Wednesday, July 11, 2007

Loose Coupling

I stared at the price of Microsoft Office 2007 Standard edition (£300) and then stared at the price of Microsoft Office 2007 Basic edition (£100). The difference between the two products? Microsoft Outlook 2007 which costs about £100 as a standalone product.

Basic + Outlook (£200) = Standard (£300).

Am I missing something here?

Anyway, I bought the basic as I use Thunderbird as my mail client. And I have extended Thunderbird with the Lightning extension (for calendar functionality), Google Calendar extension (for Google calendar integration with Lightning), Plaxo extension (for synchronisation of my contact details across multiple platforms) and a few other minor extensions.

The result is I have a joined-up-in-a-loosely-coupled-way PIM for free.

My understanding is that Outlook is very powerful - I couldn't possibly deny that this is the case. But I also believe it can be a drain on system resources and it does cost £100!

So, I have my T'Bird, my LinkedIn, my Plaxo, my GMail/GCal and I'm liking my web based way of working. Now, all I need is a really good online document management repository which I can share with specific people. Time for a bit of investigation...

Monday, April 16, 2007

Personal News

Back in February, I sat my CISSP examination. I completed the 6-hour test in 2 hours, then spent 2 hours checking my answers, then left the examination before I started to change my mind again!

I walked out of the examination and went through various emotions:
  • Relief
  • Uncertainty - I thought I had done enough to pass, but wasn't sure
  • Forgetfulness - I could barely remember any of the 250 questions

Well, the results came through and I'm pleased to announce that I can officially use CISSP designation.

With my IBM Tivoli certifications and ITIL certification, I'm now completely "certified".

Friday, February 09, 2007

Within Six Degrees

There is a saying that we are within "six degrees of everyone in the world". At least, that was the saying when I was growing up and we believed there were 4 billion people on the planet - maybe it is seven now!

Anyway, knowing someone, who knows someone else, who knows someone else, etc., etc. seems a little fanciful, doesn't it? Not really...

I found out recently that I am only 3 degrees away from David Kearns - a man whose work I read every week and I have the utmost respect for, though sadly, I have no contact with. Having said that, I did sit beside him at lunch one sunny day in 2004 at an Identity Conference in Sydney, Australia!

How did I find this out? http://www.linkedin.com/ that's how!

I know someone, who knows someone else, who knows David. Judging by the number of contacts David has on LinkedIn, I might be only four degrees away from everyone on the planet.

Anyway, http://www.linkedin.com/ is quite a powerful tool in that only people I truly respect and trust are listed as my contacts. I'm quite sure this is true of most people who use http://www.linkedin.com/. Why is this relevant? Well, the ability to verify who you are isn't just a matter of producing a passport, or entering a UserID/Password into a keyboard, or typing a PIN into a "hole in the wall", or using any of the myriad of authentication devices available today. In the old days, verifying your identity could have been as simple as having someone else "vouch" for you.

This still occurs today to some degree - joining some exclusive clubs is more a matter of who you know rather than who you are or what you know! Password resets could potentially be performed in the work-place not by the forgetful employee herself, but by her colleague who is already trusted (although ideally, two colleagues).

Can we computerise the concept of a vouch-for authentication system in the future? Maybe. And maybe, it will be social networks like http://www.linkedin.com/ that will hold the key. After all, I'm not going to let any Tom, Dick or Harry be listed as a contact against my name! My identity is too precious to have it be let down by some unsavoury type!
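To make the "vouch-for" idea concrete, here is an added illustration (my own sketch for this post, not a LinkedIn feature or anyone's product) of what a computerised version might check: how many degrees separate two people in a contact graph, and a password reset that goes through only when two distinct direct contacts have vouched within a time window, with self-vouching and repeat vouching refused. The contact graph, names, and the two-voucher/fifteen-minute policy are constructed for the example.

```python
"""
Vouch-for password reset over a contact graph (added illustration; not the
blog's own code and not a LinkedIn feature). The graph, names and policy
numbers are constructed for the example.
"""
from collections import deque
import time

# Constructed, symmetric "trusted contact" graph: an edge means both sides
# accepted each other as a contact.
CONTACTS = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice", "dave"},
    "dave": {"bob", "carol", "erin"},
    "erin": {"dave"},
}


def degrees_between(graph, start, target):
    """Shortest number of hops from start to target (BFS); None if unreachable."""
    if start == target:
        return 0
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt == target:
                return depth + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return None


class VouchPolicy:
    """k-of-n reset: the subject needs `required` distinct vouchers who are
    direct contacts, each vouching at most once, all within `window` seconds."""

    def __init__(self, graph, required=2, window=15 * 60):
        self.graph = graph
        self.required = required
        self.window = window
        self.pending = {}  # subject -> {voucher: timestamp}

    def vouch(self, voucher, subject, now=None):
        """Record one attestation; returns True once the reset may proceed."""
        now = time.time() if now is None else now
        if voucher == subject:
            raise ValueError("cannot vouch for yourself")
        if degrees_between(self.graph, voucher, subject) != 1:
            raise ValueError(f"{voucher} is not a direct contact of {subject}")
        attestations = self.pending.setdefault(subject, {})
        if voucher in attestations:
            raise ValueError(f"{voucher} has already vouched (replay)")
        attestations[voucher] = now
        # Drop attestations that have aged out of the window.
        self.pending[subject] = {
            v: t for v, t in attestations.items() if now - t <= self.window
        }
        return self.reset_allowed(subject)

    def reset_allowed(self, subject):
        return len(self.pending.get(subject, {})) >= self.required

    def consume(self, subject):
        """Clear the attestations once the reset has actually been performed."""
        self.pending.pop(subject, None)


def demo():
    """Two direct contacts vouch for alice a minute apart: (False, True)."""
    policy = VouchPolicy(CONTACTS, required=2)
    t0 = 1_000_000.0
    first = policy.vouch("bob", "alice", now=t0)
    second = policy.vouch("carol", "alice", now=t0 + 60)
    policy.consume("alice")
    return first, second
```

The two checks that matter are the degree test (a friend-of-a-friend cannot vouch) and the replay test (one colleague cannot vouch twice to reach the quorum on her own); the window stops a stale attestation from being combined with a fresh one weeks later.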

BTW... If you are desperately interested, my LinkedIn profile can be viewed at http://www.linkedin.com/in/stephenswann.

Thursday, February 08, 2007

Open ID gets MS Backing

I typically try to talk about technology in the enterprise which is why I haven't yet mentioned Open ID on this blog - while I approve of the concept and the ideas which the Open ID group are working towards, I don't see that it is something that enterprises looking for staff authentication mechanisms are ever going to have to look into.

However, in the big bad world that is the WWW, a more joined-up approach to user authentication is no longer a nice-to-have. It is an absolute necessity. Personally, I dread to think just how many UserIDs I have online - my last count was ~150 and that is just a record of the ones I have recorded (securely, of course).

According to the BBC (http://news.bbc.co.uk/1/hi/technology/6339813.stm), the Open ID group have been given a boost by the news that Microsoft will give it their backing to the extent that they will share their own technology with the Open ID developers. This has got to be good news if only from the perspective that it will raise awareness of Open ID. After all, an article on the BBC website will only do it the world of good.

Microsoft are to bring their Infocards technology to the Open ID table. (Kim Cameron demonstrates the power of Infocards on MSDN TV: http://msdn.microsoft.com/msdntv/episode.aspx?xml=episodes/en/20060209InfoCardKC/manifest.xml). So are we likely to finally get our joined-up thinking as far as identity and access control on the internet are concerned? Looks that way, but it's still going to take time.

Tuesday, January 23, 2007

IT Skills Shortage

The UK government has advised that there will be a massive IT skills shortage in the UK in the coming years. Demand will outstrip supply dramatically, meaning that those people who are skilled will be able to command extortionate rates.

Within my world of Identity & Access Control, I can already see that some major blue chip companies are prepared to pay over the odds for their contractors. Of course, the expenditure is worth it if the result is a quality implementation that resolves their identity related issues.

Unfortunately, the reality would seem to be that the quality of the contractors is questionable. That may sound unfair, but all too often, the contractors class themselves as "Designers" or "Architects". The blue chips, however, want people who can not only wax lyrical about their chosen subject matter, but can also bang the relevant buttons on a keyboard in order to get the solution to work.

And therein lies a problem... too many theorists charging extortionate rates.

"Ah, but these guys are all certified, aren't they?" I hear you ask.

Of course they are. No employer would touch them unless they had demonstrated they could pass an exam. But remember, performing vanilla installations of Identity and Access Management tools in accordance with the vendor's documentation is not in the same league as implementing a highly available architecture, tuned for maximum performance, with enterprise-robust monitoring, failover and statistics gathering, in a locked-down fashion, with customisations.

I'm quite sure I could hire dozens of people who know how to follow a manual. I'm not so sure I could hire the right kind of people that I require to deliver the solutions that I need.

So what is the UK government doing about it? More importantly, what are the blue chips doing about it and what are the software vendors doing about it? More importantly, if I'm a smart guy, do I want any of these people to do anything about it? After all... I have a mortgage to pay!

Sunday, January 14, 2007

Federation v ESSO

It's well understood that achieving single sign-on in the enterprise is an admirable target. The complexities of rolling out such an infrastructure may mean that integrating all enterprise applications with a common security infrastructure will take some time (if it is even possible).

But what happens when single sign-on to a third party is a target?

Readers will already be aware that I am a fan of the concept of security federation but how many organisations have federation-aware applications? Over the last 2 years I have been met with a consistent answer to this question when broaching the subject of federation with third-parties. None!

Maybe we have just been unlucky with the third-parties we have been dealing with but I suspect the real answer to the question is still pretty close to "none".

So, do we force these third-parties to migrate to a federated security approach or do we just accept that our employees will have to have a separate UserId/Password for the third-party site/application? Or is there another way?

Well, I'm quite sure with just a little bit of effort we could provide a mechanism to automate the sign-on process on behalf of the employee. I'm quite sure that with a bit more effort, we could automate the process of changing passwords upon password expiry. I'm also reasonably confident that with (considerably) more effort, we could automate the provisioning process. And everyone is happy once more... until the third-party changes the various screens used for each of these functions.

You see, it would seem that most of these third-parties haven't even exposed an API catering for these functions.

However, the idea of scripting the logon process seems like a reasonable stop-gap until full federation is achievable and this is the focus of applications like Passlogix's V-GO suite (available at http://www.passlogix.com/). Indeed, this little application seems to tick so many boxes that the guys at Passlogix have struck deals to allow some of the big boys in enterprise computing to sell the software in rebranded form: IBM Tivoli and Oracle to name just two.

Are there any downsides?
  • It is a client application that needs to be deployed onto the desktops/laptops within the organisation
  • It is a Windows only application
  • It doesn't seem to support Firefox

The upsides, of course, are that it should be a relatively quick and easy approach to achieving SSO with a third-party. I can't help thinking that an amalgamation of Password Safe and Auto-It could achieve the same thing.

So, do I feel compelled to develop a freeware alternative to Passlogix's offering? No, I'm afraid not, despite the fact it would be an interesting exercise. The additional features of V-GO would sway me towards buying the off-the-shelf package (although I have no idea how much it costs!).
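One thing a "Password Safe plus Auto-It" approach has to get right is the failure mode mentioned above: the third-party changes its screens. A scripted logon that blindly types a stored password into whatever form it lands on will happily hand that password to a redesigned page, or to a look-alike page at another host. The sketch below is an added example for this post (my own illustration, not Passlogix's code and not a real V-GO feature): at enrolment it fingerprints the third-party's login form (resolved action URL plus field names and types, not values, so a rotating hidden token does not break it), and at logon time it refuses to build the submission unless the form still matches. The supplier URL, field names, credentials and the two HTML pages are all constructed for the example.

```python
"""
Scripted sign-on with a login-form fingerprint check (added illustration of
the stop-gap discussed above; not Passlogix's code and not a v-GO feature).
The HTML pages, URL and credential record are constructed for the example.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin


class FormCollector(HTMLParser):
    """Collects each <form>'s action and its <input> (name, type) pairs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name", ""), a.get("type", "text")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_login_form(html):
    """First form containing a password field, or None."""
    p = FormCollector()
    p.feed(html)
    for form in p.forms:
        if any(t == "password" for _, t in form["fields"]):
            return form
    return None


def fingerprint(page_url, form):
    """Digest of the resolved action URL plus sorted field names/types.
    Field values are deliberately excluded so a changing CSRF token is fine."""
    action = urljoin(page_url, form["action"])
    parts = [action] + [f"{n}:{t}" for n, t in sorted(form["fields"])]
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()


# Constructed credential record, as the vault would hold it after enrolment.
# In a real deployment the secret is encrypted at rest; here it is plain text.
ENROLLED = {
    "page_url": "https://portal.example-supplier.com/login",
    "user_field": "uid",
    "pass_field": "pwd",
    "fingerprint": None,  # filled in by enroll()
    "username": "sswann",
    "password": "correct horse battery staple",
}


def enroll(record, html):
    """Record the login form's fingerprint the first time the site is set up."""
    form = find_login_form(html)
    if form is None:
        raise ValueError("no login form found at enrolment")
    record["fingerprint"] = fingerprint(record["page_url"], form)
    return record["fingerprint"]


def build_submission(record, html):
    """Return (action_url, form_data) if the page still matches enrolment;
    raise instead of submitting credentials to a changed or unknown form."""
    form = find_login_form(html)
    if form is None:
        raise ValueError("login form missing: screen changed or not a login page")
    if fingerprint(record["page_url"], form) != record["fingerprint"]:
        raise ValueError("login form changed since enrolment; refusing to submit")
    data = {n: "" for n, _ in form["fields"]}
    data[record["user_field"]] = record["username"]
    data[record["pass_field"]] = record["password"]
    return urljoin(record["page_url"], form["action"]), data


# Constructed page as it looked when the site was enrolled.
ORIGINAL_PAGE = """
<html><body>
<form method="post" action="/auth">
  <input type="text" name="uid">
  <input type="password" name="pwd">
  <input type="hidden" name="csrf" value="abc123">
  <input type="submit" value="Sign in">
</form></body></html>
"""

# The same site after a redesign: new action and an extra field. A look-alike
# page on a different host is refused by the same check.
CHANGED_PAGE = """
<html><body>
<form method="post" action="https://portal.example-supplier.com/v2/auth">
  <input type="text" name="uid">
  <input type="password" name="pwd">
  <input type="text" name="token">
</form></body></html>
"""
```

When the check fails the right action is to stop and alert, not to fall back to typing the password anyway; a human re-enrols the site after confirming the new screen is genuine.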

And what about our federated security solution? Unfortunately, we are faced with a tricky situation. This type of solution requires both parties within the federation to have security federation aware systems. Deploying such systems is a "leap of faith" - faith that others will follow suit. Within my experience, none of our third-parties are ready to take that leap... yet!

Monday, January 08, 2007

Identity & Behaviour

I spend my working day devising ways of consolidating people's identities in order to help them minimise the number of UserIDs/Passwords they have to remember and in order to help them portray a consistent online "persona".

I have to admit that I have assumed that this is what people want. But is it?

It would seem that the younger generation are more fickle than that. The BBC, in a recent "bill board" article (available at http://news.bbc.co.uk/1/hi/technology/6234663.stm), reported that research in the US suggests that teenagers are happy to ditch their UserIDs or eMail Addresses in favour of new ones on a quite random basis.

Indeed, it would also seem that they are quite keen on having multiple identities portraying very different personalities. This, I can understand. After all, I have my "Identity Management Consultant" persona online in the form of this blog but I also have my "Sporting Athlete" persona online in the form of my hockey club website (available at http://www.eastantrim.co.uk/). I am very much the same person but the personality I portray through each is very different.

I can also understand that teenagers don't know who they are and will constantly change their online identity until they find an identity that they feel comfortable with. Maybe I have aged sufficiently to either be happy with my current identity or just too busy to attempt to alter it.

I will readily admit to having had the same email address and the same phone number for as long as I can remember. The kids at my hockey club seem to change both quite regularly.

So, maybe the world of Identity Management has a new challenge. Maybe there are users who would be horrified at the thought of only having a single identity? Thankfully for those users, Identity Management is still struggling to gain momentum within the enterprise world. The world where multiple identities are commonplace (and where those users live) is a social world within which Identity Management is not yet welcome. Does anyone remember Microsoft Passport?