IT Leaders Trust Microsoft over Google, 2-to-1

10/26/2009 7:55:02 AM

I saw this article in TechRepublic today. The gist of it is that a small sample (12) of IT managers, directors, and CIOs said they trusted Microsoft more than Google as a technology partner. Now I don’t really buy this poll: they picked the first 12 respondents from a population of 90 TechRepublic panelists, which makes the sample neither representative nor random. Be that as it may, some of the quotes from respondents were interesting.

“Microsoft, hands down. They have a real enterprise track record and, while not always perfect, they continue to deliver on real business needs and their products eventually exit the beta stage.”

“Microsoft. We are not, nor will we be in the foreseeable future, involved in the ‘cloud’ as an integral part of our internal IT offerings.”

“Google seems to be moving too fast into too many areas. I don’t think they really have a focus on security and trust. Microsoft learned that lesson in a most painful manner.”

“Google. They’re more hungry.”

If you make the following replacements: “Microsoft” –> “IBM” (or “Sun”), “Google” –> “Microsoft”, and “cloud” –> “Windows servers”, this sounds like the same arguments people were making ten years ago when Microsoft and Windows were relative nobodies in the enterprise data center.

Plus ça change, plus c'est la même chose.


Even Linus Digs Windows 7

10/23/2009 6:58:47 AM

I saw this picture this morning and my coffee nearly came out my nose. Even Linus Torvalds is digging Windows 7!

http://picasaweb.google.com/cschlaeger/JapanLinuxSymposium#5395358413061926434


ILM “2” RC0 + Named SQL Instance = Bad

9/22/2009 8:41:20 PM

A couple of weeks ago I was busy setting up ILM “2” RC0 for my session demo at TEC Europe. I’ve installed ILM “2” a bunch of times, and if you have the prerequisites properly installed, it’s pretty much a no-brainer. It normally takes me less than an hour to get from a new machine image to a running ILM “2”. This time was no different. I built my ILM “2” image, populated it, and tested the Quest PowerShell cmdlets for ILM “2” to make sure my session demos were all functioning and ready to go to Europe. Everything was fine. I shut down the machines, copied their Hyper-V images to my external USB hard drive, and moved on to cleaning up my Powerpoint slides to reflect the significant changes in FIM 2010 RC1.

When I got to Berlin, I rounded up a server from our A/V provider (an adventure in itself), cobbled up the networking to work with the hotel wired internet, copied the images, and started fiddling with them to get them to work on the new network. When I got everything sorted, I started testing my PowerShell->ILM “2” demos. I couldn’t even connect to the ILM “2” web service. And as a bonus, the ILM “2” SharePoint portal wouldn’t even start, failing with the infamous “unexpected error”. Hmmm. Why would previously working VMs suddenly start failing?

I had a lot of other things going on leading up to TEC, so I didn’t get to spend a lot of concentrated time on the problem, but ultimately I deduced that the ILM “2” service wasn’t starting. The event log indicated that SQL “might not be installed”, but SQL clearly was installed and running. I rolled back the images to an earlier snapshot that only had the prerequisites installed, reinstalled ILM “2”, and everything was swell. Mystery bug, fixed by reinstall, case closed. Or maybe not.

When I came back to my room to walk through my demos one last time before my session, I encountered the same problem. I couldn’t establish a connection to the web service, the portal wouldn’t run, and the ILM “2” service wouldn’t start. I rolled back the images, reinstalled, and everything was fine. I rebooted the ILM “2” server, and I encountered the same failure. I tried the sequence again, just to make sure I was seeing what I thought I was seeing. ILM “2” would run properly after install, but would fail to start after a reboot. Very curious. And I was running out of time.

Maybe there was something wrong with the prerequisites? I rolled back to a bare WS2008 image, reinstalled the prerequisites, and reinstalled ILM “2” RC0. It worked. I rebooted. It failed. Damn! At this point I started working out how I could move the server down to the conference area without rebooting the images. But as I thought through what was happening, I realized that I was doing something different this time around compared to other times I had installed ILM “2”. In earlier versions, I installed SQL with a default instance. For some reason, this time around, I specified an instance name. So I rolled back to the base OS image, reinstalled the prerequisites, but this time specifying the default SQL instance. ILM “2” started and worked properly. I rebooted the image. And it continued to work. Aha!

So word to the wise: Use the default SQL instance with ILM “2” RC0.


Auditing FIM 2010 RC1

9/2/2009 7:38:08 AM

I will be delivering my “Auditing in Forefront Identity Manager” talk at TEC Europe later this month in Berlin. It’s largely the same talk I gave at TEC in Las Vegas this past March, but updated for the upcoming RC1 build of FIM 2010 (which sadly won’t be available for TEC Europe, but should be available not long after). In the process of updating my session, I exchanged (Hah! Get it?) some emails with Nima Ganjeh, Program Manager on the FIM product team, and learned that there have been some substantial changes in the way FIM manages and exposes its object data.

Auditing FIM primarily involves pulling data from the FIM SOAP Enumeration endpoint, using a modified version of the WS-Enumerate protocol. In the RC0 build, FIM implemented the Infological data model [Langefors, 1973] in the object store, meaning that all relationships (attribute-value, object-attribute, etc.) were stored, indexed by time, and never deleted. Because data was never deleted or overwritten, it was possible to retrieve objects from the RC0 object store as it existed at any point in time. So if you wanted to know what the membership of the Administrators group was on March 30th last year, you could simply query for that object using the built-in XPath filter function attime(), and voila!, you would see that group object as it existed at that point in time. This was in my mind one of the most significant benefits of FIM 2010. It provided what was in effect a built-in, automatic snapshot facility that answered the auditor’s question of “who was a member of this group back when the accounting data was compromised?”

Beyond the very cool data model, RC0 also maintained the transaction history for all object update operations by creating Request objects in the store. The Request objects, in addition to specifying the target object and operation, include the initiator of the update and the update parameters themselves. So not only could you look at the state of an object at any point in time, you could easily get a time-sequenced list of all of the changes made to that object, including what was changed, and by whom. This answered the auditor’s question of “who added Bob to this group back when our accounting data was compromised?”

But maintaining a complete history of the FIM object store had a price, or actually two prices: a rapidly growing database and insufficient performance. While RC0 would perform reasonably well on smaller datasets, it just wasn’t cutting it for larger environments. The FIM team decided that the performance impact of maintaining this historical data just wasn’t worth it, and in RC1, they have completely revamped the implementation of the object store. And sadly, RC1 has completely dropped the Infological data model and maintains no object history at all beyond the Request objects. The attime(), alltime(), and betweentime() XPath filter functions are gone, as is the ability to retrieve an object’s prior state through the web service. This is a big disappointment in my mind, but I can’t fault the FIM team for it… historical data or unworkably slow? It’s not a hard choice.

So how do you solve the audit problem in FIM 2010 RC1? I’ll discuss that in my talk at TEC in a couple of weeks and in this blog, but suffice it to say it’s not as elegant as it used to be.
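To make the difference between the two object stores concrete, here is an added example that is not from this post, from the FIM product team, or from FIM itself: a small Python model of an append-only, time-indexed attribute store in the spirit of the Infological model the RC0 store used, beside the RC1 situation where only the current object state and the Request log survive. The class and function names, the attribute names, and the timeline are constructed for the illustration; they are not FIM’s schema, its XPath dialect, or its web-service API.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set

# Everything below is a constructed illustration, not FIM's schema or API.


@dataclass
class Fact:
    """One object-attribute-value relationship with a validity interval."""
    obj: str                            # e.g. the group "Administrators"
    attr: str                           # e.g. "Member"
    value: str                          # e.g. "bob"
    valid_from: datetime
    valid_to: Optional[datetime] = None  # None = still current; never deleted


@dataclass(frozen=True)
class Request:
    """Audit record of one update: who did what to which object, and when."""
    created: datetime
    creator: str
    target: str
    operation: str                      # "Add" or "Remove"
    attr: str
    value: str


class HistoryStore:
    """RC0-style store: a removed value is retired (valid_to set), not deleted,
    and every update also leaves a Request behind."""

    def __init__(self) -> None:
        self.facts: List[Fact] = []
        self.requests: List[Request] = []

    def add(self, when: datetime, creator: str, obj: str, attr: str, value: str) -> None:
        self.facts.append(Fact(obj, attr, value, when))
        self.requests.append(Request(when, creator, obj, "Add", attr, value))

    def remove(self, when: datetime, creator: str, obj: str, attr: str, value: str) -> None:
        for f in self.facts:
            if (f.obj, f.attr, f.value) == (obj, attr, value) and f.valid_to is None:
                f.valid_to = when       # retire the fact; its history stays queryable
        self.requests.append(Request(when, creator, obj, "Remove", attr, value))

    def attime(self, obj: str, attr: str, t: datetime) -> List[str]:
        """Analogue of a point-in-time query: values valid at instant t."""
        return sorted(f.value for f in self.facts
                      if (f.obj, f.attr) == (obj, attr)
                      and f.valid_from <= t
                      and (f.valid_to is None or t < f.valid_to))

    def current(self, obj: str, attr: str) -> List[str]:
        return sorted(f.value for f in self.facts
                      if (f.obj, f.attr) == (obj, attr) and f.valid_to is None)


def state_at_from_requests(current: Set[str], requests: List[Request],
                           obj: str, attr: str, t: datetime) -> List[str]:
    """RC1-style reconstruction: with no stored history, start from the current
    state and undo, newest first, every Request made after the audit instant."""
    state = set(current)
    later = [r for r in requests if (r.target, r.attr) == (obj, attr) and r.created > t]
    for r in sorted(later, key=lambda r: r.created, reverse=True):
        if r.operation == "Add":
            state.discard(r.value)      # undo an add
        elif r.operation == "Remove":
            state.add(r.value)          # undo a remove
    return sorted(state)


def who_changed(requests: List[Request], obj: str, attr: str, value: str):
    """'Who added Bob to this group, and when?' straight from the Request log."""
    return [(r.created.strftime("%Y-%m-%d"), r.creator, r.operation)
            for r in sorted(requests, key=lambda r: r.created)
            if (r.target, r.attr, r.value) == (obj, attr, value)]


# Constructed sample timeline for the Member attribute of "Administrators".
AUDIT_TIME = datetime(2008, 3, 30)          # the auditor's "back when" instant
BEFORE_ANY_CHANGE = datetime(2008, 2, 1)


def build_sample_store() -> HistoryStore:
    s = HistoryStore()
    s.add(datetime(2008, 3, 1), "alice", "Administrators", "Member", "bob")
    s.add(datetime(2008, 3, 15), "alice", "Administrators", "Member", "carol")
    s.remove(datetime(2008, 4, 5), "dave", "Administrators", "Member", "bob")
    s.add(datetime(2008, 5, 1), "eve", "Administrators", "Member", "frank")
    return s


if __name__ == "__main__":
    store = build_sample_store()
    now = set(store.current("Administrators", "Member"))
    print("attime  :", store.attime("Administrators", "Member", AUDIT_TIME))
    print("replayed:", state_at_from_requests(now, store.requests, "Administrators", "Member", AUDIT_TIME))
    print("bob     :", who_changed(store.requests, "Administrators", "Member", "bob"))
```

`attime()` answers the point-in-time question directly from the retired facts. Without stored history, `state_at_from_requests()` has to start from the current object and undo every Request made after the audit instant, which only yields a trustworthy answer if the Request log is complete back to that instant and every change went through the service and was recorded as a Request; a change made behind the service’s back is invisible to the replay but would still have shown up as a retired fact in the history model. That is the audit cost of dropping the time-indexed store.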

Nima will publish the specifics of the changes in the RC1 query facility in his blog soon, so keep an eye on it.

1. Langefors, B. (1973). Theoretical Analysis of Information Systems.

Tags: Identity and Access | TEC09

TEC 2010 Call for Sessions Closing Aug 25

8/24/2009 6:11:00 PM

Want to see your name up in lights? Want to make yourself known in the industry? Have you done things with (or to) Microsoft Identity and Access technologies that most people haven’t? Then you should submit a session for The Experts Conference/Directory and Identity right away! You can submit your proposal at the TEC website. If you have any questions, or you only have a vague idea of what you might want to speak about, you can just ping me through my blog and we can sort it out.

Tags: Identity and Access | TEC 2010

Help Define the Requirements for the Next Version of Active Directory at TEC Europe

8/23/2009 4:41:00 PM

Have you ever wanted to define the feature list for Active Directory? TEC Europe 2009 might be your best chance to do just that. Robert deLuca (Microsoft Senior PM for Identity and Access) and Dean Wells (Senior PM for Directory Services) will host a “Customer-Focused Design” session at TEC Europe September 14 in Berlin.

Microsoft has developed a very structured process for gathering product requirements. I’ve been through the process a couple of times in Redmond (and I’ve used something similar for my own products), and it is pretty effective for figuring out what requirements you want to focus your product team’s efforts on.

The process starts out with a bottom-up approach, where the people in the room just write down all the requirements they think are important on Post-It notes. The key thing here is volume, and for people to focus on the problem-space not the solution-space. Developers and IT Pros are predisposed to solving problems and invariably come up with ideas like “move the user account control bits to separate attributes” or “prune and graft the directory tree”. These are solutions to problems, not problems per se. The problems should be more like “I can’t control the access rights on the individual user account control bits in Active Directory”, or even better “I need to separately delegate the ability to set the No Password Required flag and the User Account Disabled flag”. See the difference? The first is a possible solution to a requirement the IT Pro has in the back of their mind. The second is the actual requirement. It’s really important to get everyone writing down problem-space statements, not solution-space statements. Otherwise the next step doesn’t work.

Once the moderator makes sure all the problems are legible and understood (IT Pros are not known for their high-quality handwriting), the second step involves sticking the Post-It notes on a wall and organizing them into affinity groups, i.e. grouping the requirements in a way that “seems to make sense”. This is a group activity, and can be really fun to participate in (and to observe!) Basically, you start moving the Post-Its around and inventing categories that seem to fit a group of them. The goal is to organize the requirements (perhaps more than a hundred of them) into a manageable number of higher-level topics. It’s always surprising how, given the vague instructions, people seem to instinctively organize things in pretty much the same way. Sometimes it takes a few attempts to get the categories right, but I’ve never seen a real argument in this process.

Now the drama begins. In the third step you need to refine the categories you developed in the preceding step into full-fledged problem statements that reflect all of the requirements in that category. So everything that you grouped under “Schema” is now covered by something like “I need to manage the schema without special consideration like review committees and/or replication latency and be able to provide a complete audit report of all schema changes.” Honing the requirements statements takes a lot of back-and-forth discussion between the participants to make sure the problem statement reflects all of the requirements, and that it is reasonably coherent. Sometimes you have to go back to the board and re-categorize some of the requirements, and occasionally someone will decide their particular requirement just isn’t worth the effort.

The process I’ve described so far is one I’ve used for years in developing product requirements, and was taught to me by my friend Jared Spool at User Interface Engineering about 20 years ago, and it works pretty well. One of the problems with the process is that you end up with way more problems to address than you have time or resources. How do you prioritize them? Microsoft has added two steps where the participants rank how important each problem statement is to them, and how well or how poorly each problem statement is currently addressed by the shipping product. The first ranking gives them an idea of which problems they should focus on, and the second ranking gives an idea of how much effort they should expend on addressing the problem.

Normally this sort of thing can take most of an entire day, but for TEC, Robert and Dean are developing a skinnied-down process that should provide some meaningful results in the hour or so we have available. I think they are also going to use some of the birds-of-a-feather time to work on the problem statements. In any case, it will be a lot of fun.

So if you’ve ever found yourself completely frustrated because Microsoft didn’t fix your specific issues in Active Directory, come to TEC Europe 2009 and make sure your problems are heard and make it into the queue for the next version of Active Directory.

Tags: Identity and Access | TEC09

Impressions from Burton’s 2009 Catalyst Conference

8/9/2009 6:22:05 PM

I attended Burton’s Catalyst Conference in San Diego a couple of weeks ago. The Burton Group has always been one of the leading analyst firms in the digital identity arena, and Catalyst is certainly one of the premier identity-related conferences. Catalyst has expanded over the last few years to include SOA, Cloud, and Security tracks, but I pretty much stuck with the Identity track this year. Maybe not the best choice in retrospect; more on that later.

I was happy to run into lots of old friends from The Expert’s Conference… James Booth (formerly at Oxford, now on his own at Boothbilt… sort of like Peterbilt I guess), Pamela Dingle (formerly at Nulli, now on her own at Bonsai Identity), Felix Gaehtgens from Kuppinger-Cole, Brian Puhl and Mark Wahl from Microsoft, and Dave Kearns and John Fontana from Network World (one of the few guys who makes a ponytail look cool).

<aside>Watching John Fontana write is a lesson in literary efficiency that I never cease to be impressed by. John writes as he’s listening to each speaker (something I don’t do well), and when the speaker finishes up, John spends a minute or two tidying up his text, and presto! an article ready to be published. And based on my discussions with John afterwards, he hears and understands pretty much everything that’s said, and asks questions about the things he doesn’t. Nothing like watching a professional do his thing.</aside>

Bob Blakley provided the keynote for the identity track, titled “Upheaval in the Identity Market”. I was hoping for an indication of some sort of sea change in the identity and access business, but Bob’s comments were pretty much limited to Oracle’s acquisition of Sun; hardly what I would call an upheaval. But Bob’s a smart guy and a good speaker, so the session wasn’t a waste, just a little disappointing.

The Burton Group identity regulars (Kevin Kampmann, Bob Blakley, Mark Diodati, Gerry Gebel, Ian Glazer, and Lori Rowland) started off with a group discussion of the current state of the identity market. It was a rambling discussion that didn’t really produce anything surprising, though there were a few nuggets:

  • You can’t have 18 month IdM deployments any more; you have to show value within the first 3-6 months (duh!)
  • Evaluating vendor risk is different now. It’s not just “is the company successful enough to survive…”; witness Sun.
  • “Provisioning” has outgrown itself trying to encompass all of the various aspects of IdA
  • Efficiency in IT has become extremely important (ya think?)
  • SPML might be making a comeback with the notion of federated provisioning
  • Companies with active IdM projects are outrunning their tools

That last comment is kind of interesting. I think the deployment curve for identity management is wider than that for most other technologies, meaning that the distribution of IdM projects of different technical maturities (from non-existent to extremely sophisticated) is very flat. There are many companies that are nowhere in terms of identity management maturity, and at the same time there are companies that have leveraged the available tools to their limits and are pushing the envelope beyond what the vendors can provide. It’s as if we had some companies deploying ARCNet at the same time others are deploying 10 Gig Ethernet. I don’t know why that would be, but it is interesting.

Some notes from the other IdM sessions:

Michael Barrett, CISO at PayPal regarding three-party authN models: Don’t worry about the technology, the technology is there. Worry about the business model, i.e. how do all the parties provide and derive value in the relationship. He almost mentioned that authentication does not produce a binary result; it produces a probability distribution, e.g. “this is how likely this person is who he says he is.” True dat. Double true.

Kevin Kampmann and Alice Wang, talking about roles and entitlements: Certification, attestation, role management, provisioning, access requests, etc. are all closely related, but should be treated separately.

Bob Blakley, talking about cloud economics: Running software in the cloud is not cheaper. The value proposition is time-to-value and a closer matching of cost to consumption (which presumably is cheaper, but I quibble.)

There were a couple of vendor-driven case study puff-pieces, one by a guy from Hoovers who had just deployed Cisco’s Enterprise Policy Manager (what used to be Securent). They had deployed an entire application! Whoa, hold me back! There were a couple of other similarly content-free case-study sessions that I’ve since blocked from my mind. How do vendors get customers to do this sort of thing? Does anyone from Burton look at them? I should have switched over to the Virtualization track… the case-studies were a waste.

Well, not all of them. There was one case-study that I thought was really outstanding, and that was the one by Paul Rarey from Safeway. They have an impressively large IT operation, and the scope of what they’ve managed to automate is mind-boggling. And Paul was a great speaker as well, so great in fact that I have almost no notes from his session (remember when I said I don’t write well when I’m listening to someone?)

Mark Diodati, during a survey of the Unix-to-Active Directory integration market: The market for Active Directory bridge products, Unix security products, and privileged account management is converging and is growing rapidly (he actually said “exploding”, but I don’t think something can converge and explode at the same time).

The vendor hospitality suites were the usual, although maybe a little toned down from last year. Quest’s suite was done in cool blue and white with a 007 James Bond theme. One of the screens was running clips from some of the old Bond movies, like Goldfinger. Very nicely done I thought. One thing that struck me as really funny during the Thursday suite-crawl: Oracle’s suite was covered in crime-scene tape, and next door, RSA’s suite was hosted by clowns. Hmmm. Subliminal positioning? Who comes up with these ideas? At least IBM had the Star Trek theme nailed.

So all-in-all, how was Catalyst? Meh. I was underwhelmed this year. The sessions could have all been on last year’s agenda. The feeling that came across was that not much had changed, and not much was changing. And yet there is a significant transition occurring in the market that hasn’t really manifested itself, and that is the transition from managing identities to managing access. I’ve said for a while that identity management ultimately isn’t what you want to do; you want to control access to your resources. Identity management is simply a prerequisite, a waypoint on the trip. But the whole business of entitlement management, claims-based authN, fine-grained authZ, role management, attestation, etc. is pretty fuzzy right now. There isn’t yet even any agreement on the terminology, and that in fact may be why it feels like the industry is stagnating a bit… it’s hard to talk about what’s next when you haven’t agreed on the terminology.
