Thoughts on Sun Identity Manager

I have made some comments about FIM, and Oracle Identity Manager.  I want to talk briefly about Sun.   After I read through the architecture documents and looking at the development my initial thought is that the performance should be quick and scalable but development and creation of workflows slow and cumbersome.  I contacted people I know who use the product in large enterprise to verify if my prediction was accurate or not and I was 100% successful.  This little sample should only be considered anecdotal, the sample was not significant and I would welcome comments from others using Sun’s solution.

For me the most bizarre element of the product is the XPRESS language.  It is symbolic of the idiocy that saw XML as an answer regardless of the question.  “XPRESS is an XML based expression and scripting language,” the documentation reads.  We have symbolic expressions (S-expressions) with the ugliness of XML tags.  When Jon Bosak began to argue for XML in 1997(?), it was stated that the tags would tell the computer what the information was, unlike HTML, which said what it should look like.  It was to be a data interchange standard with industry groups agreeing on standard ontologies.  Just five years later some people on XML-Dev argued that the semantic aspect of XML never existed, that its essence was syntactical, so by 2003 some had already forgotten why it was first proposed.  No need to worry, because it quickly morphed into a data model with its own query language.  In short order we were back to the seventies with the network database.  So it comes as no surprise that a language like XPRESS arrives (based on the XML fad) which is back to the 1950s and LISP.

Thoughts on Oracle Identity Manager

I was reading through the architecture for Oracle’s Identity Manager “Best in Class” software.  And while I never gave it much thought, you would have to be blind not to notice its popularity in the United States.  The job offerings too have jumped after Gartner declared it the best.  It was time for me to look into its architecture.  And while I have no hands-on experience with the product, a couple of predictions come to mind after reading the whitepaper.  One, it must be difficult and slow to install, and while it is infinitely extensible, it appears to be very complex and hence development time for custom work would be slow.  Any regular Oracle IdM users out there, please correct me if I’m wrong.  Finally, I realized why SAP bought MaXware.  Its relative simplicity allowed for faster integration into the SAP application stack.

Steve Ballmer on Efficiency & Decision Making

There is an interview with Steve Ballmer in the International Herald Tribune, and he makes a statement in response to a question about what it’s like to be in a meeting with him, to wit:

I’ve changed that, really, in the last couple years. The mode of Microsoft meetings used to be: You come with something we haven’t seen in a slide deck or presentation. You deliver the presentation. You probably take what I will call “the long and winding road.” You take the listener through your path of discovery and exploration, and you arrive at a conclusion.
That’s kind of the way I used to like to do it, and the way Bill [Gates] used to kind of like to do it. And it seemed like the best way to do it, because if you went to the conclusion first, you’d get: “What about this? Have you thought about this?” So people naturally tried to tell you all the things that supported the decision, and then tell you the decision.
I decided that’s not what I want to do anymore. I don’t think it’s productive. I don’t think it’s efficient. I get impatient.
So most meetings nowadays, you send me the materials and I read them in advance.
And I can come in and say: “I’ve got the following four questions. Please don’t present the deck.” That lets us go, whether they’ve organized it that way or not, to the recommendation. And if I have questions about the long and winding road and the data and the supporting evidence, I can ask them. But it gives us greater focus.

There is a lot of missing information that I wish the interviewer had followed up on, but let’s assume a charitable course.

What Mr. Ballmer says does not really tell us anything about efficiency, but speaks volumes about his mind.  He states quite clearly that he is impatient and does not like the “long and winding road.”  Most likely this is because he does not learn well or efficiently sitting through a presentation.  It could also be that he is intellectually lazy, but this seems unlikely.  If he really is intellectually lazy, then most likely Microsoft will perform poorly under his leadership.

Note that he recognizes that Bill Gates took the “long and winding road”.  That should tell you something, and if we want to go back in history and look at great leaders, they did too: Andy Grove, Andrew Carnegie, General George Patton, General Douglas MacArthur, to mention a few.  The ability to sit and listen with attention to detail does not mean analysis paralysis; it means understanding the situation properly, the context and the interrelation of its elements.  It means avoiding a specious understanding.  Perhaps he is doing this, but it is not clear.

He states that he gets the information in advance, and let us hope he did not mean in PowerPoint slides.  There are serious limitations to the kinds of information that can be put into slides.  The overwhelming majority of information in a slide deck is distilled and frequently lacking context.  This information must be communicated and explained verbally.  You wouldn’t read the table of contents of a book and draw conclusions.  Yet, if you are reading PowerPoint, that is exactly what you are doing.  Its focus is on the presenter, not on the audience and not on the content.  There is a “sales pitch” aspect to PowerPoint that destroys neutral, fact-based information.

Now the downside to this interview and its lack of clarity is that right now, somewhere in America, a mediocre manager who prides himself on efficiency is instructing his subordinates to send him a slide deck in advance, and he’s drawing up his four questions, because Ballmer reads PowerPoint in advance and asks four questions.

Finally, we will never really know if it is more efficient.  If he had recorded all of his decisions under the “long and winding road” method and then recorded all his decisions under the “efficient” method, we may have learned what works best for Ballmer.  We will certainly never learn what works best for everyone else, unless they start recording their own decisions.

note: updated for typo

Part III of Security Architecture and Design

I have posted Part III, the final part of my series on security architecture and design, at Risk Intelligence.

note: Fixed the broken link.

The other side of the article

It’s seldom that I publish more than one blog post on a single piece, but Mark Diodati’s article “Changing times for identity management” (login required) spoke of two main themes that I felt needed to be discussed.  In an article on IdM Thoughtplace, I looked into some issues of what composes “New School” IdM.

In this piece, I’d like to comment on a couple of points that Mark makes that I particularly agree with.

First off, Mark mentions that thorough analysis and review of IdM offerings is essential.  The selection team/steering committee needs to remember that no IdM product exists in a vacuum.  Testing against ERP, enterprise LDAP/AD and other key systems is essential, and involving a pilot group is key as well.  I’d go a step beyond what Mark specifies by adding that your pilot group needs to be multi-disciplinary. Just IT or Help Desk folks won’t cut it here.  Make sure there are some HR and ERP users along with other “typical” users in your organization.  You’ll need to do a little more hand holding and training earlier than you’d like, but you’ll get better responses and metrics in return.

I’m also in agreement that you should review all offerings and available features/upgrades from current infrastructure. That “buried treasure” could be the key to keeping your infrastructure secure and compliant. Also find every way possible to use and reuse your current infrastructure; it can pay off in the long run.

It’s a tough economy out there, but that does not mean that you should stop your review of IdM improvements.  Use the current time for evaluation and planning.  Bring some vendors in for a PoC to make sure it fits into current infrastructure.  The best place to start looking is right in your server rooms and data centers.  Go to it!

The Transition from CRG to GRC

I’m an Identity and Access Management kind of guy.  I don’t pretend to deny it; however, sometimes it does cloud some of my views of the rest of the enterprise. Take the GRC concept, for example. As an Identity Management guy, I always looked at GRC as CRG:

  • Compliance – How do I show an auditor the changes that happen to a user’s identity throughout the identity life-cycle?
  • Risk – How do I make sure that there’s no conflict of interest and ensure Segregation of Duties (SoD), ensuring Compliant User Provisioning?
  • Governance – What are the rules put into place that govern Compliance and Risk?

I also never considered how GRC works outside of the IAM world or why it’s important.  After listening to a great presentation from SAP, I got a nice, if basic, education which has gotten me to change my thinking from CRG to GRC.

A firm set of governance principles and procedures must be determined before engineering any mitigation processes for risk and compliance. Without this, the potential for “Compliance Creep” (risk is assumed) will run amok.  And without regular discussion and review there is no way to make sure that all items subject to risk and compliance review will be monitored and prioritized.

The fact is that we need to be continuously checking compliance.  Almost any potential work-flow needs these checks, and not always for the risks that we consider in the IAM world.  We’re well aware of the issues involved with granting elevated privileges, but what about ensuring that the links to partner sites remain secure?  These are also part of ensuring compliance.

My view of risk has not changed as much; we know from a purely IAM perspective that we need to consider segregation of duties, administrator accounts, service accounts, SSL, etc. But of course we need to think about the larger level as well.  Who provides authorization and approvals and ensures accuracy?  What do we do to make sure that users, approvers and administrators are using the system correctly?

What I got out of this is that all three concepts must be considered together and entail a three part process:

  • Governance – What are our priorities in managing Risk and Compliance?
  • Risk – What are our risks at the process level and the operational level? How are they to be mitigated?
  • Compliance – How do we monitor and record these risks?

I’m thinking this will be a large part of Identity and Enterprise Architecture discussions for some time to come.

Unified Selection Model Whitepaper

The SGC Unified Selection Model whitepaper is available for download.  The methodology is the culmination of research which began in May of 2000.  There is an overview white paper and a shorter business brief.  It’s a dynamic approach that responds to the degree of time pressure.

Update:  I fixed the broken link.

Part II of Security Architecture and Design

The second part of my series on security architecture and design is up at Risk Intelligence.  In this post I look at the modular operators and give examples of how they have been used in security engineering.

Importing the SAP Provisioning Framework

One of the main reasons that one goes with SAP NetWeaver Identity Management is for the integration with other SAP modules.  The main way that this is done is through something called the SAP Provisioning Framework which comes bundled with the product.

There are a couple of challenges to accessing the framework.  The first is how to load it.  By default, the Framework exists as an import file which needs to be located; it is installed at “C:\Program Files\SAP\IdM\Identity Center\Templates\Identity Center\SAP Provisioning framework\SAP Provisioning Framework_Folder.mcc”

Now that we know where the Framework is located, we can load it via import/export from the NW IdM MMC console. However, when loading the Framework you might get the following error message: “Could not import global script ‘67/custom_generateHRID’ to identity center”.  I could not find any setting in import/export that allowed me to prevent the script from being processed.

After some research and poking around, I remembered that the SAP Provisioning Framework_Folder.mcc file is actually XML.  So I went through and searched on the phrase “custom_generateHRID” and found exactly one reference (highlight added):

      <GLOBALSCRIPT>
         <SCRIPTREVISIONNUMBER/>
         <SCRIPTLASTCHANGE>2007-10-04 12:52:52.7</SCRIPTLASTCHANGE>
         <SCRIPTLANGUAGE>JScript</SCRIPTLANGUAGE>
         <SCRIPTID>67</SCRIPTID>
         <SCRIPTDEFINITION>{B64}Ly8gTWFpbiBmdW5jdGlvbjogY3VzdG9tX2dlbmVyYXRlSFJJRA0KDQpmdW5jdGlvbiBjdXN0b21fZ2VuZXJhdGVIUklEKFBhcil7DQoJcmV0dXJuICIiOw0KfQ0K</SCRIPTDEFINITION>
         <SCRIPTLOCKDATE/>
         <SCRIPTHASH>a2b6834ea85aff0bae2559222d861c78</SCRIPTHASH>
         <SCRIPTDESCRIPTION/>
         <SCRIPTNAME>custom_generateHRID</SCRIPTNAME>
         <SCRIPTLOCKSTATE>0</SCRIPTLOCKSTATE>
      </GLOBALSCRIPT>

So being the intrepid guy that I am, I deleted the highlighted line and tried the import again.  It worked like a charm!  Not sure what to take away from this, but I’m glad I solved the problem.  Has anyone else seen this problem and solved it a different way?
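As an added example (not code from the post, and not part of SAP NetWeaver Identity Management), the script below does with a parser what the post does by hand: it locates the named <GLOBALSCRIPT> entry in the .mcc export, decodes the {B64}-prefixed <SCRIPTDEFINITION> so you can see what the script actually does before deciding to drop it, and removes the whole element rather than a single line so the XML stays well-formed. The sample input is the fragment quoted above wrapped in a constructed <MCC> root element plus a second constructed entry; the real export’s surrounding structure and the name of its root element are assumptions, as is the {B64} convention applying to every script body.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample: the GLOBALSCRIPT block quoted in the post, wrapped in a
# hypothetical <MCC> root (the real export has more structure than is shown),
# plus a second, made-up entry so removal can be checked for collateral damage.
SAMPLE_MCC = """<MCC>
      <GLOBALSCRIPT>
         <SCRIPTREVISIONNUMBER/>
         <SCRIPTLASTCHANGE>2007-10-04 12:52:52.7</SCRIPTLASTCHANGE>
         <SCRIPTLANGUAGE>JScript</SCRIPTLANGUAGE>
         <SCRIPTID>67</SCRIPTID>
         <SCRIPTDEFINITION>{B64}Ly8gTWFpbiBmdW5jdGlvbjogY3VzdG9tX2dlbmVyYXRlSFJJRA0KDQpmdW5jdGlvbiBjdXN0b21fZ2VuZXJhdGVIUklEKFBhcil7DQoJcmV0dXJuICIiOw0KfQ0K</SCRIPTDEFINITION>
         <SCRIPTLOCKDATE/>
         <SCRIPTHASH>a2b6834ea85aff0bae2559222d861c78</SCRIPTHASH>
         <SCRIPTDESCRIPTION/>
         <SCRIPTNAME>custom_generateHRID</SCRIPTNAME>
         <SCRIPTLOCKSTATE>0</SCRIPTLOCKSTATE>
      </GLOBALSCRIPT>
      <GLOBALSCRIPT>
         <SCRIPTLANGUAGE>JScript</SCRIPTLANGUAGE>
         <SCRIPTID>9999</SCRIPTID>
         <SCRIPTDEFINITION>{B64}Ly8gY29uc3RydWN0ZWQgc2Vjb25kIGVudHJ5</SCRIPTDEFINITION>
         <SCRIPTNAME>constructed_other_script</SCRIPTNAME>
      </GLOBALSCRIPT>
</MCC>"""

B64_PREFIX = "{B64}"  # assumption: script bodies in the export carry this prefix


def decode_definition(text):
    """Decode a SCRIPTDEFINITION value; values without the {B64} prefix are returned as-is."""
    if text is None:
        return ""
    if text.startswith(B64_PREFIX):
        return base64.b64decode(text[len(B64_PREFIX):]).decode("utf-8")
    return text


def find_global_scripts(root, name):
    """Return every <GLOBALSCRIPT> element whose <SCRIPTNAME> equals name."""
    return [gs for gs in root.iter("GLOBALSCRIPT")
            if (gs.findtext("SCRIPTNAME") or "") == name]


def inspect_global_script(xml_text, name):
    """Return (script id, language, decoded source) for the named script, or None."""
    root = ET.fromstring(xml_text)
    matches = find_global_scripts(root, name)
    if not matches:
        return None
    gs = matches[0]
    return (gs.findtext("SCRIPTID"),
            gs.findtext("SCRIPTLANGUAGE"),
            decode_definition(gs.findtext("SCRIPTDEFINITION")))


def remove_global_script(xml_text, name):
    """Return (new xml text, count removed) with every named <GLOBALSCRIPT> element dropped.

    Dropping the complete element, instead of a single line in a text editor,
    cannot leave an unbalanced tag behind."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map first.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    removed = 0
    for gs in find_global_scripts(root, name):
        parent_of[gs].remove(gs)
        removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    # Look before deleting: show what the offending global script contains.
    script_id, lang, source = inspect_global_script(SAMPLE_MCC, "custom_generateHRID")
    print(f"script {script_id} ({lang}):\n{source}")
    cleaned, n = remove_global_script(SAMPLE_MCC, "custom_generateHRID")
    print(f"removed {n} element(s); remaining export:\n{cleaned}")
```

Decoding the quoted entry shows that custom_generateHRID is only a stub that returns an empty string, which explains why the import works without it; on a real export you would point `ET.parse` at the .mcc path from the post, write `cleaned` to a copy of the file, and keep the original for the change record.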

Late to the Party and Nothing New

There is an old cliché that goes, “The mediocre are always at their best,” and that certainly applies to Microsoft’s announcement surrounding ILM “2”, now officially Forefront Identity Manager 2010 (FIM).  Brad Turner thought it should be Forefront Identity Lifecycle Manager.  I submit Forefront Lifecycle Identity Management System Year 2010 would have been even better.  Somehow the extra words and the clunky sound of saying it out loud is an apt aural simile for the technologies they crashed together to create it.  The product is heralded on the web site with these words: “Identity Management is about to get a lot easier(sic)”.  The clear advantage of this product is that it comes from Microsoft, whatever you may wish to infer.  They are trumpeting the self service capabilities, which I believe have diminishing returns; there is a point at which self service is a time sink for busy people.  The creation of workflows appears to be greatly improved and easier to do.  There is little improvement in the back end, and underneath it all is Microsoft’s metadirectory.  In the end you have to wait until 2010 to be underwhelmed.  For many it will be good enough.

In the same vein is an article at SC Magazine by one Mark Wilcox, principal product manager at Oracle.  Mr. Wilcox re-discovers, independently no doubt, the advantages of using virtual directory servers for mergers and acquisitions.  Not to be unduly hard on Mr. Wilcox, but that was well established by at least 2004, and you could argue earlier.  At least they can prove the usefulness of their own product as they attempt to swallow the Sun.  My favourite line from the article is this sentence in the opening paragraph: “M&A delivers its promise through the successful integration of two organizations and their business processes.”  That strikes me as an odd statement, because you can successfully integrate two companies and never turn a profit.  Only returning money to the shareholders fulfills the promise.