Future Shenanigans

May 4th, 2009  / Author: Pamela

I’ve been listening and watching lately, and there are some interesting independent things happening that I expect could knit into a very entertaining next 3 quarters.  Something is telling me to swing away;  so here goes.

Identity Management Tool Hiatus

The Sun/Oracle takeover has everyone aflutter over which tools will stay and which will go, and what the resulting stuff will look like.  I think the interesting thing is that no matter what happens, you can pretty well guarantee that while Oracle sorts out what to keep and what to shelve, both Oracle Identity Manager and Sun Identity Manager will come to a developmental standstill.   Coincidentally, this matches the Microsoft delay of release to manufacture of MIIS/ILM/FIM.

Navel Gazing

Even before the announcements above, all was very quiet on the home front for IdM.  It seems obvious to me that all the big stack vendors have scurried off into their war rooms and are frantically trying to figure out how to set up their stacks to transparently support the rollout of cloud offerings.  This means there is probably an architectural pause going on, as everyone tries to get from theoretical to concrete with their sanity and business plans intact.

Immediate Status Quo Interruption

Meanwhile back in the real world, cloud mania is causing every Tom Dick and Harry who runs a software shop to ask themselves whether they could offer their product as a service.  While the think tanks are pondering the cloud as a big fat integrated platform offering,  a whole new generation of application vendors are simply putting their software online as services, any which way they can.

Short Cuts and Regretful Choices

The services out there now have not had the benefit of any kind of cloud philosophy.  Applications are offering the usual set of poor choices for access and user management, doing the bare minimum so that they can focus on their “core” service.  Lured by attractive cost and immediate gratification,  Enterprises won’t see the risk, and won’t think to do two critical things: track beyond the departmental level what services are engaged, and set policies around minimum security requirements.

Stir it all together and…

So where do all these little tidbits take me when I connect the dots?    I see a big issue looming on the horizon: a proliferation of untracked administrative web interfaces on the open internet, protected by unencrypted and buggy login forms which are open for anyone to probe.  Even in cases where the login process itself is reasonable,  Enterprise assets are at the mercy of the quality of an admin password.   Ask Twitter, it’s a big problem.  Crack one admin password in a poorly-secured application, and you may gain instant access to many other better-secured services – unless of course you really believe administrators will use a different password for each of their multiple services.

With the advent of these kinds of issues,  provisioning could transition from being a back-room necessity with minimal business impact and no real SLA requirements, to being an activity that incurs serious risk for the organization.  Enterprises will realize that they need to do one of two things: add an extra physical layer of security to each and every administration console, or pull those consoles off of the internet altogether, opting instead for an automated API call that can be locked down six ways from Sunday.  You better believe that application vendors will go along for the ride; submitting to one of these choices is a lot better than having Enterprises simply abandon services and return back to intranet solutions.

The big Identity players do not have the agility to respond properly to these kinds of pain points;  but the little guys do.  I think that a few small agile companies are going to swoop in and provide consolidation services for administration console interfaces in the cloud.   Others will create Identity Provider services and products that allow the Enterprise to distribute 2-factor authentication tokens for use at multiple sites on the internet.

Somebody is about to steal home.   Who will it be?   Come to my Glue Talk and we can debate in person…

Mr. Alex Kirschner Speaks

April 27th, 2009  / Author: Pamela

Thank you for responding to my blog post Alex!  I believe that you have missed the point of my rant — but you have given me a little insight into your goals and attitude.

You do not need to take my advice that your registration form is poorly written and your PFO letter extremely confusing. You can also gloss over my question as to whether Identity Management is even on your team’s radar as a valid subsection of Information Security.  If all you want is massive quantities of copy going into your registration processes with an expectation of massive quantity of copy coming out the other end,  you can stick with your mathematical formulas, page ranks, and technorati rankings.

If however, you grok the idea that sometimes,  one person talking to 100 people can mean more than a broadcast blogger talking to hundreds of thousands, maybe you’ll understand why I think your formulas are wrong.   In my mind, bloggers are not just about publicity.  They are about starting and continuing conversations,  of all sizes and all impacts, with insights unique to their community.   If  you want to properly use bloggers in your conferences,  you can’t look for the cost centers.  You need to look for the hearts.

At least, that’s my belief.  I’m sure you won’t take my word for it; perhaps you’ll find someone who matches your strict journalistic standards who thinks so too.

Thanks,

Pamela

Alex’s comment is printed below, dear readers, so you can see what I’m replying to.

Pamela,

I’m Alex Kirschner and I wanted to respond to your post about RSA Conference. In registering the 300+ media that attend RSA Conference over the years, we have put a standard process in place that encompasses bloggers, traditional media journalists and industry analysts. Anyone receiving a press pass must be able to demonstrate that they are being read by an audience invested in information security. Because we are making a significant dollar investment in each press person who attends, we are committed to reviewing each request with equal scrutiny to ensure those receiving a pass meet our strict journalistic standards.

Therefore, bloggers that are registered as press must meet the same criteria as traditional media. If an IDG publication is responsible for several stories a day while attending RSA Conference, we expect our bloggers to have the capacity and editorial focus to do the same or similar. As a blogger, the direct link you provide the press registration team will in fact be reviewed for its information security content and frequency of posting. We also use additional information, such as Technorati ratings, number of hits/page views and comment history to verify the credibility of the blog.

In reviewing your blog, we did not see enough posts regarding information security, a high enough number of comments, track backs or page views that would have qualified you for a press pass.

Please let me know if you have any further questions regarding our registration process.

Thanks,
Alex

Forgot Something

April 27th, 2009  / Author: Pamela

Thanks for your analysis of my blog post on RSA, James – I have the greatest respect for all of the things you do in this community, and for your work with OWASP!

That being said, in this case I’m going to have to go right ahead and quote Marge Gundersen on you:  I’m not sure I agree with you a hundred percent on your police work, there, Lou.

Everything you said in your analysis was correct.  Yes, conference pass revenues are tiny next to vendor booth revenues.   Yes, the conference makes the same amount of money regardless of whether the sessions are brilliant or they show the same rerun of the Muppet Show in every room.

It is absolutely true that fiscally speaking the conferences are all about the vendors and the movers and shakers.  Except that the only thing that can ATTRACT the vendors and the movers and shakers is the plentiful plankton in this economy: the attendees.

Most attendees don’t get to expense airfare to San Francisco just to walk the expo floor.  They aren’t chosen from their department to attend parties.  They don’t know the phone numbers of all the “right people” to text them and get them to meet at the Thirsty Bear for a drink.

The attendees are the ones that care whether they can go home to their managers and say that they professionally benefitted from the week.  They are the ones whose interest convinces the vendor to spend money on a booth next year.   They are the ones who have the problems that all of us really want to help to solve.  And when they can’t find solutions to their problems at RSA,  they will simply stay home next year, and the entire value proposition will collapse.

Until I read your piece, James, it hadn’t occurred to me what price I paid for staying off the conference floor – I did not meet any attendees.   What a price to pay, but what a price for RSA too.  Perhaps not in an immediate, punch in the wallet way,  but instead,  in a slow, painfully diseased way.   When the plankton are gone, the whales move on.  So I strongly suggest that the best way to keep the plankton around is to value the quality of the sessions, find ways to keep people who are engaged in the quality of the content inside the building, and to do whatever it takes to ensure that even someone who did not walk the expo floor or go to a single party can still take a positive story home to their bosses.

RSA 2009 – aka “Dear Mr. Kirschner”

April 26th, 2009  / Author: Pamela

Dear Mr. Alex Kirschner:

Every time I attend an RSA conference (or any other conference for that matter) I write up an analysis of the conference,  mentioning what I liked and did not like, what I found effective, what I found inspirational, what events were exciting in the Identity community, and what learnings I took away from the experience.

You won’t like the learnings I took away this time.

I didn’t purchase a conference pass — frankly, I couldn’t, I have just started a new business, and the fiscal reality involved in that activity forced me to be thrifty.  I thought that perhaps,  I could bridge this gap in my ability to be a paying member by applying for a blogger pass – after all, I have been blogging for a long time, and while I’m not exactly engadget-prolific, I think that my contribution is enough that the idea wouldn’t make anyone in the Identity community laugh out loud.

Let me be blunt: Your press registration workflow is a DISGRACE.  You should be ashamed.  You provided a single input box asking me to link to my most recent piece of writing, and then forced me to click on a radio button identifying me as a blogger (one of six generic types).  Within the text associated with that radio button, you informed me that I needed to have posted a minimum of 2 security articles a week for the last 3 months.

First of all, somebody ought to pull you aside and point out that not every track you offer is about security anymore.   Second, if you ask ANY BLOGGER to provide a single link to the most recent thing they have written, they will send you to the front page of their blog.  What else would they do?

As such, I was pretty surprised to receive the email I did (shown at the end of this post in its entirety).  My favorite part was the part that said:

PLEASE NOTE: You have been asked to provide a direct link to your latest written article or report. The press team will not search a Website for your article and publication home pages will not be accepted.

So.  Let’s get this straight, shall we? You have rejected my blog URL  without ever visiting it, but expect me to produce a single URL which will allow you to determine that I have written 2 blog posts a week for the last 3 months. About security only.  Without searching the website.

Right.  How could I have presumed to inconvenience the team so? Obviously I was barking up an empty tree.  I registered for an expo pass and shrugged it off.

Here is the part that you really won’t like however, and it is the true reason I’m writing this.  Obviously you have the right to choose who you waive fees for at this conference.  Being on the outside, however, taught me that while the tracks were inside, the PEOPLE weren’t always, and that in fact by ditching any illusory pretension to education, taking advantage of the Concordia workshop for which entrance only required an expo pass, walking the expo floor, and attending the parties,  I didn’t miss the expensive & time-consuming sessions.

I hope I don’t have to go into much further detail to have you guess just how dangerous my conclusions are for your organization.  I am usually the most avid attendee at these things, asking a lot of questions and generally participating enthusiastically (ask anyone).  I have to say that the chances of that happening in the future at this conference have lessened dramatically.  I’m sure this doesn’t have you crying in your cheerios at the thought of the loss;  but I suggest you examine the trend it represents;  it is why you want the movers and the shakers *inside* the conference hall, not outside, as often as possible.

Yours ever so sincerely,

Pamela Dingle

ps:  be sure to check out the continuing saga

PFO Letter

The Modern Equivalent of Wearing Clean Underwear

April 12th, 2009  / Author: Pamela

Have you ever heard this adage?

“Always wear clean underwear in case you get in an accident”

It’s good advice, really.  The goal is to have a little foresight, and plan in advance such that you can retain your dignity in the case of an unforeseen event.  It used to be that the worst indignity that your Mom could imagine was having the doctors and nurses see you in dirty holey underwear, but what is the bare minimum in dignity preservation today?

I realized what the modern equivalent was while watching the news.  Somebody had been killed in my hometown, and the news program gravely displayed a picture of a smiling, happy face captioned with the following words:  “Image courtesy Facebook”.

In the case where your ‘accident’ is notorious enough to be newsworthy, but not so notorious that the Facebook admins immediately take down your account, your easily searchable social media photostream is likely to supply the images that everyone will associate with whatever it is that you’ve done (or ceased to do) forever more.  As such, I think that it is time for Moms everywhere to update their adage:

“Always keep one clean photo on Facebook in case you get in an accident”

After all, do you really want the last image of you to be shown or surfed on this planet to be that one time when you were really drunk and your buddy took pictures of you with beer coming out of your nose as you tried to drink from that stupid beer bong?  Or worse, your photo album was empty, but somebody else took a group photo and tagged all the names (including you), and it turned out you were “scratching” your nose just when the picture was taken?  Imagine that group photo on the news, with everyone else greyed out, and your nose-pick in bas-relief.

Of course, you could also say that the original advice is more true than ever;  perhaps the two could be combined to say that you should always wear clean underwear in case you get a picture put onto facebook that gets shown if you have an accident. Laugh if you want, but take a look at your photo album and ask yourself which facebook photo of yours would you want shown in the case of your untimely demise?  If there isn’t one, perhaps you need to show a little foresight, just like your Mama would want.

Now I can wrap up TEC 2009

April 10th, 2009  / Author: Pamela

You’ve already heard my thoughts on the value proposition for conferences like TEC 2009 – but I didn’t get into details of the conference itself.  Each of the tracks had a different feel – Directory Services was very mature, with most people in the audience having up close and personal experience with some form of the technology.   Federated Identity consisted of more forward-looking content,  and therefore the relationship between the audience was more theoretically founded.  The ILM track was by far the most complex audience-presenter relationship.  Some folks were diehard MIIS-era folks with already existing deployments.  Others were new to the technology and looking to learn prior to the release of ILM2.

When the news broke that ILM2 was no longer expected to go live in 2009 there was a lot of disappointment, but I think that the backlash was much more muted at TEC than it would have been had the news come out at any other time, because the attendees couldn’t help but see that the most disappointed of anyone was the ILM team themselves; at the same time you could also see that in spite of their eagerness to RTM the product, they felt it was the right thing to do to hold off.  Everybody was wearing their personal investment on their sleeve – the program team, the vendors whose dependent release dates were affected, and the customers who had rollout dreams for 2009.  The ecosystem can’t be any more rawly exposed than this – yet the spirit of learning in the sessions stayed positive.

I did a session called the “Survivalist’s Guide to Identity Management”, which went really well I think – there was a lot of spirited discussion at the end, which is always my metric for whether the topic was interesting.   I think this was my most popular slide:

[Slide: Top 5]

Can you guess what #1 was?   Ah, but that is the topic of another post :)

I think the best session that I attended was put on by Patrick Harding from Ping Identity.  His presentation was an excellent big picture summary of federation as seen through the perspective of the different players – what the trends are, and also which trends had big red flags associated from various perspectives.  His big picture encompassed federated provisioning too – something I believe that more people need to start paying attention to, and fast.  For a first time TEC presenter, I think he definitely fell right into the spirit of TEC – digging to the heart of the overall problem with the belief that truth begets loyalty 100%  more reliably than marketing schlock.

Lastly, I can’t finish a TEC wrap-up without talking about the Wook Lee Pro/Am Memorial Challenge – last year was a visual challenge – this year, the challenge was auditory.  We chose to accept the challenge from Stuart Kwan to communicate the attendees’ top 10 feature requests for the next version of the federated identity suite – through the medium of an Elvis song.

Two days and a few alcoholic beverages later, we were ready – and the Quest multimedia gurus were there to make sure we could never ever live this down.  Just remember – these are all highly respected members of the tech community – make fun of us too much and your implementations might mysteriously develop problems :)  We had a blast putting this together, and we hope you all enjoy this in the same spirit as we did.

Adios, SGI

April 1st, 2009  / Author: Pamela

I have great memories of SGI.  With their purchase today by Rackable, the company may be gone, but my fondness will always remain.  I worked for Silicon Graphics while earning my computer science degree, slinging demo boxes and configuring memory & graphics boards for the Systems Engineers.  When I got there, I was as green as it gets;  I will never forget the time I put a non-functioning $50,000 graphics board into a machine and everybody told me it was going to come out of my pay — they had me going, I was sweating bullets :) .

The environment at the time was electric – people were having a fantastic time selling and supporting a brilliant product.  Times were good, and although I was around to see things begin to slide, I’ll never forget what it was like to be part of that team of people at the height of success.

My only real physical memento from that time is a screwdriver or two from the SGI graphics board upgrade kits.   That silly little screwdriver makes me smile anytime I have the occasion to put it to use.

So Adios SGI.  You were a shining star at a time of my life when such things could make lifelong impressions.

TEC and the Targeted Conference Value Proposition

March 26th, 2009  / Author: Pamela

I’m in the airport, exhausted after another fun-filled Experts conference.  TEC (The Experts Conference), formerly known as DEC (The Directory Experts Conference) is put on by Quest, focusing on Microsoft & Microsoft partner technologies for directory, email (new this year), identity and access.

I have a lot of positive things to say about the conference, the content, the people, and most importantly the shenanigans that we all got into (and yes, there is video), but before that, I’ve been thinking a lot about a conversation some of us had at lunch one day.  The topic came up of what it is that this conference delivers, compared to say a Tech-Ed.  My first reaction was to laugh – after all, the difference is so stark, that (as somebody else at the table said) you would have to be an IDIOT not to see the value proposition for TEC over Tech-Ed.  Still, in these economic times, travel budgets are shrinking, and travel cost must be strictly justified by return on investment, so I thought I would try to come up with my thoughts and reasoning on the exact value that conferences like TEC give over the Mega Monster conferences.

When you go to an OpenWorld, or a Tech-Ed, or an RSA, you can only be the recipient of a generic experience.   You assemble out of the dark swirls of a multitude of swarming faceless people to see a given session.  You may participate in a question and answer period.  After that however,  everybody files out of the room and disappears back into the faceless swirl.  You may have friends at the conference;  you may even meet new friends there.    Chances are, however, that the entire population of any given session are not going to file out of the room at the end and immediately all head to the bar to have a pint and debate the merits or disadvantages of that particular session.

Contrast this with TEC.  At TEC, you are riding elevators with people who are doing the same things you are doing.  You are eating lunch with them.  You see them over and over again in various sessions.  Every conversation you overhear is about something that matters to you.   You begin to recognize faces,  enough so that if you see somebody later that was at an earlier session, you can ask their opinion on it.   Small talk with strangers isn’t about the weather.  It’s talking about who you work for, and what kind of deployments you have under your belt, and what your horror stories are.

The vendor floor at a big conference is a disaster too.  You walk past aisle after aisle of things that won’t help you do your job.  Maybe you find the vendors you are familiar with, should you walk far enough – but how likely is it that you are going to differentiate between a vendor you are unfamiliar with because they don’t apply and a vendor you should be familiar with?  Maybe you’ll see a key word that brings you in.  If you happen to walk down that aisle.

At TEC, the vendor area is right beside the session rooms, not on a separate floor of the building, a hike away.  People are in that room frequently, even if they aren’t looking to buy anything.   It’s easy to fall into a conversation with a vendor, because they are in a welcoming environment with snacks and beanbags; there isn’t a sense of ‘us and them’ like the one you get when you’re in a massive conference hall, looking down endless rows of fluorescently lit, identically shaped sales boxes complete with flocks of marketing folks in identical shirts.  Additionally, many vendors at TEC have a long-standing relationship with the conference.  This means that the faces of the vendors at TEC are often as well-known to attendees as those of the speakers.   I don’t know any sales psychology, but I think that there is an obvious improved ability to speak with potential customers.

Then there are the speakers.  A lot of the speakers at TEC are polished and experienced,  but sprinkled in there are a number of technically astute speakers with little public speaking experience.   It sounds risky, doesn’t it?  After all, these kinds of speakers would never be accepted at the big monster conferences.  The reason TEC can safely find new talent and put that talent into the lineup is because they attend their own conference year after year.  They find the outspoken folks and encourage them to propose talks for the next year, and they *remember* who has potential and give them a chance.  They can only do this because they take the time to truly know their attendees.  I was just such a person;  for 5 years I had hopefully submitted proposals to speak at tech conferences, and I had been rejected, year after year.  By taking a chance on me, and on others in this community, TEC acts to diversify the speaking pool, something that is sorely needed;  something the big “play it safe” conferences refuse to do.

Last, let’s consider the two primary vendors involved,  Quest and Microsoft.  This was the first meeting between attendees and most of the Quest employees that weren’t part of the NetPro acquisition; as such they are newbies in this community – but I think everyone’s first impression of Quest as the conference host was extremely positive, and I have to imagine that the opportunity to expose all these people to their product must be a huge win for them.

For Microsoft – well they just win win win.   When MS sends their program teams to TechEd, the developers satisfy their mandated customer-facing activities, then go back to hanging out with each other.  At TEC, enough of the attendees are familiar faces that the urge to ‘stick with people you know’ ends up being a large and diverse group.  As a result, the program team appears to be and actually are much more accessible, meaning that people who are too shy to speak up right after their session feel comfortable enough to maybe share information and experience later, at a hospitality suite or in the hallway.  Is that a rare thing?  Oh yeah. The chance of running into the lead developer for the feature you’re desperate to give input on at Tech-Ed is slim to nil. The chance of it happening at TEC is pretty darn close to 100%.  TEC puts the teams into the soup with the very people who have the most to say to them, but without the confrontational setting of a client meeting; they get to hear and respond to questions, comments, kudos, etc – in a way that can never happen at a big conference.   The product team gets to talk to administrators of different sizes, in different verticals, not just the customers that account managers deem to be “worth it”.  They get to talk to partners and Integrators. They get to hear horror stories and success stories, and they get to hear suggestions about product that may never make it to an official list, but that can give the developer a sense about their product as a whole.  I believe the process of putting the product team together with customers in an environment like TEC humanizes everything — customers see the human beings behind the features (and sometimes the bugs) and the product team not only gets appreciation for what they have done, but hope and excitement for what they are doing now.   Perhaps the greatest benefit, however, is in the overall goodwill that this conference wins for the Microsoft Federated Identity group.  
MS attendance at TechEd is expected.  Coming to TEC is a labor of love, and we can all see it.  It is the world’s most effective and sincere marketing campaign.

And the thing that ties this all together is the community:  The MVPs, whose onsite knowledge and product expertise help to bridge the vendor-customer gap;  The passionate advocates on the client side who really want the products to be awesome; The speakers, who are a great mix of all of the above.  And of course the rubber chicken and the Wook Lee Challenge and the legend of Joe and Dean, and all the other things that bring a sense of humor, and a thread of history to the whole mix.

Leap of Faith

March 22nd, 2009  / Author: Pamela

It is official!

Friday was my last day as a Nulli Secundus employee.  After 7 great years, I am ready to strike out on my own!

I’ve created a company called Bonsai Identity, so named because I very strongly believe that the most successful way to manage identities is not to neglect them until the pain is acute and then try to hack them back into some semblance of order, but instead to pay attention along the way, and to make enlightened choices that shape the future of the organization in a positive way.

I am extremely fired up about the future, but before I wax poetic about all the things I can’t wait to do,  I want to say thanks to all of my coworkers at Nulli, and most of all to Derek and Barb, the owners.   I found my passion at Nulli, and was nurtured and encouraged to develop that passion at every step.   If I wasn’t absolutely sure that we will continue to cooperate and collaborate, I believe I would be heartbroken right now, but as it is, I feel ecstatic;  I am changing direction, but I am blessed to do so knowing that I have incredible mentorship and friendship nearby.

Thank you for seven great years of brilliant work with and for brilliant people.

Context – and why the dinosaurs should be scared.

March 10th, 2009  / Author: Pamela

My husband recently flew to Las Vegas to see a Nascar race.  On arriving at the airport, he entered a scene of mayhem.  The airline, Air Canada, had overbooked the flight by something like 25%.   Desk agents were begging for people to take a later flight, but everybody wanted a seat on that plane.

Obviously, the Air Canada statistical models had predicted that on your average flight from my hometown to Las Vegas at the end of February, there would be x% cancellations, y% no-show, and z% late arrivals that could be shunted to later flights.  What the Air Canada statistical model did not anticipate, was that 160,000 people had purchased tickets to a Nascar race, and had to be in Vegas in the next 48 hours;  when you pay that kind of money for that kind of event, you don’t cancel.  You don’t miss your flight.  You show up, ticket in hand, having been promised a ride to go see the pretty cars.

What are the chances that similar scenes played out in other airports across Canada that day?  Pretty good, I bet.  I imagine that most of the people who flew to Vegas to see Nascar via Air Canada were put into a pretty foul mood, even the ones who eventually got on the original plane.   A dollar sum could probably be calculated as to the losses in both revenue and goodwill that Air Canada experienced as a result of their inability to accurately predict the number of people who could be promised a ticket.

I won’t give you a song and dance about how a flexible identity situation could have fixed this problem – because the truth is, you have to have a flexible company first.  There just aren’t too many of those out there.   Still, success is more and more a function of information.  You can’t just gather information, you have to distribute and process it too, and do so in a timely fashion.  What if you were to ask people at registration time whether they were attending an event?  Suddenly, you would have the information necessary to change your statistical model  – assuming you could take that information from your reservation system and mash it up with a calendar of known large events.  What if someone or something was given the capability to arrive at the conclusion that an event of this size would affect attendance percentages for a certain range of dates with respect to flights to the event location?

Pipe dream right?  Current companies are just not equipped.  But new companies will be.  Future competitors will have less legacy baggage, and a digital native’s understanding of the value of treating every internal system like the fodder for the worlds best corporate mashup.   If they can build the flexibility in from the start — just think of how far they can go.  And just think how tough it will be for the dinosaurs to compete.