Mark Dixon nailed it with his post on software being only a part of identity management. He sums up with two great points.

1. Accept the fact that Identity Management projects are inherently complex. This is not because the software to be implemented is complex, but that Identity is at the core of how a business is operated. Many people will use the system. Many disciplines must be involved in making it work.

Everyone out there about to embark on an IdM project: read his first sentence. When you are knee deep connecting legacy applications, figuring out which workflow deleted your CIO’s email account, and determining which challenge response questions will pass Legal’s muster, remember that sentence.

Identity being at the core of how business operates is a subtle point. Those of us who have been working with aspects of identity, and certainly those trying to implement IdM products, see how identity is core. But… For the other 98% of the world, this isn’t so obvious. Yes, identity management requires multiple disciplines. People that you never thought would touch the system end up being integral. But I have to disagree… The software to be implemented is complex. This is not because vendors have low quality products or difficult interfaces. Just look at provisioning or password management products. Consider that they all have workflow engines, notification systems, cryptographic engines, and data transformation and transportation components. Any one of these on its own is a product unto itself. Just because they are unified components does not make them any less complex. This complexity isn’t inherently bad, but it is something you have to be ready for.

2. Don’t skimp on dynamic project leadership. Projects like this, with many stakeholders and inter coordination, demand strong communications skills and relentless, proactive attention to detail.

Yes! Yes! Yes! Good project leadership, especially good project managers, is critical. I know a couple… but their utilization rate is higher than their blood pressure.

While I am on the subject of identity management and implementations, I wanted to introduce Mark MacAuley. Mark joined us at the beginning of the year and brings a wealth of identity experience along with him. Great to have you aboard, Mark!

Looking back to look forward: Thoughts on HP acquiring Trustgenix

So another player in the identity market has been absorbed. HP is acquiring Trustgenix. Reading Andre’s blog entry on this subject got me nostalgic. Maybe it’s the season. Maybe it’s the leftover turkey’s tryptophan.

Being part of the 1st generation of user provisioning tools in the market, and having been acquired by a “suite” vendor, I’ve had a ringside seat to watch the industry expand and contract. There was the first wave of expansion with Access360, Business Layers, Waveset, BMC for provisioning and Oblix, Netegrity, Securant, DASCOM, Entegrity for web access control. There was Courion and M-Tech for password management. Among the meta-directory group you had iPlanet, Novell, Siemens, Zoomit. OctetString and RadiantLogic were there for virtual directory services. Then there was the first major market contraction. The bubble had burst. We had blown through our cash. The dreams we had of making a squillion dollars vanished… now we had to actually work for our money. In this first major contraction, we saw CA eat Netegrity who ate Business Layers. IBM swallowed Access360, DASCOM, and Metamerge while Sun consumed Waveset. RSA bought Securant. Microsoft got Zoomit. Oracle bought Oblix and, recently, Thor and OctetString. (The ink has barely dried on this one but I consider it the tail end of the first market contraction.)

As the first market contraction was going on, the second wave of expansion was beginning. This centered around web services, federation, SOA, and the like. In this second wave, there are players like Trustgenix, PingIdentity, Sxip, SOA Software, Layer 7, Symlabs. We have started to see the second contraction as HP acquires Trustgenix. There will be more to come. The real question is will the identity suite vendors buy companies from this wave, or will more traditional middleware vendors snatch these players up? Federation and web services deal more with a business interaction as it happens. They deal with identity issues on the fly. Vendors from the first wave focused on the setup and tear down of identity around the business interaction. The BEA Weblogics and IBM Webspheres of the world deal with business interactions in flight and probably are more interested in the second wave vendors than the pure identity suite vendors.

What’s going on now? The third wave of identity is rolling along now. The third wave focuses on activity in applications, information governance, identity in the network, and role / privilege analysis. Here we find us, Eurekify, Bridgestream, Prodigen, Tizor, Consul, Virsa, and others. This wave brings a new perspective, an identity-focused perspective, to old subjects like network and application activity. This new perspective was long in coming.

Where is this market going? We have yet to see a second and third wave of contraction in the market, and we are bound to. The quest for the complete identity suite is winding down as vendors realize how hard it is to stitch together all the pieces they need. Instead of unifying policy tools, we’ll get unified reporting in the name of compliance. Business orchestration tools will consume a lot of the federated and SOA players out there.

As one vendor gets absorbed into another, new ones spring up. We are starting to see a lot of activity around reputation, portable identity, Identity 2.0, etc. As this market matures, it keeps getting more and more interesting.

A me shaped hole in the web and other thoughts from Internet Identity Workshop 2005

There’s a hole in the web
The web has a hole in it. That hole is shaped just like me. Anyone, with sufficient time and desire, could find the scattered bits that make up my composite identity and pour them into the hole. Between Google, Zabasearch, Technorati, and others you could fill the me shaped hole in the web.

But then again, I can do the same with the you shaped hole in the web.

And if we can do this with free or nearly free tools, just imagine what you can get with a little cash and some research. (Maybe this thought ought to be titled, “How I learned to stop fearing Echelon.”)

So how can I prevent you from filling the me shaped hole in the web? I could attempt to change the shape of the hole. The problem is that in order to do that I have to change myself. Since this isn’t a self-help blog and we really don’t have time to delve into the vast array of my quirks, let’s move on to another approach. What if I could somehow generate more scattered bits about me than could fit in the hole? More me than is really me? If I could flood the usual channels with bogus identity information that was close enough to me to fool systems that you use to triangulate me and fill the me shaped hole, then I could make it impossible to tell the bogus bits from the real ones. You couldn’t be sure that you really filled the me shaped hole with real me bits. (By the way, I am in no way endorsing some sort of strange identity-based breakfast cereal… Me Bits, Now with more self-asserted claims!) The best place to hide something is in plain sight.

In order to mask myself from the web, instead of trying to remove all my bits from the web, I flood it with more me than is me. (This is starting to sound a bit like Smith from the second Matrix.) What I am rambling about here is a pink noise generator for identity. On an individual basis this is a little impractical. I’d have to spend a bunch of time and effort trying to create the systems to generate a me-flood. That isn’t going to happen any time soon.

But what about communities I belong to? Would the hosts of my various communities create the technology to mass produce their members on the web as a value-add? Would you join a group which offered the ability to mask you or your membership from the web by making a you-flood?

I have to thank Jan Hauser for the impetus for this one.

I don’t get it
Why are the identity problems of the enterprise so different from the individual? It became immediately obvious to me that my past experience in enterprise identity management was not going to be directly applicable to the issues and use cases that IIW2005 was addressing. The identity needs of the individual are clearly different than those of an enterprise comprised of individuals. Fair enough. But why is there such a gap?

If you examine an employee in an enterprise do they have similar identity problems to private citizens? An employee and a citizen (I am using citizen here to represent a regular user like my grandfather) clearly operate in different contexts. I think the SocialPhysics gang would say that this difference in context is the root of the difference in identity needs.

It just strikes me as odd that all the good work of Sxip, NetMesh, OpenID, and their kin doesn’t seem to merge with the hard work of Sun, IBM, Novell and their kin. This inside versus outside of the enterprise context really eats at me. This division between the two seems artificial.

Make identity issues meaningful
It’s great that there are groups like the Identity Gang. They care about real meaningful issues.

But those issues that are meaningful to those familiar with them are often hard to explain to outsiders. (And let’s not forget that the outsiders here are 99.999% of web users.) Sometimes you have to turn to outside sources to help explain issues that mean a lot to you. I think that Dick’s presentation is great for doing just that. I also think that this video from Red Versus Blue (sorry for the wmv file) does much the same… with the added bonus of guns, herbal Viagra, and Halo goodness. Enjoy.

Thoughts on the Internet Identity Workshop 2005 Day 1

Overall, I am really enjoying this workshop. It serves as a great high speed primer for a variety of identity issues and technologies.

Some highlights from the presentations so far:

Doc Searls – Identity in the marketplace: The Rise of Fully Empowered Customer
It’s always good to hear Doc give a talk. His belief that the web is a marketplace, a place for business and culture, definitely has a Diamond Age feel to it. His example of customer freedom from vendor CRM shackles is an interesting one. Though his example of renting a car is certainly valid and demonstrates the reverse nature of our world today, I’d love to get the vendors’ perspective on this. There are a few people from Yahoo in the audience and I am sure that they have some strong opinions about the freeing of identity.

Brad Fitzpatrick – OpenID

Brad put on the best show of the day, by far. It was a very Dada affair full of self-criticism. It was a simple talk about how OpenID works and why it does what it does. A simple tool for a specific problem… frickin’ brilliant. OpenID is a way to prove you own a URL using an identity provider you trust. Fairly simple. I sat there wondering why, when we see a simple solution, we say, “That’s all it does?” Why is it that we seem to always want some grandiose solution to a massive problem? What happened to elegant, simple solutions to problems? For that matter, what happened to problems that can be expressed in a few words and not an onslaught of slides?

Paul Trevithick – Social Physics and The Higgins Trust Framework

Paul and co’s work has led them to the conclusion that there is no identity independent of context. Context is the real king here. Not individual demographic attributes. Not roles. Not protocols. It is the context of interaction between users, trusted parties, vendors, etc. that is the real domain of identity.

I applaud the group’s work around creating the Framework. It is an abstraction layer that helps tie the vast array of user information to contexts appropriately. Paul’s honesty that implementations are hard was definitely a welcome admission.

After hearing his presentation, I was a little annoyed that I hadn’t heard of this before. You’d think if you have read my Shadows of Identity piece that I would have already been versed in Higgins. Nothing could be further from the truth. Strange how things happen sometimes.

Other thoughts:
Although these presentations today do not represent the entirety of the identity world, they are a sketch of the problems and solutions out there. It seems to me that there is so much attention to possible solutions, technologies, protocols, and the like that we are losing sight of the problems we have set out to solve. To me, there are two general classes of problems. First, there are the problems of an individual. How do I manage my identities out there? How do I describe what data about me I will allow to be disclosed? Who can get that data? The second class of problems is relationship-based, where the relations involve more than two parties. How do I share my preferences and needs with an entire market? One question I keep coming back to is, if we figure out a way to solve both classes of problems, who is going to pay for it?

