The Goldilocks Syndrome

 

“Then Goldenlocks sat down in the chair of the Great, Huge Bear, and that was too hard for her. And then she sat down in the chair of the Middle Bear, and that was too soft for her. And then she sat down in the chair of the Little, Small, Wee Bear, and that was neither too hard nor too soft, but just right. So she seated herself in it, and there she sat till the bottom of the chair came out, and down she came plump upon the ground.”[i]

I’ve been making this observation formally ever since I started in the software field at a company called Magic Solutions back in the late 90s and probably informally before then. You see, it’s been my experience that when organizations roll out new enterprise concepts, particularly in IT and more specifically in IT Security and Governance, it goes through at least three revisions. I’ve seen this happen in several models whenever there is some sort of organizational hierarchy. In my Help Desk days, it was about Ticket Subject Organization, in Identity it’s usually the organization of the Directory Service (Security Groups and Organization Unit structures) or role/entitlement hierarchies.

For the record, I’ve been involved in all of the scenarios listed below, and I’ve been confident I nailed it nearly every time. As I’ve become more experienced, I mention that these structures will most likely change over time and that the first time is seldom the charm.

The first one is usually pretty much what the organization thinks they need. This might be in consultation with experts either during the sales process or when working with the implementation specialists. This frequently suffers from a lack of flexibility, in that not all use cases have been properly considered and weighted. It’s good enough for now, and the project to review how things are configured is pushed to the next version of the application / architecture review.

The second time around, the organization is looking to be flexible, so that any potential scenario can be handled. Now we have the opposite problem, where different parts of the organization have too much control and the solution becomes too cumbersome and there is little to no organization. It’s complete anarchy, audit logs become so incomprehensive that they border on being meaningless, and nobody is happy.

At the third time through the process, I believe that we are starting to maybe see a proper solution that has structure, and is somewhat flexible to new scenarios. In terms of our introduction quote, it’s not too rigid, and it’s not too open, but just flexible enough.

Sometimes this is because the structure is more open, or because there’s a stronger change control process in place. Sometimes it is because the organization itself has changed, changing in size, complexity, governance needs, or just a plain old change in culture. Change will still occur, but with the lessons learned the process should be more manageable.

---

[i] https://en.wikisource.org/wiki/The_Story_of_the_Three_Bears_(Brooke) That’s how this version spelled it. Emphasis is mine.

Identity Management as Kitchens and driving on the New Jersey Turnpike

Those of you who have been following me for years are aware of my preference for Identity Management Programs over one-off Projects.  The fact is, one might consider that a proper program goes something like this:

1. Set up the Directory/IDP
2. Define Roles
3. Set up Access Management (SSO/MFA)
4. Set up LCM processes
5. Implement Fine-grained authorization
6. Implement Self-Sovereign Identity and digital wallets

Of course, this list and its order depend on the needs and culture of the organization being served. In the long term, it is virtually impossible to do just some of this. It’s like upgrading or updating your kitchen. Now the Dining Room looks off, which makes the Den look dated, and then the carpeting, and then, of course, the bedrooms. All because one part of the house was improved.

My thinking has always been that you can’t really grant access until you have some sort of Identity store in place, which is usually the Directory Service for the Workforce and an IDP when it comes to CIAM.

Furthermore, steps two and three are somewhat interchangeable, but if you need to organize your identities, it’s likely due to an Access Management requirement, so you may want to complete this task sooner rather than later.

LCM needs are required regardless of use case, but of course take different forms. For the Workforce, this is more about how an employee progresses through their corporate career. On the CIAM side, this might involve subscriptions, optional services, and the ability to unsubscribe and be forgotten.

Refining all these processes and connecting them to additional applications will likely require some form of fine-grained authorization to ensure that all users can access only what they are intended to.

Once all of this is in place and working, we can begin to think about utilizing this information for digital wallets and establishing the foundations of Self-Sovereign identity using wallets. This will ensure that, in any given Identity-based transaction, only the minimum required attributes are shared.    

As far as the Identity Program goes, it’s like driving on the New Jersey Turnpike; the construction and work never seem to end. As soon as we finish one round of repairs and upgrades, it’s probably time to start over again.

Must it always be Virtual?

 

The only constant in life is change

-Heraclitus. 

One of the things that most people in the Identity field know about me is that I am a huge fan of Virtual Directory Services (VDS). But it’s possible this is starting to change. It’s also entirely possible that working with the technologies at Ping Identity every day has something to do with this. ¹

What I have always loved about a true Virtual Directory is its immediacy. Access the VDS, have it do the lookup, and then do something with the value. It doesn’t matter what the back end is—an LDAP directory, a database view, or even a CSV file. (Not that I ever wanted to go there.) Do the search, get the result, and move on with your life.

But do we really need this when other, less complicated tools exist? I’m starting to think that this is exactly what is happening. Let’s face it: a Virtual Directory is a real pain to set up in the posterior (although once it’s running, you tend to forget it’s there). Setting up the DIT, configuring joins of back-end sources, properly translating non-directory data into something resembling the DIT that was configured back in step 1, it's tedious and is about as error-prone a process as exists in the Identity field.

What if I told you that there were solutions that just work better?

I mean, if you just need to do some basic representations of an existing Directory and some simple transformations to handle things like mergers and acquisitions, a basic LDAP Proxy will handle this exceptionally well. There is no need to have anything else going on. A proxy also handles essential use cases such as Pass-Through Authentication, which can be helpful during “lazy migration” scenarios.

If you need to access different types of data, we need to think about what are we doing with it. Does it really need to be referenced in some sort of LDAP schema? Does inetOrgPerson (or other LDAP Object classes) necessarily give any true advantages? Most of the time when we need this information it’s to choose a course of action during an identity related process.

What are we doing with it? Does it need to be referenced in some LDAP schema? Does inetOrgPerson (or other LDAP Object classes) necessarily give any actual advantages? Most of the time, we need this information to choose a course of action during an identity-related

So, instead of the virtual attribute, why not consider fine-grained authentication tools? The whole point here is that we are looking at specific identity attributes to determine access or those involved in an orchestration flow, where both data and policies are subject to change at a moment’s notice. Being able to look up and evaluate that data with the same tool seems to make the most sense to me.

To me, the biggest value here is more efficient access to data and understanding how said data will be used. In an age where we are increasingly concerned with governance, compliance, and regulation, maybe this is the way we need to think about identity data and how it is represented for use in identity-related operations.

1 My opinions remain my own, and nothing said here represents any official positions or statements from Ping Identity or any organization I might be associated with unless otherwise specified.

Regarding the recent SAP IDM Announcement

 “Life begins like a dream, becomes a little real, and ends like a dream.” ― Michael Bassey Johnson, The Oneironaut’s Diary

As many of you already know, SAP has made public its plans on how SAP IDM will be retired as a supported offering. I’ve been stewing on this for a bit as I try to figure out exactly how I feel about this and what needs to happen next.

To be fair, I haven’t worked with the product much for just over four years, and even then, I was working more with Version 7 than with Version 8. My opinions are completely my own and do not represent my current employer, any previous employer, or SAP.

While IDM is certainly showing its age, there are some very good things about it that I would love to see as an open-source offering. First is the Batch Processing capabilities of IDM, based on the old MaXware Data Synchronization Engine/MetaCenter solutions. It features some powerful functionality to synchronize and cleanse data. It sets up fairly easily and is quite easy to configure. I’m sure the open-source community could do well with maintaining the UI (It definitely should be JAVA-based rather than the old Windows MMC) that will fit better in today’s Enterprise setting. Also, easy integration with SaaS services is a needed upgrade.

The other thing that should be released into the wild is the Virtual Directory. It also provides powerful functionality for several use cases, from pass-through authentication to assisting in M&A use cases. It’s the perfect example of a “Black Box” offering that just works. It also makes it much easier to synchronize and cleanse data by representing many different back ends via the easy-to-consume LDAP standard.

It saddens me that SAP is choosing to move away from IDM, as one of the key selling points of SAP IDM is its ability to integrate seamlessly with the SAP ecosystem. I hope SAP will help all LCM/IGA vendors connect more easily with systems. SaaS integration should be easy or standards-based, but we still need to be concerned for organizations still using on-premises SAP tools.

SAP has indicated that Microsoft’s Entra ID will be the main partner in the future, but I hope they make this information open to all vendors and that there will be continuing support of standard protocols. This article gives me some hope, but actions speak louder than words. I do have some concerns that SAP, known as a vast software ecosystem that supports itself and tends to ignore the enterprise, is handing off to another large software provider whose management tools tend to support their software ecosystem first and consider the enterprise second. Let’s face it: most of Microsoft’s Identity and Access Management efforts have been about supporting the Office 365 family of products. Don’t get me wrong; it’s better than SAP in this regard, but it’s not that high of a level to meet. For what it’s worth, I am guardedly optimistic, but I always try to remain hopeful.

Finally, I think it’s important to thank the IDM team in Sofia for all their hard work over the years, which, of course, would not have been possible without the vision and effort of the original MaXware team based in Trondheim, Norway, and associated teams in the UK, Australia, and the US. The production from these small teams helped define what Identity Management is to this day.

Will this be my last blog entry on the topic of SAP IDM? I don’t know. Part of it will depend on if there are any moves towards the Open Source world. There have been at least three times in my life when I thought I was done with this tool, and deep down, I’m pretty sure there is a little more in my future. 

In the meantime, I hope to resume blogging more regarding the Identity and Access Management field in the near future. Time will tell.

Endings, Beginnings, and Certification!

Hi folks, so it's been a while. 

That's mostly since I was blogging over on the wonderful SAP Community. Unfortunately, I will not be as active there now as my career is moving away from the wide, wonderful world of SAP as I have taken on a new position as a Regional Solutions Architect at Ping Identity.

This affords me the ability to explore new areas of the Identity Management landscape, and play with some technologies that I've always been very interested in but have not had the time to delve into. I'm hoping as I learn and experience more that I will get to share it with you folks.

Which leads me to the third item in this entry's title, certification. I guess they knew I was coming and how interested I am in getting certified in technologies as Ping has just announced a certification program!

If you use Ping products in your business, or do Ping related services work, this is something you should definitely look into, and look for.

Here's to the next stage of the career and certification journey!

#pingidentity #training #security #cybersecurity #certification

You've read my ramblings, now listen to them!

You've been reading my ramblings for years here and on SCN. Now you have a chance to listen to some of my thoughts on SAP IDM and a bit on SAP IDM 8 I was recently interviewed by long time colleague and fellow IDM Expert,Scott Eastin for his IDM Masters Interview Series. 

Please take a moment to listen to the interview and support Scott's efforts!

BTW, please let me know if this is interesting and if we should consider a regular podcast / YouTube discussion of SAP IDM, along with topics that you would like to see covered!

Thanks!

SAP TechEd 2015

Just a quick not to let everyone know that I will be speaking at SAP TechEd 2015! I will be speaking on the new version of SAP IDM:

How Will YOU Prepare for SAP Identity Management 8

This session will be on Thursday, October 22 from 11:45 - 12:45. Without giving it all away, I'm planning on talking about how this new version of SAP IDM will affect the various members of your organization as you plan and implement this exciting new version of SAP IDM.

This should be a fun and interactive presentation where we will have a chance to discuss how your organization will prepare for IDM 8.

As this link will be shared on Social Media, let me take a moment and introduce myself for people who are unfamiliar with me and with IDM in general.

My name is Matt Pollicove and I have been working with SAP Identity Management for the past 11 years, from its beginnings as the MaXware Identity Center, which was purchased by SAP in 2007 to become IDM.

Over the years I have done engineering, training, project management, architecture, blogging, and yes, speaking on SAP IDM. 

SAP IDM is the preferred system for managing user accounts (identities) in the SAP Landscape and the Enterprise as a whole.  It offers  a wide array of connectors and a dynamic framework for creating, maintaining, and deprovisioning accounts.  The new generation of this product, IDM 8, embraces new technologies and offers new approaches to Identity Management.