Oracle Waveset

Acquisitions!  Can’t live with ’em, can’t wait until they stop holding up progress.   At least now we have new fodder for speculation.

What’s great about the Snoracle merger finalizing:  already I’ve seen more blogs from more people in “the know” who are reaching out than I can recall ever seeing from the Identity team at Oracle.   Nishant has always been the sole Oracle blogger in my acquaintance, but a few other voices are being heard – if you aren’t listening, you should be!  I am really excited about the idea that this merger could herald a cultural shift at Oracle towards more transparency.

The dust has settled on the initial announcements, and the big surprise is that OIM (previously Thor) has been chosen as the strategic provisioning product.  I can see all sorts of technical reasons why this might be the case – I imagine that the original Thor product had already been heavily retooled for integration into the fusion middleware suite.  Any other strategic considerations (size of existing customer base, ease of expansion, etc) really don’t have as much weight as those of us on the outside had been assigning for a simple reason:  the Waveset customer base is captive. There is no competitor right on the heels of either OIM or Waveset, no hungry beast to prey on dissatisfaction or fear around assimilation costs or adapter growth/expansion for Waveset.  As such, Oracle can play it cool by supporting Waveset long enough to appease nervous customers, cherrypick the functionality that is missing from OIM, and eventually find a migration path once the dust has settled.

So then, we have the following communities:  1) Existing OIM customers, who are relieved I’m sure. 2) Existing Waveset customers, who are probably unimpressed, but who will hopefully be well supported and given a migration path. 3) New customers, who are in the worst position, having had their choices narrowed. Will prospective customers keep asking for “Oracle Waveset” (the re-rebranded name of Sun Identity Manager)?  Or will memories fade fast?  There is a hole now – will another product fortuitously step in, for example Forefront Identity Manager 2009 2010?

I also wonder what kind of pressure SaaS will put on applications that traditionally are provisioning hard cases.  If you are an software vendor competing against SaaS services, and that SaaS service offers a provisioning API that allows for a 10-minute integration into an automated Enterprise infrastructure, wouldn’t you be worried? Will bricks & mortar software companies feel compelled to compete?   I hope and pray that this will be the case – and frankly I can’t figure out why on earth any software vendor would prefer to have a provisioning tool bypass its core logic and reach into the backend database to twiddle bits.

The access front is interesting, if not surprising.  Given that OpenSSO was opensourced, I don’t think anyone really felt it was likely to replace OAM, but in this case there is a migration path that sees customers stay with the pre-Oracle codebase and maintain the code themselves (I hear there are integrators out there already offering up a new neck to choke with respect to codebase management and support).  Oracle has said that there are a few things that they will adopt from OpenSSO, but I imagine that the opensourcyness of OpenSSO might be a barrier there, most engineers I know are loathe to mix license types in a product.

No matter what happens, at least it’s now able to happen openly.  As Green Day sings:  “every new beginning comes from some other beginning’s end“.  The world marches on, but I’ll always remember the long hours I spent in the Sparc 1 and Sparc 2 labs at university; on Sparc 5’s and 20’s at the beginning of my career; and the time spent on the ever-renamed directory that started at Netscape, went to iPlanet, then SunOne, then suffered from all sorts of horrible marketing mangling around “Java” and “Enterprise”.  The pre-marketing-mangled Sun brands will always make me smile; they were representative of a bright shiny world that I felt awed to be a part of.

Brace Yourself

I believe that what Apple releases next week will herald the end of broad adoption of general computing devices.   The introduction of their tablet will begin in earnest a trend towards tightly integrated, tightly controlled sealed-hardware computer devices that allow the majority of the population to accomplish the most popular computing tasks without doing anything more than visiting the app store.  Not as your “mobile” computing solution by the way — as your only computing solution.

Why wouldn’t the world move in this direction?  Why shouldn’t your computer be as easy to use as your smartphone? Why fiddle with drivers and desktops and operating systems if all you ever do is surf the web and send email to your grandchildren?  Even if you want more than the basics, why go through long and complicated application installs when you can just click a button?

This is the future, and those of us in industries like identity management had better stop and pause right now, because per-application passwords have no place in the world of the app store.  They are difficult to type on a touchscreen, and inconvenient in exactly the way that the new push-button paradigm seeks to overcome.   This could be the best thing — or the worst thing to happen to those of us working on protocols which replace password storage.

There is no doubt that passwords *will* be hidden from the user from now on.  In the same way that nobody types a telephone number into their phone anymore (they just use Contacts),  nobody will type a username or a password.  Heck, they won’t even type the URL of the service.  Details will be hidden, the pain taken away.  We have a small window in time to affect the way in which that happens, before users forget what it was like to have to figure out which user name went with which password and which site.

Don’t believe me?  If you have an iPhone, you should try PageOnce‘s Personal Assistant app.  I reviewed PageOnce ages ago:  it aggregates accounts of all kinds, giving a consolidated dashboard and allowing you to login without typing your password.  I panned the service: not only do you have to give your passwords away, but you have to go out of your way to pageonce for that very first account login – why do that when you can go directly to the website and log in?   On a general purpose computing device, the service has no use to me.  On the iPhone however?   Pure solid gold.  Clicking that little “Personal Assistant” icon is always easier than typing in a URL for the original website.  Not only do I never have to remember credentials, I am essentially given a menu of my accounts, and I’m one click away from transacting.

But, you say – it’s just mobile.   What really matters is the desktop.  I say you’re wrong.   I say that the ubiquity of the smartphone is coming to a desktop near you, courtesy of Apple Computers Inc.  I say that we had better *start* our strategy thinking about what happens when a user has an expectation that authentication should be no more complicated than making a phone call on a smartphone.

If we don’t make it that easy, somebody else will do it.  Of that you can rest assured.

OpenID Bound

I’m really happy to report that today I join the board of directors of the OpenID Foundation, representing Ping Identity.  This is a big decision for us! It reflects not only our strategic conclusion that OpenID is a critical part of the ecosystem that will evolve in this new decade, but also our tactical roadmap, driven by our customers and their use cases.

From a personal perspective, I am excited to be able to more closely work with all the smart folks that I’ve been rubbing shoulders with for years and years at IIW, and to literally have time allocated in my week to focus both on OpenID technology and community tasks.  I believe 2010 will see renewal and acceleration in both consumer identity and enterprise identity: having a small part in that growth will be fascinating.

Check out the Ping Identity Press Release here.

“Kick Me” for Cloud

Patrick just posted to the Ping CTO blog some of our combined thoughts about what a  terrible idea it is to synchronize Enterprise passwords to the cloud:  Grounding Enterprise Passwords.Kick Me, Please

The ctotalk blog post is much more detailed so make sure to read it, but let me sum up in somewhat stronger terms:  Giving away the shared secret that (for better or worse) is often the key to your internal windows domain and to anything linked into that domain is a really stupid idea.   It is the IT equivalent of putting a “Kick Me” sign on your organization’s back.   It means that no matter how stringent your own security regime is, you are only as secure as the weakest of the partners you synchronize to. Most partners are loyal and upstanding, employ good people and protect your passwords better than you do, but even then,  if/when you get hacked,  who are you going to point fingers at?

I believe Enterprises should be educating their employees NEVER to set or use an Enterprise password outside of the Enterprise.  I also believe that a cloud service is nuts to actually accept passwords synchronized from their customers.  Of course it goes without saying that the better choice is to eliminate external passwords altogether, but if you can’t do that, at least try to keep users from typing the same set of credentials into every web form that comes their way, while protecting your partners from even the implication that they might sell your password list.

New Gig!

I am so tardy in writing this, tsk tsk…

I am now officially a Senior Technical Architect at Ping Identity.   All of you who know the Ping folks know that this will be an exhilarating ride.  I work for Patrick Harding in the Office of the CTO, and I can honestly say that this is one crazy learning curve!

Ping Identity

For those of you who aren’t familiar with Ping Identity, they do Internet Identity Security – SSO and token transformation using SAML, WS-Trust, WS-Federation, and whatever else is necessary to get the job done.  They also do federated provisioning, which of course is one of my passions. It’s a fun time to join; the current interest (dare I say mania?) around cloud computing is starting to resolve into common-sense questions around potential risk to the Enterprise caused by mis-management of cloud resources – and at least in my mind, I see these questions changing the adoption patterns for technologies like SAML from a early adopters and massive organizations to everyone’s organizations.  I’m also very excited to see what the addition of consumer identity protocols like OpenID and oAuth will do to adoption patterns.

From the employment front, it has been fascinating to have insight into the inner workings of a product company – I have always been on the customer side before this, and the change in perception is fascinating.  I think it must change some of what I write here – but change is good, I think.   The biggest challenge will be finding the time to write —  keeping up with these Ping folks is hard work, they are aggressive and agile, and they are focused, holy cow are they focused.  Er, we are focused.  I am we!  Woohoo!!!

Ok.  Gotta run.  Life at Ping is a sprint, and I’m loving the adrenaline high :)

Axel’s Challenge

Axel says he’ll fetch you a beer at IIW if you can decrypt the token he has made publicly available on his blog: crypto doubters in the crowd,  this is your big chance!   As someone who was recently burned while copying and pasting encrypted tokens off of a web page and trying to decrypt, I would be careful of the white space though, I bet if you ask really nice he’d even send you a file version.Axel's Challenge

Canadian IAM Community

Are you a Canadian member of the identity or access management community?  In case you don’t know already, there are a number of new venues evolving to service this community, and I’m really excited to be a part of them!

  1. The CanadIAM Blog – this blog is dedicated to the Canadian take on Identity and Access  Management, thanks to the organizing efforts of Mike Waddingham over at Code Technology.  It’s just getting off the ground, but I think it will attract a very strong community — make sure you add it to your blog reader!
  2. The ICE Conference — this will be the very first Canadian tech conference that I’ve spoken at, I can’t wait to actually meet folks from my own backyard and compare notes and experiences!   The conference is in Edmonton on November 2-4, 2009 – the only sad thing is that it happens to conflict with the Internet Identity Workshop;  as a result I’ll have to split my time between the two rather than getting the full benefit of either, which is such a shame!IAM Canadian

It is great to see these kinds of resources evolving, and I think it speaks to the maturity and growth of I&AM practices in Canadian organizations.   I believe that the best way to be successful in many of these ventures is to share – and what better way than to do so than with a group of people who have strong common interests.

Photo credit: http://www.flickr.com/photos/michael40001/1828017204/

Rocky Mountain Bank should be more solid now

I’m tired of yelling and complaining about data breaches.  As a result, I think I’m going to change my tune.

Take, for example, Rocky Mountain Bank of Wyoming USA.  An employee of the bank emailed sensitive details about 1375 customers to the wrong Gmail user, and now the bank is suing Google to discover who this anonymous user is, in an attempt to try and figure out just who they managed to gift their data to, and whether their gift kept on giving.    In the meantime, the Gmail account of a completely innocent bystander has been deactivated by court order.

As I see it, Rocky Mountain Bank is in their own little hell right now – they are being widely ridiculed, they have initiated an expensive legal action that can only partially assuage their fear of exploitation by a third party, they have at least 1375 really pissed off customers, and they have incurred some amount of liability and/or responsibility to those customers should their data be criminally exploited in the future.

You can think of these guys as one more incompetent organization and call them names.  Or you can think of it as one more organization whose eyes have been opened to the cost and danger of playing fast and loose with customer privacy.  Perhaps we simply have to hit a tipping point where enough people are close enough to enough victims that our societal internal risk meter changes.  If you look at it that way, every breach can also be viewed as an education…  and I’m a big fan of education.

So congratulations Rocky Mountain Bank on having your eyes opened as a corporation, serving as an example for others, and personally educating 1375 otherwise clueless end users.  It is appreciated.

Sears == Slimy

I want to talk about the Sears Holding Company, and I have nothing nice to say.

They encouraged their own Sears and Kmart CUSTOMERS to download a piece of software that seriously compromised privacy, transmitting banking details, unrelated shopping card details, and online prescription orders back to the mothership.

To me, this is worse than an accidental breach.  This isn’t about ignorance or stupidity, but about willful intent to do harm.  A whole group of people inside this organization decided it was a good idea to write a piece of software that “monitored consumers’ online secure sessions – including sessions on third parties’ Web sites – and collected consumers’ personal information transmitted in those sessions, such as the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for Web-based e-mails” (from the FTC notice).   How could this project be designed, written, approved, and then evangelized without anyone raising the ethical issues?  How about the lack of respect shown to the very group of people whose privacy the Sears Holding group should have felt beholden to protect?  Worse, why *could* it be done? Oh yes, right.  We all use operating systems every day that have an egregious lack of granularity in access control.

There is little to do except spit in Sears’ general direction – so I do.   Ptooey.