Monthly Archives: October 2008

Good advice on CMDBs that sounds strangely familiar

George Spafford has this to say about CMDBs:

The truth is that a great many software-led configuration efforts that emphasized the technical merits of the CMDB have failed abysmally because the process requirements weren’t understood and addressed appropriately.

In response to this, tools vendors reacted in an unsurprising manner: they created a technology-led solution called “autodiscovery”. The premise is that by using autodiscovery tools to identify new, changed or deleted configuration items in production the CMDB will be current and accurate thus overcoming all the process problems. Guess what? The results have been far from ideal because it still does not negate the need for processes.

A fairy doesn’t appear at 2 A.M. in the data center and magically change configurations and move equipment. The fact is that someone made those changes and it is to everyone’s benefit to understand why. Simply pumping the changes blindly into the CMDB with autodiscovery is a recipe for disaster.

This should sound very familiar to anyone who has worked on IdM projects.

There are two take-aways from this. First, all of these wonderful enterprise tools require a process to be used effectively; and second, it all comes down to people in the end.

Relatively not too many and not too much

While the announcement from Microsoft that LiveID will now serve as an OpenID IdP is good news for OpenID, some perspective is in order. Yet again. What does a few million more OpenIDs mean? Not much really.

As I have said repeatedly, the question is not how many people have OpenIDs, it’s how many people want OpenIDs and what can they do with them once they have them? The answers are, respectively:

Relatively not too many and not too much.

By “relatively not too many” I mean the vast majority of consumers who technically have an OpenID don’t know they have one, don’t know what OpenID is, and wouldn’t use it even if they knew about it. By “not too much” I mean that even though there are a large number of RPs in terms of numbers, there are few that are important in terms of actual traffic.

The part of this now tired old game that I find annoying is that it would be easy to measure real OpenID adoption. All that is needed is for a few of the major OpenID providers (which can now count Microsoft as a member) to publish metrics of how many OpenID authentications they perform on a periodic basis.

All the skeptics like myself could be shut up with a few simple graphs.

The fact that this data is not being published speaks louder than the periodic announcement of another huge number of OpenIDs.

Microsoft and SAML 2.0

According to Don Schmidt Microsoft is finally going to support SAML 2.0:

At the Professional Developers Conference this week Microsoft is announcing the beta release of “Geneva”, the codename for its new claims based access platform. This platform helps developers and IT professionals simplify user access to applications and other systems with an open claims-based model. “Geneva” helps developers to externalize user authentication and identity processing from application code by using claims that are obtained with pre-built security logic that is integrated with .NET tools. “Geneva” helps IT professionals to efficiently deploy and manage new applications by reducing user account management, promoting a consistent security model, and facilitating seamless collaboration across departmental, organizational and vendor boundaries. User access benefits include shortened provisioning lead times, reduced accounts, passwords and logins, and enhanced privacy support. “Geneva” implements the Identity Metasystem vision for open and interoperable identity, and includes built-in support for standard federated identity protocols.

A fundamental goal of “Geneva” is to extend the reach of its predecessor, Active Directory Federation Services, and provide a common identity programming model for developers of both web applications and web services. To maximize interoperability with clients and servers from other vendors, it supports the WS-Trust, WS-Federation and SAML 2.0 protocols. To maximize administrative efficiency “Geneva” automates federation trust configuration and management using the new harmonized federation metadata format (based on SAML 2.0 metadata) that was recently adopted by the WSFED TC.

This is very interesting. It looks like in the Geneva release what was ADFS will now support SAML 2.0 along with WS-Federation. It also looks like CardSpace, Zermatt, and ADFS are going to be combined into a single “platform”.

Interesting times.

Tiny steps

Google, Microsoft, and Yahoo are going to announce new policies regarding how they do business in repressive countries, according to this Reuters article:

Under the new principles, which were crafted over two years, the companies will promise to protect the personal information of their users wherever they do business and to “narrowly interpret and implement government demands that compromise privacy,” the Journal said.

They will also commit to scrutinizing a country’s track record of jeopardizing personal information and freedom of expression before launching new businesses in a country and to discuss the risks widely with their executives and board members, the paper said.

While I haven’t seen the whole set of principles, it’s interesting to note what they are not saying. They are not saying that they won’t give these regimes everything they ask for; they are just going to make them be specific about it.

And that’s probably the best that we can hope for. I don’t expect these companies to stop doing business in some of the largest countries in the world just because they aren’t free.

But consumers need to know that and act accordingly.

Rocket sled to privacy hell

Some days it seems the UK is on a rocket sled to privacy hell, the rails of which are being laid with ostensibly good intentions. This Ars Technica article lays out some of the near-term waypoints. One marker that just flew by:

Last year one of the more troubling provisions of the UK’s Regulation of Investigatory Powers Act (RIPA) finally came into effect. This piece of legislation made it a criminal offense to refuse to decrypt almost any encrypted data residing within the UK if demanded by authorities as part of a criminal investigation. The penalty for failure to decrypt is up to two years imprisonment for “normal” crime, and up to five years for “terrorism.”

As always, it’s all about terrorism. Or crime. Perhaps drugs. Whatever.

Another marker coming up quick:

Moving swiftly on, the British government has outlined a number of options it is considering legislating next year. Chief among these is the creation of an immense database containing information about every phone call and Internet connection made within the UK. Unsurprisingly, this has been widely branded as an Orwellian, Big Brother database.

Of course to make this database work there are rules being considered to require a passport or other form of identification to purchase a cell phone.

The joke I wanted to tell

Paul Madsen and I have been having a bit of fun linking various identity and religious concepts (you can pick up the trail here).

I do have a confession to make. There was one joke I wanted to tell, but didn’t. Frankly, I chickened out. That joke had the words “Scientology” and “Phishing” in it. I didn’t tell that joke for two reasons. First, I live in Tampa. Second, there are some organizations you just don’t taunt if you know what’s good for you.

Religious Ed

Paul Madsen relates Deism, Theism, and Atheism to various identity notions such as SAML, Info Cards, and Liberty. How about:

Polytheism – OpenID

Mythology – Kerberos

Animism – Biometrics

Cargo cultism – smart cards

Necromancy – WS-Federation