Over time, we evolve our thinking about different aspects of the identity management market by sharing thoughts internally at Burton Group within the IdPS team – evidenced by the way we discuss the importance of relationship management, which really came together earlier this summer. Another way to accelerate this process is to get out of the office and exchange ideas in person with peers and colleagues in the industry. This past week I had the chance to spend some time with my old friend Felix Gaehtgens and we talked a lot about identity management – but this was after we settled any arguments about Belgian chocolate, Cuban cigars, fine teas, Belgian beer, and politics. Well, maybe we didn’t settle anything but just argued some more…
One of the questions Felix and I were trying to answer was: can we just stop doing user provisioning? It costs a tremendous amount of money, time, and effort to buy and implement provisioning systems – is there another way to approach this? The root cause, of course, is that applications, operating systems, etc. typically require a local identity and security context – and provisioning is the way the industry establishes that context, by creating accounts and setting entitlements on the local system or platform. Even contemporary applications still embed IdM functionality and identity data directly in the business application. We can excuse legacy application developers this offense, but why does the approach persist? For several years, the industry has promoted the use of shared infrastructure services for IdM functions – but only a moderate level of success has been achieved when compared to the potential. Maybe the industry needs a different concept that explains the goal state better – we settled on “stateless” as a possibly better descriptor.
The idea came into clearer focus the next day when I was invited to join the folks from SURFnet for a session to brainstorm how they should change the SURFfederatie service to meet future demands of the higher education market in a changing world. I was fortunate enough to be joined by identity luminaries Eve Maler and Andre Durand in this effort and it was a great session. Based on conversation during a breakout meeting, I thought we should start suggesting that applications should be stateless, from an identity perspective. That is, application designers should start with the premise that no identity data is stored locally (there will be reasonable exceptions) and that identity information, attributes, and policies are resolved at run time. An application that can go to an explicit identity service at any time doesn't need to be provisioned; it just needs to be connected. Therefore, if you start with the premise that applications are identity-stateless, you need to consider what identity services are required for fulfillment. Many applications in use today already do not perform authentication locally. If applications are truly identity-stateless, we can take that a lot further.
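To make the distinction concrete, the following is an added example (not code from the original post, from SURFnet, or from any of the participants named above). It contrasts a provisioned application, which refuses any user without a pre-created local account, with an identity-stateless one that accepts a signed assertion from an external identity service and asks an external policy service for entitlements on every request. The issuer and audience URLs, the shared HMAC key, the attribute names and the policy rules are all assumptions; a real deployment would verify a SAML assertion or token against the identity provider's public signing key rather than a shared secret. The one piece of local state the stateless application keeps is an audit trail, which is the kind of reasonable exception mentioned above.

```python
"""Added example: a locally provisioned application next to an identity-stateless one.

Everything here is constructed for illustration: the issuer, audience, shared key,
attribute names and the policy service are assumptions, not a real identity service.
"""
import base64
import hashlib
import hmac
import json
import time

IDP_KEY = b"constructed-shared-secret-do-not-reuse"   # assumed key shared with the identity service
IDP_ISSUER = "https://idp.example.test"               # hypothetical identity service
APP_AUDIENCE = "https://app.example.test"             # hypothetical relying application


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_claims(claims: dict) -> str:
    return b64url(json.dumps(claims, sort_keys=True).encode())


def decode_claims(body: str) -> dict:
    return json.loads(unb64url(body))


def issue_assertion(subject: str, attrs: dict, ttl: int = 300, now=None) -> str:
    """Identity-service side: sign a compact 'claims.signature' assertion (HMAC stands in for a real signature)."""
    now = time.time() if now is None else now
    claims = {"iss": IDP_ISSUER, "aud": APP_AUDIENCE, "sub": subject,
              "exp": int(now + ttl), "attrs": attrs}
    body = encode_claims(claims)
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url(sig)}"


def verify_assertion(token: str, now=None) -> dict:
    """Application side: accept only assertions signed by the trusted issuer, addressed to us, and unexpired."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise PermissionError("malformed assertion")
    body, sig = parts
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig)):
        raise PermissionError("bad signature")
    claims = decode_claims(body)
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != APP_AUDIENCE:
        raise PermissionError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise PermissionError("assertion expired")
    return claims


class ProvisionedApp:
    """Traditional model: a local account must be created before any access is possible."""

    def __init__(self):
        self.accounts = {}  # local identity state, normally filled by a provisioning system

    def provision(self, user: str, entitlements) -> None:
        self.accounts[user] = set(entitlements)

    def access(self, user: str, action: str) -> str:
        if user not in self.accounts:
            return "denied: not provisioned"
        return "allowed" if action in self.accounts[user] else "denied: no entitlement"


def policy_service(claims: dict, action: str) -> bool:
    """Stand-in for an external authorization service consulted at run time (constructed rules)."""
    attrs = claims.get("attrs", {})
    if action == "read-report":
        return attrs.get("department") in {"finance", "audit"}
    if action == "approve-invoice":
        return attrs.get("department") == "finance" and attrs.get("role") == "manager"
    return False


class StatelessApp:
    """Identity-stateless model: no local accounts. Identity comes from the verified assertion
    and entitlements from the policy service on every request; only an audit trail is local."""

    def __init__(self):
        self.audit = []

    def access(self, token: str, action: str, now=None) -> str:
        try:
            claims = verify_assertion(token, now)
        except PermissionError as err:
            self.audit.append(("unverified", f"denied: {err}", action))
            return f"denied: {err}"
        decision = "allowed" if policy_service(claims, action) else "denied: policy"
        self.audit.append((claims["sub"], decision, action))
        return decision
```

The security-relevant point is that in the stateless model every access decision rests on assertion validation: signature, issuer, audience and expiry all have to be checked, because there is no local account to fall back on, and a forged, replayed or expired assertion must fail closed. Revocation also moves to the identity service, which is why short assertion lifetimes matter more here than in a provisioned application.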
Eventually the conversation will get around to the composition and level of abstraction for the above mentioned identity services. I’ll leave that topic to my colleague Kevin Kampman, who will be providing the latest update next week at Catalyst in Prague.
The current financial crisis is, at bottom, very simple: banks lost a bet and they couldn't pay.
But that's not the interesting part; the interesting part is WHY they lost the bet. They lost the bet because they didn't understand the odds (the New York Times has a great piece on this here). And failing to understand the odds was a failure of risk management.
It's worth giving a kind of cartoon sketch of the story.
Banks took my money and promised to give me 7% interest.
To earn that interest, they had to do something with the money that would earn them enough money to pay me the 7% and still leave a profit for themselves.
Since many of their traditional lines of business have been automated and commoditized, they looked for a new way to make money.
What they came up with was the home mortgage market, and specifically "collateralized debt obligations".
Collateralized debt obligations were new and complicated, and financial services executives did not understand them very well.
But down deep, these instruments were basically a bet that home values would continue to go up FOREVER.
As long as home values kept going up, banks didn't need to worry too much about whether home buyers were good credit risks - homeowners didn't have to have any money because the home generated its own money. The owners could just take out equity loans against the rising value of their houses and use the money to make interest payments to the bank.
This, of course, was a game of musical chairs.
The music stopped. Home prices stopped going up, and the banks lost their bet.
Now banks are supposed to retain a lot of money to ensure that they can pay their customers even when they lose their bets. The banks thought they had done this, because they counted not only cash on hand, but also assets. And collateralized debt obligations are assets - but they're not "liquid" assets. That means they can't easily be turned into cash - they have to be sold. And for a sale to happen, the buyer and the seller have to agree on how much the goods are worth. A big part of the banks' assets were the very same collateralized debt obligations which created the problem in the first place. Unfortunately, nobody knows what most CDOs are currently worth (since nobody knows how likely the homeowners are to be able to continue to make payments on their mortgages). In the worst case, the banks will have to repossess the houses which were bought using the mortgages which have been packaged into CDOs, and then turn around and sell the houses to figure out how much their assets are worth.
And that takes a long time.
Banks have therefore been left holding a lot of paper of unknown value, with no quick way to turn a big chunk of their assets into cash.
This was OK as long as no one asked them for cash. But they still owe me money - and not just my 7% interest, but my principal too.
I noticed that the bank didn't have much ready cash, because they'd gambled it all on home prices going up, and they'd lost, and they'd gotten stuck holding a lot of very confusing paper but not a lot of cash.
So I called and asked for my money before anyone else noticed - because I wanted MY cash.
A bunch of other people did the same thing. We essentially issued a collective margin call to the bank. And they couldn't meet the margin call, because they couldn't explain to potential buyers what their assets were worth, so they couldn't sell those assets in time to pay us in cash.
So the bank collapsed.
(When I say "I" called and asked for my money, I'm speaking metaphorically, of course. In reality the banks did this to each other; money managers at banks started to doubt that other banks had enough cash to cover their inter-bank obligations, and they stopped agreeing to loan each other more cash to cover short-term obligations, and the cash that creates liquidity for everyone stopped moving around. But the principle is the same.)
What's going on right now is that the US Treasury is going to "fix the problem". How are they going to fix the problem? Simple. They're going to raise my taxes, and use the tax revenues to pay me what the bank owes me. This, of course, doesn't really fix MY problem, because it essentially means that instead of losing my money to the bank, I lose it to the IRS.
But it fixes the bank's problem, because the bank is off the hook for its debt to me.
In one sense this is better than letting the bank collapse; if the government intervenes, I lose my money, but I can still get a car loan or a mortgage next year because there are still banks to go to. If the banks fail, I still lose my money, but I also lose my ability to use credit.
In another sense, though, it would be better to let the banks collapse - because if the banks collapse, the surviving bankers might learn something.
What they might learn is that they should not invest in financial instruments they don't understand.
Nick Leeson spoke to us at Catalyst North America about this. His story about the collapse of Barings Bank, for which he was responsible, was amazing in many ways, but the thing that struck me most was that nobody in Barings' management understood that the bank was in trouble, even though the signs were there for a long time. The reason they didn't understand was that they - the senior executives of the corporation - didn't understand their own business well enough to see that they were in trouble.
It would be easy to say they were a bunch of stupid, greedy executives, but that lets US off the hook too easily - and here, by "us", I mean technical and financial risk managers. We need to have a better conversation with our executives. To have this conversation, we need to better understand how the business works, and how executives talk about the business. In other words, the people who are responsible for "governance" need to learn to have a much more effective dialog with the people who are responsible for "risk management" - not just in the financial industry but everywhere else, too.
The people who are responsible for "compliance" are about to get a bunch of new rules thrown in their laps by government agencies, of course, but this will not solve the problem, because it will only protect us against the previous generation of poorly understood risks. The next crop of poorly understood risks will do the same thing to us again, unless governance and risk management can get together and work on the problem.
Risk management failures created the current financial crisis, and risk management failures have also created the personal information disclosure crisis, and the malware crisis, and a bunch of other problems which are not yet crises. We do risk management poorly in all disciplines. We do it poorly for a bunch of reasons: executives don't understand their own businesses well enough to understand their risks; risk managers don't know how to talk to executives about risk; incentives favor creating long-term risks in order to accrue short-term profits; the list goes on and on.
We'll talk about what governance really is, and how governance needs to reform risk management and compliance to get a better handle on the kinds of things that are currently happening to the finance industry. And Nick Leeson will tell his story again. It was compelling the first time around, when all we had to look back on this year was Jerome Kerviel's staggering loss at Societe Generale. It will be riveting this time, now that we have Lehman Brothers, Merrill Lynch, AIG, and possibly others as context.
Listening to Nick (and to our other speakers) won't do anything to fix the current financial crisis. But if you're a risk manager (or if you employ a risk manager) it might help you avoid creating the next crisis - which might be a privacy crisis, or a liability crisis, or an intellectual property crisis, or an availability crisis, or a data integrity crisis, or even a financial crisis. If you haven't heard Nick talk about what he did at Barings and why he was able to do it, you should be there.
A final thought. The financial crisis exists because of a failure of risk management. There will be a temptation to fix the problem using compliance mandates. Compliance mandates, however, don't fix risk management problems. All they do is prevent specific risk management failures from happening over and over again. Organizations whose risk management is weak will find new ways to fail - and these new ways will circumvent compliance regulations.
The right way to fix a risk management problem is to do a better job of risk management. In this sense what the Secretary of the Treasury is proposing (which appears likely to be a mechanism for providing the banks liquidity in exchange for their taking the losses they've earned through poor risk management) is a good thing, because it's a risk management solution. It lowers financial risk by using government money to buy time; the time is then used to establish values for questionable assets, so that they can be sold at a fair market price instead of a panic-sell-bargain-basement price which bankrupts the sellers. Congress will undoubtedly pass laws which prevent us from doing this again; those laws will be as expensive as building the Maginot Line, and just as effective.
UPDATE: Steve Adler observes that the currently proposed bailout plan has a hopelessly defective governance structure, and proposes some ways to improve it on his blog.
Catalyst 2008 went by so quickly, but that’s always the case when you are having a good time. It started off well, particularly when Bob Blakley couldn’t tell me (Kevin Kampman) apart from Mark Diodati on stage during the Market Overview. It helped that we had “Anonymizer 2008” bags over our heads, but Bob’s confusion is a good sign that lifestyle changes are at hand.
Conference attendees indicated their appreciation for the new presentation format; however, the changes are more than cosmetic. Several perspectives were presented that offer the potential to change the identity industry for the better. In particular, Bob introduced “relationships” as an overarching theme for the establishment and continuity of interactions.
Tim Weil, Vice Chair of the INCITS CS 1.1 Role-Based Access Control (RBAC) Working Group, discussed the group's effort to develop a standard for the implementation and interoperability of the RBAC components described in INCITS 359-2004. Widespread adoption of that standard has been impeded by a lack of practical guidance; this effort is an attempt to resolve those issues. A military perspective was provided by Russell Reopell of MITRE, who discussed Attribute-Based Access Control (ABAC). In this approach, policies evaluate attributes of the user and the request (roles among them), singly or in combination, to make access decisions in real time. It is particularly relevant in situations where pre-registration of users is not possible.
A practical need for role interoperability has been expressed by Darran Rolls of SailPoint, who recently established the Open Role Exchange Forum. This forum was discussed during the Role Management and Provisioning vendor panel (including Rolls, Aveksa’s Jim Ducharme, Sun’s Nick Crowne, Oracle’s Jeff Shukis, and Eurekify’s Ron Rymon). The exchange represents an opportunity for more seamless enterprise role implementations by addressing how to normalize role definitions across multiple platforms. The panel concluded that role management and provisioning are parallel, complementary initiatives that will benefit the business and administrative communities, respectively.
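To show how attribute evaluation differs from a plain role check, here is an added example (not code from the INCITS working group, MITRE, or the conference) with a small policy engine: a rule keyed on a role attribute that behaves like RBAC, a rule combining subject, resource and action attributes, and an environment rule, combined with deny-overrides so that any deny wins. The attribute names, the clearance ordering and the rules themselves are assumptions chosen for illustration. The partner user in the usage below has no local account at all; access follows from the attributes asserted about them, which is the pre-registration point made above.

```python
"""Added example: attribute-based access control with a role rule as a special case.

Attribute names, clearance levels and the policy itself are constructed for illustration
and are not taken from the INCITS RBAC standard or from the MITRE presentation.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Attrs = Dict[str, object]
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}   # assumed ordering


@dataclass
class Request:
    subject: Attrs
    resource: Attrs
    action: str
    environment: Attrs = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    effect: str                      # "permit" or "deny"
    requires: List[str]              # attribute names the condition must be able to read
    condition: Callable[[Request], bool]


def evaluate_rule(rule: Rule, req: Request) -> str:
    """Returns 'permit', 'deny' or 'not_applicable'.

    Attributes are resolved at request time, so some may be missing. Fail closed:
    a permit rule that cannot be evaluated grants nothing, and a deny rule that
    cannot be evaluated is enforced.
    """
    present = set(req.subject) | set(req.resource) | set(req.environment)
    if any(name not in present for name in rule.requires):
        return "not_applicable" if rule.effect == "permit" else "deny"
    return rule.effect if rule.condition(req) else "not_applicable"


def deny_overrides(rules: List[Rule], req: Request) -> str:
    """Deny-overrides combining (as in the XACML algorithm of that name): one deny beats
    any permit, and with no applicable permit the default is deny."""
    outcomes = [evaluate_rule(r, req) for r in rules]
    if "deny" in outcomes:
        return "deny"
    return "permit" if "permit" in outcomes else "deny"


POLICY = [
    # RBAC expressed in ABAC terms: a single role attribute decides.
    Rule("role-admin", "permit", ["role"],
         lambda r: r.subject["role"] == "admin"),
    # Subject, resource and action attributes combined; no local account is needed,
    # only attributes asserted by a trusted source. Unknown levels compare as worst case.
    Rule("need-to-know", "permit",
         ["clearance", "affiliation", "classification", "releasable_to"],
         lambda r: LEVELS.get(r.subject["clearance"], -1)
                   >= LEVELS.get(r.resource["classification"], len(LEVELS))
                   and r.subject["affiliation"] in r.resource["releasable_to"]
                   and r.action == "read"),
    # Environment attribute: classified material is never served to an external network.
    Rule("no-external-classified", "deny", ["network", "classification"],
         lambda r: r.environment["network"] == "external"
                   and r.resource["classification"] != "unclassified"),
]


def decide(subject: Attrs, resource: Attrs, action: str,
           environment: Optional[Attrs] = None) -> str:
    """Evaluate one access request against POLICY."""
    return deny_overrides(POLICY, Request(subject, resource, action, environment or {}))


if __name__ == "__main__":
    partner = {"clearance": "secret", "affiliation": "partner-a"}   # never provisioned locally
    doc = {"classification": "confidential", "releasable_to": ["partner-a"]}
    print(decide(partner, doc, "read", {"network": "internal"}))    # permit
    print(decide(partner, doc, "read", {"network": "external"}))    # deny
    print(decide({"role": "admin"}, doc, "read"))                    # deny: network unknown
```

The caveat a practitioner should keep in mind is attribute completeness: when attributes are resolved at request time some will be missing or stale, and the engine has to fail closed rather than skip the rule. Here a missing attribute makes a permit rule non-applicable and makes a deny rule fire, so an administrator reading a classified document with no network attribute available is refused, not waved through.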
Ken Anderson, of Burton Group’s Executive Advisory Program, helped me to address a topic of significant interest to the business community: representing the value of role management. In a role play that featured Riley the Cat (a loose metaphor about conversations with executives), Ken and Kevin moved from a technical discussion of administrative trivia to a strategic overview of Return on Organization. The bottom line is that role management is a discipline, one that provides a relationship-driven perspective about the social dynamics of organizations. The point of the role play was how to speak to executives about business transparency and effectiveness, rather than administrative efficiency and compliance. The former is beneficial to the business, the latter to administration.
From a customer-centric perspective, it was standing room only for the Friday presentation and customer panel on identity services. The panel included Gavin Illingworth from Bank of Montreal, Susan Staples-Holt, MassMutual, Chris Harvison, ScotiaBank and Andrew Cameron, representing General Motors. Burton Group facilitated this year’s effort to establish the rationale and requirements for interoperable identity services. The multinational membership has grown to include contributors from financial services, manufacturing, telecommunications, and government agencies; additional interest has also been expressed by health services, pharmaceutical and educational institutions.
The current vendor efforts towards identity services are more project- than community-driven. Customers are challenged to deal with the development and integration of identity services, particularly for cross-platform and legacy purposes. While there is a general perspective about what the services should accomplish, there is no agreement on their demarcation or specifications for how they should do this. In order to develop this guidance, and to prioritize development activities, the participants have agreed to invite vendors and standards community representatives to contribute to the effort.
The area where there has been significant traction has been federation, but it has been challenged by supporting capabilities and agreement on information at the endpoints. Given the breadth of opportunities, one area for investigation includes authentication, authorization, and attribute services. Another is session and context management. Each of these represents an elephant-sized task; by working together we hope to line them up trunk to tail in short order.
Interested parties should contact me at kkampman@burtongroup.com for information on how to become involved. Our goal will be to develop shared requirements, a development plan, and an interoperability schedule to present during a joint customer-vendor panel at Catalyst 2008 in Prague.
I’ve been to many Catalysts but this was my first as a Burton Group analyst. Besides seeing how the sausage gets made, so to speak, this Catalyst was different in that I got to speak to a lot of enterprises on their struggles and successes with identity management. It was in these conversations that I heard a disturbing theme: "I’m not ready to do roles, so I won’t attempt user provisioning." This is truly a disturbing theme for both enterprises and vendors alike.
Before delving into why this theme scares me, let’s look back at the history of the market. Role management products got their start five plus years ago. At that time, user-provisioning tools had poor permission policy (entitlement) management capabilities. Although user provisioning tools did provide some means of aggregating account permissions for given systems and a semi-automated way to dole those groups of permissions out, they were a bit cumbersome and difficult to report on. Because these permission policies were difficult to deal with, early adopters struggled to get automated provisioning projects off the ground. Role management (and here I am speaking of IT or technical roles) tools filled a vital gap, allowing enterprises to speed up their user provisioning deployments by accelerating and strengthening the entitlement management process. At that time in history, there was something to the argument that role management tools were needed to deploy user provisioning. That argument is no longer valid. User provisioning tools have greatly improved their permission policy management capabilities and provide the enterprise adequate tooling.
Implicit in the idea that an enterprise cannot attempt user-provisioning because it is not ready for role management is the notion that user provisioning has no value to the enterprise without role management. This is an outdated argument that is simply not true. By delaying a user-provisioning program (and I say program here and not project), the enterprise cannot reap the benefits of more automated deprovisioning, password management, self-service account requests, and basic user provisioning itself. Most importantly, by putting off user provisioning and waiting for role maturity to spontaneously happen, the enterprise risks putting off the most important part of any identity management program (role management or user provisioning alike), and that is the establishment of governance. Establishment of governance is the most critical success factor for identity management programs, and if it is not established up front, future programs and projects have a nearly 100% chance of failure.
As I said earlier, the wrongheaded notion that user provisioning requires mature roles contains danger for vendors as well. Vendors who have role management tools will find their bigger deals delayed as the enterprise waits for a sign that it is mature enough to begin its user-provisioning program. Further, vendors will end up with more shelfware deals, as there are significantly more implementation teams familiar with user provisioning tools than with role management tools. Lastly, this disturbing theme constrains identity management to being viewed as a series of projects and not holistic programs, and thus to a lack of governance.
I have hopes that this theme is, in fact, observed retrograde motion of identity management. I hope that the market and its thinking is not reversing gains, but instead exhibiting a transformative behavior that we have yet to see. To close, keep in mind that both role management and user-provisioning efforts can be done in parallel and each will find benefit in the other as they mature. Provisioning requires an understanding of process and procedure, role management an understanding of relationships and responsibilities. To be successful with either, clear scoping and small iterative projects as part of an overall well governed program are advised to ensure current success and future growth.
Project Concordia is pitching in again at Catalyst this year to host a session on entitlement and policy management. It promises to be a very informative and constructive event as representatives of Boeing, Cisco, Micron, and The US Army share their insights, experiences, and requirements for standards based policy and entitlement management. Within the audience will be a panel of experts representing standards committees and product purveyors listening intently to the enterprise presentations. Imagine that, vendors and standards developers hearing real world usage scenarios – what a concept!
Of course the rest of us in the audience will learn from entitlement management aficionados talk about standards issues, challenges with performance, application integration efforts, commercial application support and the like. We’ll also get a standards update on the state of Extensible Access Control Markup Language (XACML), as noted in the agenda.
Concordia serves a vital purpose to the industry in providing a forum for customers, vendors, and standards developers to gather and share information that can inject a heavy dose of reality based requirements into the software production process. Please join us, entry is free and you only need register at this link. Hopefully you’ll stay for the whole Catalyst conference!
If you use conferences as a guide, then identity management is hotter than ever. It seems a month doesn’t go by without at least one event that is identity related and March 2008 is no exception. In fact, I’m participating in two conferences this week in Europe – where the list of interesting identity-related events continues to grow. On Monday, I’ll be at the Net ID 2008 conference in Basel, Switzerland talking about SharePoint access and identity management. I’ll also be on a panel discussing interoperability – a favorite topic of mine, so this should be fun.
Later in the week, I’ll be presenting at the ic Consult conference at BMW World in Munich. My presentation is titled “IdM Markt, Schwerpunkt SSO” (IdM Market, Focus on SSO) in the program, but rest assured I will be doing this in English and not torturing the audience with my meager German language skills! The guys at ic Consult always put on a great program – I’ve had the great fortune to participate in their fall event that happens to coincide with Oktoberfest… In any language, it’s remarkable that, as an industry, we haven’t done more to ease the authentication burden for end users. Certainly, there are enough technologies to choose from: passwords, smart cards, PKI, federation, E-SSO, Kerberos, SPNEGO, GSS-API, and the list goes on. But the problem, if anything, is getting worse.
In addition to talking about SSO in Munich, we’ll be focusing quite a bit of attention to authentication at Catalyst this June. My colleague, Mark Diodati, is leading the charge on that topic and you’ll hear more from him about it between now and the conference.
Novell rounds out the March conference schedule with their BrainShare event in Salt Lake City. While not exclusively focused on identity, Novell includes a heavy dose of it on the agenda. And one of the better features is that this conference is local to the Burton Group headquarters. Hope to see you on the road, or on home territory this month.
Lately, I’ve been thinking a lot about the big challenges of the identity management industry as it’s currently constructed. The tag line I’ve been using is that “the end of command and control is near” – as far as the way we approach the administration and control of access to systems and resources. Our collective IT admin culture is to control every aspect of access to systems in our domains – registration, credential issuance, authentication, access administration, and so on. Such an approach is reminiscent of the X.500, top-down hierarchical ways that are so difficult to implement within dynamic, fluid organizations. This works relatively well if most resources and users exist under the same roof – but that is rapidly changing as businesses and organizations become increasingly distributed. Can IdM technologies and administrative practices keep up with the pace of change?
The current generation of IdM products actually reinforces the traditions of centralized control structures. Technologies such as user provisioning, federation, and of course PKI rely on excessive coordination and orchestration to be optimally implemented. Highly distributed and massively scalable organizations can’t operate in this manner, and it’s not too far in your future to have to tackle problems like: onboarding 100 million new users during a weekend marketing campaign, enabling 500 new joint ventures or partnerships and decommissioning 600 others in a couple of months, or operating an application that reaches a billion users. How well do you think that will work with today’s tools and approaches?
Evidence of change and evolution is all around us. The globalized economy applies pressure to and creates opportunities for modern organizations. Enterprises are driven to focus on core competencies – and to outsource or offshore everything else. Software as a Service (SaaS) companies continue to emerge and are growing steadily; some studies estimate that SaaS applications will represent more than half of an organization’s business application portfolio over the next 5 years.
Executive management understands the new business dynamics and seeks ways to leverage them for business advantage. IT and security departments, for the most part, haven’t gotten the message yet. It’s hard to let go of the command and control mindset that’s been ingrained in our thinking. You’ll recognize the ailment if you see or hear symptoms like:
Access to our applications is only permitted if we issue the credentials
I don’t trust their identity management systems or practices
We must collect as much data on partner users as we do for our own employees in order to vet them
“Can’t we solve this with PKI?”
Technologies like federation help us make incremental advancements beyond the command and control approach. If we permit authentication to occur outside our domain and project this information through a federation exchange, that’s a sign of progress. However, federation products, as they are currently constructed, still require considerable coordination between parties in order to establish the connection: we focused on this issue at Catalyst last year. So, it was interesting to see the recent video sparring between Sun and Ping Identity regarding what they’ve done to address this from a technology perspective. To follow up, we recorded a podcast this week with Sun, Ping Identity, and Covisint – which will be available soon on the podcast site.
More incremental change is what we can expect in the near term, until different identity business models emerge. Similarly, the introduction of OpenID and information card systems purports to change the dynamic by providing more user control over identity data, but this is in name only – businesses still determine what attributes are required to complete an e-commerce transaction, and the user can only select an information card that matches the business’ criteria. Real change happens when third party identity agencies and intermediaries proliferate and are utilized by Internet properties. Identity oracles, as described here, are examples of intermediaries that are beginning to appear in the marketplace.
Identity-based intermediaries and agencies handle the heavy lifting of identifying and vetting individuals, freeing enterprises and other relying parties to concentrate on managing access to applications. It’s another step toward more scalable and manageable business applications. At Burton Group we are dedicating a fair amount of time to exploring new identity business opportunities, in addition to all of the more tactical research areas we cover. Please join in the conversation throughout the year and especially at Catalyst in June and October.