Monday, January 04, 2010

Identity & Access Management Predictions For 2010

I should point out that I am not psychic. I haven't found a way to see into the future just yet. (If I had managed to do that, I'm quite sure I wouldn't be writing this article!)

Identity and Access Management has promised much in recent years and in the case of Identity Management, the promise has yet to be realised in a lot of deployments. I hear potential customers making claims that there has never been a successful identity management project and any organisation intent on attempting to realise the benefits of such a project is doomed.

Thankfully, I have been involved in many successful deployments that have realised some, if not all, of the anticipated benefits. The problems I've seen have typically been political issues rather than technical issues. Does that sound familiar?

It would seem to me that there is a disconnect between what technology can offer, what businesses can afford and the political will-power to ensure that an IAM programme will succeed. Which brings me on to my predictions...

1. Ding-Ding - Round 2
The early adopters of IDM technology went through the pain and heartache of spending big on new technology in an effort to leverage their legacy technology in the "always connected" world. Their 18 month programmes a number of years ago are probably starting to provide some benefit around about now and the political collateral required to leverage their infrastructure will be in place because it has become too darn expensive to rip out all that kit that was deployed all those years ago. In other words, the initial hype surrounding the technology that was followed by disillusionment is now starting to pay for itself.

The rotation of staff around the various enterprises that exist will ensure that every enterprise now has "someone" in their team who has been involved in a successful IDM deployment. These people will become crucial in pushing their new employers down the path of embracing IDM as a workable solution.

2. Risk
I'm on thin ice with this one but the days of locking down everything because a manual said it could be locked down are disappearing. We used to live in a world which had adopted the 80/20 rule. An 80% delivery rate on a project was usually enough to get businesses working effectively and the remaining 20% was usually too expensive and made a mockery of the original business case. I see those days returning. For example, a two-factor authentication system for high-net worth banking users or treasury departments may be a great idea bearing in mind the risk of a security breach for either user but such a system may not be necessary for the thousands of people who only have a few coppers in their deposit account.

The same rule can be applied within the enterprise as well. Do we want to lock down our enterprise systems to the point where they become difficult to use? Do we want our users fed up with the tedium of trying to do their job with a system that seems hell-bent on preventing them from doing so?

IT Security professionals will finally find the word pragmatism in their dictionary and understand that they are there to help rather than hinder.

3. Personal Ownership
For many, the notion of an Identity Management System may seem crazy. Surely it is up to the individual to manage their identity properly rather than delegate such responsibility to a "system". 2010 will see IT users taking ownership of their identities (and not just those binary-speaking geeks we all like to poke fun at). Real people performing real duties in the real world will start to take more care of their online persona. Facebook and Twitter have become vital tools - they are no longer being used to merely jabber on about what was on television the previous night!

Most people are sensitive about how others perceive them. Now is the time to protect our online personae. It is time to manage our own identities.

4. Compliance
Enterprises need to demonstrate that they have control over their processes. In a nutshell, that seems to be what Sarbanes Oxley is all about. How an enterprise demonstrates their control, however, is up to the enterprise. Quill and Parchment record keeping may actually suffice.

There are tools available which can help an enterprise keep control over its systems. Identity Management systems typically look after the provisioning aspect of a system and can certainly be beneficial in achieving compliance. But what about those systems that aren't managed by such a clever tool? Log file scraping and database dumps can provide an auditor with the necessary data to determine how an application is being managed but unless she is super-human, she will need an analysis tool to help her make sense of the information.

Compliance has always been a tricky topic because there are legacy bespoke systems which contain data that nobody else on Earth could possibly understand. How do you build a tool capable of analysing information from every possible application without major customisation and significant up-front consultancy fee hell? How can "SOX IN A BOX" be achieved?

This year should see the major vendors of IDM solutions attempt to address this area.

5. The Cloud
I've written about "The Cloud" before and 2009 has already seen a quickening in pace of Cloud Services and IDM solutions specifically for The Cloud. I can see one or two niche players operating in the "IDM proxy" world being gobbled up by the big boys.

Until now, enterprises have attempted to manage access to The Cloud from within their perimeter. 2010 will see the start of a mirror-imaging of this approach, i.e. The Cloud will start to manage access within the enterprise.

Conclusion
The above five predictions are safe bets, to be honest. All of these things are already happening so I guess my predictions aren't really predictions. Maybe they are "realisations"? This year will be the year that the IT user base will become more aware of the above.


Wednesday, December 02, 2009

The Power Of Twitter & God's IT Usage

When I posted my musings on "Identity & Access Management In The Cloud" the other day, I did something I don't normally do. I advertised the fact that I had posted something via Twitter.

Now, my blog is mainly a way of recording my own thoughts as I travel through space and time and I treat it like an online diary that I can look back on with fondness. I don't really expect anyone to read the stuff. I certainly don't expect anyone to agree with my thoughts. And the notion that people would even take the time to comment on the ramblings never entered my head. But then there was Twitter!

My "tweet" mentioned the words identity, access, management and cloud and seems to have been picked up by quite a large number of people - comparatively speaking! I had 3x more visitors in one day than I normally do in a month!

If anything, this turn of events impresses upon me the following:
  • People are interested in the Cloud
  • People are interested in security when it comes to the Cloud
  • If people are interested in what I have to say, I need to be very careful what I say!
That last one might seem strange, but I've always been careful with my online persona - I think. I don't use bad language whether it be within my blog entries, on Twitter, on Facebook or wherever. There's no need for it and we should remember that it's permanent! I'm also a little nervy about writing anything that is controversial. (I guess I just wanna be loved and can't bear the thought of upsetting anyone?) In other words, my reputation is obviously very important to me.

Facebook & Twitter
There have been a lot of online discussions surrounding the management of identity with regards to online services such as Facebook & Twitter. While enterprises won't be too impressed with this notion, it is quite understandable that the likes of Facebook & Twitter could emerge as identity provider kings! I can't afford to have my Facebook account suspended and I certainly don't want my Twitter feed to suffer any kind of service interruption. As such, behaving appropriately when using these services is important to me. And, of course, because I'm a well behaved boy on these services, there's a good chance that they could be used to assert my identity quite faithfully.

Think about it. Would I be keen to authenticate myself to a dubious website using my reputable Facebook credentials? Reputation management, for me, is just as important as identity management (if not more so).

God
DISCLAIMER: If Pope Benedict and Richard Dawkins were lined up in the school playground pulling together their "gangs", I'd line up behind Dawkins. Sorry Benny.

Someone told me today that they doubted whether they would make it to heaven because they reckoned that God's choice of IT components would be akin to how governments go about their purchasing of IT components. It got me thinking...

  • Would God choose Oracle, DB2, MS SQL Server or MySQL? Nobody ever got fired by buying IBM, but who could fire God?
  • Would God choose Windows, AIX, Solaris or Linux for his servers?
  • Would God go Mac?
  • Would God deploy IIS or WebSphere?
  • Would God embrace open-source?

And what about Dawkins? Presumably he would prefer to select IT services based on the survival of the fittest model?

I'm having a laugh, of course. But the selection of any IT component can't possibly be determined to be right or wrong based on the component itself. It can be determined to be right or wrong based on how it interacts with the user and other IT components but I can't tell you that Macs are better than PCs. I can't tell you that Apache HTTP Server is better than Sun's offering. I can't tell you that PHP is better than Python which is better than COBOL which is better than C#, etc.

And the point? Well, I was asked yesterday whether I could help a customer select a database vendor and the options were Oracle and IBM. My answer? Technically, I come from the "a DBMS is a DBMS" school of thought. The real questions are:
  • Do you have in-house skills in one of the technologies?
  • Do you have existing relationships with either vendor?
  • What is the cost to you - TCO-wise?


Technically? Maybe I'm past caring. The "religious" questions are so much more important!

NOTE: The answer is DB2. No. Oracle. No. MySQL. Yeah. That's the one. Oh. Maybe not :-)


Wednesday, May 13, 2009

Self Promotion

I had the pleasure of attending a wonderful wedding at The Manoir last weekend.

I was fortunate to be asked to be "Best Man" at the event. Of course, I had to give a speech which was quite nerve-racking but it went down a storm.

Speaking at such an event is a great way of getting introduced to people. Everyone came to me after I had spoken to congratulate me and tell me how much they enjoyed what I had to say. Would they have been so eager to speak to me if I had been a mere mortal at the event?

So lots of strangers spoke to me and the usual conversation ensued: "How do you do?"; "Nice weather, isn't it?"; "What do you do for a living?".

Normal run of the mill stuff you might think and you'd be right. However, I did get some interesting questions:
  • How do you get business and how do you promote yourself?
  • How do you keep on top of your reputation?
  • Would you be my friend on Facebook?

I guess the answers to these questions differ depending on the business that you are in, but for me, getting business and self-promotion is all about the following:
  • Reputational enhancement through constant delivery
  • Ensuring the right people are made aware of the delivery success
  • Promotion through social networking (LinkedIn, Twitter, Website, Blog, etc.) and being careful what I say on each medium
  • Standing up in front of people and speaking - getting noticed

Indeed, giving a Best Man's speech, while important for the recently married couple in question, is another means of self-promotion I guess - unless you make a mess of it!

So how do I keep on top of my reputation? Time... might just take a few minutes each day to post to Twitter; maybe 15 minutes to write a blog entry (like this?); and just a few moments each month to check that my website is still relevant.

It doesn't take much and there really is no excuse for people allowing their reputation to waver!

As for being a friend on Facebook? Again, it might be reputationally damaging for me to be friends with certain people - I don't do too many randoms! Gain my trust first please.


Sunday, February 08, 2009

Socialising

So I have my Facebook account (which I actually like using); a Bebo account (which I never look near); a Twitter account (which I've only just started using in order to find out what the fuss was about); a LinkedIn account (which is useful for my career); a Blogger account (thus this posting); a Plaxo account (in an attempt to synchronise my contact details across my various client machines); a Flickr account (which I rarely use and may be tempted to ditch in favour of Picasa); a Friends Re-United account (which doesn't seem to be a school friend hook-up tool anymore).

What I have created, however, is a social network which is difficult to maintain! I want to be able to find out what my friends are doing and tell them what I am doing. Facebook seems to fit the bill in that regard, though I guess Twitter would probably achieve the same thing.

I'm not into the Facebook applications to be honest. "What's Your Real Age" and "What Lord Of The Rings Character Are You" may seem like fun, but they are fairly trivial and quite frankly a waste of time. So I find myself updating my status and writing on friends' walls (though mainly updating my status).

I've managed to get Twitter to update my Facebook status automatically which is great and I've installed a Twitter addon to Firefox which allows me to update my status through the address bar.

All fine and dandy but...

When I signed up to Twitter, I managed to get a "follower" immediately. A pretty young girl from somewhere I've never been to. Why was she interested in me? My first posting said something like "This is my first posting" so it can't be for the intellectual stimulation I provide. Ulterior motives, for sure.

I get friend requests through Bebo from people I've never met. Friend requests from people who were in my year at school (though I never spoke to them then and can't think why they feel the need to speak to me now).

Do social networking sites actually have a negative impact on our sociability? I'm guessing if I write on someone's wall, then I can feel that I've "connected" with them to an extent which removes any obligation to actually go and visit!

I'm also guessing that my "school chums" want to connect with me in order to get their friends number as high as possible? (For the record, I have about 20 friends on Facebook which I think is a lot bearing in mind that I probably only have 2 or 3 friends and they don't even use Facebook!)

The really concerning thing for me, however, is that these applications communicate with each other and share my user details. If one of these applications gets compromised, I may be in bother! A Google search of my name yields some very disturbing results. Some results are links to pages I have created either on my personal website, this blog or LinkedIn. Some, however, have been created automatically by sites that have skimmed information from my primary sites without my permission. Even though I only have a couple of friends and just a handful of acquaintances on Facebook, it seems that I am a fairly popular guy net-wise.

Herein lies the problem. I want to use these tools to connect with a select few people and while these tools manage to do that, I can't help but worry that too many of my personal details are now public knowledge.

Right... I'm off to tell Twitter that I've blogged some old nonsense in the hope that Twitter will update Facebook with a link to this post!


Friday, February 09, 2007

Within Six Degrees?

There is a saying that we are within "six degrees of everyone in the world". At least, that was the saying when I was growing up and we believed there were 4 billion people on the planet - maybe it is seven now!

Anyway, knowing someone, who knows someone else, who knows someone else, etc., etc. seems a little fanciful, doesn't it? Not really...

I found out recently that I am only 3 degrees away from David Kearns - a man whose work I read every week and I have the utmost respect for, though sadly, I have no contact with. Having said that, I did sit beside him at lunch one sunny day in 2004 at an Identity Conference in Sydney, Australia!

How did I find this out? http://www.linkedin.com/ that's how!

I know someone, who knows someone else, who knows David. Judging by the number of contacts David has on LinkedIn, I might be only four degrees away from everyone on the planet.

Anyway, http://www.linkedin.com/ is quite a powerful tool in that only people I truly respect and trust are listed as my contacts. I'm quite sure this is true of most people who use http://www.linkedin.com/. Why is this relevant? Well, the ability to verify who you are isn't just a matter of producing a passport, or entering a UserID/Password into a keyboard, or typing a PIN into a "hole in the wall", or using any of the myriad of authentication devices available today. In the old days, verifying your identity could have been as simple as having someone else "vouch" for you.

This still occurs today to some degree - joining some exclusive clubs is more a matter of who you know rather than who you are or what you know! Password resets could potentially be performed in the work-place not by the forgetful employee herself, but by her colleague who is already trusted (although ideally, two colleagues).

Can we computerise the concept of a vouch-for authentication system in the future? Maybe. And maybe, it will be social networks like http://www.linkedin.com/ that will hold the key. After all, I'm not going to let any Tom, Dick or Harry be listed as a contact against my name! My identity is too precious to have it be let down by some unsavoury type!
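The two-colleague password reset described above can be sketched in a few lines. This is an added example, not code from the original post; the user names, the pre-registered contact lists and the 15-minute expiry are assumptions made for illustration.

```python
import time

REQUIRED_VOUCHERS = 2        # the post's "ideally, two colleagues"
VOUCH_TTL_SECONDS = 15 * 60  # assumption: a vouch goes stale after 15 minutes

# Constructed sample data: contacts each user chose *before* any reset was needed.
TRUSTED_CONTACTS = {
    "alice": {"bob", "carol", "dave"},
    "mallory": {"alice"},    # mallory lists alice; alice does not list mallory
}


class ResetRequest:
    """One pending password reset for `subject`, approved only by vouches."""

    def __init__(self, subject):
        self.subject = subject
        self.vouches = {}    # voucher name -> time the vouch was given

    def vouch(self, voucher, voucher_authenticated, now=None):
        """Record a vouch and return (accepted, reason)."""
        now = time.time() if now is None else now
        if not voucher_authenticated:
            return False, "voucher has not authenticated"
        if voucher == self.subject:
            return False, "cannot vouch for yourself"
        if voucher not in TRUSTED_CONTACTS.get(self.subject, set()):
            return False, "not one of the subject's pre-registered contacts"
        self.vouches[voucher] = now  # a repeat vouch refreshes, never double counts
        return True, "accepted"

    def approved(self, now=None):
        """True once enough distinct, unexpired vouches exist."""
        now = time.time() if now is None else now
        fresh = [v for v, t in self.vouches.items() if now - t <= VOUCH_TTL_SECONDS]
        return len(fresh) >= REQUIRED_VOUCHERS


def demo():
    """Walk one constructed reset for alice; return the decision at each step."""
    req = ResetRequest("alice")
    return [
        req.vouch("alice", True, now=0)[0],       # self-vouch is rejected
        req.vouch("mallory", True, now=0)[0],     # alice never listed mallory
        req.vouch("bob", True, now=0)[0],         # first trusted colleague
        req.vouch("bob", True, now=10)[0],        # same colleague again: still one vouch
        req.approved(now=10),                     # not yet, only bob has vouched
        req.vouch("carol", True, now=60)[0],      # second distinct colleague
        req.approved(now=60),                     # two fresh vouches: approved
        req.approved(now=60 + VOUCH_TTL_SECONDS), # bob's vouch has since expired
    ]


if __name__ == "__main__":
    print(demo())
```

The contact list is read in the subject's direction only, so someone who claims alice as a contact gains no ability to vouch for her.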

BTW... If you are desperately interested, my LinkedIn profile can be viewed at http://www.linkedin.com/in/stephenswann.
