Discovering your “Edge” in Identity & Access Management

Any way you look at it, IAM will become an increasingly important area of focus for IT and business leaders. We need a vantage point from which to see, and better align, the IAM investment opportunities that will have the most impact on the ability of the business to compete and grow in the coming years.

Evolving The IAM Architecture

To address IAM effectively, the organization must be able to understand and engage with a dynamic, changing, and complex business environment. The IAM architecture must evolve to integrate easily with cloud applications, federate with partners, support multi-factor authentication and enrich authorization and access policies. Whether your organization likes to be agile, adaptive or lean, the IAM architecture must evolve to support the growth mindset that charges the business to increase revenues, improve efficiency, achieve regulatory compliance and embrace new operating models with the cloud and services in mind.

IT Reimagined – Better Governance Ahead

I have been seeing a lot of articles like this lately, and it seems everyone might think the sky is falling. The truth is, the smart IT guys will just move on to IT in the cloud. I really don’t think a battle is being lost here, because the business wins, and the shareholders in IT win too. As governance goes, we need better visibility and control of applications and data inside the firewall as well as across the SaaS (PaaS, IaaS, et al.) ecosystem.

I have been talking about this for a while now. If there is one thing we should be talking more about as an industry, it is that we need better governance: more talk about integration, management and security shaping our priorities, and an end to all the whining about the end of IT.

Scope for better governance

From Gustav Mahler to Identity & Access Governance

I love classical music and I love a Gustav Mahler symphony even more. Symphonies, to the uninitiated ear, can sound a lot more like noise than music. To the music lover, a symphony is an expression of art in its highest form, a source of great pleasure and beauty to behold.

One of my favorite composers of all time, Gustav Mahler, has been a source of inspiration to me since I was introduced to his work (and in particular his 5th Symphony) by the Pastorinos of Glenn, CA (Ellen is the former music teacher at Willows High School) in 1994, and that introduction fueled an interest in all kinds of classical and symphonic music. Ever since, it has been a rich source of inspiration, with interesting parallels to the career I landed in a few years later.

The arrangement of a symphony

A symphony is a complex arrangement of instruments, harmonies, acoustics and emotional content, with the players broken into groups such as horns, winds, basses, trombones, cellos and so on. In the hands of a composer such as Gustav Mahler the results are his earth-shattering 5th Symphony or his 8th Symphony, the “Symphony of a Thousand”, which takes an impressive amount of vocal talent to pull off. In The Vintage Guide to Classical Music, Jan Swafford describes the impact of his work on the music world:

After Mahler, there was little choice for composers but to cut back in scope and size.

His life’s work culminated in his competitors deciding there was no point trying to make the symphony any bigger-sounding than Mahler had. His work brings to a close the big symphony of the 19th century and opens the door to the smaller, more intimate quartets and soloists of the 20th century.

From Symphonies To Systems

Shawn Hunter, in his excellent book Out Think, draws the connection between the symphony and the complex networks of today:

Symphonic thinkers see the big picture; they look at the whole system and take their information from a variety of sources. They take a multidimensional approach to solving problems, seeing connections, and finding effective solutions.

The Internet, the connected devices and the amount of trust we place in them every single day have grown to such a profound proportion that there is no shortage of valuable targets for hackers and identity thieves to compromise in order to gain attention, information, power or money. As much effort as businesses and individuals put into protecting themselves and their stakeholder, customer and employee information, there continue to be daily revelations of new compromises, hacks, thefts and the like that undermine trust in the network, expose personal information, knock down the stock prices of public companies, force companies out of business and in some cases endanger citizens.

The systems for Identity & Access Governance are no less complex. They have risen in importance and complexity out of necessity, from the digitization of our lives and of interconnected business. Once the taste of e-commerce, social media and networked devices is experienced, it stays with those who partake forevermore. We cannot reverse the transformations that technology and the Internet have brought upon society; the force of control, profit, efficiency and knowledge is far too great for us ever to go back, short of a horrific act of terrorism or cyber war.

Choose whatever descriptive word you like for complex systems: constellation, calculus, symphony, etc. To be effective, the future demands that we have much faster and far better connected systems for managing policies, users, resources and systems, and that we adopt processes and disciplines that move us steadily toward less risk and danger than we face today. The enemy brings with it an element of surprise, so a high degree of organization and connectedness is the price of admission. Advanced systems and tools such as SIEM, honeypots, big data, access re-certification processes, adaptive and multi-factor authentication schemes, automated on-boarding and off-boarding, and what Forrester calls “Zero Trust Identity” are increasingly critical parts of the enterprise Identity & Access Governance framework.

Whether you like symphonies or not, they suggest more humanity, irrationality, unpredictability and passion, on the same emotional scale that hackers use to try to compromise your network, than any of the other metaphors do. I don’t think it’s any coincidence that Beethoven’s 5th Symphony was the soundtrack for the scene in White House Down where Skip, a black-hat hacker, has taken complete control of the military defense system. Argumentum ad absurdum, perhaps. Don’t wait for your network, applications or information to be compromised to take it seriously.

„Meine Zeit wird kommen“

Translated from German, one of the most quoted phrases we have from the life and work of Gustav Mahler is “My time is yet to come.” The future is serious. The cost of playing offense with effective Identity & Access Governance is almost always worth paying compared with doing nothing. There is nothing of value to be gained if an organization will not make it a focus and find its strategic place among corporate priorities. Gustav Mahler’s time might in fact still come if your organization keeps aggressively building its own Symphony of a Thousand Tongues. The careless ones, the slackers, the tired ones, and just maybe those who have their heads too far in the cloud, might very well end up with something more like a Symphony of Sorrowful Songs if the program is not embraced with a greater sense of accountability, focus and optimism.

Thanks, and all the best to you and your IAM program in 2014! As always, your comments and questions are welcomed in the comment section of this post.

Doesn’t Anybody Use IdM Standards Anymore?

When I am not at work thinking about solving tough issues in Cloud & Enterprise Identity & Access Management, I have music on my brain. Music has a way of calming frayed nerves, yet it also has a way of inspiring moments of pure genius. This is one of those times for me. Or maybe not: you be the judge.

Phil Collins

Doesn’t anybody stay together anymore
I wonder why, doesn’t anybody stay together anymore
Oh I wonder why, doesn’t anybody stay together anymore

   – Phil Collins Doesn’t Anybody Stay Together Anymore

For the past two months I have been working with security gateways for integrating disparate systems via a token exchange service. These devices go by many different names: Access Bridge, STS, Concierge service (shout out to Peter Davis/Neustar and Chuck Mortimore/SFDC for that one, during a brainstorming session I convened at IIW here), or however you want to call it. Try as we might to get every business on board with SAML2, OAuth2, OpenID Connect, et al., it is not practical to expect that any one of these protocols will, at some point in the near future, enjoy ubiquitous success across the entire Internet (cloud, enterprise, mobile). As Sir Phil Collins might opine if he were part of the Identerati: Doesn’t anybody use IdM standards anymore?

Give me a clue! What will I choose?! What will I choose??!!

This past weekend on a daddy/daughter outing with my brilliant 5 1/2 (almost 6) year-old daughter Molly, we made a stop for some candles at Pier 1 – notoriously one of daddy’s favorite stops. Molly was on her knees in the tiny little toy section, obviously conflicted about whether to spend her last $2 on a gift for her mommy or her daddy. I heard her singing (what I thought to be the lyrics to a musical of some sort but which turned out later to be her own improvised lyrics) “Give me a clue. What will I choose? What will I choose?” and I was immediately drawn into her world of conflict.

On any given day, that is the lyric of my life when evaluating vendors or projects that want to integrate with VMware Horizon and don’t support SAML, or when trying to find a way to scale partner SSO without bringing SFDC into the picture. My fellow VMware employees may hear me singing my daughter’s lament down the hallways at Hilltop: What will I choose?! Standards? Custom integration? Vote against the project? That is a lot like how an IT shop really works, or did until now. Now that we have choices via an STS (access bridge, service gateway, etc.), we no longer have to limit ourselves to supporting and standardizing access control on a single protocol. So the question I pose to the Identerati specifically and the industry in general is: do IdM standards even matter anymore when we can use an STS or an access bridge to integrate disparate systems that speak different access protocols?
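The access bridge described above, reduced to its essence, as an added example (this is not the author's code, nor any VMware or Salesforce product): a partner identity provider issues a token addressed to the bridge; the bridge checks issuer, signature, audience and lifetime, then mints its own short-lived token for an internal application that trusts only the bridge. The request and response shapes follow RFC 8693 (OAuth 2.0 Token Exchange). The issuer URLs, secrets and the internal audience are made up for the example, and HS256 with a shared secret stands in for the asymmetric keys and JWT library a real deployment would use. The page's point, that the application need not speak the partner's protocol, shows up as the trust store keyed by issuer: supporting a second inbound token type means adding a verifier there, not touching the application.

```python
"""Minimal token exchange service ("STS" / "access bridge"), RFC 8693 style.
Added example; every name, URL and secret below is constructed, not real."""
import base64
import hashlib
import hmac
import json
import time

# --- Constructed configuration (assumptions for this example only) ---
BRIDGE_ISSUER = "https://bridge.example"
BRIDGE_KEY = b"bridge-signing-secret-for-example-only"
INTERNAL_AUDIENCE = "https://app.internal.example"
PARTNER_ISSUER = "https://idp.partner.example"
PARTNER_KEY = b"partner-shared-secret-for-example-only"
# Trust store: issuer -> (verification key, audience that issuer must address).
# A second partner or token type is one more entry here, not an app change.
TRUSTED_ISSUERS = {PARTNER_ISSUER: (PARTNER_KEY, BRIDGE_ISSUER)}

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"
TOKEN_LIFETIME = 300  # seconds the bridge-issued token stays valid


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact-serialize an HS256 JWT (stand-in for a real signing key)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def parse_jwt(token: str):
    """Split a compact JWT into raw parts plus decoded header and claims.
    Nothing is verified here; callers must verify before trusting claims."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:  # bad base64, bad JSON, or wrong number of parts
        raise ValueError("malformed token") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    return h, p, sig, header, claims


def verify_jwt(token: str, key: bytes, expected_aud: str, now: float) -> dict:
    """Verify algorithm, signature, audience, lifetime and subject; return claims."""
    h, p, sig, header, claims = parse_jwt(token)
    # The algorithm comes from our configuration, never from the token, which
    # rules out "alg": "none" and algorithm-confusion tricks.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    if claims.get("aud") != expected_aud:
        raise ValueError("token is not addressed to us")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token expired or not yet valid")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def verify_inbound(token: str, now: float) -> dict:
    """Pick the key by an issuer we already trust, then verify the token."""
    _, _, _, _, claims = parse_jwt(token)
    entry = TRUSTED_ISSUERS.get(claims.get("iss"))
    if entry is None:
        raise ValueError("untrusted issuer")
    key, expected_aud = entry
    return verify_jwt(token, key, expected_aud, now)


def token_exchange(form: dict, now: float = None) -> dict:
    """Handle one token-exchange request (form fields as a dict); return the response body."""
    now = time.time() if now is None else now
    if form.get("grant_type") != GRANT_TYPE:
        return {"error": "unsupported_grant_type"}
    if form.get("subject_token_type") != JWT_TYPE:
        return {"error": "invalid_request", "error_description": "unsupported subject_token_type"}
    try:
        inbound = verify_inbound(form.get("subject_token", ""), now)
    except ValueError as err:
        return {"error": "invalid_grant", "error_description": str(err)}
    audience = form.get("audience", INTERNAL_AUDIENCE)
    if audience != INTERNAL_AUDIENCE:
        return {"error": "invalid_target"}
    # Mint a short-lived token for the internal app. The originating realm stays
    # in the subject so two partners' "alice" accounts can never collide.
    claims = {
        "iss": BRIDGE_ISSUER,
        "sub": f"{inbound['iss']}#{inbound['sub']}",
        "aud": audience,
        "iat": int(now),
        "exp": int(now) + TOKEN_LIFETIME,
    }
    return {"access_token": sign_jwt(claims, BRIDGE_KEY), "issued_token_type": JWT_TYPE,
            "token_type": "Bearer", "expires_in": TOKEN_LIFETIME}


if __name__ == "__main__":
    t = int(time.time())
    partner_token = sign_jwt({"iss": PARTNER_ISSUER, "sub": "alice", "aud": BRIDGE_ISSUER,
                              "nbf": t - 5, "exp": t + 60}, PARTNER_KEY)
    print(token_exchange({"grant_type": GRANT_TYPE, "subject_token_type": JWT_TYPE,
                          "subject_token": partner_token}, t))
```

Two design choices matter more than the rest. The bridge never lets the inbound token choose its own verification key or algorithm; both come from the trust store, so a forged header cannot downgrade the check. And the token it issues is scoped to one internal audience with a five-minute lifetime, so a partner token, however long-lived, never becomes a long-lived internal credential.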

Come As You Are

Kurt Cobain

Come as you are, as you were
As I want you to be
As a friend, as a friend
As an old enemy

   – Nirvana Come As You Are

And then it hit me again: another lyric that resolves all the mysteries of the IAM universe, brought to us by alternative-music royalty Kurt Cobain in his immortal words.

So I couldn’t help imagining that this ought to be our philosophy when it comes to designing an access control system for a multi-billion dollar, multi-national enterprise such as VMware and others out there. How do you think 85% of the virtualization market would respond if VMware restricted the ability to log in to the vSphere console or the My VMware portal to an X.509 certificate or a biometric credential and nothing else? This concept was perhaps first ingrained in my head during a conversation I had with the brains behind the Salesforce.com Identity platform, Chuck Mortimore. His emphatic recommendation, as far as I can recall, was to always keep it based on the URL, as if to say that he has achieved a sort of protocol-agnostic, nirvana state for authenticating users into Salesforce. If you are an SFDC developer or have talked with Chuck about this topic before, then I trust that you, too, find some merit in his argument. You can access your apps and data at SFDC however you want, as long as it’s username/password, SAML, OAuth, OpenID Connect, et al. If you cannot choose one protocol, why not choose them all? With many different products in today’s marketplace, there is a mind-numbing amount of access protocol support for authentication nicely wrapped into a soft appliance.

Come to Me, all who are weary and heavy-laden


And then it also occurred to me: if Jesus were one of the Identerati, do you think he would say “Come to Me, all who are weary and heavy-laden, and I will give you rest,” as though inviting closure to the on-going debate over access management standards and freeing up some of the bright minds working this age-old problem to work on new challenges? Maybe there is a role-based access governance problem that is worse off than the state of access protocols. When is the last time you ran an access re-certification or access audit in your organization? Is your privileged access management program a sound and effective one?

So that, then, is how I presume the world of Identity & Access Management to be according to three celebrities from the ancient and modern worlds: the world of IAM according to Sir Phil Collins, Kurt Cobain and Jesus. I will be headed to the Gartner IAM conference in November if any of you want to meet up and debate the fine points of the intersection of IAM, music and theology.

If you are passionate about this subject and have a unique perspective to add to this thread, will you please do so?