
Exploring the science and magic of Identity and Access Management
Thursday, February 5, 2026

Do It Right the First Time

Identity
Author: Mark Dixon
Thursday, June 9, 2005
6:35 am

My Dad was a farmer at heart and math teacher by financial necessity. Often, when students complained that they didn’t have time to do a homework assignment correctly, he’d challenge them “If you don’t have time to do it right the first time, when will you ever have time to do it again?”

I thought of his sage advice yesterday while speaking with one of our technical specialists. He is in the middle of a virtual fire fight at a customer site, helping to correct a design mistake made a few months ago that has now raised its ugly head.

“If they had only taken the time to do it right the first time,” he sighed. Apparently, because of time pressure, shortcuts had been taken when they shouldn’t have been, without evaluating the possible consequences. Now, the heavy price is being paid.

The lesson is the same as in the seventh grade math class — take the time to do it right the first time.

 

The Expert Touch in Identity Management

Identity
Author: Mark Dixon
Wednesday, June 8, 2005
4:38 am

Expert: “A person with a high degree of skill in or knowledge of a certain subject.”
Dictionary.com

A couple of weeks ago, a customer was starting to hit his head against the wall. According to his calculations, at the current rate, loading data in preparation for final test would take 13 days – plus another 13 days when they moved into production. Aaaargh!

I asked one of our Identity Management architects to address the problem. In less than a couple of days, due to his counsel and guidance, the data load time was down to about 10 hours. Not optimal, perhaps, but certainly workable. Without the benefit of experience-based insight, our customer may still be thrashing about.

There is no substitute for knowledge and expertise earned through tough, in-the-trenches experience. A classroom is only the beginning. Expertise doesn’t magically rise from the pages of a user’s manual. Theory doesn’t automatically become best practice.

Still, too many customers think they can go it alone, perhaps thinking that an Identity Management system is as easy to implement as just another shrink-wrapped software package.

It reminds me of one of my sons. He always had to learn lessons the hard way. I could tell him over and over to drive cautiously, avoid debt and attend class. But it was the expensive traffic tickets, hard-to-pay credit card bills and failing a calculus class that taught him valuable lessons. He didn’t like to accept counsel while he lived at home, but I’m relieved that now that he is married and has gained a bit more perspective, he regularly calls home for advice.

My fatherly advice for an up and coming Identity Management client?

  1. Get strong, experienced architectural guidance as you begin. We can help you select the right resources to provide this guidance.
  2. Use a strong, experienced team to implement your system. You can augment the team with trained people from your staff, but don’t short change yourself by thinking a team can take a class and become immediately proficient.
  3. Use a consistent series of design reviews and project checkpoints, where experts can help you stay on track.
  4. Work hard, but don’t be afraid to call for help.

Like my son, our go-it-alone customers can eventually emerge on top – maybe. But learning the lessons the hard way will always be more painful, time consuming and costly than if they had trusted the expert touch.

 

Quick Wins for Identity Management

Identity
Author: Mark Dixon
Monday, June 6, 2005
11:47 am



Without any coaching from Sun, a customer recently shared a document with us that highlighted Sun’s Quick Win philosophy.

This document listed 10 areas of Identity and Access Management functionality as suggested by the Gartner Group:

  • Authorization Services
  • Directory Services
  • Enterprise Single Sign On
  • Password Management
  • User Provisioning
  • Metadirectory
  • Extranet Access Management
  • Audit
  • Portal
  • Application Server

A second list included the platforms over which Identity Management could be imposed.

  • Operating System
  • Security Systems
  • Directories
  • Databases
  • Applications
  • Physical Resources

If these two lists were represented as vertical and horizontal axes of a matrix, a 10×6 matrix of cells would occur, with each cell representing a specific area of Identity Management focus having potential benefit to the enterprise.

Our customer checked only one item on the first list, and only one item on the second. In effect, of all 60 potential areas of focus, the authors of the document chose just one for a Phase 1 project – password management for operating systems. Why? It has strong business benefit and is fairly quick to implement – a quick win.

The value of a quick win project should not be underestimated. A number of advantages can accrue:

  • Measurable results are quickly demonstrated
  • Project momentum is maintained for future phases
  • The likelihood of continual sponsorship is increased
  • The system architecture is progressively validated
  • Configuration components are more easily reused
  • Impact on the enterprise is more easily understood

We encourage you to make this your philosophy: Segment your Identity Management project into manageable parts. Focus your attention first on the most urgent, most beneficial, most quickly implemented areas of the entire project scope. Drive directly to those areas where you will experience a quick win.

Ladies and Gentlemen, start your engines.

 

Identity Magic

Identity
Author: Mark Dixon
Saturday, June 4, 2005
10:35 am


“Any sufficiently advanced technology is indistinguishable from magic.”


Arthur C. Clarke

Most of the stuff we do today with computers would seem like magic to our ancestors a couple of generations ago. Aladdin had his magic words like “Open Sesame.” But I have a magic token that can open doors and authorize access to other magic things like Sunrays.

Who knows – maybe Javacards really are magic. And those sorcerers in the Sun labs have us all fooled.

 

Identity Management – Customers vs. Employees

Identity
Author: Mark Dixon
Friday, June 3, 2005
5:03 am


“Don’t worry about stockholders or employees. If you take care of your customers, everything else will fall into place”

Lee Iacocca


Yesterday, I was speaking with an Identity Management customer who shared an interesting perspective on this subject. “We have tens of thousands of employees,” he said, “but tens of millions of customers. Customers take precedence over employees. But sooner or later, if we don’t solve employee issues, it begins to affect our customers.”

We were discussing how to set budget priorities for Identity Management projects. His preference, in harmony with Iacocca’s statement, was to solve customer-focused Identity Management issues first. After all, customers pay the money to sustain our business – customers butter our bread.

This is consistent with Sara Gates’ observations as I reported in a recent blog entry. By focusing on Identity Management for customer facing applications, we can improve customer service, increase market leverage through better partner relationships and expand into new markets. By focusing on value delivered to customers, Identity Management becomes a revenue enabler, a contributor to enterprise growth.

Solving Identity Management issues for employees should not be ignored. But business justification comes from cost reduction, process improvement and regulatory compliance, not from revenue growth.

Two other documents I read this week corroborated this point. These two high-level requirements statements came from another customer embarking on an Identity Management project. The first document outlined the corporate IT group’s priority – password management for employees. The second document, prepared by a customer-focused business unit said, in effect, “We need federated single-sign-on for our portal-based applications, so we can work with more partners and serve more customers.” One initiative is being driven by cost reduction and compliance, the second by revenue growth.

The moral of this little story? Customers should always come first. They deliver the money. But don’t forget us employees. We have Identities, too.

 

Secure ILM – Enabled by Identity Management

Identity
Author: Mark Dixon
Thursday, June 2, 2005
5:52 am

I am listening to Scott McNealy announce the acquisition of StorageTek by Sun. In his opening remarks, he spoke of Sun’s ability to offer Secure Information Lifecycle Management (ILM), enabled by Sun Products such as Identity Manager, Directory Server, Access Manager and Java Card. He states in the press release that Sun will now have “the most comprehensive data and identity management solutions.” The press release states further, “Sun will be well-positioned to help customers better manage their growing privacy, security, compliance and policy requirements.”

In the Q&A session, Jonathan Schwartz reinforced this position by saying that using Identity and Access Management products to enable compliance is the “hottest ticket in town.”

Leveraging Identity Management technology to enhance security of the information life cycle is a compelling notion. I look forward to seeing this unfold.

Go Sun!

 

Convergent Identity

Identity
Author: Mark Dixon
Wednesday, June 1, 2005
5:55 am

At one time in my life, I had six individual accounts with AT&T – long distance, personal calling card, corporate calling card, mobile phone, ISP and credit card. Yet Mother AT&T had no idea that the six Mark Dixons from Arizona were all one and the same guy.

At the time, I held a business development position with Oracle’s telecommunications vertical business sector. We preached the gospel of Convergent Services, where traditional business boundaries and IT system silos could be bridged, ostensibly enabled by Oracle’s application and database products. In its simplest form, Convergent Services would allow all services provided by one company to be invoiced on a single bill. In its utopian form, Convergent Services would deliver all possible telecommunications services in an interoperable way (e.g. long distance for home and mobile phone on the same infrastructure; music, video, personal services on a mobile phone.)

The benefits to customers would be richer service offerings, ease of use, better customer service and simplified bill paying. Carrier benefits would include lower costs, new market penetration and “stickiness” – that elusive art of getting customers to stay with the same carrier.

Well, I didn’t stick around. I don’t think AT&T ever figured out that all those multiple accounts belonged to one person. I’m now down to one AT&T account. I’m just a lingering example of a forgotten customer in a churn-happy telecom world.

A similar issue persists within enterprises. A single employee’s Identity information may be represented in different ways on many different systems, with scant manual correlation between them. The duplication of effort to maintain these multiple identity stores costs precious administrative time, can lead to security breaches, and frequently results in user inconvenience and support headaches.

At the heart of the solution to both enterprise identity and convergent services is Identity Management. Implementing a system like the Sun Identity Manager product can provide centralized control of Identities – for employees or customers. As Identities converge, better customer/user service can surely follow. After all, Identities represent people, and people do the work of enterprises and make the buying decisions in the marketplace.

Are you listening, AT&T?

 

The History of Digital Identity

Identity
Author: Mark Dixon
Tuesday, May 31, 2005
7:37 pm

Aldo Castaneda is building an interesting little wiki entitled The History of Digital Identity as part of his research for a thesis about Open Standards and Identity Management Systems.

I became acquainted with Aldo when he responded to my blog entry Identity Provisioning Systems vs. Meta-Directories.

After a bit of email interchange, Aldo published an entry in his wiki entitled Sun Java System Identity Manager. (Scroll down to read the article.)

The same article also appears in his blog.

Keep up the good work, Aldo. We look forward to an expanding reference about this exciting field.

 

ESSO – Close Enough for Practical Purposes

Identity
Author: Mark Dixon
Tuesday, May 31, 2005
5:00 am


In his recent Identity Management newsletter, Dave Kearns commented on a panel discussion he hosted at Digital ID World with five Enterprise Single Sign On (ESSO) vendor dignitaries. Oops! Sun wasn’t represented.

The participants agreed that by “rolling [ESSO] out quickly, you not only show a fast ROI but you also make the ESSO project available as a building block for other things – such as regulatory compliance.”

Trying to get the participants to admit that full ESSO is still a way off, Dave stated, “the goal of having a “single” sign-on reminded me of Zeno’s Paradox. That’s the one that can be summed up as follows:

“Suppose I want to walk across the room to the door. First, of course, I must walk halfway to the door. Next I must walk half the remaining distance to the door. Then I must further walk half the remaining distance to the door. I’m still not at the door, though, so I walk half the remaining distance. But this will go on forever and I will never reach the door.”

Apparently, all of the participants thought they were already going through the door. Yet, the customers I talk to see the benefits and want to proceed, but see the ESSO implementation process as a long, potentially rocky road.

To me, the issue is like the old mathematician/engineer joke:

A mathematician and an engineer were both standing 20 feet away from this pretty girl when they were asked by another Zeno guy that if they could only walk half the distance to the girl each time what would they do?
The mathematician exclaimed “Zeno, I will stand right here because I can conclusively prove that I’ll never reach her”, whereas the engineer said, “I agree, but I can get close enough for practical purposes.”

I guess my engineering roots are showing. There is no paradox to me. If the object of my desire is compelling enough, I will be willing to live with “Close Enough for Practical Purposes” rather than perfection.

Such is the case with ESSO. Some of our customers wisely call their ESSO projects “Simplified Sign On,” rather than “Single Sign On,” because they realize that even partial ESSO will pay large business dividends. So, rather than getting all mathematical and “Zeno”-phobic, they forge ahead, laying foundations for the future while reaping rewards as they go.

Others fret and stew as they wait for utopia to appear. They may never be able to kiss the pretty girl.


 

Convergent Identity

Identity
Author: Mark Dixon
Monday, May 30, 2005
8:37 pm

Convergent: adjective “tending to move toward one point or to approach each other” — Merriam-Webster Online.

At one time in my life, I held six separate accounts with AT&T – long distance, mobile phone, personal calling card, corporate calling card, ISP and credit card. AT&T had no idea that the six different Mark Dixon accounts really belonged to the same person.

At that time, I was in a business development position with Oracle’s telecommunications industry vertical organization. We were preaching the gospel of Convergent Services – where the different operational silos in large telecom companies would cooperate across business unit boundaries, ostensibly enabled by Oracle’s database and application software products. In the simplest convergent case, a customer would receive a single bill with charges from all accounts. In the ultimate case, the services with the different accounts would interact in a more cooperative way (e.g. long distance on mobile and home phones would use the same infrastructure; purchases made via the mobile phone would be charged to the AT&T credit card.)

The benefits to the customer were to have been ease of use, superior customer support and billing simplicity. The benefits to a telecom carrier were to have been the ability to cross sell and up sell across business boundaries, less costly billing, improved customer service and “stickiness” — the ability to reduce churn by providing better service to an integrated customer.

Well, it didn’t work for me. I didn’t stick around. With only one AT&T account left, I’m lingering evidence of a telecom company too entrenched with the old ways to really grasp the new concept of convergence. Could that be why AT&T is so healthy today?

At the heart of this issue is the need for convergent Identity. Before AT&T could converge services, they needed to converge the Identities of their customers. They needed to understand that the six Mark Dixons from Arizona were really the same guy. Only as their systems were able to manage that concept could they begin to implement convergent billing and convergent services.

A similar problem exists within enterprises. A single employee may have Identity information stored in each of many different information systems. To each individual system, the employee’s Identity is unique, but the concept of a single, convergent Identity for each employee is beyond the scope of each system.

An Identity Management System like the Sun Identity Manager product enables convergent Identities. With such a system, a single Identity for each person is maintained centrally, with appropriate credential and privilege information being sent to other systems on a need-to-know basis.

This manage-centrally, provision-remotely model enables convergent Identities with a minimum of impact on the individual information systems or business unit silos. And convergent Identities enable better service to customers or employees, lower operational costs and new business opportunities.

AT&T take heart – there’s still hope! Come talk to us.

 
Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.