Massive Step forward

As of very recently, I have had the pleasure of working on contract for Ping Identity – and I have been dying for today, because I can finally talk about what the combination of PingConnect and Google can accomplish.

Traditionally, the ability to integrate a disparate set of cloud applications for a userbase was predicated on the non-trivial task of first creating a Start of Authority.   As a bare minimum, you had to (a) create an authoritative user repository and (b) enable some kind of service to perform an initial authentication and leverage the resulting session to facilitate federation to various parts of the cloud.  After that, you still had to figure out who could consume what you had worked so hard to be able to establish.

Now, you can make Google your Start of Authority, and instantly get to a laundry list of 60 applications with PingConnect.  All without a Windows domain, a WAM server, or a federation server, and best of all, by utilizing an existing repository that is likely to be maintained regularly.  AND, there is actually useful stuff to get to.   This may not sound like a big deal to the companies who all have Windows domains anyway, but I believe that this could push back the need for a growing small business to get a Windows domain quite significantly.  To me, the start of authority problem was a massive barrier to adoption for federation, and that barrier has been obliterated, not just on the cost front but on the effort front too.  They say it takes a village?  Well now we actually have one worth hanging out in.

Interesting times.


In researching a few products for a client, I came across an e-book on Managing Linux & UNIX Servers by Dustin Puryear.  I managed to get access to a chapter without registering, and I liked what I saw so much that I had to have the whole book.

The thing that is remarkable about this book to me is that it is NOT a book about technology, commands, program execution or coding.  It is a book about what to get done and why.   There are so few of these kinds of books – the ones that assume that once you have a comprehensive plan for getting things done, finding out how is the easy part.  The books that get that the mapping works better from the top down than the bottom up: all the man pages in the world will not help you if you don’t have the context to know which of them you should be reading, and what the end result should be when you apply that knowledge.  It is the guidance that makes the difference.

I very badly want a book like this for information card Relying Parties, specifically the PKI functionality of an RP.   I have work to do on my RP:  right now I know I’m missing several critical checks to ensure integrity and non-repudiation for the messages I’m accepting and trusting.   But how do I know that I have covered all the bases?   I have this list of interoperability issues.  I have a set of API calls into security libraries like xmlseclib and openssl that could possibly solve my issues.    What I do not have is guidance.   I feel like I’m assembling an entertainment unit from IKEA, and I have detailed engineering information on every screw and every panel in the entire IKEA inventory:  thousands of weights, heights, screw thread pitches, you name it.  While I technically have access to everything I could possibly need to assemble my entertainment unit, it is left up to me to figure out which and how many of the inventory items I need, how they fit together, and in what order they must be assembled.

I suppose what I’m saying is we need to step above RTFM (Read the Fsking Manual) to KWFMTR (Know Which Fsking Manuals to Read).


Future Shenanigans

I’ve been listening and watching lately, and there are some interesting independent things happening that I expect could knit into a very entertaining next 3 quarters.  Something is telling me to swing away; so here goes.

Identity Management Tool Hiatus

The Sun/Oracle takeover has everyone aflutter over which tools will stay and which will go, and what the resulting stuff will look like.  I think the interesting thing is that no matter what happens, you can pretty well guarantee that while Oracle sorts out what to keep and what to shelve, both Oracle Identity Manager and Sun Identity Manager will come to a developmental standstill.   Coincidentally, this matches the Microsoft delay of release to manufacture of MIIS/ILM/FIM.

Navel Gazing

Even before the announcements above, all was very quiet on the home front for IdM.  It seems obvious to me that all the big stack vendors have scurried off into their war rooms and are frantically trying to figure out how to set up their stacks to transparently support the rollout of cloud offerings.  This means there is probably an architectural pause going on, as everyone tries to get from theoretical to concrete with their sanity and business plans intact.

Immediate Status Quo Interruption

Meanwhile, back in the real world, cloud mania is causing every Tom, Dick and Harry who runs a software shop to ask themselves whether they could offer their product as a service.  While the think tanks are pondering the cloud as a big fat integrated platform offering, a whole new generation of application vendors are simply putting their software online as services, any which way they can.

Short Cuts and Regretful Choices

The services out there now have not had the benefit of any kind of cloud philosophy.  Applications are offering the usual set of poor choices for access and user management, doing the bare minimum so that they can focus on their “core” service.  Lured by attractive cost and immediate gratification, Enterprises won’t see the risk, and won’t think to do two critical things: track beyond the departmental level what services are engaged, and set policies around minimum security requirements.

Stir it all together and…

So where do all these little tidbits take me when I connect the dots?    I see a big issue looming on the horizon: a proliferation of untracked administrative web interfaces on the open internet, protected by unencrypted and buggy login forms which are open for anyone to probe.  Even in cases where the login process itself is reasonable,  Enterprise assets are at the mercy of the quality of an admin password.   Ask Twitter, it’s a big problem.  Crack one admin password in a poorly-secured application, and you may gain instant access to many other better-secured services – unless of course you really believe administrators will use a different password for each of their multiple services.

With the advent of these kinds of issues, provisioning could transition from being a back-room necessity with minimal business impact and no real SLA requirements, to being an activity that incurs serious risk for the organization.  Enterprises will realize that they need to do one of two things: add an extra physical layer of security to each and every administration console, or pull those consoles off of the internet altogether, opting instead for an automated API call that can be locked down six ways from Sunday.  You had better believe that application vendors will go along for the ride; submitting to one of these choices is a lot better than having Enterprises simply abandon services and return to intranet solutions.

The big Identity players do not have the agility to respond properly to these kinds of pain points;  but the little guys do.  I think that a few small agile companies are going to swoop in and provide consolidation services for administration console interfaces in the cloud.   Others will create Identity Provider services and products that allow the Enterprise to distribute 2-factor authentication tokens for use at multiple sites on the internet.

Somebody is about to steal home.   Who will it be?   Come to my Glue Talk and we can debate in person…

TEC 2009

Thanks Axel for highlighting my TEC 2009 talk abstract — you’re much better at publicizing my upcoming speaking plans than I am, something I need to improve upon!

My plans for TEC 2009 are indeed to talk about a Survivalist’s Guide to Identity Management.  In my years working in this space, I can’t help but note that most of the things that companies pay me to unravel are things that a little foresight and planning could have rendered unimportant – often they come down to configuration decisions made arbitrarily in the absence of any guiding principle.  I believe that if you can introduce some simple discipline into IT practices early on in a company lifecycle, you can drastically reduce the complexity, and therefore the cost, of automating your processes and applications when the time comes.  My goal is to document that discipline in very simple terms, and then to demonstrate how a pragmatic IT department can go on to derive benefit from that discipline.

I can’t tell you how much I’m looking forward to this presentation – it is a topic very near and dear to my heart, and something I hope to enlarge upon whenever I can, for a long time to come.

Just got off the Schemas WG Call

I love working with smart people.  I went into the ICF schemas working group call with my set of cobbled-together proposals, and everybody seized on it and started breaking those ideas down into their separate pieces, using language with far more structure than my own words.

There were some excellent points made:

  • What are the expectations of the “Display Claim” versus the actual claim in providing human-readable claim values?  Is it reasonable (or even preferable) to define a claim value that is not human-readable and trust that the STS will be responsible for mapping that value to something useful?
  • Is it expected that the selector will do a metadata discovery on each and every claim passed?  I had never even thought of such a thing, so will have to learn more.

I will keep you up to date with the conversation, which is expected to continue on the working group mailing list this week.  The mailing group is:,  I believe anyone can read, but you have to be an ICF member to participate.   If you are keen to participate, let me know.

We MUST get this Right

During IIW, the ICF Schema Working Group proposed and approved its first standardized claim definition.  I’ve been following the workings of the schema group but not closely, and I was taken by surprise at the values defined as part of this precedent-setting claim element:

Claim Name:  age-18-or-over

Proposed Values:

  • 0
  • 1
  • 2

What?  Want to know what the values MEAN?  Sorry, you’ll have to look that up.  What you see above is what a Mother or Father will see when they view values passed between the Identity Provider they are trusting to make claims about their children’s age, and a website that may restrict content based on that value.

Do you see the problem?  Why on earth even have a selector if the standard claims we propose are not understandable by end users?  Why use a meaningless number?  To make it easier for the machines?  For the developers? That’s crazy!  Why don’t we make it easier for the people that are making selector-level security decisions on a daily basis?  These schema types have to be created so that whenever possible, the data passed is legible to those attempting to understand the context of identity data flowing around them.  Heck, if we created a vocabulary for content that could be distinctly identified and parsed by Selectors, we could even localize.

It’s taken me since IIW to really get my head around this – but I believe we need to set some very specific best practices around these schema elements, first and foremost being the primary design principle that these atomic elements should be designed for regular people, not for developers, and not for machines.

I’m going to do my best to argue this point today on the ICF working group call.   If you think this is important, whatever your stance on the issue might be, I urge you to join the Information Card Foundation and to make your voice heard.   Contact me if you aren’t sure what you need in order to join, I will put you in touch with the right people.

I think that best practices around the claims schema are THE MOST IMPORTANT thing happening right now.  It is worth taking the time to get this right.  We’ll only get one shot at it.

The public version of the claim catalog is here:

Can’t look this gift horse in the mouth

Today was an interesting day for the Identity geeks of the world.  A viral outbreak of concern broke out among Twitter users over a site called “Twitterank”.    Twitterank asks for your credentials and displays a number that supposedly measures your social viability in the twitterverse.

Once the word “phishing” became attached to the service, people became fascinated.  I have no idea of the order of it all – but several things happened:

  • A ridiculous number of people decided to try out the alleged phishing site.  Some of them even changed their password afterwards.
  • References were passed around to a site called “Twitterawesomeness” that appears to exist as a very pointed statement about how easy it is to phish a site like twitterank. The disclaimer states:

I’m in ur Twitterz, stealin ur credz!
It’s ok, 178 other people gave their passwords too!

  • The author of Twitterank came out with this statement:

I’m not out to steal ur twitterz. Frankly, I wish I didn’t have to ask for your account info, but Twitter doesn’t offer APIs using any other authentication mechanism (according to the docs). So blame them.

So let’s see then:

  1. twitterank is right.   The best way to protect the passwords of the users of your service is to provide alternatives to giving away your password.   Granting permission for another entity to see your data is something Twitter can securely enable – or ignore.  We know where they stand so far.
  2. twitterawesomeness is right too.  It doesn’t matter whether twitterank is crooked or honest.  Anyone who wishes to spend the 10 minutes to emulate twitterank’s main page can harvest passwords, if they can get people to click on a modified link.  Obviously not a difficult task – especially when people only see a “tinyurl” for most of the links they click.  Heck, just register “”.  People will come to you.
  3. To all you folks who changed your password — do you use that password anywhere else?  Cause if I were going to steal username/password combinations, it certainly wouldn’t be to read a twitter stream.  But I’m sure nobody would be crazy enough to use the same combo at twitter and at their bank…  what about the password you might have had when you tried the service a month ago?
  4. In fact – even if you don’t use that combination at your bank, I might be able to still get there. I would use the credentials to harvest your email address from twitter, and then try to login to that email account.    If I was lucky and got a hit, I could then start putting your email address into password recovery pages for all sorts of interesting places.  Once you have email, you have the keys to the kingdom.

Of course, I could also just phish your bank site.  Occam’s razor applies here.  Still, the point has been proven.


Of Trolls & TOSs

Electronic Arts has just backed into an interesting twist to the TOS story.   They are linking your online terms of service to the physical video games you buy — if you violate their online TOS, your right to run every video game linked to that account will be revoked.

This adds a massive lightning stroke of accountability into the affair, doesn’t it?   Suddenly, the forums aren’t just a “value-add”, they are also a potential “value-take-away”.   I have this picture in my head of Family Member A explaining to Family Members B and C how A lost his/her temper in the EA forums last night, and now the whole family has lost not only their access to their games, but possibly their game statistics & reputations too, depending on what EA does to enforce the ban and the subsequent serial number invalidation.    Ah, it all comes back to Identity mgmt and asset mgmt, doesn’t it?

I suppose you could consider this the Real-time Blackhole List approach to reputation & social networking.

Pessimistic? Heck No!

As lost as we might be right now, the future is very, very bright.    One of the biggest forcing functions that I see on the horizon is cloud computing.    It’s one thing to have a whole bunch of internally controlled silos that don’t talk to each other — but imagine all those silos spread across the internet.

Cloud computing is a practice that carries high risk without disciplined Identity Management.  Enterprises have traditionally had the luxury of laziness when it comes to application integration because removal of physical and network access can compensate for late or non-existent deprovisioning of internal accounts.  There is no corporate perimeter to save you with cloud computing. Automated Enterprise control of at least web access or account status is the only way to mitigate the risk for customers of any size – and this is a great thing, because it means that practically every customer of a cloud service has an identical worry.  When the vast majority of the client base has an issue, that issue gets vendor attention.

In addition, it is obvious that a huge number of SMALLER Enterprises are going to subscribe to cloud services.  More than anything, I’d like to see resources in place such that at the time a smaller company makes that jump, they can find and follow a few cookbook Identity practices that most Enterprises don’t think to care about until they have severe pain.   If we can help smaller companies to institute solid, integrated Identity practices BEFORE they buy big HR products and massive internal help desk systems and complicated document management software, maybe we can ease the pain before it ever starts, rather than having to apply band-aids after the fact.   Preventative medicine is so much cheaper for all, isn’t it? Perhaps when faced with the choice of adopting an easy-to-integrate cloud service or an impossible-to-integrate in-house software product, companies will choose easy-to-integrate.  If that happens, suddenly those big, lumbering software vendors might get a clue that they cannot operate in a vacuum, and that ease of integration matters.

Case in point: the company I work for, Nulli Secundus.  We recently abandoned our Sun Messaging Server installation for a cloud service.  One of the biggest complaints about Sun Messaging Server was its complete and utter inability to facilitate integration of the web client into our SSO infrastructure – not being able to integrate is pretty embarrassing for a company that specializes in Web Access Management.  With the cloud service, SAML support is already there, waiting for us.   The decision was a no-brainer, the cloud service made it unbelievably easy to switch.   I imagine a lot of small companies are doing the same thing. Once we get SAML integration working for this first service, integration of following SAML-enabled services will be effortless – application sales & marketing teams with any kind of intelligence should see that this waiting and available infrastructure is great sales leverage.  These are the trends that turn into tipping points enacting massive change – we just need to seize the opportunity and provide guidance & pressure in order to maximize the benefit while things are forming and flexible.

So – our current state doesn’t keep me up at night.  Not when we have all of this opportunity in front of us…

Catalyst Epiphany #2 – We’re a little lost.

The track in which I spent almost all of my time at this year’s Catalyst conference was:  “Identity Management: Are we There Yet?”

I came out of that track convinced that we have lost touch with the actual question of why we are doing all this work in the first place.    Since long before I attended Catalyst, I have become more and more worried about the way in which companies are being “assisted” in their work around Identity Management. It seems to be all about ‘getting’ the right product/services, and not about finding a solution that fills a need.

In my opinion, and you’re very welcome to disagree here, nobody “gets” Identity Management.  It is not a destination that you can arrive at.   It is more like a tour you can take, where you can have a different experience depending on how much time you have, how much money you are willing to spend, and what your particular preferences might be.  You might take a slightly different tour every year — but you never stop taking tours, because the experience you might have can always change and improve, because there is a never-ending variance in what you can see, and because the sights are not static – the world changes.

What has happened in Identity Management in the last two years is generally a great thing — niche solutions are evolving to respond to demand that is too specialized for the big Identity & Access frameworks to build in (product fields like Privilege Management and Adaptive Access Control are examples of this).  In addition, there has been a product response to the obvious need to have accurate and complete data on which to base Identity and Access Policy upon – examples of this include Role Management and Mining.   Ideally, the result of all this innovation should be that a patchwork of products are evolving to cover more of any given company’s needs out of the box.

In reality, however, I don’t see a patchwork of complementary products – I see a whole bunch of products with a whole bunch of overlap and no obvious or well-stated way for an Enterprise to figure out how to knit it all into an actual solution for their original problem.   Perhaps I’ve just not read the right documentation, but I couldn’t tell you how or whether Privilege Management solutions integrate with provisioning solutions in order to produce good combined audit reports.  I have no idea how an Entitlement Management solution might co-exist with an Access Management solution.   I see a fairly strong divide between “Corporate” workflow systems like Remedy and “Identity” workflow systems like those in Novell Identity Manager or Sun Identity Manager that I would like to see go away.

At Catalyst, I learned a fair bit about each little type of Tinkertoy.  What I wanted was more of a sense of the different ways that different Enterprises might wish to assemble something useful from all the pieces.  Perhaps Burton has expanded their reference architecture to include these new niche product genres and they just didn’t present that architecture at Catalyst (or perhaps I missed it)?  If not, I hope that such a thing is on their slate in the near future; I think it would help a lot.

So here we are, a little bit lost, I think. Certainly not “There” – but I think the expectation that anyone ever gets “There” is false anyway.  In the process of deciding that we’re lost, I had to sit and think about what exactly Enterprises expect to accomplish in buying Identity products; I’ve come up with my own definition, in as concise a form as I can think to make it; I’ll post it shortly and see how it stands up to scrutiny.