
Exploring the science and magic of Identity and Access Management
Friday, June 12, 2026

Guitars and Identity Management

Identity
Author: Mark Dixon
Friday, September 30, 2005
5:09 pm

It has been said that a guitar is easy to play and hard to play well.

Implementing Identity Management systems is something like that. It is relatively
easy to give a great demonstration but much harder to configure and deploy a
production system. Why? Identity Management systems have many moving parts
that must work in harmony: many identities, many managed systems, many data
sources and repositories, and many applications that require both access and
protection.

Enterprises that implement such systems have many stakeholders, often with
conflicting interests and motivations. For example, the marketing department
is motivated to make it as easy as possible for millions of customers to do
business with the enterprise, while the security department wants to make sure
that no bad guys get in.

Just like coaxing beautiful and intricate melodies and harmonies out of a guitar
requires the expert touch of a master’s hand, getting all the moving parts of
an Identity Management system working in harmony with all the stakeholders in
an enterprise can require the skill and experience of a master implementor.
And what does that require? Much like the guitarist: knowledge, passion, skill,
practice, dedication and motivation.

It’s not easy, but the results can be extraordinary.


All the world is crazy except for me and thee

General
Author: Mark Dixon
Tuesday, September 27, 2005
2:50 am

A favorite old saying goes, "All the world is crazy except for me and
thee, and I’ve been wondering about thee lately."

That saying kept coming to mind as I followed the lead of SuperPat and took the OK Cupid Politics Test.
An interesting diversion, I suppose, but I refuse to grant much credibility to a
ranking system that says John Kerry is centrist and positions me somewhere around
his left eyeball, in the same quadrant as Hillary but opposite Ronald Reagan.

Any ranking system can skew its sense of reality by choosing its own center
point, and can skew responses by choosing the questions it presents. Ask about
gun control – yes, I’m much more permissive than John Kerry. But on critical
social issues like abortion, drugs, gambling (none of which is mentioned in the
survey)? John is much more permissive than I will ever be. Private investment
vs. government control of retirement funds? I’m way above John on the permissive
chart. But why ask such a trivial question?

So, from my self-appointed happy centerpoint in the upper left quadrant of
OK Cupid’s political grid, I’ll let the rest of the world be crazy, except for
me, and perhaps, thee.


Integrity

General
Author: Mark Dixon
Monday, September 26, 2005
5:40 am

Integrity: "1) Steadfast adherence to a strict moral or ethical code.
2) The quality or condition of being whole or undivided; completeness."

My oldest daughter asked me to jot down a few of my ideas about integrity.
Please let me share them with you.

As the listed definitions suggest, integrity has two critical components:

  1. Mental and physical adherence to a strict moral code
  2. Undivided consistency in a person’s life: in thought, speech and action,
    whether public or private.

The foundation of a strict moral code enables a person to avoid the flighty
whims and consequences of popular sentiment. Jesus recommended building houses
(our lives) on foundations of rock instead of sand because strong foundations
can withstand the virtual hurricanes of opposition we experience in our lives.

The second aspect of integrity is absolute consistency between the inner and
outer self, between public performance and private behavior, between spoken
word and demonstrated action. The word Integrity comes from the same root word
as Integral and Integrated. Both these terms imply wholeness, completeness or
consistency.

Based on these two concepts, integrity denotes complete and consistent internal
and external commitment to a concrete standard of ethics and morality.

A person with integrity lives by some simple rules:

  1. Always do what is right, regardless of the short-term reward for doing otherwise.
  2. Be willing to accept and speak the truth, even if the truth is not popular
    or what people want to hear.
  3. Promise only what you can deliver. Deliver what you promise.
  4. Be true to your ideals, even in the face of criticism and ridicule.

Some examples:

  1. A man of integrity does not set himself up as a paragon of faith and virtue
    in the community and then go home and beat his wife.
  2. A woman of integrity doesn’t promise the moon to get an order and then weasel
    out of details when it’s time to deliver.
  3. A woman of integrity has the courage to turn down a business deal if underhanded,
    illegal or unethical behavior is required.
  4. A man of integrity does everything within his power and more to make sure
    he delivers what he promised, even if that means enduring demeaning ridicule
    or forfeiting compensation.

So why have integrity? Isn’t it tough to live this way? Wouldn’t it be easier
to accept popular concepts of relative morality?

People of integrity engender trust, that time-tested, foundation principle
of meaningful relationships. In the end, when the chips are down, when things
are crumbling around us, people of integrity are ones people count on. They
are the ones people turn to for advice, for counsel, for solutions to tough
problems. They are ones who can be trusted.

Why? Because morality and ethics really do count. Truth is truth. Right is
right. Wrong is wrong. I’ll put my trust any day in people whose lives are rooted
in a bedrock moral code and who live in absolute consistency with that code.


SAML + Martin Gee

Identity
Author: Mark Dixon
Friday, September 23, 2005
2:28 am

Some people talk. Others do. Martin Gee, founder and CTO of IC Synergy,
is a doer. He has led some of Sun Microsystems’ most successful Portal Server
and Access Manager projects and is in the midst of some highly significant
federation projects with well-known US Government customers.

Amidst all of this real-world activity, Martin has begun to teach an impressive
course about SAML to Sun customers. Again, many people talk about SAML. Martin
does something about it. He knows how to make this stuff jump up and dance, and
is willing to teach it to others.

Part 1 of the IC Synergy SAML course covers SAML concepts. It provides
a general understanding of the technology for attendees, and provides a foundation
for developers and other specialists who will go on to undertake a development
project in Part 2.

Part 2 provides hands-on practical training, leading to the development of
an actual SAML project chosen by each participant. Each participant will develop
a real SAML project, in an intensive, highly supportive, practical learning
environment, providing participants with a take-away of real practical value.

Interested in SAML? I highly recommend you get to know Martin Gee.


Identity Grid – Take 2

Identity
Author: Mark Dixon
Thursday, September 22, 2005
5:29 am

The first Sun white paper I read before I became a Sun employee in October
2004 was entitled "The Identity Grid: Powering the Real Time Enterprise." It
presented an articulate case for the importance of Identity Management in the
modern enterprise and gave a good overview of the critical components of an
Identity Management architecture.

Simply stated, "The Identity Grid is an organizing principle for integrating
and exchanging “people data,” or identity data, and making the data
broadly available across the enterprise. Because identity data is integral to
every relationship an enterprise is engaged in — be it with customers,
partners, or employees — identity data is in the critical path of successful
electronic business."

Produced by Waveset in 2003, prior to its acquisition by Sun, this whitepaper
presents a cohesive framework for discussing several aspects of Identity Management:

Interestingly enough, the Identity Grid Framework pictured above offers a convenient
grouping for the Sun Java System Identity Management Products:

Management Services

  • Identity Manager
  • Identity Manager Service Provider Edition
  • Identity Auditor

Transaction Services

  • Access Manager
  • Federation Manager

Data Stores

  • Directory Server Enterprise Edition

After my recent reading, I would like to suggest some updates that make this
Identity Grid concept even more relevant.

1. Add "Auditors" as a user type and "Auditing/Remediation"
as a Management Service type. Regulatory compliance is probably the number one
business driver for Identity Management implementations. Auditors must be able
to set audit policies and controls, audit compliance with those policies and
controls and remediate non-compliant conditions.

2. Change "Employee" to "Employee/Contractor." This may
be a nit, but modern enterprises all use many contractors. The distinction at
a high level might be subtle, but within the bowels of an Identity Management
system, contractors often are treated far differently than employees.

3. Add "Applications" as a user type and "Web Services"
as a user interface type. This recognizes that system users are often software
programs, not people. These applications must be identity enabled to operate
within Service Oriented Architectures.

4. Add "Federation Services" as a Transaction Services type. Federation
Services are increasingly essential for enabling interaction among trading partners.

5. Change "Data Stores" to "Data Services." In harmony
with the Management Services and Transaction Services titles, this recognizes that
Identity Management functionality is progressively delivered as sets of services,
not just independent applications.

6. Add "Virtual Directory Services" as a Data Services type. It is
increasingly evident that data access should be virtualized, wherein a data
services layer separates applications from the physical data storage constructs.

So there you have it … my suggestions for a second version of the Identity
Grid. I’d welcome your input and critique.


Old Tools. Great Things.

General
Author: Mark Dixon
Wednesday, September 21, 2005
4:41 am

Quickly – do you know the answers to these little trivia questions?

1. How many transistors were in the radio in the X-1 rocket plane that first
broke the sound barrier?

2. Did Fairchild or Texas Instruments make the integrated circuits aboard the
United States’s first Explorer satellite?

3. Did Hewlett Packard or Texas Instruments make the scientific pocket calculators
that Apollo engineers used to put a man on the moon?

The answers? All three were trick questions.

  1. None. It was a tube radio. Chuck Yeager flew the X-1 to break the sound
    barrier on October 14, 1947. The first workable transistor was made on
    December 23, 1947.
  2. Neither. There were no integrated circuits on the Explorer satellite when
    it went into orbit on January 31, 1958. IC’s weren’t invented until 1959
    and not commercially available until 1961.
  3. Neither. Apollo engineers used slide rules to put Neil Armstrong on the
    moon on July 20, 1969. HP introduced the first scientific pocket calculator,
    the HP35, on February 1, 1972.

The moral – Don’t wait for future innovation to exercise your ingenuity, imagination and creative drive to do great things.


OpenSolaris Beauty

General
Author: Mark Dixon
Tuesday, September 20, 2005
4:02 am

My youngest daughter Holly loves my OpenSolaris t-shirt.


Identity Management Benefits

Identity
Author: Mark Dixon
Monday, September 19, 2005
4:25 am

Today, we have a list of the benefits our customers expect from their Identity
Management Systems, based on the same set of RFPs used for the previous two days’ posts:

  • Improved quality of service to our clients.
  • New users gain faster access to the resources needed to perform their jobs,
    meet their changing needs and keep them satisfied and productive.
  • All users gain better service by the reduction or elimination of errors
  • Faster processing of requests
  • Automation speeds the processing of requests, freeing security administrators
    to spend time on other important activities.
  • Provisioning of client accounts takes minutes rather than days to build.
  • Streamlined operations.
  • Flexible, rule-driven provisioning approach allows routine, yet complex,
    provisioning processes to be automated, improving efficiency and reducing
    the possibility of errors.
  • Information Security support and operating costs are greatly reduced with
    automation, delegation, and self-service features.
  • Implementation of the common processes across multiple accounts will standardize
    and simplify procedures, reducing mistakes and cost.
  • Enable growth with reduced need to increase the size and expertise of the
    account administrative staff.
  • Improved enterprise security with complete visibility into user access
    privileges.
  • Improved ability to automatically detect and react to potential risks.
  • Consistent application and enforcement of security rules.
  • Reduced security costs through task automation.
  • Audit and reporting capabilities.
  • Tighter security controls.
  • Eliminated or reduced duplicate user IDs.
  • Account clean-up or deletion validation across all platforms & applications
    based on single action.

In a nutshell: Improved service, increased productivity, reduced errors, increased
efficiency, improved security, reduced risk, regulatory compliance and growth
enablement.


Identity Management Objectives

Identity
Author: Mark Dixon
Saturday, September 17, 2005
8:02 am

Yesterday, I listed several problems stated by customers in recent RFP’s. Here
is a list of objectives the same customers hoped to achieve by implementing an
Identity Management System:

Improve Administration

  • Improve administrative overhead – Centralized account creation, suspension,
    and deletion across systems and applications
  • Create a centralized view to use as a window into the digital identities
    that exist on the targeted systems.
  • The proposed solution should allow out-of-the-box user administration capabilities
    on a number of common platforms and applications.
  • Central, multi-system administration.
  • Self managed password administration.
  • Provide self service capabilities, e.g., resetting passwords

Improve Security

  • Create a centralized store for provisioning processes and policies that
    govern how to conduct business securely
  • Provide application developers with a seamless security infrastructure
    where security no longer needs to be coded per application
  • Minimize risk
  • Privacy and security compliance via role-based security for users access
    to electronic information.
  • Support role-based security for our clients’ access to electronic
    information.

Reduce Complexity

  • Improve information quality – Synchronization of identity information in
    various repositories/ directories
  • Reduce the number of log-on credentials
  • Synchronization of IDs and passwords across platforms and applications
  • Simplify the ‘user provisioning’ and setup for user ids for
    various internal applications.
  • Provide simple and non-technical means for managing user request options
  • Provides unified login for customers and employees

Increase efficiency

  • Improve Access
  • Improve Service
  • Reduce Cost
  • Provide the ability to be self-sufficient in administering and extending
    the system.
  • Correlate and clean the identity information of the targeted systems.
  • Report on variances between the correlated and cleaned identities and new
    identities that are added to the system.
  • Reduction of internal user account provisioning from forty-eight hours to
    minutes after approvals.
  • Reduction of external client account provisioning from forty-eight hours
    to minutes after approvals.
  • Rapid, reliable account termination.
  • Streamlined approvals for systems access.
  • Automatic provisioning for approved requests.
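The "correlate and clean" and "report on variances" objectives above are what a provisioning system's reconciliation pass actually does: match each account on a target system back to an authoritative identity, then report whatever does not line up. The following is an added example, not code from this post or from any Sun product, showing one way that pass can work. The HR feed, the two target systems (`ldap` and `erp`) and every account in them are constructed sample data; the correlation rules (employee number first, then e-mail address) are an assumption chosen for illustration. It goes a little beyond the single bullet by also flagging the duplicate-ID, orphan-account and late-termination conditions that the same RFPs list as problems.

```python
"""Account-to-identity correlation with a variance report (constructed example)."""
from collections import defaultdict

# Constructed authoritative identity feed (e.g. from HR). Not real data.
HR_IDENTITIES = [
    {"emp_no": "E100", "name": "Ada Byrne", "email": "ada.byrne@example.com", "status": "active"},
    {"emp_no": "E101", "name": "Ben Cruz", "email": "ben.cruz@example.com", "status": "active"},
    {"emp_no": "E102", "name": "Cy Dunn", "email": "cy.dunn@example.com", "status": "terminated"},
]

# Constructed account lists as pulled from two hypothetical target systems.
# Each system records owner attributes inconsistently, which is the usual case.
TARGET_ACCOUNTS = {
    "ldap": [
        {"uid": "abyrne", "emp_no": "E100", "email": ""},
        {"uid": "bcruz", "emp_no": "", "email": "ben.cruz@example.com"},
        {"uid": "cdunn", "emp_no": "E102", "email": ""},          # owner was terminated
    ],
    "erp": [
        {"uid": "ada.byrne", "emp_no": "E100", "email": ""},
        {"uid": "abyrne2", "emp_no": "", "email": "Ada.Byrne@example.com"},  # second ID, same person
        {"uid": "svc_batch", "emp_no": "", "email": ""},          # no owner attributes at all
    ],
}


def correlate(account, identities_by_emp, identities_by_email):
    """Return the emp_no of the identity that owns `account`, or None.

    Rules are tried in order of confidence: an exact employee number is
    authoritative; a case-insensitive e-mail match is the fallback. Anything
    that matches neither is left uncorrelated rather than guessed.
    """
    emp_no = account.get("emp_no", "").strip()
    if emp_no and emp_no in identities_by_emp:
        return emp_no
    email = account.get("email", "").strip().lower()
    if email and email in identities_by_email:
        return identities_by_email[email]["emp_no"]
    return None


def reconcile(identities, target_accounts):
    """Correlate every account on every target system and report the variances.

    orphans:                accounts with no correlated identity (review or remove)
    duplicates:             one identity holding several IDs on the same system
    terminated_with_access: accounts still present for non-active identities
    unprovisioned:          active identities with no account on a system
    """
    by_emp = {i["emp_no"]: i for i in identities}
    by_email = {i["email"].lower(): i for i in identities}
    report = {"orphans": [], "duplicates": [], "terminated_with_access": [], "unprovisioned": []}

    for system, accounts in target_accounts.items():
        owned = defaultdict(list)  # emp_no -> list of uids on this system
        for acct in accounts:
            owner = correlate(acct, by_emp, by_email)
            if owner is None:
                report["orphans"].append((system, acct["uid"]))
                continue
            owned[owner].append(acct["uid"])
            if by_emp[owner]["status"] != "active":
                report["terminated_with_access"].append((system, acct["uid"], owner))
        for emp_no, uids in owned.items():
            if len(uids) > 1:
                report["duplicates"].append((system, emp_no, sorted(uids)))
        for emp_no, ident in by_emp.items():
            if ident["status"] == "active" and emp_no not in owned:
                report["unprovisioned"].append((system, emp_no))
    return report


def sample_report():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(HR_IDENTITIES, TARGET_ACCOUNTS)


if __name__ == "__main__":
    for category, findings in sample_report().items():
        print(f"{category}:")
        for finding in findings:
            print("   ", finding)
```

Against the sample data the pass reports one orphan (`svc_batch` on `erp`), one duplicate (Ada Byrne holding both `ada.byrne` and `abyrne2` on `erp`), one terminated identity still holding an account (`cdunn` on `ldap`) and one active identity with no `erp` account (E101). In a real deployment the correlation rules would be tuned per target system and the report fed to the approvers and administrators the objectives above refer to, but the shape of the job is the same.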

Improve Compliance

  • Improve regulatory access/audit – Comprehensive logging and auditing of
    users’ access rights and approvers
  • Provide compliance with government regulations through automation of provisioning,
    de-provisioning and reporting on current state of authorized user credentials.
  • Provide audit trails for user requests

Leverage Standards

  • Provide the foundation for developing a shared permission/identity infrastructure
    service – Standards-based scalability
  • The architecture of the provisioning solution should be robust, secure and
    based on best industry standards.

Position for the Future

  • Provide a foundation for extending Identity Management functionality
  • Scalability for future growth

Enable Integration

  • It should be customizable to support products from other vendors and applications
    that have been developed specifically for the current environment.
  • Integrate with outside systems for event triggering, auditing and reporting.

Monday I’ll list the expected benefits. Stay tuned.


Help! Identity Management Problems

Identity
Author: Mark Dixon
Friday, September 16, 2005
5:25 am

I randomly selected a few recent RFPs that have come across my desk and compiled
the following list of problems stated by our customers:

Administration

  • No centralized user administration process.
  • Multiple teams are involved in the user administration activities.
  • Increasing overhead in administration of identities
  • Administrators spend a lot of time performing routine admin tasks that can
    be automated
  • Different administrators often assign different IDs to the same person.
    This makes it difficult to track activity back to a single source and confuses
    the customer.

Security

  • Potential security risks
  • Accounts are created with unauthorized system access rights.
  • Security risks occur when frustrated or overburdened admin staffs may take
    shortcuts, terminations may not be done as soon as required or permissions
    granted may be in excess of what is really needed.

Complexity

  • The users of the system are located worldwide and can be customers, employees,
    temporary workers, contractors and external suppliers.
  • Multiple authentication requirements for applications
  • Account creation/deletion in repositories is performed by multiple groups
  • Many systems and applications have different business owners, platforms,
    administrative tools, and system administrators, leading to slow performance,
    delayed or unreliable terminations and higher administration costs.
  • Account creation process requires great coordination, involves many steps,
    and involves multiple clients which must remain segregated from each other
  • Support staff requires advanced training to administer accounts on so many
    varying systems.
  • Employees and customers require timely access to applications and systems
    to perform their jobs.

Inefficiency

  • A high number of calls are made to the support center for user provisioning
    activities including password resets.
  • Terminating employee accounts is a manual process
  • The process for business unit managers and application owners to sign off
    on the privileges of the users is cumbersome and time consuming.
  • Proliferation of directories and identities: diverse infrastructure has
    evolved over time
  • Redundant identity information
  • Information inaccuracies
  • Users wait longer than necessary to obtain IDs
  • Managers spend time chasing a sequence of events to ensure proper approvals.
  • Authorizations needed to process a request often slow the process of account
    creation or update and lead to errors and mistakes.

Compliance

  • Untimely response to regulations

Strategy

  • Managing for the moment, but not positioned for the future

This was not a scientific sample, but I find it interesting that in the half-dozen
RFP’s I read, compliance was not nearly so important an issue as operational
efficiency and reduction in complexity.

Stay tuned for more.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.