<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/atom10full.xsl" type="text/xsl" media="screen"?><?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/itemcontent.css" type="text/css" media="screen"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:gr="http://www.google.com/schemas/reader/atom/" xmlns:media="http://search.yahoo.com/mrss/"><!--
Content-type: Preventing XSRF in IE.

--><generator uri="http://www.google.com/reader">Google Reader</generator><id>tag:google.com,2005:reader/user/13550493661681105514/state/com.google/broadcast</id><title>Paul's shared items in Google Reader</title><author><name>Paul</name></author><updated>2008-05-13T13:52:08Z</updated><link rel="self" href="http://feeds.feedburner.com/google/Tnuh" type="application/atom+xml" /><feedburner:emailServiceId xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">856304</feedburner:emailServiceId><feedburner:feedburnerHostname xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">http://www.feedburner.com</feedburner:feedburnerHostname><entry gr:crawl-timestamp-msec="1210686728180"><id gr:original-id="http://www.kartoen.be/wp/2008/05/13/that-time-of-the-year-2/">tag:google.com,2005:reader/item/58ffb76dbdfdcc04</id><category term="Cartoons" /><title type="html">That time of the year</title><published>2008-05-13T08:00:30Z</published><updated>2008-05-13T08:00:30Z</updated><link rel="alternate" href="http://www.kartoen.be/wp/2008/05/13/that-time-of-the-year-2/" type="text/html" /><content xml:base="http://www.kartoen.be/wp/2008/05/13/that-time-of-the-year-2/" xml:lang="en" type="html">&lt;p&gt; 	 &lt;img src="http://www.kartoen.be/cartoons/happysad/dirty.gif" alt="Dirty" title="Dirty"&gt;
&lt;/p&gt;</content><author><name>Jeroen</name></author><source gr:stream-id="feed/http://www.kartoen.be/wp/feed/atom/"><id>tag:google.com,2005:reader/feed/http://www.kartoen.be/wp/feed/atom/</id><title type="html">Kartoen.be</title><link rel="alternate" href="http://www.kartoen.be/wp" type="text/html" /></source></entry><entry gr:crawl-timestamp-msec="1184155629480"><id gr:original-id="tag:blogger.com,1999:blog-18160499.post-1250356844031246212">tag:google.com,2005:reader/item/7dc643cf8c7086a7</id><title type="html">Untold Perspectives on Identity Management</title><published>2007-07-07T14:30:00Z</published><updated>2007-07-07T14:21:25Z</updated><link rel="alternate" href="http://duckdown.blogspot.com/2007/07/untold-perspectives-on-identity.html" type="text/html" /><content xml:base="http://duckdown.blogspot.com/" type="html">Have you ever been curious as to why you haven't heard about any failures in the world of identity management?&lt;br&gt;&lt;br&gt;&lt;center&gt;&lt;img src="http://onclick.blogs.com/photos/uncategorized/who_are_you.gif"&gt;&lt;/center&gt;&lt;br&gt;&lt;br&gt;&lt;a href="http://idmbyibo.blogspot.com/2007/07/definition-of-identity-management.html"&gt;Identity Management&lt;/a&gt; is one of the most oversold technologies within large enterprises within recent history. The motivation for pursuing has been to realize a productivity increase in terms of the time spent provisioning and deprovisioning the user. 
Under the guise of automation and the combination that most enterprises are horrible in terms of deprovisioning users once a user leaves the company which now is a SoX control caused folks to think more about compliance and less about architecture.&lt;br&gt;&lt;br&gt;It seems as if identity management from the perspective of marketing (implementation is a different answer) because the grand exalted CIO Guru stands on his/her pedestal and pontificates to the masses that identity management is the greatest thing since sliced bread, will ease the burden of compliance and that all applications will expose their inner workings to the big brother tool while their other non-technical process-weenie friends in other enterprises have done the me tooo thing.&lt;br&gt;&lt;br&gt;These same CIOs who are indoctrinated into falling in love with &lt;u&gt;process&lt;/u&gt; have been savage in hiring large consulting firms which backed up the school bus and have created "strategies" which are no more than very expensive PowerPoint cartoons that enable buy-in to folks who haven't thought about why this approach may be hyper-inflated. It seems as if most of the enterprise architects are asleep at the wheel or practicing drunk driving in that they have allowed identity management to become a multiple year effort where pretty much everywhere else they have learned that long-term projects are doomed to mediocrity at best.&lt;br&gt;&lt;br&gt;Lori Rowland of the Burton Group is one of the few industry analysts that has had enough insight to talk about where identity management tools run out of steam and where other tools pick up. She has been pretty vocal in terms of talking about the need for identity management tools to integrate with &lt;a href="http://www.sarbanes-oxley-world.com/2007/05/securent-entitlement-management.html"&gt;entitlements management&lt;/a&gt; tools. I wish other industry analysts would figure out the same. 
&lt;br&gt;&lt;br&gt;Maybe this is an opportunity for me to give $100 to a worthy charity such as &lt;a href="http://duckdown.blogspot.com/www.one.org/"&gt;One.ORG&lt;/a&gt; who is attempting to end world poverty by asking &lt;a href="http://talk.bmc.com/blogs/blog-bohren/jeff-bohren/alas-poor-password-policy"&gt;Jeff Bohren&lt;/a&gt; of BMC, &lt;a href="http://blogs.oracle.com/talkingidentity/2007/07/06#a129"&gt;Nishant Kaushik&lt;/a&gt; of Oracle and &lt;a href="http://blogs.sun.com/wizidm/"&gt;Don Bowen&lt;/a&gt; of Sun to comment on where they believe identity management tools &lt;u&gt;should&lt;/u&gt; stop and where other tools should pick up?&lt;br&gt;&lt;br&gt;I have previously commented on the observation that &lt;a href="http://identityblog.burtongroup.com/"&gt;Gerry Gebel&lt;/a&gt; of The Burton Group seems to be the only one talking about the need for not only  &lt;a href="http://identityblog.burtongroup.com/bgidps/2007/06/time_for_an_xac.html"&gt;entitlements&lt;/a&gt; but interoperability between otherwise disparate software vendor offerings. It would seem like a missed opportunity if the identity management vendors didn't do the same thing in their world.&lt;br&gt;&lt;br&gt;There are a variety of standards at play including WS-Provisioning and SPML. Instead of each and every IDM vendor creating adapters, how come they can't instead advocate that each and every enterprise application instead expose their credential stores via SPML and they simply provision/deprovision via standards? 
Wouldn't it be interesting to see an IDM vendor interact with &lt;a href="http://www.pega.com/"&gt;Pega&lt;/a&gt; or &lt;a href="http://www.lombardisoftware.com/"&gt;Lombardi&lt;/a&gt; in the BPM space, &lt;a href="http://www.documentum.com/"&gt;Documentum&lt;/a&gt; or &lt;a href="http://www.alfresco.com/"&gt;Alfresco&lt;/a&gt; in the ECM space or even &lt;a href="http://www.salesforce.com/"&gt;Salesforce.com&lt;/a&gt; or &lt;a href="http://www.siebel.com/"&gt;Siebel&lt;/a&gt; in the CRM space?&lt;br&gt;&lt;br&gt;I would even think that Mike Jones, Kim Cameron, Johannes Ernst, Dick Hardt and others would also comment on the need for identity management products within the enterprise to create information cards and provide the functionality of a Security Token Service (STS)?&lt;br&gt;&lt;br&gt;The one frustrating thing that I have noticed when it comes to vendors and standards is when they use them in less than honest ways. I suspect you may have noticed many tools claiming support for LDAP v3? How about asking the vendor whether they support Microsoft Active Directory Application Mode (ADAM) and watch the answer change. You will notice that they will &lt;u&gt;hint&lt;/u&gt; that ADAM is not LDAP-compliant but can't articulate why it isn't. 
Taking this one step further I suspect that if you asked who is the certifying authority for LDAP compliance you will realize the game...&lt;br&gt;&lt;br&gt;&lt;center&gt;&lt;img src="http://www.whatsnextblog.com/archives/product_sucks.jpg"&gt;&lt;/center&gt;&lt;div&gt;Pray, Fast and Be Charitable...&lt;/div&gt;</content><author><name>James McGovern</name></author><source gr:stream-id="feed/http://duckdown.blogspot.com/atom.xml"><id>tag:google.com,2005:reader/feed/http://duckdown.blogspot.com/atom.xml</id><title type="html">Enterprise Architecture: From Incite comes Insight...</title><link rel="alternate" href="http://duckdown.blogspot.com/" type="text/html" /></source></entry><entry gr:crawl-timestamp-msec="1177315916251"><id gr:original-id="http://xkcd.com/c252.html">tag:google.com,2005:reader/item/6fc2f1ea1e5d66be</id><title type="html">Escalators</title><published>2007-04-23T07:00:00Z</published><updated>2007-04-23T07:00:00Z</updated><link rel="alternate" href="http://xkcd.com/c252.html" type="text/html" /><summary xml:base="http://xkcd.com/" type="html">&lt;img src="http://imgs.xkcd.com/comics/escalators.png" title="The one time I tried, I got hit by a slinky going down at double speed." 
alt="The one time I tried, I got hit by a slinky going down at double speed."&gt;</summary><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://xkcd.com/rss.xml"><id>tag:google.com,2005:reader/feed/http://xkcd.com/rss.xml</id><title type="html">xkcd.com</title><link rel="alternate" href="http://xkcd.com/" type="text/html" /></source></entry><entry gr:crawl-timestamp-msec="1175836564447"><id gr:original-id="http://www.lifehack.org/articles/lifehack/how-to-get-over-your-fear-of-public-speaking.html">tag:google.com,2005:reader/item/166ae49785fd2235</id><category term="Lifehack" /><category term="Communication" /><category term="communication" /><category term="fear" /><category term="public+speaking" /><title type="html">How to get over your fear of public speaking</title><published>2007-04-04T14:00:00Z</published><updated>2007-04-04T14:00:00Z</updated><link rel="alternate" href="http://feeds.feedburner.com/~r/LifeHack/~3/106585992/how-to-get-over-your-fear-of-public-speaking.html" type="text/html" /><content xml:base="http://www.lifehack.org/" type="html">&lt;div&gt;&lt;a href="http://farm1.static.flickr.com/43/101945177_7b685ab3e1_m.jpg"&gt;&lt;img src="http://farm1.static.flickr.com/43/101945177_7b685ab3e1_m.jpg"&gt;&lt;/a&gt;&lt;/div&gt;
&lt;p&gt;Does reading the title make you nervous/scared?  Got that sick feeling in your stomach?  &lt;b&gt;The number one fear in the world, ahead of even the fear of death, is the fear of public speaking.&lt;/b&gt;  Regardless of what some may say, the fear of public speaking is extremely common — even the most polished speakers have experienced a fear of public speaking, trust me!  Being able to get over your fear of public speaking can have huge payoffs in terms of your career.  Being able to speak effectively in public is a huge career draw and can almost instantly grab your boss’s attention.  Employers are continually looking for employees with excellent communication skills.  Think for a moment about someone you know in your workplace who is an excellent speaker. Is it your boss?  Your boss’s boss?  Your boss’s boss’s boss?  Don’t get me wrong, not all of your superiors are excellent speakers, but I’m willing to bet a good majority of them are.  Having excellent public speaking skills can give your career a jump start.  The following are several tips to help you get over your fear of public speaking and in turn, jump start your career.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;The introduction&lt;/b&gt;&lt;br&gt;
This article is going to be more than an “imagine the audience in their underwear” guide.   Although some of these tips you might consider commonsensical, they helped me get over my fear of public speaking and hopefully you can walk away with some actionable advice.&lt;/p&gt;
&lt;p&gt; &lt;a href="http://www.lifehack.org/articles/lifehack/how-to-get-over-your-fear-of-public-speaking.html#more-2866"&gt;(more…)&lt;/a&gt;&lt;/p&gt;
</content><author><name>KylePott</name></author><source gr:stream-id="feed/http://www.lifehack.org/feed/"><id>tag:google.com,2005:reader/feed/http://www.lifehack.org/feed/</id><title type="html">Stepcase Lifehack</title><link rel="alternate" href="http://www.lifehack.org" type="text/html" /></source></entry><entry gr:crawl-timestamp-msec="1172828352056"><id gr:original-id="http://xkcd.com/c230.html">tag:google.com,2005:reader/item/1083bf7c7549d938</id><title type="html">Hamiltonian</title><published>2007-03-02T08:00:00Z</published><updated>2007-03-02T08:00:00Z</updated><link rel="alternate" href="http://xkcd.com/c230.html" type="text/html" /><summary xml:base="http://xkcd.com/" type="html">&lt;img src="http://imgs.xkcd.com/comics/hamiltonian.png" title="The problem with perspective is that it&amp;#39;s bidirectional." 
alt="The problem with perspective is that it&amp;#39;s bidirectional."&gt;</summary><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://xkcd.com/rss.xml"><id>tag:google.com,2005:reader/feed/http://xkcd.com/rss.xml</id><title type="html">xkcd.com</title><link rel="alternate" href="http://xkcd.com/" type="text/html" /></source></entry><entry gr:crawl-timestamp-msec="1172792457091"><id gr:original-id="tag:blogs.iona.com,2007:/newcomer//3.466">tag:google.com,2005:reader/item/c421acfc66676a6f</id><category term="Software Standardization" scheme="http://www.sixapart.com/ns/types#category" /><category term="18" scheme="http://www.sixapart.com/ns/types#tag" label="enterprise" /><category term="157" scheme="http://www.sixapart.com/ns/types#tag" label="REST" /><category term="2" scheme="http://www.sixapart.com/ns/types#tag" label="SOA" /><category term="87" scheme="http://www.sixapart.com/ns/types#tag" label="W3C" /><category term="26" scheme="http://www.sixapart.com/ns/types#tag" label="web" /><category term="144" scheme="http://www.sixapart.com/ns/types#tag" label="web services" /><category term="173" scheme="http://www.sixapart.com/ns/types#tag" label="ws-*" /><title type="html">Web of Services Workshop Summary</title><published>2007-03-01T23:15:21Z</published><updated>2007-03-01T23:03:22Z</updated><link rel="alternate" href="http://blogs.iona.com/newcomer/archives/000466.html" type="text/html" /><content xml:base="http://blogs.iona.com/newcomer/" xml:lang="en" type="html">It's not often I get to go to something like &lt;a href="http://www.w3.org/2006/10/wos-ec-cfp.html"&gt;this&lt;/a&gt;, never mind the privilege of co-chairing it.

I think we had a really great discussion, and I certainly learned a lot.  From what others said, I think that was a pretty general impression.  And I think everyone really did maintain a spirit of cooperation and pitched in. 

We had a great mix of users, WS-* folks, and REST folks, with a couple of industry analysts thrown in, and experts on a variety of topics. 

I think in the end we came up with a few good ideas for improving software standards for the enterprise, and some good suggestions for how to better join the Web services (WS-*) and Web (REST) communities.

Of course, we have yet to see what will really happen.  But for the past two days we had everyone into the same room, and I would say each started to acknowledge the other's viewpoints.  I even heard &lt;a href="http://www.markbaker.ca/blog/"&gt;Mark Baker&lt;/a&gt; say he thought one of the WS-* companies was making pretty good progress ;-)

There's a lot to say, more than I can get to today.  There will also be a formal report, including any actionable items and recommendations.  (Also the &lt;a href="http://www.w3.org/2007/01/wos-ec-program.html"&gt;program&lt;/a&gt; now has all the presentations, in case you want to take a look.)

I'll start recording a few interesting thoughts, in no particular order.   I've also got a few photos that I'll upload. 

&lt;strong&gt;&lt;a href="http://en.wikipedia.org/wiki/Disruptive_technology"&gt;The innovator's dilemma&lt;/a&gt;&lt;/strong&gt;

Also known as why it's difficult to recognize the effects of a disruptive innovation such as the Web.

I remember in the early days, when we'd talk with customers about SOAP, they'd say "well, that's fine, but I can't use it until it has better security," or reliable delivery, or transactions, etc.

We had an example during the workshop, when one of the users said something like "I need a lot more capability in Web services before I can use it to replace WebSphere MQ."

I just think that's the wrong way to think about it, but it's very natural. Customers rely on these kinds of "enterprisey" features every day, and when thinking about adopting new technology they look for feature compatibility.

But I think the question isn't really "do Web services features offer equivalence with MQ" but "can I meet my application requirements using Web services"?

Yet we keep thinking about Web services in terms of the past, an evolution of the current solution, rather than as a completely new approach, an adaptation of middleware concepts to Web technologies.

The comment also was made a few times that it isn't the specs as much as how they've been implemented that creates the difficulties for Web developers, and the complexities for which WS-* gets criticized. 

&lt;strong&gt;&lt;a href="http://www.w3.org/DesignIssues/Architecture.html"&gt;Start with the Web&lt;/a&gt;&lt;/strong&gt;

If Web based businesses such as Yahoo, &lt;a href="http://www.addsimplicity.com.nyud.net:8080/downloads/eBaySDForum2006-11-29.pdf"&gt;eBay&lt;/a&gt;, Google, and Amazon.com can handle hundreds of millions of users and thousands of messages a second, petabytes of data, etc. and with good response time in a browser -- you know it can be done.

So for anything new, consider using Web based technologies, or at least consider following the architectural principles of the Web in your design.  

(Unless, of course, your business has absolutely nothing to do with the Web, and will never have to scale or change very much.  There are many reasons not to consider using Web technologies.  But I am thinking about the general case of a large, distributed enterprise application.)

Now however if you have a bunch of old systems - or if your IT environment was created before the Web, and (like many) is a mess of heterogeneous stuff, you are going to also need to tackle the problem of rationalizing or standardizing that.  Here an SOA using Web services is a great approach, and one that is growing in adoption.

If you want to join up your old stuff to the new stuff, Web services seem like the way to go.  

Yahoo was among the companies represented and they mentioned that they still like to create their own infrastructure - these "mega sites" use quite a bit of custom code - because they can't really buy what they need from the vendors.  

Not too long ago this was the case more generally.  I remember a lot of financial services organizations inventing their own middleware and TP monitors, because their requirements were farther advanced than the features of generalized products.  So this seems cyclical, a pattern that substantiates the disruptive concept.  

This was the reason I proposed a hybrid solution - use the Web for new applications, and adapt (or interface) existing applications using Web services.

This was the subject of some debate, and about two or three ideas were given on how to best accomplish this.

More later...</content><author><name>eric</name></author><source gr:stream-id="feed/http://blogs.iona.com/newcomer/atom.xml"><id>tag:google.com,2005:reader/feed/http://blogs.iona.com/newcomer/atom.xml</id><title type="html">Eric Newcomer&amp;#39;s Weblog</title><link rel="alternate" href="http://blogs.iona.com/newcomer/" type="text/html" /></source></entry><entry gr:crawl-timestamp-msec="1170502886018"><id gr:original-id="http://www.identityblog.com/?p=655">tag:google.com,2005:reader/item/941e94ef2df64deb</id><category term="Identity" /><category term="Laws of Identity" /><category term="Identity Metasystem" /><category term="Information Cards" /><category term="Cardspace" /><category term="OpenID" /><title type="html">Dmitry Shechtman’s Undevelopment Blog</title><published>2007-01-20T23:20:28Z</published><updated>2007-01-20T23:20:28Z</updated><link rel="alternate" href="http://www.identityblog.com/?p=655" type="text/html" /><content xml:base="http://www.identityblog.com/?p=655" xml:lang="en" type="html">&lt;p&gt;So much is happening in the identity discussion it’s hard to keep up with it.  Through the miracles of ping-back I came across &lt;a href="http://blog.phpbb.cc/"&gt;The Undevelopment Blog&lt;/a&gt; by Dmitry Shechtman, and &lt;a href="http://blog.phpbb.cc/2007/01/20/identity-manager-a-browser-based-solution-to-openid-phishing/"&gt;this posting&lt;/a&gt; on a new proposal called Identity Manager: &lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;It seems like the OpenID community is currently bothered with the following two questions:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;a title="Links: OpenID Phishing Heaven" href="http://www.links.org/?p=187"&gt;OpenID facilitates phishing&lt;/a&gt;. What can be done about this?&lt;/li&gt;
&lt;li&gt;&lt;a title="O&amp;#39;Reilly Radar: FireFox 3.0 Requirements Are Out" href="http://radar.oreilly.com/archives/2007/01/firefox_30_requ.html"&gt;FireFox 3.0 will have CardSpace and OpenID support&lt;/a&gt;. What does that mean?&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;I &lt;a title="External Authentication and OTP" href="http://blog.phpbb.cc/2007/01/12/external-authentication-and-otp/"&gt;addressed&lt;/a&gt; the OpenID &lt;strong&gt;phishing problem&lt;/strong&gt; even before it became wildly discussed. Unfortunately, the method wasn’t &lt;a title="External Authentication: Followup" href="http://blog.phpbb.cc/2007/01/13/external-authentication-followup/"&gt;foolproof&lt;/a&gt;, to say the least. &lt;a title="Simon Willison: Solving the OpenID phishing problem" href="http://simonwillison.net/2007/Jan/19/phishing/"&gt;Several&lt;/a&gt; &lt;a title="Hans Granqvist: OpenID and phishing" href="http://commented.org/blog/2007/1/19/openid-and-phishing.html"&gt;other&lt;/a&gt; suggestions have been brought up, but none seemed to solve the problem without making OpenID unusable.&lt;/p&gt;
&lt;p&gt;&lt;a title="Identity Blog" href="http://identityblog.com/"&gt;Kim Cameron&lt;/a&gt; of Microsoft has been &lt;a href="http://www.identityblog.com/?p=649"&gt;repeatedly&lt;/a&gt; &lt;a href="http://www.identityblog.com/?p=650"&gt;promising&lt;/a&gt; to elaborate on how &lt;strong&gt;CardSpace and OpenID&lt;/strong&gt; could converge. Although he has yet to keep his promise, we can make an educated guess. We recently saw the FireFox extension &lt;a title="FireFox Identity Selector" href="http://xmldap.org/"&gt;Identity Selector&lt;/a&gt; act as an in-browser &lt;a title="Combining CardSpace and OpenID" href="http://xmldap.blogspot.com/2006/12/combining-cardspace-and-openid.html"&gt;OpenID-to-InfoCard bridge&lt;/a&gt;. That is definitely something CardSpace folks would love to see as a standard browser feature, since it would effectively turn an OpenID into nothing more than a fairly insecure InfoCard.&lt;/p&gt;
&lt;p&gt;Of course, OpenID could simply &lt;a href="http://article.gmane.org/gmane.comp.web.openid.general/3823"&gt;dismiss&lt;/a&gt; CardSpace (I was trying to get into the average kool-aid drinker’s shoes). Or it could very well learn from it. The CardSpace &lt;strong&gt;UI&lt;/strong&gt; seems very intuitive:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;A &lt;em&gt;Sign In&lt;/em&gt; button on a website&lt;/li&gt;
&lt;li&gt;An identity selection dialog&lt;/li&gt;
&lt;li&gt;Seamless &lt;strong&gt;secure&lt;/strong&gt; login&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This is exactly what OpenID needs in order to become both widely used and insusceptible to phishing. And since CardSpace planned support is now a reality, why shouldn’t OpenID be integrated? This is no trivial requirement, but one that can be met with some additions to the browser logic.&lt;/p&gt;
&lt;p&gt;The combination of UI and business logic outlined in this proposal is dubbed &lt;strong&gt;Identity Manager&lt;/strong&gt;. The proposal uses informal language (&lt;em&gt;should&lt;/em&gt;, &lt;em&gt;must&lt;/em&gt;, &lt;em&gt;be&lt;/em&gt; and &lt;em&gt;do&lt;/em&gt; are used interchangeably); handle with care.&lt;/p&gt;
&lt;p&gt;Whenever a web page presents an OpenID sign in option, the OpenID field and the &lt;em&gt;Sign In &lt;/em&gt;button are replaced by a single &lt;em&gt;OpenID Sign In&lt;/em&gt; button. Moreover, separate &lt;em&gt;OpenID Sign In&lt;/em&gt; and &lt;em&gt;CardSpace Sign In&lt;/em&gt; buttons are replaced with a &lt;em&gt;Secure Sign In&lt;/em&gt; button.&lt;/p&gt;
&lt;p&gt;Once such a button is pushed, an Identity Manager window is presented with a list of the user’s identities — OpenIDs, InfoCards or both, depending on what the relying party accepts. The user must be able to decline; we treat this case as trivial. The user must be able to make a persistent selection (e.g. a checkbox with the text &lt;em&gt;Always use this ID for example.com&lt;/em&gt;).&lt;/p&gt;
&lt;p&gt;(&lt;a href="http://blog.phpbb.cc/2007/01/20/identity-manager-a-browser-based-solution-to-openid-phishing/"&gt;Dmitry’s piece continues here…&lt;/a&gt;)&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;I would never characterize OpenID as “nothing more than a fairly insecure infocard”. It is a system where the root of trust is defined to be &lt;strong&gt;control over the content at a URL&lt;/strong&gt;.  Folks, this is innovative.  I like it as what I call an “underlying identity system” that should live within the identity metasystem.  Given its theoretical starting point in terms of trust, &lt;em&gt;OpenID has the security characteristics, good and bad, of the Internet which it harnesses in the name of identity&lt;/em&gt;.  That makes it very exciting, especially for bottoms up use cases involving public persona.&lt;/p&gt;
&lt;p&gt;But “exciting” doesn’t mean “good for every purpose.”  OpenID won’t replace all other forms of digital identity!&lt;/p&gt;
&lt;p&gt;Is it necessary to explain further?&lt;/p&gt;
&lt;p&gt;I’m fine with blog comments being associated with my URL.  But I don’t want access to my bank account to be gated by nothing more than &lt;em&gt;the ability to set the header in what a system thinks is&lt;/em&gt; &lt;a href="http://www.identityblog.com/"&gt;http://www.identityblog.com&lt;/a&gt; (I’m thinking here about all the potential attacks on DNS as well as the ways in which third parties could gain unauthorized access to my page). &lt;/p&gt;
&lt;p&gt;My site is hosted by the good people at &lt;a href="http://www.textdrive.com/"&gt;http://www.textdrive.com&lt;/a&gt;.  As administrators of the shared systems there, they could certainly, for example, gain access to my pages. &lt;/p&gt;
&lt;p&gt;Are their employees bonded?  Do they practice strict separation of duties for access to web pages?  Do they have HR practices that will protect them from organized crime?  I don’t think so!  And if they did,  wouldn’t they turn into the world’s most bureaucratic mess as a web hosting service?  Their flexibility and personal touch is what makes them so good.  I like them just as they are, thank you very much.&lt;/p&gt;
&lt;p&gt;So it all comes back to the Laws of Identity.  There will be a pluralism of providers and technologies, optimal in different use cases.  And, as the potential phishing attacks demonstrate, there remains the requirement of giving users a consistent and controlled experience across these multiple systems.&lt;/p&gt;
&lt;p&gt;My conclusion?&lt;/p&gt;
&lt;p&gt;Combine CardSpace (insert your favorite replacement identity selector here) with OpenID and you have the best of both worlds.  You have the web-based identity system.  You have a consistent anti-phishing user experience.  And you have continuity between OpenID and other underlying systems in a metasystem.  Wouldn’t we all want this?&lt;/p&gt;
&lt;p&gt;As Dmitry reports, I have promised to share my own technical ideas about how to move forward but haven’t come through on my promise yet.  So I’m going to do that now.  One idea is very simple (and effective) - I’ll start with that.  The second is in many ways more interesting (at least to me) but I need to explain a bit more about managed cards before I get to it.&lt;/p&gt;
&lt;p&gt; 
&lt;/p&gt;</content><author><name>kim cameron</name></author><source gr:stream-id="feed/http://www.identityblog.com/?feed=atom"><id>tag:google.com,2005:reader/feed/http://www.identityblog.com/?feed=atom</id><title type="html">Kim Cameron&amp;#39;s Identity Weblog</title><link rel="alternate" href="http://www.identityblog.com/" type="text/html" /></source></entry><entry gr:crawl-timestamp-msec="1170502854760"><id gr:original-id="http://www.identityblog.com/?p=654">tag:google.com,2005:reader/item/1aafb1699d69200c</id><category term="Identity" /><category term="Laws of Identity" /><category term="Digital Identity" /><category term="Privacy" /><category term="Digital Rights" /><category term="Podcast" /><title type="html">Identity Crisis Podcast</title><published>2007-01-20T20:35:26Z</published><updated>2007-01-20T20:35:26Z</updated><link rel="alternate" href="http://www.identityblog.com/?p=654" type="text/html" /><content xml:base="http://www.identityblog.com/?p=654" xml:lang="en" type="html">&lt;p&gt;&lt;a href="http://www.amazon.com/gp/reader/1930865856/ref=sib_dp_pt/002-9640983-4935230#reader-link"&gt;&lt;img title="Identity Crisis" alt="Identity Crisis" src="http://www.identityblog.com/wp-content/images/2007/01/identity-crisis.jpg" align="right"&gt;&lt;/a&gt; If you haven’t read Jim Harper’s book, &lt;a href="http://www.amazon.com/gp/reader/1930865856/ref=sib_dp_pt/002-9640983-4935230#reader-link"&gt;Identity Crisis: How Identification Is Overused and Misunderstood&lt;/a&gt;, I urge you to do so as soon as you can.&lt;/p&gt;
&lt;p&gt;I was initially a bit skeptical about this book because - I hope my more politically inclined friends will forgive me - it was published by what I assume is a &lt;a href="http://www.cato.org"&gt;political “think tank”&lt;/a&gt;.  I worried it might reflect some kind of ideology, rather than being a dispassionate examination of reality.&lt;/p&gt;
&lt;p&gt;But in this case I was wrong, wrong, wrong. &lt;/p&gt;
&lt;p&gt;Jim Harper really understands identification.  And he is better than anyone at explaining what identification systems &lt;strong&gt;won’t do&lt;/strong&gt; for us - or our institutions. He carefully explains why many of the proposed uses of identification are &lt;strong&gt;irrational - &lt;/strong&gt;delivering results that are quite unrelated to what they are purported to do.  In my view, getting this message out is just as important as explaining what identity &lt;strong&gt;will do&lt;/strong&gt;.  In fact it is a prerequisite for the identity big-bang.  There are two sides to this equation and we need to understand them both.&lt;/p&gt;
&lt;p&gt;He directly takes on the myth that if only we knew what people’s identifiers were, “we would be safe”.  Metaphorically, he is asking what kind of plane we would rather fly in - one where the passengers’ identifiers have been checked against a database or one where they and their luggage have been screened for explosives and guns? &lt;/p&gt;
&lt;p&gt;I think he will convey to “lay people” why a so-called “blacklist” is one of the weakest forms of protection, showing that all you have to do is impersonate &lt;em&gt;anyone not on it&lt;/em&gt; to sneak through the cracks.&lt;/p&gt;
&lt;p&gt;The book is full of important discussions.  It has chapters like “Use identification less” and “Use authorization more.”  I have only one criticism of the book.  I would like to see us separate the notion of identity, on the one hand, and individual identification (or identifiers) on the other.  We need to return to the original meaning of identity: &lt;em&gt;the fact of being who or what a person or thing is.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;As a simple example, suppose I’m a service provider building a chat room for children, and want to limit participation to children who are between 12 and 15.  Let me contrast two ways of doing this. &lt;/p&gt;
&lt;p&gt;In the first, all the children are given an identifier.  To get into the room, they present their identifier and prove they are the person to whom that identifier was given.  Then the chatroom system does a lookup in some public system linking identifier and age to make the access control decision.&lt;/p&gt;
&lt;p&gt;In the second, the children are given a “digital claim” that they are of some age, and a way to prove they are the person to whom that “claim” was given.  The chatroom system just queries the claim to see if it meets its criteria.  There is no reference to any public or even private identifier.&lt;/p&gt;
&lt;p&gt;My point is that the first mechanism involves use of an identifier.  The second still involves identity - in the sense of &lt;em&gt;being what a person is - &lt;/em&gt;but the identification, so rightly put into question by Jim’s book, has been put into the trashcan where it belongs.&lt;/p&gt;
&lt;p&gt;The use of an identifier in our first example breaks the second &lt;a href="http://www.identityblog.com/?page_id=354"&gt;Law of Identity&lt;/a&gt; (Data Minimization - release no more data than necessary). It breaks the third Law too (Fewest Parties - since it discloses use of information to a central database unnecessary to the transaction).   Finally, it breaks the Fourth Law (using an omnidirectional identifier when none is required).&lt;/p&gt;
&lt;p&gt;The book was written before “claims-based thinking” began to gain mindshare, and so it’s missing as a category in Jim’s discussion of advanced identity technologies.  But we’ve talked extensively about these issues and we have concluded that we have no theoretical difference - in fact the alignment between his work and the Laws of Identity struck us both as remarkable given that we come at these issues from such different starting points. &lt;/p&gt;
&lt;p&gt;Jim’s book is wonderful reading.  It should help newcomers better understand the Laws of Identity.  And this week the &lt;a href="http://www.cato.org/event.php?eventid=3370"&gt;Cato Institute&lt;/a&gt; in Washington held an event at which Jim spoke, along with &lt;strong&gt;James Lewis,&lt;/strong&gt; Director and Senior Fellow, Technology and Public Policy Program Center for Strategic and International Studies; and &lt;strong&gt;Jay Stanley,&lt;/strong&gt; Public Education Director, Technology and Liberty Project American Civil Liberties Union.&lt;/p&gt;
&lt;p&gt;Download the podcast or watch the video &lt;a href="http://www.cato.org/event.php?eventid=3370"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt; 
&lt;/p&gt;</content><author><name>kim cameron</name></author><source gr:stream-id="feed/http://www.identityblog.com/?feed=atom"><id>tag:google.com,2005:reader/feed/http://www.identityblog.com/?feed=atom</id><title type="html">Kim Cameron&amp;#39;s Identity Weblog</title><link rel="alternate" href="http://www.identityblog.com/" type="text/html" /></source></entry></feed>
