Wednesday, July 23, 2008

Directory Trek Wars - Act II

Well, I'm glad I didn't offend anyone with my previous post on the ongoing Directory debates (at least not that I'm aware of). I told myself I wasn't going to bother doing anything like that again, at least not for a while. Unfortunately, I couldn't help myself. Perhaps I'm not in the mood to talk seriously about Identity stuff this month.

The following is VERY LOOSELY based on reality. I'm not going to add my 2 cents this time because I think enough's been said for now. Although I sort of am if you read between the lines. If you can't figure out which side of the fence I'm on after reading this, read it again. If you're still unsure, accuse me of fence sitting and I'll be more blatant about what I think.

Disclaimers:
  1. Any lines without a reference and link to a fellow blogger are completely made up by yours truly.
  2. I didn't quote anyone. I paraphrased and took a lot more artistic license this time around (possibly too much because in some parts, I'm probably being too cryptic). References to blog entries being paraphrased are posted in brackets after the statement.
  3. Because I have an opinion, I'm probably being too harsh on the side I don't particularly agree with. So please take that into consideration when reading.
  4. I apologise in advance for any offense caused to the people mentioned or anyone reading this.

To set the scene, Act I was Meta-Directory vs. Virtual Directory. This time, it's Active Directory vs. Virtual Directory.

That said, let's see if I successfully piss anyone off this time...

(Cue music)

AD: Hi, I'm an AD.

VD: And I'm a VD.

AD: Tee hee, he's a VD.

VD: No, not that kind of VD. Grow up AD and stop looking at me like that.

AD: Pffft LDAP! I learnt how to speak that in 1st grade. If you want to be on my Gates-lactic level, learn to speak ADSI. I've been on 85% of the voyages on the USS Enterprise to the final frontier. (Jackson Shaw)

VD: But you do things differently from everyone else. I give people free choice and free will. (Clayton Donley) You also start to get cranky when too many people ask you questions. And then you lock people in with your death grip. Who in their right mind would have you as their only friend? (Clayton Donley) People just talk to you because you have the biggest house. But those who don't want to commit leave the party with me. (Nishant Kaushik) By the way, anyone for some CARML? I made it myself with the help of some friends. (Clayton Donley)

AD: Everyone on the Fortune 500 council is my friend...well, except for those fools on the Sun. People should be able to choose their friends. In other words, me! And those smart people up at HQ are probably working out how to make me more like you anyway! Going with me is a no brainer. (James McGovern) And what's wrong with being locked in with me? You all drive with Windows don't you? I'm just like all the rest of you directories. Windows just happens to be my bestest buddy! Don't be a playa hater just cuz Windows and me go way back. CARML? Yeah I'd like some of that. It goes well on desserts and stuff. Is that not what you meant? (Jackson Shaw)

Moderator: AD makes a good point. If Windows drives you everywhere, then AD can be a very good friend and you won't need too many of those other pesky friends anymore. (Jeff Bohren)

VD: Seriously AD, do I need to remind you that you choke when you get too many questions? And you really don't like it when people try to change things about you. What's more, you don't give a crap about anything that your buddy Windows doesn't care about and you don't actually use the same type of box as the rest of us to store your stuff, which means if we give you some of our stuff it won't fit. (Tim Paul) AD, you need to face up to the fact that you're one of many. You're not THE ONE. You're just used when people want to get to your best buddy Windows. And since we're talking about your buddy, go ask why he refuses to play nice with the rest of us while all our friends MUST play nice with you? (Nishant Kaushik) By the way, what happens to people who have you as their only friend when their parents get together and then all of a sudden there's a few versions of you wanting to be everyone's only friend? Or worse still, they don't have another version of you but they have all my friends in there that don't like you? (Mark Wilcox)

AD: I'm afraid I have to tell you that I'm everywhere. You know when you go to the doctor? I'm there too. I also have trainers that do a much better job of teaching people how to play nice with me. You and your friends just release books and tell people to go read them. Did I mention I'm cheaper to feed by the way? (James McGovern)

VD: That's because you eat fast food. Which means you get fat and bloated and can't move around.

Moderator: I would ask you both to stop being tools and just agree to disagree, but that's exactly what you both are. Tools! (Matt Pollicove) Not only that. Most people just talk to AD to ask if they can talk to his buddy Windows! We should also keep in mind that most people only care about their accounts. They don't bother with this identity stuff. Why? Because it's expensive and the high commander just wants to stay out of prison at the lowest cost. Oh, can I get you to comment on your buddy Oracle's arch enemy SAP's commendable actions of late in Identityland? (Jeff Bohren)

VD: Interesting you should mention my buddy Oracle. He sends his apologies that he can't be here right now because he's sailing around on his galactic yacht. He was asking me the other day why people don't just standardise on him. He knows a lot about them anyway. They tell him all their secrets, forget them and then ask him what they said. All they ever tell AD is their name and their email address. Did I mention I'm good friends with people of all ages? Even those old geezers with walking sticks that sit in the park playing chess all day with Garry Kasparov. AD is only good friends with people from the Gates-lactic Universe. As for why I'm hanging around, it's because I'm needed. One day when I'm not, I'll get on "The Bus" and be on my way. My buddy Oracle also wants to remind you that your good friends Gartner and Forrester are his bestest buddies at the moment and they don't like SAP. Anyone care for dessert? My CARML has been cooking and is mmm mmm good! You know you want it. (Clayton Donley)

AD: Been meaning to ask you this VD. Are you actually just a proxy for all your friends? (James McGovern)

Wednesday, July 09, 2008

Metaphysical Directory Virtual Storm

Or MDVS for those that like acronyms (hi all you current/ex-IBMers - if you don't get what I'm talking about, you've never heard an IBMer complain about PBCs, IDPs, RDMs, PDMs, SSM, RMs...I could go on but I won't).

For those that are unaware, there's a bit of a debate going on about virtual directories and meta-directories.

I think Jackson Shaw may have started it back in March this year and for some reason it got a whole lot noisier this week.

There's a lot to read if you haven't been following the thread so here's a timeline with the gist of each post (paraphrased/summarised by yours truly, so I'm not quoting directly - if I manage to offend anyone along the way, my sincere apologies as that's not my intent :-)):

Jackson Shaw: The meta-directory is dead.
Dave Kearns: I hope Microsoft is listening because ex-Microsoft/Zoomit meta-directory guru Jackson Shaw says the meta-directory is dead.
Kim Cameron: Claims are "the electrons that flow" on the Identity Bus. A meta-directory is the most advanced technology around to transform and arbitrate claims, and distribute metadata.
Nishant Kaushik: Meta-directory? What do you need that for? Just use a virtual directory and combine it with some provisioning!
Matt Flynn: The meta-directory isn't dead. It just got older. But hey, 50 is the new 30 isn't it?
Matt Pollicove: "Metadirectories and Identity Attributes are the molecules and atoms of the Identity universe which came long before any concept of Identity 2.0, which as a newcomer to the Identity Universe which might wind up being Compounds." (Note: Direct quote - Matt P didn't need paraphrasing.)
Jeff Bohren: It's about choosing the right tool people. Stop trying to be Philosophers.
Jackson Shaw: What Jeff said. Oh, and what Matt Flynn said too. Let's consolidate the suckers (directory technologies, not Jeff and Matt). (Note: Jackson didn't actually say "suckers"...and he definitely didn't say it in such a close proximity to mentioning Jeff and Matt - that was just artistic license on my part.)
James McGovern: Why don't we all just use Active Directory? We all have one!
Nishant Kaushik: Matt F, you can just use a virtual directory plus provisioning. Using a meta-directory is a point solution and you'll have to kludge your way around it down the track because of business processes and controls. Oh and aren't more vendors starting to support Active Directory because of the emergence of the virtual directory anyway? And using Active Directory locks you in to Microsoft. A virtual directory is much more flexible and abstracts you from things like that nasty Bill Gates nerd directory...I mean Steve Ballmer. (Note: Nishant made no such reference to Bill or Steve or a nerd directory. Again, artistic license on my part.)
Jeff Bohren: Some dude from the ApacheDS project wrote a comment saying all existing virtual directories are hacked together solutions with the end goal being an acquisition.
Dave Kearns: What's ApacheDS guy smoking?
Ash Motiwala: Did Nishant really just say that the reason for a "groundswell" of people building native Active Directory support into their apps is because of the emergence of virtual directories?
Jeff Bohren: Soooo Nishant, you think instead of being "locked-in" to Active Directory we should be "locked-in" to Oracle Virtual Directory? By the way, it's not that difficult to write code that supports multiple LDAPs.
Nishant Kaushik: Oops. I mis-stated what I was trying to say. I didn't mean to say that applications are supporting Active Directory directly as the identity store by using a virtual directory. I meant to say the reason for a "groundswell" of people building native Active Directory support into their apps is because of the emergence of virtual directories. By the way Jeff, virtual directory "lock-in" doesn't seem to be a big issue with customers. (Note: Is it just me or did Ash actually understand what Nishant was really trying to say and Nishant just thought that Ash thought that he meant the other thing? In which case Ash's question still stands. Is anyone confused yet? I am.)
Clayton Donley: Hey guys, what's up? Back from a great holiday. What the?! I go on vacation and all of you kick up this mini-storm on directories. Jeff, writing code for different directories is easy for an experienced LDAP guy like you, but for a lot of people it's a real pain in the a**. Virtual directories make things more dynamic and configurable if you decide to change the directory infrastructure. Just change some settings and away you go. As for virtual directory vendor "lock-in", that's why we're working on standards like the Identity Governance Framework and CARML, which will improve virtual directory interoperability.
Clayton Donley: As for all you Active Directory fan-boys, "What's more likely: 1. everyone standardizing on Active Directory, or 2. everyone not standardizing on Active Directory." Say "aye" for option 1...(dead silence)...
Clayton Donley: Yeah, what's that ApacheDS project guy smoking?!


By now, I doubt anyone cares what I think. But that's never stopped me before. So here goes:
  • Use the right tool for the right purpose. I may be over-generalising but here are some examples:
    • If you want to keep disparate data sources updated with the right info "auto-magically", use a meta-directory.
    • If you need to tie some business processes around the modification of information, go with a provisioning tool. Usually this is tied to some access control needs. e.g. changing an attribute might drive a dynamic role which suddenly gives you more access than you should have, which may be perfectly fine but requires the granting of dispensations and approval by a business or system owner.
    • If you want to be able to get at data from a known, semi-standardised access point and not have to worry about where to get all these various bits of data you need, go with a virtual directory.
  • There's enough room today (and in the foreseeable future) in an Enterprise Identity Ecosystem for a provisioning tool, a meta-directory, a virtual directory and obviously an actual real directory (or more likely, a few directories)...oh and let's not forget the "annoying uncle in the corner we don't like to invite to the party except for the fact it's his house", Active Directory (I know it's technically a directory too, but it's a little "different" - you all know what I mean).
  • If you can get an organisation to go with a service-oriented approach to security, the debate goes away. Everything becomes a service. How all these services get implemented will be largely up to the vendors. It may be a meta-directory underneath the covers. Or maybe it's a virtual directory. If I'm the person writing the code, I don't really care. Just point me at the service and stop preaching to me about security.
  • Meta-directories aren't dead. They're evolving. They're also aging as Matt Flynn says, but I'm not sure it's the fine wine type of aging. Nishant is somewhat correct in referring to meta-directories as point solutions. But what's wrong with that? If you have a requirement that a meta-directory solves perfectly (and you know what it will and won't do) then go with it. Matt and Nishant's comments aside, the concept of a virtual directory and meta-directory as separate types of "tools" will probably go away. I have a feeling they'll converge as vendors build out their feature sets. In typical "me-too" fashion (big vendors do this all the time), meta-directory products will add features to make them more "virtual directory-like" and vice versa. Maybe they'll get a new name. Integration Directory? Yeah that's a boring name. I'm sure someone will come up with a better one. Perhaps the evolution will lead to the meta-virtual-directory being the spine of the Identity Bus everyone keeps talking about. It won't need a name any longer. It'll just be a component.
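To make the meta-directory versus virtual directory distinction in the list above concrete, here is a small Python illustration I've added (my own constructed example, not code from any product or person mentioned in this post). The two backends (an HR system and an AD-like directory), their attribute names and the employee records are all made up; a real deployment would be talking LDAP to the actual stores. The meta-directory copies and transforms entries into its own store on sync(), so a read is only as fresh as the last sync; the virtual directory holds nothing and joins the backends at query time. Both expose the same lookup(), which is the "just point me at the service" point from the last bullet.

```python
"""Toy illustration of a meta-directory versus a virtual directory.

Constructed example: two pretend backends (an HR system and an AD-like
directory) keyed by employee number, one canonical schema, and two
components that expose the same lookup() but get their data differently.
No real LDAP traffic; the backends are plain dicts.
"""
from copy import deepcopy

# Constructed sample data for the two backends.
HR_SYSTEM = {
    "1001": {"givenName": "Ada", "sn": "Lovelace", "department": "Engineering"},
    "1002": {"givenName": "Grace", "sn": "Hopper", "department": "Research"},
}
AD_LIKE = {
    "1001": {"sAMAccountName": "alovelace", "mail": "ada@example.test",
             "memberOf": ["CN=Developers"]},
    "1002": {"sAMAccountName": "ghopper", "mail": "grace@example.test",
             "memberOf": ["CN=Researchers"]},
}


def join_entry(key, backends):
    """Build one canonical entry by pulling attributes from each backend and
    renaming them to the canonical schema. HR is the join source: a key that
    HR does not know yields None, whatever the AD-like backend says."""
    hr = backends["hr"].get(key)
    if hr is None:
        return None
    ad = backends["ad"].get(key, {})
    return {
        "employeeNumber": key,
        "cn": f"{hr['givenName']} {hr['sn']}",
        "department": hr["department"],
        "uid": ad.get("sAMAccountName"),
        "mail": ad.get("mail"),
        "groups": list(ad.get("memberOf", [])),
    }


class MetaDirectory:
    """Keeps its own copy of the data. sync() re-reads every backend and
    rebuilds the store; lookup() reads only the store, never the backends."""

    def __init__(self, backends):
        self.backends = backends
        self.store = {}
        self.syncs = 0

    def sync(self):
        self.store = {k: join_entry(k, self.backends) for k in self.backends["hr"]}
        self.syncs += 1
        return len(self.store)

    def lookup(self, key):
        return deepcopy(self.store.get(key))


class VirtualDirectory:
    """Holds no identity data. Every lookup() queries the backends live and
    joins the answer on the way out."""

    def __init__(self, backends):
        self.backends = backends
        self.backend_reads = 0

    def lookup(self, key):
        self.backend_reads += 1
        return join_entry(key, self.backends)


def demo():
    """Show the freshness difference: a change in a backend is visible to the
    virtual directory immediately and to the meta-directory only after the
    next sync. Returns the mail attribute seen at each stage plus counters."""
    backends = {"hr": deepcopy(HR_SYSTEM), "ad": deepcopy(AD_LIKE)}
    meta = MetaDirectory(backends)
    virt = VirtualDirectory(backends)
    meta.sync()
    before = (meta.lookup("1001")["mail"], virt.lookup("1001")["mail"])
    # Something updates the mail attribute in the AD-like backend after the sync.
    backends["ad"]["1001"]["mail"] = "ada.lovelace@example.test"
    after = (meta.lookup("1001")["mail"], virt.lookup("1001")["mail"])
    meta.sync()
    resynced = meta.lookup("1001")["mail"]
    return {"before": before, "after": after, "resynced": resynced,
            "meta_syncs": meta.syncs, "virtual_backend_reads": virt.backend_reads}


if __name__ == "__main__":
    for stage, value in demo().items():
        print(f"{stage}: {value}")
```

The counters are the trade-off in miniature: the virtual directory's backend_reads grows with every lookup (every question goes straight through to the real directories), while the meta-directory answers from its own store and only pays at sync time, at the cost of serving stale data in between.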


So there you go. Problem solved. Well, that's just wishful thinking on my part :-) Debate is always healthy...especially with this many people involved.

Now I'll just sit here and wait for the surge of people telling me that I misinterpreted them. Either that or people telling me I'm a fool :-)

Seriously, if I did please correct me either via the comments or send me a message (there's a form on the right side of my blog that sends me an email).

Monday, July 07, 2008

Can Identity Management really be outsourced?

I wrote about this a year ago (almost to the day). At the time, I said outsourcing Identity Management (IDM) and its related activities was "a hard sell". Although I was pretty negative on the idea, I didn't say it would never work or that it wasn't a good idea. I just felt like the market wasn't ready for it yet. That said, I still don't think the market is ready for it in an absolute sense, but we're making some baby steps forward.

To summarise that post for those that don't want to read the whole thing:
  • Outsourcing IDM is like giving away the front door key to your house and letting someone else decide who to let in and what they can do. Something I didn't say at the time was that this implies you are relying on them to tell you what happened while you were out and they can also give out your back door keys without you knowing.
  • IDM is not about technology. It's about people and business processes. Outsourcing works best when trying to solve technology pains. Not only that, IDM lies at the core of your organisation. Because of this, your organisation NEEDS to own it.
  • The day when you can comfortably outsource ALL of your IDM-related functions is the day where you are able to hire a bunch of business analysts to model and maintain your internal identity, access, security, audit and compliance related processes in an industry ratified and standardised fashion that can be sent straight to the IDM service while being automated and enforced with immediate effect. And this is ONLY after you can be assured that the sensitive data you are letting out of your environment is adequately protected.

Matt Pollicove, Matt Flynn, Ash Motiwala and Mark MacAuley have been talking about this lately (timeline of posts - Matt P, Matt F, Ash, Matt P, Mark). Ash even quotes my post from last year, specifically where I used a "bake a cake and eat your dog food" analogy (it'll make sense when you read it...I hope).

I'm also reminded about earlier this year when Mark MacAuley, Ian Glazer and Matt Flynn talked about compliance as a service and Dave Rowe added his thoughts on the issue (timeline of posts - Mark, Matt F, Ian G, Ian G, Dave).

I tried to summarise everyone's thoughts but it just got very confusing, so you'll have to read them at your own leisure. Everyone was talking about very similar things but with slight variances on their interpretations of terms and concepts. I think people (myself included) would agree with each other about certain aspects if they could just set a baseline and have a glossary of terms and definitions...and write their posts based on this glossary. That takes time though...and we are writing blogs after all, not whitepapers :-)

There are a bunch of different things in play when we talk about IDM as a discipline and Outsourcing/Managed Services. I won't over-complicate things but at the risk of over-simplifying, I will point out the following:
  • There is the business, people, process and compliance side of things in IDM.
  • There is also the IT/technology side of things in IDM.
  • Managed Services can be on-site or off-site.
  • Software as a Service (SaaS) is becoming a real option.
I don't think there's going to be much argument when I say that the technology to outsource IDM is there today, whether you want to have an on/off-site model or SaaS (although the SaaS model is not as mature).

If an organisation decides today that they want to do it, there are service providers that have the experience and will give you all the assurances in the world that your data will be protected, all security measures have been taken care of and that they can meet the Service Level Agreements (SLAs) you set for them. Large organisations like IBM, EDS (acquired by HP), Wipro and Infosys (there are others, but I won't bother listing them all) can do it. Smaller ones like Ash's company Identropy can do it. If it's SaaS that you want, the choices are more limited, but Fischer and Symplified come to mind.

The key here is IF an organisation wants to do it. Ash said it himself:
"In my opinion, the reason is more emotional than rational. The market just isn't ready, emotionally, to completely outsource the management of their IdM systems. The whole thing seems so tied to their environment, to their business processes, that handing the management over to a third party just feels wrong."

The first hurdle is always emotional. Once you get beyond that, ask if it's the right thing to do. I still don't think an organisation should outsource it all. An organisation should ALWAYS own the business aspects of their IDM initiatives. Now let's take a look at the technology side of things.

Matt Flynn points out that:
"most companies are already outsourcing IdM – they just do it on a project basis"

He is of course absolutely correct. So from an emotional standpoint, you already have people looking at sensitive data that are not part of the organisation. What's the difference if you formally outsource it to a managed service provider? The difference is mostly psychological. People just don't look at bringing external people or companies in as "outsourcing" so they don't realise that external people already have visible access to their sensitive data (of course, this brings up the issue of data leakage, but let's not complicate the issue any further for now). I should also note that just because it's done today does not make it right. My main objection was to "giving away the keys". If you don't own the solution within the organisation, then that's exactly what you've done.

"Giving the keys away" aside, if the decision's been made to outsource IDM somewhat, the next question is going to be the location. Do you feel comfortable not owning the infrastructure and more importantly, are you comfortable knowing that all your sensitive information is sitting in an environment owned and controlled by another company? Many organisations would not be. That's why it's a hard sell.

Don't think it's a problem having your organisation's data outside of your infrastructure and not on your premises? Then perhaps you can also take the SaaS approach and outsource all of the other painful IT management aspects around trying to manage software deployments and infrastructure. If you're willing to accept the associated risks and "give away the keys", then why not get the SaaS benefits as part of the deal? There are pros and cons in going with SaaS over an off-site Managed Service, but I won't go into them as that's beside the point.

Ash may be onto something when he says:
"I think that the only solution is a pragmatic one, where there is shared management. The customer can still feel "in control", but hand over day to day ops to a third party."

If you read my blog regularly, you'll hopefully get that I'm all for the pragmatic approach to anything. I would modify that statement somewhat. They not only need to feel in control. They really need to be in control and the onus is on the service provider as the subject matter expert to make sure that happens.

He follows up by adding:
"(Customers) get to gradually let go, and initially lean on the service provider as a very knowledgeable augmentation to their staff. Once the comfort level sets in, customers can lean a bit harder, grant "persistent approvals" for break/fix scenarios, and reduce management staff for identity."

The decision to outsource your IDM (whether it's on-site, off-site, SaaS) should not be a big bang approach. It needs to be gradual, and what Ash suggests makes sense if the decision is made.

Ultimately, it boils down to the following:
  • You must still own it. Never take your hands completely off because then you won't know what's going on if it all falls into a heap or when the auditors come knocking. Matt P's statement sums this up nicely:
    "If I were the person in charge of Compliance and Risk management, I'd want to be able to look at the auditors, police/FBI, Upper Management and lawyers after an incident and be able to say exactly what I did to protect my data and not say, "well the hosting company told me they were secure...""

  • There's a difference between outsourcing the business aspects and the technological aspects. Keep the business aspects (people, process, compliance) internal. If you must outsource, only outsource the technical bits you don't want to have to deal with on a day-to-day basis that will not make any difference to the business no matter how it's done.
  • The on-site/off-site debate is all about comfort level. How much do you trust your outsourcer with your data? What happens if something happens to the data? Who is accountable? Is this written anywhere in the contract? If you can't answer these questions, don't do it.
  • It's all about the risk you are willing to accept for the amount you have to spend. Perhaps an anonymous commenter to my original post said it best:
    "The level of security one intends to achieve would depend on the amount of money one is willing to spend. Some would rest on this judgment alone to give an IdM provider the keys to their gates. I am sitting in a chair just like that right now. Security is business driven."

If you read my original post carefully, you'll realise I haven't really changed my stance too much. If anything, I'm perhaps a little less harsh today about why it's a "difficult sell" and have tried to address it from different points of view. I still don't think organisations in general are ready to outsource IDM completely, and they shouldn't. At least not until standards, processes and solutions mature to the point where most of the moving parts are commoditised and better understood. However, I do think the market is better placed to at least start to take a look at outsourced IDM and make informed decisions. The most dangerous thing to do with outsourcing IDM is to jump in the deep end. Take little baby steps, people.