
Exploring the science and magic of Identity and Access Management
Tuesday, December 23, 2025

Apollo – the VBOF Stork

Identity
Author: Mark Dixon
Thursday, April 1, 2010
3:42 pm

My blogging efforts have been on an extended hiatus recently as I have focused on becoming familiar with the new Oracle landscape.  Perhaps there is no better way to return to the blogosphere than to announce the winner of the Sun VBOF Stork naming contest.

A bit of explanation is in order …

In December and January, I hosted a short-lived series of “Virtual Birds of a Feather” (VBOF) sessions, held via teleconference and Webex.  These sessions, which were open to Sun employees and SI partners, covered such interesting topics as:

  • Identity Roles and Personae
  • Current Trends and Issues around Entitlements Certification
  • Identity and Access Management in Cloud Computing

We had people from literally around the world participating in these live sessions, and collectively learned much through cooperative discussion of Identity Management topics.

As I was searching for an appropriate artwork to use for VBOF presentations, I stumbled across a photo of a gallant old stork in the Sun artwork collection.  We adopted the old bird as the VBOF mascot and launched a little election to determine what to name him.

The winning name was nominated by Dr. Rene Klomp, Senior Solution Architect  from the Netherlands, who suggested that Apollo is:

“God of the Sun, who had an Oracle in Delphi. Also ‘Apollo’ can be read ‘a pollo’ which means ‘a chicken’ which is of course a virtual stork! Oh well, they’re both birds so what the heck.  Last but not least, Apollo took us to the moon, which gives us light after the Sun has set.”

Today, I finally received a photo of Rene wearing the one and only Apollo/VBOF shirt, which he received as winner of our little contest.

ReneKlomp

Congratulations to Rene for both nominating the winning name and wearing the shirt so stylishly!

I don’t know yet whether we’ll revive the VBOF concept within Oracle, but if we do, I’m sure Apollo the VBOF Stork will be waiting in the wings.


How Many iPhone Apps Do You Use?

Telecom
Author: Mark Dixon
Tuesday, February 9, 2010
5:53 pm

On a recent trip out of town, while waiting in the Phoenix airport to board my flight, I suddenly became aware that I had really used a lot of apps on my iPhone that morning. So I counted the ones I had used – all 15 of them – before 10am.

  1. Mail
  2. Phone
  3. iPod
  4. Safari
  5. Messages
  6. Calendar
  7. Toodledo
  8. Evernote
  9. Tweetie
  10. Facebook
  11. Brightkite
  12. Livestrong
  13. AP Mobile
  14. Weather Channel
  15. Tripit

I went on to use some more apps later in the day, but this all goes to prove that the iPhone has become an indispensable part of my life – helping me be more productive, connected and responsive to the people in my life.

What apps are a critical part of your everyday life?


Oracle Street in Mesa, Arizona

General
Author: Mark Dixon
Tuesday, February 9, 2010
5:34 pm

When he learned I would be re-joining Oracle after my time at Sun Microsystems, my son suggested that I take a drive down Oracle Street in Mesa, Arizona, to celebrate.  It is a small street with a big name, located about a mile from my house.  Here is evidence that I took the trip.

Oracle Street in Mesa, AZ


Identity Services for Cloud Computing

Identity
Author: Mark Dixon
Tuesday, February 9, 2010
4:57 pm

To support recent discussions about Identity Management and Cloud computing, I divided the types of Identity Services that might be needed to support Application services into three major categories as shown in the following diagram and explained in a bit more detail below:

IDaaS

The specific services provided in each category could include:

Identity Administration Services

  • Create, update, delete identities
  • Password/credential management
  • Entitlement definition/management
  • Provision/de-provision access privileges
  • Role engineering/management
  • Policy definition/management

Identity Enforcement Services

  • Authentication
  • Authorization
  • Access control
  • Federation
  • Web services security

Identity Audit Services

  • Reporting
  • Evaluation
  • Attestation
  • Validation
  • Remediation

Did I miss any services that you think should be present?  Any input on the categories or types of services?  Any input or criticism would be most welcome.


Users of Cloud-based Services

Identity
Author: Mark Dixon
Thursday, February 4, 2010
9:54 am

The following chart may be helpful as we consider the different types of users that should be addressed by Identity and Access Management (IAM) technology and processes in cloud computing.

CloudUsers

At the Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) layers, the only users are administrators of the platform or infrastructure services, respectively.  However, these administrative users may be either on the provider side or on the recipient or enterprise side.  End users, whether within the enterprise (employees or contractors) or external to the enterprise (customers and partners), only exist at the application layer or Software as a Service (SaaS) layer.

This illustrates how cloud computing introduces increased complexity into IAM. Not only do the different layers (PaaS, IaaS and SaaS) have unique requirements, but multiple organizations (e.g. provider and enterprise) need to be considered.

For example, the nature of PaaS services will require provider administrators to have root access to the operating system, while enterprise administrators at the SaaS level may only need access to application configuration functions and external SaaS users only need access to selected application functions.

Hopefully, this provides food for thought as we explore IAM in cloud computing.  I’d be grateful to hear your comments.


Boomeranging Back to Oracle

General
Author: Mark Dixon
Saturday, January 30, 2010
7:08 am

Boomerang:

  • noun, “a bent or curved piece of tough wood used by the Australian Aborigines as a throwing club, one form of which can be thrown so as to return to the thrower.”
  • verb, “to come back or return, as a boomerang”

Boomerang

I first joined Oracle in 1997, as a pre-sales consultant on the Oracle Telecommunications sales team, and then spent an intense three years literally travelling around the world in support of Oracle sales activities to many telecommunications companies.  I learned much, worked with outstanding people, had great experiences, and then was lured away to a Silicon Valley startup just before the .com bubble burst. A series of interesting experiences with small companies led me to Sun.  It turns out that the executive who initially hired me at Oracle was the same one who referred me into Sun.

So now, after nearly a decade,  I will be leaping back into the Oracle fold with my Sun colleagues, eager with anticipation, looking forward to many more exciting years.


A Tribute to Friends

General
Author: Mark Dixon
Saturday, January 30, 2010
6:40 am

As Sun transitions into Oracle, the bright expectations of new opportunities have been accompanied with the gut-wrenching impact of learning which friends were not invited to make the leap.  Thursday and Friday were difficult for me, as I heard from outstanding people I have learned to admire and trust that they were opening new doors in their lives.

As a tribute to them and all other friends I have come to know and respect during my sojourn at Sun, I offer a few lines I penned several years ago …

tapestry

A Tapestry Of Miracles

Like brilliant golden strands
Woven delicately yet boldly
Among more dreary threads
To create a magnificent tapestry,
Our lives converge
In brief but sparkling brightness,
And then intertwine into
Radiant relationships
Borne of common hopes and dreams.

Countless encounters
Of human souls,
Guided by an unseen hand,
Link our lives together,
Creating cascading
Miracles of light,
Illuminating our hearts and minds
Amidst the harshness and the gloom
Of mortal life,
Ever weaving and preparing
The glorious, eternal tapestry
Of humankind.

Mark G. Dixon
November 15, 1996

Photo credit: A quilt entitled “The Woodpeckers” by Kathy Swartz, based on a tapestry of the same name by William Morris.


Identity-Enabled Patient Consent Management

Identity
Author: Mark Dixon
Thursday, January 28, 2010
3:47 pm

Last Thursday, January 21st, I gave a presentation at the Sun Horizons conference, “Healthcare Integration Through a New Perspective.”  The title of my talk was “Identity Management: Securing Information in the HIPAA Environment.”  I explored how the complementary functionality of Identity Management and Master Patient Index technologies can enable effective Patient Consent Management, a vital requirement for online health information networks.

A copy of my presentation deck is available for download here.

At the heart of my presentation was the following diagram, which illustrates major components required in a Patient Consent Management system:

consent

A brief explanation of key components follows:

Identity and Role Repository

IAM technology and methods provide the foundation for an effective patient consent management system.  An Identity and Role Repository contains Identities, roles and access control credentials necessary to support the consent system.  This repository includes:

  • Patients
  • Providers
  • Access Rights
  • Roles (map business responsibilities to access rights)
  • Override Rights (Only users with specific roles can perform override without consent)

Consent Registry

A consent registry is required to specify what permissions have been granted by patients, within the allowable limits specified by each applicable jurisdiction.   Some of the key attributes include:

  • Consent Permissions for
    • Patients
    • Organizations
    • Users
  • System-wide mask (everyone)
  • Fine-grained access
  • Include or exclude attributes
  • Accommodation for multiple jurisdictions

Master Patient Index

A Master Patient Index enables correlation of patient data across multiple repositories.  This is essential because patient records are typically held in multiple locations.  In other cases, if patient records exist in the same physical data warehouse, they are often logically separated.

Federated Data Access

If patient data is located in physically or logically separate locations, federated data access control allows access across domain boundaries without compromising the privacy or integrity of individual patient record repositories.

Data Access Services

By providing a set of centralized data access services governed by IAM, the Consent Registry and the Master Patient Index, a secure method of patient data access is possible.
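The components described above can be combined into a single access decision. The following Python code is an added example, not part of the original presentation; all names, roles and records are constructed, and treating the system-wide mask as a set of attributes hidden from everyone is an assumption.

```python
# Added illustration; every name and sample value below is constructed.
ROLES = {  # Identity and Role Repository: role -> access rights
    "physician": {"read_record"},
    "er_physician": {"read_record", "override_consent"},
    "billing_clerk": {"read_billing"},
}
USERS = {"dr_a": ("clinic_1", "physician"), "dr_er": ("hospital_2", "er_physician"),
         "clerk": ("clinic_1", "billing_clerk")}  # user -> (organization, role)
# Master Patient Index: (organization, local record id) -> master patient id
MPI = {("clinic_1", "A-17"): "mp-001", ("hospital_2", "H-903"): "mp-001"}
RECORDS = {"mp-001": {"allergies": "penicillin", "medications": "none",
                      "mental_health": "note", "billing": "acct 1"}}
SYSTEM_MASK = {"billing"}  # assumed meaning: attributes hidden from everyone
CONSENT = {  # Consent Registry: master id -> grants per organization or user
    "mp-001": {"org": {"clinic_1": {"exclude": {"mental_health"}}},
               "user": {}},
}
AUDIT = []  # decisions recorded for later audit reporting


def read_patient(user, org_of_record, local_id, override_reason=None):
    """Return the attributes `user` may see, or None if access is denied."""
    org, role = USERS[user]
    rights = ROLES[role]
    master = MPI.get((org_of_record, local_id))
    if master is None or "read_record" not in rights:
        AUDIT.append((user, master, "deny:no_right"))
        return None
    grants = CONSENT.get(master, {"org": {}, "user": {}})
    grant = grants["user"].get(user, grants["org"].get(org))
    if grant is None:
        # No consent on file: only a role holding the override right may proceed
        if "override_consent" not in rights or not override_reason:
            AUDIT.append((user, master, "deny:no_consent"))
            return None
        AUDIT.append((user, master, "override:" + override_reason))
        grant = {"exclude": set()}
    hidden = SYSTEM_MASK | grant.get("exclude", set())
    if "include" in grant:  # an include list narrows the view further
        hidden |= set(RECORDS[master]) - grant["include"]
    AUDIT.append((user, master, "allow"))
    return {k: v for k, v in RECORDS[master].items() if k not in hidden}
```

The user-level grant takes precedence over the organization-level grant here, and every decision, including each override, is appended to `AUDIT`.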


New Luggage Wheels

General
Author: Mark Dixon
Wednesday, January 27, 2010
2:32 pm

I recently replaced the wheels on my roll-aboard suitcase with inline skate wheels.  So much for a run-of-the-mill black-on-black look for my luggage!  I hope the fact that I chose orange rather than red doesn’t get in the way of success with Oracle.

New Luggage Wheels


Oracle and Sun Luggage Tags

General
Author: Mark Dixon
Wednesday, January 27, 2010
2:03 pm

In August, 2007, the Sun National Sales Conference featured Oracle/Sun luggage tags for all attendees, which was terribly ironic for those of us in the software business, which competed head to head with Oracle.  Little did we realize at that time how prophetic those luggage tags would be!

Oracle Sun Luggage Tags

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.