Rants, raves, and musings about Identity from the Old Man in the Corner, Dave Kearns.
|
About Dave Kearns IdM Journal Wired Windows Dave Kearns' Fusion newsletters on:
|
Tuesday, July 01, 2008
The role of rolesIan Glazer has just released his first post since signing on with the Burton Group, and it's a good one, about the wrong-headed notion which appears to be taking hold in the market place that roles and role management are needed before provisioning can occur. As Ian puts it:Implicit in the idea that an enterprise cannot attempt user-provisioning because it is not ready for role management is the notion that user provisioning has no value to the enterprise without role management. This is an outdated argument that is simply not true.In fact, the opposite is true - roles, while not requiring it, will benefit from a good provisioning implementation. Look at it this way, even without computer-based Identity Services people need to be provisioned into the resources they will use. eProvisioning simply automates that task. While the concept of roles may be present, roles-as-a-tool is only useful within a digital context. Acquiring, piloting, prepping and rolling-out provisioning services should really be a no-brainer decision, especially today - almost 10 years after eProvisioning was first introduced - when so much of the setup and rollout is scripted, wizard-ed, template-ed and cookie cutter-ed. It's easy to demonstrate the efficiency gains (and the budget gains) from provisioning apps & services. There's also the fact that the successful launch of a provisioning service establishes a baseline and a platform for creating the rest of a full-blown identity services implementation, even beyond role management. Govenance, Risk Management, Entitlement Management, Security Audit, Simplified Signon, Priveleged Account Management and more have a much better chance of being successful if they follow a well executed provisioning rollout. Labels: Burton Group, provisioning, roles Friday, May 16, 2008
New tricks and old toolsKim Cameron follows up on Clayton Donley's post with some thoughts of his own. And ends by quoting Clayton:"The real solution here is a combination of virtualization with more standardized publish/subscribe for delivery of changes. This gets us away from this ad-hoc change discovery that makes meta-directories miserable, while ensuring that the data gets where it needs to go for transactions within an application." and adding: " As soon as applications understand they are PART OF a wider distributed fabric, they could propagate changes using a publication pattern that retains the closed-loop verification of self-converging metadirectory. " I couldn't agree more with these two erudite gentlemen. Unfortunately, today's applications, and especially yesterday's applications still hanging around on our networks, but even tomorrow's applications for some time to come won't be written to be a part of a "wider distribution fabric," especially as that fabric doesn't yet exist in any meaningful way. And, as Kim said in an earlier posting, "Here’s the problem. Infrastructure people cannot dictate how application developers should build their applications. " We can build the infrastructure that will excel in a publish-subscribe world, but getting the apps developers to buy in to that model, well, that's something else. I'm all for building the infrastructure and plumbing of the future, but we need to adapt today's tools so that we can get the job done while waiting for the new plumbing. Labels: Identity Bus, Identity Hub, metadirectory, virtual directory Monday, May 12, 2008
optimization and expenseNeil Macehiter comments on the last post:But the issue is not with the language you use to perform the query: it's where the data is located. If you have data in separate physical databases then it's necessary to pull the data from the separate sources and join them locally. So, in Kim's example, if you have 5000 employees and have sold 10000 computers then you need to pull down the 15000 records over the network and perform the join locally (unless you have an incredibly smart distributed query optimiser which works across heterogeneous data stores). This is going to be more expensive than if the computer order and employee data are colocated. The "expense" is there no matter how you do it. Putting all of your potentially useful data in one RDBMS is incredibly wasteful of storage space and comes at the cost of slowing down all queries. It also means that synchronizations need to be done almost constantly in order for the most up to date data to be available, a network "expense". But the search can be optimized before any data is pulled. For example, query the HR database for the lowest employee number issued after the first date you're interested in (assuming that employee numbers are issued sequentially). Then query the orders for PC purchases by that employee number or higher. Yes, it's two steps, but it's also faster than pulling down all the records to do a local join. And, I hold, less "expensive" than maintaining a huge silo of all potentially useful data. Labels: Identity Bus, Identity Hub, metadirectory, virtual directory Getting more violent all the timeThe distinguished Mr. Cameron has restated what he thinks is our major disagreement over synchronization and replication of identity data on the so-called "identity bus." He says:"Sometimes an application needs to do complex searches involving information 'mastered' in multiple locations. I’ll make up a very simple 'two location' example to demonstrate the issue: What Kim fails to note, however, is that a well designed virtual directory (see Radiant Logic's offering, for example) will allow you to do a SQL query to the virtual tables! You get the best of both: up to date data (today's new hires and purchases included) with the speed of an SQL join. And all without having to replicate or synchronize the data. I'm happy, the application is happy - and Kim should be happy too. We are in violent agreement about what the process should look like at the 40,000 foot level and only disagree about the size and shape of the paths - or, more likely, whether they should be concrete or asphalt. Labels: Identity Hub, metadirectory, virtual directory Saturday, May 10, 2008
The COBOLization of LDAPIn a panel discussion at the recent European Identity Conference I referred to LDAP (Lightweight Directory Access Protocol) as "The COBOL of Identity." It came amidst a discussion of future identity-sharing protocols and was intended as 1) a cheap laugh; and 2) as a short, memorable way of saying that LDAP would always be with us.I mentioned it again in a newsletter about the show ("Building an Identity Bus, Part 2") which has now been misread by a couple of people, so let me set the record straight. Jeff Bohren writes: "That’s cute, but not terribly accurate. COBOL has had competing languages almost from the very beginning. If you chose to use COBOL, you did so because you felt it met your requirements better than the other existing alternatives. So Dave, what is the alternative to LDAP today? What will it be in 5 years?" That was the point, Jeff - that, like COBOL, LDAP will always be with us. Clayton Donley opines: "There's no pressing need to get rid of LDAP in existing applications. None at all. It works. The applications support it and will continue to support it indefinitely. Exactly. It does seem that when a bold thought is made as an pithy, somewhat humorous statement that it's seen as some how denigrating the subject. so let me say it once again - Like COBOL, LDAP is so deeply ingrained in our computing arsenal that it can never be entirely replaced. Now since one is a programming language while the other is a protocol the analogy will break down upon close inspection. But I will stand by it. Labels: LDAP Friday, April 11, 2008
A herring of a different colorYou almost had me, Kim. I read your latest entry and was ready to share that olive branch. Right up to the last paragraphs when you say (about me):"...He keeps saying I propose 'a directory that gathers and holds ALL the data from ALL your other directories.' Dave, this is just untrue and unhelpful. “ALL” was never the goal - or the practice - of metadirectory, and you know it. The goal was to represent the 'object core' - the attributes shared across many applications and that need therefore to be kept consistent and synchronized if stored in multiple places. Our other goal was to maintain the knowledge about what objects 'were called' in different directories and databases (thus the existence of 'connector space'). Basically, the ”ALL” argument is a red herring..." Not at all. Let's step back a pace or two, or a posting or two, and think about the reasons for having this meta/virtual directory. Yes, it helps to normalize the data and keep it in sync. But if that were all, than a couple of keyboard monkeys could handle the chore and, at least in the case of normalization, could do it more quickly than a semi-automated process. But the real reason we want to do this is so that identity data is available to applications. Available to them using a single vocabulary and a single protocol. Not that there can't be multiple vocabularies and protocols, but any one application would only need to use one of each - each application programmer would only need to use the vocabulary and protocol she was most familiar with. But for this to be effective, the programmer needs to know that any identity data they need is available through this mechanism. And the only way any data can be available is if all data is available. The identity data must be pervasive and ubiquitous - available whenever and wherever you need it. From the application's point of view, it should appear to be a single silo but in reality, the data will be distributed throughout the fabric of the network both within and without the enterprise, the identity provider or other data store. The promise of the meta/virtual directory is that it can serve up the current, correct data on demand from wherever it resides. And to do that, it has to aim to provide all identity data. Now, to forestall some people, let me add that the security of this system is a given- there need to be strict and fine-grained access controls for the data. There need to be well designed mechanisms allowing for whoever controls a bit of data to authorize its release. Without these things the system is useless because no one would use it. But this systems needs to aim to have available all identity data, every conceivable bit of it. Because without that, the application programmer can't be sure that the bit he needs is there and so will set up alternative storage for the bits that that application needs. We're not there yet, but we need to go that way. Labels: enterprise, IGF, metadirectory, virtual directory Wednesday, April 09, 2008
Your mother was a hamster and your father smelt of elderberries!Here I'd thought I'd offered Kim Cameron a bit of an olive branch in the virtual/meta/uber directory discussion. But did he take it? Yes, he did, then attempted to whack a bunch of folks about the head and shoulders with it!In a further attempt to clarify what he meant, Kim says: "By 'next generation application' I mean applications based on web service protocols. Our directories need to integrate completely into the web services fabric, and application developers must to be able to interact with them without knowing LDAP." Why Kim feels that LDAP is beyond the ken of today's application developers is beyond me, but the darker part of this is that he seems to say that only through the use of the Microsoft-controlled WS-* protocols (you can read their propaganda at their web site) can this be achieved. Nonsense. Still, if any developers feel that only XML based scripting is acceptable to use, then I'd suggest they consider the very good LDAP replacement, DSML which has, sadly, languished for a number of years. Or there's SPML (for provisioning services). Even XACML could be used (although it would need a bit more work). The point is that there are open protocols, openly arrived at, that will do the job and today's application designers are bright enough to know how to use them. I'm reminded by Phil Hunt's post on this issue that his work on the Identity Governance Framework, now an OpenLiberty project, also satisfies the requirement of open protocols, openly arrived at. Labels: IGF, liberty alliance, metadirectory, saas, virtual directory Monday, April 07, 2008
Another one bites the dustWell, that might be too strong, but another veteran independent Identity vendor has been acquired. M-Tech announced today that Hitachi had acquired a majority interest in the Calgary, Alberta firm.M-Tech owns a large segment of the provisioning business in Canada, especially government (federal and provincial) provisioning. But beyond provisioning, M-Tech (now officially called Hitachi-ID) offered the full panoply of the Identity suite - password management, authentication and authorization, role management, audit and entitlement, etc. It'll be interesting to see how long it takes Hitachi to digest the acquisition (I don't think it will be very long) as well as how this will change the playing field (especially in Asia) for Sun, IBM and the others in this space. It could get very interesting. Labels: acquisition, enterprise The blind philosophes of IdentityKim has now responded ("Through the looking glass") to my Humpty Dumpty post, and we're beginning to sound like a couple of old philosophes arguing about whether or not to include "le weekend" and "hamburguer" and other Franglais in the French dictionary.We really aren't that far apart. In his post, Kim recalls launching the name "metadirectory" back in '95 with Craig Burton and I certainly don't dispute that. In fact, up until 1999, I even agreed somewhat with his definition: "In my world, a metadirectory is one that holds metadata - not actual objects, but descriptions of objects and their locations in other physical directories." But as I continued in that Network World column: "Unfortunately, vendors such as Zoomit took the term 'metadirectory' and redefined it so it could be used to describe what I'd call an überdirectory - a directory that gathers and holds all the data from all your other directories." Since no one took up my use of "uberdirectory," we started using "metadirectory" to describe the situations which required a new identity store and "virtual directory" for those that didn't. So perhaps we're just another couple of blind men trying to describe an elephant. Labels: Burton, identity, metadirectory, virtual directory
|
|
![[Powered by Blogger]](http://buttons.blogger.com/bloggerbutton1.gif){kind=small}