She’s Geeky 2009

Hats off to Kaliya for organizing She’s Geeky this year – I wish I could be there.

I love the idea of showing up and just finding out what other women in technology are doing, it seems like such a positive experiment.  I hope you all have a great time!

TEC 2009

Thanks Axel for highlighting my TEC 2009 talk abstract — you’re much better at publicizing my upcoming speaking plans than I am, something I need to improve upon!

My plans for TEC 2009 are indeed to talk about a Survivalist’s Guide to Identity Management.  In my years working in this space, I can’t help but note that most of the things that companies pay me to unravel are things that a little foresight and planning could have rendered unimportant – often they come down to configuration decisions made arbitrarily in the absence of any guiding principle.  I believe that if you can introduce some simple discipline into IT practices early on in a company lifecycle, you can drastically reduce the complexity, and therefore the cost of automating your processes and applications when the time comes.  My goal is to document that discipline in very simple terms, and then to demonstrate how  a pragmatic IT department can go on to derive benefit from that discipline.

I can’t tell you how much I’m looking forward to this presentation – it is a topic very near and dear to my heart, and something I hope to enlarge upon whenever I can, for a long time to come.

Home from CSI 2008

I just got home from CSI 2008,  and I have to say, I’m incredibly impressed.  The more I speak at these things, the more I’m realizing that there are qualities in conferences that make or break the experience, and this conference has crystallized some of those qualities in my mind.

One of the qualities I saw at CSI that I now recognize as a critical factor is that there is a core expert community who are recurring, recognizable faces.  CSI reminded me of The Experts Conference (formerly DEC) in this area — both conferences have this group of friendly, accessible people who are around throughout the conference, speaking but also participating.   These are the people who can transform a group of complete strangers into a community that interacts and learns from each other. You need the big names that jet in, speak, and leave – but those big names are in some sense sterile – they have no community context or history, they have no understanding of what else might have been said – they speak in their own vacuum, and generally the message is a one-way broadcast.   The message may be valuable – but it often doesn’t build on previous conversations.

From a conference organization perspective, I think that the CSI setup was revolutionary.  Every morning, the entire conference assembled for a series of short keynotes which acted as introductions and advertisements for the themes of the day.   Once the keynotes ended, attendees could choose separately-titled individual talks, or they could attend one or more parts of a multiple-timeslot “summit” created around that day’s themes.   Within those summit sessions, speakers still gave presentations, however emphasis was not on slides, but on two-way conversations.  In the summit sessions I attended, all of the speakers were up-front for all of the conversations, so it ended up being a very interesting mix of slides, panel conversation, and audience input.  The keynotes at the beginning of the day gave the speakers a chance to pique the interest of attendees in a way that a conference agenda title just can’t accomplish, and given the theme of this conference,  “security reconsidered”,  it made perfect sense that the keynotes be constructed to interrupt the status quo.  I’d like to see this kind of interruption become the focus at more of the conferences I attend.

Thank you CSI,  for the invitation and for the experience, it was extremely positive!

DIDW 08 & the User-Centric Debate

This year’s Digital ID World was in Anaheim California, and ran from September 8-10.  I really enjoyed this conference — the feel for me wasn’t the usual sense of a “broadcast medium”,  it wasn’t so much a big show as a big conversation.  I know that attendance was lower than usual, and perhaps if you were an Identity implementer/manager looking to find peers in the same verticals, etc,  this might have been a problem – but with respect to access to the speakers,  and access to vendors,  you could not beat this conference.

Of course, given that I was a speaker myself I could be biased, but I thought that the agenda was comprehensive and well put together, and that each speaker taught me something that I hadn’t known before (thanks to Eric for giving me the opportunity to be part of it all).

On Tuesday I participated in a panel with Dale Olds, Denise Tayloe, Bob Blakley, and Paul Trevithick on Open Source Projects and their contribution to User-Centric Identity, and the conversation was lively, with lots of participation from the audience as well.

One of the debates we jumped into during the panel was around the term “user-centric”.   A central theme in Jamie Lewis’ keynote was that ‘centric’ in general is bad, but I can honestly say that I didn’t understand the justification for this opinion — the speech talked about moving away from “ours” and “theirs”… but what does that mean?   In the panel, Bob stated that he didn’t like user-centric because it personified the “male mafia” conflict model (hopefully I paraphrased that correctly), which confused me even further.   Did they think that by changing the names that somehow the essentials of the negotiations would change?

I accosted Bob after the panel to get to the bottom of it, and the point eventually came out to be that in his mind centrism is all about getting what you want at cost to everyone else.    His opinion of user-centrism is that it’s all about the user holding all the other parties hostage,  and that a model that strives for mutual benefit between all parties is a better thing to pursue. This could very well be the case,  but — holy cow some specifics might be useful here.  Who should be pursuing what at which level?  Protocol design?  Deployment design?   Product design?  I am left with only a vague idea that I am somehow doing something wrong but with no sense of what right might be.

Sure, there are a few blind worshippers of the cult of user-centric out there, but I firmly believe that common sense has to win out in deployment scenarios, and that various technologies should and will be used where applicable to solve problems.  I myself am perfectly aware that if information cards are a hammer, not everything out there is a nail – is that what Bob is worried about?  Either way, saying that centrism is bad does not help me to know what is good, and to be honest, it isn’t going to change how I put things together either.   If the intention is to change how I put things together, I will need a rationale.  If somebody wants to argue with the way I’m looking at this technology,  I am more than open to it, but I want a debate, not a smear campaign.

If, on the other hand, all this is about is finding a positive, all-encompassing touchy-feely name to give to the systems-formerly-known-as-user-centric so that it isn’t all about conflict, fine — pick a new name already.  I only ask that if you’re going to diss the current buzzword, can you please at least supply an alternative suggestion.  Otherwise we end up in limbo where nobody wants to use the old term, but nobody has a new term either, making us all look like indecisive idiots.

So let’s just decide, mmm’kay? If there is a conversation to be had, let’s have it so that we can move forward.  There is important work to be done that I’d like to see branded with a simple, clear message in the next little while.  Anything that stands in the way needs to be dealt with, and soon.

Unified messaging is becoming nearer and dearer to my heart as time goes on, as you’ll see when I get to my next blog entry, summarizing the talk I gave at DIDW:   The Plot to Kill Identity.

Home from DIDW ’08

I’m back from the good fun that was Digital ID World 2008.  I can’t wait to tell you all about it, but I require one more night of sleep before I can do it any justice.

I had planned (poorly) to come back yesterday, September 10th, and managed to not make it to my flight on time, resulting in a panicked rescheduling of my flight to be at 07:15 this morning:  September 11th. I was surprised at first that I was selected for a very thorough extra screening process until it occurred to me what day it was.  I am impressed that my actions didn’t escape notice.

I must admit that I like the idea of traveling on September 11th – it feels like a small little gesture, involving a certain finger and a certain genre of people whose ideology is antithetical to my own.

DIDW – Next Week!

ZOMG I’m waaay too excited about DIDW (the Digital ID World Conference) next week.  We’ve got an OSIS Interop and Matt has organized an Identity blogger meetup on Monday, and I’ve got what I hope to be a thought-provoking presentation set to go called “The Plot to Kill Identity” on Wednesday.    We’ve also got a booth for the ICF this year, and of course there is always the Ping Party,  and some great sessions and panels by folks I have the greatest respect for:   Jamie Lewis, Kim Cameron, Frank Villavicencio, Conor Cahill, Paul Madsen, Ashish Jain, Mark McClain, Dale Olds, Nik Nichols, Mary  Ruddy, Bob Blakley, Roger Sullivan, Craig Wittenberg…

And all of this is going to happen in the space of three days!

Ready to ROCK!


So!  If you are around Monday, please come and say hi during the Interop sessions, which are running from 11am to 3pm.  Admission is free, and I think we are putting on little mini-workshops during that time period too. I’ve heard a rumor that we’ll be putting on some user-centric introductions and information sessions every half-hour starting from 1pm. I’ll post more information when I have it.

In case you have trouble identifying me, just look for the ditzy blonde with the utter lack of ability to sit or stand still.  That would be me :)


Catalyst Epiphany #2 – We’re a little lost.

The track I spent almost all of my time in at this year’s Catalyst conference was “Identity Management: Are we There Yet?”

I came out of that track convinced that we have lost touch with the actual question of why we are doing all this work in the first place.    Long before I attended Catalyst, I had become more and more worried about the way in which companies are being “assisted” in their work around Identity Management. It seems to be all about ‘getting’ the right product/services, and not about finding a solution that fills a need.

In my opinion, and you’re very welcome to disagree here, nobody “gets” Identity Management.  It is not a destination that you can arrive at.   It is more like a tour you can take, where you can have a different experience depending on how much time you have, how much money you are willing to spend, and what your particular preferences might be.  You might take a slightly different tour every year — but you never stop taking tours, because the experience you might have can always change and improve, because there is a never-ending variance in what you can see, and because the sights are not static – the world changes.

What has happened in Identity Management in the last two years is generally a great thing — niche solutions are evolving to respond to demand that is too specialized for the big Identity & Access frameworks to build in (product fields like Privilege Management and Adaptive Access Control are examples of this).  In addition, there has been a product response to the obvious need to have accurate and complete data on which to base Identity and Access Policy – examples of this include Role Management and Mining.   Ideally, the result of all this innovation should be that a patchwork of products is evolving to cover more of any given company’s needs out of the box.

In reality, however, I don’t see a patchwork of complementary products – I see a whole bunch of products with a whole bunch of overlap and no obvious or well-stated way for an Enterprise to figure out how to knit it all into an actual solution for their original problem.   Perhaps I’ve just not read the right documentation, but I couldn’t tell you how or whether Privilege Management solutions integrate with provisioning solutions in order to have good combined audit reports.  I have no idea how an Entitlement Management solution might co-exist with an Access Management solution.   I see a fairly strong divide between “Corporate” workflow systems like Remedy and “Identity” workflow systems like those in Novell Identity Manager or Sun Identity Manager that I would like to see go away.

At Catalyst,  I learned a fair bit about each little type of Tinkertoy.  What I wanted was more of a sense of the different ways that different Enterprises might wish to assemble something useful from all the pieces.  Perhaps Burton has expanded their reference architecture to include these new niche product genres and they just didn’t present that architecture at Catalyst (or perhaps I missed it) ?  If not, I hope that such a thing is on their slate in the near future, I think it would help a lot.

So here we are, a little bit lost, I think. Certainly not “There” – but I think the expectation that anyone ever gets “There” is false anyway.  In the process of deciding that we’re lost, I had to sit and think about what exactly Enterprises expect to accomplish in buying Identity product;  I’ve come up with my own definition, in as concise a form as I can think to make it;  I’ll post it shortly and see how it stands up to scrutiny.

Catalyst Epiphany #1

I have an ugly confession to make.  I watched the rise of compliance as a business driver for Identity Management, and was pleased but not particularly interested in what it was that suddenly opened the budgetary gates for the projects I was part of.

When I thought of compliance, I would briefly consider how I was helping executives sign little pieces of paper that kept them out of hot water with the auditors, and then I would go back to thinking about organizational efficiency, process for the sake of bringing order to chaos.  It’s easy to say that compliance is important, without ever understanding why it is so.

This is before I saw Nick Leeson speak at this year’s Catalyst conference.

You can’t listen to Nick’s story without your jaw dropping.  Nick was the trader who caused the collapse of the Barings Merchant Bank in 1995.  He was able to do what he did, because he could control every single piece of information that might have led to his discovery.  His superiors didn’t understand the business, and therefore could only take Nick’s word for everything.  Same went for his auditors.   The resulting business failure was unimaginable.

Sitting in the room, listening with disbelief and amazement to this story, everything clicked for me.  Everything I do and recommend in the Enterprise Identity world is applicable to this one story.

There are two things that happen in a provisioning project that make a compliance difference I had never considered before:

  1. We create observability in systems beyond the control of the asset owner.
  2. We create referential integrity for systems such that account activity does not occur in a vacuum.

The goal is not necessarily to catch bad guys here.  The goal is to ensure that nobody can take an action and also hide that action.  When every account has to resolve to a real person in the Enterprise, and any account created that doesn’t do so shows up on an audit report without the system owner having any say in the matter – well that makes a difference.  When the reports and summaries that are generated happen out of the control of those who might wish to change the data within – it makes a difference.
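The reconciliation idea above can be sketched in a few lines. This is an added example, not code from the original post: the record layout, system names and sample data are constructed, and the report is computed from an account export compared against an authoritative people list, so the system owner has no say in what appears on it.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Person:
    employee_id: str
    active: bool            # still employed according to the authoritative source

@dataclass(frozen=True)
class Account:
    system: str
    login: str
    owner_id: Optional[str]  # link to a real person, if one was recorded
    enabled: bool

def reconcile(people, accounts):
    """Return sorted (system, login, reason) findings for the audit report."""
    by_id = {p.employee_id: p for p in people}
    findings = []
    for acct in accounts:
        if not acct.owner_id:
            reason = "no owner recorded"
        elif acct.owner_id not in by_id:
            reason = "owner not in authoritative source"
        elif acct.enabled and not by_id[acct.owner_id].active:
            reason = "owner inactive but account enabled"
        else:
            continue  # account resolves to a real, current person
        findings.append((acct.system, acct.login, reason))
    return sorted(findings)

# Constructed sample data (hypothetical systems and logins).
PEOPLE = [Person("E100", active=True), Person("E200", active=False)]
ACCOUNTS = [
    Account("ldap", "ana", "E100", enabled=True),
    Account("ldap", "ben", "E200", enabled=True),
    Account("ldap", "ben_old", "E200", enabled=False),
    Account("erp", "svc_batch", None, enabled=True),
    Account("erp", "tmp42", "E999", enabled=True),
]

if __name__ == "__main__":
    for system, login, reason in reconcile(PEOPLE, ACCOUNTS):
        print(f"{system:5} {login:10} {reason}")
```
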

And when the executive sponsors of an Identity Management program are truly behind a project such as provisioning, and ensure that the project stays on target and that at the end, the compliance targets match & reflect the BUSINESS (a feat that no IdM consultant can know for sure they have accomplished) — it makes a difference.

I’m not sure that I’ve expressed this well — but I can tell you that I will do my job differently from now on.  From now on, when I talk about compliance, I will not be thinking of making the lives of the CxO’s easier and/or more worry-free.  I will be thinking about how I can make sure that if there is a cause to worry, it will cross the desk of the person who can recognize it and act on it.  It is a small difference, but a critical one.

Catalyst 2008 has left the building

Ah Catalyst.   Catalyst is a force of nature.   All the right people are in the room – vendors, analysts, customers, and implementers.  It makes for some pretty intense, valuable conversations.

To me, this year was a year of revival – There were unmistakable signs of life after stack consolidation.  Walking through the hospitality suites, I saw new brands, new approaches, and new blood interspersed amongst the heavy hitters with long standing investment.

Burton changed their format a bit, and for the most part I liked the changes.  Things seemed less frenetic, and somehow the length of the breaks seemed better suited to quality conversation.  Some of the visual changes made to slide formats need tweaking, I think — My preference would be for the images to have been more tightly matched to slide text, so that I could use the image to mentally seek to a given topic, but still see the bullet points in addition.

Of all the interesting things that I experienced at Catalyst, there were two findings that really stood out for me.  I will write about each of these separately, just to keep you all on your toes :)    The first involves a lot of questions, while the second was an answer I’d never thought to quest for in detail.

With that, I’ll wish you all a Happy Canada Day and sign off!