Posts Tagged ‘federateddirectory’

Administration of identity & access must level up due to cloud.

October 29, 2010 Leave a comment

First of all, I’ll define what I mean by cloud in 10 words: cloud is outsourcing some layer of services from you infrastructure. This thought comes after meeting a large healthcare organization that’s putting their “back office” operations in an MSP. This is having a significant impact on how they are viewing administration of IT. When you own operations and administration, you can easily blend the two. If you have an administrative issue that would be made easier by shifting something about the operations of your IT resources, you do it. But when operations is a black box, then you actually have to make your administration solve all your challenges. That is new for many.

This organization is putting most of the non-clinical systems in an MSP, or in the cloud if you prefer, and that means there are many IAM challenges. Where do accounts originate? Who controls the authoritative data about users? Because so many clinical and other applications require it, they are keeping much of the directory infrastructure in house. How do changes flow in both directions when there are automated process and human admins and operators on both sides? How can all the changes from both ends be tracked? How can the state, the changes and the policies be kept in line with regulatory requirements? It’s a daunting set of challenges.

Right now they have their hands full just making it all happen. And they have plenty of parties (each site, the central IT organization, various consulting organizations, all the vendors) that are all involved in the project as it’s ongoing. When I sat down with them and many of these parties, it was hard enough just playing catch up to see who was responsible for what. We were there to discuss many of the pains they are experiencing in the phase they are in now and where Quest can help. What I immediately started to envision were the pains of the next phase. I think Quest can help with those, too, but I’m hoping they were receptive to my suggestions about it all. My basic message was that they are going to have to arm their administrators with a new kind of toolset and those administrators were going to have to have a new, leveled up approach. They were going to have to think less like technologists and more like data architects. What will matter most going forward is having very sound and robust models for data, policies and processes. Otherwise they would fall back into old ways of thinking and likely find themselves without the ability to make those level of changes to the MSP hosted systems. Or, even worse, waste time fighting with the MSP to change operational details – a fight where they finance both sides of the battle and take both sides’ losses as well.


ghosts of the interscaler directory at #cat10; let’s do it!

There were a lot of points at Catalyst 2010 where Kim Cameron’s Interscaler, Federated Directory and Identity Schema came up in my mind, though went unmentioned by the speakers. I know I wasn’t alone, either. It was there like a ghost in every discussion. When Anil John spoke about Background Attribute Exchange (BAE), one of the first questions was about how to ensure schemas would be in sync. When Nishant Kaushik spoke about federated provisioning, again questions had everyone talking about how directories would be able to rely on attributes being “exchangeable” across domains. And when the folks from GM gave their talk the second or third question was about how they decided what attributes would be included in their avatar identities and which would not.

How does this move forward? I get dizzy when I look at all the standards bodies around identity. I’ve got a lot of energy to offer around this and don’t know where to push it. It’s not about a product or a vendor. I’d like to see this be an industry thing that everyone can benefit from.

an identity schema: less is more

June 22, 2010 1 comment

My degree is in philosophy; specifically I studied what would be called cognitive science or philosophy of mind. I still read papers and articles about the field occasionally as they come to my attention. Doing some pleasure reading this father’s day weekend I came across this passage in a paper called “Conceptual Problems in Memetics in a Multi-Level View of Evolution and Behaviour” which seemed to call out a problem that is worth considering for those contemplating the next generation of directories:

Consider the problems of ostension for a mother who points out and names the species of a bird that is singing in a tree to her infant child. How does the child know what precisely is being given a name: the name could refer to all trees containing birds, or all small, noisy objects, or of that particular bird, or of the underside of its belly? To avoid ambiguity, the child needs some low-level schemas, perhaps reflecting the nature of taxonomy and the economy of expression, which act as “attractors” for the acquisition of new higher-level schemas. These aspects might allow a child to surmise firstly that the mother is referring to the bird in itself, and not as part of its relation to this particular tree, or the fact that the bird happens to be singing. Secondly, these aspects should allow the child to realise[sic] that it is the “whole” object of the bird that is being referred to, rather than, say, only its underside. While the child has not yet developed a detailed knowledge of birds and their general relations to other very basic categories in the world, he or she is unlikely to expect the mother to be referring to detailed aspects of a bird.

We all know what someone means when they say “there is a need to track all the accounts and rights granted to those accounts that are associated with any specific person”. There are definitive ideas of an account, a person and a right – though a right is likely the one most likely to admit something inexact into the conversation. But these very concrete things are not first order objects in directories, they don’t have their own schema. Instead they are all persons or, worse, accounts, and the very obvious classes they fit into described in that simple to understand requirement are merely attributes assigned to them. That seems like something worth fixing. When the technical and real life descriptions diverge that much, it can never be good for your ability to get things done.

If you look at the language I’m using, my prejudice becomes clear. The concepts of object oriented programming seem to be very useful in this problem space. The idea of having a base class, like a person, and having classes that extend that to be an employee or similar flows very well. It also fits very well with reality. All these entities are people after all. And that base object becomes implemented through a schema for entries in a directory. If one organization relies heavily on contractors and another does not, it’s likely that contractors will have very different “schemas” defining them in each. If those two organization now want to share data about identity including the contractors, they may find themselves with a big job of mapping. If they had a shared basic schema that has been used by another more complex one as a parent in the more contractor reliant shop, there are well established ways for those interactions to take placed based on patterns from object oriented designs. And imagine how much better that could be using something similar to a common schema everyone used.

Doing things along these OO lines would also allow us to do more with less.  Since the base classes are shared, changes to those would make their way through everything.  And as new use cases arise, simple inheritance would allow for quick work making these new classes of schemas that map to the needs.


#eic10 part 2: lacking policy, lagging XACML, authZ not so externalized

I’m not sure why, but the theme for me at EIC10 was policy. It wasn’t that the sessions or discussions were intent on going there. If anything, it was quite the opposite. I sat in on one of the “pre-conference” sessions that was titled “Moving beyond the Perimeter: Identity & Access Management for a Networked World“. That was what set the tone. I went in expecting a lot of discussion about how organization could, should and have been able to overcome the tricky policy barriers to open themselves up and manage access. The reality was that we spent a lot of the time discussing how to get over the challenges of making IAM work inside the perimeter so they can start thinking about the outside. For those that had some established outside presence for identities accessing other resources or accessing their own (and it was only a few), they were set back on their heels by my questions about policy and challenges to explain the legal implications of those access points. Later on, in a session titled “It has been Quiet around Federation. Is this a good Sign or a bad one?“, asked what challenges were faced by your organization when trying to federate, I answered that we (Quest) had faced numerous legal challenges to getting federation done. Each time has been a meeting with lawyers and lawyers meeting with lawyers and so on. The shocked looks from the general audience didn’t quite drown out the few nodding heads that clearly knew exactly what I meant. It shouldn’t surprise me that technology outstrips policy and that technologists don’t see the policy lagging behind until it’s too late, but somehow it always does.

Of course, technology is still my preoccupation so I was equally into the technology of policy that seemed to pervade EIC10. XACML was everywhere. Or maybe it only seemed that way because I attended so many of Felix Gaehtgens‘s sessions. However, there were a few stark contrasts that struck me. First, there were no fewer than 5 vendors on the floor offering XACML based or compliant solutions for externalized authorization. Despite that, I didn’t see one keynote mention it, nor customer story talk about having that be built into their architecture. Even the big vendors, when directly questioned about it, immediately submersed it into an acronym soup of SAML, claims, and other federated related stuff. It seems like many are now using “federated” interchangeably with “externalized”, which is sensible on some level but seems to lose some of the important distinctions between the two (e.g. trust is explicit with federation and implicit with externalization). By far my favorite externalized authorization moment was in a panel titled “How to make your Software Security Architecture Future-Proof” when Felix asked Kim Cameron, who had just made his interstellar announcement, the following: “if the application has to have internal logic to handle claims, then the authorization has not been externalized, right?” Kim made no real answer. But I think Felix said what a lot of people were thinking. Claims are the bees knees, but WIF still embeds all the authorization logic right in the application itself.

This will be the last on the conference. It was a real blast and I got to meet some of the folks who have haunted my mind via twitter for a long time in person. Good stuff.

%d bloggers like this: