The UK government has advised that there will be a massive IT skills shortage in the UK in the coming years. Demand will outstrip supply dramatically, meaning that those people who are skilled will be able to command extortionate rates.
Within my world of Identity & Access Control, I can already see that some major blue chip companies are prepared to pay over the odds for their contractors. Of course, the expenditure is worth it if the result is a quality implementation that resolves their identity related issues.
Unfortunately, the reality would seem to be that the quality of the contractors is questionable. That may sound unfair, but all too often, the contractors class themselves as "Designers" or "Architects". The blue chips, however, want people who can not only wax lyrical about their chosen subject matter, but can also bang the relevant buttons on a keyboard in order to get the solution to work.
And therein lies a problem... too many theorists charging extortionate rates.
"Ah, but these guys are all certified, aren't they?" I hear you ask.
Of course they are. No employer would touch them unless they had demonstrated they could pass an exam. But remember, performing vanilla installations of Identity and Access Management tools in accordance with the vendor's documentation is not in the same league as implementing a highly available architecture, tuned for maximum performance, with enterprise-robust monitoring, failover and statistics gathering, in a locked-down fashion and with customisations.
I'm quite sure I could hire dozens of people who know how to follow a manual. I'm not so sure I could hire the right kind of people that I require to deliver the solutions that I need.
So what is the UK government doing about it? More importantly, what are the blue chips doing about it and what are the software vendors doing about it? More importantly, if I'm a smart guy, do I want any of these people to do anything about it? After all... I have a mortgage to pay!
In a world where technology is supposed to make things simpler, why is it that the world seems to be more complicated? This blog is made up of the ramblings of an IT Security Consultant specialising in IBM Security software with a heavy focus on IGI, ITIM/ISIM, ITAM/ISAM and ITDI/ISDI. All opinions expressed are my own and have nothing to do with any employer past or present. I hope you find them useful.
Tuesday, January 23, 2007
Sunday, January 14, 2007
Federation v ESSO
It's well understood that achieving single sign-on in the enterprise is an admirable target. The complexities of rolling out such an infrastructure may mean that integrating all enterprise applications with a common security infrastructure will take some time (if it is even possible).
But what happens when single sign-on to a third party is a target?
Readers will already be aware that I am a fan of the concept of security federation, but how many organisations have federation-aware applications? Over the last 2 years I have been met with a consistent answer to this question when broaching the subject of federation with third parties. None!
Maybe we have just been unlucky with the third parties we have been dealing with, but I suspect the real answer to the question is still pretty close to "none".
So, do we force these third parties to migrate to a federated security approach, or do we just accept that our employees will have to have a separate UserId/Password for the third-party site/application? Or is there another way?
Well, I'm quite sure with just a little bit of effort we could provide a mechanism to automate the sign-on process on behalf of the employee. I'm quite sure that with a bit more effort, we could automate the process of changing passwords upon password expiry. I'm also reasonably confident that with (considerably) more effort, we could automate the provisioning process. And everyone is happy once more... until the third-party changes the various screens used for each of these functions.
You see, it would seem that most of these third parties haven't even exposed an API catering for these functions.
However, the idea of scripting the logon process seems like a reasonable stop-gap until full federation is achievable and this is the focus of applications like Passlogix's V-GO suite (available at http://www.passlogix.com/). Indeed, this little application seems to tick so many boxes that the guys at Passlogix have struck deals to allow some of the big boys in enterprise computing to sell the software in rebranded form: IBM Tivoli and Oracle to name just two.
Are there any downsides?
- It is a client application that needs to be deployed onto the desktops/laptops within the organisation
- It is a Windows only application
- It doesn't seem to support Firefox
So, do I feel compelled to develop a freeware alternative to Passlogix's offering? No, I'm afraid not despite the fact it would be an interesting exercise. The additional features of V-GO would sway me towards buying the off-the-shelf package (although I have no idea how much it costs!)
And what about our federated security solution? Unfortunately, we are faced with a tricky situation. This type of solution requires both parties within the federation to have federation-aware security systems. Deploying such systems is a "leap of faith" - faith that others will follow suit. Within my experience, none of our third parties are ready to take that leap... yet!
Monday, January 08, 2007
Identity & Behaviour
I spend my working day devising ways of consolidating people's identities in order to help them minimise the number of UserIDs/Passwords they have to remember and in order to help them portray a consistent online "persona".
I have to admit that I have assumed that this is what people want. But is it?
It would seem that the younger generation are more fickle than that. The BBC, in a recent "bill board" article (available at http://news.bbc.co.uk/1/hi/technology/6234663.stm), reported that research in the US suggests that teenagers are happy to ditch their UserIDs or eMail Addresses in favour of new ones on a quite random basis.
Indeed, it would also seem that they are quite keen on having multiple identities portraying very different personalities. This, I can understand. After all, I have my "Identity Management Consultant" persona online in the form of this blog but I also have my "Sporting Athlete" persona online in the form of my hockey club website (available at http://www.eastantrim.co.uk/). I am very much the same person but the personality I portray through each is very different.
I can also understand that teenagers don't know who they are and will constantly change their online identity until they find an identity that they feel comfortable with. Maybe I have aged sufficiently to either be happy with my current identity or just too busy to attempt to alter it.
I will readily admit to having had the same email address and the same phone number for as long as I can remember. The kids at my hockey club seem to change both quite regularly.
So, maybe the world of Identity Management has a new challenge. Maybe there are users who would be horrified at the thought of only having a single identity? Thankfully for those users, Identity Management is still struggling to gain momentum within the enterprise world. The world where multiple identities are commonplace (and where those users live) is a social world within which Identity Management is not yet welcome. Does anyone remember Microsoft Passport?