Thursday, July 30, 2009

Catalyst09 Sessions

The first surprising thing I heard at Catalyst yesterday morning was that attendance was only off 10% over last year and that last year's conference was their biggest year ever. Impressive. I've been to other tech conferences this year and I have noticed a drop in attendance at these events. Digging down into this a bit more, this data point isn't so surprising since a lot of the attendees are here with passes they get as part of their Burton research subscriptions. Still it does indicate that there is value in attending or at the very least with Burton Group's research.

The rest of the day was packed with a barrage of sessions, some given by customers, which were generally of good quality and filled with useful and thought provoking information. I was mainly in sessions that were part of the identity track and I particularly enjoyed the first half of the day where the current state, general trends, what's hot were discussed. The highlights:

  • Customers are demanding quicker time to value in identity deployments. (Typically, 3-6 months.)
  • Decomposition of identity products is starting to happen because customers want to mix and match solutions.
  • Standards are going to be more important and yes, SPML may get new life.
  • In some cases vendor products are ahead of where customers are in this space.
  • Identity services and identity as a service vendors are on the rise.

As an integrator I feel I'm pretty clued into what customers want, so a lot of what was said about quicker ROI on projects rang true. I'm also encouraged to hear discussions that standards are important and are being demanded by the wider community. Standards are the best way to offset the instability caused by tectonic vendor M&A activity. It will be good to see standards seep deeper into identity solutions and not just deal with external interconnect. Sure, it would be great for the industry if SPML were more widely adopted. I'll bet that customers would appreciate if workflows and user form configurations would be portable between vendors as well. That's where the real lock-in occurs.

I also jumped tracks a bit to attend virtualization, cloud computing, and social networking talks but this is a fairly frustrating exercise. Most of the talks here are short and packed tightly together. This format rewards those who just want to attend one track. However, it makes it difficult to attend complete talks in other tracks. If you decide you want to hear VMware and Citrix debate performance you are guaranteed to miss either the Q&A from the previous session or the beginning of the debate. Frankly that sucks. I've been to other conferences. I know you can't attend every session but it would be nice to have the sessions scheduled in a way where you can see the whole session. A short break between sessions also helps increase the "hallway" conversations, the conference within the conference if you will. This is really why we go to these things, no? I bumped into a few customers, partners, and friends here and it was difficult to even schedule time as we were running between rooms.

So far lots of good things going on here. I'm glad I came. Next year I've got to bring my partner out so we can tag team this thing. Too much to do for one person.

Wednesday, July 29, 2009

Catalyst09 Workshops

Much like other conferences I've attended in the past, the first couple of days at Burton Catalyst are dedicated to "deep-dive" workshops. These presentations are meant to impart more knowledge than a shorter presentation and they normally have more time for more Q & A. I attended three.

The first was on Active Directory Bridge products. This is the name being applied to software packages which allow UNIX systems to use Microsoft Active Directory for authentication and authorization. These products are important because they simplify the management of UNIX accounts for organizations that have any number of UNIX systems. I've produced a white paper on this topic which will be released soon which hopefully will give a more in-depth justification for why I think AD is an appropriate solution. The workshop was great. Mark Diodati did a great job of explaining and quantifying the space as well as identifying big players in this market: Centrify, Likewise, Quest, and Symark. [Full disclosure: My company is currently a Centrify partner.] The workshop included a demonstration of an installation of Centrify on a few hosts. As far as implementation and feature set go, I really like Centrify and always have. They are going beyond plain authn/authz and are trying to solve the bigger issues of audit and compliance. These are big issues for a lot of my clients. Yes, the other vendors are moving into these functional areas but Centrify has it all in one tightly integrated suite that is very simple to install. That last bit is important. It's very simple to install and deploy in large environments. After attending the workshop I'm even more convinced we made the right choice in partnering with them.

One other issue that came up from the Active Directory Bridge workshop was that some of the products support linking of different UNIX identities to a single AD account. This is mainly due to the fact that people may have different login names and UIDs on different systems. It's a fact of life in most organizations. While this feature is a deployment advantage it can be a bit of a problem when it comes to managing the identities long term and it may be difficult to audit this kind of environment once the Active Directory Bridge product is deployed. You can eliminate all of this by simply collapsing your UNIX namespace but that's a lot of work and could slow down your implementation. It was also pointed out that most provisioning systems can't support this type of account linking under the user's AD account since these entries are stored in other parts of the AD information tree. I'm glad this was discussed because we, i.e. HCM, have been working on a solution.
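An added example, not part of the original post and not HCM's or any vendor's code: a small audit that reads passwd(5) files collected from several hosts and reports the login/UID mismatches that stand in the way of collapsing the UNIX namespace. The host names, accounts and the `MIN_UID` cutoff are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: passwd(5) excerpts from three hypothetical hosts.
PASSWD_BY_HOST = {
    "web01": "jsmith:x:1001:100:John Smith:/home/jsmith:/bin/bash\n"
             "adavis:x:1002:100:Ann Davis:/home/adavis:/bin/bash\n",
    "db01": "smithj:x:1001:100:John Smith:/home/smithj:/bin/ksh\n"
            "adavis:x:2417:100:Ann Davis:/home/adavis:/bin/bash\n",
    "app01": "jsmith:x:1001:100:John Smith:/home/jsmith:/bin/bash\n"
             "bkim:x:1002:100:Bo Kim:/home/bkim:/bin/bash\n",
}

MIN_UID = 1000  # assumption: UIDs below this are system accounts


def parse_passwd(text):
    """Yield (login, uid) for each well-formed, non-system passwd line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # malformed entry or NIS "+" marker; skip it
        uid = int(fields[2])
        if uid >= MIN_UID:
            yield fields[0], uid


def audit_namespace(passwd_by_host):
    """Return the conflicts that block a single, collapsed UNIX namespace."""
    uids_for_login = defaultdict(lambda: defaultdict(set))
    logins_for_uid = defaultdict(lambda: defaultdict(set))
    for host, text in passwd_by_host.items():
        for login, uid in parse_passwd(text):
            uids_for_login[login][uid].add(host)
            logins_for_uid[uid][login].add(host)

    def conflicts(index):
        # Keep only keys that map to more than one value across hosts.
        return {key: {val: sorted(hosts) for val, hosts in vals.items()}
                for key, vals in index.items() if len(vals) > 1}

    return {"login_with_many_uids": conflicts(uids_for_login),
            "uid_with_many_logins": conflicts(logins_for_uid)}


if __name__ == "__main__":
    for kind, found in audit_namespace(PASSWD_BY_HOST).items():
        for key, mapping in sorted(found.items()):
            print(kind, key, mapping)
```

A UID shared by two different people (1002 in the sample) is the case to resolve first, since file ownership follows the number rather than the login name.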

The second workshop I attended was on Identity Provisioning led by Lori Rowland and Alice Wang. The provisioning market is maturing as evidenced by the good questions from and discussions by the participants. A few interesting nuggets surfaced here. The first was a statement by the Burton folks that given the purchase of Sun by Oracle and the exit of HP from the identity provisioning space that even well established players are not a safe bet. That seems to contradict the statement that the market is maturing. I think it rather signals that there is probably some upheaval coming in this space in the short term. Especially since no one really knows for sure what Oracle will do with all of the Sun identity products. The second important take away for me was Lori Rowland's information on justifying ROI and measuring the success of IDM projects. She espoused doing this at the head of the project and for implementors to get metrics up front to form a baseline. It's difficult and next to impossible to attempt to gather this data after the fact. Great advice.

The last workshop I attended was on advanced role management led by Ian Glazer and Alice Wang. The workshop was kind of like attending a theoretical physics class because most organizations haven't implemented roles and role-based provisioning. Most efforts to do so end in failure. This is a hard problem and while the workshop offered some good techniques for thinking about roles it really got me thinking more about how confused people are about roles. What we think is role management is really the aggregation of entitlements management, entitlement certification, and the collection of entitlements into higher levels of abstraction. This has really sparked some heretical thoughts in my mind. Are roles really necessary? Is there a better, simpler way? Don't we need just a better way to deal with entitlements? I think there may be a way using simple identity templates or entitlement stamps. Sure you could call the templates roles but somehow removing the R-word from the picture helps to de-politicize things doesn't it? It seems more grounded in reality. There are some details to work out. How does one not just aggregate entitlements when you change responsibilities within the organization? Who approves the content of the templates? There are more questions and I think I have some answers here. Lots of food for thought.

It's been a thought provoking couple of days. As a Catalyst noob, I'll have to see how the shorter format presentations compare but I've learned a bit over the past few days.

Sunday, July 26, 2009

Off to Catalyst 09

I'm headed for San Diego this afternoon. Yes, I know ComiCon was last week. Maybe next year. No, this year I'm attending the Burton Catalyst conference. It's the first year I'm attending. I'll be representing HCM and I'll let you all know how it goes. As a company that specializes in identity management and one that has started a budding practice around virtualization and cloud computing I'll be keen to see if I've been missing out all these years. In any case, if you're in San Diego for the conference I'd be glad to meet and share ideas over a few cold ones. I'm looking forward to the hallway conversations. See you there.


Saturday, July 25, 2009

TimeMachine backup failure fixed

My TimeMachine backups had been failing recently on all my client systems. All the computers in my house use TimeMachine to back up to a central volume served up by a Mac Mini. I found that my son accidentally renamed the backup volume on the server and my systems wouldn't mount the renamed volume. I changed the name back and things still wouldn't work. No matter what I tried I couldn't mount the backup volume from the client machines. It was odd because screen sharing worked just fine but the volume wouldn't mount. Checking the system console, I found the following error:

7/25/09 4:41:30 PM /System/Library/CoreServices/backupd[2400] FSMountServerVolumeSync failed with error: -128 for url: afp://steve@mrcrab.local/Drobo

Google searches turned up nada. I found a lot of errors related to FSMountServerVolumeSync failed but nothing referring to error -128. So I performed the only action I hadn't tried: rebooting the server. Lo and behold! I could mount the backup volume and all was right with my TimeMachine universe. Most folks may have just rebooted the server but I always attempt to correct things without rebooting. Sure I may have spent more time on the problem than someone willing to take that coward's way out, but in the process I fixed a few more issues I happened to notice lurking in the system log. I think my laptop is happier for the effort and hopefully this post will help those Googling for the dread -128.


Monday, July 06, 2009

Separated at Birth?

zach gio. Mom is there anything you want to tell me?