Thoughts on Oracle Identity Manager

I was reading through the architecture for Oracle’s Identity Manager “Best in Class” software.  And while I never gave it much thought, you would have to be blind not to notice its popularity in the United States.  The job offerings too have  jumped after Gartner declared it the best.  It was time for me to look into its architecture.  And while I have no hands on experience with product a couple of predictions come to mind after reading the whitepaper.    One it must be difficult and slow to install, and while it is infinitely extensible, it appears to be very complex and hence development time for custom work would be slow.  Any regular Oracle IdM users out there please correct me if I’m wrong.   Finally, I realized why SAP bought Maxware.  Its relative simplicity allowed for faster integration into the SAP application stack.

Steve Balmer on Efficiency & Decision Making

There is an interview with Steve Balmer in the International Herald Tribune and he makes a statement in response to a question about what’s it like to be in a meeting with him to wit;

I’ve changed that, really, in the last couple years. The mode of Microsoft meetings used to be: You come with something we haven’t seen in a slide deck or presentation. You deliver the presentation. You probably take what I will call ‘‘the long and winding road.’’ You take the listener through your path of discovery and exploration, and you arrive at a conclusion.
That’s kind of the way I used to like to do it, and the way Bill [Gates] used to kind of like to do it. And it seemed like the best way to do it, because if you went to the conclusion first, you’d get: ‘‘What about this? Have you thought about this?’’ So people naturally tried to tell you all the things that supported the decision, and then tell you the decision.
I decided that’s not what I want to do anymore. I don’t think it’s productive. I don’t think it’s efficient. I get impatient.
So most meetings nowadays, you send me the materials and I read them in advance.
And I can come in and say: ‘‘I’ve got the following four questions. Please don’t present the deck.’’ That lets us go, whether they’ve organized it that way or not, to the recommendation. And if I have questions about the long and winding road and the data and the supporting evidence, I can ask them. But it gives us greater focus.

There is a lot of missing information that I wish the interviewer had followed up with but let’s assume a charitable course.

What Mr. Balmer says does not really tell us anything about efficiency,  but speaks volumes about his mind.  He states quite clearly he is impatient and the does not like the “long and winding road”  Most likely this because he does not learn well or efficiently sitting through a presentation.  It could also be that he is intellectually lazy but this seems unlikely.   If he really  is intellectually lazy then most likely Microsoft will perform poorly under his leadership.

Note that he recognizes that Bill Gates took the “long and winding road”.  That should tell you something and if we want to go back in history and look at great  leaders they did too:  Andy Grove, Andrew Carnagie, General  George Patton, General Douglas McArthur to mention a few.  The ability to sit and listen with attention to detail does not mean analysis paralysis, it means understanding the situation properly, the context and the interrelation of it’s elements.  It means avoiding a specious understanding.  Perhaps he is doing this but it is not clear.

He states that he gets the information in advance and let us hope he did not mean in PowerPoint slides.  There are serious limitations to the kinds of information that can be put into slides.  The overwhelming majority of information in a slide deck is distilled and frequently lacking context.  This information must be communicated and explained verbally.  You wouldn’t read the table of contents of a book and draw conclusions.  Yet, if you are reading PowerPoint that is exactly what you are doing.  Its focus is on the presenter,  not on the audience and not on the content.  There is a “sales pitch” aspect to PowerPoint that destroys neutral fact based information.

Now the downside to this interview and its  lack of clarity is right now somewhere in America a mediocre manager who prides himself on efficiency  is out there somewhere instructing his subordinates to send him a slide deck in advance and he’s drawing up his four questions because Balmer uses PowerPoint in advance and four questions.

Finally, we will never really know if it is more efficient.  If he had recorded all of his decisions under the ‘ “long and winding road” ‘ method and then recorded all his decisions under the “efficient” method we may have learned what works best for Balmer.  We will certainly never learn what works best for everyone else, unless they start recording their own decisions.

note: updated for typo

The other side of the article

It’s seldom that I publish more than one blog post on a single piece, but Mark Diodati’s article “Changing times for identity management ” (login required) spoke of two main themes that I felt needed to be discussed.  In an article on IdM Thoughtplace, I looked into some issues of what composes “New School” Idm.

In this piece, I’d like to comment on a couple of points that Mark makes that I particularly agree with.

First off, Mark mentions that thorough analysis and review of IdM offerings is essential.  The selection team/steering committee  needs to remember that no IdM product exists in a vacuum.  Testing against ERP, enterprise LDAP/AD and other key systems is essential, and involving a pilot group is key as well.  I’d go a step beyond what Mark specifies, by adding that your pilot group needs to be multi-disciplinary. Just IT or Help Desk folks won’t cut it here.  Make sure there’s some HR and ERP users along with other “typical” users in your organization.  You’ll need to do a little more hand holding and training earlier that you’d like, but you’ll get better responses and metrics in return.

I’m also in agreement that you should review all offerings and available features/upgrades from current infrastructure. That “buried treasure” could be the key to keeping your infrastructure secure and compliant. Also find every way possible to use and reuse your current infrastructure., it can pay off in the long run.

It’s a tough economy out there, but that does not mean that you should stop your review of  IdM improvements.  Use the current time for evaluation and planning.  Bring some vendors in for a PoC to make sure it fits into current infrastructure.  The best place to start looking is right in your server rooms and data centers.  Go to it!

The Transition from CRG to GRC

I’m an Identity and Access Management kind of guy.  I don’t pretend to deny it, however sometimes it does cloud some of my views of the rest of the enterprise. Take the GRC concept for example. As an Identity Management guy, I always looked at GRC as CRG:

  • Compliance – How to I show an auditor changes that happen to a user’s identity throughout the identity life-cycle?
  • Risk – How do I make sure that there’s no conflict of interest and ensure Segregation of Duties (SoD), ensuring Compliant User Provisioning
  • Governance – What are the rules put into place that govern Compliance and Risk?

I also never considered how GRC works outside of the IAM world or why it’s important.  After listening to a great presentation from SAP, I got a nice, if basic education which has gotten me to change my thinking from CRG to GRC.

A firm set of governance principles and procedures must be determined before engineering any mitigation processes for risk and compliance. Without this the potential for “Compliance Creep” (risk  is assumed) will run amok.  And without regular discussion and review there is no way to make sure that all items subject to risk and compliance review will be monitored and prioritized.

The fact is that we need to be continuously checking compliance.  Almost any potential work-flow needs these checks and not always the risks that we consider in the IAM world.  We’re well ware of the issues involved with granting elevated privileges, but what about ensuring that the links to partner sites remains secure?  This are also part of ensuring compliance.

My view of risk has not changed as much, we know from a purely IAM perspective, that we need to consider segregation of duties, administrator accounts, service accounts, SSL, etc. But of course we need to think about the larger level as well.  Who provides authorization, approvals and ensures accuracy?  What do we do to make sure that users, approvers and administrators are using the system correctly?

What I got out of this is that all three concepts must be considered together and entail a three part process:

  • Governance – What are our priorities in managing Risk and Compliance
  • Risk – What are our risks at the process level and the operational level? How are they to be mitigated?
  • Compliance – How do we monitor and record these risks?

I’m thinking this will be a large part of  Identity and Enterprise Architecture discussions for some time to come.