ian glazer's tuesdaynight

Just back from Playa Del Carmen. Went on a quick vacation for my wife’s birthday. We’ve been going to Playa on and off for five or so years. It has changed big time over the years. Playa’s gotten built up, lost a lot of its clunky charms, and become more, well, Cancun-like. That being said there are still some great things about it - notably Hotel Basico. Basico is both a hip design hotel and an unpretentious place to unwind. It has about a dozen rooms which are deliberately spartan. The real draw is the roof “pool” - consisting of a few hammocks, a few pool-side beds and two water tanks cum swimming pools. Add a bar and a great kitchen cooking up fish tacos. Top that off with a distinct lack of loud guests and you have the makings for a private penthouse experience that doesn’t cost an arm and a leg. Tourism is PDC’s major business and from all accounts business is good. It’s just a little unnerving to hear “Tequila shot. Lemondrop. How YOU doin’?” yelled at you while you walk down the street. Strangely, it felt like a Hong Kong evening on Nathan Road…

Between her open letter to application vendors and roles versus rules, Pamela Dingle is kicking up a lot of dirt. I tend to agree with most of her points as I have written about here. However her following point bothers me; I’m not saying I disagree with it completely but it sits oddly with me:

In the case where two roles are assigned to the same person, but should never be simultaneously applicable, Enterprises have limited choices. If, however, there is a layer in between the consumer and the provider that lets you mask roles based on user-chosen context, in my mind this problem goes away. I don’t see how you can do it without the user part — but perhaps I’m just not thinking hard enough

James has provided me more to work with…

Identity consolidation says that I figure out how to get user stores out of my enterprise application and instead get these applications to bind at runtime to a directory service such as Active Directory.

Ah, so identity consolidation is centralized authorization. Got it.

I am making the assumption here that when James says user store he means authorization store. (Applications in this model still need some modicum of a user store if nothing else for auditing purposes.) I am assuming the implication here is that after authentication comes a round of authorization that the directory service provides. The application would consume this authorization data, at runtime, and act accordingly. Theoretically, an enterprise policy (XACML) store could theoretically reproduce the authorization models of every application in the enterprise today and that policy tools would interact with this store. Though I think this is a very viable model for customer applications (especially J2EE and .NET), I do not see it as an enterprise approach where complex applications like mainframe security and ERP roam free.

James recently picked up on my Identity leprosy or identity zombies post and writes:

Ian believes that identity needs brains but falls into the trap of thinking about identity solely from the perspective of provisioning and while avoiding runtime aspects. I wonder if he would blog on why enterprises should consider identity consolidation over identity management?

Before I respond I’d like to get some clarity. James, give me a more to work with and I’ll happily write more. Help me understand that which you are contrasting between “identity consolidation” and “identity management.” Help me understand how provisioning doesn’t have runtime implications.

Jackson, in discussing the demise retrenchment of HP’s identity business, had this little gem:

We talk about Identity 2.0 in the context of Web services and the evolution of digital identity but our infrastructure, enterprise identity “stuff” is decrepit and falling apart. I have visions of identity leprosy with this bit and that bit simply falling off because it was never built with Web services in mind.

Bits falling of, eh? I’ve never heard of someone losing their core directory services because someone forgot to add XACML support. I’ve also never heard off someone loosing an ear because their provisioning system didn’t support SPML v2. Enterprise identity “stuff” is more like a zombie. It lurks in the dark corners of your enterprise. It staggers out at you at inopportune moments. Two other aspects of this ridiculous image that are valid:

I’ve been back about a week from my trip to Pune. Had a great time. The people and food were wonderful. I did get a chance to go on our company “picnic,” a three day jaunt to the beach near Dapoli. Some funny adventures along the way, like a 14 hour bus ride home featuring the bus breaking down on three different occasions. Good times. All in all, I know I’ll be back soon and hopefully have more of an opportunity to explore.

Bob, Lori, and Gerry at Burton Group have confirmed what I had heard only in rumor: HP is effectively pulling Identity Center from the market. It will continue to focus R&D on its existing Identity Center customer but will not be actively seeking new ones.I’d love to have seen what the business case was for HP’s original acquisitions into the space and then the analysis to make this decision. Tough choices.

Compliance as a Service – Counter-counterpoint

Matt and Mark have both responded to my response. Matt writes:

Thanks for keeping us honest Ian! I would be pretty blind to claim that overall regulatory compliance can be solved with any IT solution (…or set of …or service of). But I didn’t make that distinction in my previous post. But, is that the basic point you’re making? …that IT compliance is a subset of overall Compliance? Or is there more to it?

I’m headed to India in a few hours, off to meet up with everyone in our Pune office. I have to say, I am really looking forward to this trip. I’ve never been to India before and there’s nothing like a two week trip to serve as a very limited crash course. One added bonus on this trip, I’m lucky enough to tag along on our company retreat. Two days on the beach in Dapoli… sounds like fun. Pictures at 11.

My friend Mark MacAuley can always be counted on to stir things up. He’s seen plenty of enterprise deployments and architectures and comes at problems with a combination of Yankee ingenuity and healthy cynicism. Over on Identitystuff, Mark writes about offering Compliance as a service:

The new frontier is CaaS – Compliance as a Service. Fixed cost, consistent automated reporting, a defensible model for implementing and showing transparency.

Although the intent of Compliance is good, in Mark’s estimation Compliance is 100% cost with no positive yield to the bottom line.