Are you a mechanic?

Frequently, technical contractors will get calls from recruiters, and there are only two things they (and by extension their clients) are concerned with: your technical skill and your hourly rate. Buried within this two-dimensional assessment are the following assumptions:

  • You should be grateful enormous company x is offering any work in this miserable economy
  • Get ready to adjust your rate down to work with us
  • You have to prove your technical skill despite what is on your resume, because you just might be a liar

The trouble with this standard script is that technical ability alone is insufficient to be successful in either IAM or GRC. Most IAM people are not mechanics turning digital wrenches. They are more than bit flippers. IAM requires superior social skills, the so-called “soft skills,” in order to be successful. In every job I have worked on in the last ten years where they said “we just need a technical person who can get it done quickly,” it has been a nightmare. When I hear that now I say no thank you.

One of the problems is that recruiters and corporate managers tend to get ahead of themselves; they just assume that if you can prove you have the skills and the money is right, you will jump at the job. However, a technical interview should not be conducted until you have satisfied yourself that you can work with them. Business is more than just tech, and they might be liars. Just because the company is public or well known doesn’t mean they have integrity.

  • Do they pay their bills on time? If you’re an independent, you are not a bank. Never finance a billion-dollar company or one with access to capital.
  • Are they pleasant and professional to work with? You may need to ask around first, or ask to talk to a contractor working there now.
  • Do they have the right budget, or is this under-budgeted “slam it in” work? If it is, you will be the scapegoat.
  • Does the project have management support, or are they trying to “fly under the radar”? Another time bomb waiting to go off.
  • Do they do what they say they are going to do? Missed meetings, multiple reschedules, consistently being late to interviews and slow follow-up are signs of unreliability, that they don’t think much of you, or the petty exercise of power.

The foregoing applies if you are not desperate for work, and desperation should not mean that you are a little nervous about your bills this month. Desperation is facing foreclosure or repossession.

SAML Sets Sail

According to Dave Kearns’ post (H/T Matt Pollicove & Lance Peterman), it makes little sense to continue developing for SAML; that is, it is headed down the legacy path.

… Craig stood up at the podium and announced to the world: “SAML is dead.”

This was off the chart because, well, SAML (Security Assertion Markup Language) is at the heart of most of Ping Identity’s products. And Ping Identity was our host. Predictably, Ping employee tweets immediately sought to reassure their followers that SAML was alive and well. What they neglected to take into account, though, was context.

Context is important for Identity Services as I’ve said over and over again for at least 10 years (see “Identity and privacy: it’s all about context”). But context is also important for understanding the spoken word.

While Mr. Kearns has been saying context is important for ten years, the rest of educated civilization has known about it since at least Aristotle, formally since the medieval period, and has kept ignoring it. When people respond emotionally to a claim like “SAML is dead,” it’s because the claim is having its intended effect. Context-less shock-value remarks are designed to excite. Sound bites become tools of mass-media perception management. Opponents are taken out of context intentionally; when strong emotions kick in, we stop reasoning. There is always someone declaring one thing or another dead that is not. Nietzsche declared God dead, which caused a lot of furor.

Along those lines, Kearns notes the following in his article.

Most of the other analysts agreed with Craig (as did many of the attendees, especially those who were in his audience.) Some pointed out that other, seemingly dead, authentication protocols (such as IBM’s RACF and Top-Secret) were still used by many as were programs written in COBOL.

But far from being an argument against Burton’s pronouncement these are actually supporting evidence for his claim that SAML is dead. Because RACF and COBOL are also “dead,” at least in the sense Craig meant.

Good point, and it pays to remember that technology does not disappear from the earth; no technology is ever really dead. Can you still purchase Windows for Workgroups, a typewriter or a stone ax, or tan a hide with brains? The question is rhetorical. Pick up a Sears & Roebuck catalog from the late eighteen hundreds, and you will find every item listed still available from someone.

So when people say a technology is dead, they really mean it has moved closer to obsolescence. All technologies, whether original, re-invented, rediscovered or misused from ignorance (XML for data management), will follow the S-curve evolutionary path. This has been generalized from observation across many complex systems.

Finally, it doesn’t surprise me that SAML is on the way out; in fact, I am just surprised it was used at all. Anything we wish to represent in a computerized database requires that we build a conceptual model, discarding items as we go. Sometimes we start with simple models, adding layers of complexity as we go; other times we start with really complex models, adding confusion as we go. In both cases conceptual modeling is subjective; it is in the “eye of the beholder,” as the cliché goes. To do this process well, it is essential that we begin with a good definition of terms to remove ambiguity, so that our model is internally consistent and used consistently. Whenever the meaning of terms changes in a way that is not a simple extension, our “model is dead,” so to speak, and we are really starting a new conceptual model. This can happen when the outside process or system we are modeling changes in an observable way, when our understanding of the process changes, or when a large vendor needs to sell a new solution into which they poured a lot of money and it doesn’t fit into the old model. When this happens, industry standards groups are formed or, even better, the government is co-opted into making it law so it can resist innovation and all efforts to improve.

Once the conceptual model is built, we need to capture as much meaning as possible in the computer and structure that data so we can manipulate it, with constraints acting as metadata. Typically we do this with a database. Once the data is stored, we will need to exchange it periodically, which means that we only need to know what it is we are passing (the data) and what it means (the conceptual model). It does not follow that one must use XML to accomplish the foregoing, and since XML is hierarchical we have to parse a lot of paths to get to the data, which is not particularly easy for large specifications. Therefore, it comes as no surprise that SAML is on the way out.

XACML? No Thanks

That there are no new problems seems widely understood (save for the child and naïf), but it seems people rarely bother to understand the historical solutions to these problems; that is to say, we focus almost exclusively on the facts of the problem without ever bothering to look at the principles or rules that may already be understood. This kind of reflective thinking, along with analysis of principles derived from the experience of our predecessors, whether extant or having suffered debitum naturae, exacts a large cognitive cost. “Math is hard,” the philosopher Barbie once observed, as is all real analysis.

What we frequently do, because it exacts a low cognitive cost, is simply allow things to move in the direction dictated by the promoter with the large megaphone, prattle on mindlessly like a child, ignore what has gone before, ignore what theory there is, and prefer the clustering of like-minded people even if this is nothing more than a coterie of idiot enthusiasts. It is easier to sit on the bandwagon collecting money with all the other simpletons than to go against the flow and think for yourself.

Nothing embodies this more than the widespread use of XML for things for which it is poorly suited, especially data management. In its early stages there were vigorous arguments against adopting it, but logic and reason are no match for fads backed by large corporations motivated by “innovation” and quarterly results.

In proposing to use XML as the common “language” of security policy, the authors of the specification write the following:

“XML is a natural choice as the basis for the common security-policy language, due to the ease with which its syntax and semantics can be extended to accommodate the unique requirements of this application, and the widespread support that it enjoys from all the main platform and tool vendors.”

This is specious reasoning, if it can be called reasoning at all. Can anyone show me a text-based format that can’t be extended to accommodate the requirements of an application? In the second half of that sentence they note that XML has widespread “support.” Socialism had widespread support among the intelligentsia, but it doesn’t work well either. To exchange data we only need to agree on what to pass and what it means. All real meaning exists in the hemispheres of the brain. Since logic ignores context, the meaning is documented so we are not left to speculate. If that view, that concept, is missing, we are stuck with speculation. Anyone who has tried reading uncommented code, or peered into a database without knowing the conceptual model, knows this well. Nearly all the early claims of XML’s benefits (especially about meaning and tags) have been abandoned, and we are left with these two: everybody does it, and I can make it do anything.

A while back there was a question posted on a LinkedIn group titled “Is Role Based Access Control a dead end and Rule Based Access the future?” Inevitably, several said the answer to the problem is XACML. I don’t think so. What drives the problems with role design versus using rules are really fundamental philosophical questions of categorization and classification (distinctly different concepts) and how we manage complexity. To say the solution will be adopting yet another complex XML standard is laughable. It really shows that one does not understand the fundamental nature of the problem. Maybe XML is the way to go, but I doubt there was much reflective thinking before they started writing. My best guess is that XACML will be as widely adopted as SPML and most likely will spawn efforts like this for the same reasons.

Identity Management Business Case Part II

I have previously posted a straightforward method for creating an identity management business case, and based on the downloads I have had, it’s been popular. I also know it’s effective because it’s been proven. Most people shy away from the real options part, however. Everyone seems to understand discounted cash flows, but many do not understand real options.

I am now posting a stronger model that is complementary to the other one and can be used for other initiatives besides IAM. It combines real options with Knowledge Value Added (KVA). The methodology is derived from the work of Johnathan Mun, so if you want to go back to the source, start there.

As a side note, some people think it is foolish to share methodologies that you have developed, and all the big consulting firms protect theirs. A methodology is just a process, and the only thing that matters is the execution of it. It can be downloaded at the Risk Horizon website here.

SailPoint IdentityIQ Quick Overview

I had the opportunity, courtesy of CTI, to train on the SailPoint IdentityIQ product. I was impressed with the thoroughness of the product. They are not narrowly focused but offer the means of nailing down your application identity certifications while ensuring segregation of duties and least privilege. This product covers the enterprise and is not just an IT ecosystem like SAP GRC. If I have a complaint, it is that it relies on too much XML when setting up an application. XML is nearly useless with its insistence that data must be modeled as 1:N. The brain may love hierarchies, but XML, with all its tags and so little data, makes hierarchies a headache to work with. Their developers seem to sense this too, because they have moved some areas around web services to JSON as opposed to SOAP, an approach I have had my fill of. If enterprise governance is a requirement for you, and you find yourself failing audits, be sure to check out SailPoint. <shameless plug>Then call Matt Pollicove (who blogs here from time to time) at CTI when you need help implementing.</shameless plug>

IdM Reader’s Choice Awards

Information Security Magazine Readers’ Choice awards are out. For Identity and Access Management it went to Microsoft, IBM and RSA. I think if you asked professionals who have worked with more than one IdM product, you would get a markedly different response. In many cases readers vote not based on actual experience but with a “go with what you know” heuristic; that is, they vote on names they recognize. These kinds of votes are useful if you have to make a choice within 1-2 days. It’s a safe bet. If you actually have time to decide and evaluate, it would be malpractice.

The most accurate answer could be had by having people wager on the best product as measured against a set of metrics.  When people are asked to risk their own money, it becomes more than a trivial exercise.

Enterprise Portal Bug

A fellow traveler in the NW IdM world, Geoff, recently encountered a bug while provisioning 6,000 users to Enterprise Portal (7.0) with basic roles. The job failed and it corrupted the portal. Here is the error message:

Exception from Modify

ToPassException: SPML exception: Could not update user Object is invalid, most probably it
doesn’t exist anymore on the persistency: portal_content/

Turns out the bug is within the portal, and SAP is issuing a patch.

Is NetWeaver IdM really replacing CUA?

So far, despite all efforts from SAP on the marketing front, I have not seen this become a reality. CUA is no longer one of SAP’s beloved children, meaning no major functionality upgrades will be provided through enhancements. But to tell you the truth, it works. So if you only care about SAP user provisioning (like me), then CUA is good enough. On the flip side, CUA has nothing to do with Identity Management. Its intent was to simplify role assignments across complex system landscapes, not to automate user management. It’s still not capable of mirroring best practices for onboarding, position changes and terminations. The manual workload is tremendous, and here and there, in the midst of Excel spreadsheets and e-mails from HR, orphan user IDs are as inevitable as candy at Halloween.

So I say it’s time to retire the good old box and get something in place that makes SU01 and SU10 go away forever. Time it is indeed.