
Exploring the science and magic of Identity and Access Management
Thursday, February 5, 2026

Identity Manager – The Loudest Voice …

Identity
Author: Mark Dixon
Saturday, May 28, 2005
9:08 am


The definition of Identity Manager? “The Loudest Voice inside the head of a schizophrenic.”

  

So said Don McMillan, who bills himself as “the only comedian working in PowerPoint.”

At the Sun CEC conference in February, Don entertained us techies one night with arcane humor appreciated only by those who dream in Java or revel in the elegance of fine HTML code indentation.

My question to Don: What about the rest of Sun’s Identity Management product line?

What about Directory Server? Perhaps, “The guy at Mama Roma’s who brings a phone book for my kid to sit on.”

Or Access Manager? “That big, bad dude who guards the door to the back room at Mama Roma’s.”

Identity Auditor? “A shrink who tries to find the Loudest Voice.”

Don, you can use my suggestions if you wish. Or not. But a bit of advice for the next time you address a Sun crowd — use StarOffice.

 

Real ID – Mark of the Beast?

Identity
Author: Mark Dixon
Friday, May 27, 2005
4:13 am



I got a kick out of the subtle irony of the article “Real ID to Double as Credit Card! Low APR!” The best line: “George Orwell is not only rolling in his grave, he is doing the worm.” But then, as I thought some more, I almost cried.

I grew up in Southern Idaho, a place where idealism and individualism are hallmarks of real manhood. The thought that the government might unjustly usurp a bit of personal freedom was heresy.

Some old farmers we knew were convinced that the Social Security Number was the “mark of the beast” mentioned in the Bible (Revelations 13:16-17): “And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads: And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name.”

They predicted that the day would soon come when the government would have such control over the economic system that “no man might buy or sell” without using his social security number. The government would ask people to voluntarily have the SSN tattooed “in their right hand,” but if they refused, the government would forcibly tattoo their SSN “in their foreheads.”

I pooh-poohed the concept then. But now that we see Real ID emerging, maybe they weren’t far off.


 

LinkedIn Identity

Identity
Author: Mark Dixon
Thursday, May 26, 2005
6:20 am



In yesterday’s blog, I mentioned that I had been contacted by Curt Monash via LinkedIn. (Please note that most links in this blog require that you log in to LinkedIn. There is no charge to register if you would like to take a look.)

Curt had read my blog and posted a request for introduction through a common colleague, Kent Petzold, who passed Curt’s request to me. That’s how LinkedIn works – people passing requests through a network of acquaintances to other people who are of interest. In some cases like the Curt-Kent-Mark chain, only one intermediary exists. Other requests can pass through up to three people before they are delivered to the final destination. Any participant in the referral chain can choose to pass the request along or reject the request.

LinkedIn is actually an interesting case of user-managed Identity sharing.

Some users, like myself, choose to bare their souls on their LinkedIn profile so people can find them based on any facet of a diverse background. Others choose to expose the bare minimum of Identity information. Contact information is not shared unless a member grants specific permission. The distinction between contact information (private) and profile information (selectively published) allows people to be easily found, but not contacted without permission.

Users can either allow people to contact them directly, or can require that contacts be made only by referral. I used to allow anyone to contact me, until I received too many connection requests from people I didn’t know and with whom I had little in common.

People become “connected” if one person initiates a connection request and the other accepts it. Some people have many connections. For example, Ed Nusbaum, the Phoenix entrepreneur who invited me to join, has over 750 direct connections. Others are connected only to the person who invited them to join. I can find people in the LinkedIn universe who are up to four contact steps away from me. Theoretically, that is over 1.3 million people in my network (about half the LinkedIn total), according to LinkedIn calculations.

So, what has it done for me – other than provide an interesting exercise in evaluating social software? The results so far are admittedly limited. A few examples: I once found a consultant in Washington State who advised me on the merits of an interesting technology I had not heard of before. I connected with a prior colleague, Chuck Day, who is now a sales manager for a key Sun partner. I have connected with a couple of former co-workers whom I hadn’t talked with in over 15 years. It turns out that one guy, Steve Carter, is the lead architect for Novell’s Identity Management product line. And I connected with Curt Monash a couple of days ago.

I’m encouraged by the complementary interaction between my blog and LinkedIn. Both are mechanisms to expose information to a potentially large audience. LinkedIn publishes Identity information and blogs publish user-generated content, both in user-controlled ways. Both provide connection mechanisms without exposing private contact information. Both foster the formation of community among people of common interests. And the central thing that makes both work is people – individuals with unique identities and ideas who are reaching out to connect with the world.


 

Identity Provisioning Systems vs. Meta-Directories

Identity
Author: Mark Dixon
Wednesday, May 25, 2005
6:05 am


Yesterday, I was contacted via LinkedIn by Curt Monash, President of Monash Information Services and frequent editorialist at Computerworld.

Curt posed a question that spurred a bit of investigation on my part: “Are identity management systems running off of what we would regard as full metadirectory capability, or are they more limited? I know Sun was in the metadirectory game with mixed success.”

I’ll share with you the thoughts I shared with Curt. With the caveat that I do not have in-depth technical expertise in meta-directories, let me offer a few insights. I thank my colleague Nick Crown for assisting in this response. I have focused my comments on the Sun Java System Identity Manager (Sun IdM), rather than attempting to make architectural statements about other similar products.

The current Sun IdM product is a provisioning system; meta-directories are synchronization engines. The Sun IdM product has the capability to perform as a synchronization engine, but the opposite is not necessarily true.

A classic meta-directory is based on a join engine that aggregates and consolidates information that has been transferred or retrieved from several connected directories or other repositories. Such a system is designed to synchronize at the attribute level, with limited logic imposed in the synchronization process. The Sun IdM product is based on an Identity provisioning engine, which can synchronize at the attribute level, but more importantly, manages and synchronizes whole Identities. While an Identity can be described as a collection of attributes, this higher level of abstraction allows the Sun IdM system to perform additional business logic that would be difficult to achieve in a pure meta-directory solution.

The Sun IdM system takes synchronization a step further by allowing business logic and workflows to be inserted into the synchronization process. At the heart of the system is an engine that can do not only simple synchronization, but more intelligent processes as well. The Sun IdM product can therefore provide additional capabilities beyond what is normally expected from a synchronization system, namely user provisioning, password management, delegated administration, user self service, auditing and reporting.

The Sun IdM system also differs from meta-directories in that it manages references to Identities on different repositories, rather than maintaining a consolidated repository of all objects and associated attributes. This “Virtual Identity” capability enables scalability and ease of operation beyond traditional meta-directory architectures.
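As an added illustration (not part of the original post, and not Sun IdM code or any product's API), the Python example below contrasts the two models described above: a join engine that copies attributes into one consolidated entry, and a provisioning engine that keeps only references to accounts and applies a workflow-gated operation to the whole identity. All names, repositories and sample records are constructed assumptions.

```python
"""Constructed illustration of the two models; not Sun IdM code or any product's API."""
import copy
from dataclasses import dataclass, field

# Constructed sample data: repository name -> {account id -> attributes}.
_SAMPLE = {
    "hr":   {"e1001":   {"mail": "ann@example.com", "dept": "Finance", "status": "terminated"}},
    "ldap": {"uid=ann": {"mail": "ann@example.com", "dept": "Sales", "enabled": True}},
    "erp":  {"ANN01":   {"mail": "ann@example.com", "enabled": True}},
}

def sample_repositories():
    """Return a fresh copy so each run starts from the same state."""
    return copy.deepcopy(_SAMPLE)

def metadirectory_join(repos, join_attr, precedence):
    """Join engine: copy every attribute into one consolidated entry per join
    key. `precedence` lists repositories from most to least authoritative."""
    consolidated = {}
    for name in reversed(precedence):          # least authoritative first
        for attrs in repos[name].values():
            consolidated.setdefault(attrs[join_attr], {}).update(attrs)
    return consolidated

@dataclass
class VirtualIdentity:
    """Stores references to accounts (repository, account id), not their data."""
    name: str
    links: list = field(default_factory=list)

class Provisioner:
    def __init__(self, repos, approve):
        self.repos = repos
        self.approve = approve                 # workflow hook: (identity, action) -> bool
        self.audit = []                        # (identity, action, target, outcome)

    def view(self, identity):
        """Assemble the identity on demand from the linked repositories."""
        return {repo: dict(self.repos[repo][acct]) for repo, acct in identity.links}

    def disable(self, identity):
        """One identity-level decision, applied to every linked account."""
        if not self.approve(identity, "disable"):
            self.audit.append((identity.name, "disable", None, "rejected"))
            return []
        changed = []
        for repo, acct in identity.links:
            account = self.repos[repo][acct]
            if account.get("enabled"):         # the HR record has no login to disable
                account["enabled"] = False
                changed.append((repo, acct))
                self.audit.append((identity.name, "disable", f"{repo}:{acct}", "done"))
        return changed

def hr_terminated(repos):
    """Business rule for the workflow hook: HR must list the person as terminated."""
    def approve(identity, action):
        return any(repos[r][a].get("status") == "terminated"
                   for r, a in identity.links if r == "hr")
    return approve

if __name__ == "__main__":
    repos = sample_repositories()
    merged = metadirectory_join(repos, "mail", ["hr", "ldap", "erp"])
    # Attribute-level result: the consolidated copy is "terminated" and "enabled" at once.
    print(merged["ann@example.com"])
    ann = VirtualIdentity("ann", [("hr", "e1001"), ("ldap", "uid=ann"), ("erp", "ANN01")])
    idm = Provisioner(repos, hr_terminated(repos))
    print(idm.disable(ann), idm.audit)
```

The join leaves the source accounts untouched, so the terminated user's LDAP and ERP logins stay enabled; the identity-level `disable` closes both and records each change for audit.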

Sun’s decision to end sales of the Sun One Meta-Directory product was coincident with the acquisition of Waveset, with its Lighthouse product, which has since evolved into the Sun IdM product. Sun stated, “More and more of our provisioning and meta-directory customers are seeking to manage all facets of identities – from accounts to profile data to identity attributes – and are looking to do this with a single solution. Sun has listened to its customers and is introducing a single solution to provide all of this identity management function. In addition customers have the benefit of a single deployment, a single set of connectors to your enterprise applications and directories and a single vendor to work with. We believe this reduces the total cost of ownership for customers by reducing the number of products to be deployed and maintained in your environment.”

 

Use Identity Brakes to Go Fast

Identity
Author: Mark Dixon
Tuesday, May 24, 2005
6:05 am











The May Edition of Sun’s Executive Boardroom featured Sun Identity Management Vice President Sara Gates encouraging corporate leaders, “Don’t Sacrifice Growth for Security.”


Sara proposed, “Many folks think that identity management is fundamentally about security, but it is a business solution as well. The question I pose is, ‘Why do cars have brakes? It’s not so they can stop. It’s so they can go fast … Security is becoming the brakes on the car. You put it in place not only to keep things secure but to go as fast as you need to, to drive your online business and partnerships … Ten years from now, security in the corporate world won’t be driven by fear. It will be driven by a need to accelerate the business at new speeds.’”



The traditional view of information security placed it at odds with business operations. On one hand, information security strategies favored locking the business down – making it very difficult for intruders to penetrate available defenses. On the other hand, business operations strategies favored a much more open view – make it easy for customers and partners to reach us so we can do business together.



Viewing Identity Management as a business enabler rather than just a cost-reduction vehicle or compliance assistant allows us to think beyond the constraints of how we do business now. Just think of how many more customers you could serve, how many more services you could deliver and how many more partner relationships you could leverage if you knew that identities of all participants were highly secure but highly connectable!


By the way, while reading Sara’s article, I found Sun’s Identity Management Resource Center, a great resource for reports, white papers, case studies and more about Sun’s Identity Management products. Enjoy!


 

Passion for Identity

Identity
Author: Mark Dixon
Monday, May 23, 2005
7:30 am











“You can buy a man’s hands, but not his heart.” – E. James Lunt.


Jim Lunt taught me that principle as we were discussing one of our employees who consistently went above and beyond the call for our fledgling company. This employee’s passion for excellence yielded results we couldn’t have paid two men to accomplish.

In early 1996, I had joined Jim and Brent Payne to found MediaPaq, Inc., to market software which was essentially a digital photo album. We didn’t get much traction in the retail market because there weren’t enough digital cameras to create enough photos to convince people they need to get organized. But we were able to sign up a few OEM partners and ended up selling the company to one of them.


The subject of passion led me to MediaPaq. In 1995, I was managing a team of Microsoft-certified trainers for a great little company in Phoenix, AZ. Arnie Kuenn, now CEO of MediaChoice, had founded MIDAK and led it to be the premier training center in Arizona. Passionate for excellence himself, Arnie consistently looked for ways to improve his business. One day in the fall of 1995, he accompanied the management team of MIDAK to a local movie theater where we viewed a set of lectures broadcast live from some distant location. The three speakers were Stephen Covey, Denis Waitley and Tom Peters. Quite a high-powered trio!


I particularly remember Tom Peters getting visibly and vocally passionate as he challenged us to follow the passion in our own lives. As he spoke, I looked down the row at Arnie. At that moment I realized I could give his business my hands, but not my heart. I would continue to do a great job leading his instructors because that is what I was hired to do, but my heart was not in the technical education business.


It wasn’t long before the MediaPaq opportunity presented itself. As I struggled with the decision of leaving an established company to launch a new venture, my 14-year-old daughter, Heidi, left a note on my pillow. She encouraged, “Dad, follow your heart. We’re behind you all the way.”


Last week, I was intrigued by reading P.T. Ong’s blog entry, Why I am passionate about Digital Identity. He speaks of an "ideal future" that "fuses the utopia of security, privacy, and choice," and addresses what the digital identity community must do to approach that ideal. This sounds like a man who is giving more than his hands to his work. His passion has led him to assemble a valuable weblog site with links to a vast array of Identity Management resources. Heart plus hands. I like that.








 

InfoCard(s)

Identity
Author: Mark Dixon
Friday, May 20, 2005
2:02 am


Thursday afternoon, I listened to Kim Cameron via the ITConversations website, discussing his concept of InfoCards against the backdrop of his 18 years of experience in the Identity world. I even found his picture!

Kim’s major conjecture was that just like the directory space is inherently multi-centered — we will always have more than one repository for information – the identity world is also inherently multi-centered — Identity Management will never be centered in a single enterprise or organization. Just as the multi-centered directory reality gave rise to the meta-directory concept, the multi-centered identity reality demands a meta-identity infrastructure.

I have two favorite sound bites from the talk. I chuckled at the first: “People can have multiple identities.” Perhaps we should call that “Digital Schizophrenia.” (My term, not his.)

I enthusiastically applaud the second: “Simplest technologies win.” This is sound advice from the company that once bragged about how Windows 2000 was the most complex engineering feat in the history of mankind. I was with Oracle when Bill Gates made that statement at a Wireless Telephony conference in Europe. Larry Ellison immediately followed Bill at the speaker’s podium and, as only Larry can do, discarded his prepared remarks and lambasted Microsoft for championing complexity over simplicity.

Interested in learning more about InfoCard, I did what many of you have probably already done – I Googled InfoCard. (Please note that Microsoft is scared of Google.)

In ZDNet News’ article, Microsoft revisits Passport with InfoCard, Joris Evers aptly introduced the subject by observing that “The software leviathan has launched a preview of its next identity-management offering, and is hoping it is more successful than its last attempt in the space.”

In his article for InternetNews.com, Microsoft Examines InfoCard Framework, Jim Wagner stated “InfoCard is an identity meta-system that will initially incorporate everything from user names and passwords to smart cards to X.509 certificates, as well as new technologies created through the Liberty Alliance and other technology groups.”

Johannes Ernst provided a more interpretive view in his blog entry What is Microsoft InfoCard? He provides a sample use case and lists the protocols and standards he believes InfoCard will employ.

Scott Mace observed in his blog, Kim Cameron’s Infocard project, that Microsoft is making overtures towards being more open than ever before: “It’s a much more open world at Microsoft these days … customer pressure to provide truly open standards keeps building every day.”

Mike Rowehl’s Bitsplitter Blog was more cynical: “Microsoft wants to play? Cool, welcome to the game, nice to have you. The game might be played a bit different than what you last remember. These days the game is about conversations, and trust is built through interaction directly with the people whom you desire to win trust from.”

As we all become more informed about InfoCard, I do have some cautions for Microsoft:


InfoCards already exist in CD format.

In the Vanderbilt University Library, “all bits of information in the data library have an associated InfoCard.”

InfoCard is available exclusively from InfoSeal.

And InfoCards are cheap – less than three bucks from En-Route Travelware. What is more, you can “wear the InfoCard inside a zippered pocket.”

Remember, “Simplest technologies win.”

 

Putting Rubber on the Identity Management Road

Identity
Author: Mark Dixon
Thursday, May 19, 2005
1:58 am


My work as a Practice Lead in Sun’s Identity Management Practice is putting rubber on the road – making sure our Identity Management deployments really deliver for our customers. In the pit lanes where I work, we tend to think more of how to make today’s products work today within the confines of a limited deployment schedule and budget than what new products and technologies may emerge next year. The pressing challenges of satisfying user acceptance tests and solving data load problems usually supersede theoretical interchange. The color of the day is usually asphalt black, not sky blue.

However, I enjoy the stimulation of forward thought. Today I finished reading a white paper authored by Kim Cameron, Architect of Identity for Microsoft, entitled The Laws of Identity. He proposes a “unifying identity metasystem” that isolates applications from the intricacies of Identity Management much like device drivers isolate applications from the details of printers or other devices. He outlines Seven Laws that should govern such a metasystem.

Clearly, Kim is speaking of tomorrow’s technology and products, not today’s. Theoretically speaking, he makes some good arguments. I’ve actually got a few things to say about some of his observations, but I’ll address those individual issues in a later blog.

As I read about the Seven Laws, I thought of recent comments by Jamie Lewis, CEO and Research Chair of the Burton Group. He likened an Identity Management framework to an asphalt road and challenged vendors to “quit arguing over how to build the road, settle on what asphalt formula we’ll use, and focus instead on building the interoperable solutions that solve a real problem, which customers will want to buy.”

He went on to say, “And in that light, the interoperability profile for Web-based SSO between Liberty and the WS-* frameworks that Sun and Microsoft announced today are certainly encouraging.”

Kim actually commented on Jamie’s thoughts in his blog.

So … On one hand we have a challenge to the Identity community to build a unifying metasystem. On the other hand, a challenge to focus on pragmatic, interoperable solutions.

The article that tied these two issues together for me was entitled “The hottest business you never heard of” by Jon Oltsik of CNET. He projected that, “In three to five years, every large organization will have an access management middleware layer that knows the identity of every user and device, and manages who can talk to what, when and how.” How is that for forward thought? But Jon tempers that optimism with a realistic view of steps companies need to take to achieve Identity Management success — like establishing specific Identity Management Strategies, forming cross-functional “access management committees,” defining project phases and developing metrics to gauge success. These are basic, practical, but often messy rubber-on-the-road business activities that have as much to do with Identity Management success as the technology available to deploy.

I am currently collaborating with my peers on a document that will most likely emerge with a title something like “Ten Best Practices for Identity Management Implementation.” It could be called “Putting Rubber on the Identity Management Road.” Stay tuned for more.

 

Identity Theft

Identity
Author: Mark Dixon
Wednesday, May 18, 2005
6:01 am

Take 5 and reward yourself today by reading a great little satirical piece from the Onion: Arizona Man Steals Bush’s Identity. I hope you chuckled as much as I did. [Unfortunately, the Onion put this article into their archives, accessible only by paid subscribers. Sorry about that.]

It has been almost a year since President Bush signed the Identity Theft Penalty Enhancement Act. In the official news release, he stated that “nearly 10 million Americans had their identities stolen by criminals who rob them and the nation’s businesses of nearly $50 billion through fraudulent transactions.”

This same statistic was mentioned in Deputy Assistant Secretary D. Scott Parsons’ remarks before the Identity Management in Financial Services Summit in Scottsdale, Arizona, on May 16th.

Yesterday, I made a quick calculation based on that 10 million number and personal experience:

Two years ago, my wife’s purse was stolen out of the kitchen at our church, where she was attending a woman’s meeting. It turned out to be a professional job. Within an hour, over $700 of goods had been charged on her credit card at a local store. Over the next several days, the perpetrators successfully forged her signature and mine on several checks to purchase gift cards and merchandise at large local stores. The man and woman team was finally caught and prosecuted, but the process to cancel credit cards, change bank accounts, provide fraud affidavits, place fraud alerts on all our accounts and speak with the police department representatives was exhausting. This photo shows the stack of paper generated during the process. You can only imagine the time it took to generate and chase all that paper.

So, here’s the calculation … If all 10 million Americans whose identities had been stolen generated this much paperwork on the average, it would fill a file drawer 158 miles long, stretching farther than from Phoenix to Flagstaff (for those of you familiar with the Arizona landscape). And I didn’t even include the paperwork kept by the merchants, banks, credit card companies, credit bureaus and police departments. Talk about a drag on our economy!

Of course, not all cases are this complex — like the time I got a call from Visa asking if I authorized an online transaction to ship $1800 worth of pharmaceuticals to Nigeria. But many are worse. The issues are complex and challenging. We in the Identity Management industry will play a large role in conquering this problem.

 

Identity and Location – Take 2

Identity
Author: Mark Dixon
Wednesday, May 18, 2005
5:40 am

Thanks to Pat Patterson for pointing out that “Location is certainly an attribute of identity; in fact, Liberty published the ID-SIS Geolocation Service Specification in April this year. The Geolocation Service makes a user’s current location available (with the user’s consent, of course!) to other web services. So, for example, wireless subscribers could receive a daily SMS on their cellphone giving them the weather forecast for their current location.”

By coincidence, a local Phoenix television station ran a segment Tuesday evening on Tracking your Teenagers with GPS.

If anyone knows of location-enabled applications that combine virtual directory services and GPS, please let me know.

 
Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.