IDaaS, Identity Services, SaaS-ish Identity, Whatever

Thanks Matt, for yet another wonderful term.
I think we've got to settle on some terms here. I recall a presentation by Earl Perkins of Gartner some time back distilling the distinct notions that are all referred to as "Identity Services." According to Mark Dixon's recap of Lori Rowland's presentation at Catalyst this year (I didn't get to go, and no, I'm not bitter), "Burton has encouraged Fischer to "give back" the "Identity as a Service" term to the industry." Anyhow, putting that problem on the side for now, I think Matt was referring to what the industry seems to be settling on as Managed Identity Services. I like Andrew Cser's breakdown, which refers to it as as an offering where "...a Managed Service Provider (MSP) provides on-site or off-site services to the customer, such as provisioning, directory management, or operation of a single sign-on service."

In Matt's post, he states,

"I don't think security or reliability is a good argument against buying into IdM as a service. Data can be encrypted. Admin activity can be monitored. Redundancy can be built-in."

Well said, Matt. Even a completely hosted solution like Symplified (which is a true SaaS offering - as opposed to Matt's SaaS-ish), can get around the security concerns, and even claim that they'll do a better job at it.

"The Symplified Identity Cloud combines a highly scalable grid architecture with massively multi-tenant design, and is housed in a secure SAS 70 Type II data center. This level of security is unmatched by mid market enterprises and many of the world’s largest organizations."

"The Identity Cloud resides in a hardened data center with enterprise-class security monitoring and defenses. A virtual private LDAP directory and 256-bit AES encryption secures credentials."

So, theoretically, the technology is there for security. But in my experience selling Managed Identity Services, the biggest concern is that customers are just not comfortable "outsourcing" the business processes that are so intrinsically tied and specific to their corporation. A SaaS model wouldn't necessarily face this hurdle, although a managed services model would. Customers still want to be involved somehow, but can't clearly elucidate why. In my opinion, the reason is more emotional that rational. The market just isn't ready, emotionally, to completely outsource the management of their IdM systems. The whole thing seems so tied to their environment, to their business processes, that handing the management over to a third party just feels wrong.

Ian Yip has some interesting insights into this point:

"IDM is like taking HR functions, "one-of-a-kind" custom business processes, all your people and all your IT systems and throwing these together into a mixing bowl and hoping you get a nice cake out of it. It usually takes a few attempts before you can even get a simple sponge cake. The first few attempts usually result in some inedible mess of a cake that you give to the dog to eat while you go try again. Problem with IDM is that there is no dog. You have to eat it yourself while trying to figure out why you've got dog food.

All the variables make IDM outsourcing destined to fail (for now). There are too many moving parts. Business processes are too specific to your organisation (e.g. every bank has different processes for the same thing). You're kidding yourself if you think you can make it someone else's problem just by outsourcing it. IDM will never be someone else's problem. It is always your own problem because you're managing YOUR users using YOUR business processes."

Although I agree that business processes are specific, my experience differs with Ian's claim that IdM can't be outsourced. I've been personally involved in accomplishing exactly this for clients, (although we did the implementation to begin with, so that made it a lot easier.) Matt sums it up well: "I think most companies are already outsourcing IdM – they just do it on a project basis..."
I think that the only solution is a pragmatic one, where there is shared management. The customer can still feel "in control", but hand over day to day ops to a third party. Control can be put in place to allow customers to enter in requests, ability to accept/reject change requests, approve any fixes, and transparency into any and all changes that go through. Focus on "control" (and honest discussions regarding the caveats) in conversations with customers, and they'll end up going a heck of a lot smoother. Also, the actual management goes smoother as well. Customer's get to gradually let go, and initially lean on the service provider as a very knowledgeable augmentation to their staff. Once the comfort level sets in, customers can lean a bit harder, grant "persistent approvals" for break/fix scenarios, and reduce management staff for identity.

Financial Model - Tips for Startups

If you're an entrepreneur, this is gold. Real data!
This is the stuff I get to read while everyone else is having fun at Catalyst. There's always next year.

ESSO/Context and Healthcare, in the Trenches (Part 2)

In my last post, I focused on the first lesson: In-House Homework first, Hold Back the Vendors. In this post I'll go on to speak about the importance of executive sponsorship as well as the application inventory.

Executive Sponsorship

I think a ton has been written about this so I won't go into detail. I'll give two live examples. The first example was from a client that was seeking a Provisioning solution. We spent significant time with the right folks, or at least we thought they were the right folks. According to titles and apparent job function, we had an executive sponsor on board for the project. We identified a solid road map, the right resources on both sides of the fence, everything seemed dapper. At the last moment (and I mean legal approved contracts, pens were drawn), the CIO pulled the plug on the project by simply stating, 'I don't like this solution.' Everyone was baffled.
Example number two has a more positive ending. This time, the correct executive sponsor in place. The organization is going through a massive re-org, and it seems that the project will continue running smoothly. The project hasn't completed yet, but so far, so good.

A lesson learned:

Lesson 2: Validate 'Executiveness'

Just because a sponsor seems like he or she has leverage, it's important to understand the dynamics of the relationships in the organization. Each company is different with vastly different cultures. Does the sponsor's superior respect his or her decisions? Does the person have a track record of pushing projects forward?


Application Inventory

On to application Inventory. What is an application inventory and why is it important? I have yet to meet a Healthcare organization that has less than 50 apps. The last one I've dealth with has 1400+! That means that for clients who wish to ESSO/Context enable their environment, we need to identify which applications exist in their infrastructure, how important they are for ESSO/Context Management enablement, the technical difficulty to enable the application, etc. This information will help provide relevant context for the usage of the applications and which applications to focus on first.

Here is a list of things to document regarding each application:

1. General info on the app: name, version, app owner, number of users, app function, etc.
2. Application type: client/server, web, terminal emulator, java, etc.
3. Does the client seek to SSO and/or Context enable this app?
4. What is the driver for enablement? security reasons? audit trail?
5. Ranking importance level for enablement. I.e., how badly does the client want to enable this app vs. other apps?
6. What are the processes around this app? (Login Screen(s), Login Success Screen(s), Login Failure Screen(s) - Note Different Screens based on User Role (Physician, Nurse, Admin, Staff, etc.))
7. Is the application CCOW enabled ?
8. Application Credentials - Does this application have it's own credentials repository or share one with other applications? Application Credential Submission - Does this application use auto submit? (Some applications require users to select printers-ESSO can not auto submit.)
9. Is Change Password functionality supported by the application ? (If Yes, does the application have a configurable expiration timer? What are the valid characters? Do you want to automate Change Password and Auto Generate Passwords?)
10. What is the Business Process of the application Change Password Feature Change Password Screen(s), Change Password Success Screen(s), Change Password Failure Screen(s) - Note Different Screens based on User Role (Physcian, Nurse, Admin, Staff, etc.)
    

This should give you and your team a good handling on your existing application infrastructure vis-a-vis ESSO. In my next post, I'm planning on taking a step back and talk a little about the technologies.

ESSO and Healthcare, in the Trenches (Part 1)

I've been involved in the early stages of a fairly large ESSO project as of late. Since it's been a while since I've been involved hands-on with a project, I've decided to write a short series regarding my experiences. The goal is to impart some practical lessons that a PM could use the next time they decide to undertake an Enterprise Single-Sign On project, with special emphasis on healthcare.

I love working with healthcare institutions. There's always hundreds of apps to support, disparate teams with fragmented goals, and pushy users with lots of power (clinicians). Sarcasm aside, its always interesting given the unique landscape.

Lesson 1: In-House Homework first, Hold Back the Vendors

The client had been embarking on this project for nearly two years. Out of the gate, they called every vendor under the sun to see which products fit their needs. The problem was that they didn't clearly identify their needs up front. The good news is that the client was smart enough to recognize their mistake. They put the vendor calls on hold (indefinitely), and decided to do some in-house homework. The client identified that improving the clinician's experience was their primary driver, which helped a ton with the steps to come (as I'll demonstrate in future posts). They followed this up with the following very intelligent steps:

* They garnered some serious executive sponsorship
* They completed a thorough application inventory


In my next post, I'll dive a little deeper into the two points above. Anyhow, this experience rang loud, especially in light of the recent storm of articles on KPMG's Identity & Access Management Survey findings (here, here and here):

"More than two thirds (68 per cent) of executives surveyed for KPMG’s 2008 European Identity & Access Management (IAM) Survey believe the effectiveness of projects is hampered because they put too much focus on technology and fail to address the organisational and procedural changes that are required. As a result, only a handful, (11 per cent) are fully satisfied with the outcome of their IAM projects."

Ouch...SIs better do something and quick. (I'm sure that KPMG has nothing to gain from that!)

An Interesting Identity Management Use case for Healthcare

I've been meeting and talking with a number of healthcare customers, and thinking about common scenarios that identity technologies could be applied to. And of course, you have the run of the mill common scenarios that address HIPAA (like ESSO, deprovisioning, etc...which are useful, but let's face it - common). But one scenario peaked my interest because it was pretty unique to healthcare, and really provided significant value to Healthcare IT in general, and in specific to Compliance.

Remote physicians' offices often have access to a slew of clinical apps, such as applications that allow a physician or staff member of a remote office to view patient data, x-rays, lab results, etc. In order to demonstrate compliance, some hospitals hire contractors to get in their cars, drive to each remote office (which could be in the 100s), and 'attest' which users still exist at that office, note changes to hires/fires, and each user's application access requirements. Then they leave and drive to the next office. This happens every 6 months or so as a part of the institution's compliance recertification efforts.

Federation would be able to provide remote offices the capability to control authentication of accounts on their end, allowing the hospital to manage authorization profiles...but some (many) of these offices are just 2 or 3 people. A doctor or two, maybe a nurse and a secretary. The only thing you could guarantee regarding their infrastructure is internet connectivity, let alone the skills and infrastructure to deploy a federation server. Anyhow, this falls more into the control category than the audit category.

On the other hand, Attestation fits perfectly here. (Nishant wrote a good entry on attestation here.) Instead of having a person drive around gathering a paper trail of access levels for accounts belong to remote offices, provide the remote offices a web interface to attestation workflows, which allows them to periodically 'attest' to who is still there, who is new, and what they have access to. Simple, not technically complex, but darn useful. Clients love it because it addresses a real scenario with real benefits. Sometimes the coolness of a use case has less to do with the technology, and more to do with how it makes otherwise painful tasks a little more bearable.

Practical Identity Management for Healthcare

Shahid Shah, the Healthcare IT Guy, recently asked me to write up a guest post on his blog. Here it is. Enjoy.

Random Thoughts on Novell's Recent Press Releases

Reaching 6000 users. Impressive, but how does it tally? Is it me, or does that sound high? How is that broken down per product? I'd also be interested in the $33m they reported in revenues for Q4 and how that breaks down per product. They categorize it under the "Identity and Security" umbrella, $30m of which came from identity... Is there a report that can help distill their real marketshare, as well as for other vendors? Either way, its impressive.

On another note, Novell's CTO Jeff Jaffe talks about FOSSA in an interview, and describes Identity as one of the pillars. When asked about how open-source their identity product line is, he honestly states:

Very little. We have some open-source projects; but it's still growing. From the point of view of where the customer wants go with agility, we need it all, but in practice it's going to mature at a different rate.

Given their interest in the open source space, I wonder if the folks at Novell are looking to existing open source initiatives in the identity space and how they might work together?

Neuenschwander, Burton Group, SIs and Philosophical Rantings

I haven't blogged in a while, but something in a press release a few days ago really got me thinking. Mike Neuenschwander recently left his position as Research Director for Identity at the Burton Group to join Mycroft, a systems integrator here in NY.

My first reaction? Pretty impressed with those folks at Mycroft and their recruiting skills.

My brief second thought was - is Mike going to be in NY now? And I wonder if I could pick his brain over lunch about Limited Liability Persona, Relational Continuity Sockets Layer, and guitar smashing.

But then I started pondering another matter all together: the relationship between theory and practice. Burton is mainly about research and advisory services, while System Integrators are all about practical implementations - where the rubber meets the road. Quite a contrast. Research, clean. Integrations, dirty. Research, what ought to be. Integration, what is. But then again, sometimes research describes what is. I suppose I shouldn't write blog posts when I should be sleeping. But before I do that...note to self (and anyone who might be reading): figure out the role of "research and advisory services" for an integrator besides the typical introductory advisory services provided before selecting and implementing a solution.

Open Source Provisioning - VELO!

Earlier this week, Jim Yang and the open-source IdM folks at Safehaus released Velo, an open source provisioning solution. These are the same guys who developed Penrose, an open source virtual directory product.
So as for all those asking for an open source solution in the provisioning space, here it is! And unlike other projects that make claims but nowhere to download and play, Velo is readily downloadable at sourceforge.
Very very cool beans.

On Garter's Provisioning Report, Notes and Inquiries

Gartner's User Provisioning report came out a few weeks back. I had a few questions/thoughts about it.

The first is the notable addition of Novell and Courion to the leaders quadrant. Courion's addition is especially interesting, as its now the only boutique in the leaders' quadrant, which says alot about their product and market presence. The fact that they could play with the big boys is notable, and I've seen alot of clients asking more about their products lately.

The second point is more of a question. When speaking of Sun, they that Sun "...also has a strategic commitment to open source, with open-source versions of its user-provisioning software...". Is that true? I haven't heard of it. I did blog previously about openptk, but as I mentioned - that's not an open source version of Sun's provisioning application, but rather a toolkit. So what's the deal? Am I missing something or did the folks at Gartner goof?

Open Source Provisioning!!!...toolkit

I've been having a few conversations with colleagues about the absence of an open source solution for automated provisioning (keep an eye out here...something cool to come out soon), and then today, I made my way to the openptk website.

Now, I know that these guys don't have an actual provisioning solution, but rather a toolkit of APIs, web services, HTML taglibs, etc. that plug into existing provisioning solutions. Unfortunately, there isn't alot of info on their site, but its absolutely intriguing. Affiliations aren't hidden - all three contributors are Sun employees, and their site clearly says: "The architecture supports several pluggable back-end services including Sun's Identity Manager, Sun's Access Manager and LDAPv3."...but theoretically, this could plug into any provisioning solution, or am I being too optimistic?

IdM Processes...Existing vs. Future

Corbin Links put together a thought provoking post the other day on identity management implementations, and how companies are looking for a magic tool that could resolve their identity management woes, when they should primarily be focusing on their processes.

"Don’t start with the tool. Don’t start with even thinking about vendors. Don’t think “gee, now that we have fully committed to Identity and Access Management we will just outsource the whole thing, and a third party will take care of our business process for us.” Instead, make the commitment to work through processes. Don’t worry yet about higher-level tasks such as “role engineering” and “compliance baselining.” If you start there, chances are it will not be worth the paper it’s printed on by the next fiscal quarter. Instead, collect processes. Start with “business snippets” and work up from there."

This got me thinking of a conversation I had with a few folks who are part of the professional services arm of an IdM vendor about this (although this may not be what Corbin was hinting at), and the individual was educating me on how they engage a client on an IdM project. His advice: don't waste too much time on their existing processes, because they are going to change anyway.

I suppose this advice works (even then, only partially) for a company that is willing to completely change existing processes based on advice given by a few individuals that probably know little to nothing about their business - which I can't imagine are many.

One notable exception are the companies in the SMB market. My definition for SMB companies from an identity perspective lie between 200 and 2000 (perhaps that's a little generous). There are many companies in this space that have the regulatory pressures, but are typically flexible to change their processes to "template processes".

Nonetheless, for companies that don't fall into this category, regardless of size, the question is - what are the inherent dangers of glossing over existing processes, and focusing most of the attention on future processes? Perhaps missing some of the "must-haves" in new processes, but not necessarily. With that being said, time for a movie...to be continued?

Apple's New Product (not the iPhone)

Yup...got the iPhone. Love it, but getting used to the keyboard.

So - Apple is already launching new products...take a look.

Am I obsolete already?

On Anonymity

www.gapingvoid.com

Federation Woes

Techtarget has an insightful article on the difficulties surrounding Federation and its abilities to penetrate the market. Alot of the content arises from Burton Group's Neuenschwander, and his work on the topic. Neuenschwander eloquently sums it up: "Businesses have inescapable constraints and markets are brutally pragmatic."

Very true. In my experience, companies who may have a business need for managing authentication and authorization for externally facing apps more effectively with specific partners - BUT don't view it as absolutely critical for their business will opt not to deploy federation for two reasons:

1. The invasiveness of the technology vis-a-vis the partner's environment. i.e. the requirement of deploying a federation server in the client environment.
2. The legal ramifications involved as to liability and data ownership ("who owns the data associated with various identities and who has the final say when the data doesn’t agree") ... Phil Windley has written some interesting points regarding this.

I've dealt with a number of companies that were very interested in the technology, but decided to go with other, less elegant solutions because of the complications involved with these two concerns. On the other hand, when the business case is strong enough - federation is a wonderful solution.

A few years back when I got interested in federation, I was very impressed and was looking forward to aid federating the world. Unfortunately, it didn't turn out that way. As Neuenschwander stated... "the world isn't as it is in developers' dreams...businesses have inescapable constraints and markets are brutally pragmatic."

Wireless Sour Grapes

Verizon CEO: "We need to let iPhone hit the market and see what then reaction is," Seidenberg said. "It doesn't change our game plan. The burden is on [AT&T and Apple] to see if the market will change."

Burden on AT&T? Verizon could lose a million subscribers, they've lost the innovation battle (Prada?), and it seems that they'll be content with a healthy second place. How's that for leadership?

Thoughts on Rapid Identity

An interesting quote I pulled off of Mark Dixon's Identity Trends Presentation from JavaOne.

“I have recently noticed customers more willing to adapt their business process to out-of-the-box capabilities and industry best practices. There seems to be a large shift in maximizing costs and conforming to standards based provisioning. If this trend continues to thrive, average implementation costs and maintainability will become more palatable for customers looking to get the most out of their phased identity deployments.”
- Robb Harvey

Well said. Also, here are some points from Mark:

• Template-driven rapid implementation methods will be used to reduce Identity Management
implementation time and cost.
• Best practices captured in rapid deployment tools will allow enterprises to minimize customization and increase system effectiveness.
• Rapid implementation tools will allow Identity Management systems to be deployed in smaller enterprises.

It's an interesting notion for business process to morph to templates. I recall when I first started in the identity space, that was the battle we would try to win. Never did though...business processes, however warped they might have been, would for the most part remain the same and we would architect the identity solution around it. Regarding the SMB market, I would have to agree that they are definitely more flexible...but the template approach is extremely difficult for me to envision coming to fruition. Even with our iRim product (Identropy Rapid Identity Management), our prepackaged workflows end up going through some rigorous tweaking before clients are happy. But I must admit that there is an inverse relationship between the size of our library and the amount of tweaking we do.

Kerberos, a la Shakespeare

I just read an excellent kerberos primer in the form of a play, full with Dramatis Personae and Scenes. Athena and Euripides exchange thoughts on open network environments, and validating identities. Identity was relevant back then just as it is today...here's an small excerpt:

Euripides: Your workstation system sounds really good Tina. When I get mine, you know what I'm going to do? I'm going to find out your username, and get my workstation to think that I am you. Then I'm going to contact the mail server and pick up your mail. I'm going to contact your file server and remove your files, and--

Athena: Can you do that?

Euripides: Sure! How are these network servers going to know that I'm not you?

Athena: Gee, I don't know. I guess I need to do some thinking.

Euripides: Sounds like it. Let me know when you figure it out.

More IdM Services Company Acquisitions

Two more, to be exact...the first is our very own Identropy, which is in agreement with Earthling Security to acquire it. Although Earthling is more of a general security company, IdM was the major part of the reasoning for the acquisition.
Secondly, a press release today stated that ProtechT was acquired by Integralis. Integralis CEO stated:

With this acquisition, Integralis’ portfolio will be expanded by ProtechT’s
extensive knowledge in identity management and its expertise in multi-modal
biometric and smart cards.

According to ProtechT's website, it also seems like a general security company. In fact, it is self-described as an "Information Technnology Security" company. Nonetheless, the acquiring company's reasoning for the acquisition was identity, according to the quote above. These two acquisitions add to the Sun's Neogent acquisition from last year, as well as Novacoast's eNvision acquisition, and Secured Services, Inc. acquisition of Cybrix Corporation's Identity Management PS team. Perhaps this is an indication of further maturation in the Identity Management M&A game?

Am I Cut Out for a Startup?

I just read a great post by Paul Graham of Y Combinator entitled: "Why to Not Not Start a Startup" that i found through Phil Windley's blog. Y Combinator does real modest seed funding for entrepreneurs (usually less than 20k). Paul says:

So I'm going to list all the components of people's reluctance to start startups, and explain which are real. Then would-be founders can use this as a checklist to examine their own feelings.

He also gives feedback from their first investments back in the summer of 05. Out of 8, 4 were successful - and all that in under 2 years! Not bad.

Burton Group TIps Off IBM Scientist About Microsoft AD Patent Violation

I was taken back by an article I read today about a former IBM scientist, William Reid, who claims that he created the "technology" behind Active Directory, and that he owns the patent behind it.

OK...so what's the next logical step for Mr. Reid?!

Of course...sue Haliburton! And not for the obvious reasons Haliburton should be sued...but because their Identity Management system is based on it. Pretty interesting logic there, Bill! Using that logic, you could sue almost every company out there...go sue GM and Charles Schwab while you're at it. Too late...he already did.

The most bizarre aspect of the story, is that he got the 'tip' from Catalyst!

In an interview, Reid, who says he worked on artificial intelligence for IBM from 2000 to 2002, says he determined that GM, Schwab, and Halliburton were violating his patent after visiting a trade show. Reid says he watched presentations by IT officials from the companies while attending the Burton Group's Catalyst conference.

There's nothing quite like a disgruntled, clueless IBM scientist. (No offense to the happy IBM scientsts out there.)

Oracle's Donation

Earlier this month, Oracle announced that it would hand over the Identity Governance Framework (IGF) to Liberty Alliance. IGF is an interesting framework that is composed of CARML, AAPML, an API and an identity attribute service. This is the very high level of what I understand...

CARML (client attribute req. markup language) is an xml style doc that a developer would write that lets others know about the 'data needs' of their app, for example, my app needs attibutes A, B and C. (A good usage of carml doc is for identity services, which can tell apps what info it could give them)
AAPML (attribute authority policy markup language) on the other hand is a doc that goes with the data sources. These data sources can define how place constraints on how its data is to be used. Its a profile of XACML 2.0, and can be used by a policy enforcement point (pep) to do its job, (although it has an added feature of requiring the pep to check if user consent has been obtained).
IGF also comes with specs for an client api.

What was really cool is the industry's appreciation of Oracle's move:

"We're very pleased to see that Oracle has submitted the Identity Governance Framework to the Liberty Alliance," said Don Bowen, director of Identity Integration for Sun Microsystems, Inc. "Sun believes Liberty is well suited because of its business and technical experts from all verticals, including government. Its work in the area of data privacy is not only valuable, but essential."
— Sun Microsystems, Inc., Don Bowen, director of Identity Integration

"Novell welcomes Oracle's contribution to the Liberty Alliance. We continue to look forward to working with Oracle and the other leaders in the identity management market in the development of an open identity framework."
— Novell, Inc., Nikols, vice president, Product Management Identity and Security

"CA is supporting the Identity Governance Framework to help customers more easily protect personal data across their disparate systems and applications," said Andy Rappaport, Architect, Identity and Access Management at CA. "We look forward to working with the Liberty Alliance, Oracle and others to develop practical, adaptable XML-based specifications that simplify the creation, enforcement and management of identity security policies."
— CA, Andy Rappaport, Architect, Identity and Access

It's great when everyone can play nice.

The Effects of Drugs on Spiderwebs

On Justifications

"We fly 30 million people a year. Ten thousand were affected by this."

- David Neeleman, CEO of JetBlue

On Innovation

“Innovation is trying to figure out a way to do something better than it’s ever been done before."

-David Neeleman, founder and CEO of JetBlue

I'm a sucker for VCRs

T-Mobile AMEO, please come to America.

Advice for IT Startup Founders

Dharmesh Shah from Onstartups.com has some advice for IT Startups. I've pasted them below for your reading pleasure:


17 Pithy Insights For Startup Founders

1. Seek transparency and understanding with your partners early. Issues get harder as time passes

2. Startup founders work long hours for a reason. There’s more work than there are people. If you’re seeking balance, seek it elsewhere.

3. Bad customers will drain you of passion. Really bad customers will drain you of both passion and profits. Unfortunately, most bad customers will degenerate into really bad customers if you don’t do something about it.

4. If you’re changing direction often, worry a little. If you’re changing people often, worry a lot.

5. It’s lonely at the top, but even lonelier at the bottom. In the early days of a startup, hardly anyone wants to talk to you (except some desperate vendors).

6. Eventually, your product will need to work and do something useful. No amount of marketing or strategy will get you around this.

7. At the end of each day, ask yourself: “Did the product get better for customers today?”. If you don’t have a good answer, stay up until you do.

8. Until you are profitable, time is working against you. Once you are profitable, time is on your side.

9. Learn to take calculated risks. The market rarely rewards safe bets.

10. To improve the quality of your output, improve the quality if your inputs. Read, converse and connect with the right people.

11. Force yourself to write, as it will force you to think.

12. At least once every year or so, your startup will almost die.

13. The problem you solve should be ugly. The solution you build should be beautiful.

14. Even the most successful startup ideas had 100 reasons not to pursue them. There is no perfect idea.

15. If the pain doesn’t kill you, it just hurts a lot.

16. You choose your destiny, because you choose your team.

17. Be who you are. Do what you love. Join people you like.
    

Learn OpenID in 5 minutes!

Simon Willison has posted this screencast with a demonstration of how OpenID works. Nicely done. I wish there were one for Infocards. Then I could write a blog entry called "Learn Infocards in 5 minutes!" Kim? Is there already one?

What's this Role Management stuff about?

I read a press release today about a Role Management company called Vaau. Vaau first caught my attention back in March, when Gartner identified them as a "cool vendor". I'm sure the company name helped out, but the main reason for the honor seems to be the ability of their product RBACx to perform attestation at the user level rather than the role level (which seems like an obvious must-have for a role management product, although some "role management" vendors might disagree). Anyhow, today's press release was regarding a strategic partnership they struck with Sun. Seeing that there are more than a few vendors joining this space, I'd like write a few entries about the field, typical product features, general philosophies/approaches to role management, sushi and some of the vendors (off the top of my head, Eurekify, Bridgestream, Vaau, Courion, BHold, etc.).

The first place to start is what role management is all about. Using the latest technical jargon, a role is a grouping of things that need privileges to do stuff to other things. So it follows that role management is the management of what I just said. The main driver is usually all about access management, hence the term RBAC (role based access control). The idea is that its easier to manage roles as opposed to individual privileges. (Of course, compliance is a driver as well.) Sometimes that doesn't work out as planned. It's not unheard of for clients to complain that they ended up with more roles than people in their organization - which sort of defeats the purpose, especially if your role memberships are only people.
So the next post: typical product features in a role management app.

Become Rich: Use a Business Model!

I found this excellent blog yesterday by Alex Osterwalder. For those of you who are clueless (like me) - start here: What is a Business Model?
And find out why its important.
Then work your way to the Business Model Template.
Then use it to make very own.
Now the last and final step. Execute.

Why Use Cases Should Matter in Identity Deployments

In a comment to a previous blog entry, where I attempt to make the case for Use Cases in Identity Management integration efforts, James McGovern comments:

"First, many folks in the IDM space don't really understand how to create use-cases because it is not a traditional business-oriented scenario.

Second, the importance of getting a PM has to be not on internal nor external but someone who has walked the path before. This is pretty difficult to find even amongst the vendors themselves."

Focusing on his first point, I'd have to agree: use cases really come from the software engineering world (I believe originated from one of the three amigos - Jacobson). Wikipedia has a terse description of what a Use Case is:

In software engineering, a use case is a technique for capturing the potential requirements of a new system or software change. Each use case provides one or more scenarios that convey how the system should interact with the end user or another system to achieve a specific business goal. Use cases typically avoid technical jargon, preferring instead the language of the end user or domain expert. Use cases are often co-authored by software developers and end users.

In my opinion, the software engineering world has a lot to offer the identity integration world. Software engineers (and I use that term broadly) typically have a lot more interaction with business users than back-end integration folks. Figuring out how to efficiently produce software that the client wants/needs has been at the center of decades of discussions surrounding dev processes and methodologies. The integration community on the other hand are usually less focused on customer satisfaction, and more about making processes work efficiently and reliably. With the advent of identity integrations, the level of interaction with business development users has increased significantly. Many steps within the process of integrating an identity platform necessitates interaction with business users, such as mapping business processes and ultimately optimizing them (and the various touch points end users will have with it - for example in provisioning workflow), as well as user interaction with password management systems, esso, etc. I do agree that some components of an Identity platform may be invisible to the user, but typically the user will have at least indirect contact with it. (For example, in a metadirectory solution, a self-help name change in an HR data repository might result in a displayname change in their e-mail address or the name that appears on a phone handset.)

Identity integrators usually come over from sysadmin-type backgrounds, and (even those who have done an identity implementation or two) might not have the disciplines a software engineer would have in delivering a solution that the client is pleased with. (Even worse, many PMs for Identity projects that I've met don't seem to have much PM experience to begin with, or might be a sysadmin who successfully ran an exchange upgrade.) The result is what Mark Dixon described as the seven deadly risks, outlined below:

* Poor Pre-Project Preparation
* Poor Requirements Definition
* Large Initial Scope
* Inexperienced Resources
* Poor Project Methodology
* Scope Creep
* Not Using Available Support


The solution might lie in borrowing software engineering processes that would be helpful in initial preparation and scoping of an identity project, as well as ensuring that an iterative process results in happy business users.

To be continued...

Jackson Shaw is Blogging

Jackson Shaw from Quest is blogging. Jackson previously worked for Microsoft where he was Product Manager (I believe) of MIIS. Since then, he joined Vintela which was acquired by Quest. Quest now has its own portfolio of Identity products, ranging from the cool SSO stuff Vintela was doing between Unix and Windows, as well password management, audit tools (including what they call 'cross platform identity auditing' - which sounds really important), and provisioning.

Jackson's blog is self-described below:

Jackson's comments, commiserations, confabulations and simplifications on identity management and Microsoft's Active Directory all based on his continous "reality tour" of meetings with customers, ISVs and Microsoft.

Ok...so what does commiseration mean?

Definitions of commiseration on the Web:

a feeling of sympathy and sorrow for the misfortunes of others; "the blind are too often objects of pity"

condolence: an expression of sympathy with another's grief; "they sent their condolences"

Got it. Regardless, I think Jackson will have some pretty insightful blog entries regarding the identity topic. Go check him out here.

Sun on Identity for Healthcare and the Cost Problem

Health IT World has published an interview by John Russel called Sun’s Healthcare Mantra: Reduce Cost and Complexity with Sun Director of Healthcare and Life Sciences, Joerg Schwarz. He weighs in on Identity and provides a few interesting scenarios for federation:

Some RHIOs [regional health information organizations] follow the central model. Some follow the federated model. I chose a centralized model, which naturally creates a lot of animosity by privacy advocates, by patients, by people who are just afraid of having all the data concentrated in one place and I don't want to say who's right or wrong, but these are the two fundamental models. You centralize everything and use that as a model, or do you have a federated model where you keep the data where it is. You just have to make sure that when you need it you can save it to the aggregate it together.

When asked which model was better...

...identity management because data protection to control who accesses information through the entire lifecycle. The best way to do this is building a federated identity management concept so that a doctor that is known and authenticated with one institution can request data from another institution where he is unknown, but that gives him doctor level credentials to access information involving a patient.

Early in the interview, he explains that although most hospitals today have digital records, they are not linked, and primary care physicians typically don't have access to them. It seems that linking hospitals has a strong business case, and its just a matter of time before that gets into full swing...but what about the primary care physicians? A few barriers exist here:

1. $$$ - docs don't have the money to invest in infrastructure like this. And more importantly...
2. Why would they? Why would they want to share their info with other primary care physicians which could possibly give competitors an edge?

So there still seems to be a case for doctors as data consumers, although there seems to be a conflict of interest for them to behave as data providers. This might be circumvented if patient data can be released while protecting data regarding the physician history.

This would be a wonderful scenario for user-centric identity...

Zone of Mediocrity

Words of wisdom from Kathy Sierra:

"...if you're not doing something that someone hates, it's probably mediocre..."

"...be willing to take risks! Perhaps more importantly, be willing to tolerate (and perhaps even encourage) risk-taking in those who are managed by you..."

Identity Management PMs and Use Cases

I just read an interesting blog entry on Mike Wyatt's Blog entitled "Project Managers as a Critical Success Factor or Identity Management Projects". It peaked my interest because it has become a recurring topic of discussion amongst some of the folks in our integration team. Mike talks about clients not wanting to shell out the extra service dollars for the PM, opting to use their own "experienced" PMs. Mike aptly points out...

...in order to "get the deal done" vendors will make this concession. More often than not, when a project gets in trouble, the common issue is not technology (the bits) or even the vendor's technical team. It is usually the lack of strong project management, especially when customers are providing the project manager.

A few points that our team has come up with:

• Use Case definitions for identity projects are quite helpful, especially in defining expected behavior of the IdM system based on predefined inputs. Many times, PMs get caught up in the tasks that need to be completed, and become task masters who babysit the team to ensure that tasks get done, many times losing the big picture. What is the big picture? Its what the client wants, and that needs to be defined up front. So one of the first tasks for a PM should be to engage the client in order to clearly identify the use cases with accompanying pre-conditions and post-conditions. This document should read easily for any business user, so that the client PM (or equivalent) agrees to the exact desired behavior of the system upon project completion.
  
• If the use case document is clearly written, it can be used for project sign-off in the development environment, prior to migration. A meeting can be used to bring all relevant players together in order to demonstrate that the system behaves exactly as the client requested - using the use case document as a checklist. "This is what you wanted. Let me demonstrate that for you...great, it works. Let's check it off and go to the next use case."
• In the "Use Case" phase, the PM could be used heavily while using the architect for reference and sanity checks. Once the Use Case is completed, the PM could take a back seat and let the architect roll up his/her sleeves. The PM from this point only needs to monitor the project rather than to be involved and bill day-to-day. (Of course, the architect has to step in to ensure feasability before the use case is signed off on by both parties.) This shows the client that you could use a PM (and architect) effectively, and make them feel comfortable that it won't cost them a substantial services fee at the same time.

More to come on the PMs continuing role in the project...

Even Identity Can't Save Novell Now

Novell's Identity suite is arguably one of the best, with quite possibly the most number of production deployments in the market. It's provisioning solution is very mature, with Identity Manager 3 boasting "Designer", a tool allowing administrators to create almost the complete identity implementation graphically, and then drill down for configuration.
Furthermore, sales of Novell's Identity Manager are up 3% from last year. All that aside, Novell is in trouble.

Timothy Prickett Morgan states:

In the fourth quarter, Novell had software license sales of $46.1 million, down 41 percent from the year ago period. The bulk of this drop is attributed to a rapid decline in NetWare and its related Open Enterprise Server license sales, but Novell had issues in other areas. Linux is not growing fast enough to fill the NetWare hole, and neither are the company's identity management or server management product lines...You can also see why Novell bought SUSE three years ago. If it had not, Novell would be dead right now.

Hovsepian predicted lengthened stagnation in software sales in 2007, with the exception of Linux and Identity Management...but also stated a boost on '08 as a result of the Microsoft deal. Any way you slice it, Novell is not in good shape. Their stock price hit a 52-week low last week, as a result of their announcement regarding flat sales in '07. Identity brought in revenue of $23.8m in the quarter. Sales were up just $793,000, or 3.5%, to be worth 9.7% of overall revenue...apparently, Identity can't save Novell, but maybe Microsoft can.

DOJ, Ping, and the Disappearing Service Dollar

A friend of mine forwarded an email to me today regarding a project for a client who was interested in deploying Ping Federate. At first, I was pretty excited. I'm a big fan of what Ping has done in the past years - they've brought solid software to solve the world's federation problems. (In the company I used to work for last year, I had the privilege of taking my team of identity consultants to Ping's HQ in Denver to meet the Ping folks and get trained in Ping Federate. Honestly, they've got the highest concentration of brains in a small company I've ever seen. Kudos to Andre.)

When I got the email regarding the project, I noticed that it was in fact a forwarded email from a recruiter who wanted to "staff" a position at the Department of Justice...looking for a person who had experience with the Ping line. Then I saw this press release from Ping, stating:

...PingFederate will be part of the expanded RISSNET architecture used to enable law enforcement and criminal justice agencies throughout the United States, Canada, the United Kingdom, Australia and the U.S. Territories to share intelligence and coordinate efforts against criminal and terrorist networks that operate in multiple locations.

That's some pretty serious stuff. Eric Norlin (who knows a thing or two about Ping) states this on his ZDNet blog:

Ping Identity announced that the U.S. Department of Justice selected them to provide federation to over 7,300 local law enforcement agencies and 700,000 law enforcement officials.

I was interested. It was definitely something we could respond to. But the email's "staffing" approach of the whole thing kind of threw me off. The press release and the recruiter's email didn't seem to fit.
Anyhow, I got a phone call a few hours ago with the details. Worse than I imagined...they want a "resource" (guaranteed till February! yeehaw.), for a rate so low that we wouldn't even cover our costs. Could it be that the Department of Justice was just looking at a federation deployment for nearly three quarters of a million seats as something to throw a "resource" or two at? Anyone who knows anything about identity will tell you that federation could be pretty complicated stuff. Also, how could the rate possibly be so low? How many layers were between us and DOJ? Who's eating all of the service dollars? Even if there were alot of layers, would DOJ accept a team slapped together to deploy an enabling technology like federation? Somethings not right, definitely not right.

Best Identity Management Solution Competition?

SC Magazine has released the Finalists for its Best Identity Management Solution Award. The list of finalists are:

BMC Identity Management
Courion Enterprise Provisioning Suite
Encentuate TCI
Novell Identity Manager and Access Manager
Oracle Identity Management

What do you mean Identity Management?? Kind of broad, isn't it?

"Includes user provisioning solutions, single sign-on, password management, user rights revocation, etc."

OH. "Etc." !! Never mind, that clarifies everything.

Kim Goes Veg

Kim makes some excellent points regarding the inclusion of vegetables into the identity laws. Read for yourself:

The synergistic combination of omnidirectional identifiers and correlation handles on a per-vegetable basis could be the sustainable architecture behind the meta-zucchini infrastructure.

Any metasystem needs to realize that pumpkins may vary in physical appearance, but their basic architecture is the same: stem, seeds and pulp represent the core of our constituent squash identity system.

We hope our commentary will stimulate oral interfacing across the vegosphere and among the “gouderati”.

Resources for Angel Investment Seekers

Last week, I had the pleasure of attending a seminar conducted by U-Start, led by Peter Pritchard from CEG entitled "Funding Continuum for Start-up & Early-Stage Firms". Excellent information for startups about the practical aspects of the funding process. Anyhow, I gained a few excellent resources for solid information about angel investments:

Angel Capital Association: a professional association focuses on networking and sharing of best practices among these angel organizations. This site has a rather comprehensive list of angels nationwide, broken down by state

New York Angels: self-described as a forum in which its members can exchange information about investment opportunities in early-stage technology and emerging growth companies in the Northeast and to provide administrative support as its members help such companies to grow to market leadership. The section for "resources" has an invaluable slide-by-slide breakdown of what angels typically want to see.

More on IdM's Biz Prowess

Just read this article by John Oltsik, who is Sr. Analyst at the Enterprise Strategy Group - who attended DIDW this past week and gives a series of points why Idenity "finally made it." Point 2 states:

Projects are getting bigger. When identity and access management tools were deployed in the past it was generally on a tactical basis to address IT operations challenges. Suddenly, projects have a more business and enterprise focus. I attribute the change to compliance on the one hand and the externalization of IT on the other. This means that customers are looking at large identity deployments, big investments, and professional services. There's gold in them thar identity hills.

Another nod to the maturation of IdM in the business world...although I don't agree with the "sudden" business and enterprise focus. It took alot of DIDW and Burton Group conferences to get here. There are many indicators that there is a market for business consulting services for identity projects. All we need now is new acronym for this "new" field...

[update]

Another interesting quote... I'm starting to collect the "as a CEO...as a CIO...as a CXO..." quotes about identity:

“As a CIO, I strive to ensure productive, secure, cost effective solutions that help our users realize their potential. Identity and Access Management is the foundation for any solution that I provide to our users.” - Ron Markezich, CIO, Microsoft

Jamie Lewis' Keynote at DIDW and IdM Services

Phil Windley has a pretty lengthy post recapping Jamie Lewis' keynote at DIDW this year. He has some pics of some of Jamie's slides as well. (I always enjoy Jamie's 'status of the market' type slides...take a look at this one.) The interesting part was the claim that the market is moving from suites to services. I'm not sure I sense that in the market at all. Being on the floor, I haven't seen many - if any - IdM services being deployed. I have seen tons of traditional suite-type implementations. Each vendor is, of course, pushing hard to have their stack to be adopted and implemented, and usually with some level of success. Phil wraps this point up well (emphasis mine):

When we get to the point where there are services we can reuse, then we will see progress. There’s reason for hope. Emerging frameworks, like CardSpace, OSIS, Higgins, and Bandit promise to create an access layer.

Identity Management's Business Prowess

It's refreshing to see the strength of the Identity market in the following excerpts. The first is an analysis on Oracle stock by Rob Black. The second is a quote from Sun's CEO, Jonathan Schwartz:

Rob Black submits: Expect an in-line Oracle (ORCL) quarter in a historically difficult period. Expect to see growth from all product segments across all geographies, with better contribution from Europe than reported in recent periods. Analysts believe Fusion Middleware focus and growth will continue for the foreseeable future, highlighted by strength in Identity Management opportunities. Analysts are increasing our price target for ORCL to $19 from $17 based on our revised DCF, which includes a reduced discount rate (due to reduced risk free rate) and increased confidence in a more promising cash flow growth scenario.

Growth to Oracle is ultimately attributed to Identity. Now that is pretty big stuff. The entire company stock is expected to go from 17 to 19 ultimately driven by an upswing in identity sales. Just to put this into perspective, this is a company that could bankroll buying Peoplesoft at $10B and Siebel at almost $6B. In the past year or so, it has picked up some dinosaurs in the Identity world: Octetstring, Thor and Oblix.
The second quote is from Sun CEO:

"As a CEO, nothing is more important to me than security and identity management," Schwartz said. "It's the heart of SOX, HIPAA and other regulations across the world. Who has access to what information often closely relates to who pays for that information and who's liable for that information."

That's a wonderful shout-out for identity. Given that the quote was taken in an interview Schwartz gave in relation to Sun's tight relationship with Accenture (and how they really need Accenture as a consulting arm to compete with IBMs Global Services division) - nonetheless - I'll take it! If that were the case, it would speak to the strength of the services market for Identity - which in turn speaks to the software market as well. Either way, it's a good sign for things to come.

Google's Got Ears!

Google's latest addition is a pair of ears. Perhaps more than a pair...according to this article, Google is aggressively working on software that would leverage your computer's microphone to eavesdrop on you, and play back relevant ads:

The idea is to use the existing PC microphone to listen to whatever is heard in the background, be it music, your phone going off or the TV turned down. The PC then identifies it, using fingerprinting, and then shows you relevant content, whether that's adverts or search results, or a chat room on the subject.

Am I the only who's getting scared? What's next? They already log your searches, follow your blog (I use Blogger), they track the sites you visit via adwords, the email you write via gmail, etc. and now they want to be a fly (with ears) on the wall in your home! And the sad fact is that most people won't have a problem with it, in the interest of having a more intimate experience on the net. But at what cost? Can't we have our cake and eat it too? Can't we have the personalized experience we desire on the net without revealing every detail of our lives? Absolutely - from a technical perspective. The best minds in the identity world have put together a number of theoretically feasible solutions, unfortunately dollars drive advertising over security and anonymity. I think we'll get there some day, but not before our homes are invaded by Google and their likes.


Technorati tags: Identity Management, Google

Stephen Colbert, Identity and User 16006693

Stephen Colbert had a hilarious piece on tonight's Colbert Report regarding protecting identity while searching (he suggests typing with your weaker hand, to disguise your typing patterns), in response to the AOL debacle (if you haven't heard, they released about 3 months of search histories comprising of some 20 million searches...but don't worry, they replaced people's usernames with random numbers...so we are safe, right?)
Not exactly. Paul Boutin used splunkd.com to parse the heck out of the data - and arrived at seven patterns of searchers. According to him, according to the data - people fall into one of seven searcher categories: the pornhound, the manhunter (looks up a persons name again and again), the shopper, the obsessive (the person who searches for the same thing incessantly), the omnivore (the person who searches like crazy, and doesn't really have a pattern), the newbie and the basketcase.

The most interesting way that I found to look at the data is to pick out a specific user. It's damn interesting, comical, and scary as to how much insight you might get. Take a look at User 16006693 go from politics, to retirement, to politics, to religion, to sex, quickly back to religion (repent!), to food and finally to heartburn. Classic.

16006693 nak
16006693 nack
16006693 sharona
16006693 knack
16006693 knack downloads
16006693 oakrige boys
16006693 oakridge boys
16006693 oakridge boys downloads free
16006693 jokes about dick cheney
16006693 jokes about dick cheney but not george bush
16006693 dick cheney creep
16006693 dick cheney dickhead
16006693 rummy dickhead
16006693 where is iraq
16006693 where is lebenon
16006693 his bullets
16006693 his bullies
16006693 shiits
16006693 shee-ites
16006693 bush appruval
16006693 bush approvel
16006693 bush drops below
16006693 dead reporters
16006693 dead reporters fotos
16006693 dead reporters pix
16006693 disembowled reporters pix
16006693 disembowled new york times
16006693 love thine enemas
16006693 love thine enemies
16006693 bible quote of the day
16006693 insperation from bible
16006693 george bush great president
16006693 george w bush great president
16006693 dream on
16006693 oakridge boys lyrics dream on
16006693 how to run country
16006693 how to run country when not really inerested
16006693 people to run country for you
16006693 over work
16006693 overwork
16006693 stress
16006693 best place to retire
16006693 places like crawford but without cindy sheehan
16006693 crawford the town not cindy crawford
16006693 crawford tx
16006693 like crawford tx but not so hot
16006693 best places to retire not hot
16006693 best places to retire global warming
16006693 global warming mith
16006693 global warming myth
16006693 crawford hot
16006693 cindy crawford hot
16006693 rice hot
16006693 rice hot not recipes
16006693 rice naked
16006693 rice nude
16006693 bible quotes resisting temptation
16006693 oakridge boys i'll be true to you
16006693 oakridge boys trying to love two women
16006693 rice and beans
16006693 tex mex
16006693 tex mex not music
16006693 tex mex takeout
16006693 tex mex takeout dc
16006693 heart burn
16006693 heartburn

Technorati tags: Identity Management, AOL Leak, Privacy, Stephen Colbert

Open Source IdM Implementation

Kepak, a European Food Giant (well, 2000 folks doesn't qualify as a giant, does it?) has asked the Open Source gurus at Sirius Corporation to deploy "...an OpenLDAP-based Identity Management solution...".

The article doesn't mention which vendors were selected, although they do describe it as "...a secure, standards-based platform that will authenticate Windows users to all network services."

Who could they have selected? Don't know, but its probably somewhere in this Identity Management Open Source map put together by Jim Yang and the folks at Identyx. I love this thing. I wish someone would put together another one for vendors outside the open source space...any takers?

Technorati tags: Identity Management, Open Source, Jim Yang, Identyx, Sirius, Kepak

Identity Management Services Company Acquisition

I posted a few probing questions a while back regarding the Identity Management services market. Today, I read an interesting press release with the heading :

"Novacoast Announces Acquisition of eNvision Data Solutions, LLC"

Some excerpts below:

Novacoast, Inc., an IT professional services firm announces the acquisition of eNvision Data Solutions, LLC. eNvision, a systems integrator in Philadelphia, has served Pennsylvania and New Jersey since 2001. eNvision's core competence is in identity management, Linux, and Open Enterprise Server...

Paul Anderson, President and CEO of Novacoast said, "Our attention is constantly focused on acquiring the best engineering skill sets and delivering those skills to the market. Our acquisition of eNvision gives us top engineering skills in identity management and Linux.

So, this is some pretty interesting stuff. You don't hear of Identity Management professional services companies acquisitions every day. We've become accustomed to hearing about product companies getting acquired (there was another one by the way...Entrust announced its picking up Business Signatures on the 19th of this month) - but services companies haven't been having the same excitement. A few more of these, and things might start getting exciting. (At least for us!)

Technorati tags: Identity Management, Acquisition, Novacoast, eNvision, Novell, Entrust, Business Signatures

Excellent Blog for Entrepreneurs on Fund Raising

An excellent blog I've been frequenting lately is www.bostonvcblog.com by Jeff Bussgang. Besides the fact that he was part of some pretty large startups (Upromise) - he gives some excellent insight into the whole fund raising process. The best part of the blog is that Jeff doesnt shy away from giving numbers, percentages and the like...you know, the questions that really matter. He also discusses the mindset of VCs and entrepreneurs, and the possible clashes that could occur. Anyhow, I'll leave you with an excerpt to give you a taste and illustrate his insight into the numbers, but you should go take a look for yourselves:

...Let’s do the math on an example to see how this plays out. Let's say an entrepreneur owns 10% of their VC-backed start-up and someone comes and offers them $100 million. Thus, they stand to make $10 million if they proceed with the sale. Let's say a VC fund owns 20% and thus will take away $20 million, but assume they’ve invested $5 million already in the company, yielding a net capital gain of $15 million. Further, let’s say the VC’s “carried interest” is 20%. Therefore, the general partners of the fund take home $3 million. Let’s say there are 6 partners that split the carry evenly – that’s $500k for each general partner...

Technorati tags: Identity Management, VC, Fund Raising, Startup

ITIL and IDM Buzz (HP, BMC and Courion)

I just read a pretty interesting post by Archie Reed on HP utilizing identity management to align the enterprise with ITIL objectives via automation (or aligning ITIL and IdM through automation). The example he gives is self service password management.

ITIL (IT Infrastructure Library) is a framework of best-practices focused on service delivery. Perhaps that is too broad a definition, but a good place to read about it is here.

The last time I remember ITIL and IdM used together was by BMC's VP, Somesh Singh. In this article (back in December), he stated:

“Technology solutions that build and maintain an IT infrastructure are no longer sufficient. Customers now need to be able to demonstrate business value of investment in their IT infrastructure, only BMC offers a suite of solutions founded on the principles of ITIL and Business Service Management,”

Although he didn't focus on automation as Archie did, nonetheless he brought ITIL into the IdM scene. BMC claims its Identity Compliance Manager is rooted in ITIL principles, and is "a graphical dashboard to report on policy compliance." So obvious, the slant here is towards compliance instead of automation, but a relation exists nonetheless. This kind of intrigued me, so I decided to do a few searches on it, and I found that Courion is polling its clients about usage of ITIL and COBIT. From their press release on their Converge conference this year, the following quote is relevant:

"When asked about best practice methodologies their organizations are undertaking today, thirty-two percent identified ITIL while twenty-one percent identified COBIT; eleven percent identified both. When participants were asked if their organizations found ITIL or COBIT to be beneficial to their risk management, governance, and compliance initiatives, sixty-four percent were not certain about ITIL, while sixty-two percent found COBIT to be beneficial. Thirty-two percent responded that their organizations are not using a best practice methodology."

Interesting, considering they recently launched a Compliance tool and Role Management tool. It seems to me that as the market completes deployments on Password Management and Provisioning implementations, and starts making Role Management and Compliance Management a reality - ITIL and COBIT will become more relevant to the identity discussions.

Technorati tags: Identity Management, ITIL, IDM, COBIT, HP, BMC, Courion

EMC's Justification for RSA Acquisition

According to a number of reports, EMC has been getting criticism from investors and Wall Street regarding the whole RSA buy.
EMC's Rob Sadowski explains their reasoning for purchasing RSA by describing the storage market moving towards "holisitic" information management which is accomplished by Identity Management technologies. So instead of writing their own identity tools, why not buy and beat competitors to it?
Rob's analysis holds some truth. Think about Sun's integration of their storage and identity products earlier this year.
So does this mean we will see more storage and identity companies forging relationships?

EMC Buys RSA

I just posted yesterday that the M&A market in the identity space seems to be slowing down, and then POW, a huge acquisition is announced today (Over $2 Billion!!).

What does this mean?
Well for one, acquisitions are still somewhat alive in the identity market. It might be that this sets off a few more acquisitions. There are a number of boutique shops, and a number of large players with weaknesses here or there. For example, Microsoft could use a better provisioning solution, and a number of companies are weak on federation and such. So, there is room and need for acquisitions in the IdM space, although in my opinion, this would be the final round.

What does it mean for RSA and their partners? (We are, and unfortunately, this is the first I've heard about this deal). Well, in my opinion, its a positive thing. EMC is notorious for their aggressive sales machine. They might be able to give life to RSA sales.


Also, RSA has been pigeonholed as the "keyfob guys", and they have been unsuccessful in their attempts to rebrand themselves as a holistic identity company. This might give their other products (which are pretty damn good) a chance to shine. They have a great web access management tool that has been around forever (Cleartrust), they have a SSO solution (I believe they OEM Passlogix' V-Go), and a federation product (FIM) that desperately need some marketing attention.

Another possible positive is if EMC delivers on their promise to integrate RSAs product into their information management line of products. If this happens, in similar style to the way Oracle has been able to pull off the integration of the companies they acquired (even if only as a marketing ploy), then this is great news for RSAs product line.

All in all, a good move for RSA. As for EMC, that depends on what they do with it.

Technorati tags: Identity Management, RSA, EMC, Acquisition

Identity Management Services Market

A topic of recent interest to me is regarding the Identity Management Services Market, with forcasting and the whole nine. If you google "identity management market", or other similar searches, you'll a few papers on the topic, although their focus is naturally on the product side of things.

Radicati, about 9 months ago, released in their analysis "Identity Management Market, 2005-2009" that the Identity Management market, including all segments -- full-suites, provisioning, secure access/authentication, and federated identity solutions -- will reach over $1.2 billion in 2005 in worldwide revenues, and grow to over $8.5 billion by 2008. I recall Jamie Lewis back in 2004's Catalyst Conference provide a progress report on the IdM market, and he described it back then as the first round of M&A activity coming to a close (I wonder where that puts us today?...havent heard of a good acquisition lately). Anyhow, both were regarding the state of affairs of the software side of things. What about services? I'm sure the folks in Deloitte, PWC, etc. have thoroughly researched the topic - unfortunately, I'm unable to find anything directly on the matter.
Obviously, when the product market is hot, the services should necessarily follow - but that could be contingent on a number of issues. How difficult are the integrations? Are the products increasing in sophistication, thereby easing administrative and deployment burdens? Is ease of use even high on vendors' lists? If not, why? and when will it be? Lots of questions, few answers.
Anyhow, this is a topic that concerns me due to my profession, although I'm not losing sleep on it since the market seems like its chugging along at a decent pace. What does concern me are the questions: for how long? what are the trends in various verticals regarding the selection of professional services firms for services work? How many are outsourcing their deployment and support work? How many are utilizing in-house resources? What factors are affecting decisions regarding which firms to award the bid to? I personally have answers to some of these questions based on my experiences in the market, yet a more scientific study would be welcoming.

Technorati tags: Identity Management, Identity Management Market, Catalyst, Radicati

RSA and PassLogix in TransCanada Presentation (from Catalyst)

I just attended a really interesting presentation at Catalyst today by Martin Vant Erve of TransCanada Pipelines entitled "Implementing Enterprise Single Sign-On with Two Factor Authentication." Wow! What a great case study. Simple, honest, didn't hold any punches. The idea is pretty straightforward: a user uses his/her securid code, that gets forwarded to AD, which references RSA Authentication Manager - which is followed by the whole auth vs. AD (under the hood), finally the end user is authenticated and session is sent to the client. Once that whole thing is completed, PassLogix V-Go takes over by providing the SSO piece of it. He had excellent analytics in regards to reduction of help desk, which is often touted in front of customers. He said that help desk calls actually stayed the same, because they got new calls to the help desk for issues like "I left my token at home", and questions about the new deployed apps. Yet, TransCanada considered this as a win because they increased security which is what they were after. To make the bitter pill easier to swallow for end users, they coupled it with SSO. All in all, a solid case study.

Technorati tags: Identity Management, RSA, PassLogix, Catalyst, SSO, SecurID

Catalyst's Session on Provisioning, "The Vortex of IdM"

The upcoming catalyst conference has what looks like an interesting session conducted by Burton Group's Lori Rowland on Provisioning. The following excerpt from the session description caught my eye:

Compliance and security concerns are driving provisioning solutions into enterprise customer environments, however the sophistication of these customer deployments are lagging behind technology advancements.

What struck me was that on most deployments we've completed, a ton of "customizations" were needed in order to satisfy the customer. By customizations, I mean changes that would qualify as outright upgrade features - and I've heard similar complaints from colleagues in the field. Any way you slice it, this session is a must-see.

Technorati tags: identity management, identity, provisioning, catalyst

Novell Taking a Beating...

This article shows Novell's continuing problems in the past quarter. Although a series of press releases by Novell attempt to paint a different picture, the numbers don't lie. I think this sentence says it all, "Cashflow from operations was a negative $24m, up from a negative $25m."

What does this mean for Novell's identity offering? Well, nothing in the article focused on their identity offering, but they are not as visible as they once were (18 months ago) in third party reports and such. Anyhow, it's something to keep an eye out for.

Technorati tags: identity management

Notes on Laws of Identity (Part 3)

It's been a while, but I'm going to work on finishing unfinished business...

• The definition layed out thus far is flexible enough to cover all the known digital identity systems, allowing for the emergence of a metasystem embracing multiple implementations/ways of doing things.
• The usefulness of the claim is not inherent in the claim, but its evaluation/decision by the relying party.

The Laws (finally...):

1. User Control and Consent: Technical identity systems must only reveal information identifying a user with the user's consent. The system should also protect the user against deception, verifying the identity of any parties who ask for information, ensuring submitted information goes to the right place, and informing the user the reason for which the information is requested.

2. Minimal Disclosure for a Constrained Use: To mitigate risk, the solution should release the least amount of identifying information as possible. This ensures that there is less of a chance identifying a person accross multiple contexts.

3. Justifiable Parties: Information is only disclosed to those parties that have a "justifiable" place in the identity transaction. Although what exactly qualifies as "justifiable" is open to interpretation, this law does provide for a transparent transaction.

A Well Written Post on Common Virtual Directory Scenarios

Matt Flynn has written a concise post on VD scenarios... I've cut and pasted below:

Common Virtual Directory Scenarios

The discussion
regarding possible uses for Virtual Directory is on-going. The following are 8
easy-to-understand scenarios for Virtual Directory in no particular order. This
is by no means an exhaustive list, but I think it covers the simplest scenarios.
I look forward to questions or comments.

Protocol Translation - Provide
access to relational and other non-standardized data over standard LDAP and Web
Services protocols without altering the data.

Web Service Enablement -
Respond to identity data requests made via DSML, SPML or any other
service-oriented data format (standards-based or custom).

Multi-Repository Search - Enable a single search over standard protocols
to return a single clean result-set containing identity data that resides in
multiple repositories in multiple formats.

Joined Identity View - Enable
a search that returns a view of single identities that are comprised of data
from multiple repositories. e.g.) A single user record is presented with name
and phone number from the HR system and the email address from Active Directory.

Permission-Based Results - Enable a customized view into a single data
universe based on which application or which user is performing the search.
e.g.) Employees inside the corporate firewall see a full view of fellow
employees while customers accessing an external-facing application see a reduced
set of attributes and phone number is formatted using the (toll-free +
extension) format.

Dynamic DIT - Build an on-the-fly Directory
Information Tree based on identity data attributes. e.g.) The application calls
for LDAP views based on job title so the virtual directory dynamically presents
an OU for each job title in the database and presents employees within the
appropriate OU based on their job title.

Authentication - Enable
pass-through authentication from a single point of entry into multiple identity
data stores. e.g.) Authentication requests are directed to a single point. The
Virtual Directory authenticates non-employees against a back-end Sun Directory
and employees against Active Directory.

Real-Time Data Access - Provide
real-time access into back-end systems. Because requests are passed to the
originating data source, the search results can be as real-time as required.

Summary

Virtual Directory technologies eliminate boundaries.
Hassles related to LDAP object types, attribute definitions and other
schema-related issues are eliminated by virtualizing the view into the backend
identity stores. You're no longer limited by the existing data format or
database branding. There's no requirement to migrate the data from a relational
database into an LDAP directory in order to make the data LDAP- or Web Service-
accessible.

Sun, Identity Management, and Storage

I think this is going to be huge. I place my bet that Sun's Storage market share will increase significantly because of Identity. Unfortunately I'm not a betting man.

"For example, Sun has integrated the identity-management capabilities obtained via its Waveset acquisition with its StorageTek Enterprise Storage Manager software, allowing customers to discover, monitor, report and charge-back users for storage use. The company also is adding encryption to StorageTek storage devices and providing centralized key management for data and tapes via Waveset's technology."

Federation and 'How we got here'

Eric Norlin has a wonderfully concise post in regards to how we got where we are today in terms of federated identity. I know its a bit dated (as far as IdM technology discussions go) - it was seemingly written as a result of confusions that arose as a result of Higgins being released.
Note: under the heading 'SAML', when he refers to 'web access management' tools - he is referring to tools like cleartrust, siteminder, tivoli access manager, etc.
i think its important to appreciate those tools are really what paved the way for what we have today in terms of federation standards and such. Well, that and a little prodding. Nonetheless, the article gives great context to alot of discussions today regarding attention data, user-centric identity, and stuff like that.

IdM, MENA

Thisi is an interesting article featuring some of Sun's endeavors in the regions. The first line in the article states: "Sun Microsystems Middle East and Africa (MENA) has identified identity management as one of the three most significant issues facing IT management in the GCC in 2006."

The main driver seems to be coming from the push of some of these nations to make a national ID card system. Although the legal validity of these systems is heavily contested in Europe and America due to privacy infringement, the Middle East typically doesn't seem to having that problem (it's not like their actually asking for permission from anyone). The following quote is from Sun's Sales manager, Jamie Bliss:

“As GCC governments consider creating national identity card schemes and businesses in the region stand to lose considerable amounts of money if information or assets fall into the wrong hands, an increasing number of regional organisations are making a centralised, self-service-enabled and affordable identity management solution a top priority in 2006."

Dubai has already deployed such a system. This looks like an area that the Middle East will gain considerable experience in over the next 2-3 years, over their counterparts in western countries.

Here is another article on the same subject, which states:
"Sun will be meeting with regional IT heads at a security summits in the Kingdom of Saudi Arabia and Qatar this week to highlight the need for a federated or uniform approach to both physical and IT security. "
and
"The Sun identity management seminars will take place in Riyadh on April 9 and Doha on April 10. "