Thursday, April 29

Steve Jobs on Flash

A little off-topic for Identity Management, but once a year or so I post something just for amusement.

In Jobs' open letter on why Apple doesn't support Flash, he makes some valid points. Among them, he states:

We strongly believe that all standards pertaining to the web should be open. Rather than use Flash, Apple has adopted HTML5, CSS and JavaScript – all open standards.

HTML5, the new web standard that has been adopted by Apple, Google and many others, lets web developers create advanced graphics, typography, animations and transitions without relying on third party browser plug-ins (like Flash).
So, then, what's wrong with this picture?

Hint: click to enlarge and notice the message:
This website wants to run the following add-on: 'Quick-Time' from 'Apple, Inc.'


IAM in the Cloud - from Verizon and Novell

Interesting newcomer to the Identity in the Cloud space. I look forward to seeing a side-by-side comparison of these solutions. Clearly, when organizations are ready to have their identities managed outside of their own walls (even if just external accounts), there will be a number of options available. I see an opportunity for a few good independent consultants to really understand the intricacies of all these options so they can help customers wade through all the terminology and misconceptions. ...because I don't think it'll be easy.

Wednesday, April 28

TEC 2010: Optimal IdM

The third and final TEC 2010 vendor to participate in a video message is OptimalIdM who was at the conference demonstrating their Virtual Directory solution and its ability to simplify deployment of Sharepoint 2010.

TEC 2010: Symplified

This is the second in my TEC 2010 Vendor video series. In this video, Symplified describes their TEC 2010 experience and let's you know how to get 3-D glasses for their upcoming 3-D announcement.

TEC 2010: Imanami

While walking the floor at TEC 2010, I spoke to a few vendors who agreed to provide a quick video message. The first is Imanami who was demonstrating a pretty interesting solution for managing Active Directory group memberships.

Identity Enablement

I just got out of a session led by The Burton Group's Kevin Kampman who made the point that the Identity Management conversation is changing. It can no longer be about technology. It needs to be about business needs. Don't ask what is the tool? Ask what problem are you trying to solve?

During Q&A, somebody made the point that currently, Identity Management is often mandated by the security team who is implementing it as a way to enforce secure practices and restrict access where appropriate. The business owners may not always have the right to choose where they're comfortable with increased risk and where they're not. Valid point.

I think Kampman's point, though, is that in a larger sense, as the industry moves into the cloud and becomes further distributed, Identity tools will be more about enablement rather than restriction. Identity Enablement tools such as Federation solutions will enable conversations and transactions to take place that haven't been possible in past (and current) models. So, the conversation starts with a business team that is looking to expand its capabilities rather than with a technology team who might be focused on specific tool sets.

To me, it's a whole different mindset than traditional enterprise Identity Management. And therefore, it's an entirely different conversation (not just a re-focusing of the existing conversation.)

It will be an interesting decade for identity.

Tuesday, April 27

TEC 2010: A few more notes

The Experts Conference is living up to its name. The hallway and lunch conversations are extremely technical - the right approach to move an Exchange mailbox or how to best create a stored procedure that captures some set of information beyond what the native system will do.

A few of the folks I spoke with:

- The DOT NET Factory has a user management (provisioning) solution based on Active Directory. It provides full, highly extensible work flow with full audit trails of all changes. Some customers choose to shut down all access to Active Directory

- Dimension Data is perhaps the largest company you've never heard of. The more than 11,000 employees of this $4 Billion IT services firm serve the world's largest multi-national firms. Through tight partnerships with Microsoft, Cisco, Quest, and others, they're uniquely positioned to provide integration services between those companies' products throughout Africa, EMEA, and now North America as well.

- Optimal IdM and Radiant Logic both report that the experts in the crowd are starting to finally understand the value of virtual directories. A few years ago, the conversations around virtual directories were largely educational - What is it? and Why should I care? Now, the conversations have shifted to practical implementation ideas.

btw, I overheard an interesting customer story on OptimalIdM. An organization who already had licenses for a a well-known Virtual Directory (because it was included in a larger suite) chose to work with OptimalIdM's solution because it provided point-and-click simplicity for object joins whereas the other solution required significant Java and Python code to achieve the same task. It's a nice real-world David & Goliath story.

- Rackspace is here educating people on how to deploy Sharepoint and other applications in the cloud. As with most technology conferences these days, there's a lot of discussion here about the cloud. Rackspace is clearly positioned as a leading cloud service provider. I use Rackspace for personal home file storage through its JungleDisk, which is a very cool solution.

- I also had a conversation with a principal consultant at CSS Security who clearly had a firm understanding of FIM 2010 and how to implement. They're based in Cleveland but serve the entire U.S.

Monday, April 26

TEC 2010: Active Directory Family

The day one keynote speech this morning was presented by Microsoft's Conrad Bayer. One of the key take-aways from this morning's keynote for me for a consistent theme throughout the talk that Microsoft's Identity & Access solutions are now all part of the same product group. The Identity & Access group's solutions include Active Directory, ADFS federation, RMS rights management, FIM life cycle identity management, PKI/Certificates, identity synchronization, etc.

Bayer also talked about the future of these solutions and briefly discussed that ADFS could evolve to become an authorization server. Specifically, he talked about attributes and claims being the core components of authorization. The idea would be that ADFS could sit in between local and remote directory environments and provide answers to standards-based requests about claims. Bayer was asked later about the challenges around the idea that, for AD, groups are equivalent to roles, but other systems' roles require more than just group memberships. His answer pointed back to attributes and claims as being the way to meet those business requirements and seemed to say that applications would be where you would manage roles. The application would define and manage roles while leveraging the AD infrastructure to answer access-related questions via claims. He didn't say it (or even suggest it), but I wonder if this is a move toward a completely different paradigm than one based on roles. Perhaps roles will never be the right answer since what we've all seen is that in reality, people don't fit nicely into a pre-defined set of business roles.

Another thing that caught my ear was Bayer's point that Smartcards and Certificates are becoming more important as environments move to distributed and cloud-based solutions. Could it finally be the year of PKI? BTW - I see 'the year of PKI' as a modern-day proverb about something that it perpetually about to happen but never really does. Having said that, I'm a fan of PKI as a technology and can see that his point has some validity. The fact that a particular solution is in the cloud is not necessarily the problem. The bigger problem is that there are a variety of apps moving into the cloud each with different security models and underlying security mechanisms. PKI technology might help us figure out how to provide a manageable solution for that complexity.

At the end of the day, I think Microsoft made the right move by bringing these technologies together, but it sounds like it'll be a while before we see a truly unified, native/out-of-the-box set of identity features such as point and click federation, PKI, or rights management.

TEC 2010

I'm approaching noon of my first morning at The Experts Conference (TEC).

During introductions this morning, Gil Kirkpatrick, who founded the conference years ago while at NetPro (acquired by Quest), reiterated the conference commitment to provide training and support for industry experts in Active Directory, Exchange, and now Sharepoint as well.

Adding to that support and bringing it beyond the annual conference is The Experts Community. I'll try to get more on that, but the idea is obviously a community of knowledge sharing that goes beyond basic training into in-depth knowledge sharing for expert-level practitioners.

And the audience has already proven that they fit the description of experts challenging speakers and presenters in each session. This is NOT a conference where vendors could put up a marketing presentation and hope nobody notices some omission or flaw in the underlying technical approach.

As an example, someone stood up and asked Conrad Bayer (Microsoft's General Manager of Identity and Access) during his keynote about a slide he had put up during the presentation. The slide indicated that small businesses would be faster to adopt cloud solutions because they were less concerned with security and privacy. So, the question was important. Is that true? Does Microsoft believe that small businesses care less about security and privacy? And also - is Microsoft saying that cloud solutions are inherently less secure? Bayer clarified that small businesses are certainly concerned and that the slide content was probably referring to customer perceptions around security driving those decisions - and not actual security implications.

He also went on to confirm that Microsoft is working toward creating security symmetry between cloud and on-premise solutions to eliminate the concerns about security when moving solutions to a cloud model.

...more to come.

Thursday, April 8

Governance the next Era of Identity Management

Ben Goodman, in an Intelligent Workload Management article, notes that there's a coming paradigm shift in the world of compliance. He talks specifically about the new trend of turning to identity management solutions for help with compliance. We heard more about this trend from Dave Kearns in his discussion on SailPoint expanding its Access Governance solutions into the Identity Management space and Courion doing the inverse.

I spoke to an analyst recently who was hoping to see additional convergence between identity management, access governance, and compliance solutions. I think we can probably all agree that it would be nice. In my opinion, we're at least a few years out from that. Not because of technology, but because we need customer demand to drive it. And this is all so confusing, I don't think many organizations have come the Buddha-like realization of what an ideal identity and access state would look like for them.

Mr. Goodman can correct me, but I boil his point down to one easy statement:

Start with Security and compliance will follow.

I published a paper in late 2007 in which I discussed creating a Culture of Compliance leveraging frameworks for a Multi-Regulatory Approach (it's still on the NetVision site if you're interested). Essentially, I was making the same points as Goodman. Tech professionals get really wrapped around the axle on mapping specific controls to specific regulations. But, that's a recipe for unnecessary cost, effort, and frustration.

If you must do mapping, map to a single framework and then show how that framework meets the requirements in the numerous regulations you may be facing. But an even better approach is to look at each of your critical systems and:

a) Secure them to satisfaction
b) Enable auditing to prove that security is real

We've gotten a lot better at part A. Security assessors can poke holes, identify weaknesses, and provide best-practices to get an environment to a pretty secure state. But part B means both answering the big question who has access to what? and monitoring activity to ensure that a secure state is maintained. Even in secure, locked-down environments, someone has access to sensitive information. And that needs to be watched.

If you can quickly provide answers on part B, compliance should be easier, and less costly. Even without a 30 page spreadsheet showing mappings of each control to each section of every regulation.