Much like other conferences I've attended in the past, the first couple of days at Burton Catalyst are dedicated to "deep-dive" workshops. These presentations are meant to impart more knowledge than a shorter presentation, and they normally have more time for Q & A. I attended three.
The first was on Active Directory Bridge products. This is the name being applied to software packages which allow UNIX systems to use Microsoft Active Directory for authentication and authorization. These products are important because they simplify the management of UNIX accounts for organizations that have any number of UNIX systems. I've produced a white paper on this topic, to be released soon, which will hopefully give a more in-depth justification for why I think AD is an appropriate solution. The workshop was great. Mark Diodoti did a great job of explaining and quantifying the space as well as identifying the big players in this market: Centrify, Likewise, Quest, and Symark. [Full disclosure: My company is currently a Centrify partner.] The workshop included a demonstration of an installation of Centrify on a few hosts. As far as implementation and feature set go, I really like Centrify and always have. They are going beyond plain authn/authz and are trying to solve the bigger issues of audit and compliance. These are big issues for a lot of my clients. Yes, the other vendors are moving into these functional areas, but Centrify has it all in one tightly integrated suite that is very simple to install. That last bit is important. It's very simple to install and deploy in large environments. After attending the workshop I'm even more convinced we made the right choice in partnering with them.
One other issue that came up from the Active Directory Bridge workshop was that some of the products support linking of different UNIX identities to a single AD account. This is mainly due to the fact that people may have different login names and UIDs on different systems. It's a fact of life in most organizations. While this feature is a deployment advantage, it can be a bit of a problem when it comes to managing the identities long term, and it may be difficult to audit this kind of environment once the Active Directory Bridge product is deployed. You can eliminate all of this by simply collapsing your UNIX namespace, but that's a lot of work and could slow down your implementation. It was also pointed out that most provisioning systems can't support this type of account linking under the user's AD account since these entries are stored in other parts of the AD information tree. I'm glad this was discussed because we, i.e. HCM, have been working on a solution.
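As an added example (not from the post, and not code from any of the vendors named), the small audit below shows the kind of pre-deployment check this problem calls for: given per-host passwd entries and a mapping of who each UNIX login belongs to, it reports which AD accounts would need several UNIX identities linked to them, and which UIDs are owned by different people on different hosts and so block a naive namespace collapse. The hostnames, passwd lines and the login-to-AD-account mapping are all constructed.

```python
# Added example: audit per-host UNIX account data for the namespace
# inconsistencies that force an AD Bridge to link several UNIX
# identities to one AD account. All data below is constructed.
from collections import defaultdict

# Constructed /etc/passwd fragments, keyed by hostname.
PASSWD_BY_HOST = {
    "web01": ["jsmith:x:1001:1001:John Smith:/home/jsmith:/bin/bash",
              "adoe:x:1002:1002:Ann Doe:/home/adoe:/bin/bash"],
    "db01":  ["smithj:x:5001:5001:John Smith:/home/smithj:/bin/ksh",
              "adoe:x:1002:1002:Ann Doe:/home/adoe:/bin/bash"],
    "app01": ["jsmith:x:1002:1002:John Smith:/home/jsmith:/bin/bash"],
}

# Constructed (host, login) -> AD account mapping; in practice this comes
# from HR data or a manual review of each host's accounts.
AD_ACCOUNT = {
    ("web01", "jsmith"): "CORP\\jsmith",
    ("db01", "smithj"): "CORP\\jsmith",
    ("app01", "jsmith"): "CORP\\jsmith",
    ("web01", "adoe"): "CORP\\adoe",
    ("db01", "adoe"): "CORP\\adoe",
}

def audit_namespace(passwd_by_host, ad_account):
    """Return (identities, uid_conflicts): identities maps each AD account
    to its sorted distinct (login, uid) pairs (more than one means linking
    or a namespace collapse is needed); uid_conflicts maps each UID that
    belongs to different people on different hosts to those AD accounts."""
    identities = defaultdict(set)
    uid_owners = defaultdict(set)
    for host, lines in passwd_by_host.items():
        for line in lines:
            login, _, uid, *_ = line.split(":")
            # Logins with no known owner are surfaced rather than dropped.
            owner = ad_account.get((host, login), f"UNMAPPED:{host}/{login}")
            identities[owner].add((login, int(uid)))
            uid_owners[int(uid)].add(owner)
    uid_conflicts = {u: o for u, o in uid_owners.items() if len(o) > 1}
    return {k: sorted(v) for k, v in identities.items()}, uid_conflicts

def needs_linking(identities):
    """AD accounts that map to more than one UNIX (login, uid) pair."""
    return sorted(acct for acct, ids in identities.items() if len(ids) > 1)

if __name__ == "__main__":
    ids, conflicts = audit_namespace(PASSWD_BY_HOST, AD_ACCOUNT)
    for acct in needs_linking(ids):
        print(f"{acct}: must link {len(ids[acct])} UNIX identities: {ids[acct]}")
    for uid, owners in conflicts.items():
        print(f"UID {uid} is owned by different people: {sorted(owners)}")
```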
The second workshop I attended was on Identity Provisioning, led by Lori Rowland and Alice Wang. The provisioning market is maturing, as evidenced by the good questions from and discussions by the participants. A few interesting nuggets surfaced here. The first was a statement by the Burton folks that, given the purchase of Sun by Oracle and the exit of HP from the identity provisioning space, even well-established players are not a safe bet. That seems to contradict the statement that the market is maturing. I think it rather signals that there is probably some upheaval coming in this space in the short term, especially since no one really knows for sure what Oracle will do with all of the Sun identity products. The second important takeaway for me was Lori Rowland's information on justifying ROI and measuring the success of IDM projects. She espoused doing this at the head of the project and having implementors get metrics up front to form a baseline. It's difficult and next to impossible to attempt to gather this data after the fact. Great advice.
The last workshop I attended was on advanced role management, led by Ian Glazer and Alice Wang. The workshop was kind of like attending a theoretical physics class because most organizations haven't implemented roles and role-based provisioning. Most efforts to do so end in failure. This is a hard problem, and while the workshop offered some good techniques for thinking about roles, it really got me thinking more about how confused people are about roles. What we think is role management is really the aggregation of entitlements management, entitlement certification, and the collection of entitlements into higher levels of abstraction. This has really sparked some heretical thoughts in my mind. Are roles really necessary? Is there a better, simpler way? Don't we just need a better way to deal with entitlements? I think there may be a way using simple identity templates or entitlement stamps. Sure, you could call the templates roles, but somehow removing the R-word from the picture helps to de-politicize things, doesn't it? It seems more grounded in reality. There are some details to work out. How does one not just aggregate entitlements when you change responsibilities within the organization? Who approves the content of the templates? There are more questions, and I think I have some answers here. Lots of food for thought.
It's been a thought-provoking couple of days. As a Catalyst noob, I'll have to see how the shorter-format presentations compare, but I've learned a bit over the past few days.