As the new season of conferences kicks into gear, I start to have thoughts too big to fit into tweets again. I once again had the pleasure of making it to London for the EMEA Gartner IAM Summit. There was a big crowd this year, and the best part, as it always is, was the conversations in hallways and at bars surrounding the official agenda. It’s always good to get together with lots of like-minded folks and talk shop.
On stage, the conversations were intense as always. @IdentityWoman took the stage and educated a very curious audience about what identity can mean in this brave new mobile world. And there was an interesting case made that “people will figure out that authentication is a vestigial organ” by @bobblakley. But the comment that caught my imagination most of all was by author and raconteur Nick Harkaway, aka @Harkaway.
He links IP (Intellectual Property for clarity since there are a few “IP” thingys floating around now) and privacy in a way that never occurred to me before. @Harkaway says “both [are] a sense of ownership about data you create even after you’ve put it out into the world.” @IdentityWoman spoke at length about how our phones leave trails of data we want to control for privacy and perhaps profit reasons, and @bobblakley even proposed how to use that sort of data for authentication. At the core of both of those ideas is a sense of ownership. If it’s “the data is mine and I want to keep it private” or “the data is mine and I want the right to sell it”, it’s all about starting from the data being something that belongs to you.
I typically react with skepticism to IP but with very open arms to privacy. So to suddenly have them linked in this way was quite a dissonance. But what difference is it to say that I write this work of fiction and expect it to be mine even after it’s complete or I create this mass of geo-data by moving around with my phone and expect it to be mine even after I’m in bed at night? “But it’s the carrier’s responsibility to actually generate and maintain that data!” OK. But if I write my work using Google Docs does that alter my IP rights? Does it matter perhaps that the novel is about something other than me? Does it matter that geo-data is not creative? (Of course, some geo-data is creative.)
I don’t have all, or perhaps any, answers here. But I thought this notion was worthy of fleshing out and further sharing. What do you think? Are IP and privacy in some way intimately linked?
Mark Diodati of Gartner (that was a bit hard to type right the first time) has published the results of the SPML SIG held at #cat10. I think it captures the feeling of those present very well. At about the same time the minutes of the first meeting of the SPML PSTC for a long while were published. It seems there’s a much different split there than there was at the SIG. The split is basically between folks who want to see a “clean start” with a version 3 and those who want to see version 2 revved so it’s more realistic. I’m on the latter side, and so are the folks at Quest that I’ve spoken to. In fact, both at Quest and at customers, everyone I’ve spoken to about this outside a tight circle of “identity gurus” has agreed that SPML would best serve the larger community as a means to have systems communicate. Anything beyond that is overkill. At least for now. If all the different solutions had a standard way to do CRUD operations between one another, that would go a long way to solving many practical issues in heterogeneous IT environments.
I’d like to get more involved and I’m working with Quest to see if that can happen. This is something I’d like to see done from start to end.
I’ve just returned from Gartner/Burton’s Catalyst 2010 in San Diego (“just” returned when I wrote the first draft, not so much now that I’m finally getting to edit and post…). One of the sessions (Wednesday morning in the identity track) featured GM presenting about their fairly advanced and very well thought out identity management processes and platforms. They had a very mature outlook on what the real sources are for identity and how to empower the business to leverage the value of those identities over time and through the lifecycle.
Perhaps the best example of that was how they manage identities that are not really fully baked, management of avatars. The presenter from GM made a great analogy to explain this. He talked about the Mii parade from the Wii. If you’re not a Wii person, this needs a bit of context. On the Wii you have an avatar called a Mii. In many games that Mii is what you see on the screen to represent you. Since the Wii is designed to be multiplayer, you can of course have many Miis on a system. Apparently his daughters are just like mine. They make a Mii for every kid that shows up at their home; mine even make them for characters in books and people they meet away from home. What use is the Mii if there is no one to play as them? In some parts of some games, there are parades and other places where crowds appear. And these Miis, played with or not, show up in those crowds.
GM will make an identity for anyone that comes to their facilities, even going as far as to assign them a unique identifier. If that person eventually ends up as a contractor, then they will retain that identity. If they become an employee, they keep the same identity. And if they leave, the identity is still maintained. They also do similar things for what they termed “people of interest”. These are people like an employee’s spouse, who would be in some systems to receive benefits and therefore have one of these avatars or half-baked identities. So, with all these avatars in their systems, when they go through to do large reports and such, they end up with a Mii parade with all these avatars that are not users as such showing up in the crowds.
This struck me as being deeply right. Most organizations want to reduce the identities they have at all costs. But identities are data, and data has value. Of course, Quest and I are fans of reducing accounts and points of access, but that’s quite different. This is about having many singular identities that can be used to fill out your Mii parade so that it acts and feels as real as possible. The rich context can only lead to better and fuller business decisions over time.
For those of you who made it down this far, here’s a sample of what a Mii parade can be like when you just tell the Wii to have all the Miis go marching:
I’ve been traveling like mad (writing this in Berlin). So this comes far too long after the show for my taste, but I really wanted to get this out there because there is some very good stuff to highlight.
The star of the Gartner IAM Summit was Earl Perkins. He has a way of saying things that makes the very obvious seem as wise as it should. The thoughts he concentrated on that left an impression on me were:
- There is too much focus on the C in GRC. Vendors are the most guilty here, since they tend to see compliance as the easiest route to sales success. If there is an audit finding or clear potential for one, you have a compelling event. It’s just as valid to talk about using IAM products in a way that removes risk and aids in governance, though; and the business uses those terms. Vendors are always looking for ways to address the business buyer vs. the technology buyer. Of course, that is also useful for the advocate of IAM projects within an organization. Talking to your customer internally about risk and governance makes them see you as proactive vs. reactive to compliance needs that arise from outside pressure.
- The auditor is your friend. I got to see Earl brief clients directly on this at the “breakfast with the analysts” session. I can’t agree more with this. Making the business take your IAM project more seriously by virtue of making it the auditor’s edict is a wonderful trick.
Reduction is another theme that came out of both the analyst and customer-led sessions. All forms of reduction are good. Quest had a session highlighting our Authentication Services being used at Chevron, and that focused on reducing the overall number of identities in any enterprise by consolidating to AD for all Unix, Linux and Macs as well as many applications. But reducing the number of roles, the number of entitlement definitions and directory infrastructures was touched on again and again.
Last is a favorite of mine: reading the magic quadrant correctly. Gartner always says this clearly, but it feels like no one ever hears them. I look at the magic quadrant as three dimensional. The two dimensional graph is a ceiling where vendors who have made the cut poke through and show up in their respective areas, as if you were looking at the top of a cube. Turn the cube on its side and you would see the shorter lines which don’t make it to the top of the cube, which all represent the vendors which are not good enough to be in the “magic ceiling”. Earl also revisited why there is still no, and likely never will be, an IAM magic quadrant – there is no one definition to make a cohesive statement about.
A very good conference all in all. Can’t wait for the next one…
I’m always in catch-up mode with my reading. I finally got to Ian Glazer’s “Access Certification and Entitlement Management” on a plane to California. If you are in the market for access certification, trying to understand how to construct an approach to managing entitlements or just want to understand the moving parts of access in any reasonably complex organization, then this is a must read. What got me thinking most was the tone of the paper. Essentially it boils down to the good advice to make sure you define boundaries for tasks well and get the people from the business who should own the information to become the owners by the end of the process. Ian also encourages you to use whatever resources you can, even if they make strange bedfellows. It reminded me very much (and I’m going to mix analyst firms here so forgive me) of Earl Perkins’s thoughts about making the auditor your friend and making sure you “care, but not too much”, which he communicated at the Gartner IAM Summit last week (and blogged about previously as well).
All this got me thinking about the actual content of such IT to business communication regarding access certification. And, since I was trapped on a 6+ hour flight with a power outlet but no internet, I came up with this small, tongue in cheek video. I know the terms will feel like nails on a chalkboard to some since they are not exact. But I really tried to exercise that “it’s more important that they get the right ideas and not the exact right terminology” notion as best I could.
Since there is so much to say about Gartner IAM Summit 2009, I wanted to break it up a bit. The first thing I wanted to do was get the vendor stuff out of the way. When I get to the topical stuff I’m sure some vendors will be involved, but there is much to say about what happened in the exhibition hall.
Possibly the most talked about thing on the floor was the size comparison of the Oracle and Sun booths. Oracle had the biggest possible booth and, predictably, Sun had the very smallest. Sun was literally on the far wall alongside niche players and new entrants. Of course this just makes sense, but everyone was talking about it. I should have taken pictures. To add to this drama, the announcement about the EU’s objections to the merger was made while we were at the show and that just set people off talking about it all again after the booth comparison finally died down. The most sensible thoughts were all centered around the wisdom that it would be years before anything really happened to Sun’s IAM offerings. In fact, Gartner even said as much during the session about the magic quadrant. Yet many people were convinced, all wisdom aside, that this merger was going to be about Oracle raking Sun customers over the coals.
Aside from the Oracle and Sun drama, the show floor was not too exciting. Gartner always has a way of making sure their clients know the show is all about them – this time was no exception. All the booths were in the basement. That said, they only served lunch and drinks by the booths; so there was a captive audience at times. It seemed to me, watching the other attendees, that most folks didn’t really spend a lot of time talking to vendors. From my place in the center of the floor at the Quest booth, I could see pretty much everything. There were only 6 hours of booth time, and I’d say only half of that was really about vendor time (the other half was eating time). The people who came to our booth were either interested in something very specific, or on a mission to talk to everyone a bit and get the lay of the land.
The busiest booth seemed to be Aveksa’s. Sailpoint and Cyber-Ark got some good traffic, too. No surprises there. They are all in the sweet spots of their fields. The only booths I couldn’t see were Oracle and Novell. Of course, those were the biggest booths and they were right at the entrance of the floor. I’m assuming they got some good traffic just because of that.
It seemed to me the best user/vendor interactions were side meetings, which there were tons of, and the use cases that the vendors sponsored. That’s one of the very cool things about Gartner’s shows. The user is in the focus and everything is designed to make sure that it stays that way.
Next post in a few days (or sooner) and it will concentrate on what I took away from the sessions.