Friday, September 07, 2007

Open Source Provisioning - VELO!

Earlier this week, Jim Yang and the open-source IdM folks at Safehaus released Velo, an open source provisioning solution. These are the same guys who developed Penrose, an open source virtual directory product.
So, for all those asking for an open source solution in the provisioning space, here it is! And unlike other projects that make claims but offer nothing to download and play with, Velo is readily downloadable at SourceForge.
Very very cool beans.

Wednesday, September 05, 2007

On Gartner's Provisioning Report, Notes and Inquiries

Gartner's User Provisioning report came out a few weeks back. I had a few questions/thoughts about it.

The first is the notable addition of Novell and Courion to the leaders' quadrant. Courion's addition is especially interesting, as it's now the only boutique in the leaders' quadrant, which says a lot about their product and market presence. The fact that they could play with the big boys is notable, and I've seen a lot of clients asking more about their products lately.

The second point is more of a question. When speaking of Sun, they state that Sun "...also has a strategic commitment to open source, with open-source versions of its user-provisioning software...". Is that true? I haven't heard of it. I did blog previously about openptk, but as I mentioned, that's not an open source version of Sun's provisioning application, but rather a toolkit. So what's the deal? Am I missing something, or did the folks at Gartner goof?

Saturday, July 28, 2007

Open Source Provisioning!!!...toolkit

I've been having a few conversations with colleagues about the absence of an open source solution for automated provisioning (keep an eye out here...something cool to come out soon), and then today, I made my way to the openptk website.

Now, I know that these guys don't have an actual provisioning solution, but rather a toolkit of APIs, web services, HTML taglibs, etc. that plug into existing provisioning solutions. Unfortunately, there isn't a lot of info on their site, but it's absolutely intriguing. Affiliations aren't hidden: all three contributors are Sun employees, and their site clearly says: "The architecture supports several pluggable back-end services including Sun's Identity Manager, Sun's Access Manager and LDAPv3."...but theoretically, this could plug into any provisioning solution, or am I being too optimistic?

IdM Processes...Existing vs. Future

Corbin Links put together a thought provoking post the other day on identity management implementations, and how companies are looking for a magic tool that could resolve their identity management woes, when they should primarily be focusing on their processes.

"Don’t start with the tool. Don’t start with even thinking about vendors. Don’t think “gee, now that we have fully committed to Identity and Access Management we will just outsource the whole thing, and a third party will take care of our business process for us.” Instead, make the commitment to work through processes. Don’t worry yet about higher-level tasks such as “role engineering” and “compliance baselining.” If you start there, chances are it will not be worth the paper it’s printed on by the next fiscal quarter. Instead, collect processes. Start with “business snippets” and work up from there."

This got me thinking of a conversation I had with a few folks who are part of the professional services arm of an IdM vendor (although this may not be what Corbin was hinting at); one of them was educating me on how they engage a client on an IdM project. His advice: don't waste too much time on their existing processes, because they are going to change anyway.

I suppose this advice works (and even then, only partially) for a company that is willing to completely change its existing processes based on advice given by a few individuals who probably know little to nothing about its business, and I can't imagine there are many of those.

One notable exception is the companies in the SMB market. My definition of an SMB company from an identity perspective is one that lies between 200 and 2000 (perhaps that's a little generous). There are many companies in this space that have the regulatory pressures, but are typically flexible enough to change their processes to "template processes".

Nonetheless, for companies that don't fall into this category, regardless of size, the question is: what are the inherent dangers of glossing over existing processes and focusing most of the attention on future processes? Perhaps missing some of the "must-haves" in the new processes, but not necessarily. With that being said, time for a be continued?

Monday, July 02, 2007

Apple's New Product (not the iPhone) the iPhone. Love it, but getting used to the keyboard.

So - Apple is already launching new products...take a look.

Am I obsolete already?

Thursday, June 21, 2007

On Anonymity

Federation Woes

TechTarget has an insightful article on the difficulties surrounding federation and its ability to penetrate the market. A lot of the content arises from Burton Group's Neuenschwander and his work on the topic. Neuenschwander eloquently sums it up: "Businesses have inescapable constraints and markets are brutally pragmatic."

Very true. In my experience, companies that may have a business need to manage authentication and authorization for externally facing apps more effectively with specific partners, BUT don't view it as absolutely critical for their business, will opt not to deploy federation for two reasons:

1. The invasiveness of the technology vis-a-vis the partner's environment, i.e. the requirement of deploying a federation server in the client environment.
2. The legal ramifications involved as to liability and data ownership ("who owns the data associated with various identities and who has the final say when the data doesn’t agree") ... Phil Windley has written some interesting points regarding this.

I've dealt with a number of companies that were very interested in the technology, but decided to go with other, less elegant solutions because of the complications involved with these two concerns. On the other hand, when the business case is strong enough - federation is a wonderful solution.

A few years back, when I got interested in federation, I was very impressed and was looking forward to helping federate the world. Unfortunately, it didn't turn out that way. As Neuenschwander stated... "the world isn't as it is in developers' dreams...businesses have inescapable constraints and markets are brutally pragmatic."

Wireless Sour Grapes

Verizon CEO: "We need to let iPhone hit the market and see what the reaction is," Seidenberg said. "It doesn't change our game plan. The burden is on [AT&T and Apple] to see if the market will change."

Burden on AT&T? Verizon could lose a million subscribers, they've lost the innovation battle (Prada?), and it seems that they'll be content with a healthy second place. How's that for leadership?

Tuesday, May 08, 2007

Thoughts on Rapid Identity

An interesting quote I pulled off of Mark Dixon's Identity Trends Presentation from JavaOne.

“I have recently noticed customers more willing to adapt their business process to out-of-the-box capabilities and industry best practices. There seems to be a large shift in maximizing costs and conforming to standards based provisioning. If this trend continues to thrive, average implementation costs and maintainability will become more palatable for customers looking to get the most out of their phased identity deployments.”
- Robb Harvey

Well said. Also, here are some points from Mark:

• Template-driven rapid implementation methods will be used to reduce Identity Management implementation time and cost.
• Best practices captured in rapid deployment tools will allow enterprises to minimize customization and increase system effectiveness.
• Rapid implementation tools will allow Identity Management systems to be deployed in smaller enterprises.

It's an interesting notion for business processes to morph to templates. I recall when I first started in the identity space, that was the battle we would try to win. We never did. Processes, however warped they might have been, would for the most part remain the same, and we would architect the identity solution around them. Regarding the SMB market, I would have to agree that they are definitely more flexible...but the template approach is extremely difficult for me to envision coming to fruition. Even with our iRim product (Identropy Rapid Identity Management), our prepackaged workflows end up going through some rigorous tweaking before clients are happy. But I must admit that there is an inverse relationship between the size of our library and the amount of tweaking we do.

Wednesday, April 11, 2007

Kerberos, a la Shakespeare

I just read an excellent Kerberos primer in the form of a play, complete with Dramatis Personae and Scenes. Athena and Euripides exchange thoughts on open network environments and validating identities. Identity was relevant back then just as it is's a small excerpt:

Euripides: Your workstation system sounds really good Tina. When I get mine, you know what I'm going to do? I'm going to find out your username, and get my workstation to think that I am you. Then I'm going to contact the mail server and pick up your mail. I'm going to contact your file server and remove your files, and--

Athena: Can you do that?

Euripides: Sure! How are these network servers going to know that I'm not you?

Athena: Gee, I don't know. I guess I need to do some thinking.

Euripides: Sounds like it. Let me know when you figure it out.

Monday, April 09, 2007

More IdM Services Company Acquisitions

Two more, to be exact...the first is our very own Identropy, which has reached an agreement to acquire Earthling Security. Although Earthling is more of a general security company, IdM was the major part of the reasoning for the acquisition.

Secondly, a press release today stated that ProtechT was acquired by Integralis. The Integralis CEO stated:

"With this acquisition, Integralis' portfolio will be expanded by ProtechT's extensive knowledge in identity management and its expertise in multi-modal biometric and smart cards."

According to ProtechT's website, it also seems to be a general security company. In fact, it describes itself as an "Information Technology Security" company. Nonetheless, the acquiring company's stated reason for the acquisition was identity, according to the quote above. These two acquisitions add to Sun's Neogent acquisition from last year, as well as Novacoast's eNvision acquisition and Secured Services, Inc.'s acquisition of Cybrix Corporation's Identity Management PS team. Perhaps this is an indication of further maturation in the Identity Management M&A game?

Thursday, March 29, 2007

Am I Cut Out for a Startup?

I just read a great post by Paul Graham of Y Combinator entitled "Why to Not Not Start a Startup", which I found through Phil Windley's blog. Y Combinator does really modest seed funding for entrepreneurs (usually less than 20k). Paul says:

So I'm going to list all the components of people's reluctance to start startups, and explain which are real. Then would-be founders can use this as a checklist to examine their own feelings.

He also gives feedback from their first investments back in the summer of 05. Out of 8, 4 were successful - and all that in under 2 years! Not bad.

Tuesday, February 27, 2007

Burton Group Tips Off IBM Scientist About Microsoft AD Patent Violation

I was taken aback by an article I read today about a former IBM scientist, William Reid, who claims that he created the "technology" behind Active Directory and that he owns the patent behind it. What's the next logical step for Mr. Reid?!

Of course...sue Halliburton! And not for the obvious reasons Halliburton should be sued, but because their Identity Management system is based on it. Pretty interesting logic there, Bill! Using that logic, you could sue almost every company out there...go sue GM and Charles Schwab while you're at it. Too late...he already did.

The most bizarre aspect of the story is that he got the 'tip' from Catalyst!

In an interview, Reid, who says he worked on artificial intelligence for IBM from 2000 to 2002, says he determined that GM, Schwab, and Halliburton were violating his patent after visiting a trade show. Reid says he watched presentations by IT officials from the companies while attending the Burton Group's Catalyst conference.

There's nothing quite like a disgruntled, clueless IBM scientist. (No offense to the happy IBM scientists out there.)

Monday, February 26, 2007

Oracle's Donation

Earlier this month, Oracle announced that it would hand over the Identity Governance Framework (IGF) to the Liberty Alliance. IGF is an interesting framework composed of CARML, AAPML, an API and an identity attribute service. This is the very high-level version of what I understand...

CARML (Client Attribute Requirements Markup Language) is an XML document that a developer writes to let others know about the 'data needs' of their app; for example, my app needs attributes A, B and C. (A good use of a CARML doc is for identity services, which can tell apps what info they could give them.)

AAPML (Attribute Authority Policy Markup Language), on the other hand, is a document that goes with the data sources. With it, a data source can place constraints on how its data is to be used. It's a profile of XACML 2.0 and can be used by a policy enforcement point (PEP) to do its job (although it has the added feature of requiring the PEP to check whether user consent has been obtained).

IGF also comes with specs for a client API.

What was really cool is the industry's appreciation of Oracle's move:

"We're very pleased to see that Oracle has submitted the Identity Governance Framework to the Liberty Alliance," said Don Bowen, director of Identity Integration for Sun Microsystems, Inc. "Sun believes Liberty is well suited because of its business and technical experts from all verticals, including government. Its work in the area of data privacy is not only valuable, but essential."
— Sun Microsystems, Inc., Don Bowen, director of Identity Integration

"Novell welcomes Oracle's contribution to the Liberty Alliance. We continue to look forward to working with Oracle and the other leaders in the identity management market in the development of an open identity framework."
— Novell, Inc., Nikols, vice president, Product Management Identity and Security

"CA is supporting the Identity Governance Framework to help customers more easily protect personal data across their disparate systems and applications," said Andy Rappaport, Architect, Identity and Access Management at CA. "We look forward to working with the Liberty Alliance, Oracle and others to develop practical, adaptable XML-based specifications that simplify the creation, enforcement and management of identity security policies."
— CA, Andy Rappaport, Architect, Identity and Access

It's great when everyone can play nice.

Monday, February 19, 2007

On Justifications

"We fly 30 million people a year. Ten thousand were affected by this."

- David Neeleman, CEO of JetBlue

Wednesday, February 14, 2007

On Innovation

“Innovation is trying to figure out a way to do something better than it’s ever been done before."
- David Neeleman, founder and CEO of JetBlue

Saturday, February 10, 2007

I'm a sucker for VCRs

T-Mobile AMEO, please come to America.

Saturday, January 13, 2007

Advice for IT Startup Founders

Dharmesh Shah from has some advice for IT Startups. I've pasted them below for your reading pleasure:

17 Pithy Insights For Startup Founders
  1. Seek transparency and understanding with your partners early. Issues get harder as time passes.
  2. Startup founders work long hours for a reason. There’s more work than there are people. If you’re seeking balance, seek it elsewhere.
  3. Bad customers will drain you of passion. Really bad customers will drain you of both passion and profits. Unfortunately, most bad customers will degenerate into really bad customers if you don’t do something about it.
  4. If you’re changing direction often, worry a little. If you’re changing people often, worry a lot.
  5. It’s lonely at the top, but even lonelier at the bottom. In the early days of a startup, hardly anyone wants to talk to you (except some desperate vendors).
  6. Eventually, your product will need to work and do something useful. No amount of marketing or strategy will get you around this.
  7. At the end of each day, ask yourself: “Did the product get better for customers today?”. If you don’t have a good answer, stay up until you do.
  8. Until you are profitable, time is working against you. Once you are profitable, time is on your side.
  9. Learn to take calculated risks. The market rarely rewards safe bets.
  10. To improve the quality of your output, improve the quality of your inputs. Read, converse and connect with the right people.
  11. Force yourself to write, as it will force you to think.
  12. At least once every year or so, your startup will almost die.
  13. The problem you solve should be ugly. The solution you build should be beautiful.
  14. Even the most successful startup ideas had 100 reasons not to pursue them. There is no perfect idea.
  15. If the pain doesn’t kill you, it just hurts a lot.
  16. You choose your destiny, because you choose your team.
  17. Be who you are. Do what you love. Join people you like.

Tuesday, January 09, 2007

Learn OpenID in 5 minutes!

Simon Willison has posted this screencast with a demonstration of how OpenID works. Nicely done. I wish there were one for Infocards. Then I could write a blog entry called "Learn Infocards in 5 minutes!" Kim? Is there already one?

What's this Role Management stuff about?

I read a press release today about a Role Management company called Vaau. Vaau first caught my attention back in March, when Gartner identified them as a "cool vendor". I'm sure the company name helped out, but the main reason for the honor seems to be the ability of their product RBACx to perform attestation at the user level rather than the role level (which seems like an obvious must-have for a role management product, although some "role management" vendors might disagree). Anyhow, today's press release was regarding a strategic partnership they struck with Sun. Seeing that there are more than a few vendors joining this space, I'd like to write a few entries about the field: typical product features, general philosophies/approaches to role management, sushi, and some of the vendors (off the top of my head, Eurekify, Bridgestream, Vaau, Courion, BHold, etc.).

The first place to start is what role management is all about. Using the latest technical jargon, a role is a grouping of things that need privileges to do stuff to other things. So it follows that role management is the management of what I just said. The main driver is usually access management, hence the term RBAC (role-based access control). The idea is that it's easier to manage roles than individual privileges. (Of course, compliance is a driver as well.) Sometimes that doesn't work out as planned. It's not unheard of for clients to complain that they ended up with more roles than people in their organization, which sort of defeats the purpose, especially if your role memberships are only people.
So the next post: typical product features in a role management app.
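To make the three ideas in this post concrete (roles bundling privileges, attestation reviewed per user rather than per role, and the "more roles than people" failure), here is a small added RBAC model in Python. It is illustration written for this page, not RBACx or any vendor's code; every role, user and privilege in it is constructed.

```python
"""Toy RBAC model: users get privileges only through roles, a reviewer can
attest per user (effective access, with the conveying role shown), and role
explosion is flagged when roles outnumber the people they are meant to simplify.
Constructed example; names and data are made up for this page."""
from collections import defaultdict


class RbacModel:
    def __init__(self):
        self.role_privs = defaultdict(set)   # role -> {(resource, action)}
        self.user_roles = defaultdict(set)   # user -> {role}

    def grant(self, role, resource, action):
        """Attach a privilege to a role (roles are the only grant target)."""
        self.role_privs[role].add((resource, action))

    def assign(self, user, role):
        if role not in self.role_privs:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles[user].add(role)

    def effective_privileges(self, user):
        """Union of the privileges of every role the user holds."""
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_privs[r] for r in roles))

    def is_allowed(self, user, resource, action):
        return (resource, action) in self.effective_privileges(user)

    def user_level_attestation(self):
        """Per-user view for an access review: each effective privilege mapped
        to the role(s) that convey it, so a stale membership is visible."""
        report = {}
        for user, roles in self.user_roles.items():
            entries = defaultdict(set)
            for r in roles:
                for priv in self.role_privs[r]:
                    entries[priv].add(r)
            report[user] = {priv: sorted(rs) for priv, rs in entries.items()}
        return report

    def role_explosion(self):
        """Return (role_count, user_count, roles with at most one member).
        A role held by one person or nobody saves no administration."""
        members = defaultdict(set)
        for user, roles in self.user_roles.items():
            for r in roles:
                members[r].add(user)
        thin = sorted(r for r in self.role_privs if len(members[r]) <= 1)
        return len(self.role_privs), len(self.user_roles), thin


def build_sample():
    """Constructed data: 5 roles for 3 people, two roles with nobody in them."""
    m = RbacModel()
    m.grant("payroll_clerk", "hr_db", "read")
    m.grant("payroll_clerk", "payroll", "submit")
    m.grant("payroll_approver", "payroll", "approve")
    m.grant("helpdesk", "ad", "reset_password")
    m.grant("exec_override", "payroll", "approve")   # one-off role, unused
    m.grant("legacy_role", "mainframe", "login")     # nobody holds it any more
    m.assign("alice", "payroll_clerk")
    m.assign("bob", "payroll_approver")
    m.assign("bob", "helpdesk")
    m.assign("carol", "helpdesk")
    return m


if __name__ == "__main__":
    model = build_sample()
    roles, users, thin = model.role_explosion()
    print(f"{roles} roles for {users} users; thin roles: {thin}")
    for user, privs in model.user_level_attestation().items():
        print(user, privs)
```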

Friday, January 05, 2007

Become Rich: Use a Business Model!

I found this excellent blog yesterday by Alex Osterwalder. For those of you who are clueless (like me), start here: What is a Business Model?
And find out why it's important.
Then work your way to the Business Model Template.
Then use it to make your very own.
Now the last and final step. Execute.

Wednesday, January 03, 2007

Why Use Cases Should Matter in Identity Deployments

In a comment to a previous blog entry, where I attempt to make the case for Use Cases in Identity Management integration efforts, James McGovern comments:

"First, many folks in the IDM space don't really understand how to create use-cases because it is not a traditional business-oriented scenario.

Second, the importance of getting a PM has to be not on internal nor external but someone who has walked the path before. This is pretty difficult to find even amongst the vendors themselves."

Focusing on his first point, I'd have to agree: use cases really come from the software engineering world (I believe they originated with one of the three amigos, Jacobson). Wikipedia has a terse description of what a use case is:

In software engineering, a use case is a technique for capturing the potential requirements of a new system or software change. Each use case provides one or more scenarios that convey how the system should interact with the end user or another system to achieve a specific business goal. Use cases typically avoid technical jargon, preferring instead the language of the end user or domain expert. Use cases are often co-authored by software developers and end users.

In my opinion, the software engineering world has a lot to offer the identity integration world. Software engineers (and I use that term broadly) typically have a lot more interaction with business users than back-end integration folks. Figuring out how to efficiently produce software that the client wants/needs has been at the center of decades of discussions surrounding dev processes and methodologies. The integration community, on the other hand, is usually less focused on customer satisfaction and more on making processes work efficiently and reliably. With the advent of identity integrations, the level of interaction with business users has increased significantly. Many steps within the process of integrating an identity platform necessitate interaction with business users, such as mapping business processes and ultimately optimizing them (and the various touch points end users will have with them, for example in provisioning workflow), as well as user interaction with password management systems, ESSO, etc. I do agree that some components of an identity platform may be invisible to the user, but typically the user will have at least indirect contact with it. (For example, in a metadirectory solution, a self-help name change in an HR data repository might result in a display name change in their e-mail address or the name that appears on a phone handset.)

Identity integrators usually come from sysadmin-type backgrounds and (even those who have done an identity implementation or two) might not have the disciplines a software engineer would have for delivering a solution that the client is pleased with. (Even worse, many PMs for identity projects that I've met don't seem to have much PM experience to begin with, or might be a sysadmin who successfully ran an Exchange upgrade.) The result is what Mark Dixon described as the seven deadly risks, outlined below:

* Poor Pre-Project Preparation
* Poor Requirements Definition
* Large Initial Scope
* Inexperienced Resources
* Poor Project Methodology
* Scope Creep
* Not Using Available Support

The solution might lie in borrowing software engineering processes that would be helpful in initial preparation and scoping of an identity project, as well as ensuring that an iterative process results in happy business users.

To be continued...

Monday, January 01, 2007

Jackson Shaw is Blogging

Jackson Shaw from Quest is blogging. Jackson previously worked for Microsoft, where he was Product Manager (I believe) of MIIS. Since then, he joined Vintela, which was acquired by Quest. Quest now has its own portfolio of identity products, ranging from the cool SSO stuff Vintela was doing between Unix and Windows to password management, audit tools (including what they call 'cross platform identity auditing', which sounds really important), and provisioning.

Jackson's blog is self-described below:

"Jackson's comments, commiserations, confabulations and simplifications on identity management and Microsoft's Active Directory all based on his continuous "reality tour" of meetings with customers, ISVs and Microsoft."

What does commiseration mean?

Definitions of commiseration on the Web:

  • a feeling of sympathy and sorrow for the misfortunes of others; "the blind are too often objects of pity"
  • condolence: an expression of sympathy with another's grief; "they sent their condolences"

Got it. Regardless, I think Jackson will have some pretty insightful blog entries regarding the identity topic. Go check him out here.