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=7839533708506888448' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7839533708506888448'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7839533708506888448'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/09/on-garters-provisioning-report-notes.html' title='On Gartner&apos;s Provisioning Report, Notes and Inquiries'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-5630020510270604107</id><published>2007-07-28T20:12:00.002-04:00</published><updated>2007-07-28T20:19:55.418-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management open source provisioning'/><title type='text'>Open Source Provisioning!!!...toolkit</title><content type='html'>I've been having a few conversations with colleagues about the absence of an open source solution for automated provisioning (keep an eye out here...something cool to come out soon), and then today, I made my way to the &lt;a href="http://www.openptk.org/"&gt;openptk&lt;/a&gt; website.&lt;br /&gt;&lt;br /&gt;Now, I 
know that these guys don't have an actual provisioning solution, but rather a toolkit of APIs, web services, HTML taglibs, etc. that plug into existing provisioning solutions.  Unfortunately, there isn't a lot of info on their site, but it's &lt;span style="font-weight: bold;"&gt;absolutely intriguing&lt;/span&gt;. Affiliations aren't hidden - all three contributors are Sun employees, and their site clearly says: "The architecture supports several pluggable back-end services including Sun's Identity Manager, Sun's Access Manager and LDAPv3."...but theoretically, this could plug into any provisioning solution, or am I being too optimistic?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-5630020510270604107?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/5630020510270604107/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=5630020510270604107' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/5630020510270604107'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/5630020510270604107'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/07/open-source-provisioningtoolkit.html' title='Open Source Provisioning!!!...toolkit'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-4718914087034850812</id><published>2007-07-28T20:07:00.000-04:00</published><updated>2007-07-28T20:11:16.710-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management processes'/><title type='text'>IdM Processes...Existing vs. Future</title><content type='html'>Corbin Links put together a &lt;a href="http://www.linksbusinessgroup.com/blog/2007/07/27/iam-idm-suites-tools-implement-is-not-the-issue/"&gt;thought provoking post&lt;/a&gt; the other day on identity management implementations, and how companies are looking for a magic tool that could resolve their identity management woes, when they should primarily be focusing on their processes.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"Don’t start with the tool. Don’t start with even thinking about vendors. Don’t think “gee, now that we have fully committed to Identity and Access Management we will just outsource the whole thing, and a third party will take care of our business process for us.” Instead, make the commitment to work through processes. Don’t worry yet about higher-level tasks such as “role engineering” and “compliance baselining.” If you start there, chances are it will not be worth the paper it’s printed on by the next fiscal quarter. Instead, collect processes. Start with “business snippets” and work up from there."&lt;/blockquote&gt;&lt;br /&gt;This got me thinking of a conversation I had with a few folks who are part of the professional services arm of an IdM vendor about this (although this may not be what Corbin was hinting at), and the individual was educating me on how they engage a client on an IdM project.  
His advice: don't waste too much time on their existing processes, because they are going to change anyway.&lt;br /&gt;&lt;br /&gt;I suppose this advice works (even then, only partially) for a company that is willing to completely change existing processes based on advice given by a few individuals that probably know little to nothing about their business - which I can't imagine are many.&lt;br /&gt;&lt;br /&gt;One notable exception is the companies in the SMB market.  My definition for SMB companies from an identity perspective lies between 200 and 2000 (perhaps that's a little generous).  There are many companies in this space that have the regulatory pressures, but are typically flexible to change their processes to "template processes".&lt;br /&gt;&lt;br /&gt;Nonetheless, for companies that don't fall into this category, regardless of size, the question is - what are the inherent dangers of glossing over existing processes, and focusing most of the attention on future processes?  Perhaps missing some of the "must-haves" in new processes, but not necessarily.  
With that being said, time for a movie...to be continued?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-4718914087034850812?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/4718914087034850812/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=4718914087034850812' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/4718914087034850812'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/4718914087034850812'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/07/idm-processesexisting-vs-future.html' title='IdM Processes...Existing vs. Future'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-7115255781142391649</id><published>2007-07-02T13:01:00.000-04:00</published><updated>2007-07-02T13:04:11.599-04:00</updated><title type='text'>Apple's New Product (not the iPhone)</title><content type='html'>Yup...got the iPhone. Love it, but getting used to the keyboard. 
&lt;br /&gt;&lt;br /&gt;So - Apple is already launching new products...&lt;a href="http://www.theonion.com/content/news/apple_unveils_new_product"&gt;take a look&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Am I obsolete already?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-7115255781142391649?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/7115255781142391649/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=7115255781142391649' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7115255781142391649'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7115255781142391649'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/07/apples-new-product-not-iphone.html' title='Apple&apos;s New Product (not the iPhone)'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-3311105734032119692</id><published>2007-06-21T18:13:00.001-04:00</published><updated>2008-12-11T07:26:17.733-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='anonymity'/><title type='text'>On Anonymity</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_BO38LdeeNVA/Rnr4Lq5YT8I/AAAAAAAAAAw/30-Hbj8zbq0/s1600-h/onanonymity.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; 
text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_BO38LdeeNVA/Rnr4Lq5YT8I/AAAAAAAAAAw/30-Hbj8zbq0/s320/onanonymity.jpg" alt="" id="BLOGGER_PHOTO_ID_5078644409190862786" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;www.gapingvoid.com&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-3311105734032119692?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/3311105734032119692/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=3311105734032119692' title='9 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/3311105734032119692'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/3311105734032119692'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/06/on-anonymity.html' title='On Anonymity'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_BO38LdeeNVA/Rnr4Lq5YT8I/AAAAAAAAAAw/30-Hbj8zbq0/s72-c/onanonymity.jpg' height='72' width='72'/><thr:total>9</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-6051502704333569113</id><published>2007-06-21T12:43:00.000-04:00</published><updated>2007-06-21T13:02:22.921-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='federation identity management'/><title type='text'>Federation Woes</title><content 
type='html'>Techtarget has an &lt;a href="http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1261754,00.html"&gt;insightful article&lt;/a&gt; on the difficulties surrounding Federation and its abilities to penetrate the market.  A lot of the content arises from Burton Group's Neuenschwander, and his work on the topic.  Neuenschwander eloquently sums it up: "Businesses have inescapable constraints and markets are brutally pragmatic."&lt;br /&gt;&lt;br /&gt;Very true.  In my experience, companies who may have a business need for managing authentication and authorization for externally facing apps more effectively with specific partners - BUT don't view it as absolutely critical for their business will opt not to deploy federation for two reasons:&lt;br /&gt;&lt;br /&gt;1. The invasiveness of the technology vis-a-vis the partner's environment. i.e. the requirement of deploying a federation server in the client environment.&lt;br /&gt;2. The legal ramifications involved as to liability and data ownership ("&lt;span class="artText"&gt;who owns the data associated with various identities and who has the final say when the data doesn’t agree")&lt;/span&gt; ... Phil Windley has written some &lt;a href="http://www.infoworld.com/article/06/03/24/76298_13FEfedidchal_1.html?s=feature"&gt;interesting points&lt;/a&gt; regarding this.&lt;br /&gt;&lt;br /&gt;I've dealt with a number of companies that were very interested in the technology, but decided to go with other, less elegant solutions because of the complications involved with these two concerns.  On the other hand, when the business case is strong enough - federation is a wonderful solution.&lt;br /&gt;&lt;br /&gt;A few years back when I got interested in federation, I was very impressed and was looking forward to helping federate the world.  Unfortunately, it didn't turn out that way. As Neuenschwander stated...  
"the world isn't as it is in developers' dreams...businesses have inescapable constraints and markets are brutally pragmatic."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-6051502704333569113?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/6051502704333569113/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=6051502704333569113' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/6051502704333569113'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/6051502704333569113'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/06/federation-woes.html' title='Federation Woes'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-4649067631058907890</id><published>2007-06-21T10:25:00.000-04:00</published><updated>2007-06-21T10:29:53.517-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='iphone verizon seidenberg'/><title type='text'>Wireless Sour Grapes</title><content type='html'>Verizon CEO: "We need to let iPhone hit the market and see what then reaction is," Seidenberg said. "It doesn't change our game plan. The burden is on [AT&amp;T and Apple] to see if the market will change."&lt;br /&gt;&lt;br /&gt;Burden on AT&amp;amp;T? 
Verizon could lose a million subscribers, they've lost the innovation battle (Prada?), and it seems that they'll be content with a healthy second place.  How's that for leadership?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-4649067631058907890?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/4649067631058907890/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=4649067631058907890' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/4649067631058907890'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/4649067631058907890'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/06/wireless-sour-grapes.html' title='Wireless Sour Grapes'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-2301453758154859193</id><published>2007-05-08T12:15:00.000-04:00</published><updated>2007-05-08T12:28:08.162-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='rapid identity management'/><title type='text'>Thoughts on Rapid Identity</title><content type='html'>An interesting quote I pulled off of Mark Dixon's &lt;a href="http://blogs.sun.com/identity/entry/identity_trends_javaone"&gt;Identity Trends Presentation&lt;/a&gt; from JavaOne.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;“I have recently noticed customers more willing to adapt 
their business process to out-of-the-box capabilities and industry best practices. There seems to be a large shift in maximizing costs and conforming to standards based provisioning. If this trend continues to thrive, average implementation costs and maintainability will become more palatable for customers looking to get the most out of their phased identity deployments.”&lt;br /&gt;- Robb Harvey&lt;/blockquote&gt;&lt;br /&gt;Well said.  Also, here are some points from Mark:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;• Template-driven rapid implementation methods will be used to reduce Identity Management&lt;br /&gt;implementation time and cost.&lt;br /&gt;• Best practices captured in rapid deployment tools will allow enterprises to minimize customization and increase system effectiveness.&lt;br /&gt;• Rapid implementation tools will allow Identity Management systems to be deployed in smaller enterprises.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;It's an interesting notion for business process to morph to templates.  I recall when I first started in the identity space, that was the battle we would try to win. Never did though...business processes, however warped they might have been, would for the most part remain the same and we would architect the identity solution around it.  Regarding the SMB market, I would have to agree that they are definitely more flexible...but the template approach is extremely difficult for me to envision coming to fruition.  Even with our iRim product (Identropy Rapid Identity Management), our prepackaged workflows end up going through some rigorous tweaking before clients are happy.  
But I must admit that there is an inverse relationship between the size of our library and the amount of tweaking we do.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-2301453758154859193?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/2301453758154859193/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=2301453758154859193' title='10 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/2301453758154859193'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/2301453758154859193'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/05/thoughts-on-rapid-identity.html' title='Thoughts on Rapid Identity'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>10</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-6199657643133386234</id><published>2007-04-11T19:24:00.000-04:00</published><updated>2007-04-11T19:36:41.612-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='kerberos primer'/><title type='text'>Kerberos, a la Shakespeare</title><content type='html'>I just read an excellent &lt;a href="http://web.mit.edu/kerberos/www/dialogue.html"&gt;Kerberos primer &lt;/a&gt;in the form of a play, complete with &lt;a href="http://web.mit.edu/kerberos/www/dialogue.html#personae"&gt;Dramatis Personae &lt;/a&gt;and Scenes. 
Athena and Euripides exchange thoughts on open network environments, and validating identities. Identity was relevant back then just as it is today...here's a small excerpt:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;p&gt;&lt;strong&gt;Euripides:&lt;/strong&gt; Your workstation system sounds really good Tina. When I get mine, you know what I'm going to do? I'm going to find out your username, and get my workstation to think that I am you. Then I'm going to contact the mail server and pick up your mail. I'm going to contact your file server and remove your files, and-- &lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Athena: &lt;/strong&gt;Can you do that? &lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Euripides:&lt;/strong&gt; Sure! How are these network servers going to know that I'm not you? &lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Athena:&lt;/strong&gt; Gee, I don't know. I guess I need to do some thinking. &lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Euripides: &lt;/strong&gt;Sounds like it. Let me know when you figure it out. 
&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-6199657643133386234?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/6199657643133386234/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=6199657643133386234' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/6199657643133386234'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/6199657643133386234'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/04/kerberos-la-shakespeare.html' title='Kerberos, a la Shakespeare'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-7537973037847893681</id><published>2007-04-09T10:35:00.000-04:00</published><updated>2007-04-09T10:52:40.259-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Protecht'/><category scheme='http://www.blogger.com/atom/ns#' term='acquisition'/><category scheme='http://www.blogger.com/atom/ns#' term='Integralis'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='Identropy'/><title type='text'>More IdM Services Company Acquisitions</title><content type='html'>Two more, to be exact...the first is our very own &lt;a 
href="http://www.identropy.com"&gt;Identropy&lt;/a&gt;, which is in &lt;a href="http://www.identropy.com/pr.pdf"&gt;agreement &lt;/a&gt;with Earthling Security to acquire it. Although Earthling is more of a general security company, IdM was the major part of the reasoning for the acquisition.&lt;br /&gt;Secondly, a &lt;a href="http://www.cpilive.net/v3/inside.aspx?scr=n&amp;NID=1308&amp;amp;cat=LOCAL%20NEWS&amp;pub=SECURITY%20ADVISOR%20MIDDLE%20EAST&amp;amp;k=Integralis,%20ProtechT"&gt;press release &lt;/a&gt;today stated that ProtechT was acquired by Integralis. Integralis CEO stated:&lt;br /&gt;&lt;blockquote&gt;With this acquisition, Integralis’ portfolio will be expanded by ProtechT’s&lt;br /&gt;extensive knowledge in identity management and its expertise in multi-modal&lt;br /&gt;biometric and smart cards.&lt;/blockquote&gt;&lt;br /&gt;According to &lt;a href="http://www.protecht-me.com"&gt;ProtechT&lt;/a&gt;'s website, it also seems like a general security company. In fact, it is self-described as an "Information Technology Security" company. Nonetheless, the acquiring company's reasoning for the acquisition was identity, according to the quote above.  These two acquisitions add to Sun's Neogent acquisition from last year, as well as Novacoast's eNvision acquisition, and Secured Services, Inc.'s acquisition of Cybrix Corporation's Identity Management PS team. 
Perhaps this is an indication of further maturation in the Identity Management M&amp;amp;A game?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-7537973037847893681?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/7537973037847893681/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=7537973037847893681' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7537973037847893681'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7537973037847893681'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/04/more-idm-services-company-acquisitions.html' title='More IdM Services Company Acquisitions'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-8767014828328113160</id><published>2007-03-29T13:47:00.000-04:00</published><updated>2007-03-29T13:58:00.376-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Y Combinator'/><category scheme='http://www.blogger.com/atom/ns#' term='Paul Graham'/><title type='text'>Am I Cut Out for a Startup?</title><content type='html'>&lt;span style="font-family: arial;"&gt;I just read a great post by Paul Graham of &lt;/span&gt;&lt;a style="font-family: arial;" href="http://www.ycombinator.com"&gt;Y Combinator&lt;/a&gt;&lt;span style="font-family: arial;"&gt;  entitled: "&lt;/span&gt;&lt;a 
style="font-family: arial;" href="http://www.paulgraham.com/notnot.html#f1n"&gt;Why to Not Not Start a Startup&lt;/a&gt;&lt;span style="font-family: arial;"&gt;" that I found through Phil Windley's blog.  Y Combinator does real modest seed funding for entrepreneurs (usually less than 20k).  Paul says: &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;font-family:verdana;font-size:85%;"  &gt;&lt;blockquote&gt;So I'm going to list all the components of people's reluctance to start startups, and explain which are real.  Then would-be founders can use this as a checklist to examine their own feelings.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family: arial;"&gt;He also gives feedback from their first investments back in the summer of 05.  Out of 8, 4 were successful - and all that in under 2 years! Not bad.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-8767014828328113160?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/8767014828328113160/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=8767014828328113160' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/8767014828328113160'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/8767014828328113160'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/03/am-i-cut-out-for-startup.html' title='Am I Cut Out for a Startup?'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' 
height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-583908364568419252</id><published>2007-02-27T12:51:00.000-05:00</published><updated>2007-02-27T13:04:42.620-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Haliburton'/><category scheme='http://www.blogger.com/atom/ns#' term='AD'/><category scheme='http://www.blogger.com/atom/ns#' term='William Reid'/><category scheme='http://www.blogger.com/atom/ns#' term='patent'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='ibm'/><title type='text'>Burton Group TIps Off IBM Scientist About Microsoft AD Patent Violation</title><content type='html'>I was taken aback by an &lt;a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=197009007&amp;subSection=Breaking+News"&gt;article&lt;/a&gt; I read today about a former IBM scientist, William Reid, who claims that he created the "technology" behind Active Directory, and that he owns the patent behind it.&lt;br /&gt;&lt;br /&gt;OK...so what's the next logical step for Mr. Reid?!&lt;br /&gt;&lt;br /&gt;Of course...sue Halliburton!  And not for the obvious reasons Halliburton should be sued...but because their Identity Management system is based on it.  Pretty interesting logic there, Bill!  Using that logic, you could sue almost every company out there...go sue GM and Charles Schwab while you're at it.  Too late...he already did.&lt;br /&gt;&lt;br /&gt;The most bizarre aspect of the story is that he got the 'tip' from Catalyst!&lt;br /&gt;&lt;br /&gt;&lt;span id="intelliTXT"&gt;&lt;blockquote&gt;In an interview, Reid, who says he worked on artificial intelligence for IBM from 2000 to 2002, says he determined that GM, Schwab, and Halliburton were violating his patent after visiting a trade show. 
Reid says he watched presentations by IT officials from the companies while attending the Burton Group's Catalyst conference.&lt;/blockquote&gt;&lt;br /&gt;There's nothing quite like a disgruntled, clueless IBM scientist. (No offense to the happy IBM scientists out there.)   &lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-583908364568419252?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/583908364568419252/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=583908364568419252' title='17 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/583908364568419252'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/583908364568419252'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/02/burton-group-tips-off-ibm-scientist.html' title='Burton Group TIps Off IBM Scientist About Microsoft AD Patent Violation'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>17</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-1786400741330894535</id><published>2007-02-26T10:04:00.000-05:00</published><updated>2007-02-26T10:10:09.208-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='oracle igf liberty ca sun novell'/><title type='text'>Oracle's Donation</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://www.softwarestory.com/wp-content/uploads/2006/07/oracle_logo.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 174px; height: 174px;" src="http://www.softwarestory.com/wp-content/uploads/2006/07/oracle_logo.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Earlier this month, Oracle announced that it would hand over the Identity Governance Framework (IGF) to Liberty Alliance.  IGF is an interesting framework that is composed of CARML, AAPML, an API and an identity attribute service.  This is the very high level of what I understand...&lt;br /&gt;&lt;br /&gt;CARML (client attribute req. markup language) is an XML-style doc that a developer would write that lets others know about the 'data needs' of their app, for example, my app needs attributes A, B and C. (A good usage of a CARML doc is for identity&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.radicchio.org/images/liberty_logos/liberty_alliance_logo_jpeg.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 231px; height: 96px;" src="http://www.radicchio.org/images/liberty_logos/liberty_alliance_logo_jpeg.jpg" alt="" border="0" /&gt;&lt;/a&gt; services, which can tell apps what info it could give them)&lt;br /&gt;AAPML (attribute authority policy markup language) on the other hand is a doc that goes with the data sources.  These data sources can place constraints on how their data is to be used.  
It's a profile of XACML 2.0 and can be used by a policy enforcement point (PEP) to do its job (although it has an added feature of requiring the PEP to check if user consent has been obtained).&lt;br /&gt;IGF also comes with specs for a client API.&lt;br /&gt;&lt;br /&gt;What was really cool is the industry's appreciation of Oracle's move:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"We're very pleased to see that Oracle has submitted the Identity Governance Framework to the Liberty Alliance," said Don Bowen, director of Identity Integration for Sun Microsystems, Inc. "Sun believes Liberty is well suited because of its business and technical experts from all verticals, including government. Its work in the area of data privacy is not only valuable, but essential."&lt;br /&gt;— Sun Microsystems, Inc., Don Bowen, director of Identity Integration&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;"Novell welcomes Oracle's contribution to the Liberty Alliance. We continue to look forward to working with Oracle and the other leaders in the identity management market in the development of an open identity framework."&lt;br /&gt;— Novell, Inc., Nikols, vice president, Product Management Identity and Security&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;"CA is supporting the Identity Governance Framework to help customers more easily protect personal data across their disparate systems and applications," said Andy Rappaport, Architect, Identity and Access Management at CA. 
"We look forward to working with the Liberty Alliance, Oracle and others to develop practical, adaptable XML-based specifications that simplify the creation, enforcement and management of identity security policies."&lt;br /&gt;— CA, Andy Rappaport, Architect, Identity and Access&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;It's great when everyone can play nice.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-1786400741330894535?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/1786400741330894535/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=1786400741330894535' title='19 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/1786400741330894535'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/1786400741330894535'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/02/oracles-donation.html' title='Oracle&apos;s Donation'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>19</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-2151228561773196438</id><published>2007-02-21T15:03:00.001-05:00</published><updated>2007-02-21T15:03:29.928-05:00</updated><title type='text'>The Effects of Drugs on Spiderwebs</title><content type='html'>&lt;object width="496" height="372"&gt;&lt;param name="movie" value="http://www.glumbert.com/embed/spiders"&gt;&lt;/param&gt;&lt;param name="wmode" 
value="transparent"&gt;&lt;/param&gt;&lt;embed src="http://www.glumbert.com/embed/spiders" type="application/x-shockwave-flash" wmode="transparent" width="496" height="372"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-2151228561773196438?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/2151228561773196438/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=2151228561773196438' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/2151228561773196438'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/2151228561773196438'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/02/effects-of-drugs-on-spiderwebs.html' title='The Effects of Drugs on Spiderwebs'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-1286733054893301651</id><published>2007-02-19T23:43:00.000-05:00</published><updated>2007-02-19T23:44:36.107-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='jetblue ceo'/><title type='text'>On Justifications</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;span style="font-weight: bold; font-style: italic;font-size:130%;" &gt;"We fly 30 million people a year. 
Ten thousand were affected by this."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;-  David Neeleman, CEO of JetBlue&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-1286733054893301651?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/1286733054893301651/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=1286733054893301651' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/1286733054893301651'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/1286733054893301651'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/02/on-justifications.html' title='On Justifications'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-1811046795381274610</id><published>2007-02-14T13:36:00.000-05:00</published><updated>2007-02-14T13:39:12.197-05:00</updated><title type='text'>On Innovation</title><content type='html'>&lt;div style="text-align: center; font-weight: bold;"&gt;&lt;span style="font-style: italic;font-size:130%;" &gt;&lt;blockquote&gt;“Innovation is trying to figure out a way to do something better than it’s ever been done before."&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div style="text-align: right;"&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-weight: normal;"&gt;-David Neeleman, founder and CEO of 
JetBlue&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;/span&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-1811046795381274610?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/1811046795381274610/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=1811046795381274610' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/1811046795381274610'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/1811046795381274610'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/02/on-innovation.html' title='On Innovation'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-6318149533881585948</id><published>2007-02-10T22:45:00.000-05:00</published><updated>2007-02-07T07:27:03.227-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='t-mobile ameo smartphone'/><title type='text'>I'm a sucker for VCRs</title><content type='html'>T-Mobile AMEO, please come to America.&lt;br /&gt;&lt;br /&gt;&lt;object height="250" width="325"&gt;&lt;param name="movie" value="http://www.youtube.com/v/v4cCoETb-50"&gt;&lt;param name="wmode" value="transparent"&gt;&lt;embed src="http://www.youtube.com/v/v4cCoETb-50" 
type="application/x-shockwave-flash" wmode="transparent" height="250" width="325"&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;&lt;object height="250" width="325"&gt;&lt;param name="movie" value="http://www.youtube.com/v/4hQCCQHpKEY"&gt;&lt;param name="wmode" value="transparent"&gt;&lt;embed src="http://www.youtube.com/v/4hQCCQHpKEY" type="application/x-shockwave-flash" wmode="transparent" height="250" width="325"&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-6318149533881585948?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/6318149533881585948/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=6318149533881585948' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/6318149533881585948'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/6318149533881585948'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/02/im-sucker-for-vcrs.html' title='I&apos;m a sucker for VCRs'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-887995704396367565</id><published>2007-01-13T00:27:00.000-05:00</published><updated>2007-01-13T00:31:21.663-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='onstartups.com dharmesh shah advice it startups entrepreneurs'/><title type='text'>Advice for IT Startup 
Founders</title><content type='html'>Dharmesh Shah from &lt;a href="http://onstartups.com"&gt;Onstartups.com&lt;/a&gt; has &lt;a href="http://onstartups.com/home/tabid/3339/bid/126/17-Pithy-Insights-For-Startup-Founders.aspx"&gt;some advice&lt;/a&gt; for IT Startups.  I've pasted them below for your reading pleasure:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;17 Pithy Insights For Startup Founders&lt;/b&gt;&lt;br /&gt;&lt;b&gt; &lt;/b&gt;  &lt;ol type="1"&gt;&lt;li&gt;Seek transparency and understanding with your partners early.  Issues get harder as time passes&lt;/li&gt;&lt;/ol&gt; &lt;ol start="2" type="1"&gt;&lt;li&gt;Startup founders work long hours for a reason.  There’s more work than there are people.  If you’re seeking balance, seek it elsewhere.&lt;/li&gt;&lt;/ol&gt; &lt;ol start="3" type="1"&gt;&lt;li&gt;Bad customers will drain you of passion.  Really bad customers will drain you of both passion and profits.  Unfortunately, most bad customers will degenerate into really bad customers if you don’t do something about it.&lt;/li&gt;&lt;/ol&gt; &lt;ol start="4" type="1"&gt;&lt;li&gt;If you’re changing direction often, worry a little.  If you’re changing people often, worry a lot.&lt;/li&gt;&lt;/ol&gt; &lt;ol start="5" type="1"&gt;&lt;li&gt;It’s lonely at the top, but even lonelier at the bottom.  In the early days of a startup, hardly anyone wants to talk to you (except some desperate vendors).&lt;/li&gt;&lt;/ol&gt; &lt;ol start="6" type="1"&gt;&lt;li&gt;Eventually, your product will need to work and do something useful.  No amount of marketing or strategy will get you around this.&lt;/li&gt;&lt;/ol&gt; &lt;ol start="7" type="1"&gt;&lt;li&gt;At the end of each day, ask yourself:  “Did the product get better for customers today?”.  If you don’t have a good answer, stay up until you do.&lt;/li&gt;&lt;/ol&gt; &lt;ol start="8" type="1"&gt;&lt;li&gt;Until you are profitable, time is working against you.  
Once you are profitable, time is on your side.&lt;/li&gt;&lt;/ol&gt; &lt;ol start="9" type="1"&gt;&lt;li&gt;Learn to take calculated risks.  The market rarely rewards safe bets.&lt;/li&gt;&lt;/ol&gt; &lt;ol start="10" type="1"&gt;&lt;li&gt;To improve the quality of your output, improve the quality of your inputs.  Read, converse and connect with the right people.&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;ol start="11" type="1"&gt;&lt;li&gt;Force yourself to write, as it will force you to think.  &lt;/li&gt;&lt;/ol&gt; &lt;ol start="12" type="1"&gt;&lt;li&gt;At least once every year or so, your startup will almost die.&lt;/li&gt;&lt;/ol&gt; &lt;ol start="13" type="1"&gt;&lt;li&gt;The problem you solve should be ugly.  The solution you build should be beautiful.&lt;/li&gt;&lt;/ol&gt; &lt;ol start="14" type="1"&gt;&lt;li&gt; Even the most successful startup ideas had 100 reasons not to pursue them.  There is no perfect idea.&lt;/li&gt;&lt;/ol&gt; &lt;ol start="15" type="1"&gt;&lt;li&gt; If the pain doesn’t kill you, it just hurts a lot.&lt;/li&gt;&lt;/ol&gt; &lt;ol start="16" type="1"&gt;&lt;li&gt; You choose your destiny, because you choose your team.  &lt;/li&gt;&lt;/ol&gt; &lt;ol start="17" type="1"&gt;&lt;li&gt; Be who you are.  Do what you love.  Join people you like.  
&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-887995704396367565?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/887995704396367565/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=887995704396367565' title='10 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/887995704396367565'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/887995704396367565'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/01/advice-for-it-startup-founders.html' title='Advice for IT Startup Founders'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>10</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-2898602209831845576</id><published>2007-01-09T16:18:00.000-05:00</published><updated>2007-01-09T16:25:24.843-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='openid screencast demo simon willison infocards'/><title type='text'>Learn OpenID in 5 minutes!</title><content type='html'>&lt;a href="http://simonwillison.net/"&gt;Simon Willison&lt;/a&gt; has posted this screencast with a demonstration of how &lt;a href="http://simonwillison.net/2006/openid-screencast/"&gt;OpenID&lt;/a&gt; works.  Nicely done.  I wish there were one for Infocards. Then I could write a blog entry called "Learn Infocards in 5 minutes!" Kim? 
Is there already one?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-2898602209831845576?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/2898602209831845576/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=2898602209831845576' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/2898602209831845576'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/2898602209831845576'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/01/learn-openid-in-5-minutes.html' title='Learn OpenID in 5 minutes!'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-656789619551660737</id><published>2007-01-09T13:51:00.000-05:00</published><updated>2007-01-09T14:42:49.850-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management role management vaau sun courion bridgestream eurekify'/><category scheme='http://www.blogger.com/atom/ns#' term='bhold'/><category scheme='http://www.blogger.com/atom/ns#' term='sushi'/><title type='text'>What's this Role Management stuff about?</title><content type='html'>I read a press release today about a Role Management company called &lt;a href="http://www.vaau.com"&gt;Vaau&lt;/a&gt;.  
Vaau first caught my attention back in March, when Gartner identified them as a "&lt;a href="http://www.gartner.com/DisplayDocument?id=489952"&gt;cool vendor&lt;/a&gt;".  I'm sure the company name helped out, but the main reason for the honor seems to be the ability of their product RBACx to perform attestation at the user level rather than the role level (which seems like an obvious must-have for a role management product, although some "role management" vendors might disagree).  Anyhow, today's press release was regarding a strategic partnership they struck with &lt;a href="http://www.marketwire.com/mw/release_html_b1?release_id=200040"&gt;Sun&lt;/a&gt;.  Seeing that there are more than a few vendors joining this space, I'd like to write a few entries about the field, typical product features, general philosophies/approaches to role management, sushi and some of the vendors (off the top of my head, Eurekify, Bridgestream, Vaau, Courion, BHold, etc.).&lt;br /&gt;&lt;br /&gt;The first place to start is what role management is all about.  Using the latest technical jargon, a role is a grouping of &lt;span style="font-style: italic;"&gt;things&lt;/span&gt; that need privileges to do &lt;span style="font-style: italic;"&gt;stuff&lt;/span&gt; to other &lt;span style="font-style: italic;"&gt;things&lt;/span&gt;.  So it follows that role management is the management of what I just said.   The main driver is usually all about access management, hence the term RBAC (role based access control).  The idea is that it's easier to manage roles as opposed to individual privileges.  (Of course, compliance is a driver as well.) Sometimes that doesn't work out as planned. 
It's not unheard of for clients to complain that they ended up with more roles than people in their organization - which sort of defeats the purpose, especially if your role memberships are only people.&lt;br /&gt;So the next post: typical product features in a role management app.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-656789619551660737?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/656789619551660737/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=656789619551660737' title='15 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/656789619551660737'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/656789619551660737'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/01/whats-this-role-management-stuff-about.html' title='What&apos;s this Role Management stuff about?'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>15</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-6656833216779221343</id><published>2007-01-05T10:21:00.000-05:00</published><updated>2007-01-05T10:30:39.507-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='business model alex osterwalder'/><title type='text'>Become Rich: Use a Business Model!</title><content type='html'>I found this excellent blog yesterday by &lt;a href="http://www.linkedin.com/in/osterwalder"&gt;Alex Osterwalder&lt;/a&gt;. 
 For those of you who are clueless (like me) - start here:  &lt;a href="http://business-model-design.blogspot.com/2005/11/what-is-business-model.html"&gt;What is a Business Model?&lt;/a&gt;&lt;br /&gt;And find out why it's &lt;a href="http://www.lawbizblog.com/management-you-may-have-to-change-your-business-model-in-2007.html"&gt;important&lt;/a&gt;.&lt;br /&gt; Then work your way to the &lt;a href="http://business-model-design.blogspot.com/2006/11/business-model-template-designing-your.html"&gt;Business Model Template&lt;/a&gt;.&lt;br /&gt;  Then use it to make your very own.&lt;br /&gt;    Now the last and final step. &lt;a href="http://siliconvalley.internet.com/news/article.php/583951"&gt;Execute&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-6656833216779221343?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/6656833216779221343/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=6656833216779221343' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/6656833216779221343'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/6656833216779221343'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/01/become-rich-use-business-model.html' title='Become Rich: Use a Business Model!'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-1293058721124689122</id><published>2007-01-03T09:52:00.000-05:00</published><updated>2007-01-03T09:57:50.713-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management use cases project management'/><title type='text'>Why Use Cases Should Matter in Identity Deployments</title><content type='html'>In a comment to a previous blog entry, where I attempt to make the case for Use Cases in Identity Management integration efforts, &lt;a href="http://duckdown.blogspot.com/"&gt;James McGovern&lt;/a&gt; &lt;a href="https://www2.blogger.com/comment.g?blogID=13465455&amp;postID=2013127834012418898"&gt;comments&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"First, many folks in the IDM space don't really understand how to create use-cases because it is not a traditional business-oriented scenario.&lt;br /&gt;&lt;br /&gt;Second, the importance of getting a PM has to be not on internal nor external but someone who has walked the path before. This is pretty difficult to find even amongst the vendors themselves."&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Focusing on his first point, I'd have to agree: use cases really come from the software engineering world (I believe originated from one of the three amigos - Jacobson).  Wikipedia has a &lt;a href="http://en.wikipedia.org/wiki/Use_case"&gt;terse description&lt;/a&gt; of what a Use Case is:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;In software engineering, a use case is a technique for capturing the potential requirements of a new system or software change. Each use case provides one or more scenarios that convey how the system should interact with the end user or another system to achieve a specific business goal. Use cases typically avoid technical jargon, preferring instead the language of the end user or domain expert. 
Use cases are often co-authored by software developers and end users.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;In my opinion, the software engineering world has a lot to offer the identity integration world.  Software engineers (and I use that term broadly) typically have a lot more interaction with business users than back-end integration folks.  Figuring out how to efficiently produce software that the client wants/needs has been at the center of decades of discussions surrounding dev processes and methodologies.  The integration community on the other hand are usually less focused on customer satisfaction, and more about making processes work efficiently and reliably. With the advent of identity integrations, the level of interaction with business development users has increased significantly.  Many steps within the process of integrating an identity platform necessitate interaction with business users, such as mapping business processes and ultimately optimizing them (and the various touch points end users will have with it - for example in provisioning workflow), as well as user interaction with password management systems, ESSO, etc.  I do agree that some components of an Identity platform may be invisible to the user, but typically the user will have at least indirect contact with it. (For example, in a metadirectory solution, a self-help name change in an HR data repository might result in a displayname change in their e-mail address or the name that appears on a phone handset.)&lt;br /&gt;&lt;br /&gt;Identity integrators usually come over from sysadmin-type backgrounds, and (even those who have done an identity implementation or two) might not have the disciplines a software engineer would have in delivering a solution that the client is pleased with. (Even worse, many PMs for Identity projects that I've met don't seem to have much PM experience to begin with, or might be a sysadmin who successfully ran an Exchange upgrade.)  
The result is what Mark Dixon described as the &lt;a href="http://blogs.sun.com/identity/entry/seven_identity_management_implementation_risks"&gt;seven deadly risks&lt;/a&gt;, outlined below:&lt;br /&gt;&lt;br /&gt;    * Poor Pre-Project Preparation&lt;br /&gt;    * Poor Requirements Definition&lt;br /&gt;    * Large Initial Scope&lt;br /&gt;    * Inexperienced Resources&lt;br /&gt;    * Poor Project Methodology&lt;br /&gt;    * Scope Creep&lt;br /&gt;    * Not Using Available Support&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The solution might lie in borrowing software engineering processes that would be helpful in initial preparation and scoping of an identity project, as well as ensuring that an iterative process results in happy business users.&lt;br /&gt;&lt;br /&gt;To be continued...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-1293058721124689122?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/1293058721124689122/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=1293058721124689122' title='15 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/1293058721124689122'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/1293058721124689122'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/01/why-use-cases-should-matter-in-identity.html' title='Why Use Cases Should Matter in Identity Deployments'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>15</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-7314449339212087388</id><published>2007-01-01T00:30:00.000-05:00</published><updated>2007-01-01T00:44:59.768-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='jackson shaw identity management quest'/><title type='text'>Jackson Shaw is Blogging</title><content type='html'>Jackson Shaw from Quest is &lt;a href="http://jacksonshaw.blogspot.com/"&gt;blogging&lt;/a&gt;.  Jackson previously worked for Microsoft where he was Product Manager (I believe) of MIIS.  Since then, he joined Vintela which was acquired by Quest.  Quest now has its own portfolio of Identity products, ranging from the cool SSO stuff Vintela was doing between Unix and Windows, as well as password management, audit tools (including what they call 'cross platform identity auditing' - which sounds really important), and provisioning.&lt;br /&gt;&lt;br /&gt;Jackson's blog is self-described below:&lt;br /&gt;&lt;span&gt;&lt;em&gt;&lt;blockquote&gt;Jackson's comments, commiserations, confabulations and simplifications on identity management and Microsoft's Active Directory all based on his continuous "reality tour" of meetings with customers, ISVs and Microsoft.&lt;br /&gt;&lt;/blockquote&gt;&lt;/em&gt;&lt;/span&gt;&lt;br /&gt;Ok...so what does commiseration mean?&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Definitions of &lt;b&gt; commiseration&lt;/b&gt; on the Web:&lt;/p&gt;&lt;span style="font-size:-1;"&gt;&lt;li&gt;a feeling of sympathy and sorrow for the misfortunes of others; "the blind are too often objects of pity"  &lt;/li&gt;&lt;li&gt;condolence: an expression of sympathy with another's grief; "they sent their condolences"  &lt;/li&gt;&lt;/span&gt;&lt;br /&gt;Got it. Regardless, I think Jackson will have some pretty insightful blog entries regarding the identity topic.  
Go check him out &lt;a href="http://jacksonshaw.blogspot.com/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span&gt;&lt;em&gt;&lt;blockquote&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;/em&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span&gt;&lt;em&gt;&lt;br /&gt;&lt;/em&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-7314449339212087388?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/7314449339212087388/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=7314449339212087388' title='9 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7314449339212087388'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7314449339212087388'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2007/01/jackson-shaw-is-blogging.html' title='Jackson Shaw is Blogging'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>9</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-533899287068063430</id><published>2006-12-27T08:56:00.000-05:00</published><updated>2006-12-27T09:27:59.047-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='healthcare sun identity management federation'/><title type='text'>Sun on Identity for Healthcare and the Cost Problem</title><content type='html'>&lt;a href="http://www.health-itworld.com"&gt;Health IT World&lt;/a&gt; has published an 
interview&lt;span style="font-size:100%;"&gt; by John Russel called &lt;/span&gt;&lt;span style="font-style: italic;font-size:100%;" &gt;Sun’s Healthcare Mantra: Reduce Cost and Complexity&lt;/span&gt;&lt;span style="font-size:100%;"&gt; with Sun Director of Healthcare and Life Sciences, Joerg Schwarz.  He weighs in on Identity and provides a few interesting scenarios for federation:&lt;br /&gt;&lt;/span&gt;&lt;blockquote&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;Some RHIOs [regional health information organizations] follow the central model. Some follow the federated model. I chose a centralized model, which naturally creates a lot of animosity by privacy advocates, by patients, by people who are just afraid of having all the data concentrated in one place and I don't want to say who's right or wrong, but these are the two fundamental models. You centralize everything and use that as a model, or do you have a federated model where you keep the data where it is. You just have to make sure that when you need it you can save it to the aggregate it together.&lt;/blockquote&gt;&lt;br /&gt;When asked which model was better...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;...identity management because data protection to control who accesses information through the entire lifecycle. The best way to do this is building a federated identity management concept so that a doctor that is known and authenticated with one institution can request data from another institution where he is unknown, but that gives him doctor level credentials to access information involving a patient.&lt;br /&gt;&lt;br /&gt;&lt;/blockquote&gt;Early in the interview, he explains that although most hospitals today have digital records, they are not linked, and primary care physicians typically don't have access to them.  
It seems that linking hospitals has a strong business case, and it's just a matter of time before that gets into full swing...but what about the primary care physicians?  A few barriers exist here:&lt;br /&gt;&lt;br /&gt;1. $$$ - docs don't have the money to invest in infrastructure like this. And more importantly...&lt;br /&gt;2. Why would they? Why would they want to share their info with other primary care physicians which could possibly give competitors an edge?&lt;br /&gt;&lt;br /&gt;So there still seems to be a case for doctors as data consumers, although there seems to be a conflict of interest for them to behave as data providers.  This might be circumvented if patient data can be released while protecting data regarding the physician history.&lt;br /&gt;&lt;br /&gt;This would be a wonderful scenario for user-centric identity...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-533899287068063430?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/533899287068063430/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=533899287068063430' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/533899287068063430'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/533899287068063430'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/12/sun-on-identity-for-healthcare-and-cost.html' title='Sun on Identity for Healthcare and the Cost Problem'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' 
height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-8340247096443893061</id><published>2006-12-24T13:01:00.000-05:00</published><updated>2008-12-11T07:26:18.180-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='kathy sierra words of wisdom zone of mediocrity'/><title type='text'>Zone of Mediocrity</title><content type='html'>Words of wisdom from &lt;a href="http://headrush.typepad.com/creating_passionate_users/2006/01/death_by_riskav.html"&gt;Kathy Sierra&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_BO38LdeeNVA/RY7BSJoWfaI/AAAAAAAAAAY/NkxD2_9bawk/s1600-h/loveandhate_7.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_BO38LdeeNVA/RY7BSJoWfaI/AAAAAAAAAAY/NkxD2_9bawk/s320/loveandhate_7.jpg" alt="" id="BLOGGER_PHOTO_ID_5012155952876912034" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;"...if you're not doing something that someone hates, it's probably mediocre..."&lt;br /&gt;&lt;br /&gt;"&lt;b&gt;...be willing to take risks!&lt;/b&gt; Perhaps more importantly, be willing to tolerate (and perhaps even &lt;i&gt;encourage&lt;/i&gt;) risk-taking in those who are &lt;i&gt;managed&lt;/i&gt; by you..."&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-8340247096443893061?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/8340247096443893061/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=8340247096443893061' title='2 
Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/8340247096443893061'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/8340247096443893061'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/12/zone-of-mediocrity.html' title='Zone of Mediocrity'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_BO38LdeeNVA/RY7BSJoWfaI/AAAAAAAAAAY/NkxD2_9bawk/s72-c/loveandhate_7.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-2013127834012418898</id><published>2006-12-18T09:23:00.000-05:00</published><updated>2008-12-11T07:26:18.386-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management project management'/><title type='text'>Identity Management PMs and Use Cases</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_BO38LdeeNVA/RYapu5oWfZI/AAAAAAAAAAM/XVdjcfQcYXo/s1600-h/UseCaseDiagram_en.gif"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer;" src="http://2.bp.blogspot.com/_BO38LdeeNVA/RYapu5oWfZI/AAAAAAAAAAM/XVdjcfQcYXo/s320/UseCaseDiagram_en.gif" alt="" id="BLOGGER_PHOTO_ID_5009878258705399186" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;I just read an interesting blog entry on Mike Wyatt's Blog entitled "&lt;a href="http://blogs.sun.com/mikewyatt/entry/project_managers_as_a_critical"&gt;Project Managers as a Critical Success Factor or Identity Management Projects&lt;/a&gt;".  
It piqued my interest because it has become a recurring topic of discussion amongst some of the folks in our integration team.  Mike talks about clients not wanting to shell out the extra service dollars for the PM, opting to use their own "experienced" PMs.  Mike aptly points out...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;...in order to "get the deal done" vendors will make this concession. More often than not, when a project gets in trouble, the common issue is not technology (the bits) or even the vendor's technical team. It is usually the lack of strong project management, especially when customers are providing the project manager.&lt;/blockquote&gt;&lt;br /&gt;A few points that our team has come up with:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Use Case definitions for identity projects are quite helpful, especially in defining expected behavior of the IdM system based on predefined inputs.  Many times, PMs get caught up in the tasks that need to be completed, and become task masters who babysit the team to ensure that tasks get done, many times losing the big picture.   What is the big picture?  It's what the client wants, and that needs to be defined up front.  So one of the first tasks for a PM should be to engage the client in order to clearly identify the use cases with accompanying pre-conditions and post-conditions.  This document should read easily for any business user, so that the client PM (or equivalent) agrees to the exact desired behavior of the system upon project completion.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;If the use case document is clearly written, it can be used for project sign-off in the development environment, prior to migration.  A meeting can be used to bring all relevant players together in order to demonstrate that the system behaves exactly as the client requested - using the use case document as a checklist.  "This is what you wanted. Let me demonstrate that for you...great, it works. 
Let's check it off and go to the next use case."&lt;/li&gt;&lt;li&gt;In the "Use Case" phase, the PM could be used heavily while using the architect for reference and sanity checks.  Once the Use Case is completed, the PM could take a back seat and let the architect roll up his/her sleeves.  The PM from this point only needs to monitor the project rather than to be involved and bill day-to-day.  (Of course, the architect has to step in to ensure feasibility before the use case is signed off on by both parties.)  This shows the client that you could use a PM (and architect) effectively, and make them feel comfortable that it won't cost them a substantial services fee at the same time.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;More to come on the PM's continuing role in the project...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-2013127834012418898?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/2013127834012418898/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=2013127834012418898' title='90 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/2013127834012418898'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/2013127834012418898'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/12/identity-management-pms-and-use-cases.html' title='Identity Management PMs and Use Cases'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_BO38LdeeNVA/RYapu5oWfZI/AAAAAAAAAAM/XVdjcfQcYXo/s72-c/UseCaseDiagram_en.gif' height='72' width='72'/><thr:total>90</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-1009698138454646529</id><published>2006-12-12T18:40:00.000-05:00</published><updated>2006-12-12T23:07:36.625-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management novell'/><title type='text'>Even Identity Can't Save Novell Now</title><content type='html'>Novell's Identity suite is arguably one of the best, with quite possibly the most number of production deployments in the market.  Its provisioning solution is very mature, with Identity Manager 3 boasting "Designer", a tool allowing administrators to create almost the complete identity implementation graphically, and then drill down for configuration.&lt;br /&gt;Furthermore, sales of Novell's Identity Manager are up 3% from last year.  All that aside, Novell is in trouble.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.itjungle.com/tlb/tlb121206-story01.html"&gt;Timothy Prickett Morgan&lt;/a&gt; states:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;In the fourth quarter, Novell had software license sales of $46.1 million, down 41 percent from the year ago period. The bulk of this drop is attributed to a rapid decline in NetWare and its related Open Enterprise Server license sales, but Novell had issues in other areas. &lt;span style="font-style: italic;"&gt;Linux is not growing fast enough to fill the NetWare hole, and neither are the company's identity management or server management product lines...&lt;/span&gt;You can also see why Novell bought SUSE three years ago. 
If it had not, Novell would be dead right now.&lt;/blockquote&gt;Hovsepian predicted lengthened stagnation in software sales in 2007,  with the exception of  Linux and Identity Management...but also stated a boost on '08 as a result of the Microsoft deal.  Any way you slice it, Novell is not in good shape.  Their stock price hit a 52-week low last week, as a result of their announcement regarding flat sales in '07. Identity brought in revenue of $23.8m in the quarter.  Sales were up just $793,000, or 3.5%, to be worth 9.7% of overall revenue...apparently, Identity can't save Novell, but maybe Microsoft can.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-1009698138454646529?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/1009698138454646529/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=1009698138454646529' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/1009698138454646529'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/1009698138454646529'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/12/even-identity-cant-save-novell-now.html' title='Even Identity Can&apos;t Save Novell Now'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-7506479222632175599</id><published>2006-11-16T18:59:00.000-05:00</published><updated>2006-11-16T19:32:43.642-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ping federation identity management services department of jusice'/><title type='text'>DOJ, Ping, and the Disappearing Service Dollar</title><content type='html'>A friend of mine forwarded an email to me today regarding a project for a client who was interested in deploying Ping Federate.  At first, I was pretty excited.  I'm a big fan of what Ping has done in the past years - they've brought solid software to solve the world's federation problems.  (In the company I used to work for last year, I had the privilege of taking my team of identity consultants to Ping's HQ in Denver to meet the Ping folks and get trained in Ping Federate.  Honestly, they've got the highest concentration of brains in a small company I've ever seen. Kudos to Andre.)&lt;br /&gt;&lt;br /&gt;When I got the email regarding the project, I noticed that it was in fact a forwarded email from a recruiter who wanted to "staff" a position at the Department of Justice...looking for a person who had experience with the Ping line.  Then I saw this &lt;a href="http://www.pingidentity.com/about/show/157"&gt;press release&lt;/a&gt; from Ping, stating:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;...PingFederate will be part of the expanded RISSNET architecture used to enable law enforcement and criminal justice agencies throughout the United States, Canada, the United Kingdom, Australia and the U.S. Territories to share intelligence and coordinate efforts against criminal and terrorist networks that operate in multiple locations.&lt;/blockquote&gt;&lt;br /&gt;That's some pretty serious stuff.  
Eric Norlin (who knows a thing or two about Ping) states &lt;a href="http://blogs.zdnet.com/digitalID/?p=76"&gt;this&lt;/a&gt; on his ZDNet blog:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Ping Identity announced that the U.S. Department of Justice selected them to provide federation to over 7,300 local law enforcement agencies and 700,000 law enforcement officials.&lt;br /&gt;&lt;/blockquote&gt;I was interested. It was definitely something we could respond to. But the email's "staffing" approach of the whole thing kind of threw me off. The press release and the recruiter's email didn't seem to fit.&lt;br /&gt;Anyhow, I got a phone call a few hours ago with the details.  Worse than I imagined...they want a "resource" (guaranteed till February! yeehaw.), for a rate so low that we wouldn't even cover our costs.  Could it be that the Department of Justice was just looking at a federation deployment for nearly three quarters of a million seats as something to throw a "resource" or two at?  Anyone who knows anything about identity will tell you that federation could be pretty complicated stuff.  Also, how could the rate possibly be so low? How many layers were between us and DOJ?  Who's eating all of the service dollars?  Even if there were a lot of layers, would DOJ accept a team slapped together to deploy an enabling technology like federation? 
Something's not right, definitely not right.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-7506479222632175599?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/7506479222632175599/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=7506479222632175599' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7506479222632175599'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7506479222632175599'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/11/doj-ping-and-disappearing-service.html' title='DOJ, Ping, and the Disappearing Service Dollar'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-9191783699740700689</id><published>2006-11-14T12:36:00.000-05:00</published><updated>2006-11-14T12:45:58.523-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management bmc courion novell oracle'/><title type='text'>Best Identity Management Solution Competition?</title><content type='html'>SC Magazine has released the Finalists for its Best Identity Management Solution Award.  
The finalists are:&lt;br /&gt;&lt;br /&gt;&lt;div align="center"&gt;&lt;a href="http://www.scmagazine.com/us/awards/voting/profiles/26155/00bf3182-3c20-4113-8f46-3d82dd225f6f/d3dd1391-ebfc-4ee2-a6c7-f19490de02d7/"&gt;BMC Identity Management&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.scmagazine.com/us/awards/voting/profiles/26155/3ba69fd4-128d-44ec-a53f-bea5a2ed9cfd/d3dd1391-ebfc-4ee2-a6c7-f19490de02d7/"&gt;Courion Enterprise Provisioning Suite&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.scmagazine.com/us/awards/voting/profiles/26155/f2c6c348-baf2-437b-ac06-7d4d423a16e7/d3dd1391-ebfc-4ee2-a6c7-f19490de02d7/"&gt;Encentuate TCI&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.scmagazine.com/us/awards/voting/profiles/26155/08b69a73-6f28-41cf-987f-e56497b8cf54/d3dd1391-ebfc-4ee2-a6c7-f19490de02d7/"&gt;Novell Identity Manager and Access Manager&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.scmagazine.com/us/awards/voting/profiles/26155/f041dd54-9ef5-4952-8ea9-f5fdf2059f23/d3dd1391-ebfc-4ee2-a6c7-f19490de02d7/"&gt;Oracle Identity Management&lt;/a&gt; &lt;/div&gt;&lt;br /&gt;&lt;br /&gt;What do you mean Identity Management?? Kind of broad, isn't it?&lt;br /&gt;&lt;br /&gt;"Includes user provisioning solutions, single sign-on, password management, user rights revocation, etc."&lt;br /&gt;&lt;br /&gt;OH. "Etc." !!   
Never mind, that clarifies everything.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-9191783699740700689?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/9191783699740700689/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=9191783699740700689' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/9191783699740700689'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/9191783699740700689'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/11/best-identity-management-solution.html' title='Best Identity Management Solution Competition?'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-47215563991988608</id><published>2006-11-05T09:51:00.000-05:00</published><updated>2006-11-05T09:54:20.762-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management kim cameron'/><title type='text'>Kim Goes Veg</title><content type='html'>Kim makes some excellent points regarding the inclusion of vegetables into the identity laws. 
&lt;a href="http://www.identityblog.com/?p=632"&gt;Read&lt;/a&gt; for yourself:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;&lt;p&gt;The synergistic combination of omnidirectional identifiers and correlation handles on a per-vegetable basis could be the sustainable architecture behind the meta-zucchini infrastructure.&lt;/p&gt; &lt;p&gt;Any metasystem needs to realize that pumpkins may vary in physical appearance, but their basic architecture is the same: stem, seeds and pulp represent the core of our constituent squash identity system.&lt;/p&gt; &lt;p&gt;We hope our commentary will stimulate oral interfacing across the vegosphere and among the “gouderati”.&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-47215563991988608?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/47215563991988608/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=47215563991988608' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/47215563991988608'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/47215563991988608'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/11/kim-goes-veg.html' title='Kim Goes Veg'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-7245587271992263490</id><published>2006-10-25T07:55:00.000-04:00</published><updated>2006-10-25T08:12:40.170-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='angel investors ceg funding'/><title type='text'>Resources for Angel Investment Seekers</title><content type='html'>Last week, I had the pleasure of attending a seminar conducted by &lt;a href="http://www.union.edu/Resources/Technology/U-Start/"&gt;U-Start&lt;/a&gt;,  led by Peter Pritchard from &lt;a href="http://www.ceg.org/"&gt;CEG&lt;/a&gt; entitled "Funding Continuum for Start-up &amp; Early-Stage Firms".  Excellent information for startups about the practical aspects of the funding process.  Anyhow, I gained a few excellent resources for solid information about angel investments:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://angelcapitalassociation.org/default.aspx"&gt;Angel Capital Association&lt;/a&gt;: a professional association that focuses on networking and sharing of best practices among angel organizations.  This site has a rather comprehensive list of angels nationwide, broken down by state.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.newyorkangels.com/"&gt;New York Angels&lt;/a&gt;: self-described as a forum in which its members can exchange information about investment opportunities in early-stage technology and emerging growth companies in the Northeast and to provide administrative support as its members help such companies to grow to market leadership.  
The section for "resources" has an invaluable slide-by-slide breakdown of what angels typically want to see.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-7245587271992263490?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/7245587271992263490/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=7245587271992263490' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7245587271992263490'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/7245587271992263490'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/10/resources-for-angel-investment-seekers.html' title='Resources for Angel Investment Seekers'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-1341143435370407106</id><published>2006-09-15T15:21:00.000-04:00</published><updated>2006-09-15T15:26:45.448-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management services market'/><title type='text'>More on IdM's Biz Prowess</title><content type='html'>Just read this &lt;a href="http://news.com.com/2061-11203_3-6116140.html"&gt;article&lt;/a&gt; by John Oltsik, Sr. Analyst at the Enterprise Strategy Group, who attended DIDW this past week and gives a series of points on why Identity "finally made it."  
Point 2 states:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;Projects are getting bigger. &lt;span style="font-weight: bold;"&gt;When identity and access management tools were deployed in the past it was generally on a tactical basis to address IT operations challenges. Suddenly, projects have a more business and enterprise focus.&lt;/span&gt; I attribute the change to compliance on the one hand and the externalization of IT on the other. This means that customers are looking at large identity deployments, big investments, and professional services. There's gold in them thar identity hills.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;Another nod to the maturation of IdM in the business world...although I don't agree with the "sudden" business and enterprise focus.  It took a lot of DIDW and Burton Group conferences to get here.  There are many indicators that there is a market for business consulting services for identity projects.  All we need now is a new acronym for this "new" field...&lt;br /&gt;&lt;br /&gt;[update]&lt;br /&gt;&lt;br /&gt;Another interesting quote... I'm starting to collect the "as a CEO...as a CIO...as a CXO..." quotes about identity:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;“As a CIO, I strive to ensure productive, secure, cost effective solutions that help our users realize their potential.  
Identity and Access Management is the foundation for any solution that I provide to our users.” - Ron Markezich, CIO, Microsoft&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-1341143435370407106?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/1341143435370407106/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=1341143435370407106' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/1341143435370407106'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/1341143435370407106'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/09/more-on-idms-biz-prowess.html' title='More on IdM&apos;s Biz Prowess'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-4507911849222781191</id><published>2006-09-15T06:44:00.000-04:00</published><updated>2006-09-15T07:03:06.746-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='didw'/><category scheme='http://www.blogger.com/atom/ns#' term='phil windley'/><category scheme='http://www.blogger.com/atom/ns#' term='jamie lewis keynote'/><category scheme='http://www.blogger.com/atom/ns#' term='digital id world'/><category scheme='http://www.blogger.com/atom/ns#' term='idm services'/><title type='text'>Jamie Lewis' Keynote at DIDW and IdM Services</title><content 
type='html'>&lt;a href="http://www.digitalidworld.com/themes/DigitalIDWorld/images/header/logo.png"&gt;&lt;img style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 320px; CURSOR: hand" alt="" src="http://www.digitalidworld.com/themes/DigitalIDWorld/images/header/logo.png" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;Phil Windley has a pretty lengthy &lt;a href="http://www.windley.com/"&gt;post&lt;/a&gt; recapping Jamie Lewis' keynote at DIDW this year. He has some pics of some of Jamie's slides as well. (I always enjoy Jamie's 'status of the market' type slides...take a look at &lt;a href="http://photos.windley.com/gallery/view_photo.php?set_albumName=didw06&amp;amp;id=DSC_0004_001"&gt;this&lt;/a&gt; one.) The interesting part was the claim that the market is moving from suites to services. I'm not sure I sense that in the market at all. Being on the floor, I haven't seen many - if any - IdM services being deployed. I have seen tons of traditional suite-type implementations. Each vendor is, of course, pushing hard to have their stack to be adopted and implemented, and usually with some level of success. Phil wraps this point up well (emphasis mine):&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;em&gt;When we get to the point&lt;/em&gt; where there are services we can reuse, then we will see progress. There’s reason for hope. 
Emerging frameworks, like CardSpace, &lt;a href="http://osis.netmesh.org/"&gt;OSIS&lt;/a&gt;, &lt;a href="http://www.eclipse.org/higgins/"&gt;Higgins&lt;/a&gt;, and &lt;a href="http://developer.novell.com/wiki/index.php/Bandit"&gt;Bandit&lt;/a&gt; promise to create an access layer.&lt;br /&gt;&lt;/blockquote&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-4507911849222781191?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/4507911849222781191/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=4507911849222781191' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/4507911849222781191'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/4507911849222781191'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/09/jamie-lewis-keynote-at-didw-and-idm.html' title='Jamie Lewis&apos; Keynote at DIDW and IdM Services'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-8184702378878663645</id><published>2006-09-14T11:11:00.000-04:00</published><updated>2006-09-14T11:26:40.028-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sun'/><category scheme='http://www.blogger.com/atom/ns#' term='jonathan schwartz'/><category scheme='http://www.blogger.com/atom/ns#' term='identity 
management'/><category scheme='http://www.blogger.com/atom/ns#' term='ibm'/><category scheme='http://www.blogger.com/atom/ns#' term='oracle'/><title type='text'>Identity Management's Business Prowess</title><content type='html'>It's refreshing to see the strength of the Identity market in the following excerpts.  The first is an &lt;a href="http://seekingalpha.com/article/16595"&gt;analysis&lt;/a&gt; on Oracle stock by Rob Black.  The second is a &lt;a href="http://www.itworld.com/App/060914sunaccenture/"&gt;quote&lt;/a&gt; from Sun's CEO, Jonathan Schwartz:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Rob Black submits: Expect an in-line Oracle (ORCL) quarter in a historically difficult period. Expect to see growth from all product segments across all geographies, with better contribution from Europe than reported in recent periods. &lt;span style="font-weight: bold;"&gt;Analysts believe Fusion &lt;/span&gt;Middleware&lt;span style="font-weight: bold;"&gt; focus and growth will continue for the foreseeable future, highlighted by strength in Identity Management opportunities.&lt;/span&gt; Analysts are increasing our price target for ORCL to $19 from $17 based on our revised DCF, which includes a reduced discount rate (due to reduced risk free rate) and increased confidence in a more promising cash flow growth scenario. &lt;/blockquote&gt;&lt;br /&gt;Growth to Oracle is ultimately attributed to Identity. Now that is pretty big stuff. The entire company stock is expected to go from 17 to 19 ultimately driven by an upswing in identity sales. Just to put this into perspective, this is a company that could bankroll buying Peoplesoft at $10B and Siebel at almost $6B.  In the past year or so, it has picked up some dinosaurs in the Identity world: Octetstring, Thor and Oblix. 
&lt;br /&gt;The second &lt;a href="http://www.itworld.com/App/060914sunaccenture/"&gt;quote&lt;/a&gt; is from Sun's CEO:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;"&lt;span style="font-weight: bold;"&gt;As a CEO, nothing is more important to me than security and identity management&lt;/span&gt;," Schwartz said. "It's the heart of SOX, HIPAA and other regulations across the world. Who has access to what information often closely relates to who pays for that information and who's liable for that information."&lt;/blockquote&gt;That's a wonderful shout-out for identity.  Given that the quote was taken in an interview Schwartz gave in relation to Sun's tight relationship with Accenture (and how they really need Accenture as a consulting arm to compete with IBM's Global Services division) - nonetheless - I'll take it!  If that were the case, it would speak to the strength of the services market for Identity - which in turn speaks to the software market as well. Either way, it's a good sign for things to come.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-8184702378878663645?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/8184702378878663645/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=8184702378878663645' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/8184702378878663645'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/8184702378878663645'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/09/identity-managements-business-prowess.html' title='Identity Management&apos;s Business Prowess'/><author><name>Ashraf 
Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-5802877385111895294</id><published>2006-09-04T20:06:00.000-04:00</published><updated>2006-09-04T20:32:04.842-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='google'/><title type='text'>Google's Got Ears!</title><content type='html'>Google's latest addition is a pair of ears. Perhaps more than a pair...according to this &lt;a href="http://www.theregister.co.uk/2006/09/03/google_eavesdropping_software/"&gt;article&lt;/a&gt;, Google is aggressively working on software that would leverage your computer's microphone to eavesdrop on you, and play back relevant ads:&lt;br /&gt;&lt;blockquote&gt;The idea is to use the existing PC microphone to listen to whatever is heard in the background, be it music, your phone going off or the TV turned down. The PC then identifies it, using fingerprinting, and then shows you relevant content, whether that's adverts or search results, or a chat room on the subject.&lt;/blockquote&gt;Am I the only one who's getting scared? What's next?  They already log your searches, follow your blog (I use Blogger), they track the sites you visit via adwords, the email you write via gmail, etc. and now they want to be a fly (with ears) on the wall in your home!  And the sad fact is that most people won't have a problem with it, in the interest of having a more intimate experience on the net.  But at what cost?  Can't we have our cake and eat it too? Can't we have the personalized experience we desire on the net without revealing every detail of our lives? Absolutely - from a technical perspective.  
The best minds in the identity world have put together a number of theoretically feasible solutions; unfortunately, dollars drive advertising over security and anonymity.  I think we'll get there some day, but not before our homes are invaded by Google and their likes.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Technorati tags: &lt;a href="http://technorati.com/tag/identity+management" rel="tag"&gt;Identity Management&lt;/a&gt;, &lt;a href="http://technorati.com/tag/google" rel="tag"&gt;Google&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-5802877385111895294?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/5802877385111895294/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=5802877385111895294' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/5802877385111895294'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/5802877385111895294'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/09/googles-got-ears.html' title='Google&apos;s Got Ears!'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-115569813305269450</id><published>2006-08-15T22:35:00.000-04:00</published><updated>2006-08-15T23:18:23.926-04:00</updated><title type='text'>Stephen Colbert, Identity and User 16006693</title><content type='html'>Stephen Colbert had a &lt;a 
href="http://www.comedycentral.com/shows/the_colbert_report/videos/season_2/index.jhtml"&gt;hilarious piece&lt;/a&gt; on tonight's Colbert Report regarding protecting identity while searching (he suggests typing with your weaker hand, to disguise your typing patterns), in response to the &lt;a href="http://www.nytimes.com/2006/08/09/technology/09aol.html?pagewanted=1&amp;ei=5088&amp;amp;amp;amp;amp;amp;en=996f61c946da4d34&amp;ex=1312776000&amp;amp;partner=rssnyt&amp;amp;emc=rss"&gt;AOL debacle&lt;/a&gt; (if you haven't heard, they released about 3 months of search histories comprising some 20 million searches...but don't worry, they replaced people's usernames with random numbers...so we are safe, right?)&lt;br /&gt;Not exactly. Paul Boutin used splunkd.com to parse the heck out of the data - and arrived at &lt;a href="http://www.slate.com/id/2147590/?nav=tap3"&gt;seven patterns&lt;/a&gt; of searchers. According to him, the data shows that people fall into one of seven searcher categories: the pornhound, the manhunter (looks up a person's name again and again), the shopper, the obsessive (the person who searches for the same thing incessantly), the omnivore (the person who searches like crazy, and doesn't really have a pattern), the newbie and the basketcase.&lt;br /&gt;&lt;br /&gt;The most interesting way that I found to look at the data is to pick out a specific user. It's damn interesting, comical, and scary as to how much insight you might get. Take a look at User 16006693 go from politics, to retirement, to politics, to religion, to sex, quickly back to religion (repent!), to food and finally to heartburn. 
Classic.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;p&gt;&lt;br /&gt;16006693 nak&lt;br /&gt;16006693 nack&lt;br /&gt;16006693 sharona&lt;br /&gt;16006693 knack&lt;br /&gt;16006693 knack downloads&lt;br /&gt;16006693 oakrige boys&lt;br /&gt;16006693 oakridge boys&lt;br /&gt;16006693 oakridge boys downloads free&lt;br /&gt;16006693 jokes about dick cheney&lt;br /&gt;16006693 jokes about dick cheney but not george bush&lt;br /&gt;16006693 dick cheney creep&lt;br /&gt;16006693 dick cheney dickhead&lt;br /&gt;16006693 rummy dickhead&lt;br /&gt;16006693 where is iraq&lt;br /&gt;16006693 where is lebenon&lt;br /&gt;16006693 his bullets&lt;br /&gt;16006693 his bullies&lt;br /&gt;16006693 shiits&lt;br /&gt;16006693 shee-ites&lt;br /&gt;16006693 bush appruval&lt;br /&gt;16006693 bush approvel&lt;br /&gt;16006693 bush drops below&lt;br /&gt;16006693 dead reporters&lt;br /&gt;16006693 dead reporters fotos&lt;br /&gt;16006693 dead reporters pix&lt;br /&gt;16006693 disembowled reporters pix&lt;br /&gt;16006693 disembowled new york times&lt;br /&gt;16006693 love thine enemas&lt;br /&gt;16006693 love thine enemies&lt;br /&gt;16006693 bible quote of the day&lt;br /&gt;16006693 insperation from bible&lt;br /&gt;16006693 george bush great president&lt;br /&gt;16006693 george w bush great president&lt;br /&gt;16006693 dream on&lt;br /&gt;16006693 oakridge boys lyrics dream on&lt;br /&gt;16006693 how to run country&lt;br /&gt;16006693 how to run country when not really inerested&lt;br /&gt;16006693 people to run country for you&lt;br /&gt;16006693 over work&lt;br /&gt;16006693 overwork&lt;br /&gt;16006693 stress&lt;br /&gt;16006693 best place to retire&lt;br /&gt;16006693 places like crawford but without cindy sheehan&lt;br /&gt;16006693 crawford the town not cindy crawford&lt;br /&gt;16006693 crawford tx&lt;br /&gt;16006693 like crawford tx but not so hot&lt;br /&gt;16006693 best places to retire not hot&lt;br /&gt;16006693 best places to retire global warming&lt;br /&gt;16006693 
global warming mith&lt;br /&gt;16006693 global warming myth&lt;br /&gt;16006693 crawford hot&lt;br /&gt;16006693 cindy crawford hot&lt;br /&gt;16006693 rice hot&lt;br /&gt;16006693 rice hot not recipes&lt;br /&gt;16006693 rice naked&lt;br /&gt;16006693 rice nude&lt;br /&gt;16006693 bible quotes resisting temptation&lt;br /&gt;16006693 oakridge boys i'll be true to you&lt;br /&gt;16006693 oakridge boys trying to love two women&lt;br /&gt;16006693 rice and beans&lt;br /&gt;16006693 tex mex&lt;br /&gt;16006693 tex mex not music&lt;br /&gt;16006693 tex mex takeout&lt;br /&gt;16006693 tex mex takeout dc&lt;br /&gt;16006693 heart burn&lt;br /&gt;16006693 heartburn&lt;/p&gt;&lt;/blockquote&gt;&lt;br /&gt;Technorati tags: &lt;a href="http://technorati.com/tag/identity+management" rel="tag"&gt;Identity Management&lt;/a&gt;, &lt;a href="http://technorati.com/tag/aol+leak" rel="tag"&gt;AOL Leak&lt;/a&gt;, &lt;a href="http://technorati.com/tag/privacy"&gt;Privacy&lt;/a&gt;, &lt;a href="http://technorati.com/tag/stephen+colbert"&gt;Stephen Colbert&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-115569813305269450?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/115569813305269450/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=115569813305269450' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/115569813305269450'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/115569813305269450'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/08/stephen-colbert-identity-and-user.html' title='Stephen Colbert, Identity and User 
16006693'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-115556818116132370</id><published>2006-08-14T11:03:00.000-04:00</published><updated>2006-08-14T11:17:15.476-04:00</updated><title type='text'>Open Source IdM Implementation</title><content type='html'>Kepak, a European Food Giant (well, 2000 folks doesn't qualify as a giant, does it?) has asked the Open Source gurus at &lt;a href="http://www.siriusit.co.uk/"&gt;Sirius Corporation&lt;/a&gt; to deploy "...an OpenLDAP-based Identity Management solution...".&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://sourcewire.com/releases/rel_display.php?relid=26715&amp;hilite="&gt;article&lt;/a&gt; doesn't mention which vendors were selected, although they do describe it as "...a secure, standards-based platform that will authenticate Windows users to all network services."&lt;br /&gt;&lt;br /&gt;Who could they have selected? Don't know, but it's probably somewhere in this &lt;a href="http://www.safehaus.org/map/"&gt;Identity Management Open Source map&lt;/a&gt; put together by Jim Yang and the folks at &lt;a href="http://www.identyx.com/"&gt;Identyx&lt;/a&gt;. I love this thing. 
I wish someone would put together another one for vendors outside the open source space...any takers?&lt;br /&gt;&lt;br /&gt;Technorati tags: &lt;a href="http://technorati.com/tag/identity+management" rel="tag"&gt;Identity Management&lt;/a&gt;, &lt;a href="http://technorati.com/tag/open+source" rel="tag"&gt;Open Source&lt;/a&gt;, &lt;a href="http://technorati.com/tag/jim+yang"&gt;Jim Yang&lt;/a&gt;, &lt;a href="http://technorati.com/tag/identyx"&gt;Identyx&lt;/a&gt;, &lt;a href="http://technorati.com/tag/sirius"&gt;Sirius&lt;/a&gt;, &lt;a href="http://technorati.com/tag/kepak"&gt;Kepak&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-115556818116132370?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/115556818116132370/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=115556818116132370' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/115556818116132370'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/115556818116132370'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/08/open-source-idm-implementation.html' title='Open Source IdM Implementation'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-115388496192856054</id><published>2006-07-25T23:23:00.000-04:00</published><updated>2006-07-25T23:45:36.166-04:00</updated><title type='text'>Identity Management Services Company Acquisition</title><content type='html'>I &lt;a href="http://identityman.blogspot.com/2006/06/identity-management-services-market.html"&gt;posted&lt;/a&gt; a few probing questions a while back regarding the Identity Management services market. Today, I read an interesting &lt;a href="http://biz.yahoo.com/prnews/060725/latu091.html?.v=60"&gt;press release&lt;/a&gt; with the heading:&lt;br /&gt;&lt;br /&gt;&lt;div align="center"&gt;&lt;span style="font-size:130%;"&gt;"&lt;strong&gt;Novacoast Announces Acquisition of eNvision Data Solutions, LLC&lt;/strong&gt;"&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;Some excerpts below:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;p&gt;Novacoast, Inc., an IT professional services firm announces the acquisition of eNvision Data Solutions, LLC. eNvision, a systems integrator in Philadelphia, has served Pennsylvania and New Jersey since 2001. eNvision's core competence is in identity management, Linux, and Open Enterprise Server...&lt;br /&gt;&lt;br /&gt;Paul Anderson, President and CEO of Novacoast said, "Our attention is constantly focused on acquiring the best engineering skill sets and delivering those skills to the market. Our acquisition of eNvision gives us top engineering skills in identity management and Linux. &lt;/p&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;So, this is some pretty interesting stuff. You don't hear of Identity Management professional services company acquisitions every day. 
We've become accustomed to hearing about product companies getting acquired (there was another one by the way...Entrust &lt;a href="http://www.infoworld.com/article/06/07/19/HNentrustbizsig_1.html?source=rss&amp;url=http://www.infoworld.com/article/06/07/19/HNentrustbizsig_1.html"&gt;announced&lt;/a&gt; it's picking up Business Signatures on the 19th of this month) - but services companies haven't been having the same excitement. A few more of these, and things might start getting exciting. (At least for us!)&lt;br /&gt;&lt;br /&gt;Technorati tags: &lt;a href="http://technorati.com/tag/identity+management" rel="tag"&gt;Identity Management&lt;/a&gt;, &lt;a href="http://technorati.com/tag/acquisition" rel="tag"&gt;Acquisition&lt;/a&gt;, &lt;a href="http://technorati.com/tag/Novacoast"&gt;Novacoast&lt;/a&gt;, &lt;a href="http://technorati.com/tag/envision"&gt;eNvision&lt;/a&gt;, &lt;a href="http://technorati.com/tag/novell"&gt;Novell&lt;/a&gt;, &lt;a href="http://technorati.com/tag/entrust"&gt;Entrust&lt;/a&gt;, &lt;a href="http://technorati.com/tag/business+signatures"&gt;Business Signatures&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-115388496192856054?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/115388496192856054/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=115388496192856054' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/115388496192856054'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/115388496192856054'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/07/identity-management-services-company.html' 
title='Identity Management Services Company Acquisition'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-115280492295395681</id><published>2006-07-13T11:27:00.000-04:00</published><updated>2006-07-13T11:41:48.636-04:00</updated><title type='text'>Excellent Blog for Entrepreneurs on Fund Raising</title><content type='html'>An excellent blog I've been frequenting lately is &lt;a href="http://www.bostonvcblog.com"&gt;www.bostonvcblog.com&lt;/a&gt; by Jeff Bussgang. Besides the fact that he was part of some pretty large startups (Upromise) - he gives some excellent insight into the whole fund raising process. The best part of the blog is that Jeff doesn't shy away from giving numbers, percentages and the like...you know, the questions that really matter. He also discusses the mindset of VCs and entrepreneurs, and the possible clashes that could occur. Anyhow, I'll leave you with an excerpt to give you a taste and illustrate his insight into the numbers, but you should go take a look for yourselves:&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;...Let’s do the math on an example to see how this plays out. Let's say an entrepreneur owns 10% of their VC-backed start-up and someone comes and offers them $100 million. Thus, they stand to make $10 million if they proceed with the sale. Let's say a VC fund owns 20% and thus will take away $20 million, but  assume they’ve invested $5 million already in the company, yielding a net capital gain of $15 million. Further, let’s say the VC’s “carried interest” is 20%. Therefore, the general partners of the fund take home $3 million. 
Let’s say there are 6 partners that split the carry evenly – that’s $500k for each general partner...&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Technorati tags: &lt;a href="http://technorati.com/tag/identity+management" rel="tag"&gt;Identity Management&lt;/a&gt;, &lt;a href="http://technorati.com/tag/vc" rel="tag"&gt;VC&lt;/a&gt;, &lt;a href="http://www.technorati.com/tags/fund+raising"&gt;Fund Raising&lt;/a&gt;, &lt;a href="http://technorati.com/tag/startup"&gt;Startup&lt;/a&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-115280492295395681?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/115280492295395681/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=115280492295395681' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/115280492295395681'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/115280492295395681'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/07/excellent-blog-for-entrepreneurs-on.html' title='Excellent Blog for Entrepreneurs on Fund Raising'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-115266862176105031</id><published>2006-07-11T21:13:00.001-04:00</published><updated>2008-11-04T09:14:23.760-05:00</updated><title type='text'>ITIL and IDM Buzz (HP, BMC and Courion)</title><content 
type='html'>I just read a pretty &lt;a href="http://h20325.www2.hp.com/blogs/reed/archive/2006/06/26/1223.html"&gt;interesting post&lt;/a&gt; by Archie Reed on HP utilizing identity management to align the enterprise with ITIL objectives via automation (or aligning ITIL and IdM through automation). The example he gives is self service password management.&lt;br /&gt;&lt;br /&gt;ITIL (IT Infrastructure Library) is a framework of best practices focused on service delivery. Perhaps that is too broad a definition, but a good place to read about it is &lt;a href="http://www.itil-itsm-world.com/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The last time I remember ITIL and IdM used together was by BMC's VP, Somesh Singh. In &lt;a href="http://www.s-ox.com/news/detail.cfm?articleID=1469"&gt;this article &lt;/a&gt;(back in December), he stated:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;“Technology solutions that build and maintain an IT infrastructure are no longer sufficient. Customers now need to be able to demonstrate business value of investment in their IT infrastructure, only BMC offers a suite of solutions founded on the principles of ITIL and Business Service Management,”&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Although he didn't focus on automation as Archie did, nonetheless he brought ITIL into the IdM scene. BMC claims its Identity Compliance Manager is rooted in ITIL principles, and is "a graphical dashboard to report on policy compliance." So obviously, the slant here is towards compliance instead of automation, but a relation exists nonetheless. This kind of intrigued me, so I decided to do a few searches on it, and I found that Courion is polling its clients about usage of ITIL and COBIT. 
From their &lt;a href="http://www.courion.com/news/releases/2006/CustomerPoll_pr2006.asp"&gt;press release&lt;/a&gt; on their Converge conference this year, the following quote is relevant:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"When asked about best practice methodologies their organizations are undertaking today, thirty-two percent identified ITIL while twenty-one percent identified COBIT; eleven percent identified both. When participants were asked if their organizations found ITIL or COBIT to be beneficial to their risk management, governance, and compliance initiatives, sixty-four percent were not certain about ITIL, while sixty-two percent found COBIT to be beneficial. Thirty-two percent responded that their organizations are not using a best practice methodology."&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.unisys.com/corporate/images/about__unisys/partners/courion_logo.gif"&gt;&lt;img style="margin: 0px 0px 10px 10px; float: right; width: 160px;" alt="" src="http://www.unisys.com/corporate/images/about__unisys/partners/courion_logo.gif" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Interesting, considering they recently launched a Compliance tool and Role Management tool. 
It seems to me that as the market completes deployments on Password Management and Provisioning implementations, and starts making Role Management and Compliance Management a reality - ITIL and COBIT will become more relevant to the identity discussions.&lt;br /&gt;&lt;br /&gt;Technorati tags: &lt;a href="http://technorati.com/tag/identity+management" rel="tag"&gt;Identity Management&lt;/a&gt;, &lt;a href="http://technorati.com/tag/itil" rel="tag"&gt;ITIL&lt;/a&gt;, &lt;a href="http://technorati.com/tag/IDM" rel="tag"&gt;IDM&lt;/a&gt;, &lt;a href="http://technorati.com/tag/COBIT"&gt;COBIT&lt;/a&gt;, &lt;a href="http://technorati.com/tag/HP"&gt;HP&lt;/a&gt;, &lt;a href="http://technorati.com/tag/BMC"&gt;BMC&lt;/a&gt;, &lt;a href="http://technorati.com/tag/Courion"&gt;Courion&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-115266862176105031?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/115266862176105031/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=115266862176105031' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/115266862176105031'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/115266862176105031'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/07/itil-and-idm-buzz-hp-bmc-and-courion.html' title='ITIL and IDM Buzz (HP, BMC and Courion)'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-115254766126607870</id><published>2006-07-10T11:58:00.000-04:00</published><updated>2006-07-10T12:07:41.290-04:00</updated><title type='text'>EMC's Justification for RSA Acquisition</title><content type='html'>According to a number of &lt;a href="http://www.infoworld.com/article/06/07/10/28NNemcrsatieup_1.html"&gt;reports&lt;/a&gt;, EMC has been getting criticism from investors and Wall Street regarding the whole RSA buy.&lt;br /&gt;EMC's Rob Sadowski &lt;a href="http://www.infoworld.com/article/06/07/10/28NNemcrsatieup_1.html"&gt;explains&lt;/a&gt; their reasoning for purchasing RSA by describing the storage market moving towards "holistic" information management which is accomplished by Identity Management technologies.  So instead of writing their own identity tools, why not buy and beat competitors to it?&lt;br /&gt;Rob's analysis holds some truth. 
Think about Sun's &lt;a href="http://www.networkworld.com/news/2006/022106-sun-storage.html"&gt;integration&lt;/a&gt; of their storage and identity products earlier this year.&lt;br /&gt;So does this mean we will see more storage and identity companies forging relationships?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-115254766126607870?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/115254766126607870/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=115254766126607870' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/115254766126607870'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/115254766126607870'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/07/emcs-justification-for-rsa-acquisition.html' title='EMC&apos;s Justification for RSA Acquisition'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-115163223643178115</id><published>2006-06-29T21:34:00.000-04:00</published><updated>2006-07-04T10:29:45.413-04:00</updated><title type='text'>EMC Buys RSA</title><content type='html'>&lt;a href="http://www.playfuls.com/scitech/gimages/emc08052.jpg"&gt;&lt;img style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 229px; CURSOR: hand" height="166" alt="" src="http://www.playfuls.com/scitech/gimages/emc08052.jpg" border="0" 
/&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I just &lt;a href="http://identityman.blogspot.com/2006/06/identity-management-services-market.html"&gt;posted&lt;/a&gt; yesterday that the M&amp;A market in the identity space seems to be slowing down, and then POW, a huge acquisition is &lt;a href="http://www.tmcnet.com/usubmit/2006/06/29/1700560.htm"&gt;announced&lt;/a&gt; today (Over $2 Billion!!).&lt;br /&gt;&lt;br /&gt;What does this mean?&lt;br /&gt;Well for one, acquisitions are still somewhat alive in the identity market. It might be that this sets off a few more acquisitions. There are a number of boutique shops, and a number of large players with weaknesses here or there. For example, Microsoft could use a better provisioning solution, and a number of companies are weak on federation and such. So, there is room and need for acquisitions in the IdM space, although in my opinion, this would be the final round.&lt;br /&gt;&lt;br /&gt;What does it mean for RSA and their partners? (We are, and unfortunately, this is the first I've heard about this deal). Well, in my opinion, it's a positive thing. EMC is notorious for their aggressive sales machine. They might be able to give life to RSA sales. &lt;a href="http://www.ntx.at/zertifizierungen/RSA.GIF"&gt;&lt;img style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 200px; CURSOR: hand" alt="" src="http://www.ntx.at/zertifizierungen/RSA.GIF" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Also, RSA has been pigeonholed as the "keyfob guys", and they have been unsuccessful in their attempts to rebrand themselves as a holistic identity company. This might give their other products (which are pretty damn good) a chance to shine. 
They have a great web access management tool that has been around forever (Cleartrust), they have a SSO solution (I believe they OEM Passlogix' V-Go), and a federation product (FIM) that desperately need some marketing attention.&lt;br /&gt;&lt;br /&gt;Another possible positive is if EMC delivers on their promise to integrate RSA's product into their information management line of products. If this happens, in similar style to the way Oracle has been able to pull off the integration of the companies they acquired (even if only as a marketing ploy), then this is great news for RSA's product line.&lt;br /&gt;&lt;br /&gt;All in all, a good move for RSA. As for EMC, that depends on what they do with it.&lt;br /&gt;&lt;br /&gt;Technorati tags: &lt;a href="http://technorati.com/tag/identity+management" rel="tag"&gt;Identity Management&lt;/a&gt;, &lt;a href="http://technorati.com/tag/RSA" rel="tag"&gt;RSA&lt;/a&gt;, &lt;a href="http://technorati.com/tag/EMC" rel="tag"&gt;EMC&lt;/a&gt;, &lt;a href="http://technorati.com/tag/Acquisition" rel="tag"&gt;Acquisition&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-115163223643178115?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/115163223643178115/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=115163223643178115' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/115163223643178115'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/115163223643178115'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/06/emc-buys-rsa.html' title='EMC Buys RSA'/><author><name>Ashraf 
Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-115154012097930531</id><published>2006-06-28T19:55:00.000-04:00</published><updated>2006-06-28T20:28:17.533-04:00</updated><title type='text'>Identity Management Services Market</title><content type='html'>A topic of recent interest to me is regarding the Identity Management Services Market, with forecasting and the whole nine. If you google "identity management market", or other similar searches, you'll find a few papers on the topic, although their focus is naturally on the product side of things.&lt;br /&gt;&lt;br /&gt;Radicati, about 9 months ago, released in their &lt;a href="http://www.radicati.com/reports/single.asp#33"&gt;analysis&lt;/a&gt; "Identity Management Market, 2005-2009" that the Identity Management market, including all segments -- full-suites, provisioning, secure access/authentication, and federated identity solutions -- will reach over $1.2 billion in 2005 in worldwide revenues, and grow to over $8.5 billion by 2008. I recall Jamie Lewis back in 2004's Catalyst Conference providing a &lt;a href="http://conference.digitalidworld.com/2004/attendees/slides/1027_1315_A.pdf"&gt;progress report &lt;/a&gt;on the IdM market, and he described it back then as the first round of M&amp;A activity coming to a close (I wonder where that puts us today?...haven't heard of a good acquisition lately). Anyhow, both were regarding the state of affairs of the software side of things. What about services? I'm sure the folks in Deloitte, PWC, etc. 
have thoroughly researched the topic - unfortunately, I'm unable to find anything directly on the matter.&lt;br /&gt;Obviously, when the product market is hot, the services should necessarily follow - but that could be contingent on a number of issues. How difficult are the integrations? Are the products increasing in sophistication, thereby easing administrative and deployment burdens? Is ease of use even high on vendors' lists? If not, why? and when will it be? Lots of questions, few answers.&lt;br /&gt;Anyhow, this is a topic that concerns me due to my profession, although I'm not losing sleep on it since the market seems like it's chugging along at a decent pace. What does concern me are the questions: for how long? what are the trends in various verticals regarding the selection of professional services firms for services work? How many are outsourcing their deployment and support work? How many are utilizing in-house resources? What factors are affecting decisions regarding which firms to award the bid to? 
I personally have answers to some of these questions based on my experiences in the market, yet a more scientific study would be welcome.&lt;br /&gt;&lt;br /&gt;Technorati tags: &lt;a href="http://technorati.com/tag/identity+management" rel="tag"&gt;Identity Management&lt;/a&gt;, &lt;a href="http://technorati.com/tag/identity+management+market" rel="tag"&gt;Identity Management Market&lt;/a&gt;, &lt;a href="http://technorati.com/tag/catalyst" rel="tag"&gt;Catalyst&lt;/a&gt;, &lt;a href="http://technorati.com/tag/radicati" rel="tag"&gt;Radicati&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-115154012097930531?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/115154012097930531/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=115154012097930531' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/115154012097930531'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/115154012097930531'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/06/identity-management-services-market.html' title='Identity Management Services Market'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-115032039608195196</id><published>2006-06-14T17:22:00.000-04:00</published><updated>2006-06-14T17:34:15.456-04:00</updated><title type='text'>RSA and 
PassLogix in TransCanada Presentation (from Catalyst)</title><content type='html'>&lt;a href="http://www.banderasnews.com/0508/images/pipeline.jpg"&gt;&lt;img style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 320px; CURSOR: hand" alt="" src="http://www.banderasnews.com/0508/images/pipeline.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;I just attended a really interesting presentation at Catalyst today by Martin Vant Erve of TransCanada Pipelines entitled "Implementing Enterprise Single Sign-On with Two Factor Authentication." Wow! What a great case study. Simple, honest, didn't hold any punches. The idea is pretty straightforward: a user uses his/her securid code, that gets forwarded to AD, which references RSA Authentication Manager - which is followed by the whole auth vs. AD (under the hood), finally the end user is authenticated and session is sent to the client. Once that whole thing is completed, PassLogix V-Go takes over by providing the SSO piece of it. He had excellent analytics in regards to reduction of help desk, which is often touted in front of customers. He said that help desk calls actually stayed the same, because they got new calls to the help desk for issues like "I left my token at home", and questions about the new deployed apps. Yet, TransCanada considered this as a win because they increased security which is what they were after. To make the bitter pill easier to swallow for end users, they coupled it with SSO. 
All in all, a solid case study.&lt;br /&gt;&lt;br /&gt;Technorati tags: &lt;a href="http://technorati.com/tag/identity+management" rel="tag"&gt;Identity Management&lt;/a&gt;, &lt;a href="http://technorati.com/tag/rsa" rel="tag"&gt;RSA&lt;/a&gt;, &lt;a href="http://technorati.com/tag/PassLogix" rel="tag"&gt;PassLogix&lt;/a&gt;, &lt;a href="http://technorati.com/tag/catalyst" rel="tag"&gt;Catalyst&lt;/a&gt;, &lt;a href="http://technorati.com/tag/SSO" rel="tag"&gt;SSO&lt;/a&gt;, &lt;a href="http://technorati.com/tag/securid" rel="tag"&gt;SecurID&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13465455-115032039608195196?l=identityman.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/115032039608195196/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=115032039608195196' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/115032039608195196'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/115032039608195196'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/06/rsa-and-passlogix-in-transcanada.html' title='RSA and PassLogix in TransCanada Presentation (from Catalyst)'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-114990696346250316</id><published>2006-06-09T22:24:00.000-04:00</published><updated>2006-06-09T22:45:53.943-04:00</updated><title type='text'>Catalyst's Session on Provisioning, "The Vortex of IdM"</title><content type='html'>&lt;a href="http://photos1.blogger.com/blogger/4551/1184/1600/home_logo.gif"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;" src="http://photos1.blogger.com/blogger/4551/1184/320/home_logo.gif" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;The upcoming Catalyst conference has what looks like an interesting session conducted by Burton Group's Lori Rowland on Provisioning. The following excerpt from the &lt;a href="http://catalyst.burtongroup.com/attendees/abstract.php?sessionID=64"&gt;session description&lt;/a&gt; caught my eye:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Compliance and security concerns are driving provisioning solutions into enterprise customer environments, &lt;strong&gt;however the sophistication of these customer deployments are lagging behind technology advancements.&lt;/strong&gt;&lt;/blockquote&gt; &lt;br /&gt;&lt;br /&gt;What struck me was that on most deployments we've completed, a ton of "customizations" were needed in order to satisfy the customer. By customizations, I mean changes that would qualify as outright upgrade features - and I've heard similar complaints from colleagues in the field. 
Any way you slice it, this session is a must-see.</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/114990696346250316/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=114990696346250316' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/114990696346250316'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/114990696346250316'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/06/catalysts-session-on-provisioning.html' title='Catalyst&apos;s Session on Provisioning, &quot;The Vortex of IdM&quot;'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-114936262094888366</id><published>2006-06-03T15:23:00.000-04:00</published><updated>2006-06-09T22:36:59.023-04:00</updated><title type='text'>Novell Taking a Beating...</title><content type='html'>&lt;a 
href="http://www.toptechnews.com/images/small/small-sco-penguin-frown.jpg"&gt;&lt;img style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 200px; CURSOR: hand" alt="" src="http://www.toptechnews.com/images/small/small-sco-penguin-frown.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;This &lt;a href="http://www.ovum.com/news/euronews.asp?id=4409"&gt;article&lt;/a&gt; shows Novell's continuing problems in the past quarter. Although a series of press releases by Novell attempts to paint a different picture, the numbers don't lie. I think this sentence says it all: "Cashflow from operations was a negative $24m, up from a negative $25m."&lt;br /&gt;&lt;br /&gt;What does this mean for Novell's identity offering? Well, nothing in the article focused on their identity offering, but they are not as visible as they once were (18 months ago) in third-party reports and such. Anyhow, it's something to keep an eye out for.</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/114936262094888366/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=114936262094888366' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/114936262094888366'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/114936262094888366'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/06/novell-taking-beating_03.html' title='Novell Taking a Beating...'/><author><name>Ashraf 
Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13465455.post-114891189303417892</id><published>2006-05-29T09:48:00.000-04:00</published><updated>2006-05-29T10:57:18.896-04:00</updated><title type='text'>Notes on Laws of Identity (Part 3)</title><content type='html'>&lt;p&gt;&lt;span style="font-family:arial;"&gt;It's been a while, but I'm going to work on finishing unfinished business... &lt;/span&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;"&gt;The definition laid out thus far is flexible enough to cover all the known digital identity systems, allowing for the emergence of a metasystem embracing multiple implementations/ways of doing things. &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family:arial;"&gt;The usefulness of the claim is not inherent in the claim, but lies in its evaluation/decision by the relying party.&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;span style="font-family:arial;"&gt;The Laws (finally...):&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:arial;"&gt;1. &lt;strong&gt;User Control and Consent&lt;/strong&gt;: Technical identity systems must only reveal information identifying a user with the user's consent. The system should also protect the user against deception, verifying the identity of any parties who ask for information, ensuring submitted information goes to the right place, and informing the user of the reason for which the information is requested.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:arial;"&gt;2. &lt;strong&gt;Minimal Disclosure for a Constrained Use: &lt;/strong&gt;To mitigate risk, the solution should release the least amount of identifying information possible.  
This ensures that there is less of a chance of identifying a person across multiple contexts.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;"&gt;3. &lt;strong&gt;Justifiable Parties&lt;/strong&gt;: Information is only disclosed to those parties that have a "justifiable" place in the identity transaction. Although what exactly qualifies as "justifiable" is open to interpretation, this law does provide for a transparent transaction.&lt;/span&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://identityman.blogspot.com/feeds/114891189303417892/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13465455&amp;postID=114891189303417892' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/114891189303417892'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13465455/posts/default/114891189303417892'/><link rel='alternate' type='text/html' href='http://identityman.blogspot.com/2006/05/notes-on-laws-of-identity-part-3.html' title='Notes on Laws of Identity (Part 3)'/><author><name>Ashraf Motiwala</name><uri>http://www.blogger.com/profile/06659523320698728171</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
