Archive for July, 2009

Identity 101 — build a consolidated, clean view?

Thursday, July 30th, 2009

I’m at the Burton Group’s Catalyst conference this week in San Diego,
where interesting conversations about identity management, entitlement
management, role management and more are everywhere.

One conversation got me thinking about the (seemingly) old strategy
of building a “master system of record” as a prerequisite to deploying
an enterprise identity management system. We used to work with our
customers to do just that, back when our company was called M-Tech.
I take it that most of our software vendor peers and our collective
systems integrator partners did the same thing.

A couple of years ago, when we were designing the then-next/now-current
generation of our identity management suite, we examined this idea more
closely, and came away with the conclusion that it wasn’t really necessary.

Yes, you read that right. It’s not necessary to consolidate all your
systems of record and construct a “gold standard” directory of users,
from which your identity management processes will flow.

Our conclusion is based on a few ideas:

First, it’s expensive and time consuming to build this database … so
if we want rapid deployment of an enterprise IDM system, it’s preferable
to skip the huge data cleansing project.

Second, there’s the observation that the user population is a moving
target and it’s very difficult to get a perfect data set about all
those users, since they keep getting hired, fired, moved, name-changed,
responsibility-changed and so on.

So if we don’t put together a “gold standard” data set, what will happen?
To answer that, we should first think about how that data set is intended
to be used. Mostly, I think it’s useful for automated provisioning,
de-provisioning and identity synchronization between systems. If you have
a pure and clean HR feed, for example, you might synchronize it with
your corporate AD, RACF system, SAP user base and so on — and then those
would be perfect too.

But really – you don’t want to look at every user on every system on every
pass through the automation process. That’s expensive – and slow. Instead,
it makes more sense to look at changes to a system of record — who got hired
today? Who got fired today? Who changed jobs? Whose surname got changed?
Those changes are a much smaller data set, and each of them presumably
represents a state change — either to correct an error in the data or to
update data that used to be correct to its new state.

So if we capture changes and propagate them out into the enterprise,
we’ll gradually improve the quality of data on all systems, but without
having to clean everything up in one fell swoop.

And for that matter, what’s so special about systems of record? Why
don’t we monitor *every* system for changes that were initiated outside
of the IDM system? Any change could merit a response — it could
be a new e-mail address set in the Exchange server, which we should
replicate to HR. It might be a change in the user’s cubicle number
in a white pages application, which might be handy to copy to AD.
It might even be an unauthorized addition of a user to the Administrators
group in AD, which could trigger automatic removal and a security alert.

It’s not just HR we should be watching…

This approach is auto-provisioning based on propagating change events,
rather than directory synchronization based on comparing the full state
of two systems. It’s also the difference between our old ID-Compare
automation engine and our new ID-Track engine.
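
A minimal sketch of the event-driven approach described above, added here as an illustration and not taken from ID-Track or any vendor product. It assumes change events are derived by diffing each system's account list against its own previous snapshot; every function, system and attribute name is hypothetical and the sample data is constructed.

```python
# Added illustration; all names are hypothetical and this is not ID-Track code.
from collections import namedtuple

Change = namedtuple("Change", "system user attr old new")

PRIVILEGED_GROUPS = {"Administrators"}   # assumption: membership needs approval
# assumption: (source system, attribute) -> system that should receive the value
PROPAGATE = {("exchange", "mail"): "hr", ("whitepages", "cubicle"): "ad"}

def detect_changes(system, before, after):
    """Diff one system against its own previous snapshot; emit only deltas."""
    changes = []
    for user in sorted(before.keys() | after.keys()):
        old, new = before.get(user, {}), after.get(user, {})
        for attr in sorted(old.keys() | new.keys()):
            if old.get(attr) != new.get(attr):
                changes.append(Change(system, user, attr, old.get(attr), new.get(attr)))
    return changes

def respond(change, idm_writes):
    """Turn one change event into actions, ignoring the IDM system's own writes."""
    if (change.system, change.user, change.attr) in idm_writes:
        return []                        # avoids echoing our own updates back
    if change.attr == "groups":
        added = set(change.new or ()) - set(change.old or ())
        actions = []
        for group in sorted(added & PRIVILEGED_GROUPS):
            actions.append(("remove_member", change.system, group, change.user))
            actions.append(("security_alert", change.system, group, change.user))
        return actions
    target = PROPAGATE.get((change.system, change.attr))
    if target is None:
        return []
    return [("set_attr", target, change.user, change.attr, change.new)]

# Constructed sample snapshots (yesterday -> today) for two systems.
AD_BEFORE = {"jdoe": {"groups": ("Users",)}, "asmith": {"groups": ("Users",)}}
AD_AFTER = {"jdoe": {"groups": ("Users", "Administrators")},
            "asmith": {"groups": ("Users",)}}
EX_BEFORE = {"jdoe": {"mail": "jdoe@example.com"}}
EX_AFTER = {"jdoe": {"mail": "john.doe@example.com"}}

def run_pass(idm_writes=frozenset()):
    """One automation pass over the constructed samples."""
    events = (detect_changes("ad", AD_BEFORE, AD_AFTER)
              + detect_changes("exchange", EX_BEFORE, EX_AFTER))
    return [action for ev in events for action in respond(ev, idm_writes)]

if __name__ == "__main__":
    for action in run_pass():
        print(action)
```

Passing the set of writes the IDM system itself made as `idm_writes` suppresses the response to them, so an approved group change is not reverted and a propagated attribute is not echoed back.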

This strategy means that you can deploy a system that makes data cleaner at
every step, without having to make data perfect before you go live.

Another way to think about it is that “perfect” is the enemy of “good,”
and I think what we really want is “good,” without the pre-requisite of

Export controls, crypto as a munition

Thursday, July 23rd, 2009

OK – this blog post may be 20 years too late, but it’s interesting that
this nonsense is still going on.

We just completed an internal review of our corporate export
controls. Despite the fact that “cryptography is a munition” is idiotic,
the fines that companies can face if they are caught exporting it without
a license are nothing to sneeze at.

In the process, we learned that the US – and a variety of other countries
– still have strong export and import controls over cryptographic
technology. The biggest offenders are the US, France, Israel and Hong Kong
(oddly enough).  China is also threatening to require that all crypto
in their country be “Chinese-origin” (and presumably Chinese-back-door).

Now of course this is nonsense. Algorithms don’t explode, so classifying
cryptography as a “munition” only makes sense to the mentally
challenged. Moreover, if a criminal/terrorist/bad guy really wants to
protect their communication, of course they will do so – SSH, PGP and
other tools all support strong encryption and are all free and easy to
download. The Windows OS and even Blackberry phones also incorporate
strong crypto – world-wide.

This means that “we want to keep crypto out of the hands of bad guys”
is a completely nonsense argument. Nobody buys it.

And if keeping crypto out of the hands of bad guys is not the objective,
then the only remaining possibility is that export controls are intended
to keep cryptography out of the hands of law-abiding citizens.

Think about that for a minute. The US government wants to make it
more difficult for the citizens of other countries to communicate
securely. Since bad guys will presumably use crypto anyways, this
means that what they really want is to violate citizens’ privacy –
domestically and abroad.

With that in mind, consider what happened in Iran recently – popular
unrest and a violent government crack-down. One would think that what the
US government really wants is exactly the opposite of that: to empower
citizens everywhere to communicate freely and safely, without fearing
government interception. That wouldn’t endanger benign government (like
the US?) but it would definitely cause headaches for dictatorships like
those in Iran and China.

Maybe the protesters in Iran would have had an easier time organizing
if they all had mail clients that embedded PGP. That would surely be in
the US national interest!

So export controls on cryptography are backwards!  If US foreign policy
interests are really the motivation, then the US should *promote* strong
cryptography for citizens everywhere.  That wouldn’t cause real harm to
US law enforcement or intelligence services, since the objects of their
surveillance already have strong crypto. On the other hand, it would
cause harm to those governments where the US (and the West in general)
would like to see regime change.

So what’s wrong with this picture? When will this old, cold-war thinking
finally give way to a pragmatic realization that crypto-for-all is good
for the US?

Copyright laws in Canada

Wednesday, July 22nd, 2009

Today I learned that the Canadian federal government is seeking public
input in order to refresh copyright law. So I offered some — copied

If we are to update copyright legislation in Canada, the first question
to ask is what social good the law is supposed to promote.

I think everyone will agree that copyright exists to make it possible
for creative people and organizations to be (financially and otherwise)
compensated for their effort. If I write a book, I expect to be able
to profit from its publication. If I write and play a song, the same
is true.

I don’t think this principle is any different in the digital age.
What has changed is the technical ease with which consumers of
digitally-encoded content can break copyright law and redistribute
content in a manner which does not reward the original creative person
or organization.

This has caused content brokers (e.g., music distributors, movie studios)
to panic, because it threatens their business model. Note that music
is not threatened, and it’s likely that movies aren’t either — it’s
the companies that “buy content wholesale and sell it retail” who are

While it’s important to reward content creators, it would be much harder
to argue that a broker, who purchases content from its creators,
promotes that content (i.e., marketing) and sells that content deserves
the same protection by law.

The Internet has a powerful effect of removing friction from the
marketplace. It replaces business models based on brokerage with
ones based on adding value to a product or service.

Real estate agents, stock brokers and travel agents have all already
learned that in the Internet world, they must add value to a transaction
or go out of business. The same should be true of book, music and
movie distributors.

Consumers have rights too. I think it’s unreasonable to have to
pay twice for the same content, if I want to use it in a different way.
For example, if I purchase a CD, I should not have to pay again to
listen to it on my MP3 player. If I buy a movie, I should not have
to pay again to back it up, play it on a different device or invite a
friend over to watch it with me.

So what can we conclude from all these observations?

* Copyright is a useful tool and should continue.
  – But … it should protect the author, not the broker.
  – This means that it should be reasonably short — say 10 or 20 years,
    and definitely no longer than the life of the author.

* Copy protection is an impediment to fair use. While content
  publishers and brokers should be free to try to sell content that
  has been encumbered by copy protection, they should not be
  encouraged by the legal framework to do so:
  – Publishers should be required to advertise what sorts of
    copy protection are embedded in their products, so that
    consumers can make an informed choice about whether they
    want to buy such encumbered products. Publishers may
    quickly learn that consumers don’t like being restricted!
  – Mechanisms that allow consumers to bypass such copy protection
    should be explicitly legal. This is sort of the opposite
    of the DMCA – an ill-conceived US law.

* Some use cases will continue to be complicated and we’ll have to
  figure out, as a society, how to support them:
  – How does a library work in a DRM-free digital age? If I borrow
    a CD from the library and encode it into an MP3 so that I can
    play it on my commute, that seems like a legal use case. But if
    I return the CD and keep the MP3, that’s a copyright violation.
    How will we, as a society, persuade people to not do that?
  – If I’m an artist and I embed audio and video snippets into
    an A/V compilation video, that should be legal. But if I embed
    a whole 3.5 minute song, or 10 minutes of video from a commercial
    movie, that probably shouldn’t be allowed, unless I pay for
    the rights. Where is the threshold between these scenarios?

With updated copyright legislation, content authors should be protected
by law (not by technology!). Content brokers will probably have to
come up with new business models, where they truly add value to a product,
or else go out of business.

Business models should never be based on “we will prevent you from doing
X” — they should always be based on “we will enable you to do Y.”

Using the Internet, content authors are already able to survive and
thrive without large, corporate-style brokers in any case — the argument
that the sky is falling because music labels have declining revenue is
complete bunk, as anyone who searches for independently published music
online can see.

Just my $0.02. 🙂