Monday, June 25, 2007

Fries or Baked potato? I think I'll have the Bruschetta

I recently had two discussions with two very different organizations about identity management. One was a global wired/wireless telecom provider and the other was a State government.

Ice cream and dump trucks from a similarity perspective, but my answer to them was the same – it’s all about the process. What was the question? It was:

Should we use Sun Identity Manager or IBM's Tivoli Identity Manager?

Why was my answer the same for both organizations? Because one of the two most important parts of an IdM deployment – the business process that will be enabled by the technology – directly impacts the ultimate success of a project.

Do you *really* think it matters what product you use? They both do the same thing at the end of the day, and it *really* doesn’t matter what product you use. Maybe if you spend $100M with IBM every year you’ll get a better price, but functionally they are basically the same.

They are the same in another way too – if you screw up figuring out the business process and focus on the as-is process and implement how things work today, then you will have a broken business process enabled by a shiny new piece of expensive software that may impress your peers, but will give your CFO heartburn, and let’s face it – that’s not good.

Spend your money on someone who understands process and will help you defend it, vs. someone who can tell you how different the feature sets are.

So if I should be asked again – what would you use, _______________ Identity Management Solution or _____________________ Identity Management Solution? My answer will be the same – how well is your process defined?

Extra credit - Anyone care to venture what the other most important part of an identity implementation is? Answer in my next blog entry…

Thursday, June 21, 2007

Cataclysmic Catalyst

cat·a·clysm (kāt'ə-klĭz'əm)
n.
A violent upheaval that causes great destruction or brings about a fundamental change.
A violent and sudden change in the earth's crust.
A devastating flood

I munged Catalyst and Cataclysm in a discussion with a friend of mine, and as it turns out the two are not unrelated. Catalyst has nothing to do with the earth's crust directly, however being in San Francisco it is tangentially related. Fundamental change? Check. A flood? Of people? Check.

Yes, I'll be there, and I am pulling together some friends to catch up in between meetings with customers in the East Bay. I will not be wearing my kilt this year (a travesty for the ladies who count on seeing my revered kneecaps, and the scar I got at Dunvegan Castle on the Isle of Skye, I know) but I will be there nonetheless.

I happened to catch Ian Glazer's post about needing a new watering hole in San Francisco and there are a few I would recommend, however none of them are where the majority of the hotels are:

Vesuvio at 255 Columbus Ave. Kerouac used to hang here. 'Nuff said.

The Carnelian Room - Hands down the best views in the city. It's at the top of the Bank of America building 555 California street. I was at the post IPO party of ATG there with guys (at the time) worth more than John Hancock. Literally.

Ace Wasabi's in the Marina. Great sushi, hip crowd, and sake. Opens at 6 pm.

The Grove in the Marina is a fantastic place to people watch and you can't go wrong with the oatmeal for brunch.

identitystuff@gmail.com

Monday, June 18, 2007

State of Ohio Identity Whoops!

I can't help but wonder what will happen to pensions. I know that the SSNs of folks have a value of $2-5, but what if you were able to get to the state pension systems? There would be a field day in there, especially with the folks who have given 19 years of service; those would likely be some good checks up for grabs...

I wonder where the intern is headed next...


The names and Social Security numbers of all 64,000 Ohio state employees were stolen last weekend from a state agency intern who left a backup data storage device in his car, Gov. Ted Strickland said.

An additional review of data revealed that the storage device also held information on 53,797 participants enrolled in the state’s pharmacy benefits management program, as well as names and Social Security numbers of about 75,532 dependents, the governor’s office confirmed Saturday. Strickland has asked Ohio Inspector General Tom Charles to investigate.

Friday, June 08, 2007

BlackDog Project = Echo Identity Systems

I had posted last year that I had bought a BlackDog as my latest and greatest toy, which was a Linux box with a biometric scanner built in that plugs into a USB port on your notebook and uses the computer's display, keyboard, and USB power. I still don't have any idea what to do with it, but someone figured out how to use it for an identity application - Echo Identity Systems in Salt Lake.

There is no news, and it looks like they bought the assets of Project Black Dog and turned it into an identity play by using the Linux server as an identity server, and the built-in biometrics as one of the factors for authentication. These guys may be fun to watch...

From their page:

The Echo iD3 Ultra-Mobile Server is a self-contained mobile computer that contains its own processor, memory, and storage. This allows the Echo iD3 to interact with the host PC as a peer or server instead of as a peripheral.

The Echo iD1200 Management Router extends data, applications, and services to enterprise end users via a secured computer like the Echo iD3, in a managed and secure fashion. Deployed at the edge of the enterprise network and easily integrated with existing IT infrastructure, the Echo iD1200 Management Router provisions applications and establishes authorization for Echo iD3 users.
Users employ an Echo iD3 Ultra-Mobile Server connected to any computer in any location to safely access the applications, resources, and data they need.
Administrators control thousands of iD3s from the iD1200 Management Router.
Financial concerns are alleviated with a drop-in system that significantly reduces IT support costs.


1. iD1200 Management Router. Activates Echo iD3 devices, updates software applications that run on the iD3 Ultra-Mobile Servers, and provides access to corporate applications and resources. Also instantly disables or deactivates Echo iD3 Ultra-Mobile Servers, immediately rendering them unable to access enterprise resources through the VPN tunnel.

2. The Administration Console. Used to access the iD1200 Administration web application.

3. (Optional) Application Servers. The servers hosting the enterprise applications to which the Echo iD3 connects. These application servers can be Citrix, RDP, Web, or other types.

4. (Optional) The LDAP Server. The server that provides directory services to the Echo iD1200 Management Router.

5. The Host Computer. Provides keyboard, mouse, monitor, and Internet connection for the connected iD3.

Together, the Echo iD3 Ultra-Mobile Server and the Echo iD1200 Management Router address what is likely the single biggest security issue facing enterprises today -- the use of unidirectional trust models. Users no longer have to navigate multiple layers of security, presenting credentials at each level. They are also completely confident they are accessing the proper enterprise resources. Administrators are likewise confident that only authenticated users can access backend resources. This bidirectional trust model is in place even while using untrusted resources such as PCs, even those compromised with malware.

Typical Use

1. The user connects the iD3 to the USB port of a host PC and authenticates on the iD3 using the built-in biometric scanner. When connected to the host PC, the iD3 uses the host's keyboard, mouse, monitor, and Internet connection to provide a familiar and rich user interface.

2. The iD3 and iD1200 work together to automatically establish a VPN connection, providing a secure, encrypted data tunnel.

3. While connected to the host PC, the iD3 user accesses all their applications, resources, and data - both local and remote. Access to these applications, resources, and data is controlled by the profile established on the iD1200 for the user. To help ensure security and maintain the integrity of the iD3 Ultra-Mobile Server and its association with the enterprise network, the iD3 user cannot download applications, files, or malware, even by accident.

4. As necessary, administrators automatically update iD3 applications and configurations and can instantly change or deny access to any or all enterprise resources.

Tuesday, June 05, 2007

SafeTspace - Variation on a Theme

I got a notice in my Google Alerts today about this company, SafeTspace, that was an offshoot of a post I did a while ago - back in August of 2005 actually - where I talked about this very kind of model. Don't worry SafeTspace, I'm not going to go all William Reid on your ass.

It does, however, validate a theory, and one that I saw coming with HSPD-12, which is: there is no better way to manage identity than to have a human involved at some level.

identitystuff@gmail.com
aka Mark Mac Auley