My Thoughts on IdAM for 2011

Happy New Year, everyone! It’s been a couple months since my last post, so I thought I’d better get with the program and keep fresh updates coming. In addition to a few other goals of mine for the new year, which I’m sure a lot of you have as well, writing more about IdM and the industry here in my blog is among them. So while I enjoyed reading IdM prognostications here and here, I will take a few moments and make an attempt at giving a few of my own from my tiny perspective on the world of IdM.

It hasn’t been too long since I last gave some predictions about the future of IdM, but since then there have been some interesting developments. First of all I should give the usual disclaimer that I am giving my own opinions in this blog post, and not speaking officially on behalf of VMware. With that said, let’s talk about IdM.

The industry has been abuzz with ideas about “Identity As a Service” or IDaaS for short (as if we needed more acronyms!), with the different approaches laid out succinctly by Frank Villavicencio in a blog post back in 2010. He does not spell it out, but it is a trend that can easily be marginalized as just another service bus that must be deployed and managed in an enterprise, without much thought about leveraging new deployment models such as public or private clouds. In fact, VMware has a lot of API and SOA based (so-called) Identity Services. While they are consumed very much like any Web Service, they are not being managed or deployed any differently than any other business application.

Latourell Falls, 2003

I remember the first time I heard about an appliance for managed IdM, back in 2005, when it was pitched by Oblix at a customer meeting. While we will continue to see technologies like Web Services, Identity APIs and SAML used throughout the organization, I think in 2011 we will see appliance-based IdM implementations taking hold at a much faster pace. Even if the idea is not new, they will be embraced for sure. With new products from VMware like vCloud Director, and the bounty that vCenter will enjoy from the Ionix acquisition in 2010, architects and IT leaders will have more robust tools for efficiently deploying and managing their IdM services and infrastructures. This is one of the biggest opportunities in the data center today, I feel, and IdM in a broader sense is positioned incredibly well to benefit from it.

Which leads me to how I see the two major forces in play that will profoundly affect the way companies adopt and manage IdM in the coming year.

  • Consolidation – (And I’m not talking about acquisitions…) Driven by the desire to reduce the cost of managing large data centers, and by the opportunity to make better use of a disaster recovery zone, cloud models for computing will let us achieve re-use and consolidation much more efficiently than was previously possible. This will be an essential strategy for Directors and managers to add to their IT playbooks, as most companies will begin to move a lot of their apps to some form of cloud-based computing model, and we desperately don’t want to carry server sprawl or VM sprawl practices into the cloud.
  • Next Gen IdM – Back in June I keyed into the idea that Identity & Access services will be available in the “drinking water” (just look at Salesforce). As more partnerships form, trust will be further established and companies will begin to leverage more SaaS and PaaS services where IdM is just one of the services available in that environment. With VMware’s acquisition of TriCipher in 2010, imagine the possibilities of this (or of any 3rd party partnership) when IdM capabilities exist in the platform that you deploy your cloud apps on. Think VMforce, vFabric, or any other vendors (which I could mention but won’t *wink*) who may be using OpenSSO, Shibboleth, Facebook Connect, etc. for their IdAM requirements.

After giving one of my talks at Open World last year, I was approached by (of all people…) a security architect from Microsoft who pressed me with the question “What makes this any different? Because at the end of the day, it’s still a Web Service, right?” Well for one thing, maybe the guy attended the wrong conference, because we covered a lot of ground at VMworld 2010! :P On a more serious note, what we are seeing is not just a change in how services are consumed but in the way these services are deployed and managed. Incidentally, I came across a new hashtag today; perhaps this will be the newly recognized trend in 2011: #MSHyperVfail. Anybody?

All biases aside, the ways in which you will be able to deploy, manage HA and achieve distributed computing models will be fundamentally different than we have for the most part been able to achieve. But the best thing yet is that when it comes to Identity & Access management, the cost and complexity barriers will be significantly less than we know it today.

Oracle Open World 2010 Wrap-up

It’s been a little over a week since OOW, and I’m finally getting back into the swing of things. I should say up front that while I spoke at Oracle Open World, this was not a general session like at VMworld; instead I spoke from the VMware booth at Oracle Open World. Not only was it great hanging out with some really cool folks from the VMware marketing teams (which I never get to do), I also had the chance to speak directly with Oracle and VMware partners and customers about the cool things that my team and I at VMware have been working on over the past 18 months. It was a throwback to my consulting days at Oracle, which were great, but with the liberty to share more about doing things with VMware than the ordinary Oracle Consultant does.

My short presentation was focused on helping Oracle IdM customers get a handle on the top pain points that a company might encounter from an operations perspective, and I offered some insights on the challenges one will face and a VMware specific solution to the problem. In essence, if you can build your Oracle IdM foundation on VMware vSphere starting Day 1, it will lend itself to dramatic time/cost savings and speed with regards to building out new environments and horizontally scaling those environments as your business and IT infrastructure evolves.

Also, as an EMC company, VMware employees enjoy a great partnership and access to world-class tools and support for managing the Oracle database, which is the very foundation of Oracle IdM. As such, another of the practices we use at VMware, which I also discussed in the talk at OOW, is not so much VMware focused as it is focused on EMC technology, but it has to be included to paint a complete picture of improving the efficiency of your operations environment. Of course, some of you were quick to point out that EMC isn’t the only company to provide block-level copies of Oracle data with something like SRDF; we happen to think it’s a really good one worthy of your consideration. For more about this process, you can view my VMworld presentation on managing Oracle data with SRDF, or you can get more from your local DBA or straight from EMC, such as EMC’s own Oracle Storage Guy.

For those of you who didn’t attend either talk or catch the link on my Twitter post, here is my OOW presentation. Being only given 30 minutes I could not go into too much technical detail here, so please forgive me. You can, however, talk with your in-house IdM Architect/Admin or IdM consultant about how you can build your Oracle IdM environment similar to the way I talk about in my presentation.


In addition to presenting at the VMware booth, I also got a chance to talk to a director at Oracle about collaborating on some white papers for publication on OTN covering best practices and configuration specs for building and running Oracle IdM on VMware vSphere. There is nothing like this that I am aware of, and if there is (please share your stories with me) then this will just make it an official collaboration between VMware and Oracle. We are just getting started, and I would expect this to be available to the public sometime in Q1 of 2011. You can follow my blog’s RSS feed or my Twitter, as that is where I will make the announcement when these papers are available. Another way is to check for the latest updates on this collaboration.

On a final note, I received some sad news last week on the heels of Oracle Open World: Oracle will be losing Rohit Gupta, who is leaving to run another company in the Bay Area. Rohit has been around the Oracle IdM space for as long as I can remember Oracle being in this business (circa 2005), in field enablement and product management. I got a chance to hear Rohit speak in person at Burton Catalyst this year; as the last speaker to an audience of very thirsty IT guys after a bunch of long-winded corporate sponsors, he hit a grand slam, finishing 2 minutes under his allotted time with grace, humor and a technical acumen that’s refreshing coming from a VP. Rohit, you will be missed by many and I’m confident you will succeed famously at BMC as you did at Oracle. And if not, I’m sure there could be an open door for you at VMware. :P

Have a great week, everybody and feel free to comment here on my blog and get some conversations going about how you’ve put any of these ideas to use in your environment.

Automated Refresh of Oracle Data with EMC at VMworld

Do you want to learn how VMware manages Oracle data and Oracle Identity Management middleware with EMC and VMware technologies? Are you curious how VMware rapidly builds new Oracle OID and Access Manager environments with its own products?

I will be in San Francisco at VMworld next week presenting “Automated Refresh of Oracle Data” during the Oracle Storage Guy’s session at VMworld. Look for Session ID EA7061, “Creating an Internal Oracle Database Cloud Using vSphere,” in your handbook. I will be sharing how we shaved days off our environment refresh processes and significantly reduced error rates using EMC’s SRDF/TimeFinder and custom scripts managed via PPM workflows, to achieve greater levels of efficiency and accuracy.

It will be presented twice, so you can catch this session on Monday or Thursday at the following times.

Monday: Moscone South Room 308 @ 12:00-1:00 PM
Thursday: Moscone West Room 2007 @ 10:30-11:30 AM

Also, if you are headed to Oracle Open World in September, look for me at the VMware booth. I will be there to talk about how VMware, in addition to the EMC/SRDF solution described at VMworld for bootstrapping Oracle DB instances, uses vSphere to clone and build out new Oracle Identity Management environments. I blogged about how awesome this is a while back, but this will give you a chance to hear a 6-month progress update and ask any questions. Stay tuned for more details on which days and times.

See you there!

Quick Photo Tips for New Canon 50D Owners

I have gotten a few inquiries about Canon SLRs, and the 50D in particular, from those considering one or who have recently purchased one. So I decided to share a few of my thoughts on this amazing machine with everyone.

1.) Practice your photography skills with the Canon EF 50mm f/1.4 USM prime, a lens many of the greats use, which produces beautiful out-of-focus backgrounds thanks to its shallow depth of field. Most kit zoom lenses can make you lazy; they are usually quite slow (unless you pay a lot of extra money for a faster zoom) and often produce images of sub-par quality, especially in low light. An excellent quality zoom for the 50D that won’t break the bank is the Tamron AF 17-50mm F/2.8 SP XR Di II VC.

2.) Use Auto ISO, because it works extremely well on the 50D and it’s one less thing you need to worry about in 80% of shooting situations. However, to produce the cleanest (noise-free) images make sure you are shooting at ISO 800 or less. If you like that really grainy, gritty look for artistic effect, then shoot at 1600 or higher, but keep in mind that autofocus can struggle in low light, so you might need to focus manually, itself a fine art.

3.) Perhaps the main reason anybody buys a 50D instead of the EOS Rebel T2i is its speed. Your 50D shoots a whopping 6.3 frames per second, nearly twice as fast as the T2i, which is quite nice for action shots, kids or anything on the move that is important to get right. So don’t be afraid to occasionally set this puppy to continuous shooting (burst) mode and take a bunch of captures in a short burst. But don’t overuse this, because you will end up wasting a lot of disk space and spending a lot of time asking whether this or that image is best.

4.) One of the biggest mistakes amateur photographers make is producing under-exposed images. So commit to learning Manual mode, Aperture priority, Shutter priority, EV compensation, or all of the above. Getting images properly exposed in the camera makes editing, sharing and printing your photos a lot more enjoyable. This also means avoiding extreme lighting conditions, or extreme variations in lighting, e.g. where there are extremely bright and really dark areas in your viewfinder.

5.) To really take advantage of the 50D, you need to learn about RAW image capture and how to fine-tune RAW conversions in your favorite photo editing software, such as Adobe Lightroom (my favorite) or Photoshop Elements, which is also a good choice. Shooting in RAW produces the largest files on which to base a master file for printing, and is an excellent capture mode for landscapes or formal portraits. RAW capture will give you about 2 stops of protection against over- or under-exposure, which you compensate for in the RAW conversion process. The 50D also allows you to capture RAW+JPEG, so you can save the RAW as a permanent archive and get straight to the JPEG to share online with friends. If you practice all of the above and follow your creative vision, you will capture JPEG images that make excellent prints up to 16×20.

6.) Keep the camera in “Evaluative metering” mode. It makes the best use of the pre-defined exposure settings programmed into your camera in most shooting situations. Explore the other metering modes at your own risk; there are some scenes (like a black tux and a white wedding dress) that are better suited to center-weighted or spot metering, but unless you are planning on becoming a pro, Evaluative metering is your best bet.

7.) There are many different preset picture styles that come with the 50D, such as Standard, Portrait, Landscape, Neutral, Faithful and Monochrome. If you are shooting RAW, none of these settings really matter, but if you are shooting RAW+JPEG or JPEG mode, then select a picture style to suit your taste. I prefer Neutral or Faithful, as they render colors closest to reality. I then adjust saturation, hue, contrast, etc. in a post-edit session in Lightroom.

8.) If you get into shooting with a Canon Speedlite, you are in for a real treat, because the 50D has a great auto mode and a fast 1/250 s flash sync (with high-speed sync available up to 1/8000 s on EX Speedlites). For most non-pro photographers, using flash can be hit or miss because it’s so easy to misuse. For example, it’s nice to use a flash when taking pictures of people in sunlight because it prevents eye sockets from going dark. Balancing flash with natural light takes practice, but once you get the hang of it, it will dramatically improve your photography. If you want to use your Speedlite and take professional-looking pictures, buy a Lightsphere Collapsible by Gary Fong.

So I hope you didn’t expect “50 Tips for Shooting with Your New 50D,” because nobody would ever read, let alone remember, 50 great tips. These 8 tips are as practical as they are challenging, and you will likely spend many months (and hopefully years) ahead practising and improving the same basics over and over. There are never really any advanced moves or secrets to taking great pictures, only basic moves executed with vision and foresight.

On a final note, you probably know that I had been a very happy 40D and 50D owner until one day this past Spring I decided it was getting to be too much of a chore to take out all my equipment and lug it around for casual and social shooting. Thus the humor in my friend Bryan Dormaier’s question at a 15-year reunion: “Where are your lenses and shit?” I laughed so loud, I was nearly in stitches! So Bryan, FYI… I don’t carry them anymore, since I traded down for a Canon S90, which is by far easier to carry around and makes it easier to grab casual photos, which are perfect for what I want to do with them. On the downside, as great as they can be, smaller cameras are much easier to steal, to treat like a plastic toy, or to be dropped into a toilet by your 2-year-old.

All the products I mentioned can be found in the Photography section of My Favorite Things.

Good luck shooting, and I will look forward to seeing your photos online!

Virtualization, Clouds and The Future of IAM

In response to a few thought-provoking questions from a colleague on whether Oracle VM, VMware or IBM would be better positioned to lead virtualization of Java, I had to form a few responses and decided to share them with everyone, and gather insights and comments from others who read my blog. So after much rumination on hot technologies (all biases aside, as best as I could), I can share what’s been stewing in my mind for the past few months.

So, running WebLogic on the hypervisor is compelling, but I doubt many companies will want to migrate to Oracle VM in order to obtain this advantage.  Check out the recent Gartner report that VMware is alone in the Leader Magic Quadrant for virtualization, so this is no slam dunk for Oracle, Microsoft, or any other vendor.   But challenges are ahead for Oracle in virtualization on hypervisor, as one article puts it, “Either they (Oracle) promote VMware, and abandon their own product, or they abandon their customers, but keep their product.”   I haven’t really expressed much of an opinion here, as much as I have doubts about customers reaction to the technology that’s available.  I’m not so much of a virtualization guy as I am an IdM guy, but time will tell, and with any luck Oracle may relax their position of resistance against virtualization from their Palo Alto brethren.

The Big Switch

But going beyond the datacenter, now many customers have the option to run Java apps in the cloud rather than their own infrastructure using VMForce.  My bets are that history will repeat itself, and  this trend will only continue as companies abandon in-house server farms and infrastructure, and as Nicholas Carr aptly describes in The Big Switch: Rewiring the World, from Edison to Google, will opt for deployment to Cloud machines much the same way companies abandoned generating their own power and began using centralized electricity provided by the power grid in the early part of the last century. 

With that said, IdM technology is in for a roller coaster ride as the tidal waves of change come and we look at how to manage and scale IAM services across a broad spectrum from internal IT to private clouds to the public cloud for partners, customers and employees.  It is looking like the cost and complexity of extending Federated SSO across multiple protocols (not all customers will have SAML, WS-Sec) will be a hassle unless you factor in the potential of cloud services and a hub & spoke model.  It makes me wonder if IdM will go the way of the centralized power grid and Cloud Services (IaaS, PaaS, et al) or maybe it’s already happening.   And as Coby Royer points out in a recent blog post, “I can install the old style IAM tools, this is missing a huge opportunity for cost savings—putting standard infrastructure for IAM into the “drinking water” is the wave of the future.”  In an economy like this, that logic is becoming much easier to buy into than say in 2008 before the recession started to hit IT budgets. 

As an old hand at Oracle IdM (going on 10 years now) it is a bit hard for me to digest, but my instinct tells me that survival means adapting to the seas of change rather than trying to run from them.  There is a bright future and a lot of pent up demand in cloud services, where new models will soon overshadow the shortcomings of client/server and internet architectures.   The old school IAM stacks are not going away anytime soon, but the IdM professional will need to learn new models and standards to keep pace with where this industry might be heading.

Anyways, time will tell.  Leave a comment if you think differently.

My thoughts on Peter Gabriel’s new album Scratch My Back

Peter Gabriel's Scratch My Back

This update was too long for Facebook and Twitter and I’m too much of a Peter Gabriel fan to limit my comments to 420 characters, so for you regular readers I hope you don’t mind this little bit of personal wandering, I will get back to IdM soon enough…

I enjoyed listening to Peter Gabriel’s new album, Scratch My Back, from beginning to end this morning. I never wanted the songs “Red Rain” or “I Grieve” to end, and this album is like a continuation of that experience, but somehow on an even more personal level. Peter is getting older (his album So was released in 1986), and in a way hearing this album is both reassuring of his humanity and inspiring at the same time.

The mellow tempo is sustained through the entire album, with some moments of legendary Peter Gabriel genius shining through. For this reason, a lot of critical commentary came out, confusing critics and disappointing many fans, but I instantly connected with it and appreciated the focus on his arrangements and vocal performance. I love the orchestra in the background, and Peter’s voice breaking through during moments of deep conviction.

I’m looking forward to hearing the artists’ responses and their covers of our favorite Peter Gabriel songs.

Self Motivation or What gets me out of bed in the morning?

If you have built castles in the air, your work need not be lost; that is where they should be.  Now put the foundations under them.

~ Henry David Thoreau

Burnout, frustration, defeat, misery, helplessness and a host of other career-stunting feelings affect us all at one time or another. As much as I’d love to acknowledge every individual’s situation and assure them that everything will be OK, I have to take a step back, drink a healthy dose of humility, and suggest that there are far more factors in your success, career satisfaction and work-life balance than I can possibly give an answer for. Some success is attained overnight, defying all logic. For others it may take decades, or even a lifetime of patience, determination and commitment.

Unless you have a monster for a boss who likes to micromanage every minute of your day, then the disciplines and behaviors required for achieving your career goals are largely going to be your own responsibility and doing (as they should be.)  So instead of waiting for opportunity and success to come to you, I think it’s best to take initiative and begin taking actions every day that will help improve your reputation, your career and ultimately your level of income.

Awhile back a colleague asked, “How do you keep yourself motivated?  I see that you are very energetic and working well etc. I would like some advice.”  I didn’t even try to answer in a brief Facebook chat, so I resorted to a mention of anecdotes (it takes time, insights, etc…) and headlines of the day (marriage is beneficial for your health, another security breach), at the same time assuring her that I was inspired by this question and that I wanted to make time to write down my thoughts on the subject and share them in my blog.

The short answer is that I don’t know any shortcuts to success.  Most days I struggle just like everyone else to keep up with deadlines, responding to emails, attending meetings and all the while still managing to get real work done and the like.  However, if you are willing to take the long view of your life and career, then I would offer the following habits and attitudes which have proven to be valuable to me over time. 

The long answer:

1.) Align yourself with a larger-than-life issue that you feel passionate about

I will pass on the horrible clichés which other writers have used here, namely that writing down your goals (on paper), putting them some place where you can see them (near your alarm clock, blah blah blah) and reciting them to yourself is the answer. That is bunk. What I’d wonder most about is what happens if you write down the wrong things. Have you put much thought into your life goals? It doesn’t matter if you write them down, memorize them, blog about them, or scream them from a mountain top; they are useless if they don’t help you look at what you care about most and what you’re personally capable of. Using the S.M.A.R.T. (specific, measurable, achievable, realistic and time-based) tool for setting goals is a good way to quickly tell whether you are on the right track or not. But let’s not stop there.

Many people can too easily get caught up in the aim-to-please mentality, setting priorities and goals that others expect to hear from them. But what about you? What do you want to spend *your* time doing? Make the time, frequently, to listen to your dreams and aspirations. Dream big dreams. Don’t just learn from others’ mistakes; make and learn from your own mistakes and personalize those experiences as your own success stories. Imagine being the very best in your city, in your state, and in the world at what you do, and then pursue that thing for as long as you can endure it.

As for me? I fantasize almost daily about a time when I wake up and turn on my computer and work to protect national security interests around the globe, and our people from the threats of cyber terror and cyber warfare.  So, every day that I wake up and read blogs and headlines in Google Reader about cyber terror, computer fraud and the like is a renewal of my life’s aspirations.  I don’t have to write it down to remember it.  The context is updated every day by journalists, bloggers and authors all across the country who all work for me, informing me what is happening in business, government and in the world of cyber warfare.  Talk about renewable energy sources!

This brings me to my next suggestion…

2.) Develop your appetite for reading

I was told very early by a very smart and beautiful lady who I am proud to call my mom that there isn’t much you can’t learn from reading.  I was self-taught in computer programming since the 6th grade and received straight A’s while studying German mostly due to the amount of time I dedicated to reading and self-study.  Reading is important, and in my experience it is the only way to gain a deep understanding of trends in your industry and acquire the perspectives to create value for your employer and its customers and shareholders. 

I have a daily reading schedule where essentially I have a pre-defined reading list of just over 100 blogs that I catch up on (from my mobile phone) every morning while drinking coffee and lying in bed with Cami and Molly. Blogs are excellent because you can get connected with some of the smartest people in your industry who are willing to share their knowledge and experiences, and who are almost always better trained and more relevant to your day-to-day than newspapers and books. I use Google Reader and, more recently, FeedDemon to organize, tag, star and share the most valuable posts I come across, and I refer back to them months, if not years, later.

3.) Find a Mentor

Mentors help keep me motivated, and help me to learn things about myself (strengths, weaknesses) that my friends and family might be too afraid to share. Mentors can come from unexpected places, but in every case I think it’s important to identify someone who you admire and feel you could learn things from, or at the very least who can ask challenging (and revealing) questions that get you to see problems from a new perspective. I sometimes get made fun of by my wife because often, after I buy a new book or discover a new blogger, I will email the author directly, initiating a dialogue to see what may become of it. That doesn’t mean sending a biographical sketch and a dozen questions, but rather a quick introductory note on how you are using the knowledge and skills the author writes about, which may lead to the single question that perplexes you the most. Chances are the author or blogger will see your question as a challenge and be willing to impart insights to fuel your innovation.

Once you find a mentor and see your relationships grow, so does the frequency of contact and these should come as a welcome break from being in the trenches as the “technician” in your business. The main thing is to let you spend time thinking about the big picture and receiving feedback and suggestions from somebody who has overcome the same obstacles.  That is to say, it should focus on you and your opportunity for growth and development in your career, not about ways to give more of yourself to your current employer.  As you spend time developing and refining your sense of vision and direction for your career, you will indirectly benefit your employer which can in turn lead to an internal job promotion and pay raise, a well-deserved recognition or bonus pay.

4.) Walk the halls

This and the next suggestion are about honing and developing excellent social, verbal and writing skills, without which your career will progress at a much slower pace, preventing you from being as effective a professional as you can and should be. Unfortunately the programmer stereotype of a geeky-looking guy or gal with glasses, working 15-hour days and sleeping under his or her desk, is a poor self-image to nurture. While this might be OK to do occasionally, the path to progress and accomplishment, working on personal and career-related goals, must go hand in hand with communicating clearly with those around you and developing meaningful relationships with peers and managers who can help promote and support your cause.

There is nothing like being greeted with a smile by someone who sees you infrequently, who has positive experiences with you and understands and is willing to support your “great cause” (discussed in my first suggestion) which you no doubt already spend countless hours/days/years of your career working on.  I make appointments with myself to walk the halls through my company twice per week (when I’m at HQ anyways) with the sole purpose of finding hallway conversations that can spark interesting ideas, resulting in a lunch date or a deeper conversation which can greatly help you innovate in your career.

5.) 1500 words at a time

I never really considered myself to be a writer.  In fact, for years I struggled with writing effectively and thought that any form of writing was for English majors and college students working on their thesis.  I constantly had “writers block” and dreaded being responsible for preparing documentation or email correspondence.    But at some point in time I hope you will come to realize the need for and benefits of effective writing as not merely a responsibility but much more of an opportunity for having your ideas heard by your colleagues and helping management make decisions that can have the net result of positive change in your organization.

Now with that said, your writing does not have to be like Tom Cruise in the movie Jerry Maguire writing about a moral epiphany that is going to get you fired.   Unless, of course, you feel compelled to write that way, but to be clear that’s not the style of writing I am recommending in a business context.  Writing in a plain, concise manner that primarily aims to clarify and elaborate on a given topic is a more productive style.  Occasionally there will be a need to write persuasively about something you feel strongly about, but I have found that writing more frequently in a short and informational format is more effective than ranting and complaining once per quarter.

On a final note, have fun with your writing.  I have enjoyed writing 1500 words per month for a column in a popular photography magazine, which has proven to be more beneficial to me in building the discipline and skill of writing than any material benefits it otherwise provides.  It’s a sufficient amount of space to convey ideas, to inform others and increase your influence within your organization.  So borrow from writing editorial style if it helps.  Introduce your subject by making an outrageous claim (as long as it’s true) or rendering your opinion, provide supporting evidence and then go out with a BANG!  It may feel awkward at first, but like anything, it takes practice.  The more you do it, the better you become at not only writing as a way to get work done, but also gaining authoritative expertise as seen by your industry.

So let me know what you think.  Share the love, or leave a comment.

VMware shows its prowess Cloning Oracle IdM

I grew up in a painting family and was raised by a father who was a skilled craftsman, an expert with a lifelong career in painting.  What you would expect, that our house would always have a fresh coat each season, or fresh paint at all, is far from reality.  It’s like the saying that the cobbler’s children have no shoes.  As I grew old enough to form my own values and ideals about the future, I vowed to never let my family or my children go without shoes, so to speak.  At VMware, we are pursuing the dream of IT As A Service, putting new kicks on our feet, and accelerating the use of virtualization across our own IT landscape.

And virtualize, we did.  I am involved on a crush team whose objectives include streamlining and automating the build and refresh of environments using VMware virtualization technology, EMC SRDF and BCV technologies.  Since the very beginning Oracle IdM has run on VMs at VMware except for RAC, but even now that is changing.  In spite of how compelling virtualization is for businesses and IT, it’s not as simple as running IdM on a VM.  Having hard-wired references to hostnames and PKI baked into a cloned copy makes “Instant On” a stretch of the imagination without taking appropriate steps to transform a cloned copy of, say, Production to make it operate as a completely separate and independent entity.

Cloning OID

VMware worked with some smart consultants at Identigral to create a procedure for reconfiguring a cloned instance of Oracle Internet Directory (OID) which is not exactly a supported and documented feature provided by Oracle, but is in any case effective for the purpose of rapid deployment.  This procedure gave the foundation for executing on my vision of clone automation for Oracle IdM that I shared with Identigral consultants.

Oracle’s OID Product Mgmt team reviewed the solution and suggested (as I would expect) that this is not a procedure to be used for building production instances.  Also, there is the risk that cloning OID will cause some problems with patching and upgrading.  But taking a step back and looking at why we want to rapidly build or refresh an environment in the first place, it’s for testing purposes, not to build a clean or new production environment.  So we have clearance from Oracle on OID cloning methodology, with the usual caveats.

Testing of the procedure proved its effectiveness so far in 2 of 2 exercises.  So now, we have a cloned VM, running a cloned OID, which is setting the table for either cloning OAM or installing it from scratch, or a hybrid of cloning and re-installing.

Cloning OAM

Cloning OAM is not as easy or as straightforward an approach.  There are certainly shortcuts for building any new OAM environment, or refreshing an environment (affecting only user data), but for a company whose ambition or need is to build numerous test instances for whatever reason, the argument for taking shortcuts and even automating to a certain extent is compelling.

To start, given how quick it is to install new servers, and to ensure that there are no corruptions or issues when building the core configuration, a fresh install of the OAM servers is a good safe bet.  Once the core foundation is installed, policies and configurations can then be exported from a source, let’s say a golden copy from production, and modified to fit the needs of your target environment.

Here is where the black art of Oracle IdM environment management comes into play.  Attempts by Oracle to offer a migration tool set have not been received well, so this creates room for Oracle Consulting and their partners to add value for IdM customers.  Typically, IdM consultants with years of experience have an intuitive knowledge of what should be copied from a source environment, how to massage the data, and then how to import it into the target environment, in a manual approach spanning several days depending on the environment complexity.  This is a valuable and critical competency that any IdM Administrator should have, and of course the organization that owns OAM.  Multiply this exercise of, say, 40 hours by how many environments you plan to use for testing and development in the coming year and then by $125 or more, and you come up with a figure for annualized maintenance costs just for instance management.

Extreme Cloning

Taking the project to an even more extreme level, a person could justify automating the clone procedures by writing their own scripts to export, transform and deploy on the basis that the one-time development costs are less than the annualized maintenance costs.  The ROI formula I came up with looked something like this:

  • Approx. number of hours to build OAM manually = x
  • Hourly rate of IdM Admin = y
  • Number of environments you will build this year = z

With that you can come up a figure with the following formula:  Annual instance management cost = (x*y)*z

In contrast, let’s say that we could develop and deploy scripts to automate a large portion of this work.

  • Approx. number of hours to design and build scripts to automate clone activity = x
  • Hourly rate of expert programmer who has 3+ years of IdM experience = y

Then we can perform a basic ROI measure that should allow you to calculate your break-even point.  Management will need to know how many environments would need to be built in order for the investment in clone automation to pay off.  Depending on how aggressive your IdM initiatives are, it may take more than a year of utilizing your new tool set to see any ROI, not to mention that there are opportunity costs that should be factored in.  (E.g. your expert programmer is going to be taken off of some other high priority project, which can be a setback.)
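To make the break-even arithmetic concrete, here is an added Python calculator (my own illustration, not part of the original post or any VMware tooling) that applies the two formulas above. The post’s 40 hours at $125/hr is reused; the scripting hours, programmer rate, a “residual hours” figure for manual work the scripts still leave behind, and a dollar value for opportunity cost are constructed assumptions.

```python
import math
from typing import Optional


def manual_annual_cost(x: float, y: float, z: int) -> float:
    """Post's formula: annual instance management cost = (x*y)*z.

    x = hours to build OAM manually, y = IdM admin hourly rate,
    z = environments built this year.
    """
    return (x * y) * z


def break_even_environments(script_hours: float, programmer_rate: float,
                            x: float, y: float,
                            residual_hours: float = 0.0,
                            opportunity_cost: float = 0.0) -> Optional[int]:
    """Environments the scripts must build before they pay for themselves.

    script_hours / programmer_rate are the post's second x and y (design
    and build the clone scripts). residual_hours (assumed) is manual work
    per environment the scripts do not remove; opportunity_cost (assumed)
    is a dollar figure for the project the programmer was pulled from.
    Returns None when automation saves nothing per environment.
    """
    one_time = script_hours * programmer_rate + opportunity_cost
    savings_per_env = (x - residual_hours) * y
    if savings_per_env <= 0:
        return None  # scripts never pay off
    return math.ceil(one_time / savings_per_env)


def payback_years(script_hours: float, programmer_rate: float,
                  x: float, y: float, z: int,
                  residual_hours: float = 0.0,
                  opportunity_cost: float = 0.0) -> Optional[float]:
    """Years until break-even at z environments per year (None = never)."""
    n = break_even_environments(script_hours, programmer_rate, x, y,
                                residual_hours, opportunity_cost)
    if n is None:
        return None
    return n / z


if __name__ == "__main__":
    # Constructed figures: 40 h at $125/hr per manual build (from the post),
    # 4 environments a year, 200 scripting hours at $150/hr.
    print(manual_annual_cost(40, 125, 4))              # 20000.0
    print(break_even_environments(200, 150, 40, 125))  # 6
    print(payback_years(200, 150, 40, 125, 4))         # 1.5
```

Passing a non-zero residual_hours or opportunity_cost shows how quickly the payback stretches past a year, which is the caveat the paragraph above raises.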

And to make things even more interesting, recent VMware acquisitions add even more technical capabilities that should ultimately help reduce the costs and complexity of instance management.  I’m looking forward to the assimilation of SpringSource and Ionix into the VMware virtualization platform so we can create and share templates for IdM configuration management.  Imagine configurable templates as a feature of your platform that transparently supports duplicating and managing IdM environments without the risk and cost of custom software, including having all of the appropriate monitoring (E.g. Zenoss, EM grid agents) deployed right next to it.

I’d love to hear ways you use VMware to make managing and deploying Oracle IdM easier.  Leave comments here in this blog post or send an email to steve at stevetout dot com.

Password insanity!

Authentication and password policies are the bane of my existence.  I really feel sorry for the millions of consumers who have no idea what’s going on (exactly) with the crazy and absurd requirements that companies put in place for logging in to view account balances or make payments.  Even though I have a few ideas about what’s going on, the fact that I have to call into a customer service help desk on almost a monthly basis for a password reset can only highlight that neither customers nor businesses are having much fun.  Banks and other online bill-pay sites seem compelled to make remembering passwords so difficult that I could pull my hair out.

so many password restrictions!!!

Here is the password policy of one very large financial institution… seriously?  I have and use a handful of passwords for various online accounts which I have used since the beginning of time.  Most people will run out of variations on the common pass*word* and begin to form really bad habits, making their online accounts less secure.  Writing passwords down on paper or saving them in an insecure file on my computer (which I do from time to time) undermines the very security that the policy was meant to provide in the first place.

Then there’s my wife’s headaches of working with the online account tools of a local bank in a suburb of Seattle, which forced her to have password reset codes sent to her cell phone repeatedly because the bank’s website no longer recognized the browser or PC that she used to log in.  That’s typically a problem when your identity is tightly embedded into the PC or browser via cookies or registry values that are supposed to help prevent unauthorized access.  Over the course of several days, using one of several different PCs in our house, she managed to re-verify herself and lock out her account 3 times.  What a dreadful password policy, which other smart people have undoubtedly endured….  As if we don’t have enough phone calls to make or things to do in one day. *sigh*

So what’s the answer?

Listen to your customers!   Balance end-user compassion with account security and privacy mechanisms.  Password policy need not be so complex.  Some solutions, such as Oracle Adaptive Access Manager, work on the back end monitoring login attempts based on signature files and patterns of hacking activity, which in turn can result in a huge boost of compassion for your end-users.

So what are your experiences with insane password policies?  How many passwords do you have?

My IdM Christmas Wish List

Oracle IdM by Marlin Pohlman
While I actually have enjoyed these items on my wish list for a while, they are very practical and full of usefulness and insights year after year. I use and would recommend any of the following wish list items to any colleague or friend who makes his or her livelihood through professional Identity & Access Management. Feel free to leave comments and share your wish list items with those who stumble upon my list. Thanks in advance.

Oracle Identity Management by Marlin Pohlman. This is IdM & GRC 101 as far as Oracle is concerned, folks. It’s comprehensive in scope and decidedly biased towards the incredible technology from the largest software company in the world. After giving a nice overview of each technology in Oracle’s IdM suite, it gives a comprehensive and accessible reference on governance and compliance for multi-national businesses. A must read for any IdM engineer looking to rise above his or her reputation as IdM Admin, and also for managers looking to get a better grasp of the wide ranging technology in the IdM Suite.

A Subscription to Dr. K’s blog Talking Identity – The Dr. is in and he will see you now. Here’s another wish that shows my Oracle bias. The blog contains architectural gems in the world of IdM, and is blazing trails in security and identity issues for cloud computing. Best of all, it’s free!

LDAP Browser/Editor v2.81 – Here it is. The lightest weight LDAP browser/editor on the planet (that I’m aware of) and it’s yours for free, assuming you can still find it. The internet went silent in early 2009 and the publisher’s original download URL disappeared. Where did our friend Mr. Gawor go, anyone? Anyway, the first and last thing I’d ever need to do in IdM is browse, search and edit basic information like user profile attributes, and the occasional import or export of an LDIF file. There are no schema editing capabilities, but how often does one really need that? I’ve been doing this job for 10 years and of all the tools I have used, this is at the top of my list.

Oracle Unified Method – Another one of Dr. Pohlman’s brain children, OUM is the next best thing to working with Oracle Consulting, although you may need to work with OCS to get your hands on a copy. This is a wealth of resources to ensure smooth delivery of your IdM projects. From Detailed Design, to QA, Support and Training, it’s all in there. A more or less Oracle flavor of RUP.

Microsoft OneNote – Every now and then Microsoft works out something very cool. Think Windows 7 and Zune HD for example. Love em or hate em, Microsoft is a part of (most) all our daily lives. OneNote is one tool that helps me take names and kick butt every single day. You want a business justification on the merits of OAM vs. ESSO? Meeting minutes with in-line commentary? Technical analysis and post mortem of the latest production outage? OneNote is an extension of my brain, a place to capture and share all of that unstructured data that is all around. When it’s time to compare notes, present ideas or persuade others quickly without writing a book, just Send > Email Page As PDF and go on with the rest of your day. It’s easy to use, efficient and just an amazing tool! My colleagues rarely (if ever) see anything but PDFs from me, and all by design. It’s a game of knowledge management, sharing, presenting and persuading, and for that Office in general and OneNote in particular is your new best friend.

OpenID – The value proposition for OpenID is terrific! If you tire of filling out registration forms or are challenged by remembering your password for the nth time, then it’s time for you to get your OpenID. Not that this hasn’t been tried before (Passport, anyone?), but I can’t help thinking that this time it’s going to be different. It’s not owned by Microsoft or any one vendor, is already being used by some very big hitters like Google, Yahoo, Flickr, etc… and I’m sure there will be lots more in 2010 that come on board. This nifty tool will not only save you time and headaches; for someone more career minded in the Identity and Security industry, it will help you stay engaged with and supportive of the issues that the industry faces right now.

VMware Workstation 7 – And last but not least, VMware Workstation 7 (and not because I’m an employee either *grin* ) – I can step into nearly any business regardless of size, OS, DB or App version and build a slightly replicated environment to test anything from bug fixes, interoperability issues, enhancements or upgrades. It’s an invaluable tool for anything from development to QA, and can save an insane amount of time and money on your IdM projects. I admire any company who bakes this (or VM ESX or Infrastructure) into their development lifecycle. It’s an amazing technology!

Merry Christmas, everyone!

Identity Management in an Uncertain World and Other Random Things