Managing External IDs

14.04.2008 by Sebastian Rohr

Have you ever encountered procedural problems while re-engineering your hiring process, retirement or resignation processes to adapt them to your brand new IAM solution? Did you feel that modifying your IAM system to cope with all the different requirements, access rights and approval chains might as well be tackled through writing your own IAM system? Fine! Then you are in the best company you can imagine, because almost everybody went through that deep sorrow you feel. Now imagine you have to do this all for each and every external identity your company deals with in every business unit - do I hear a muffled sobbing, or - is it somebody screaming loud and running away in pain?

The average IAM project already reaches its limits with managing all the internal identities, logins, usernames and access levels one can have. Adding external resources and having them provisioned with all necessary rights - and especially restrictions! - may well go beyond what your vendor claimed his software was capable of doing. That is seldom a matter of technology, or better, seldom ONLY technology related, but deals greatly with managing the rather weird processes of hiring and getting rid of external labour resources. Want an example? Here we go:
Imagine a big broadcasting company, or even better, one of the monolithic public broadcasting services here in Germany.
Now imagine this behemoth has to deal with new media, such as IPTV, on-demand content and the like - could and would this be done by internal resources?
I bet there would be dire need for some technophilic and hip member of the blogosphere to chip in his techno-magic skills!
With deadlines approaching fast and youngsters being too reluctant to get an official full-time employee (FTE) working contract (not that positions like these could not be generated out of thin air at a public broadcasting station!), one would aim for the “external editor” model. So far - so good!
Now that our young hero is NOT going to be an FTE, the usual way of getting him access to networks, laptops, servers and apps - the way through the HR hiring process - will definitely not work for him. He will not get an HR ID as he will not get regular payments, and as such he will not be provisioned through the official channels. Maybe HR does not even get involved until some later point in time if the chief editor has his own budget for external workers.
In addition, the standard processes would not be of any assistance as the new guy would need access to systems that are probably not part of the global provisioning procedures or - even worse - that guy would need administrative access to some production machines!
Therefore, designing special processes for hiring and changing externals as well as managing access rights and privileges for them without having to get them into all the internal directories and databases is definitely a MUST for big IAM projects. Roles and rights management should accommodate both external and internal resources - thus making exceptions the norm.
Really sounds like a nightmare, huh?
Come to EIC 2008 and join my colleague Felix Gaethgens and me in our session “Managing External Identities”!
Looking forward to meeting you in Munich and finding ways to wake up from that nightmare!
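The design point of this post - an external identity needs its own lifecycle with an accountable sponsor and a hard end date instead of an HR record, and administrative access to production is a separate, time-boxed decision rather than part of the initial grant - can be sketched as a small access model. The following is an added example written for this post; it is not a tool or process from Kuppinger Cole, from any vendor mentioned here or from a broadcaster. The `Source`/`Identity` types, the function names, the role names and the 90-day default validity are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Set


class Source(Enum):
    """Where an identity is mastered (hypothetical model, not a product's schema)."""
    HR = "hr"              # regular employee, created and retired by the HR feed
    EXTERNAL = "external"  # freelancer or contractor, owned by a business sponsor


@dataclass
class Identity:
    login: str
    source: Source
    roles: Set[str] = field(default_factory=set)
    sponsor: Optional[str] = None       # accountable business owner (externals only)
    valid_until: Optional[date] = None  # hard end date (externals only)
    # privileged role -> expiry of a separately approved, time-boxed grant
    admin_grants: Dict[str, date] = field(default_factory=dict)


# Constructed role catalogue: roles that touch production and need explicit approval
PRIVILEGED_ROLES = {"prod-admin", "streaming-backend-admin"}


def onboard_employee(login: str, roles: Set[str]) -> Identity:
    """Regular hire: HR is the source of truth, so no end date is required here."""
    return Identity(login, Source.HR, set(roles))


def onboard_external(login: str, sponsor: str, roles: Set[str],
                     today: date, max_days: int = 90) -> Identity:
    """External hire outside the HR process: sponsor and end date are mandatory,
    and privileged roles are never part of the initial grant."""
    if not sponsor:
        raise ValueError("external identity needs an accountable sponsor")
    if PRIVILEGED_ROLES & set(roles):
        raise ValueError("privileged roles need a separate time-boxed grant")
    return Identity(login, Source.EXTERNAL, set(roles), sponsor,
                    today + timedelta(days=max_days))


def grant_privileged(identity: Identity, role: str, approver: str,
                     today: date, days: int = 14) -> None:
    """Time-boxed elevation, e.g. admin access to a production machine.
    Nobody approves their own elevation, and an external's grant can never
    outlive the identity itself (expiry is capped at valid_until)."""
    if role not in PRIVILEGED_ROLES:
        raise ValueError(f"{role} is not a privileged role")
    if approver == identity.login:
        raise ValueError("self-approval is not allowed")
    expiry = today + timedelta(days=days)
    if identity.valid_until is not None and identity.valid_until < expiry:
        expiry = identity.valid_until
    identity.admin_grants[role] = expiry


def has_access(identity: Identity, role: str, today: date) -> bool:
    """Single decision point that every connected system asks."""
    if identity.source is Source.EXTERNAL:
        if identity.valid_until is None or today > identity.valid_until:
            return False  # expired externals lose everything; no HR leaver process needed
    if role in PRIVILEGED_ROLES:
        expiry = identity.admin_grants.get(role)
        return expiry is not None and today <= expiry
    return role in identity.roles


def due_for_recertification(identities: List[Identity], today: date,
                            window_days: int = 14) -> List[str]:
    """Externals whose end date falls inside the window: the sponsor must extend
    them or let them lapse. This replaces the leaver process HR runs for FTEs."""
    horizon = today + timedelta(days=window_days)
    return sorted(i.login for i in identities
                  if i.source is Source.EXTERNAL
                  and i.valid_until is not None
                  and today <= i.valid_until <= horizon)


if __name__ == "__main__":
    # Constructed walk-through: the "external editor" from the post
    start = date(2008, 4, 14)
    editor = onboard_external("jdoe-ext", "chief.editor", {"cms-editor"}, start, max_days=30)
    grant_privileged(editor, "prod-admin", "ops.lead", start, days=60)
    print("prod-admin until", editor.admin_grants["prod-admin"])
    print("still an editor on 2008-05-15?", has_access(editor, "cms-editor", date(2008, 5, 15)))
    print("recertify on 2008-05-01:", due_for_recertification([editor], date(2008, 5, 1)))
```

The point of the single `has_access` decision point is that an external whose sponsor lets the end date pass disappears from every system at once, without anybody having to remember which production box he was given root on; the cap in `grant_privileged` makes sure an admin grant cannot silently outlive the contract it was issued for.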

User Centric IAM - all a lie?

29.02.2008 by Sebastian Rohr

I talked to my Sensei-san, Dr. Kpatcha Bayarou of Fraunhofer SIT, recently and although we only had a few minutes, we came to some extreme views on what User Centric IAM really is about.

Power!

The power to control who gets access to what of my content and information! You are reading this text without disclosing anything about yourself, which is due to my totally hedonistic way of “sharing the knowledge” ;-) . Ok, one might say it is to lure some of you into registering for this site, for our newsletters and even some of the reports. That is, to get YOUR IDENTITY and YOUR MONEY ;-) Do you get a feeling where this will go?

Until recently, anybody who had something to offer on the internet (or elsewhere in the brick&mortar world) would request your registration to do business with you. This was tedious, had lots of flaws and still puts a lot of burden on us consumers, especially the ones with the infamous “Geiz ist geil” attitude, always hunting for the best price of a merchandise. These bargain hunters would willingly subscribe anywhere and register with any online shop where they would be able to buy something marginally cheaper or get their hands on a shiny new gadget first. Well, we all did this sometime, somewhere, didn't we? It may even have been just to get a special software that we would need to get something done quickly…

There the bargain hunters end up with a multitude of logins and passwords, as if we had known it all along. The background is the same everywhere: somebody who has something we want won't let us have it until we sacrifice/disclose some of our identity information. Actually these people have power over us, and they are executing it freely. We seem to ignore this fact, as we are so much used to “register for free…”. This is seldom “free”, we pay with facets of our identity, and those are valuable to me.

Wow for VAAU!

27.12.2007 by Sebastian Rohr

Ok, nothing is more boring than yesterday's news, I guess!

Despite this oh so true statement, especially in the blogosphere, I would like to rant about SUN’s recent acquisition of VAAU, a small company that offers tools around role mining and role engineering as well as compliance.

I had the sincere pleasure to work with some of the VAAU EMEA people and found both their tools and their approach to be very exciting. SUN in Germany is also very excited - at least the SUN guys I talked to lately - and they are eager to put their new tools to work exclusively, bearing in mind that VAAU was open to most IAM vendors before and will now probably go exclusive with SUN ID Management solutions. I'd say this is quite a punch for the remaining bunch…

Same as SAP has to prove that their Maxware deal was worth the price, SUN now has to make sure that the competitive advantage of exclusive access to VAAU technology can be supported with special ties and deeper integration with their IAM solutions. I intend to closely watch these guys next year, and probably have a chat or two with representatives of both sides! This is an invitation - but you know that, don't you?

See you all soon

Sebastian

Hello World…

27.12.2007 by Sebastian Rohr

Welcome to my world of Digital Identity - hopefully it will be as entertaining (and hopefully at least slightly insightful) for you to read as it is for me to write!

First of all, I would like to post my own vision of digital identities - which might slightly differ from what others think… there are some people out there who have rather far-fetched visions, driving the future of what our digital lives will look like in some five to ten years or even beyond that. What I would like to sketch is rather short-sighted for being called a vision, nonetheless this is far from being reality, to my own regret!

Let us start with our normal daily identity treadmill - booting my PC and… logging in… Ok, well… starting my Email client and… logging in! Getting a nice message that my Blog is online, and this & that are the credentials to… log into it. Catch my drift? Anyway, we all know this and there are products out there to tackle these problems, some doing a great job, some only improving the situation slightly. Most of these solutions come as enterprise packages, with lots of administration and a beautiful (or not so beautiful) GUI to tweak and turn. So, my work place identity/-ies are taken care of. Nice! But what happens with the “other” digital identity, my personal, private one? There is no admin to take care of it, there is no ID management tool that coordinates and keeps track of everything. And if there was - how would this thing cope with me being on the road all the time?

Well, there are tools for this also, one might say. And yes, some of them are pretty elaborate, mainly those based on some sort of USB memory stick with security functions. None of those offer me the security and usability I would be looking for, though! What happens if I lose the USB stick? What happens if I change the password to access it, and then forget the right password due to me being only a lazy human?

As I had the pleasure to speak at a security conference lately, I was bound to ask: where is my digital driver's license? (courtesy of Dick Hardt, some will remember!). But could Dick be more accurate? His analogy holds true in most scenarios! Often I only need to prove that I am of a certain age to access “content” - and we have our own little identity crisis here in Germany around this since the BGH (Federal High Court) ruled that XXX content needs to be protected by proper age verification. In other scenarios, it is only necessary to prove that I am that certain guy who registered some account and needs access to it. No need to disclose “real” personal info - just a verification that I have a valid claim to access the information in question. Thus, claims-based ID management, such as discussed by Kim Cameron, comes into play (but this is really the future, I guess - I won't start wishful thinking until next year!).

One could come up with more and more of these scenarios, each with small but significant deviations from each other. Most of those could be tackled with some sort of digital driver's license, I presume. And I would be more than happy to get my hands on Dick Hardt's digital driver's license any time soon… just to check out if I could buy Vanilla Stoli with it in Canada!

Cheers and a wonderful Christmas time as well as a perfect New Year's Eve!

See you all soon

Sebastian


© 2008 Sebastian Rohr, Kuppinger Cole + Partner