For those of you following the progress of my book Virtual Identity, I just completed Chapter 3 Evolving The IAM Architecture, and would like to offer a preview of the goodness to come.
Addressing IAM effectively requires that the organization be able to understand and engage with a dynamic, changing and complex business environment. The IAM architecture must evolve to integrate easily with cloud applications, federate with partners, support multi-factor authentication and enrich authorization and access policies. Whether your organization likes to be agile, adaptive or lean, the IAM architecture must evolve to support the growth mindset that charges the business to increase revenues, improve efficiency, achieve regulatory compliance and embrace new operating models with the cloud and services in mind. All the while, the IAM architecture must evolve as the business evolves, taking the following opportunities into consideration:
The opportunity to transform the IT operating model from legacy to ITaaS
The opportunity to securely integrate with partners and 3rd parties, extending operations outside of the corporate network to business networks for distributors, resellers and developers
The opportunity to replace legacy IAM stacks with more cost-effective tools appropriate to the needs of the business
The opportunity to apply IT policies consistently from server farms and infrastructure to databases, ERP and HR applications, enterprise portals, mobile applications and the growing number of SaaS applications utilized by the organization
The opportunity to bring monitoring, threat modeling, threat detection, remediation and governance to SaaS
These opportunities are not to be overshadowed by the threats and vulnerabilities facing organizations today, many of which were discussed in Chapter 2 Security Driven IAM. From an architecture perspective, we need to expect that nothing short of massive scale, security and governance of IAM will allow organizations to realize the full potential of IAM and GRC initiatives, integrating important high level capabilities as shown in the following figure, The Venn of IAM and GRC.
I have been seeing a lot of articles like this lately, and it seems everyone might think the sky is falling. The truth is, the smart IT guys will just move on to IT in the cloud. I really don’t think a battle is being lost here, because the business wins, and shareholders in IT win too. As governance goes, we need better visibility and control of applications and data inside the firewall as well as across the SaaS (PaaS, IaaS, et al.) ecosystem.
I have sort of been talking about this for a while now. If there is one thing we should be talking about more as an industry, it is that we need better governance, and that integration, management and security should be shaping our priorities; let’s stop all the whining about the end of IT.
I love classical music and I love a Gustav Mahler symphony even more. Symphonies, to the uninitiated ear, can sound a lot more like noise than music. To the music lover, a symphony is an expression of art in the highest form, a source of great pleasure and beauty to behold.
One of my favorite composers of all time, Gustav Mahler, has been a source of inspiration to me since I was introduced to his work (and in particular his 5th symphony) by the Pastorinos of Glenn, CA (Ellen is the former music teacher at Willows High School) in 1994 and that has fueled an interest in all kinds of classical and symphonic music. Ever since, it has been a rich source of inspiration with interesting parallels to the career I landed in a few years later.
Broken into groups of players such as horns, winds, basses, trombones, cellos and so on, a symphony is a complex arrangement of instruments, harmonies, acoustics and emotional content. The resulting works in the hands of a director such as Gustav Mahler are his earth-shattering 5th Symphony or his 8th Symphony, the “Symphony of a Thousand”, which takes an impressive amount of vocal talent to pull off. In The Vintage Guide to Classical Music, Jan Swafford describes the impact of his work on the music world:
After Mahler, there was little choice for composers but to cut back in scope and size.
His life’s work culminated in his competitors deciding there was no point trying to make the symphony sound any bigger than Mahler had. His work brings to a close the big symphony of the 19th century and opens the door to the smaller, more intimate quartets and soloists of the 20th century.
From Symphonies To Systems
Shawn Hunter, in his excellent book Out Think, draws the connection between the symphony and the complex networks of today:
Symphonic thinkers see the big picture; they look at the whole system and take their information from a variety of sources. They take a multidimensional approach to solving problems, seeing connections, and finding effective solutions.
The Internet, the connected devices and the amount of trust we place in them every single day have grown to such a profound proportion that there is no shortage of valuable targets for hackers and identity thieves to go after and compromise in order to gain attention, information, power or money. As much effort as businesses and individuals put into protecting themselves and stakeholder, customer and employee information, there continue to be daily revelations about new compromises, hacks, thefts and the like that undermine trust in the network, compromise personal information, cause public companies’ stock prices to lose value, force companies out of business and in some cases endanger citizens.
The systems for Identity & Access Governance are no less complex. They have risen in importance and complexity out of necessity from the digitization of our lives and of interconnected business. Once the taste of e-commerce, social media and networked devices is experienced, it stays with those who partake forevermore. We cannot reverse the transformations that technology and the Internet have brought upon society; the force of control, profit, efficiency and knowledge is far too great for us to ever go back, short of a horrific act of terrorism or cyber war.
Choose whatever descriptive word for complex systems you wish: constellation, calculus, symphony, etc. To be effective, the future demands that we have much faster and far better connected systems for managing policies, users, resources and systems, and that we adopt processes and disciplines that steadily drive risk and danger below where they stand today. The enemy brings with it an element of surprise, so a high degree of organization and connectedness is the price of admission. Advanced systems and tools such as SIEM, honey pots, big data, access re-certification processes, adaptive and multi-factor authentication schemes, automated on-boarding and off-boarding, and what Forrester calls “Zero Trust Identity” are increasingly critical parts of the enterprise Identity & Access Governance framework.
Whether you like symphonies or not, they suggest more humanity, irrationality, unpredictability and passion, on the same emotional scale that hackers use to try and compromise your network, than any of the other metaphors do. I don’t think it’s any coincidence that Beethoven’s 5th symphony was the soundtrack in the scene in White House Down where Skip, a black hat hacker, had taken complete control over the military defense system. Argumentum ad absurdum, perhaps. Don’t wait for your network, applications or information to be compromised to take it seriously.
„Meine Zeit wird kommen“
Translated from German, one of the most quoted phrases we have from the life and work of Gustav Mahler is “My time is yet to come.” The future is serious. The cost of playing offense with effective Identity & Access Governance is almost always worth more than doing nothing. There is nothing of value to be gained if an organization will not make it a focus and find its strategic place in corporate priorities. Gustav Mahler’s time might in fact still come if your organization continues aggressively building its own Symphony of a Thousand Tongues. The careless ones, the slackers, the tired ones, and just maybe those who have their heads too far in the cloud might very well end up with something more like a Symphony of Sorrowful Songs if the program is not embraced with a greater sense of accountability, focus and optimism.
Thanks, and all the best to you and your IAM program in 2014! As always, your comments and questions are welcomed in the comment section of this post.
When I am not at work thinking about solving tough issues in Cloud & Enterprise Identity & Access management, I have music on my brain. Music has a way of calming frayed nerves…yet it also has a way of inspiring moments of pure genius. This is one of those times for me. Or maybe not – you be the judge.
Doesn’t anybody stay together anymore
I wonder why, doesn’t anybody stay together anymore
Oh I wonder why, doesn’t anybody stay together anymore
– Phil Collins, Doesn’t Anybody Stay Together Anymore
The past two months I have been working with security gateways for integrating disparate systems via a token exchange service. These devices can go by many different names: Access Bridge, STS, Concierge service (shout out to Peter Davis/Neustar and Chuck Mortimore/SFDC for this one during a brainstorming session I convened at IIW here), or however you want to call it. Try as we might to get every business on board with SAML2, OAuth2, OpenID Connect, et al., it is not practical to expect that at some point in the near future any one of these protocols will enjoy ubiquitous success across the entire Internet (cloud, enterprise, mobile), as Sir Phil Collins might opine if he were part of the Identerati: Doesn’t anybody use IdM standards anymore?
Give me a clue! What will I choose?! What will I choose??!!
This past weekend on a daddy/daughter outing with my brilliant 5 1/2 (almost 6) year-old daughter Molly, we made a stop for some candles at Pier 1 – notoriously one of daddy’s favorite stops. Molly was on her knees in the tiny little toy section, obviously conflicted about whether to spend her last $2 on a gift for her mommy or her daddy. I heard her singing (what I thought to be the lyrics to a musical of some sort but which turned out later to be her own improvised lyrics) “Give me a clue. What will I choose? What will I choose?” and I was immediately drawn into her world of conflict.
On any given day, that is the lyric of my life when evaluating vendors or projects that want to integrate with VMware Horizon and who don’t support SAML, or when trying to find a way to scale partner SSO without SFDC being brought into the picture. My fellow VMware employees may hear me singing the lyrics of my daughter’s lament down the hallways at Hilltop: What will I choose?! Standards? Custom integration? Vote against the project? That is a lot like how an IT shop really works, until now. Now that we have choices via an STS (access bridge, service gateway, etc.), we do not have to limit ourselves to supporting and standardizing access control on a single protocol. So the question I pose to the Identerati specifically and the industry in general is: do IdM standards even matter anymore when we can use an STS or an access bridge to integrate disparate systems with different access protocols?
Come As You Are
Come as you are, as you were
As I want you to be
As a friend, as a friend
As an old enemy
– Nirvana, Come As You Are
And then it hit me again. Another musical lyric that resolves all of the mysteries of the IAM universe brought to us by Alternative music royalty Kurt Cobain in his immortal lyrics.
So I couldn’t help but imagine that this ought to be our philosophy when it comes to designing an access control system for a multi-billion dollar, multi-national enterprise such as VMware and others out there. How do you think 85% of the virtualization market would respond if VMware restricted the ability to log in to the vSphere console or the My VMware portal to an X.509 certificate or a biometric password and nothing else? This concept was perhaps first ingrained in my head during one conversation I had with the mind behind the Salesforce.com Identity platform, Chuck Mortimore. His emphatic recommendation, as far as I can recount, was to always keep it based on URL, as if to say that he has achieved a sort of protocol-agnostic nirvana state for authenticating users into Salesforce. If you are an SFDC developer or if you have talked with Chuck about this topic before, then I trust that you, too, find some merit in his argument. You can access your apps and data at SFDC however you want, as long as it’s username/password, SAML, OAuth, OpenID Connect, et al. If you cannot choose one protocol, why not choose them all? With many different products in today’s marketplace, there is a mind-numbing amount of access protocol support for authentication nicely wrapped into a soft appliance.
Come to Me, all who are weary and heavy-laden
And then it also occurred to me that if Jesus were one among the Identerati, do you think he would say “Come to Me, all who are weary and heavy-laden, and I will give you rest” as though inviting closure to the on-going debate within access management standards and freeing up some of the bright minds working this age-old problem to work on new challenges? Maybe there is a role-based access governance problem that is worse off than the state of access protocols. Or when is the last time you ran an access re-certification or access audit in your organization? Is your privileged access management program a sound and effective one?
So that, then, is how I presume the world of Identity & Access Management to be according to three celebrities from the ancient to the modern world. The world of IAM according to Sir Phil Collins, Kurt Cobain and Jesus. I will be headed to the Gartner IAM conference in November if any of you want to meet up and debate the fine points of the intersection of IAM, music and theology.
If you are passionate about this subject and have a unique perspective to add to this thread, will you please do so?
It’s been a hectic week as more than 20,000 folks landed in downtown San Francisco for VMworld this week. VMworld has grown to nearly the same scale and grandeur as Oracle Open World, and though not quite there yet, it is big enough that it seems time stands still, meetings are postponed or cancelled all week and generally one falls behind on any time-bound activity.
The new reality for VMware in the last 1-2 years has been one of intense focus on, and re-balancing of resources toward, infrastructure and cloud management technologies. In other words, for an Identity Management guy or gal there might not be a lot of interest for you at VMworld this year. Then again, you might be surprised. In Pat Gelsinger’s keynote he made mention of the user-centric future of Identity in the cloud as “Policies that follow users, not devices.” So today with regards to authorization we have SAML grants and OAuth scopes (great explanation here), which deliver a powerful combination of authentication and authorization for cloud applications and resources. The challenge we face today is that (still) not all applications have a robust implementation of SAML or OAuth to fully realize Pat’s vision (yet!!). If you were to use Pivotal’s Cloud Foundry and deploy your apps in the cloud, or eventually VMware’s vCHS, you will perhaps discover a delightful world where the utilities for SAML and OAuth authentication and authorization are built into the platform. Or wouldn’t it be great if these capabilities also existed in the vSphere Suite for the apps you deploy in your private and hybrid clouds?
Security & Compliance for vCloud
Also at VMworld, I was delighted to learn about some amazing research in a session I attended called VMware Compliance Reference Architecture Framework Overview (by Jerry Breaud and Allen Shortnacy), including a reference architecture and guidance for security and compliance for your vCloud infrastructure. Security and compliance concerns prevent many of VMware’s customers from advancing in their cloud journey. So it is with the security and compliance accelerator program and the technologies in the VMware Partner Network that customers can confidently architect and deploy secure and compliant cloud solutions. In 2010 I presented how the virtualization layer was a superior vantage point for managing your Identity & Access infrastructure (presentation here); this year VMworld brings resources to market, again with the hypervisor as the vantage point, for achieving a more secure and compliant organization. For example, there are scanners that will inspect your .vmdk files to search for exposed credit card data and provide assurance for PCI compliance!
For more information about VMware Security and Compliance Solutions including whitepapers, videos, demos, compliance architecture reference and a compliance checker click here.
Privileged Accounts and vCloud SSO
Some awesome technologies for security and compliance are available now for vCenter or vCloud and were demonstrated at VMworld. First off, from VMware there are some awesome (though seemingly no-brainer, obviously needed) upgrades to SSO capabilities in vSphere 5.5 that might make you take a second look at how to implement it within your organization. Support for multi-master replication, site awareness and even more nifty enhancements make a compelling story for SSO right in vCenter. There is an excellent blog post about it here.
VMware Administrators are the new Uber Admins, who often have privileged access into entire datacenters and applications, so it makes sense to form a governance structure around administrator access to the consoles and environments that they use on a daily basis. There is a really cool vendor called HyTrust that provides a comprehensive suite of security tools to do just that: request and approval workflows for VM Admins, policy-based access and authentication into VMware environments, including role-based monitoring, compliance and auditability, all combined making the job a little easier to integrate VMware infrastructure into a holistic compliance and control framework. As automation technologies such as the Software Defined Datacenter evolve, this problem will become even more critical and out of control without a solution from the likes of HyTrust.
With all that being said, coming from VMworld as an “IAM Guy” it could not be more clear that vSphere and the virtual machines in your infrastructure should be considered as another resource that needs to be added to a growing list of resources requiring all the usual Authentication, Authorization and Audit. But typical IAM systems will not simply integrate with vSphere out of the box as of now, unless you are using an STS or Access Bridge to solve access token conversions to WS-Sec/SAML/OAuth and the like. If you are a vCHS customer you can expect to see some really cool SSO capabilities (soon enough!) between MyVMware and your VM instances running inside of vCHS. In the future, I predict there will be a sufficient amount of support for various types of authentication that you won’t have to worry so much about protocol standards. However, know how and where it fits into your overall security and identity architecture and 3-year roadmap. Understand the implications it has on your policy administration, enforcement, audit, monitoring and so forth.
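The token conversion an STS or access bridge performs, described in the paragraph above, and the SAML-attribute-to-OAuth-scope authorization mentioned in the VMworld keynote paragraph, shown together as an added example that is not code from the original post or from any vendor named here. It assumes a simplified assertion format (a signed JSON body standing in for a SAML assertion, since real SAML uses XML signatures), constructed HMAC keys shared with a hypothetical IdP and resource server, and a hypothetical group-to-scope policy table. The point it demonstrates is the order of checks a bridge must make before minting anything: signature, expiry, trusted issuer and audience first, then the policy mapping, and the resource server repeating its own checks on the outbound token.

```python
import base64
import hashlib
import hmac
import json

# Constructed keys for this example only (not real credentials).
IDP_KEY = b"constructed-idp-signing-key"   # shared with the trusted identity provider
STS_KEY = b"constructed-sts-signing-key"   # shared with the resource server
TRUSTED_ISSUERS = {"https://idp.example.test"}   # hypothetical IdP entity id
STS_AUDIENCE = "urn:sts:example"                 # hypothetical STS entity id
RESOURCE_AUDIENCE = "https://api.example.test"   # hypothetical protected API

# Hypothetical policy: group attribute in the inbound assertion -> OAuth scopes minted.
GROUP_TO_SCOPES = {
    "vm-admins": {"vm:read", "vm:write"},
    "auditors": {"vm:read", "audit:read"},
}


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: bytes, key: bytes) -> str:
    return _b64u(hmac.new(key, body, hashlib.sha256).digest())


def issue_assertion(subject, groups, issuer, audience, exp, key=IDP_KEY):
    """IdP side: a stand-in for a SAML assertion, encoded as base64url(JSON).signature."""
    body = json.dumps({"iss": issuer, "sub": subject, "aud": audience,
                       "groups": list(groups), "exp": exp}, sort_keys=True).encode()
    return f"{_b64u(body)}.{_sign(body, key)}"


def _verify_signed(blob, key, now):
    """Check the signature (constant-time compare) and expiry before trusting any claim."""
    parts = blob.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body = _b64u_decode(parts[0])
    if not hmac.compare_digest(_sign(body, key), parts[1]):
        raise ValueError("bad signature")
    claims = json.loads(body)
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def exchange_token(assertion, now, ttl=300):
    """STS: validate the inbound assertion, map groups to scopes, mint an outbound token.

    The outbound token is a two-part HMAC-signed token in the spirit of a JWT
    (a real JWT adds a header segment); the resource server only ever sees this one.
    """
    claims = _verify_signed(assertion, IDP_KEY, now)
    if claims["iss"] not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer")
    if claims["aud"] != STS_AUDIENCE:
        raise ValueError("assertion was not addressed to this STS")
    scopes = set()
    for group in claims.get("groups", []):
        scopes |= GROUP_TO_SCOPES.get(group, set())   # unknown groups grant nothing
    body = json.dumps({"iss": STS_AUDIENCE, "sub": claims["sub"],
                       "aud": RESOURCE_AUDIENCE, "scope": " ".join(sorted(scopes)),
                       "iat": now, "exp": now + ttl}, sort_keys=True).encode()
    return f"{_b64u(body)}.{_sign(body, STS_KEY)}"


def authorize(token, required_scope, now):
    """Resource server: accept only a valid STS token for this audience carrying the scope."""
    try:
        claims = _verify_signed(token, STS_KEY, now)
    except ValueError:
        return False
    return claims["aud"] == RESOURCE_AUDIENCE and required_scope in claims["scope"].split()


if __name__ == "__main__":
    now = 1_700_000_000
    assertion = issue_assertion("alice", ["vm-admins"], "https://idp.example.test",
                                STS_AUDIENCE, exp=now + 60)
    token = exchange_token(assertion, now)
    print("vm:write allowed:", authorize(token, "vm:write", now))      # True
    print("audit:read allowed:", authorize(token, "audit:read", now))  # False
```

Two design choices matter here. The resource server never accepts the inbound assertion directly (it is signed with a different key and addressed to the STS), so the bridge is the only place where the protocol translation and the group-to-scope policy happen, which keeps the audit trail in one spot. And the outbound token carries a short lifetime and a fixed audience, so a token minted for one API cannot be replayed against another even inside the same bridge.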
Imagine Dragons Rock!
I am not a VM Admin, Uber Geek, or whatever by any stretch of the imagination. So I needed just a little extra incentive to hang in there and figure out what VMworld has in store for me this year. To be sure, there were some great technical takeaways and the chance to meet some new folks (even a few VMware colleagues whom I’d never had the chance to meet before) so attending the Imagine Dragons concert on Wednesday was the icing on the cake. It was so cool to see these guys perform live, and it was much better than I could have imagined (no pun intended) – so I recorded them with my new Sony NEX6 in HD and it turned out great! If you are interested just click on the link below and watch what you are interested in and share them with your friends.
The stars are not wanted now: put out every one;
Pack up the moon and dismantle the sun;
Pour away the ocean and sweep up the wood.
For nothing now can ever come to any good.
– W. H. Auden
If you have ever felt (or currently feel) that way about your Oracle or legacy IdM solution, you are not alone. The billion dollar Identity Management industry is being turned upside down by the tidal waves of distributed, claims-based identity. Identity management vendors (one of which is owned by VMware itself) sprang up to service the SaaS apps and the customers who require a scalable and secure way to access their applications and data in the cloud. Cost savings realized by moving corporate applications and compute to SaaS and PaaS outside of the firewall have been a strong driver for cloud-based access management and SSO, but a few years and dozens of success stories later, many companies still struggle with the “albatross round your neck” syndrome of multi-million dollar legacy/enterprise IdM systems still in place, which they find difficult if not impossible to get rid of.
If you look closely, the reasons that organizations will consider dismantling legacy Identity Management systems are understandable, and likely among them are:
Only using a fraction of the capabilities
Using it less as more of your applications and compute goes outside the firewall in favor of more cost effective SaaS/PaaS models for application and services
The more you consume now, the harder (and more expensive) it will be to migrate later
There are some things it is not good at (like provisioning, or federated SSO) and the only way to get those capabilities is to buy and integrate more of the legacy vendor’s offering
Lack of support for the latest identity standards, like SAML 2.0, OAuth2, SCIM, etc…
While I can understand the dollar signs flashing in the executives’ eyes, we all need to take a healthy dose of reality and remind ourselves that these systems were built over many years and have many dependencies that will ultimately impact, and may cause serious disruptions to, the enterprise applications if not managed well. And while money may be one driver for a rip-and-replace, I am sure there are other valid reasons as well (like competitive or strategic ones), so to each their own.
The Road Ahead
While I missed the chance a few weeks ago to make my new year predictions about the future of identity management along with my colleagues, I am sure there will be a lot of new opportunities for small and medium sized businesses and enterprises, who will have a much easier time adopting cloud-based offerings such as Identity-as-a-Service (IDaaS). It is also evident that much will remain the same. For enterprises, this is good news because the migration away from legacy IdM vendors can be done one step at a time, and the benefits are measurable from the standpoint of the economics of SaaS (pay-as-you-go) apps vs custom developed or monolithic enterprise ERP or HR applications.
With the onset of projects aimed at replacing and/or updating legacy IdM systems, I would like to offer the following suggestions that I hope will keep organizations and IT architects on a path to success:
There will continue to be a need for some kind of enterprise IdM system, even if that means (as an Identity Provider both inside and outside of the firewall) having basic LDAP repositories on your network to maintain a single source of truth for the passwords and entitlements of your employees, customers and partners. This will ensure that an organization can keep control over hard authentications and avoid the hassle of making 3rd parties liable, or of finding and implementing some kind of audit/compliance solution elsewhere. GRC solutions in the cloud, though not impossible, are more difficult to pull off because the value is proportional to the number of applications (or identities) connected to them, and they might not all be SaaS apps.
Enterprise-washing cloud IdM systems is not the answer. Just as the early SaaS/IDaaS vendors would lay claims against enterprise vendors for cloudwashing their products, each will have to co-exist going forward, to a greater or lesser extent. If a SaaS or PaaS vendor even has the right mind-set about how their product can and will be used, then the model will be more like bring-your-own-identity, and they should not see much value at all in owning the identity of your users, especially if they support multiple identity protocols such as SAML or OAuth.
There is a new category of appliance that will find its way permanently into Identity architectures, connecting enterprises with the cloud and the cloud to the enterprise. Embrace them! Products like Layer7’s SOA Gateway, Radiant Logic’s Cloud Federation Service or Vordel’s Security Token Service (and of course many others as well!) all exist to bridge the cloud and the enterprise and ensure interoperability of security protocols, provisioning and de-provisioning processes, and higher levels of security and assurance.
While there are a lot of innovations that organizations can embrace to provide a more secure and scalable Identity Management service (for example, the core identity service of cloudfoundry.com has supported SCIM, OAuth2 and partial OpenID Connect since March 2012), the speed of migration should be kept manageable given human resources, the scale of a company’s existing integrations and other variables that are likely unique to each business. Taking a step-wise approach to migrating applications to a SaaS-based model while riding out an existing ELA should offer sufficient time to consider more cost-effective solutions that might replace legacy investments, while keeping an eye on how to modernize your infrastructure economically as well.
The days of the tightly coupled identity management suites are over. Long live layered, loosely coupled, standards based security and identity management! Please leave feedback!
I have to say that I feel very fortunate that I have not had to change jobs frequently since I started my career in IT back in 1998. It hasn’t always been smooth sailing. I departed sooner than I had hoped from my first two gigs in sales working for Microsoft solution providers, though each led me to search harder and smarter and always led me to more interesting and more lucrative gigs. In order to get my break in sales I wrote a business plan to market PC and network solutions for Capital Datacorp in Sacramento, but before landing that job I canvassed Northern California by fax (I was so broke that I didn’t have an ISP account or a personal computer) and by foot searching for a job. The efforts eventually paid off, and the rest is history; I will spare you those details for another time.
What is there to learn from all this and why does it matter to you? My experience is not exhaustive and I am no authority on dishing career advice, but I wanted to write a few ideas as a former job seeker and an interviewer that I think really might be valuable to you.
Take the path of MOST resistance
You might be inclined to do just the opposite and take the easiest path to your destination, but I have found that there is no shortcut to landing a killer job. If you are just starting out in your career then you need to begin building your foundational tech skills by becoming an expert in LDAP or Linux or scripting of some kind (Shell, Perl, whatever) and using LinkedIn to connect with folks you meet and know. For those with more experience, you might find yourself avoiding that awful Director or Sr. Manager who always seems to have something negative to say and isn’t allowing you into his close network. I would suggest taking to battle the most difficult challenges and projects in your environment and don’t waste precious time being shy about your intentions. Make it known that it’s not about YOU, or HIM or anything personal. It is about the work! Many but not all people can get their foot in the door or climb the corporate ladder by being nice or by having an “In” with the right people, but don’t count on that person being you. Take stock in yourself and make it an all-in proposition. Go with gusto and “Either we have a breakthrough to more successful relations or all bets are off!” There is no other way. Put your egos aside and get the work done.
Who are you, anyways?
In preparing for interviews with job candidates, I search for them online using LinkedIn and search engines. Whether you like it or not, for most professionals your LinkedIn profile and online persona are your new resume and can put you at an advantage over others looking for the same job. Resumes work for submitting yourself to jobs at the big job boards and at a few of your favorite companies, but once your resume is discovered, how your potential employers perceive you can be shaped heavily by what they found out about you in professional networks. If you haven’t started already, begin sharing your capabilities and achievements on LinkedIn and write some stories about them on your blog that will show your expertise. Doing so should help you prepare for the dreaded first question that starts off many interviews: “So tell me a little about yourself.” You might be tempted to say something like “Duh, haven’t you read my blog?” but resist that temptation, because the interviewer has already read your blog and is evaluating your speaking and presentation skills.
Taking these steps and building a “living resume” online will show that you are managing your career as diligently and skillfully as you would manage yourself and your responsibilities if you are extended a job offer. For those of you already employed, this discipline may help solidify your standing with your current employer and may help you get that promotion or raise that you have been holding out for. The best way to fail at this is to wait until you are a job seeker to begin blogging or updating your LinkedIn profile.
Hiring Suggestions For IT Managers
Most hiring managers (who are career or professional managers) do not have the background or expertise in Identity Mgmt to put architects, engineers and admins through the paces and test their technical abilities, so different tactics are needed to qualify whether you have a good fit for a position or not. Even if you do have previous experience in this domain, the following suggestions will help avoid many of the frustrations and pitfalls you are likely to encounter:
Prescreen candidates by asking them to fill out a pre-interview questionnaire (like this one) to evaluate their qualifications prior to inviting for further interviews.
Write more accurate and compelling job descriptions that will deter those who are not qualified or do not have the right skills from ever applying for the position.
Ask the top talent on your team or organization to refer their friends (who are also likely to be top talent) for the position.
Always be building your network of professionals on LinkedIn or other social networks; it will help you be more efficient in the recruiting process and keep a pulse on qualified professionals that you can reach out to when needed. (I.e. don’t wait for HR to do this for you.)
If you are a new manager, or simply new to Identity Management, why not make the effort to build up your knowledge about the subject to make you more effective at understanding the issues and managing your team? I have found that IT managers with responsibility for integrating or maintaining IdM systems come and go, but the good ones who stick around are those with some technical background or who have more advanced understanding than an average IT manager does. And it will do a lot to help build credibility with the team you lead and the peers who have trusted you to take responsibility for such an important technology domain.
If you are patient, relentless and determined, these suggestions will work for you. I get emails from job seekers and recruiters on a weekly if not daily basis asking similar questions, and from what I can tell the job seeking and recruiting/hiring process would go a lot smoother if some of these common sense suggestions were more consistently followed. If you find that your job search is misfiring and you are not having success landing a job, it might be time to contact the professionals over at TheLadders.com for a professional resume makeover and career coaching. Or it might also be time to just take a weekend (or an entire week) and go live in the mountains and get in touch with who you are, where you want to go and how to get there. Prayer. Meditation. Sabbatical. Whatever you call it, taking time out regularly to relax your mind and revive your spirit is necessary whether you are a job seeker or not. You don’t want to burn out before you get the job.
Better late than never, they say. So first of all Happy New Year to you, and I wish all the readers of my blog the very best health, happiness and success in managing IAM projects in 2012!
I am writing this post from Bangalore, India where I am wrapping up the final touches on a 1.5 day workshop program that I am presenting to the Operations and Management team at VMware this week on a variety of hand chosen topics that I have collected and discussed under the umbrella of Managing IdM In Uncertain Times. This name comes from the paper I wrote in 2009, which consequently inspired the theme and title of this blog. In this blog (and the paper) I attempt to identify the trends and codify the best practices and rules of thumb when it comes to managing IdM systems in a virtualized environment for running leaner and more efficient IT operations. The message I gave then is just as relevant today, if not more so, as IdM functions fall under the purview of new IT management and staff who have either not worked with IdM technologies before or who haven’t been exposed to the breadth of technologies and disciplines it entails in a modern IT shop. Hoping for the better, along with briefing new managers on various issues related to Identity & Access Management through the years, I constantly pass this document along to new managers whom I have the opportunity to work with directly on a project or who may be considered a stakeholder in the success (or failure) of the IdM project. The paper is also available to anyone who works with me on my team at VMware. (And yes, we are hiring 2 new IdM engineers in Bangalore – see job descriptions here and here and mention you heard about the job from my blog!)
Fast forward to late 2011 and to today, I have updated the paper and put it in the format of a book outline and proposal. The outline is as effective as a reference point for creating workshop/training content as much as it is valuable to launch into discussions with management. And the best part about the work and this writing project is in being able to apply the insights and experiences I have gained and getting to work with some of the best talent the industry has to offer.
Since I don’t really have a book to sell (yet) I am posting the outline of the book up here and I invite any and all of you who might be interested in reading and giving feedback, whether directly to me via LinkedIn or by leaving a comment here in the blog post. If you are interested in reviewing future drafts of the manuscript please indicate so in your post. As much as work and family keep me busy at all times, I am excited at the potential that this volume has to address a critical need in our industry, as well as providing guidance and resources specifically to managers and IT professionals looking to take their careers to the next level or simply adding new core skills and experiences. I would be forever grateful and appreciative for any feedback, questions or comments you may wish to offer. I promise in return that the collective wisdom and insights from the past 4 years as an IdM leader/engineer/architect at VMware will be presented concisely and in an actionable format that you can put to use immediately, along with case studies and templates which alone will be extremely valuable resources.
Thanks for reading and best wishes in your endeavors in 2012!
I haven’t blogged here for awhile, and to be honest there is such extraordinary change happening in our industry that anything I post here could need to be re-written. In the meanwhile, the business of enterprise software is coming under intense pressure, as I imagined it would, as cheaper and more robust applications and services come online. Just today, Marc Andreessen takes aim at software giant Oracle and how economic pressure, along with lower cost cloud computing alternatives to enterprise software, is shaking the very foundations that information systems are built upon and how they are deployed and consumed by start-ups and the SMB market.
Within the Identity Management (IdM) space, this trend could not be more profound. As companies migrate away from enterprise software deployments towards SaaS apps in droves, the justification for an enterprise IdM (or WAM) solution does not fit quite as nicely as it once did. In fact, looking at the success of SalesForce.com and the availability and support of modern protocols for 3rd party SSO integration (SAML/OAuth, etc…), with many other apps following suit, the options for SaaS apps continue to present viable alternatives and, following this logic, more nimble IdM deployments at a fraction of the cost. Looking at Identity & Infrastructure management from a VMware perspective, there is a comprehensive set of technologies that can be used to build, run, deploy and secure robust business applications. Today, many of these are deployed using a Public Cloud service (somebody else’s infrastructure), but as this technology moves along on the technology adoption curve and some trust/assurance/liability questions are answered, it will gain more momentum and extend its reach into the enterprise space. In certain cases where security or high assurance is needed, an on-premise (Private Cloud) solution that can be tailored to a company’s or government’s specific requirements would be necessary.
Coming back to the Andreessen article, and with all due respect to Oracle as a great and mighty successful American company, a lot more folks are taking notice of what I have been saying for some time now. From an investor perspective Oracle might be a good place to keep your assets safe, but with a growing list of compelling alternatives, if Oracle would stop charging prices like it’s 1999 (or 2007) the situation would not seem as dire as it appears it might become. Many of Oracle’s products are now available through their On-Demand network for more SaaS-model services, but will that be enough (making them available as a SaaS service) to make good with customers and keep the competition off their heels? Disclaimer: Having never used Oracle On-Demand services I can only venture to guess that even their SaaS model services are priced with premiums.
On the other hand, VMware continues to make interesting strides in virtualizing mobile platforms, along with which a user’s identity and entitlements must travel. Access policies, provisioning and compliance must be monitored and controlled across mobile applications and platforms. So with VMware’s ThinApp provisioning (the dev team for the latest incarnation being a great group of guys in my neighborhood right up here in Bellevue, WA) and entitlements around who can access what, the tools available for managing identities across clouds and devices get even more interesting!
Godspeed, dear innovation! What say you? What do you have to gain or lose with lower cost IdM implementations and more efficient computing platforms?
This week I relished the announcement here and this Metalink article that Oracle recently made about support for running Oracle on VMware virtualized environments. Then again, for those of us who have been doing the same for awhile now, it’s not *that* big of a deal. Or is it?
Having spent a fair amount of time at the VMware booth at Oracle Open World, I witnessed the intense interest in virtualizing everything Oracle, from RAC and Database servers to Middleware (and, as I have discussed, Oracle IdM on VMware as well). At the VMware booth, Dave Welch from House Of Brick Technologies attested that his firm has had Tier 1 workloads on VMware since 2006 (and has seen $ millions of capex/opex reductions), and there was no shortage of folks from the audience taking note. Sadly, there are others from various industries who have not even begun to virtualize their Oracle infrastructures due to Oracle’s previous stance on support for running their products on VMware.
The value proposition for running production loads on VMware was crystallized while I was still with Oracle Consulting (circa 2007), where my first 2 gigs were assisting clients with their upgrade to OAM 10g. Both clients had agreed to a 4-week stint for the upgrade. One company was from the Bay Area and was running VMware; the other, a global beverage company from Atlanta, was not on VMware. In spite of best laid plans, it’s always wise to hope for the best and plan for the worst. During the upgrade at the smaller Bay Area company, the issues we encountered were quickly and easily rolled back. In contrast, when the same issue occurred at the larger client not running on VMware, half days, sometimes entire days, were wasted rolling back to a known good state, IN A LAB ENVIRONMENT! And we could not attribute the failed attempts to the size of the environment either, because one year prior another consultant had spent time documenting and creating the upgrade strategy. Regardless of who’s to blame for upgrade failures, it’s a no-brainer that reverting to a previous ESX snapshot is a huge time saver, especially when modifying schemas on AD, which are painfully difficult to remove!
Beyond the benefits of snapshots and virtualization for the Upgrade scenarios there are the extraordinary stories for consolidation itself to be told. Infrastructure consolidation invariably leads to other interesting possibilities such as cloning (which I talk more about here) for building out new environments, making your infrastructure portable to make building out cloud infrastructure more efficient, to even being the key to your cloud security, as Art Coviello talked about at the RSA conference this week.
So in all honesty, I don’t feel that the announcement from the Evil Empire in Redwood Shores is for me so much as it is for other large companies I know exist out there with sizable physical infrastructures. I have seen successes and failures due in large part to the virtualized environment (or lack thereof), so I want to encourage those of you who have not gone down that path: now you have an open doorway to bring your support issues forward and take another hard look across your IT infrastructure for prime opportunities for consolidation, and to better realize the benefits of this Age of Virtualization, which arguably is already giving way to the Age of Cloud Computing, or Agility as VMware executives like to describe it.
With that being said, a huge thanks is due to Oracle, who is now only slightly less evil, for getting out of the way of IT innovations, economic recovery and for giving the power of choice back to the customer.
As always, feel free to leave your comments here in the blog thread. And if you are in need of assistance or want more resources on virtualizing your Oracle environment with VMware, head over to http://www.vmware.com/oracle for more information.