Building a Business Case for Identity & Access Management

When I worked for a large corporation I was frequently tasked with building a business case without a budget, that is, I wasn’t able to hire any consultants to assist me.  In some cases deadlines were relatively short so it was fairly difficult to get it completed.  When the Internet came around more than once I was saved by people willing share business cases they had developed.  Therefore I have uploaded a economic impact model that comprises two documents, an excel spreadsheet and word document that should cover the basic needs of a user.  I have other more sophisticated models besides this one (for example, a business process and knowledge management re-engineering model that compares the economics of the current state versus the future state) but for the majority this should suffice to help you get started.  If you find it useful just leave me a comment.

It can be downloaded here.

Preventing SUNburn?

So it’s finally beginning.  Identity Management vendors are percieving the departure of Sun IDM from the landscape.   CA is now offering Sun Users the ability to switch over to CA’s IDM product.

I’ve not heard much lately about what the eventual plans are for Sun IDM, but something’s going to have to be announced soon before the other IdM vendors pull the rug out from under Sun/Oracle.

How Many Problems with Persistent Data Does a Unique Identifier Solve?

The answer is zero.  A unique identifier adds nothing to any logical problem we have with our data.  Let’s see why this is true.  I have two sets of data from different systems, which represent information or attributes about a real world user.  Those data elements are indistinguishable from each other.  Perhaps they are first name, last name, city and state.  They are identical as far as I can tell.  If I add a unique identifier do I know anything more about them?  I just know they are no longer identical and yet they may be in the real world the same person. By adding a unique identifier I may have made a distinction, which is false.  It’s impact will only be deleterious never beneficial.  The unique identifier becomes ornamental.  Metaphorically it is like placing a medallion around the neck of the famous twins and still not knowing if it’s Tweedledee or Tweedledum.  At least in this case I could re-name them to something like Dee and Notdee, which would be meaningful to an observer.  However, in the foregoing example, we are dealing already with a representation of an entity and it adds nothing. Now let’s add several more attributes, for example, title and department.  If I can now distinguish easily whether they are the same person or not I have accomplished my goal and I still have not added a unique identifier.  The smallest subset of elements that distinguishes one set from another is a suitable key if the data is in a database and I still haven’t added a unique identifier.  So then how are unique identifier’s useful?  They are useful within a context in which we are programmatically creating many closely similar but not identical objects whose existence is ephemeral.  When we are combining data from many different contexts, they solve nothing; they are just another attribute.

HCM and NetWeaver Identity Management Integration Tips

The landscape document from SAP that explains how to export from HCM to VDS to Identity Center has sections that are less than clear so I thought I would list common issues that have caused problems in the past.  First the architecture.  The way the export works is as follows:

1. A report is run in SAP HCM which extracts the necessary data formated as LDAP data.
2. SAP connects to the VDS and pushes the data.
3. VDS connects to the Identity Center information store and uploads the data.

A couple common problems I have seen.

• The field names inside SAP are misnamed or the export names to LDAP are.
• The LDAP libraries in SAP Basis are not installed.
• VDS Template:  The one you want to use is this one “HR Export to IdM Identity Center.xml” this one will not work “HCM LDAP EXTRACT for IDM.xml”
• Bad credentials or passwords (of course)
• VDS Tree for HCM is broken in some way.  If in doubt recreate your setting from the template.

Troubleshooting Tips.

• First determine where you are broken.
• Turn on verbose logging at VDS and see if HCM is even connecting.
• If you are connecting to VDS but no data is reaching the Identity Store then check the LDAP extract for misspellings.   One error in your path and the whole thing breaks.
• If VDS shows database errors then check the error logs in the identity center for problems with the task configuration

Finally, because HCM does not support event triggers — which can be tricky — I usually filter at HCM LDAP report for the data I want.  In most cases a nightly run is sufficient.  SAP recommends a full upload every time but this is not practical for large numbers of employees.

Application Centric Identity?

I’ve been listening / reading to information lately on “Application Centric Identity ” and how it’s supposed to be the new wave in Identity Management.  Frankly I’m a bit confused.

Basically it sounds like what’s being discussed is the creation of an authoritative store, something I’ve been working with in Identity Management for about 5 years now.

The “newness” to this offering seems to be the implementation of SOA / Web-services architectures to make it more interesting and accessible to authentication / authorization services.

I’ve always felt that by gathering the authoritative attributes from each enterprise repository and linking them together in an authoritative store (metadirectory) you create the clearest picture of what each identity “looks” like.  Furthermore, these authoritative entries can then be used as the basis for provisioning new application entries and update existing ones.

To me it seems like the backers of this school of thought are finding a new way to talk about the integration of Enterprise level ERP systems with Identity Management.  This is not a bad thing.  The one thing we need to do is break out of the idea that Identity Management is solely provisioning or Access Management. One without the other is worse than useless given the potential for malicious behavior.

Thoughts on Sun Identity Manager

I have made some comments about FIM, and Oracle Identity Manager.  I want to talk briefly about Sun.   After I read through the architecture documents and looking at the development my initial thought is that the performance should be quick and scalable but development and creation of workflows slow and cumbersome.  I contacted people I know who use the product in large enterprise to verify if my prediction was accurate or not and I was 100% successful.  This little sample should only be considered anecdotal, the sample was not significant and I would welcome comments from others using Sun’s solution.

For me the most bizaare element of the product is XPRESS language.  It is symbolic of the idiocy that saw XML as an answer regardless of the question.  “XPRESS is an XML based expression and scripting language,” the documentation reads.  We have symbolic expressions (S Expressions) with the ugliness of XML tags.  When Jon Bosak began to argue for XML in 1997(?), it was stated that that the tags would tell the computer what the information was,  unlike html that said what it should look like.  It was to be a data interchange standard with industry groups agreeing on standard ontologies.  It was just five years later some people on XML-Dev argued that the semantic aspect of XML never existed that it essence was syntactical so by 2003 some had already forgotten why it was first proposed.  No need to worry because it quickly morphed into a data model with it’s own query language.  In short order we were back to the seventies with the network database.  So it comes as no surprise that a language like XPRESS arrives (based on the XML fad) which is back to the 1950’s and LISP.

Thoughts on Oracle Identity Manager

I was reading through the architecture for Oracle’s Identity Manager “Best in Class” software.  And while I never gave it much thought, you would have to be blind not to notice its popularity in the United States.  The job offerings too have  jumped after Gartner declared it the best.  It was time for me to look into its architecture.  And while I have no hands on experience with product a couple of predictions come to mind after reading the whitepaper.    One it must be difficult and slow to install, and while it is infinitely extensible, it appears to be very complex and hence development time for custom work would be slow.  Any regular Oracle IdM users out there please correct me if I’m wrong.   Finally, I realized why SAP bought Maxware.  Its relative simplicity allowed for faster integration into the SAP application stack.

Steve Balmer on Efficiency & Decision Making

There is an interview with Steve Balmer in the International Herald Tribune and he makes a statement in response to a question about what’s it like to be in a meeting with him to wit;

I’ve changed that, really, in the last couple years. The mode of Microsoft meetings used to be: You come with something we haven’t seen in a slide deck or presentation. You deliver the presentation. You probably take what I will call ‘‘the long and winding road.’’ You take the listener through your path of discovery and exploration, and you arrive at a conclusion.
That’s kind of the way I used to like to do it, and the way Bill [Gates] used to kind of like to do it. And it seemed like the best way to do it, because if you went to the conclusion first, you’d get: ‘‘What about this? Have you thought about this?’’ So people naturally tried to tell you all the things that supported the decision, and then tell you the decision.
I decided that’s not what I want to do anymore. I don’t think it’s productive. I don’t think it’s efficient. I get impatient.
So most meetings nowadays, you send me the materials and I read them in advance.
And I can come in and say: ‘‘I’ve got the following four questions. Please don’t present the deck.’’ That lets us go, whether they’ve organized it that way or not, to the recommendation. And if I have questions about the long and winding road and the data and the supporting evidence, I can ask them. But it gives us greater focus.

There is a lot of missing information that I wish the interviewer had followed up with but let’s assume a charitable course.

What Mr. Balmer says does not really tell us anything about efficiency,  but speaks volumes about his mind.  He states quite clearly he is impatient and the does not like the “long and winding road”  Most likely this because he does not learn well or efficiently sitting through a presentation.  It could also be that he is intellectually lazy but this seems unlikely.   If he really  is intellectually lazy then most likely Microsoft will perform poorly under his leadership.

Note that he recognizes that Bill Gates took the “long and winding road”.  That should tell you something and if we want to go back in history and look at great  leaders they did too:  Andy Grove, Andrew Carnagie, General  George Patton, General Douglas McArthur to mention a few.  The ability to sit and listen with attention to detail does not mean analysis paralysis, it means understanding the situation properly, the context and the interrelation of it’s elements.  It means avoiding a specious understanding.  Perhaps he is doing this but it is not clear.

He states that he gets the information in advance and let us hope he did not mean in PowerPoint slides.  There are serious limitations to the kinds of information that can be put into slides.  The overwhelming majority of information in a slide deck is distilled and frequently lacking context.  This information must be communicated and explained verbally.  You wouldn’t read the table of contents of a book and draw conclusions.  Yet, if you are reading PowerPoint that is exactly what you are doing.  Its focus is on the presenter,  not on the audience and not on the content.  There is a “sales pitch” aspect to PowerPoint that destroys neutral fact based information.

Now the downside to this interview and its  lack of clarity is right now somewhere in America a mediocre manager who prides himself on efficiency  is out there somewhere instructing his subordinates to send him a slide deck in advance and he’s drawing up his four questions because Balmer uses PowerPoint in advance and four questions.

Finally, we will never really know if it is more efficient.  If he had recorded all of his decisions under the ‘ “long and winding road” ‘ method and then recorded all his decisions under the “efficient” method we may have learned what works best for Balmer.  We will certainly never learn what works best for everyone else, unless they start recording their own decisions.

note: updated for typo

Part III of Security Architecture and Design

I have posted Part III the final part of my series on security archtitecture and design at Risk Intelligence.

note: Fixed the broken link.

The other side of the article

It’s seldom that I publish more than one blog post on a single piece, but Mark Diodati’s article “Changing times for identity management ” (login required) spoke of two main themes that I felt needed to be discussed.  In an article on IdM Thoughtplace, I looked into some issues of what composes “New School” Idm.

In this piece, I’d like to comment on a couple of points that Mark makes that I particularly agree with.

First off, Mark mentions that thorough analysis and review of IdM offerings is essential.  The selection team/steering committee  needs to remember that no IdM product exists in a vacuum.  Testing against ERP, enterprise LDAP/AD and other key systems is essential, and involving a pilot group is key as well.  I’d go a step beyond what Mark specifies, by adding that your pilot group needs to be multi-disciplinary. Just IT or Help Desk folks won’t cut it here.  Make sure there’s some HR and ERP users along with other “typical” users in your organization.  You’ll need to do a little more hand holding and training earlier that you’d like, but you’ll get better responses and metrics in return.

I’m also in agreement that you should review all offerings and available features/upgrades from current infrastructure. That “buried treasure” could be the key to keeping your infrastructure secure and compliant. Also find every way possible to use and reuse your current infrastructure., it can pay off in the long run.

It’s a tough economy out there, but that does not mean that you should stop your review of  IdM improvements.  Use the current time for evaluation and planning.  Bring some vendors in for a PoC to make sure it fits into current infrastructure.  The best place to start looking is right in your server rooms and data centers.  Go to it!