Entries from October 2008
George Spafford has this to say about CMDBs:
The truth is that a great many software-led configuration efforts that emphasized the technical merits of the CMDB have failed abysmally because the process requirements weren’t understood and addressed appropriately.
In response to this, tools vendors reacted in an unsurprising manner: they created a technology-led solution called “autodiscovery”. The premise is that by using autodiscovery tools to identify new, changed or deleted configuration items in production the CMDB will be current and accurate thus overcoming all the process problems. Guess what? The results have been far from ideal because it still does not negate the need for processes.
A fairy doesn’t appear at 2 A.M. in the data center and magically change configurations and move equipment. The fact is that someone made those changes and it is to everyone’s benefit to understand why. Simply pumping the changes blindly into the CMDB with autodiscovery is a recipe for disaster.
This should sound very familiar to anyone who has worked on IdM projects.
There are two take-aways from this. First, all of these wonderful enterprise tools require a process to be used effectively; and second, it all comes down to people in the end.
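The process point above has a concrete defensive counterpart: autodiscovered changes are reconciled against approved change records before anything reaches the CMDB, so that an unexplained change becomes a finding instead of a silently updated record. This is an added example, not code from the original post or from any CMDB product; the record shapes and the sample data are constructed for illustration.

```python
"""Reconcile autodiscovered configuration changes against approved change
records instead of loading them into the CMDB blindly (added example;
record formats and sample data are constructed, not from any real tool)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Discovered:
    ci: str             # configuration item the scanner looked at
    attr: str           # attribute whose value changed
    old: Optional[str]  # value in the CMDB before the scan
    new: Optional[str]  # value seen in production (None = CI is gone)


@dataclass
class ChangeRecord:
    ticket: str
    ci: str
    attr: str
    expected: Optional[str]  # value the approved change should produce


# Constructed sample: what the scanner found versus what was approved.
DISCOVERED = [
    Discovered("web01", "memory_gb", "16", "32"),        # approved, matches
    Discovered("web02", "memory_gb", "16", "24"),        # approved as 32, got 24
    Discovered("db01", "listen_port", "5432", "5433"),   # no ticket at all
    Discovered("old-app", "status", "running", None),    # approved decommission
]
APPROVED = [
    ChangeRecord("CHG-1001", "web01", "memory_gb", "32"),
    ChangeRecord("CHG-1001", "web02", "memory_gb", "32"),
    ChangeRecord("CHG-1002", "old-app", "status", None),
]


def reconcile(discovered: List[Discovered],
              approved: List[ChangeRecord]) -> Dict[str, List[Tuple]]:
    """Sort discovered changes into: 'matched' (safe to load into the CMDB),
    'drifted' (a ticket exists but the result differs from what was approved)
    and 'unexplained' (no ticket at all; somebody changed production)."""
    by_key = {(c.ci, c.attr): c for c in approved}
    out: Dict[str, List[Tuple]] = {"matched": [], "drifted": [], "unexplained": []}
    for d in discovered:
        rec = by_key.get((d.ci, d.attr))
        if rec is None:
            out["unexplained"].append((d.ci, d.attr, d.old, d.new))
        elif rec.expected == d.new:
            out["matched"].append((d.ci, d.attr, d.new, rec.ticket))
        else:
            out["drifted"].append((d.ci, d.attr, rec.expected, d.new, rec.ticket))
    return out
```

Only the `matched` list is loaded into the CMDB; `drifted` and `unexplained` go back to change management to find out who made the change and why.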
Categories: CMDB · Change Management · Identity Management
Tagged: Change Management, CMDB, Enterprise Architecture, Identity Management
While the announcement from Microsoft that LiveID will now serve as an OpenID IdP is good news for OpenID, some perspective is in order. Yet again. What does a few million more OpenIDs mean? Not much really.
As I have said repeatedly, the question is not how many people have OpenIDs, it's how many people want OpenIDs and what they can do with them once they have them. The answers are, respectively:
Relatively not too many and not too much.
By “relatively not too many” I mean the vast majority of consumers who technically have an OpenID don’t know they have one, don’t know what OpenID is, and wouldn’t use it even if they knew about it. By “not too much” I mean that even though there are a large number of RPs, few of them are important in terms of actual traffic.
The part of this now tired old game that I find annoying is that it would be easy to measure real OpenID adoption. All that is needed is for a few of the major OpenID providers (which can now count Microsoft as a member) to periodically publish metrics of how many OpenID authentications they perform.
All the skeptics like myself could be shut up with a few simple graphs.
The fact that this data is not being published speaks louder than the periodic announcement of another huge number of OpenIDs.
Categories: Identity · OpenID · Skeptic
Tagged: Identity, LiveID, Microsoft, OpenID, Skeptic
According to Don Schmidt, Microsoft is finally going to support SAML 2.0:
At the Professional Developers Conference this week Microsoft is announcing the beta release of “Geneva”, the codename for its new claims based access platform. This platform helps developers and IT professionals simplify user access to applications and other systems with an open claims-based model. “Geneva” helps developers to externalize user authentication and identity processing from application code by using claims that are obtained with pre-built security logic that is integrated with .NET tools. “Geneva” helps IT professionals to efficiently deploy and manage new applications by reducing user account management, promoting a consistent security model, and facilitating seamless collaboration across departmental, organizational and vendor boundaries. User access benefits include shortened provisioning lead times, reduced accounts, passwords and logins, and enhanced privacy support. “Geneva” implements the Identity Metasystem vision for open and interoperable identity, and includes built-in support for standard federated identity protocols.
A fundamental goal of “Geneva” is to extend the reach of its predecessor, Active Directory Federation Services, and provide a common identity programming model for developers of both web applications and web services. To maximize interoperability with clients and servers from other vendors, it supports the WS-Trust, WS-Federation and SAML 2.0 protocols. To maximize administrative efficiency “Geneva” automates federation trust configuration and management using the new harmonized federation metadata format (based on SAML 2.0 metadata) that was recently adopted by the WSFED TC.
This is very interesting. It looks like in the Geneva release what was ADFS will now support SAML 2.0 along with WS-Federation. It also looks like Cardspace, Zermatt, and ADFS are going to be combined into a single “platform”.
Interesting times.
Categories: Cardspace · Identity · Identity Bus · SAML · Standards · WS-Trust
Tagged: ADFS, Cardspace, Geneva, Identity, Identity Bus, SAML 2.0, WS-Federation, Zermatt
Google, Microsoft, and Yahoo are going to announce new policies regarding how they do business in repressive countries, according to this Reuters article:
Under the new principles, which were crafted over two years, the companies will promise to protect the personal information of their users wherever they do business and to “narrowly interpret and implement government demands that compromise privacy,” the Journal said.
They will also commit to scrutinizing a country’s track record of jeopardizing personal information and freedom of expression before launching new businesses in a country and to discuss the risks widely with their executives and board members, the paper said.
While I haven’t seen the whole set of principles, it’s interesting to note what they are not saying. They are not saying that they won’t give these regimes everything they ask for; they are just going to make them be specific about it.
And that’s probably the best that we can hope for. I don’t expect these companies to stop doing business in some of the largest countries in the world just because they aren’t free.
But consumers need to know that and act accordingly.
Categories: Freedom · Privacy
Tagged: China, Freedom, Privacy, Russia
October 22, 2008 · 1 Comment
Some days it seems the UK is on a rocket sled to privacy hell, the rails of which are being laid with ostensibly good intentions. This Ars Technica article lays out some of the near-term waypoints. One marker that just flew by:
Last year one of the more troubling provisions of the UK’s Regulation of Investigatory Powers Act (RIPA) finally came into effect. This piece of legislation made it a criminal offense to refuse to decrypt almost any encrypted data residing within the UK if demanded by authorities as part of a criminal investigation. The penalty for failure to decrypt is up to two years imprisonment for “normal” crime, and up to five years for “terrorism.”
As always, it’s all about terrorism. Or crime. Perhaps drugs. Whatever.
Another marker coming up quick:
Moving swiftly on, the British government has outlined a number of options it is considering legislating next year. Chief among these is the creation of an immense database containing information about every phone call and Internet connection made within the UK. Unsurprisingly, this has been widely branded as an Orwellian, Big Brother database.
Of course to make this database work there are rules being considered to require a passport or other form of identification to purchase a cell phone.
Categories: Freedom · Privacy · Security · Surveillance
Tagged: Orwell, Privacy, Security, Terrorism
October 20, 2008 · 1 Comment
Paul Madsen and I have been having a bit of fun linking various identity and religious concepts (you can pick up the trail here).
I do have a confession to make. There was one joke I wanted to tell, but didn’t. Frankly, I chickened out. That joke had the words “Scientology” and “Phishing” in it. I didn’t tell that joke for two reasons. First, I live in Tampa. Second, there are some organizations you just don’t taunt if you know what’s good for you.
Categories: Humor · Identity
Tagged: Identity, religion, Scientology
Paul Madsen relates Deism, Theism, and Atheism to various identity notions such as SAML, Info Cards, and Liberty. How about:
Polytheism – OpenID
Mythology – Kerberos
Animism – Biometrics
Cargo cultism – smart cards
Necromancy – WS-Federation
Categories: Humor · Identity · OpenID · SAML · Standards
Tagged: InformationCard, Liberty, OpenID, SAML
You so seldom hear clear-headed thinking from a government official. So when I read two recent quotes from Michael Chertoff I almost fell out of my chair from surprise. In this Ars Technica article Chertoff says:
“The architecture of the Internet and the culture of the Internet is one where I’d be very careful before I suggested the government ought to… intrude in a bigger way,” said Chertoff. “We have a history in this country of everybody says let’s do a lot, pass a lot of laws… and then everybody repents at leisure. The Internet, maybe more than any other place, has a distinctive culture that you don’t want to break in order to protect. So, my suggestion has been we proceed in a voluntary way and we proceed in a 21st century kind of collaborative way.”
I also liked this quote about personal data:
But he also argued that a broader shift in American security practices was required to make those data hoards less attractive to thieves. “We need to change from a model in which your assets are controlled by your, for example, your Social Security number, which is a very weak way to control your assets, to a way in which your assets are controlled by some combination of a biometric, a token, and maybe some secret knowledge that isn’t kept in a database,” said Chertoff. “You want to move away from a model which I consider inherently vulnerable, where the very information that you’re trying to protect is the information you have to disseminate in order to validate yourself.”
Reporters and bloggers who met with Chertoff were required to submit their own Social Security Numbers for a background check. No DNA sample was extracted, however.
I have been beating on this point for a while now. We need to stop thinking in terms of protecting people’s SSNs. You simply can’t protect something that has to be given to countless organizations. We have to start making the SSN not sensitive.
Just as a tangent, how did the reporters know that no DNA was extracted along with their SSNs?
Categories: Authentication · Identity · Privacy · Security
Tagged: Biometric, Chertoff, DHS, Identity, Privacy, Security, SSN
Apparently a popular web site for criminal hackers was actually a long running FBI sting (from Wired):
DarkMarket.ws, an online watering hole for thousands of identity thieves, hackers and credit card swindlers, has been secretly run by an FBI cybercrime agent for the last two years, until its voluntary shutdown earlier this month, according to documents unearthed by a German radio network.
The speculation is that now that Darkmarket has been shut down there will be a wave of arrests by the FBI and law enforcement in other countries.
Threat Level admires Lord Cyric’s bluster, but thinks his days in the underground are numbered. The FBI almost certainly closed DarkMarket in preparation for a global wave of arrests that will unfold in the next month or so. The site was likely shuttered to avoid an Agatha Christie scenario in which a diminishing pool of cybercrooks are free to speculate about why they’re disappearing one-by-one like the hapless dinner guests in Ten Little Indians.
Well played.
Categories: Security
Tagged: Cyber-crime, Darkmarket, FBI, Security
Jenni Russell writes about three things we know about personal data collection (from the Guardian):
This is only the worst manifestation of an official intrusion into our lives that is just about to hit us, but of which we seem strangely unaware. The UK’s network of speed cameras will soon be able to track every journey we make by road under the automated number-plate recognition system. Mobile network records can already place us, at any time, within 100 yards of our phone’s location. The ID database will record every time we go to a hospital or a benefit centre, fill in a prescription or draw a large sum from a bank. The children’s database will give access to every piece of gossip or fact about our children or their family, perhaps in perpetuity. It will record that an older sister may be alcoholic, or that a father is in jail, or that a 14-year-old is thought to be having sex. Nobody will be able to break free of this information about their past.
Most alarming of all, for its breadth of knowledge about us, the NHS database will give hundreds of thousands of staff the ability to discover when we lost our virginity, the drugs we’re on, our mental health history. And none of this information will be safe, because we know three things about the mass collection of data. The first is that the authorities will mine it where it suits them. The second is that the data will be lost. And the third is that it will leak.
Well said.
Categories: Freedom · Identity · Privacy · Security · Surveillance
Tagged: Freedom, Identity, Privacy, Surveillance