Archive for July, 2008

Pessimistic? Heck No!

Thursday, July 31st, 2008

As lost as we might be right now, the future is very, very bright.    One of the biggest forcing functions that I see on the horizon is cloud computing.    It’s one thing to have a whole bunch of internally controlled silos that don’t talk to each other — but imagine all those silos spread across the internet.

Cloud computing is a practice that garners high risk without disciplined Identity Management.  Enterprises have traditionally had the luxury of laziness when it comes to application integration because removal of physical and network access can compensate for late or non-existent deprovisioning of internal accounts.  There is no corporate perimeter to save you with cloud computing. Automated Enterprise control of at least web access or account status is the only way to mitigate the risk for customers of any size – and this is a great thing, because it means that practically every customer of a cloud service has an identical worry.  When the vast majority of the client base has an issue, that issue gets vendor attention.

In addition, it is obvious that a huge number of SMALLER Enterprises are going to subscribe to cloud services.  More than anything, I’d like to see resources in place such that at the time a smaller company makes that jump, they can find and follow a few cookbook Identity practices that most Enterprises don’t think to care about until they have severe pain.   If we can help smaller companies to institute solid, integrated Identity practices BEFORE they buy big HR products and massive internal help desk systems and complicated document management software, maybe we can ease the pain before it ever starts, rather than having to apply band-aids after the fact.   Preventative medicine is so much cheaper for all, isn’t it? Perhaps when faced with the choice of adopting an easy-to-integrate cloud service or an impossible-to-integrate in-house software product, companies will choose easy-to-integrate.  If that happens, suddenly those big, lumbering software vendors might get a clue that they cannot operate in a vacuum, and that ease of integration matters.

Case in point: the company I work for, Nulli Secundus.  We recently abandoned our Sun Messaging Server installation for a cloud service.  One of the biggest complaints about Sun Messaging Server was its complete and utter inability to facilitate integration of the web client into our SSO infrastructure – not being able to integrate is pretty embarrassing for a company that specializes in Web Access Management.  With the cloud service, SAML support is already there, waiting for us.   The decision was a no-brainer, the cloud service made it unbelievably easy to switch.   I imagine a lot of small companies are doing the same thing. Once we get SAML integration working for this first service, integration of following SAML-enabled services will be effortless – application sales & marketing teams with any kind of intelligence should see that this waiting and available infrastructure is great sales leverage.  These are the trends that turn into tipping points enacting massive change – we just need to seize the opportunity and provide guidance & pressure in order to maximize the benefit while things are forming and flexible.

So – our current state doesn’t keep me up at night.  Not when we have all of this opportunity in front of us…

What ARE we trying to do? And how do we measure success?

Thursday, July 24th, 2008

In my last blog post, I complained that we’re a bit lost.   I would like to be even more specific.   In the world of Identity, there are theoretically two types of people — those whose job it is to pay attention, and those who rely on the first type of people.  I don’t mind if the second group are lost.  I worry when the first group are lost.

So, why is it that we actually deploy these systems in the first place?  And, if this world of Identity is a journey and not a destination, how do we know when we’ve seen and done enough?

Here is my definition of what a given Enterprise may wish to accomplish by spending money on Identity technology:

  1. Simplification of Sign-on & Sign-on related procedures
  2. Access to assets granted on basis of least privilege
  3. Process-driven Account Automation
  4. Delegation of Identity Data Maintenance & Workflow to the person/resource most able to enter correct, timely & knowledgeable data
  5. Ability to interact with partners or outsourced services securely & efficiently
  6. Accountability for all of the above through Approvals, Audit

Why do we wish to accomplish these things?

  1. To make the Enterprise workforce as productive as possible.
  2. To protect corporate assets against theft or abuse.

There.  That’s it, assuming I haven’t forgotten anything obvious.   The problem is, you can’t just tick off these items like some kind of grocery list.  All you can do is make a qualitative assessment of how close the processes & technologies your company has implemented from the first list bring you towards the end goals described in the second list. Every organization of every size should be making these evaluations – but the sweet spot between cost undertaken and value returned will be different. For smaller companies everything could be manual, and there is nothing wrong with that as long as the risk and overhead are tolerable.

Is this characterization just an invitation for vendors to get lazy?  It’s hard for me to imagine.  There is so much work to do in these areas, so many things that can improve, that I can’t imagine any of the vendors having time to slack off.  Besides, I think there are revolutions to come.

The really interesting question will be whether or not the big vendors will ever start enabling truly integrated provisioning and SSO support for the full range of their products.   Imagine if every web-enabled product sold by Oracle had a configuration property called “trust OAM session cookie”, and if the configuration property was set, the application ceased to prompt users for credentials, and instead simply looked for a set of pre-agreed-upon header values to determine the identity of the user.   Imagine if your provisioning workflows for employee and manager self-service came built into your HR product, and only a configuration page later, you could hook the interface into your provisioning system.   Imagine if all of the application-specific roles in all of your stack applications were consistent and complementary, both at the fine-grained application level and at the enterprise middleware level. That is the potential, if not the reality, of a stack offering.  Integral adherence to an identity vision, instead of bolted-on adherence.    Sigh, what a lovely thought.
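The imagined “trust the gateway session” property has one caveat a practitioner would want next to it: once an application stops prompting for credentials and reads identity from headers, it must be able to tell that those headers were set by the access gateway and not by whoever reached the application directly. The Python below is an added example, not code from this post or from any Oracle product. The header names, the gateway-signed HMAC over the identity value, the shared secret and the five-minute freshness window are all assumptions; real deployments might instead rely on network isolation or a signed token, but the check has the same shape.

```python
import hmac
import hashlib
from typing import Optional

# Hypothetical header names. The post only speaks of "pre-agreed-upon header
# values"; these names are assumptions for the example, not product names.
USER_HEADER = "X-Gateway-User"
TS_HEADER = "X-Gateway-Timestamp"
SIG_HEADER = "X-Gateway-Signature"


def _message(user: str, ts: str) -> bytes:
    # The exact byte string both sides sign; a separator prevents ambiguity.
    return f"{user}|{ts}".encode()


def gateway_sign(user: str, ts: int, secret: bytes) -> dict:
    """What the access gateway would add after it has authenticated the user:
    the identity header, a timestamp, and an HMAC binding the two together."""
    sig = hmac.new(secret, _message(user, str(ts)), hashlib.sha256).hexdigest()
    return {USER_HEADER: user, TS_HEADER: str(ts), SIG_HEADER: sig}


def resolve_identity(headers: dict, secret: bytes, now: int,
                     max_age: int = 300) -> Optional[str]:
    """Application side of the 'trust the gateway' switch.

    Returns the username only when all three headers are present, the
    timestamp is within max_age seconds of `now`, and the signature matches.
    Any other case returns None, and the application should fall back to
    its normal login rather than trusting the header.
    """
    user = headers.get(USER_HEADER)
    ts = headers.get(TS_HEADER)
    sig = headers.get(SIG_HEADER)
    if not (user and ts and sig):
        return None
    try:
        ts_int = int(ts)
    except ValueError:
        return None
    if abs(now - ts_int) > max_age:
        return None  # stale assertion; do not accept replayed headers
    expected = hmac.new(secret, _message(user, ts), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # signature does not match: header was not set by the gateway
    return user


if __name__ == "__main__":
    # Constructed demo values, not real keys or users.
    secret = b"constructed-shared-secret"
    good = gateway_sign("alice", 1000, secret)
    print(resolve_identity(good, secret, now=1100))                 # alice
    print(resolve_identity({USER_HEADER: "alice"}, secret, now=1100))  # None
```

The point of `hmac.compare_digest` is a constant-time comparison; the point of the timestamp is that a captured set of headers stops being useful after the window closes. Both are cheap to add when the “trust the gateway” property is first designed, and expensive to retrofit.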

I wouldn’t put money on it though.  Too bad.

You will need a PamelaWare update for Wordpress 2.6

Wednesday, July 23rd, 2008

You wouldn’t guess it from the announcement, but Wordpress 2.6 completely changes the cookies set when a user authenticates, and in the process breaks quite a few Wordpress Authentication Plugins, including Pamelaware for Wordpress.

I am fiddling with the fix now, but haven’t quite perfected the process;  I can set the new cookies, using the new cookie setting function, but somehow the cookies I set with the cookie setting function don’t look exactly the same as the cookies Wordpress sets when it executes the same function.

There have been a few non-plugin-related panics around the cookies as well – some admins are unable to get to their consoles.  Fixes range from clearing your browser cache and deleting cookies to adding an extra define statement in your wp-config.php file.

If you have already upgraded to Wordpress 2.6, you’ll need to disable the Pamelaware for Wordpress plugin until I can get this fix out — I hope this will be today.  If you haven’t upgraded to Wordpress 2.6, you may want to hold off, or at least to make sure you have time to deal with possible authentication issues like the ones that are cropping up in the forums.

The good news is that I now know that if you develop WordPress authentication plugins, you need to be subscribed to this guy’s blog if you don’t want to be caught by surprise with changes to authentication mechanisms in WordPress.

Update:  I have a working fix now — you can get it from the 0.9 release branch subversion tree, if you want to play.  I have not yet updated the tarball to reflect this change, as I haven’t tested it enough to be sure it won’t break under obscure circumstances.  Contact me if you want more detail prior to a tested release.

Catalyst Epiphany #2 – We’re a little lost.

Tuesday, July 15th, 2008

The track I spent almost all of my time at this year’s Catalyst conference was:  “Identity Management: Are we There Yet?”

I came out of that track convinced that we have lost touch with the actual question of why we are doing all this work in the first place.    Long before I attended Catalyst, I had become more and more worried about the way in which companies are being “assisted” in their work around Identity Management. It seems to be all about ‘getting’ the right product/services, and not about finding a solution that fills a need.

In my opinion, and you’re very welcome to disagree here, nobody “gets” Identity Management.  It is not a destination that you can arrive at.   It is more like a tour you can take, where you can have a different experience depending on how much time you have, how much money you are willing to spend, and what your particular preferences might be.  You might take a slightly different tour every year — but you never stop taking tours, because the experience you might have can always change and improve, because there is a never-ending variance in what you can see, and because the sights are not static – the world changes.

What has happened in Identity Management in the last two years is generally a great thing — niche solutions are evolving to respond to demand that is too specialized for the big Identity & Access frameworks to build in (product fields like Privilege Management and Adaptive Access Control are examples of this).  In addition, there has been a product response to the obvious need to have accurate and complete data on which to base Identity and Access Policy – examples of this include Role Management and Mining.   Ideally, the result of all this innovation should be that a patchwork of products is evolving to cover more of any given company’s needs out of the box.

In reality, however, I don’t see a patchwork of complementary products – I see a whole bunch of products with a whole bunch of overlap and no obvious or well-stated way for an Enterprise to figure out how to knit it all into an actual solution for their original problem.   Perhaps I’ve just not read the right documentation,  but I couldn’t tell you how or whether Privilege Management solutions integrate with provisioning solutions in order to have good combined audit reports.  I have no idea how an Entitlement Management solution might co-exist with an Access Management solution.   I see a fairly strong divide between “Corporate” workflow systems like Remedy and “Identity” workflow systems like those in Novell Identity Manager or Sun Identity Manager that I would like to see go away.

At Catalyst,  I learned a fair bit about each little type of Tinkertoy.  What I wanted was more of a sense of the different ways that different Enterprises might wish to assemble something useful from all the pieces.  Perhaps Burton has expanded their reference architecture to include these new niche product genres and they just didn’t present that architecture at Catalyst (or perhaps I missed it)?  If not, I hope that such a thing is on their slate in the near future; I think it would help a lot.

So here we are, a little bit lost, I think. Certainly not “There” – but I think the expectation that anyone ever gets “There” is false anyway.  In the process of deciding that we’re lost, I had to sit and think about what exactly Enterprises expect to accomplish in buying Identity product;  I’ve come up with my own definition, in as concise a form as I can think to make it;  I’ll post it shortly and see how it stands up to scrutiny.

Catalyst Epiphany #1

Thursday, July 3rd, 2008

I have an ugly confession to make.  I watched the rise of compliance as a business driver for Identity Management, and was pleased but not particularly interested in what it was that suddenly opened the budgetary gates for the projects I was part of.

When I thought of compliance, I would briefly consider how I was helping executives sign little pieces of paper that kept them out of hot water with the auditors, and then I would go back to thinking about organizational efficiency, process for the sake of bringing order to chaos.  It’s easy to say that compliance is important, without ever understanding why it is so.

That was before I saw Nick Leeson speak at this year’s Catalyst conference.

You can’t listen to Nick’s story without your jaw dropping.  Nick was the trader who caused the collapse of the Barings Merchant Bank in 1995.  He was able to do what he did, because he could control every single piece of information that might have led to his discovery.  His superiors didn’t understand the business, and therefore could only take Nick’s word for everything.  Same went for his auditors.   The resulting business failure was unimaginable.

Sitting in the room, listening with disbelief and amazement to this story, everything clicked for me.  Everything I do and recommend in the Enterprise Identity world is applicable to this one story.

There are two things that happen in a provisioning project that make a compliance difference I had never considered before:

  1. We create observability in systems beyond the control of the asset owner.
  2. We create referential integrity for systems such that account activity does not occur in a vacuum.

The goal is not necessarily to catch bad guys here.  The goal is to ensure that nobody can take an action and also hide that action.  When every account has to resolve to a real person in the Enterprise, and any account created that doesn’t do so shows up on an audit report without the system owner having any say in the matter – well that makes a difference.  When the reports and summaries that are generated happen out of the control of those who might wish to change the data within – it makes a difference.
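The “every account has to resolve to a real person” rule above, and the cloud deprovisioning worry in the “Pessimistic? Heck No!” post earlier on this page, come down to the same reconciliation: take each application’s account list, match it against the HR system of record, and report whatever does not map to an active person. The Python below is an added example, not code from the post or from any provisioning product. The HR feed, the account list, the `owner_id` attribute and the two status values are constructed for the example; a real feed would come from the HR product and the account lists from each system’s connector.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    employee_id: str
    status: str  # assumed values: "active" or "terminated"


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    owner_id: Optional[str]  # employee id the account claims to belong to, if any


# Constructed sample data, not taken from the post.
HR_FEED: List[Person] = [
    Person("E100", "active"),
    Person("E101", "terminated"),
    Person("E102", "active"),
]

ACCOUNTS: List[Account] = [
    Account("crm", "alice", "E100"),        # fine: active owner
    Account("crm", "bob", "E101"),          # owner has left: should be deprovisioned
    Account("mail", "svc-backup", None),    # nobody claims it
    Account("mail", "carol", "E102"),       # fine
    Account("crm", "dave", "E999"),         # claims an owner HR has never heard of
]

Finding = Tuple[str, str, str]  # (system, username, reason)


def reconcile(people: List[Person], accounts: List[Account]) -> List[Finding]:
    """Return the audit findings: every account that does not resolve to an
    active person in the HR feed, with the reason. The system owner is not
    consulted; the report is produced from the two data sets alone, which is
    the 'observability beyond the control of the asset owner' the post describes."""
    by_id: Dict[str, Person] = {p.employee_id: p for p in people}
    findings: List[Finding] = []
    for acct in accounts:
        owner = by_id.get(acct.owner_id) if acct.owner_id else None
        if owner is None:
            findings.append((acct.system, acct.username, "orphan: no matching person"))
        elif owner.status != "active":
            findings.append((acct.system, acct.username, "owner not active: deprovision"))
    return findings


def findings_by_system(findings: List[Finding]) -> Dict[str, int]:
    """Summary count per system, the number an executive sponsor would track
    from one audit cycle to the next."""
    counts: Dict[str, int] = {}
    for system, _, _ in findings:
        counts[system] = counts.get(system, 0) + 1
    return counts


if __name__ == "__main__":
    for system, user, reason in reconcile(HR_FEED, ACCOUNTS):
        print(f"{system:5} {user:12} {reason}")
    print(findings_by_system(reconcile(HR_FEED, ACCOUNTS)))
```

The two reasons are kept distinct on purpose: an account whose owner has been terminated is a deprovisioning lapse with a known responsible party, while an account with no owner at all (or a non-existent one) is exactly the kind of entry that needs a human to explain it, and the report exists so that the explanation is asked for rather than assumed.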

And when the executive sponsors of an Identity Management program are truly behind a project such as provisioning, and ensure that the project stays on target and that at the end,  the compliance targets match & reflect the BUSINESS (a feat that no IdM consultant can know for sure they have accomplished) — it makes a difference.

I’m not sure that I’ve expressed this well — but I can tell you that I will do my job differently from now on.  From now on, when I talk about compliance, I will not be thinking of making the lives of the CxOs easier and/or more worry-free.  I will be thinking about how I can make sure that if there is a cause to worry, it will cross the desk of the person who can recognize it and act on it.  It is a small difference, but a critical one.

Catalyst 2008 has left the building

Tuesday, July 1st, 2008

Ah Catalyst.   Catalyst is a force of nature.   All the right people are in the room – vendors, analysts, customers, and implementers.  It makes for some pretty intense, valuable conversations.

To me, this year was a year of revival – there were unmistakable signs of life after stack consolidation.  Walking through the hospitality suites, I saw new brands, new approaches, and new blood interspersed amongst the heavy hitters with long-standing investment.

Burton changed their format a bit, and for the most part I liked the changes.  Things seemed less frenetic, and somehow the length of the breaks seemed better suited to quality conversation.  Some of the visual changes made to slide formats need tweaking, I think — my preference would be for the images to have been more tightly matched to slide text, so that I could use the image to mentally seek to a given topic, but still see the bullet points in addition.

Of all the interesting things that I experienced at Catalyst, there were two findings that really stood out for me.  I will write about each of these separately, just to keep you all on your toes :)    The first involves a lot of questions, while the second was an answer I’d never thought to quest for in detail.

With that, I’ll wish you all a Happy Canada Day and sign off!