Wednesday, December 27, 2006

Sun on Identity for Healthcare and the Cost Problem

Health IT World has published an interview by John Russel called Sun’s Healthcare Mantra: Reduce Cost and Complexity with Sun Director of Healthcare and Life Sciences, Joerg Schwarz. He weighs in on Identity and provides a few interesting scenarios for federation:

Some RHIOs [regional health information organizations] follow the central model. Some follow the federated model. I chose a centralized model, which naturally creates a lot of animosity by privacy advocates, by patients, by people who are just afraid of having all the data concentrated in one place and I don't want to say who's right or wrong, but these are the two fundamental models. You centralize everything and use that as a model, or do you have a federated model where you keep the data where it is. You just have to make sure that when you need it you can save it to the aggregate it together.

When asked which model was better...

...identity management because data protection to control who accesses information through the entire lifecycle. The best way to do this is building a federated identity management concept so that a doctor that is known and authenticated with one institution can request data from another institution where he is unknown, but that gives him doctor level credentials to access information involving a patient.

Early in the interview, he explains that although most hospitals today have digital records, they are not linked, and primary care physicians typically don't have access to them. It seems that linking hospitals has a strong business case, and it's just a matter of time before that gets into full swing...but what about the primary care physicians? A few barriers exist here:

1. $$$ - docs don't have the money to invest in infrastructure like this. And more importantly...
2. Why would they? Why would they want to share their info with other primary care physicians which could possibly give competitors an edge?

So there still seems to be a case for doctors as data consumers, although there seems to be a conflict of interest for them to behave as data providers. This might be circumvented if patient data can be released while protecting data regarding the physician history.

This would be a wonderful scenario for user-centric identity...
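The federated pattern Schwarz describes (a clinician authenticated at home, unknown at the institution holding the data, but accepted there on the strength of a vouched-for role) is easy to model. The following is an added example, not code from the interview, from Sun, or from any vendor: a home institution signs an assertion about an authenticated user, and a second institution verifies it against a key it trusts and maps the asserted role onto its own local rights. The issuer name `hospital-a.example`, the role-to-rights table and the keys are constructed, and a shared HMAC key stands in for the public-key signatures a real SAML-style deployment would use.

```python
import hashlib
import hmac
import json
import time

# Constructed trust list: issuer name -> key the relying institution trusts.
# A real deployment would verify public-key signatures, not a shared secret.
TRUSTED_IDPS = {
    "hospital-a.example": b"constructed-key-for-hospital-a",
}

# Constructed local policy: asserted role -> actions permitted at this institution.
ROLE_TO_LOCAL_RIGHTS = {
    "physician": {"read_patient_record"},
    "clerk": {"read_demographics"},
}


def issue_assertion(issuer, key, subject, role, ttl=300, now=None):
    """Home institution: sign who the user is and which role it vouches for."""
    now = time.time() if now is None else now
    payload = {"iss": issuer, "sub": subject, "role": role, "exp": int(now + ttl)}
    body = json.dumps(payload, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_assertion(assertion, now=None):
    """Relying institution: accept only untampered, unexpired assertions
    from an issuer in its federation; return the payload or None."""
    now = time.time() if now is None else now
    payload = json.loads(assertion["body"])
    key = TRUSTED_IDPS.get(payload.get("iss"))
    if key is None:
        return None  # issuer is not federated with us
    expected = hmac.new(key, assertion["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None  # signature mismatch: tampered or forged
    if payload.get("exp", 0) < now:
        return None  # stale assertion
    return payload


def authorize(assertion, action, now=None):
    """Map the asserted role to local rights; unknown roles get nothing."""
    payload = verify_assertion(assertion, now)
    if payload is None:
        return False
    return action in ROLE_TO_LOCAL_RIGHTS.get(payload["role"], set())


if __name__ == "__main__":
    key = TRUSTED_IDPS["hospital-a.example"]
    a = issue_assertion("hospital-a.example", key, "dr.jones", "physician", now=1000)
    print(authorize(a, "read_patient_record", now=1100))  # True
    print(authorize(a, "read_patient_record", now=2000))  # False: expired
```

The point worth noticing is that the second institution never stores a credential for the doctor: its only decisions are whether it trusts the issuer, whether the assertion is intact and fresh, and what the asserted role means locally. The role mapping is the lever for the concern raised above about releasing patient data while protecting other information: the relying side decides what "doctor level" grants, not the home institution.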

Sunday, December 24, 2006

Zone of Mediocrity

Words of wisdom from Kathy Sierra:

"...if you're not doing something that someone hates, it's probably mediocre..."

"...willing to take risks! Perhaps more importantly, be willing to tolerate (and perhaps even encourage) risk-taking in those who are managed by you..."

Monday, December 18, 2006

Identity Management PMs and Use Cases

I just read an interesting blog entry on Mike Wyatt's Blog entitled "Project Managers as a Critical Success Factor or Identity Management Projects". It piqued my interest because it has become a recurring topic of discussion amongst some of the folks in our integration team. Mike talks about clients not wanting to shell out the extra service dollars for the PM, opting to use their own "experienced" PMs. Mike aptly points out... order to "get the deal done" vendors will make this concession. More often than not, when a project gets in trouble, the common issue is not technology (the bits) or even the vendor's technical team. It is usually the lack of strong project management, especially when customers are providing the project manager.

A few points that our team has come up with:

  • Use Case definitions for identity projects are quite helpful, especially in defining expected behavior of the IdM system based on predefined inputs. Many times, PMs get caught up in the tasks that need to be completed, and become task masters who babysit the team to ensure that tasks get done, many times losing the big picture. What is the big picture? It's what the client wants, and that needs to be defined up front. So one of the first tasks for a PM should be to engage the client in order to clearly identify the use cases with accompanying pre-conditions and post-conditions. This document should read easily for any business user, so that the client PM (or equivalent) agrees to the exact desired behavior of the system upon project completion.
  • If the use case document is clearly written, it can be used for project sign-off in the development environment, prior to migration. A meeting can be used to bring all relevant players together in order to demonstrate that the system behaves exactly as the client requested - using the use case document as a checklist. "This is what you wanted. Let me demonstrate that for you...great, it works. Let's check it off and go to the next use case."
  • In the "Use Case" phase, the PM could be used heavily while using the architect for reference and sanity checks. Once the Use Case is completed, the PM could take a back seat and let the architect roll up his/her sleeves. The PM from this point only needs to monitor the project rather than to be involved and bill day-to-day. (Of course, the architect has to step in to ensure feasibility before the use case is signed off on by both parties.) This shows the client that you could use a PM (and architect) effectively, and make them feel comfortable that it won't cost them a substantial services fee at the same time.

More to come on the PM's continuing role in the project...

Tuesday, December 12, 2006

Even Identity Can't Save Novell Now

Novell's Identity suite is arguably one of the best, with quite possibly the largest number of production deployments in the market. Its provisioning solution is very mature, with Identity Manager 3 boasting "Designer", a tool allowing administrators to create almost the complete identity implementation graphically, and then drill down for configuration.
Furthermore, sales of Novell's Identity Manager are up 3% from last year. All that aside, Novell is in trouble.

Timothy Prickett Morgan states:

In the fourth quarter, Novell had software license sales of $46.1 million, down 41 percent from the year ago period. The bulk of this drop is attributed to a rapid decline in NetWare and its related Open Enterprise Server license sales, but Novell had issues in other areas. Linux is not growing fast enough to fill the NetWare hole, and neither are the company's identity management or server management product lines...You can also see why Novell bought SUSE three years ago. If it had not, Novell would be dead right now.

Hovsepian predicted lengthened stagnation in software sales in 2007, with the exception of Linux and Identity Management...but also expected a boost in '08 as a result of the Microsoft deal. Any way you slice it, Novell is not in good shape. Their stock price hit a 52-week low last week, as a result of their announcement regarding flat sales in '07. Identity brought in revenue of $23.8m in the quarter. Sales were up just $793,000, or 3.5%, to be worth 9.7% of overall revenue...apparently, Identity can't save Novell, but maybe Microsoft can.

Thursday, November 16, 2006

DOJ, Ping, and the Disappearing Service Dollar

A friend of mine forwarded an email to me today regarding a project for a client who was interested in deploying Ping Federate. At first, I was pretty excited. I'm a big fan of what Ping has done in the past years - they've brought solid software to solve the world's federation problems. (In the company I used to work for last year, I had the privilege of taking my team of identity consultants to Ping's HQ in Denver to meet the Ping folks and get trained in Ping Federate. Honestly, they've got the highest concentration of brains in a small company I've ever seen. Kudos to Andre.)

When I got the email regarding the project, I noticed that it was in fact a forwarded email from a recruiter who wanted to "staff" a position at the Department of Justice...looking for a person who had experience with the Ping line. Then I saw this press release from Ping, stating:

...PingFederate will be part of the expanded RISSNET architecture used to enable law enforcement and criminal justice agencies throughout the United States, Canada, the United Kingdom, Australia and the U.S. Territories to share intelligence and coordinate efforts against criminal and terrorist networks that operate in multiple locations.

That's some pretty serious stuff. Eric Norlin (who knows a thing or two about Ping) states this on his ZDNet blog:

Ping Identity announced that the U.S. Department of Justice selected them to provide federation to over 7,300 local law enforcement agencies and 700,000 law enforcement officials.

I was interested. It was definitely something we could respond to. But the email's "staffing" approach to the whole thing kind of threw me off. The press release and the recruiter's email didn't seem to fit.

Anyhow, I got a phone call a few hours ago with the details. Worse than I imagined...they want a "resource" (guaranteed till February! yeehaw.), for a rate so low that we wouldn't even cover our costs. Could it be that the Department of Justice was just looking at a federation deployment for nearly three quarters of a million seats as something to throw a "resource" or two at? Anyone who knows anything about identity will tell you that federation can be pretty complicated stuff. Also, how could the rate possibly be so low? How many layers were between us and DOJ? Who's eating all of the service dollars? Even if there were a lot of layers, would DOJ accept a team slapped together to deploy an enabling technology like federation? Something's not right, definitely not right.

Tuesday, November 14, 2006

Best Identity Management Solution Competition?

SC Magazine has released the finalists for its Best Identity Management Solution Award. The finalists are:

What do you mean Identity Management?? Kind of broad, isn't it?

"Includes user provisioning solutions, single sign-on, password management, user rights revocation, etc."

OH. "Etc." !! Never mind, that clarifies everything.

Sunday, November 05, 2006

Kim Goes Veg

Kim makes some excellent points regarding the inclusion of vegetables into the identity laws. Read for yourself:

The synergistic combination of omnidirectional identifiers and correlation handles on a per-vegetable basis could be the sustainable architecture behind the meta-zucchini infrastructure.

Any metasystem needs to realize that pumpkins may vary in physical appearance, but their basic architecture is the same: stem, seeds and pulp represent the core of our constituent squash identity system.

We hope our commentary will stimulate oral interfacing across the vegosphere and among the “gouderati”.

Wednesday, October 25, 2006

Resources for Angel Investment Seekers

Last week, I had the pleasure of attending a seminar conducted by U-Start, led by Peter Pritchard from CEG entitled "Funding Continuum for Start-up & Early-Stage Firms". Excellent information for startups about the practical aspects of the funding process. Anyhow, I gained a few excellent resources for solid information about angel investments:

Angel Capital Association: a professional association that focuses on networking and sharing of best practices among angel organizations. This site has a rather comprehensive list of angels nationwide, broken down by state.

New York Angels: self-described as a forum in which its members can exchange information about investment opportunities in early-stage technology and emerging growth companies in the Northeast and to provide administrative support as its members help such companies to grow to market leadership. The section for "resources" has an invaluable slide-by-slide breakdown of what angels typically want to see.

Friday, September 15, 2006

More on IdM's Biz Prowess

Just read this article by John Oltsik, Sr. Analyst at the Enterprise Strategy Group, who attended DIDW this past week and gives a series of points on why Identity "finally made it." Point 2 states:

Projects are getting bigger. When identity and access management tools were deployed in the past it was generally on a tactical basis to address IT operations challenges. Suddenly, projects have a more business and enterprise focus. I attribute the change to compliance on the one hand and the externalization of IT on the other. This means that customers are looking at large identity deployments, big investments, and professional services. There's gold in them thar identity hills.

Another nod to the maturation of IdM in the business world...although I don't agree with the "sudden" business and enterprise focus. It took a lot of DIDW and Burton Group conferences to get here. There are many indicators that there is a market for business consulting services for identity projects. All we need now is a new acronym for this "new" field...

Another interesting quote... I'm starting to collect the "as a CXO..." quotes about identity:

“As a CIO, I strive to ensure productive, secure, cost effective solutions that help our users realize their potential. Identity and Access Management is the foundation for any solution that I provide to our users.” - Ron Markezich, CIO, Microsoft

Jamie Lewis' Keynote at DIDW and IdM Services

Phil Windley has a pretty lengthy post recapping Jamie Lewis' keynote at DIDW this year. He has some pics of some of Jamie's slides as well. (I always enjoy Jamie's 'status of the market' type slides...take a look at this one.) The interesting part was the claim that the market is moving from suites to services. I'm not sure I sense that in the market at all. Being on the floor, I haven't seen many - if any - IdM services being deployed. I have seen tons of traditional suite-type implementations. Each vendor is, of course, pushing hard to have their stack adopted and implemented, and usually with some level of success. Phil wraps this point up well (emphasis mine):

When we get to the point where there are services we can reuse, then we will see progress. There’s reason for hope. Emerging frameworks, like CardSpace, OSIS, Higgins, and Bandit promise to create an access layer.

Thursday, September 14, 2006

Identity Management's Business Prowess

It's refreshing to see the strength of the Identity market in the following excerpts. The first is an analysis on Oracle stock by Rob Black. The second is a quote from Sun's CEO, Jonathan Schwartz:

Rob Black submits: Expect an in-line Oracle (ORCL) quarter in a historically difficult period. Expect to see growth from all product segments across all geographies, with better contribution from Europe than reported in recent periods. Analysts believe Fusion Middleware focus and growth will continue for the foreseeable future, highlighted by strength in Identity Management opportunities. Analysts are increasing our price target for ORCL to $19 from $17 based on our revised DCF, which includes a reduced discount rate (due to reduced risk free rate) and increased confidence in a more promising cash flow growth scenario.

Oracle's growth is ultimately attributed to Identity. Now that is pretty big stuff. The company's entire stock price is expected to go from 17 to 19, ultimately driven by an upswing in identity sales. Just to put this into perspective, this is a company that could bankroll buying Peoplesoft at $10B and Siebel at almost $6B. In the past year or so, it has picked up some dinosaurs in the Identity world: Octetstring, Thor and Oblix.

The second quote is from Sun's CEO:

"As a CEO, nothing is more important to me than security and identity management," Schwartz said. "It's the heart of SOX, HIPAA and other regulations across the world. Who has access to what information often closely relates to who pays for that information and who's liable for that information."

That's a wonderful shout-out for identity. Given that the quote was taken from an interview Schwartz gave in relation to Sun's tight relationship with Accenture (and how they really need Accenture as a consulting arm to compete with IBM's Global Services division) - nonetheless - I'll take it! If that were the case, it would speak to the strength of the services market for Identity - which in turn speaks to the software market as well. Either way, it's a good sign for things to come.

Monday, September 04, 2006

Google's Got Ears!

Google's latest addition is a pair of ears. Perhaps more than a pair...according to this article, Google is aggressively working on software that would leverage your computer's microphone to eavesdrop on you, and play back relevant ads:

The idea is to use the existing PC microphone to listen to whatever is heard in the background, be it music, your phone going off or the TV turned down. The PC then identifies it, using fingerprinting, and then shows you relevant content, whether that's adverts or search results, or a chat room on the subject.

Am I the only one who's getting scared? What's next? They already log your searches, follow your blog (I use Blogger), they track the sites you visit via AdWords, the email you write via Gmail, etc., and now they want to be a fly (with ears) on the wall in your home! And the sad fact is that most people won't have a problem with it, in the interest of having a more intimate experience on the net. But at what cost? Can't we have our cake and eat it too? Can't we have the personalized experience we desire on the net without revealing every detail of our lives? Absolutely - from a technical perspective. The best minds in the identity world have put together a number of theoretically feasible solutions; unfortunately, dollars drive advertising over security and anonymity. I think we'll get there some day, but not before our homes are invaded by Google and their likes.


Tuesday, August 15, 2006

Stephen Colbert, Identity and User 16006693

Stephen Colbert had a hilarious piece on tonight's Colbert Report regarding protecting identity while searching (he suggests typing with your weaker hand, to disguise your typing patterns), in response to the AOL debacle (if you haven't heard, they released about 3 months of search histories comprising some 20 million searches...but don't worry, they replaced people's usernames with random IDs...so we are safe, right?)

Not exactly. Paul Boutin parsed the heck out of the data - and arrived at seven patterns of searchers. According to him, the data shows that people fall into one of seven searcher categories: the pornhound, the manhunter (looks up a person's name again and again), the shopper, the obsessive (the person who searches for the same thing incessantly), the omnivore (the person who searches like crazy, and doesn't really have a pattern), the newbie and the basket case.

The most interesting way that I found to look at the data is to pick out a specific user. It's damn interesting, comical, and scary as to how much insight you might get. Take a look at User 16006693 go from politics, to retirement, to politics, to religion, to sex, quickly back to religion (repent!), to food and finally to heartburn. Classic.

16006693 nak
16006693 nack
16006693 sharona
16006693 knack
16006693 knack downloads
16006693 oakrige boys
16006693 oakridge boys
16006693 oakridge boys downloads free
16006693 jokes about dick cheney
16006693 jokes about dick cheney but not george bush
16006693 dick cheney creep
16006693 dick cheney dickhead
16006693 rummy dickhead
16006693 where is iraq
16006693 where is lebenon
16006693 his bullets
16006693 his bullies
16006693 shiits
16006693 shee-ites
16006693 bush appruval
16006693 bush approvel
16006693 bush drops below
16006693 dead reporters
16006693 dead reporters fotos
16006693 dead reporters pix
16006693 disembowled reporters pix
16006693 disembowled new york times
16006693 love thine enemas
16006693 love thine enemies
16006693 bible quote of the day
16006693 insperation from bible
16006693 george bush great president
16006693 george w bush great president
16006693 dream on
16006693 oakridge boys lyrics dream on
16006693 how to run country
16006693 how to run country when not really inerested
16006693 people to run country for you
16006693 over work
16006693 overwork
16006693 stress
16006693 best place to retire
16006693 places like crawford but without cindy sheehan
16006693 crawford the town not cindy crawford
16006693 crawford tx
16006693 like crawford tx but not so hot
16006693 best places to retire not hot
16006693 best places to retire global warming
16006693 global warming mith
16006693 global warming myth
16006693 crawford hot
16006693 cindy crawford hot
16006693 rice hot
16006693 rice hot not recipes
16006693 rice naked
16006693 rice nude
16006693 bible quotes resisting temptation
16006693 oakridge boys i'll be true to you
16006693 oakridge boys trying to love two women
16006693 rice and beans
16006693 tex mex
16006693 tex mex not music
16006693 tex mex takeout
16006693 tex mex takeout dc
16006693 heart burn
16006693 heartburn
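Why a persistent random ID is not anonymization is easiest to see in code. The following is an added example, not part of the post and not Boutin's analysis, run over a constructed log in the released `<id> <query>` format (ids, queries and the secret are all made up). It groups queries by pseudonym into exactly the kind of profile shown above, flags queries seen by fewer than k pseudonyms as re-identification risks a data holder should review before release, and contrasts two safer releases: query counts with the ids dropped, and pseudonyms rotated every few queries using a keyed hash whose key the data holder keeps.

```python
import hashlib
import hmac
from collections import Counter, defaultdict

# Constructed sample log in the released format "<pseudonymous id> <query>".
SAMPLE_LOG = """\
1001 where is lebanon
1001 best places to retire not hot
1001 tex mex takeout dc
1001 heartburn
1002 heartburn
1002 weather
1003 weather
1003 tex mex takeout dc
1003 pediatric dentist near main st
"""


def parse_log(text):
    """Split each line into (pseudonym, query); blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pid, _, query = line.partition(" ")
        records.append((pid, query))
    return records


def profiles(records):
    """A persistent pseudonym lets every query by one person be joined into a profile."""
    out = defaultdict(list)
    for pid, query in records:
        out[pid].append(query)
    return dict(out)


def longest_profile(records):
    """Size of the largest per-pseudonym profile an outsider could assemble."""
    return max(len(qs) for qs in profiles(records).values())


def rare_queries(records, k=2):
    """Queries issued by fewer than k distinct pseudonyms: likely quasi-identifiers
    (places, names, rare conditions) that deserve review before a release."""
    ids_per_query = defaultdict(set)
    for pid, query in records:
        ids_per_query[query].add(pid)
    return sorted(q for q, ids in ids_per_query.items() if len(ids) < k)


def aggregate_release(records):
    """Release only query frequencies: no per-user join is possible at all."""
    return dict(Counter(query for _, query in records))


def session_pseudonyms(records, secret, session_len=2):
    """Rotate the pseudonym every session_len queries. The token is a keyed hash of
    (id, session index); without the secret, sessions cannot be re-linked."""
    seen = Counter()
    out = []
    for pid, query in records:
        session = seen[pid] // session_len
        seen[pid] += 1
        token = hmac.new(secret, f"{pid}:{session}".encode(), hashlib.sha256).hexdigest()[:8]
        out.append((token, query))
    return out


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print(profiles(records)["1001"])          # the joined profile
    print(rare_queries(records))              # what to review before release
    print(longest_profile(session_pseudonyms(records, b"constructed-secret")))  # 2
```

Rotating pseudonyms shortens profiles but does not remove the risk carried by a single revealing query, which is why the rare-query check is the first thing to run; releasing aggregates removes the join entirely at the cost of per-user research value.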

Technorati tags: Privacy, Stephen Colbert

Monday, August 14, 2006

Open Source IdM Implementation

Kepak, a European food giant (well, 2000 folks doesn't qualify as a giant, does it?) has asked the Open Source gurus at Sirius Corporation to deploy an "OpenLDAP-based Identity Management solution...".

The article doesn't mention which vendors were selected, although they do describe it as "...a secure, standards-based platform that will authenticate Windows users to all network services."

Who could they have selected? Don't know, but it's probably somewhere in this Identity Management Open Source map put together by Jim Yang and the folks at Identyx. I love this thing. I wish someone would put together another one for vendors outside the open source space...any takers?

Technorati tags: Jim Yang, Identyx, Sirius, Kepak

Tuesday, July 25, 2006

Identity Management Services Company Acquisition

I posted a few probing questions a while back regarding the Identity Management services market. Today, I read an interesting press release with the heading:

"Novacoast Announces Acquisition of eNvision Data Solutions, LLC"

Some excerpts below:

Novacoast, Inc., an IT professional services firm announces the acquisition of eNvision Data Solutions, LLC. eNvision, a systems integrator in Philadelphia, has served Pennsylvania and New Jersey since 2001. eNvision's core competence is in identity management, Linux, and Open Enterprise Server...

Paul Anderson, President and CEO of Novacoast said, "Our attention is constantly focused on acquiring the best engineering skill sets and delivering those skills to the market. Our acquisition of eNvision gives us top engineering skills in identity management and Linux."

So, this is some pretty interesting stuff. You don't hear of Identity Management professional services company acquisitions every day. We've become accustomed to hearing about product companies getting acquired (there was another one, by the way...Entrust announced it's picking up Business Signatures on the 19th of this month) - but services companies haven't been having the same excitement. A few more of these, and things might start getting exciting. (At least for us!)

Technorati tags: Novacoast, eNvision, Novell, Entrust, Business Signatures

Thursday, July 13, 2006

Excellent Blog for Entrepreneurs on Fund Raising

An excellent blog I've been frequenting lately is by Jeff Bussgang. Besides the fact that he was part of some pretty large startups (Upromise) - he gives some excellent insight into the whole fund raising process. The best part of the blog is that Jeff doesn't shy away from giving numbers, percentages and the know, the questions that really matter. He also discusses the mindset of VCs and entrepreneurs, and the possible clashes that could occur. Anyhow, I'll leave you with an excerpt to give you a taste and illustrate his insight into the numbers, but you should go take a look for yourselves:

...Let’s do the math on an example to see how this plays out. Let's say an entrepreneur owns 10% of their VC-backed start-up and someone comes and offers them $100 million. Thus, they stand to make $10 million if they proceed with the sale. Let's say a VC fund owns 20% and thus will take away $20 million, but assume they’ve invested $5 million already in the company, yielding a net capital gain of $15 million. Further, let’s say the VC’s “carried interest” is 20%. Therefore, the general partners of the fund take home $3 million. Let’s say there are 6 partners that split the carry evenly – that’s $500k for each general partner...

Technorati tags: Fund Raising, Startup

Tuesday, July 11, 2006

ITIL and IDM Buzz (HP, BMC and Courion)

I just read a pretty interesting post by Archie Reed on HP utilizing identity management to align the enterprise with ITIL objectives via automation (or aligning ITIL and IdM through automation). The example he gives is self service password management.

ITIL (IT Infrastructure Library) is a framework of best-practices focused on service delivery. Perhaps that is too broad a definition, but a good place to read about it is here.

The last time I remember ITIL and IdM used together was by BMC's VP, Somesh Singh. In this article (back in December), he stated:

“Technology solutions that build and maintain an IT infrastructure are no longer sufficient. Customers now need to be able to demonstrate business value of investment in their IT infrastructure, only BMC offers a suite of solutions founded on the principles of ITIL and Business Service Management,”

Although he didn't focus on automation as Archie did, he nonetheless brought ITIL into the IdM scene. BMC claims its Identity Compliance Manager is rooted in ITIL principles, and is "a graphical dashboard to report on policy compliance." So obviously, the slant here is towards compliance instead of automation, but a relation exists nonetheless. This kind of intrigued me, so I decided to do a few searches on it, and I found that Courion is polling its clients about usage of ITIL and COBIT. From their press release on their Converge conference this year, the following quote is relevant:

"When asked about best practice methodologies their organizations are undertaking today, thirty-two percent identified ITIL while twenty-one percent identified COBIT; eleven percent identified both. When participants were asked if their organizations found ITIL or COBIT to be beneficial to their risk management, governance, and compliance initiatives, sixty-four percent were not certain about ITIL, while sixty-two percent found COBIT to be beneficial. Thirty-two percent responded that their organizations are not using a best practice methodology."

Interesting, considering they recently launched a Compliance tool and Role Management tool. It seems to me that as the market completes deployments on Password Management and Provisioning implementations, and starts making Role Management and Compliance Management a reality - ITIL and COBIT will become more relevant to the identity discussions.

Technorati tags: COBIT, HP, BMC, Courion

Monday, July 10, 2006

EMC's Justification for RSA Acquisition

According to a number of reports, EMC has been getting criticism from investors and Wall Street regarding the whole RSA buy.

EMC's Rob Sadowski explains their reasoning for purchasing RSA by describing the storage market moving towards "holistic" information management, which is accomplished by Identity Management technologies. So instead of writing their own identity tools, why not buy and beat competitors to it?

Rob's analysis holds some truth. Think about Sun's integration of their storage and identity products earlier this year.

So does this mean we will see more storage and identity companies forging relationships?

Thursday, June 29, 2006


I just posted yesterday that the M&A market in the identity space seems to be slowing down, and then POW, a huge acquisition is announced today (Over $2 Billion!!).

What does this mean?
Well for one, acquisitions are still somewhat alive in the identity market. It might be that this sets off a few more acquisitions. There are a number of boutique shops, and a number of large players with weaknesses here or there. For example, Microsoft could use a better provisioning solution, and a number of companies are weak on federation and such. So, there is room and need for acquisitions in the IdM space, although in my opinion, this would be the final round.

What does it mean for RSA and their partners? (We are, and unfortunately, this is the first I've heard about this deal). Well, in my opinion, it's a positive thing. EMC is notorious for their aggressive sales machine. They might be able to give life to RSA sales.

Also, RSA has been pigeonholed as the "keyfob guys", and they have been unsuccessful in their attempts to rebrand themselves as a holistic identity company. This might give their other products (which are pretty damn good) a chance to shine. They have a great web access management tool that has been around forever (ClearTrust), they have an SSO solution (I believe they OEM Passlogix' V-Go), and a federation product (FIM) that desperately needs some marketing attention.

Another possible positive is if EMC delivers on their promise to integrate RSA's products into their information management line of products. If this happens, in similar style to the way Oracle has been able to pull off the integration of the companies they acquired (even if only as a marketing ploy), then this is great news for RSA's product line.

All in all, a good move for RSA. As for EMC, that depends on what they do with it.


Wednesday, June 28, 2006

Identity Management Services Market

A topic of recent interest to me is the Identity Management Services Market, with forecasting and the whole nine. If you google "identity management market", or other similar searches, you'll find a few papers on the topic, although their focus is naturally on the product side of things.

Radicati, about 9 months ago, released in their analysis "Identity Management Market, 2005-2009" that the Identity Management market, including all segments -- full-suites, provisioning, secure access/authentication, and federated identity solutions -- will reach over $1.2 billion in 2005 in worldwide revenues, and grow to over $8.5 billion by 2008. I recall Jamie Lewis back at 2004's Catalyst Conference providing a progress report on the IdM market, and he described it back then as the first round of M&A activity coming to a close (I wonder where that puts us today?...haven't heard of a good acquisition lately). Anyhow, both were regarding the state of affairs of the software side of things. What about services? I'm sure the folks in Deloitte, PWC, etc. have thoroughly researched the topic - unfortunately, I'm unable to find anything directly on the matter.

Obviously, when the product market is hot, the services should necessarily follow - but that could be contingent on a number of issues. How difficult are the integrations? Are the products increasing in sophistication, thereby easing administrative and deployment burdens? Is ease of use even high on vendors' lists? If not, why, and when will it be? Lots of questions, few answers.

Anyhow, this is a topic that concerns me due to my profession, although I'm not losing sleep over it since the market seems like it's chugging along at a decent pace. What does concern me are the questions: for how long? What are the trends in various verticals regarding the selection of professional services firms for services work? How many are outsourcing their deployment and support work? How many are utilizing in-house resources? What factors are affecting decisions regarding which firms to award the bid to? I personally have answers to some of these questions based on my experiences in the market, yet a more scientific study would be welcome.


Wednesday, June 14, 2006

RSA and PassLogix in TransCanada Presentation (from Catalyst)

I just attended a really interesting presentation at Catalyst today by Martin Vant Erve of TransCanada Pipelines entitled "Implementing Enterprise Single Sign-On with Two Factor Authentication." Wow! What a great case study. Simple, honest, didn't pull any punches. The idea is pretty straightforward: a user enters his/her SecurID code, which gets forwarded to AD, which references RSA Authentication Manager; that is followed by the usual authentication against AD (under the hood), and finally the end user is authenticated and the session is sent to the client. Once that whole thing is completed, PassLogix V-Go takes over by providing the SSO piece. He had excellent analytics regarding help desk call reduction, which is often touted in front of customers. He said that help desk calls actually stayed the same, because they got new calls for issues like "I left my token at home" and questions about the newly deployed apps. Yet TransCanada considered this a win because they increased security, which is what they were after. To make the bitter pill easier for end users to swallow, they coupled it with SSO. All in all, a solid case study.


Friday, June 09, 2006

Catalyst's Session on Provisioning, "The Vortex of IdM"

The upcoming Catalyst conference has what looks like an interesting session, conducted by Burton Group's Lori Rowland, on provisioning. The following excerpt from the session description caught my eye:

Compliance and security concerns are driving provisioning solutions into enterprise customer environments; however, the sophistication of these customer deployments is lagging behind technology advancements.

What struck me was that on most deployments we've completed, a ton of "customizations" were needed in order to satisfy the customer. By customizations, I mean changes that would qualify as outright upgrade features - and I've heard similar complaints from colleagues in the field. Any way you slice it, this session is a must-see.


Saturday, June 03, 2006

Novell Taking a Beating...

This article shows Novell's continuing problems in the past quarter. Although a series of press releases by Novell attempt to paint a different picture, the numbers don't lie. I think this sentence says it all, "Cashflow from operations was a negative $24m, up from a negative $25m."

What does this mean for Novell's identity offering? Well, nothing in the article focused on their identity offering, but they are not as visible as they once were (18 months ago) in third party reports and such. Anyhow, it's something to keep an eye out for.


Monday, May 29, 2006

Notes on Laws of Identity (Part 3)

It's been a while, but I'm going to work on finishing unfinished business...

  • The definition laid out thus far is flexible enough to cover all the known digital identity systems, allowing for the emergence of a metasystem embracing multiple implementations/ways of doing things.
  • The usefulness of the claim is not inherent in the claim, but its evaluation/decision by the relying party.

The Laws (finally...):

1. User Control and Consent: Technical identity systems must only reveal information identifying a user with the user's consent. The system should also protect the user against deception, verifying the identity of any parties who ask for information, ensuring submitted information goes to the right place, and informing the user of the reason for which the information is requested.

2. Minimal Disclosure for a Constrained Use: To mitigate risk, the solution should release the least identifying information possible. This ensures there is less chance of identifying a person across multiple contexts.

3. Justifiable Parties: Information is only disclosed to those parties that have a "justifiable" place in the identity transaction. Although what exactly qualifies as "justifiable" is open to interpretation, this law does provide for a transparent transaction.

Friday, May 26, 2006

A Well Written Post on Common Virtual Directory Scenarios

Matt Flynn has written a concise post on VD scenarios... I've cut and pasted below:

Common Virtual Directory Scenarios

The discussion regarding possible uses for Virtual Directory is on-going. The following are 8 easy-to-understand scenarios for Virtual Directory in no particular order. This is by no means an exhaustive list, but I think it covers the simplest scenarios. I look forward to questions or comments.

Protocol Translation - Provide access to relational and other non-standardized data over standard LDAP and Web Services protocols without altering the data.

Web Service Enablement - Respond to identity data requests made via DSML, SPML or any other service-oriented data format (standards-based or custom).

Multi-Repository Search - Enable a single search over standard protocols to return a single clean result-set containing identity data that resides in multiple repositories in multiple formats.

Joined Identity View - Enable a search that returns a view of single identities that are comprised of data from multiple repositories. e.g.) A single user record is presented with name and phone number from the HR system and the email address from Active Directory.

Permission-Based Results - Enable a customized view into a single data universe based on which application or which user is performing the search. e.g.) Employees inside the corporate firewall see a full view of fellow employees while customers accessing an external-facing application see a reduced set of attributes and the phone number is formatted using the (toll-free + extension) format.

Dynamic DIT - Build an on-the-fly Directory Information Tree based on identity data attributes. e.g.) The application calls for LDAP views based on job title so the virtual directory dynamically presents an OU for each job title in the database and presents employees within the appropriate OU based on their job title.

Authentication - Enable pass-through authentication from a single point of entry into multiple identity data stores. e.g.) Authentication requests are directed to a single point. The Virtual Directory authenticates non-employees against a back-end Sun Directory and employees against Active Directory.

Real-Time Data Access - Provide real-time access into back-end systems. Because requests are passed to the originating data source, the search results can be as real-time as required.

Virtual Directory technologies eliminate boundaries. Hassles related to LDAP object types, attribute definitions and other schema-related issues are eliminated by virtualizing the view into the backend identity stores. You're no longer limited by the existing data format or database branding. There's no requirement to migrate the data from a relational database into an LDAP directory in order to make the data LDAP- or Web Service-
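The joined identity view, permission-based results, dynamic DIT and pass-through authentication scenarios above, as an added Python sketch of a toy virtual directory (not Matt Flynn's code and not any product's); the HR rows, AD and Sun Directory entries, attribute names and the toll-free number are all constructed sample data.

```python
"""Toy virtual directory: joined identity view, permission-based results,
dynamic DIT and pass-through authentication over constructed backends.
Everything here (backends, records, attribute names) is constructed sample
data; no real directory is contacted."""
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed "HR system" rows (relational-style), keyed by employee id.
HR_ROWS: Dict[str, Dict[str, str]] = {
    "1001": {"name": "Alice Example", "phone": "+1-555-0100", "extension": "1001", "title": "Engineer"},
    "1002": {"name": "Bob Sample", "extension": "1002", "title": "Manager"},
}
# Constructed Active Directory entries for employees, keyed by employee id.
AD_ENTRIES: Dict[str, Dict[str, str]] = {
    "1001": {"sAMAccountName": "aexample", "mail": "alice@example.test", "secret": "pw-alice"},
    "1002": {"sAMAccountName": "bsample", "mail": "bob@example.test", "secret": "pw-bob"},
}
# Constructed Sun Directory entries for non-employees (contractors, customers).
SUN_ENTRIES: Dict[str, Dict[str, str]] = {
    "c-2001": {"uid": "contractor1", "mail": "c1@partner.test", "secret": "pw-contractor"},
}
TOLL_FREE = "1-800-555-0199"  # constructed corporate switchboard number

# Attribute sets per requesting context (Permission-Based Results).
VIEWS = {
    "internal": {"id", "name", "phone", "extension", "title", "mail", "sAMAccountName"},
    "external": {"name", "mail", "phone"},
}


def joined_view(emp_id: str) -> Optional[Dict[str, str]]:
    """Joined Identity View: name/phone from HR, mail and logon name from AD,
    returned as one record without copying data between the backends."""
    hr, ad = HR_ROWS.get(emp_id), AD_ENTRIES.get(emp_id)
    if hr is None and ad is None:
        return None
    record = {"id": emp_id}
    record.update(hr or {})
    if ad:
        record["mail"] = ad["mail"]
        record["sAMAccountName"] = ad["sAMAccountName"]
    return record


def search(emp_id: str, context: str) -> Optional[Dict[str, str]]:
    """Permission-Based Results: internal callers get the full joined record;
    external callers get a reduced attribute set and a phone number rendered
    as toll-free number plus extension instead of the direct line."""
    if context not in VIEWS:
        raise ValueError(f"unknown context {context!r}")
    record = joined_view(emp_id)
    if record is None:
        return None
    if context == "external":
        ext = record.get("extension")
        record["phone"] = f"{TOLL_FREE} x{ext}" if ext else TOLL_FREE
    return {k: v for k, v in record.items() if k in VIEWS[context]}


def dynamic_dit() -> Dict[str, List[str]]:
    """Dynamic DIT: one OU per job title found in HR, employees placed beneath it."""
    tree: Dict[str, List[str]] = {}
    for row in HR_ROWS.values():
        ou = f"ou={row['title']}"
        tree.setdefault(ou, []).append(f"cn={row['name']},{ou}")
    return tree


def authenticate(username: str, password: str) -> Tuple[Optional[str], bool]:
    """Pass-through authentication: one entry point, employees checked against
    AD and everyone else against the Sun Directory. A real virtual directory
    forwards the bind to the backend; the constant-time compare on a stored
    secret stands in for that here so the sample runs offline."""
    for entry in AD_ENTRIES.values():
        if entry["sAMAccountName"] == username:
            return "AD", hmac.compare_digest(entry["secret"], password)
    for entry in SUN_ENTRIES.values():
        if entry["uid"] == username:
            return "SunDS", hmac.compare_digest(entry["secret"], password)
    return None, False  # unknown user: same shape, no backend consulted
```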

Thursday, May 25, 2006

Sun, Identity Management, and Storage

I think this is going to be huge. I place my bet that Sun's Storage market share will increase significantly because of Identity. Unfortunately I'm not a betting man.

"For example, Sun has integrated the identity-management capabilities obtained via its Waveset acquisition with its StorageTek Enterprise Storage Manager software, allowing customers to discover, monitor, report and charge-back users for storage use. The company also is adding encryption to StorageTek storage devices and providing centralized key management for data and tapes via Waveset's technology."

Monday, April 17, 2006

Federation and 'How we got here'

Eric Norlin has a wonderfully concise post on how we got where we are today in terms of federated identity. I know it's a bit dated (as far as IdM technology discussions go) - it was seemingly written in response to the confusion that arose when Higgins was released.
Note: under the heading 'SAML', when he refers to 'web access management' tools, he is referring to tools like ClearTrust, SiteMinder, Tivoli Access Manager, etc.
I think it's important to appreciate that those tools are really what paved the way for what we have today in terms of federation standards and such. Well, that and a little prodding. Nonetheless, the article gives great context to a lot of the discussions today regarding attention data, user-centric identity, and the like.

Thursday, April 13, 2006


This is an interesting article featuring some of Sun's endeavors in the region. The first line of the article states: "Sun Microsystems Middle East and Africa (MENA) has identified identity management as one of the three most significant issues facing IT management in the GCC in 2006."

The main driver seems to be the push by some of these nations to build a national ID card system. Although the legal validity of such systems is heavily contested in Europe and America on privacy grounds, the Middle East typically doesn't seem to have that problem (it's not like they're actually asking anyone for permission). The following quote is from Sun's sales manager, Jamie Bliss:

“As GCC governments consider creating national identity card schemes and businesses in the region stand to lose considerable amounts of money if information or assets fall into the wrong hands, an increasing number of regional organisations are making a centralised, self-service-enabled and affordable identity management solution a top priority in 2006."

Dubai has already deployed such a system. This looks like an area that the Middle East will gain considerable experience in over the next 2-3 years, over their counterparts in western countries.

Here is another article on the same subject, which states:
"Sun will be meeting with regional IT heads at security summits in the Kingdom of Saudi Arabia and Qatar this week to highlight the need for a federated or uniform approach to both physical and IT security."
"The Sun identity management seminars will take place in Riyadh on April 9 and Doha on April 10. "

Tuesday, March 28, 2006

Phil Windley's Article on the Challenges of Federation Deployments

This is a pretty good article outlining some of the non-technical issues facing federation deployments.

Sunday, March 19, 2006

Identity Management in the Middle East

After my recent trip to the region, and getting a chance to speak to a couple of Identity players in the UAE, I found the following article pretty interesting. I'd say they are a few years behind the US and European market in identity, but up and coming nonetheless...

Saturday, February 25, 2006

Wednesday, February 08, 2006

BMC and Identity Management for .NET

On Thursday, BMC plans to give a webinar (a three-hour one at that) on their new .NET-based Identity Management offering. At first glance, it seems to be their current IdM offering with a layer of web services over it, and perhaps a .NET toolkit of some sort to leverage it. Of course, that is a complete guess based on a few facts I gathered from reading some posts here.

Anyhow, I wonder how that plays with MIIS, AD and ADFS. Will the Microsoft folks take it?

Tuesday, January 31, 2006

Ping is launching its second product

Andre Durand's company, Ping Identity, is launching its second product (Ping Trust, I believe it used to be called Ping STS...but could be wrong) during the RSA Conference later this month.

Thursday, January 26, 2006

Seven Deadly IdM Risks

Seven Identity Management Implementation Risks
Mark G. Dixon, Jan 25, 2006

I taught a class today addressing best practices in Identity Management implementation. Part of the presentation was entitled "Seven Common Risks." I lobbied to call this "Seven Deadly Risks," but some folks thought that title was a bit over the top. Nonetheless, here are seven risky behaviors that could kill your Identity Management project.

1. Poor Pre-Project Preparation
2. Poor Requirements Definition
3. Large Initial Scope
4. Inexperienced Resources
5. Poor Project Methodology
6. Scope Creep
7. Not Using Available Support

Wednesday, January 25, 2006

Contention with Law #1?

IBM's Bob Blakely put up a post recently on the Absurdity of Owning One's Identity, where he comments on Kim's first law. Interesting stuff. He also has some really interesting insight on the topic of identity being subjective. Good read.

Sunday, January 22, 2006

Notes on Laws of Identity (Part 2)

Here is the second part of my notes on the Laws of Identity. Enjoy.

1. "Laws" in Laws of Identity should be understood scientifically - hypotheses about the world resulting from observation, which can be tested and are therefore disprovable. Laws shouldn't be understood here from a moral or legal perspective.

2. Digital Identity is defined as a set of claims by one digital subject about itself or another digital subject. A digital subject is a person or thing represented or existing in the digital realm which is being described or dealt with. Finally, a claim is an assertion of the truth of something, typically one which is disputed or in doubt.

3. Examples of claims:
  • A claim could convey the identifier. ("jdoe" is the username for John Doe)
  • A claim could assert that a subject knows a given key.
  • A set of claims might convey personally identifying data.
  • A claim could propose that a subject is part of a certain group.
  • A claim could state that a subject has a capability.
4. Our definition leaves the evaluation of the usefulness (truthfulness) of the claim to the relying party (the party to which the claim is made). Evaluation of a digital identity thus results in producing claims again. Matters of trust, attribution and usefulness can then be factored out and addressed at a higher layer in the system than the mechanism for expressing digital identity itself.

Saturday, January 21, 2006

Notes on Laws of Identity (Part 1)

1. Problem Statement: Since there is no identity layer on the internet, various "identity one-offs" emerged to fill the gap. This has led to two problems: (a.) No consistent comprehensible framework allowing users of the internet to evaluate the authenticity of the sites they visit (b.) Lack of a framework for controlling many aspects of their digital existence.

2. Phishing and pharming are two of the fastest growing segments of the computer industry, thereby threatening people's trust in using the internet ...thereby limiting the potential of the internet. One huge loss would be being prevented from reaping the benefits of web services.

3. It's hard to add an identity layer to the internet because digital identity is related to context, and the internet is experienced through a thousand kinds of content in at least as many contexts. So the many attempts to add a "layer" in fact work great for a specified set of contexts, but not for other contexts.

4. Therefore, the emergence of a single simplistic digital identity solution as a universal panacea is not realistic. The diverse needs of many players demand that we weave a single identity fabric out of multiple constituent technologies.

5. This is going to be damn tough, but history has proven that things like this are achievable. Two examples: (a.) Way back when, apps had to be "aware" of specific hardware and code "to it". Over time, a software layer emerged to abstract the specifics of a given piece of hardware. Device drivers enabled interchangeable hardware to be plugged in as required. Hardware became "loosely coupled" to the computer. (b.) Way back when, apps had to be "aware" of specific network devices. Add a layer of abstraction and voila! TCP/IP allows apps to work without knowing a darn thing about the underlying systems (Token Ring, Ethernet, blah blah). We now "add" wireless to the mix, and no apps break! Great stuff.

"Notes" IdM Papers

I've decided to dedicate some time to write "notes" or reviews of some well-known white papers on identity management that focus on the laws or theory of IdM. Here is the list of papers I'm going after:

1. Laws of Identity, Kim Cameron
2. Microsoft's Vision for an Identity Metasystem, Kim Cameron
3. Introduction to the Persona Model, Radovan Semancik
4. Enterprise Digital Identity Architecture Roadmap, Radovan Semancik

After these, I'll work on publishing some notes on my following areas of interest:

1. SAML 2.0 Spec
2. WS-Fed Spec
3. LID
4. XDI/XRI and i-Names

Let's see if this ever happens. Hopefully it does.

Sunday, January 08, 2006

MIIS and TDD (part 2)

So, from the last post.
It's obviously important to have version control.
But it's just as important to have test cases. And whenever there is a decently large system, it's important for the test cases to be automated. (After you've wasted half a day or more manually running through test cases, you really begin to appreciate a 10-minute automated test run.)

How should test cases be written for MIIS? To answer this question, we gotta think a little bit about the differences between an MIIS deployment and software development. We've done a bit of thinking around the similarities, which is great. But the differences will give us a clearer understanding of how to approach writing test cases for MIIS. The next posts should cover these differences.

Thursday, January 05, 2006


TDD (test-driven development) is an approach to coding where test cases drive the code. What that means is that you write a test case for your code, then code to make the test case pass. An example is a (math) addition method. So, you have a math class of some sort that does simple addition, and you want to test it. Your test case takes 2 and 3, and using the addition method from your class, you should get 5.
First comes your test case. It fails because you haven't really written the code that does it yet. Then you code to make the test case pass. That's the crux of it. The benefit is that when you have a whole lot of code and don't remember what does what, you can, let's say, refactor and run all of your tests again. If they all pass, then the refactoring effort was done well and didn't change the way your code works.

So...what does this have to do with MIIS? In complex MIIS deployments, data flows can get so complex that you don't really remember what does what. You could develop a whole lotta helper classes that your rules extensions use. At some point in time, you decide to make a few changes for a new IAF, for example, and all of a sudden your provisioning logic breaks. Whoops!

But you already put it into production! Now what? Hmmm...

more on this later.
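The scenario described in this post and in "MIIS and TDD (part 2)" above, as an added Python sketch that is not MIIS code (MIIS rules extensions are C#): a constructed import attribute flow, a provisioning rule that depends on it, a regression suite of constructed HR records, and a "small" IAF change that the suite catches before it reaches production.

```python
"""Regression tests around identity data flows, in the spirit of the post
above. Not MIIS code: the attribute names, flow rules and HR records are
constructed for illustration."""
from typing import Callable, Dict, List, Tuple

CsEntry = Dict[str, str]  # connector-space object as a flat attribute map
MvEntry = Dict[str, str]  # metaverse object built from it


def import_attribute_flow(hr_record: CsEntry) -> MvEntry:
    """Constructed IAF: map HR connector-space attributes onto the metaverse.
    Status is normalised here so downstream rules can compare it reliably."""
    mv = {
        "employeeID": hr_record["EMP_ID"],
        "displayName": f"{hr_record['FIRST']} {hr_record['LAST']}",
        "employeeStatus": hr_record["STATUS"].strip().upper(),
    }
    if hr_record.get("TERM_DATE"):
        mv["terminationDate"] = hr_record["TERM_DATE"]
    return mv


def should_provision_ad(mv: MvEntry) -> bool:
    """Constructed provisioning rule: only active, non-terminated employees
    get an AD account. It silently depends on the IAF's normalisation."""
    return mv.get("employeeStatus") == "ACTIVE" and "terminationDate" not in mv


def export_attribute_flow(mv: MvEntry) -> Dict[str, str]:
    """Constructed EAF to AD: derive sAMAccountName (first initial + last name,
    lower-case, 20 chars max) plus display name and employee id."""
    first, last = mv["displayName"].split(" ", 1)
    return {
        "sAMAccountName": (first[0] + last).lower()[:20],
        "displayName": mv["displayName"],
        "employeeID": mv["employeeID"],
    }


# Constructed regression cases: (HR input, expected provisioning decision,
# expected sAMAccountName when provisioned).
CASES: List[Tuple[CsEntry, bool, str]] = [
    ({"EMP_ID": "1001", "FIRST": "Alice", "LAST": "Example", "STATUS": "Active"}, True, "aexample"),
    ({"EMP_ID": "1002", "FIRST": "Bob", "LAST": "Sample", "STATUS": "Active",
      "TERM_DATE": "2006-01-31"}, False, ""),
    ({"EMP_ID": "1003", "FIRST": "Carol", "LAST": "Leave", "STATUS": " leave "}, False, ""),
]


def run_regression(flow: Callable[[CsEntry], MvEntry] = import_attribute_flow) -> List[str]:
    """Push every case through IAF -> provisioning rule -> EAF and return a
    description of each mismatch; an empty list means the flows still agree
    with what the business expects."""
    failures: List[str] = []
    for hr, expect_prov, expect_sam in CASES:
        mv = flow(hr)
        got = should_provision_ad(mv)
        if got != expect_prov:
            failures.append(f"{hr['EMP_ID']}: provision={got}, expected {expect_prov}")
            continue
        if got:
            sam = export_attribute_flow(mv)["sAMAccountName"]
            if sam != expect_sam:
                failures.append(f"{hr['EMP_ID']}: sAMAccountName={sam}, expected {expect_sam}")
    return failures


def import_attribute_flow_v2(hr_record: CsEntry) -> MvEntry:
    """A plausible 'minor' IAF change: pass STATUS through untouched for a new
    report. It breaks provisioning for every record whose status is not
    already upper-case, which the regression suite reports immediately."""
    mv = import_attribute_flow(hr_record)
    mv["employeeStatus"] = hr_record["STATUS"]
    return mv


if __name__ == "__main__":
    print("current flow:", run_regression() or "all cases pass")
    print("after IAF change:", run_regression(import_attribute_flow_v2))
```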

Wednesday, January 04, 2006

MIIS Deployments vs. Software Development (Part 4)

Another similarity:

Refactor-ability. Not sure if that's a word. Basically, a "modular" design that allows for changes in business logic that won't lead to redesigning the entire system.
Now, using the word "modular" when it comes to data flow in MIIS seems a bit odd. But there are design considerations that lead to a "flexible" system that allows for changes in business logic without breaking everything.

SO. I think i'm going to quit at part 4.

European Laws - and Identity

Tuesday, January 03, 2006

MIIS Deployments vs. Software Development (Part 3)

Both MIIS Deployments and Software Dev are iterative processes focusing on client satisfaction. Well, most (if not all) consulting work is client-centric, but MIIS and Software dev are from another perspective.

They both have a specific end product, and the client will (typically) know right away whether he/she is satisfied or not. For example, a client using a web app aimed at managing site content will know right away if the site suits their needs. After a day or two of use, client satisfaction will become obvious to the consultant. There will either be praise or blame. The same goes for MIIS deployments. If users are not being appropriately provisioned, there will be complaints. Usually, the day after going live. :)

So, there is, yet another, similarity between MIIS and Software dev.

Radovan Semancik's Identity Management Predictions 2006

Identity Predictions for 2006 and beyond

The beginning of a new year is usually a time for planning and predictions. I allowed myself a little fun to make these predictions (and hopes) about the "identity" technologies.

1: "Identity" becomes mega-buzzword. Every other company will be "identity-focused". More and more products will be "identity-enabled". You will hear more about "identity" in mainstream media. And most of the people (including those in "identity-focused" companies working on "identity-enabled" products) will know absolutely nothing about what this "identity" is all about. The "identity industry" will be hyped. The stock prices will rise too high to be realistic. Many startups and acquisitions. Some really valuable, most of them average, and some just empty shells with good marketing. As usual.

2: Many "identity" mistakes happen, but it will take a while for them to be seen. It will become apparent that "user-centric" identity is not that easy. Not many of the "identity folk" will ever admit it, but they will know, sooner or later. The naive global (URL-based) "identity" systems will proliferate for a while, but (hopefully) not for long. Most of the current "user-centric identity" systems will need to be redesigned, limited to a specific purpose or will just die. Maybe not in 2006, but they may eventually face the fate of X.509. We need to see at least one more generation of "identity" systems to get something really usable. A similar situation will be seen in the real world. Many "national ID" and "national database" systems will be proposed only to learn that the technology or the approach is not yet good enough. If you ask me who will "win" on the Internet, I think that it would be something based on WS-Trust. Or maybe something similar to WS-Trust that can be used both over SOAP and REST. But that will not be apparent in 2006. And I think (a hope again) that the "claims" will be SAML-based.

3: More client-side identity implementations will be seen. As of today, we have almost exclusively seen only pure-web server-side "identity" solutions. As the technology starts to mature, we may see more client-side support for "identity". Microsoft "identity selector" (InfoCards) and the Liberty-Enabled Client Profile are the first signs, but I believe there will be more activity. Maybe the Mozilla community will be drawn to "identity". Or maybe we will see the first "identity selector" for Linux?

4: Enterprise Identity Management will spread through Europe. This one is more a hope than a prediction. European companies are quite late adopters of Enterprise Identity Management technologies. I think that it will change, but the change will be quite slow (especially here in Central/Eastern Europe). There will be a bit more "identity" projects in 2006. But the hype wave will come with full strength in the following years, powered by regulations such as Sarbanes-Oxley or EU auditing rules.

5: Spam, phishing and pharming will get even wilder. This is a safe bet. Nothing can be done to help in this area given current technology and only one year of progress. Spam will continue unhindered, heuristic methods being the most effective. The community will start to design the replacement for SMTP, which will be based on identity and social networking. It will not be seen as an SMTP replacement at first, but will evolve to that. The phraud will move on beyond its current primitive techniques. Phrauders will find advanced methods, like putting pharming functionality into viruses and worms. Strong auth will help a bit, but will not stop the most sophisticated attacks.

6: Strong authentication will get integrated with "identity". Authentication and "identity" may not be the same, but they cannot be seen as separate. Authentication companies will look at "identity" technologies as a way to sell more of their products. And the authentication products will commoditize. Maybe it will not happen in 2006, but we will eventually buy SecurID tokens in hypermarkets.

7: We will see attacks targeting legacy "trust" mechanisms. Ever seen the list of "trusted" certificate authorities in your browser? Ever wondered how difficult it is to get a false certificate from any of these authorities? Well, I expect that someone will try and succeed. There was not much motivation yet, as it was easier to steal a password. But once strong auth is here, man-in-the-middle attacks will be popular again. And given the cumbersome and not-much-functional revocation mechanisms of X.509 implementations, these attacks may get pretty effective. The year 2006 will be long over when people finally realize that authentication must be mutual, not only one-way, and that "strong auth" is not a panacea.

More on my previous post: what are the similarities?
A lot. I'm not going to let them all out in one shot. Little by little. So I have an excuse to have more posts. The honest truth is...I don't know if I have all that much to say. So, I'll have to spread it out over a lot of posts.

OK. A similarity: Both have business logic. In this sense, it's not like network design/arch.

Monday, January 02, 2006

MIIS Deployments vs. Software Development

Since this is an IdM blog, I'd better start doing some IdM blogging.

OK - here is where I go tech:
MIIS deployments are not your typical middleware type deployments.
So there.

More on this later.