
Discovering your “Edge” in Identity & Access Management

Any way you look at it, IAM will become an increasingly important area of focus for IT and business leaders. We need a vantage point from which to see and better align the IAM investment opportunities that will have the most impact on the ability of the business to compete and grow in the coming years.


Evolving The IAM Architecture

Effectively addressing IAM requires that the organization be able to understand and engage with a dynamic, changing and complex business environment. The IAM architecture must evolve to integrate easily with cloud applications, federate with partners, support multi-factor authentication and enrich authorization and access policies. Whether your organization likes to be agile, adaptive or lean, the IAM architecture must evolve to support the growth mindset that charges the business to increase revenues, improve efficiency, achieve regulatory compliance and embrace new operating models with the cloud and services in mind.


IT Reimagined – Better Governance Ahead

If there is one thing we should be talking about more as an industry, it is that we need better governance, and that integration, management and security should be shaping our priorities, so stop all the whining about the end of IT.

  • From Gustav Mahler to Identity & Access Governance
  • Doesn’t Anybody Use IdM Standards Anymore?


I love classical music and I love a Gustav Mahler symphony even more. Symphonies, to the uninitiated ear, can sound a lot more like noise than music. To the music lover, a symphony is an expression of art in the highest form, a source of great pleasure and beauty to behold.

One of my favorite composers of all time, Gustav Mahler, has been a source of inspiration to me since I was introduced to his work (and in particular his 5th symphony) by the Pastorinos of Glenn, CA (Ellen is the former music teacher at Willows High School) in 1994, and that introduction has fueled an interest in all kinds of classical and symphonic music ever since. It has been a rich source of inspiration with interesting parallels to the career I landed in a few years later.

The arrangement of a symphony

Broken into groups of players such as horns, winds, basses, trombones, cellos and so on, a symphony is a complex arrangement of instruments, harmonies, acoustics and emotional content. The resulting works in the hands of a director such as Gustav Mahler are his earth-shattering 5th Symphony or 8th Symphony, the “Symphony of a Thousand”, which takes an impressive amount of vocal talent to pull off. In The Vintage Guide to Classical Music, Jan Swafford describes the impact of his work on the music world:

After Mahler, there was little choice for composers but to cut back in scope and size.

His life’s work culminated in his competitors deciding there was no point trying to make the symphony any bigger-sounding than Mahler had. His work brings to a close the big symphony of the 19th century and opens the door to the smaller, more intimate quartets and soloists of the 20th century.

From Symphonies To Systems

Shawn Hunter, in his excellent book Out Think, draws the connection between the symphony and the complex networks of today:

Symphonic thinkers see the big picture; they look at the whole system and take their information from a variety of sources. They take a multidimensional approach to solving problems, seeing connections, and finding effective solutions.

The Internet, the connected devices and the amount of trust we place in them every single day have grown to such a profound proportion that there is no shortage of valuable targets for hackers and identity thieves to go after and compromise in order to gain attention, information, power or money. As much effort as businesses and individuals put into protecting themselves and stakeholder, customer and employee information, there continue to be daily revelations about new compromises, hacks, thefts and the like that undermine trust in the network, compromise personal information, lead to public companies’ stock prices losing value, force companies out of business and in some cases endanger citizens.

The systems for Identity & Access Governance are no less complex. They have risen in importance and complexity out of necessity, from the digitization of our lives and of interconnected business. Once the taste of e-commerce, social media and networked devices is experienced, it stays with those who partake forevermore. We cannot reverse the transformations that technology and the Internet have brought upon society; the force of control, profit, efficiency and knowledge is far too great for us to ever go back, short of a horrific act of terrorism or cyber war.

Choose whatever descriptive word for complex systems you wish: constellation, calculus, symphony, etc. To be effective, the future demands that we have much faster and far better connected systems for managing policies, users, resources and systems, and that we adopt processes and disciplines that ensure we are achieving ever less risk and danger than we do today. The enemy brings with it an element of surprise, so having a high degree of organization and connectedness is the price of admission. Advanced systems and tools such as SIEM, honeypots, big data, access re-certification processes, adaptive and multi-factor authentication schemes, automated on-boarding and off-boarding, and what Forrester calls “Zero Trust Identity” are increasingly critical parts of the enterprise Identity & Access Governance framework.

Whether you like symphonies or not, they suggest more humanity, irrationality, unpredictability and passion, on the same emotional scale that hackers use to try to compromise your network, than any of the other metaphors do. I don’t think it’s any coincidence that Beethoven’s 5th symphony was the soundtrack in the scene in White House Down where Skip, a black hat hacker, had taken complete control over the military defense system. Argumentum ad absurdum, perhaps. Don’t wait for your network, applications or information to be compromised to take it seriously.

„Meine Zeit wird kommen“

Translated from German, one of the most quoted phrases we have from the life and work of Gustav Mahler is “My time is yet to come.” The future is serious. The cost of playing offense with effective Identity & Access Governance is almost always worth more than doing nothing. There is nothing of value to be gained if an organization will not make it a focus and find its strategic place in corporate priorities. Gustav Mahler’s time might in fact still come if your organization continues aggressively building its own Symphony of a Thousand Tongues. The careless ones, the slackers, the tired ones, and just maybe those who have their heads too far in the cloud might very well end up with something more like a Symphony of Sorrowful Songs if the program is not embraced with a greater sense of accountability, focus and optimism.

Thanks, and all the best to you and your IAM program in 2014! As always, your comments and questions are welcomed in the comment section of this post.

When I am not at work thinking about solving tough issues in Cloud & Enterprise Identity & Access management, I have music on my brain. Music has a way of calming frayed nerves…yet it also has a way of inspiring moments of pure genius. This is one of those times for me. Or maybe not – you be the judge.

Phil Collins

Doesn’t anybody stay together anymore
I wonder why, doesn’t anybody stay together anymore
Oh I wonder why, doesn’t anybody stay together anymore

   – Phil Collins Doesn’t Anybody Stay Together Anymore

The past two months I have been working with security gateways for integrating disparate systems via a token exchange service. These devices can go by many different names: Access Bridge, STS, Concierge service (shout out to Peter Davis/Neustar and Chuck Mortimore/SFDC for this one during a brainstorming session I convened at IIW here), or however you want to call it. Try as we might to get every business on board with SAML2, OAuth2, OpenID Connect, et al., it is not practical to expect that at some point in the near future any one of these protocols will enjoy ubiquitous success across the entire Internet (cloud, enterprise, mobile). As Sir Phil Collins might opine if he were part of the Identerati: Doesn’t anybody use IdM standards anymore?

Give me a clue! What will I choose?! What will I choose??!!

This past weekend on a daddy/daughter outing with my brilliant 5 1/2 (almost 6) year-old daughter Molly, we made a stop for some candles at Pier 1 – notoriously one of daddy’s favorite stops. Molly was on her knees in the tiny little toy section, obviously conflicted about whether to spend her last $2 on a gift for her mommy or her daddy. I heard her singing (what I thought to be the lyrics to a musical of some sort but which turned out later to be her own improvised lyrics) “Give me a clue. What will I choose? What will I choose?” and I was immediately drawn into her world of conflict.

On any given day, that is the lyric of my life when evaluating vendors or projects that want to integrate with VMware Horizon and don’t support SAML, or when trying to find a way to scale partner SSO without SFDC being brought into the picture. My fellow VMware employees may hear me singing the lyrics of my daughter’s lament down the hallways at Hilltop: What will I choose?! Standards? Custom integration? Vote against the project? That is a lot like how an IT shop really works, until now. Now that we have choices via an STS (Access Bridge, service gateway, etc.) we do not have to limit ourselves to supporting and standardizing access control on a single protocol. So the question I pose to the Identerati specifically and the industry in general is: do IdM standards even matter anymore when we can use an STS or an access bridge to integrate disparate systems with different access protocols?

Come As You Are

Kurt Cobain

Come as you are, as you were
As I want you to be
As a friend, as a friend
As an old enemy

   – Nirvana Come As You Are

And then it hit me again. Another musical lyric that resolves all of the mysteries of the IAM universe, brought to us by alternative music royalty Kurt Cobain in his immortal lyrics.

So I couldn’t help but imagine that this ought to be our philosophy when it comes to designing an access control system for a multi-billion dollar, multi-national enterprise such as VMware and others out there. How do you think 85% of the virtualization market would respond if VMware restricted the ability to log in to the vSphere console or My VMware portal to only an X.509 certificate or a biometric password and nothing else? This concept was perhaps first ingrained in my head during a conversation I had with the brains behind the Salesforce.com Identity platform, Chuck Mortimore. His emphatic recommendation, as far as I can recall, was to always keep it based on URL, as if to say that he has achieved a sort of protocol-agnostic nirvana state for authenticating users into Salesforce. If you are an SFDC developer or have talked with Chuck about this topic before, then I trust that you, too, find some merit in his argument. You can access your apps and data at SFDC however you want, as long as it’s username/password, SAML, OAuth, OpenID Connect, et al. If you cannot choose one protocol, why not choose them all? With many different products in today’s marketplace, there is a mind-numbing amount of access protocol support for authentication nicely wrapped into a soft appliance.

Come to Me, all who are weary and heavy-laden

And then it also occurred to me: if Jesus were one among the Identerati, do you think he would say “Come to Me, all who are weary and heavy-laden, and I will give you rest,” as though inviting closure to the on-going debate within access management standards and freeing up some of the bright minds working this age-old problem to work on new challenges? Maybe there is a role-based access governance problem that is worse off than the state of access protocols. Or when is the last time you ran an access re-certification or access audit in your organization? Is your privileged access management program a sound and effective one?

So that, then, is how I presume the world of Identity & Access Management to be according to three celebrities from the ancient to the modern world. The world of IAM according to Sir Phil Collins, Kurt Cobain and Jesus. I will be headed to the Gartner IAM conference in November if any of you want to meet up and debate the fine points of the intersection of IAM, music and theology.

If you are passionate about this subject and have a unique perspective to add to this thread, will you please do so?


It’s been a hectic week as more than 20,000 folks landed in downtown San Francisco for VMworld. VMworld has grown to nearly the same scale and grandeur as Oracle OpenWorld (though not quite yet), and it is big enough that time seems to stand still, meetings are postponed or cancelled all week and generally one falls behind on any time-bound activity.

The new reality for VMware in the last 1-2 years has been one of intense focus on, and re-balancing of resources to prioritize, infrastructure and cloud management technologies. In other words, for an Identity Management guy or gal there might not be a lot of interest for you at VMworld this year. Then again, you might be surprised. In Pat Gelsinger’s keynote he made mention of the user-centric future of Identity in the cloud as “Policies that follow users, not devices.” So today with regards to authorization we have SAML grants and OAuth scopes (great explanation here), which deliver a powerful combination of authentication and authorization for cloud applications and resources. The challenge we face today is that (still) not all applications have a robust implementation of SAML or OAuth to fully realize Pat’s vision (yet!!). If you were to use Pivotal’s Cloud Foundry and deploy your apps in the cloud, or eventually VMware’s vCHS, you would perhaps discover a delightful world where the utilities for SAML and OAuth authentication and authorization are built into the platform. And wouldn’t it be great if these capabilities also existed in the vSphere Suite for the apps you deploy in your private and hybrid clouds?

Security & Compliance for vCloud

Also at VMworld, I was delighted to learn about some amazing research in a session I attended called VMware Compliance Reference Architecture Framework Overview (by Jerry Breaud and Allen Shortnacy), including a reference architecture and guidance for security and compliance for your vCloud infrastructure. Security and compliance concerns prevent many VMware customers from advancing in their cloud journey. So it is with the security and compliance accelerator program and the technologies in the VMware Partner Network that customers can confidently architect and deploy secure and compliant cloud solutions. In 2010 I presented how the virtualization layer was a superior vantage point for managing your Identity & Access infrastructure (presentation here); this year VMworld brings resources to market, again with the hypervisor as the vantage point, for achieving a more secure and compliant organization. For example, there are scanners that will inspect your .vmdk files to search for exposed credit card data and provide assurance for PCI compliance!

For more information about VMware Security and Compliance Solutions including whitepapers, videos, demos, compliance architecture reference and a compliance checker click here.

Privileged Accounts and vCloud SSO

Some awesome technologies for security and compliance are available now for vCenter or vCloud and were demonstrated at VMworld. First off, from VMware there are some awesome (though seemingly no-brainer, obviously needed) upgrades to the SSO capabilities in vSphere 5.5 that might make you take a second look at how to implement it within your organization, with support for multi-master replication, site awareness and even more nifty enhancements that make a compelling story for SSO right in vCenter. There is an excellent blog post about it here.

Uber Geek

VMware Administrators are the new Uber Admins, who often have privileged access into entire datacenters and applications, so it makes sense to form a governance structure around administrator access to the consoles and environments that they use on a daily basis. There is a really cool vendor called HyTrust that provides a comprehensive suite of security tools to do just that: request and approval workflows for VM Admins, policy-based access and authentication into VMware environments, and role-based monitoring, compliance and auditability, all combined to make the job of integrating VMware infrastructure into a holistic compliance and control framework a little easier. As automation technologies such as the Software Defined Datacenter evolve, this problem will become even more critical and out of control without a solution from the likes of HyTrust.

With all that being said, coming from VMworld as an “IAM Guy” it could not be more clear that vSphere and the virtual machines in your infrastructure should be considered another resource to be added to the growing list of resources requiring all the usual Authentication, Authorization and Audit. But typical IAM systems will not simply integrate with vSphere out of the box as of now, unless you are using an STS or Access Bridge to handle access token conversions to WS-Sec/SAML/OAuth and the like. If you are a vCHS customer you can expect to see some really cool SSO capabilities (soon enough!) between MyVMware and your VM instances running inside of vCHS. In the future, I predict there will be sufficient support for various types of authentication that you won’t have to worry so much about protocol standards. However, know how and where it fits into your overall security and identity architecture and 3-year roadmap. Understand the implications it has on your policy administration, enforcement, audit, monitoring and so forth.
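To make the STS / access bridge idea from the Horizon discussion and from the vSphere token-conversion point above concrete, here is an added Python sketch (constructed for this page, not VMware's, Salesforce's or any vendor's code): a protocol-specific verifier for a simplified SAML-like assertion and one for an OAuth-style bearer token both feed a single internal token, so relying parties carry one verifier regardless of inbound protocol. The keys, issuer URL, assertion layout and introspection table are all constructed placeholders, not real SAML or OAuth formats.

```python
"""Constructed STS / access bridge sketch: per-protocol verifiers map inbound credentials
to one internal signed token. Formats and secrets here are simplified stand-ins."""
import base64, hashlib, hmac, json, time

IDP_KEY = b"constructed-upstream-idp-secret"      # placeholder trust anchor for the IdP
BRIDGE_KEY = b"constructed-bridge-signing-secret"  # placeholder: the bridge's own key
TRUSTED_ISSUER = "https://idp.example/constructed"  # placeholder issuer URL

def _mac(key: bytes, payload: bytes) -> bytes:
    return base64.urlsafe_b64encode(hmac.new(key, payload, hashlib.sha256).digest())
def _canon(d: dict) -> bytes:
    return json.dumps(d, sort_keys=True).encode()  # stable byte form to sign and verify

def make_assertion(subject: str, lifetime: int = 60) -> dict:
    """Stands in for the upstream IdP issuing a SAML-like assertion (lifetime < 0 = expired)."""
    body = {"subject": subject, "issuer": TRUSTED_ISSUER, "expires": int(time.time()) + lifetime}
    return {**body, "sig": _mac(IDP_KEY, _canon(body)).decode()}

def verify_assertion(assertion: dict):
    """Return the subject of an unexpired, trusted-issuer assertion with a valid MAC, else None."""
    body = {k: assertion.get(k) for k in ("subject", "issuer", "expires")}
    if (body["issuer"] != TRUSTED_ISSUER or not isinstance(body["expires"], int)
            or body["expires"] <= time.time()):
        return None
    sig = str(assertion.get("sig", "")).encode()
    return body["subject"] if hmac.compare_digest(_mac(IDP_KEY, _canon(body)), sig) else None

def verify_bearer(token: str, introspection: dict):
    """OAuth-style opaque token; the dict stands in for the AS introspection endpoint."""
    info = introspection.get(token)
    return info["sub"] if info and info.get("active") else None

def exchange(credential: dict, introspection: dict):
    """Bridge entry point: any supported inbound credential -> one internal token, else None."""
    kind, subject = credential.get("type"), None  # unknown protocol: refuse rather than guess
    if kind == "saml":
        subject = verify_assertion(credential.get("assertion", {}))
    elif kind == "bearer":
        subject = verify_bearer(credential.get("token", ""), introspection)
    if subject is None:
        return None
    claims = _canon({"sub": subject, "iss": "bridge", "exp": int(time.time()) + 300})
    return (base64.urlsafe_b64encode(claims) + b"." + _mac(BRIDGE_KEY, claims)).decode()

def verify_internal(token: str):
    """Relying-party side: one check, however the user originally authenticated."""
    try:
        payload_b64, sig = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        ok = hmac.compare_digest(_mac(BRIDGE_KEY, payload), sig.encode())
    except (ValueError, TypeError):
        return None
    claims = json.loads(payload) if ok else None
    return claims["sub"] if claims and claims["exp"] > time.time() else None
```

The relying party never sees SAML or OAuth at all; adding a third inbound protocol means one more verifier in `exchange`, with no change downstream.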

Please “Like” and comment on this post and add to the conversation!