Thursday, December 28, 2006

VMWare for Mac in beta

It's about time VMWare got their act together and released a version of their software on Mac (even if it's only in beta release)! Of course, I didn't care about this before I actually bought a Mac.

Previously, there were only 2 ways of running Windows on a Mac:
  1. Using Apple's boot camp (which installs Windows natively on the machine)
  2. Using Parallels Desktop for Mac, which is a VMWare competitor and beat them to the punch in stitching up Mac users who wanted to run a virtualised environment.
Why am I posting about this? Because running a virtualised environment is much easier than installing an OS from scratch natively - not because it's hard to install but because it's annoying having to reboot to change operating systems. In a virtualised environment, it's as simple as firing up the virtualisation software (if you can't tell yet, I'm a long time VMWare user).

Oh, the other thing is that you have to pay for Parallels. VMWare has a free version of their product, and we all LOVE free (although I'm not sure if VMWare intend on charging for the Mac version once it's out of beta).

Friday, December 22, 2006

My first post using my new MacBook Pro

This post isn't really identity related (although one could argue that one's mobile phone and choice of notebook says a lot about one's personality and sense of identity, but I digress), but it is somewhat technology related.

So I decided to buy myself a Christmas present and went for the MacBook Pro 15-inch. And boy is it a powerful piece of technology: Intel Core 2 Duo 2.33GHz processor, 2GB RAM and ATI Mobility Radeon X1600 graphics card with 256MB of GDDR3 SDRAM.

It is by far the best looking notebook on the market as you would expect from Apple. I considered other notebooks but ultimately went for the MacBook Pro because of the power and the looks. Of course, if it didn't contain an Intel chip and wasn't capable of booting up in Windows, I would never have considered it...not because I want to use Windows, but because I need Windows to play games. Games are also the reason I forked out the $$$s for this thing, otherwise the plain old MacBook (at half the price) would have been good enough.

So far, I'm quite impressed. Apart from having to get used to Mac OS X, it's really quite nice. I expected usability and I certainly got it. Initial setup was a breeze. No need for banging my head against the wall or trying to pull my hair out. It was nice to have technology just work. The only annoying thing so far (and it really is just a little thing) is that the keyboard doesn't have the "End" key that takes you to the end of the line when you're typing. I use that quite often and not having it there is kinda bugging me. Maybe it's there and I need to hit some weird combo of the "apple key" and some other key. For now, I just have to use the mouse or the arrows to move me manually to the end of the line. (Ed Note: I finally found the "End" key. It's on there, I just didn't look closely enough. To use it, I have to use the "apple key" and the right arrow button together.) Apart from that, I'll probably be using the Mac OS as my default environment and only use Windows whenever I REALLY have no other option. At this stage, I'm expecting this to only occur when I want to load up my games.

Apple's also made it relatively easy to load Windows up on a Mac with their Boot Camp beta, so at least I have a "Mac newbie" way of doing it.

As for why I needed a new notebook when I already had one (I actually had 2)...2 reasons:
  • It's about time I had my own notebook to do my personal things on.
  • I'm about to lose the 2 notebooks in a month or 2 because they are technically not mine. ie. They belong to the company I work for. So I would have been without a machine in the near future if I didn't take a proactive approach to things. Why will I be losing the work notebooks? You can probably guess...but more on that in due time.
Now...I guess I'd better go get that Windows XP CD...

Monday, December 11, 2006

Attempts to consolidate my online identity brand

I've started to take an interest in this concept of a personal online identity brand lately. I first mentioned it a few posts ago here. It's interesting to me because:
  • It's fairly new.
  • It's a form of identity management, but with a very strong marketing focus.
  • It makes one look at identity from a non-technical perspective.
  • It elevates the concept of identity commonly mentioned amongst the technical community to something that the average Joe can identify with.
  • It further "rounds out" the concepts around our "digital identity".
  • One day, someone may offer you a job because of your online identity brand.
  • One day, you may be fired because of your online identity brand.
What got me thinking about this again today was a news story on titled "Send us a resume and URL". I'm starting to see this take effect on a more personal level hence heightening my interest.

I get unsolicited emails and phone calls from companies and recruiters asking about my interest in roles they have that they want me to consider. I usually have no idea how they get this information as I'm not applying for any jobs explicitly. Hence they must be doing it some other way. I've started to ask these people where they get my details and it is probably no surprise that a fair few are from personal referrals and people who know me or at least know of me (my day job gives me some level of a public profile in the technical community).

However, there seems to be an increase of people (not just locally, but overseas as well) who say they found my details via online social/business networking sites like and the like. It's no surprise that Internet savvy recruiters love business networking sites such as as it gives them a new channel and transparency into the masses out there that they would have never dreamed of gaining via traditional means. This trend will only continue as time passes and recruiters research new ways to gain a competitive advantage over their competition for talent.

If recruiters can gain access to potential candidates via publicly available information, this obviously has implications with regards to prospective employers and people in general who may want to know something about you. I won't even begin to talk about the privacy implications here, but in most cases you give up a level of privacy if you choose to disclose information about yourself online. In these cases, it's simply your own fault. But what about the information you have no control over and things that have been posted about you without your knowledge? This is the reason we're starting to see an uprising of companies who claim they can "manage your online brand" and help you erase any negative information out there. My question to them is simply how do they expect to have the ability to erase anything about anyone on the public Internet where information you want to erase is more than likely not within your control? Are they really expecting that the site owners will remove the information if they ask nicely? Are they going to threaten legal action? How are they expecting to prove that the information is incorrect? Sites have every right (in most cases) to publish information they deem to be accurate - especially if we've clicked the "I agree to give up all ownership of any information I give you to allow you to publish it however you choose" button that is a prerequisite to sign up to most sites out there. You know, the terms and conditions text box we NEVER read! Who's going to pick up the bill? The consumer? It's just a legal, potentially costly minefield. In other words, it's a very difficult thing to attempt to do without some form of standardisation.

Let's expand on this and look at identity theft. I'm not talking about the commonly known term you see in the news nowadays where someone steals your details to get access to your bank account or credit card details or whatever else is of value so they can commit fraud and cost someone (hopefully not you) a lot of money and in the process profit from it. I'm talking about stealing your online identity brand. What if someone claims to be you and signs up to all sorts of things all over the place under the guise of claiming to be you? They are never challenged. How can you get that back? Our online identity brands are much easier to steal than our bank account details. The losses we incur may not be financial (at least not directly) but what if we lose a job because of false information out there about ourselves? Can we call it financial loss then? It's certainly personally damaging one way or another.

Companies such as ClaimID are attempting to address some aspects of this issue by giving you a place to point people at for anything and everything you know about yourself online. It's essentially just a page of links that relate to you. Profiles, books, blogs, photos, comments, references to you in articles etc. The thing about ClaimID is that you have to find all the information about yourself, by yourself. No 3rd party is going to do it for you unless you pay them. e.g. InfoSearch media as mentioned in this press release. It's easy to link to information about yourself, meaning I can "claim" information about someone else to be mine. For example, in my case, there's a rather well known doctor who is an expert in nutrition and weight loss with the same name as me. I could simply just link to all the information about him and claim I'm this doctor. I have to give ClaimID some credit in attempting to get around this issue by using the concept of a verified link. The problem I have with the way they do it is that I need to have the authority to edit the web page I'm linking to because the way they do the verification is by searching for a specific unique "MicroID" that tags the page as yours...or at least tags it to be owned by your ClaimID identity/brand. Anyone see the biggest problem here? Well, I really only have control over a handful of pages out there. The other ones I have no say over. Meaning they can never be verified unless I manage to convince the site owner to embed the relevant MicroID into the site. In other words, the problem isn't really solved. Anyone can still say they are anyone else because it's difficult to have a properly verified link and people will simply ignore the "verified link" concept. I'm not trying to put ClaimID down in any way. In fact, I'm quite appreciative that they are at least trying to do something about it. 
I'm merely pointing out that this is not an easy problem - especially when your online identity brand is so easily stolen. Anyone who can turn on the computer and fire up a browser could do it.
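To make the "verified link" limitation concrete, here is an added example (my own code, not the post's and not ClaimID's): a MicroID token is computed for an (identity, page) pair and a verifier checks whether the page actually carries it. The identity and page URIs and the HTML are constructed, and the hash construction (SHA-1 over the concatenated SHA-1 hex digests of the identity URI and the page URI, prefixed with "mailto+http:sha1:") is my reading of the MicroID spec, not something the post states.

```python
import hashlib
import re

# Constructed sample data (not from the post).
MY_IDENTITY = "mailto:someone@example.com"      # the identity a ClaimID-style profile is built on
IMPOSTOR_IDENTITY = "mailto:impostor@example.org"
MY_PAGE = "http://example.com/about-me"         # a page I can edit
DOCTOR_PAGE = "http://example.net/dr-someone"   # a page about the doctor with my name; I cannot edit it


def microid(identity_uri: str, page_uri: str) -> str:
    """Return the MicroID token binding identity_uri to page_uri.

    Construction as I read the MicroID spec (an assumption, not from the post):
    sha1 over the concatenated hex SHA-1 digests of the identity URI and the
    page URI, prefixed with the URI schemes and the hash name.
    """
    inner = (hashlib.sha1(identity_uri.encode("utf-8")).hexdigest()
             + hashlib.sha1(page_uri.encode("utf-8")).hexdigest())
    return "mailto+http:sha1:" + hashlib.sha1(inner.encode("utf-8")).hexdigest()


def microid_meta_tag(identity_uri: str, page_uri: str) -> str:
    """The <meta> element a page owner embeds to claim the page for an identity."""
    return '<meta name="microid" content="%s">' % microid(identity_uri, page_uri)


_META_RE = re.compile(r'<meta\s+name="microid"\s+content="([^"]+)"', re.IGNORECASE)


def page_is_verified(identity_uri: str, page_uri: str, html: str) -> bool:
    """Verifier's side: look in the fetched page (given inline here) for the token
    that binds THIS identity to THIS page. No tag, or a tag for another identity, fails.
    Only someone who can edit the page can make this succeed, which is the post's point."""
    expected = microid(identity_uri, page_uri)
    return expected in _META_RE.findall(html)


# Constructed pages standing in for what a verifier would fetch.
MY_PAGE_HTML = ("<html><head>%s</head><body>About me</body></html>"
                % microid_meta_tag(MY_IDENTITY, MY_PAGE))
DOCTOR_PAGE_HTML = "<html><head><title>Dr. Someone, nutrition expert</title></head></html>"


def demo() -> dict:
    """Three claims: my own page (verifiable), an impostor claiming my page (not),
    and me claiming the doctor's page, which I cannot tag (not)."""
    return {
        "my_page_claimed_by_me": page_is_verified(MY_IDENTITY, MY_PAGE, MY_PAGE_HTML),
        "my_page_claimed_by_impostor": page_is_verified(IMPOSTOR_IDENTITY, MY_PAGE, MY_PAGE_HTML),
        "doctor_page_claimed_by_me": page_is_verified(MY_IDENTITY, DOCTOR_PAGE, DOCTOR_PAGE_HTML),
    }


if __name__ == "__main__":
    for claim, ok in demo().items():
        print(claim, "verified" if ok else "unverified")
```

Note that an unverified link is still a link: nothing here stops anyone from listing the doctor's page on their own profile, only from having it marked as verified.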

One could argue that Google is the main source of our online identity brand. Most of the world uses it as the starting point for search. Most people have "Googled" themselves at some point. Most importantly, other people have also "Googled" you at some point in time (e.g. employers). How do we attempt to "control" our online identity brand in the more generic sense? Unless ClaimID becomes some sort of standard (I'm sure they'd be extremely happy if that happened) and they improve some of their processes (e.g. the verification step), we've got this potentially large (I won't say huge...yet) problem on the horizon that no one has started to look at solving properly yet. Or to put it another way, we've got a few companies out there trying to do something about this in isolation, but we know what happens when things get done in isolation don't we? They don't get solved...or they take a VERY LONG TIME to come to some sort of resolution because we end up with many different methods to do the same thing.

The point I'm trying to make is that in this case, it's our reputation at stake. One could argue that our reputation is worth more than anything financial. It's MUCH more difficult to recover from a damaged reputation than it is to recover from a financial loss.

I don't claim to have the answers, but I'll continue to ponder the issues and comment on them from time to time. I'm simply stating that this is on the horizon and will need to be looked at. Anyone want to put their hand up? You guys at Google labs reading this (ha! I can only hope) want to volunteer?

Wednesday, December 06, 2006

Identity & Access Management products and customers - a list

A common question from people interested in the Enterprise Identity & Access Management space is "which customers use this product"? So I thought I'd take a step towards helping figure this out.

I've compiled a list of products and the customers using them. This is not a full list. It is simply one I compiled using publicly available information on the web. Each entry in the list should have a link to the relevant article I found.

I'll have a permanent link on the right side of my blog so it's always available. I figured it was better than relying on people having to dig up this post to get to the list every time (unless you've bookmarked the list directly of course).

Increased competition in the Enterprise Identity Management space

The recent spate of announcements made by the large Enterprise Identity Management (IDM) vendors has made the competitive landscape very interesting for the suite vendors (IBM, Oracle, CA, BMC, Sun, HP).

Oracle just released (OK so it was in August, but that's still quite recent) version 10g release 3 of their IDM suite with much more tightly integrated components and increased functionality.

The very recent Gartner Identity and Access Management summit has also yielded announcements from HP and CA. HP has announced increased functionality in their suite, although I'm not convinced they are that integrated yet. Their focus has not been on their IDM business and as a result, they've taken a little longer to integrate all their acquisitions. CA announced new versions of the major products in their suite. They coupled this with the announcement of an OEM agreement with Ping Identity to incorporate their federation technology into the eTrust SiteMinder product. They're also further along in their acquisition integration journey than some of the other vendors so by now they have probably gotten their act together and have an integrated suite to rival IBM. It'll be interesting to see what happens in the next year or so in this space with IBM yet to announce new versions of their products this year (other than the new Tivoli Federated Identity Manager Business Gateway for SMB).

Next move, IBM? Or maybe some kind soul will finally integrate Sun's suite for them as they've pretty much "Open Sourced" everything. They can only hope.

Tuesday, December 05, 2006

Manage your online identity brand -the final frontier?

Much of the work being done in the area of identity is centred around the following areas:
  • Enterprise Identity Management (e.g. Provisioning, Access Controls, Authentication, Single Sign On)
  • User Centric Identity (e.g. Microsoft CardSpace, OpenID, Sxip)
Both have everything to do with IT systems. In other words, they are concerned with trying to identify who you are, what you can get access to, how you can easily get access to other things (propagation of identities between systems), personal identity related information you provide and how this is protected, amongst other technology related things.

There's also quite a few sites out there that claim to help you manage your reputation. After all, your identity is directly related to what people think about you. It's not about who you think you are - it's about who other people think you are. This directly relates to trust and integrity of you as a person. The more respect you have (ie. the better your reputation), the more likely it is that people will listen to what you have to say (Side note: Google's famed "PageRank" algorithm is actually based on the "apparent reputation" of pages. The better a page's reputation, the higher it is on the list of search results). At this stage however, work around the "reputation area" is a little bit less focused on than identity and as a result it's a bit of a "wild wild west" when it comes to this topic. There has not been as much effort around consolidating and standardising the efforts being made around reputation. It's the typical cycle I suppose. Reputation is in the infant stages of development and everyone has their own way of trying to solve the issues. Heck, we're still trying to figure identity out. I'm sure this will eventually be done...once we sort out identity. This brings us to a rather interesting issue though. How do we control what people say about us? What if it's untrue? What if there's information out there in the great unwashed Internet that we don't want anyone to know about? How do we protect our "personal brand"?

I came across an announcement by InfoSearch Media that claims to do just this. It is yet to be released (Q1 2007 apparently), but it seems appropriate that a company that deals with marketing and content would come up with such an offering. There's probably going to be a need for this from a marketing perspective initially, but it only makes sense that this ties in with all the work around the other areas of Identity Management eventually. It rounds out the identity picture. After all, there are many individuals out there whose "personal brands" are the key to their livelihood. High profile celebrities come to mind, but this could apply to the average Joe. What if you did something in your younger days that you regretted and had the photos posted on a site you did not have control over? Even if you did, the Google search engine would probably still have the offending copy of the site in its publicly available cache. What this "personal brand identity management" does is take the whole identity concept to the next level. It aims to help to figure out what the Internet says about us as individuals and provide a way to somehow control that information. I have no idea how InfoSearch Media are going to do this because we don't really "own" the information out there. At least not in the traditional sense. It's our identity data yes, but those constant "privacy policy disclaimers" we click blindly usually result in giving up our rights to the 100% ownership of the data that we provide the 3rd parties. So even if we know what's out there, how do we prevent the dissemination of that data? With this in mind, it's no easy task. In fact, Google probably has the best shot at doing this properly given that they are the "access point" into the Internet for most of us. Maybe they're doing this as a beta project. Who knows.

With this in mind, it looks like the whole identity journey has a ways to go...even more than most originally thought:
  • Step 1: Enterprise Identity Management - We're only starting to solve this one.
  • Step 2: User Centric Identity - We're beginning to understand this, but we're a long way from solving it.
  • Step 3: Reputation - There's a small percentage of disconnected companies and entities trying to think about this, but we probably won't even be able to get started properly on this for awhile.
  • Step 4: Personal Brand Identity - This is going to be much harder to solve and it's probably going to be a long time before we even scratch the surface here. Where would we even begin to solve this one? Is Google the answer? Perhaps.
In the meantime, the rest of us can continue to work on our metaphysical identity...on the age-old philosophical questions that have been around since the dawn of time - "What am I put on this earth to do? What is my purpose? What is my personal Identity?" Few of us will ever find the answer to these questions I'm afraid.

Entitlement Management is NOT a new concept

There seems to be a fair bit of hype and marketing about the supposed "new" area of Identity Management called "Entitlement Management" and a particular startup called Securent., NetworkWorld and DigitalIDWorld (to name a few) have all talked about it as being the "new frontier", even suggesting that Securent is the only startup in this area.

I beg to differ and I'd be willing to bet any vendor or startup out there dealing in network or application access control will no doubt have something to say about that. It's just that it hasn't been marketed well enough in the past. This type of "entitlement management" technology has been around for YEARS. In fact, many of the access management products on the market are built on this type of idea and most offer APIs to allow the externalisation of entitlements. The only thing missing with many of the existing products out there is an XACML interface into them - and I dare say this is being rectified in a hurry.

All the hype-mongers out there should look a little deeper into the solutions out there before "announcing" the arrival of the "next big NEW technologies" and further adding to the hype. Perhaps organisations are starting to take a look at "entitlement management", but it's not new. The only thing that's happening at the moment is that marketing is catching up with the technology. Maybe the marketing departments have leaped on this concept as the next thing to go after because most of the other areas have been marketed to death.

It kind of makes sense because vendors are now beginning to work their way down the application stack in the identity space. Perhaps market research has also helped determine that the security maturity lifecycle of organisations is at this stage in their identity and access implementations. Regardless of the reason, the industry seems to have reached the point where it makes sense to specifically market fine-grained authorisation as a key component. In the past, this was simply "value-add". goes so far as saying some vendors don't have solutions in the "entitlement management" space and singles out IBM in particular. The writer of that article should really do his research a bit better. I have a tip for him - go read up on IBM Tivoli Access Manager.

Friday, December 01, 2006

Top 10 Tech Leaders

Sage Research and NetworkWorld did a survey earlier this month of the top 10 technology companies. The survey rated the companies against the following categories:
  • Executive Management Leadership
  • Leadership Qualities
  • Customer Service
  • Key Technology Industry Leader
  • Product Excellence
  • Strategic Supplier
  • Sales Experience
  • Technology Vision Leadership
  • Whether respondents were likely to buy from the vendors within a year
The top 10 companies in each of these categories can be found here as a slide show.

Survey participants were gathered from a combination of NetworkWorld subscribers who are also decision makers within their respective organisations and Sage Research's Technology Panel members. The top 10 overall companies pretty much rated in the top 10 for each category. Overall standouts were:
  • IBM
  • Cisco
  • Apple
From a vendor's perspective however, I'd be MOST interested in the "whether respondents were likely to buy from the vendors within a year" category. Sure, it's nice that people think a vendor is great at customer service, has good technology and has strong executive leadership - but are they going to buy anything anytime soon?! With this in mind the following things jumped out at me:
  • Cisco rated highly everywhere and rated highly on the "likely to buy" list.
  • Microsoft doesn't rate in the top 5 anywhere except for being 2nd on the "strategic supplier" list and 1st in the "likely to buy" list!
  • IBM rates top 3 almost everywhere EXCEPT on the "likely to buy" list. It is 5th here.
  • Apple rates similarly to IBM and Cisco, BUT is NOT in the top 10 on the "likely to buy" list.
So am I to conclude the following:
  • Cisco is doing just fine.
  • Microsoft have ruled our desktops for so long that our laziness and aversion to change have made us accept that even though we don't like them, at least we know that to shut down we have to click the "start" button and if anything stops working, just reboot.
  • Are IBM too expensive for our tastes? Otherwise I don't know why it's not in the top 3 of the "likely to buy" list.
  • Apple have GREAT marketing and design departments and their stuff is VERY cool...but would you use a frigging MacOS? How are we supposed to play games?!
Read the full article for yourself here.

Thursday, November 30, 2006

Oracle announces identity governance framework

Oracle announced a project around managing the proliferation of identity information across the enterprise. They called it...wait for it...the Identity Governance Framework (IGF). Hmmm, no points for creativity here. At least it's clear.

Apparently the goal is to hand this over to a standards body like OASIS or Eclipse eventually. It also has the support of the following vendors:
  • Ping Identity
  • Sun Microsystems
  • Securent
  • CA
  • Novell
There are 2 notable absentees: IBM and Microsoft. Maybe they're taking a "wait and see" approach. After all, this might go nowhere. Stranger things have happened before.

Update 8 Feb 2007: Oracle released this to the Liberty Alliance royalty free.

Wednesday, November 29, 2006

Commoditisation of Federated Identity software

Federated Identity software products will be commoditised. OK, so I'm not saying anything anyone couldn't have figured out for themselves. But this will happen much sooner than many of us expect.

Most software eventually goes the way of commoditisation unless the vendor innovates to the point where it morphs into something different. I won't even mention hardware as this market is largely commoditised and vendors are having to differentiate themselves using "bells and whistles" like performance improvements and aesthetic qualities (e.g. an Apple Mac laptop).

Back to software...

Take the following obvious examples of recent times:
  • HTTP web servers
  • J2EE application servers
  • Relational databases
  • LDAP servers
We can probably all agree that these are all pieces of critical software infrastructure that form the basis of many of our IT environments. Microsoft is a different proposition. It is its own market and should be treated as such. Why? Because they are not known for interoperability. If you buy Microsoft, you will typically have non-commoditised products because they operate the "Microsoft way". ie. they are not like the other products on the market simply because they refuse to be. I don't mean this in a good way of course. It is simply a fact and makes life harder for the IT community at large because of it (unless an organisation goes 100% Microsoft - which is essentially Microsoft's preference).

So why did all these examples become commoditised? Not only did they become commoditised, they did it very quickly. There are 2 common threads between all of them:
  1. They are all essential building blocks for most IT environments.
  2. They all conform to standards.
Point number 2 is the key. The reason for the fast and widespread success of these technologies is the exact same reason why they became commodities so quickly. Open, standardised interoperability begets almost forced implementation of the relevant accompanying technology to "keep up with the Joneses". If you wanted to be able to "e-business-enable" your organisation, you had better have an easy way to lower ongoing development costs and reduce the risks involved with implementing ever-evolving technologies. Standardisation does that. Every software vendor of note wanted in. They saw these technologies as key pieces of software that would allow them to seed more software on top of them. The operating system wars of years past were now being fought on a "higher plane" further up the application stack. These technologies put together have become the "operating system" of everyone's "e-business". As far as vendors were concerned, it would cost more in the longer term to NOT be in the game.

So it didn't matter that vendors did not make money from these technologies, as long as it meant they had a seat at the table for future software evaluation activities. In fact, most vendors give their LDAP and web servers away for free, with application servers just trailing behind in the "free stakes". Relational databases aren't explicitly free, but they are usually given away as part of another software offering. Or if someone is willing to go for the SMB option, they could download the open source relational database.

In the Identity and Access Management arena, LDAP plays a big part. Like I said, this is usually free. Moving up the stack, we get to the meta-directories, synchronisation, provisioning and access control tools. It's been said for quite a while that the access control solutions around have become commodities. To an extent, that is true. But that's simply what it looks like from the outside. The real reason in my opinion is that IBM Tivoli and CA Netegrity own most of the access control/application reverse proxy market. So if you talk access management, you've probably "standardised" the Tivoli way, or the Netegrity way. I know I'm ignoring RSA ClearTrust, but they have a MUCH smaller market so I'm treating them as a non-factor. In other words, this "commoditisation of access control" is only a perception. I dare say that's not really the case. Can you say "I want an access management solution so I'll do a design and just buy the cheapest product out there and my design will work"? Hell no! You could however, say this if you're talking about an LDAP design or a J2EE design (yes I know there are small differences between each vendor's implementation, but these end up being configuration, deployment/infrastructure and tuning tweaks rather than real business design issues). In other words, access management solutions are not really commoditised. They just seem to be because of the total market domination of IBM and CA in this space. I dare say, it'll be a while before they truly become commoditised (disclaimer: "a while" in the IT world is not really that long - I'm just saying this bearing in mind that we're talking within the IT context). XACML will need to be widely adopted and implemented in all access management products before we can say this area is anywhere near being truly commoditised. As for the meta-directories, synchronisation and provisioning tools, it may be a while longer before we see commoditisation of these things.
The next one after access management will probably be provisioning. Why? SPML goes some way towards some sort of standard. Even so, all that does is to give us a standard way to talk to the provisioning endpoints. It does not standardise the provisioning policies, processes, transactions, workflows, roles, delegation, reporting, audit and compliance requirements (and so on) and how they are implemented. ie. all the important business things. So, we have a ways to go here.

Back to my point. The next piece of technology in the Identity space to be commoditised (even before the access management products) will be the Federated products. The reason? Standardisation of the protocols. Yes I know we have a few around today:
  • WS-*
  • Liberty
  • SAML
  • Shibboleth
So there are 4 at the moment. This will very quickly become 2: Microsoft, and the rest of us. So what else is new? Shibboleth is the BIG thing in education circles, but it's essentially SAML 2.0 with some extra bits. Liberty is also a subset of SAML 2.0. So, what are we going to be left with? SAML and WS-*. Non-Microsoft vs Microsoft. Much like J2EE vs .NET. What this means is that we'll be left with everyone being able to "speak" SAML, some being bilingual and able to translate between SAML and WS-*, and Microsoft only being able to converse in WS-*. So with everyone being able to interoperate (sort of), organisations will be left with 2 decisions to make. Which protocol to use (maybe both) and which vendor's product to buy or download for free. e.g. if I want to use SAML 2.0, I just need to pick a vendor that supports it. In other words, any vendor not named Microsoft. This means my decision will centre around the price, support agreements, company stability (whether I like them and if I think they'll still be around tomorrow) and business relationships I have with the vendor. Nothing technical in my decision making process. Of course, all the vendors will argue scalability, reliability, product maturity, ease of deployment, references, happy customers, blah blah blah - which is exactly what hardware manufacturers do. Sounds like a commodity to me!

All the identity vendors are in the federation game of course (there's also a few niche players out there like Ping Identity). They can't afford not to be - except this time, they are positioning Service Oriented Architecture (SOA) as the endgame and saying that Federation is the key to security in the SOA world (it is of course key...if we're talking about identity exchange, propagation and trust - but there's more to security than just identity). So starting at the SOA and web services layer to get the "foothold", they are instead working down the stack. With this, vendors can now work at potential customers from both ends of the application stack. For example, if someone buys the application server, the vendor sells software up the stack leveraging the application server. If someone buys the SOA and federated stuff, vendors simply sell down the stack and push the "tight coupling" and "close integration" aspects of the non-commoditised software products.

I dare say, in a year or 2 the federated identity landscape may look like this:
  • JBoss application server will support SAML federation natively (JBoss is already working on JBoss Federation SSO using a SAML token. It's all Open Source, the JBoss way).
  • BEA WebLogic will follow suit (BEA doesn't have identity products).
  • Microsoft will WS-* the hell out of anything and everything and include lots of "CardSpace working with WS-*" examples to "quick start your customer applications".
  • Apache Geronimo will have some sort of SAML federation extension.
  • Oracle Application Server will ship with Oracle Identity Federation "light".
  • WebSphere Application Server will have IBM Tivoli Federated Identity Manager "express" natively installed.
So which application server do you want? Hopefully it'll dawn on us at the time when we're all feeling a sense of deja-vu why it is so.

Wednesday, November 15, 2006

Yet more bank stupidity

I wasn't happy with the bank's answer that I could not transfer EVERYTHING from my old credit card to my new one (refer to my post on this issue) so I rang again for a 2nd opinion on the off chance that I'd be able to get someone to actually do it for me (either due to lack of training, or more training depending on how experienced the person I talked to the other day was).

As usual, I had to authenticate myself verbally and proceeded to explain to the person on the other end of the phone my situation. I should just record my explanation and replay it back to them each time. I've called them enough times to warrant such an action. Much to my surprise, the customer service representative I spoke to told me I could actually do it! I asked "does this mean my credit limit, balance and reward points get combined too?" He responded with a "yes". I then asked if it would cost me anything. He assured me it wouldn't. So he proceeded to do whatever it was that needed to be done in their crappy system and asked if I would mind being put on hold. I agreed. Next thing I knew, I was cut off. Now I don't know if it was because the telephone company coincidentally decided to cut me off at that particular point in time or if it was because he simply hit the wrong button. I'm inclined to think it was the latter. I waited for a few minutes to see if he would call me back (they have my number). Nothing! I wasn't surprised.

I'm quite used to bad service from this bank now, so I just called them again and had to authenticate myself once again (although this time, I knew the drill too well and gave them all the answers before they asked the questions - so they decided I sounded dodgy and asked me more questions) and explain the situation...again. This time however, I was told that I could NOT transfer EVERYTHING. I simply had to use all my points and then cancel the old card. This was what they told me before. I wish they could just get their story straight!

At this point, I'd had enough of the bank's crap and insisted that I was told by them it could be done. I decided I would settle for simply having my points transferred to my new account. Anything else just seemed too difficult for them. I eventually managed to get them to transfer me to their rewards department...whom I also had to explain my story to again! Once that was done, they somehow could not see that I had another card with them (although the customer service representative I spoke with before could). Beats me how they survive with such a bad CRM system. After some insistence on my part about how I was told it could be done and that I did not see why they could not just do it given that I owned both cards AND the rewards points, they put me on hold then came back and said that they would do it. I was put on hold again for a few minutes and they eventually came back to tell me it was done. I thanked them and was about to hang up only to have the "rewards department" now try to sell me more insurance and credit protection services (which they had tried to sell me every other time I'd called up in the past week). I'd had enough and just said I knew about it and had said no each time they offered me these same products. They then had the nerve to tell me that I was probably thinking of another product and then proceeded to tell me the name of the one they meant. I said I'd also said no to this one multiple times! They knew I wasn't a happy camper and eventually let me go. Oh the pain!

To further add to my pain, this bank had recently upgraded their online systems to have customers log in using a username rather than their account numbers. I use the term "upgrade" very loosely. First of all, they didn't tell me they had done it. I tried to log in only to find that it all looked different and I now had to register for the right to use their new "improved" system. So, I registered only to find that it only let me link my online username to one card. I thought that this surely could not be the case! A modern global bank like this one surely could not be so archaic - especially in light of the fact that the system was just "upgraded". I called them again (I should start charging them for my phone bill) to ask what the deal was. I was then advised that each username could only be linked to a single credit card. To have online facilities for my new credit card, I had to register again! In other words, I needed a separate login/username for my other credit card. We have enough trouble trying to remember all our logins to multiple websites and systems and here I have a single bank trying to get me to remember multiple usernames and passwords for the same system! I don't know how they can call this system an upgraded one without laughing!

Maybe I should go to talk to the IT department (I don't know if they deserve to be called that) and make myself (and the company I work for) some extra $$$ by fixing their sorry excuse for an IT infrastructure!

But for now...I have to go figure out a new username and password to use for my other credit card!!!!!

Monday, November 13, 2006

More on the bank credit card saga

Well, the credit card I made a previous post about finally arrived. They obviously approved it after my less than happy conversation with them where I told them to cross reference my existing credit card for the information they wanted.

I suppose I should give a little bit of background to set the context. The new card is EXACTLY the same as the old card, i.e. same bank, same type etc. They are IDENTICAL except for the credit card number. The obvious question to ask here is why did I bother getting an identical card. Well, as with any typical credit card, the old one has an annual fee. About a month ago, I found out I was eligible to have this type of card with no annual fee as part of a "limited marketing promotion". Essentially, it's free (I know nothing's really free and we could get into a philosophical discussion about costs associated with giving up data for marketing and sales purposes and the potential long term effects, but in the simplistic sense of looking at it in terms of subscription costs, it's free).

I called the bank to ask if I could simply have the special rate code applied to my card instead of the one that says I have to pay an annual fee. I was advised that I had to apply for a new one. From a customer service perspective, this is a REALLY stupid and annoying thing to make your customers do and creates unnecessary paperwork at the back end (which means the customers just get charged more to fund this extremely inefficient process). Now, I'm no expert on bank regulations and there may indeed be laws prohibiting them from simply giving me the special rate code on an existing card, but I have a feeling it has more to do with an artificial process set up to ensure that someone in marketing or sales within the bank could have the marketing code linked to all "new" credit cards issued within the promotional period. So with this in mind, I accepted the fact that it just had to be done. The customer service representative however, decided that they would make me "feel better" by telling me that it wasn't a big deal to have to apply for the new IDENTICAL card because once it was approved they would automatically transfer EVERYTHING from my old card to the new one and automatically cancel the old one (once I had activated the new one) and notify me. Now I took EVERYTHING to mean the balance, the credit limit and my reward points. So, I hung up at least satisfied in the fact there was some sanity in this inefficient and unnecessary process - although I was skeptical that this would be automated. I half expected that I would have to call to get it actioned.

I eventually called to activate my card and as with most bank IVR systems it didn't want to let me activate it the prescribed way. You know, the recorded voice tells you to enter the card number followed by "#" then it asks for your date of birth and then it should activate your card automatically without having to talk to a customer service representative. Well, true to form this didn't work and I was sent to a customer service representative. Problem with this was that I called to activate a card and while waiting what seemed an age, they managed to read a few pre-prepared statements trying to sell me insurance I don't need and offered the fact that I could get a cash advance on my credit card while paying their low interest rates. They're also taught to not ask if you want something. They're taught to say "would you like option 1 or option 2". I of course said that I would like neither and would just like my card activated. Then came the "are you sure sir" to which I replied "yes I'm sure I don't need that".

After a few more sales pitches, they finally came through and told me my card was now active and that I should remember to sign it. You know, the usual. I thought right then and there would be a good opportunity for me to ask about transferring EVERYTHING from my old card to my new card. I explained the situation (twice) and was met with the response "I'm sorry sir, but you cannot do that." I was incredulous! I started to explain the situation (again) but this time I mentioned that when I called the first time, I was told by one of their colleagues that this was indeed possible and was the norm and they fully expected that customers would ask for this and that they would do it willingly...actually, they said they would do it AUTOMATICALLY! Despite my insistence, they stood firm and said I simply had to pay off the balance on my old card and use my points up before cancelling it. So not only did they not do the transfer automatically (like I suspected they would not be able to do), they fed me incorrect information in the first place! I wonder if they did it on purpose just to get me to sign up for the new card.

I'm not unhappy at the fact that I had to get the new card. I would have done it anyway because of the "free" aspect. What I didn't like about the way they did it was that I was not told the real story up front. Now it may have truly been a lack of education on the part of the customer service representative I spoke to initially, but that's still a problem! If you don't know the answer, don't give one. Say you have to find out and get back to me with the right answer! It's all about customer perception and right now, this customer has a rather dim view of this bank! (Aside: Reminds me of certain shady deals in Asia specifically targeting tourists where they do not fully disclose where they will take you. e.g. You sign up for a tour which promises 2 specific tourist attractions but what they "forget" to tell you is that there's about 5 other "tourist attractions" disguised as shops which pay the tour operators commission for bringing tour groups to the store.)

Now I'm stuck with 2 IDENTICAL credit cards, one of which I have to pay for until I figure out how to use all my reward points up on things I probably don't really need right now. It's either that or I simply lose all the points.

I've managed to come up with the following observations as a result of this rather painful experience:
  • If this bank cannot have their internal systems linked in such a fashion where they can provide an efficient and single view of a customer (which one can argue are the most important pieces of information/data held in ALL of the bank's systems), what hope do they have of providing me with acceptable security on my identity data and my banking experience let alone anything with privacy implications? They don't even "identity manage" my data from a customer management perspective (classic CRM stuff) - so based on my experience with companies in my day job (companies fix business related things before they fix IT related things), there's no chance in hell that they'll have any acceptable security measures in place from an identity and security standpoint! Or in IT speak, they don't manage my identity in their business critical applications, so it's unlikely they'll bother with proper identity management at the IT infrastructure level. BIG problem. Somebody at this bank better fix this...and SOON!
  • I've pointed out that their processes leave a lot to be desired from a security standpoint. My previous post on this issue showed how they are subject to phone phishing. They should really get someone in to fix their enterprise security. Right from the policies and procedures to their infrastructure and application security.
  • Training of call centre employees is of the utmost importance. To us customers, they are the voice/face of the bank. An experience like the one I've just had sullies the whole bank's image, even if it's the fault of a single employee (who may not have been at fault - you could argue it is the bank's fault for not training this person properly).
  • This bank uses an offshore call centre. I don't want to get into a "to offshore or not to offshore, that is the question" debate. It obviously made financial operational sense to do it in the case of this bank otherwise they would not have done it. But is it really worth saving that kind of money if you annoy the crap out of all your customers? I'm sure I'm not the only one who's been jerked around by the bank and their call centre (or indeed any bank with an offshore call centre). All I want to say is, if you offshore, it is even MORE critical that you ENSURE the employees are properly trained and are provided with the correct information and relevant internal support infrastructure to allow them to get the right messages out to customers. Don't give an answer if you don't know it! Because if you do and you're wrong, then the customer just feels like the bank lied to them! Not good!
  • I will NEVER use this bank for anything other than my "free" credit card from now on.
  • Where's the bank's customer feedback form?!

More pet peeves

In a similar vein to my previous post regarding the use of "your" and "you're", here's another common mistake made by people: knowing the difference between "their", "there" and "they're".

Again, it's not difficult to get right!
  • Their - Implies ownership or possession. e.g. "This is their book".
  • There - Location or at a particular place. e.g. "He is over there at the moment."
  • They're - Short for "They are". Need this be any clearer?
Fools who get this confused will have a fun time trying to write something like "They're there at their home".

Wednesday, November 01, 2006

Now for the compelling event

I applied for a new credit card the other day with a bank that shall remain unnamed. I won't go into why I did so given the numerous other credit cards I already have because that's not the point. As with any new application, the process involves verification checks on the details I provided as per the mandatory fields in the application form. Why some of the details are mandatory is beyond me...probably for marketing and sales purposes, but I digress.

Interestingly enough, I'd only just read the Burton Group's post about the Law of Relational Symmetry. Essentially, it notes that natural interpersonal relationships between people don't rely on IDs (as is the case with IT systems) but rather the relative symmetry of the connection between endpoints (or identities). The more symmetrically balanced a relationship is, the less chance there is of exploitation of one party by the other because each participant shares rights equally. In other words, if a friend begins to really annoy me or take advantage of me, it is no longer a symmetric relationship and I'm more than likely to terminate the relationship with that person. This is all within my control. IT systems however, are inherently asymmetrical. More often than not, IT relationships involve a corporation (e.g. a bank) on one end, and a user on the other.

How many times do we give up information about ourselves for the right to have an "identity" created at an institution without requiring that we get any information back? I'd dare say 99% of the time. Take a bank for example. We fill in mandatory details to apply for a bank account. We're not even guaranteed an account. We give up the information hoping we get one. We have to, otherwise we don't get the service we want be it a bank account or a credit card. We're so accustomed to this fact that we simply accept it as a fact of life and move on (in my humble opinion, this is also part of the reason why Phishing attacks work on certain people). The bank's attitude is "I don't care if you don't like it. This is how it is". And we just sit there and take it. This is partly the reason why there's so much focus on user Identity and privacy nowadays. We need to get away from being forced to engage in these asymmetric relationships where we have to give up all sorts of private information that in most cases is simply not required.

Bob Blakley's (ex-IBM and now of the Burton Group) blog is one which I read from time to time. His comments on the need for a Meta-Identity System (read the post here) are spot on. We do NOT need to give up specifics relating to pieces of information about ourselves. We should only have to give up meta-data (e.g. yes/no answers to specific questions). For example, does the bank really need to know someone makes $50,000 a year or do they really only need to know that they make "more than $35,000" a year? After all, that's the criteria for being allowed to have a certain type of credit card. That and the fact the person is "Over 18". Must they know someone is 30 years old? Not really. I'd be more comfortable knowing that all the bank knows about me is that I make more than $35,000 a year and that I'm over 18. They don't need to know I'm X years old and that I make Y dollars a year! I don't care that if they know how much I make and how old I am, it helps their bottom line by using targeted marketing campaigns on me. It does not benefit me one iota!

So that was the first issue. Now, the real compelling event that pushed me onto the "Blogosphere" occurred when the bank called me as part of their verification process.

Here's how it went:

Bank: Hello Mr. Yip this is (Bank X) calling you regarding your credit card application. For verification purposes, can I just confirm a few details with you?
Me: Uhhhh...ok.
Bank: What's your full name?
Me: Ian Yip
Bank: What's your date of birth?
Me: (I gave it to them)
Bank: What's your mother's maiden name?
Me: (I gave it to them)
Bank: What's your full address including postcode?
Me: (I gave it to them)

OK, even those among you that aren't in the security business can see that this conversation has all the hallmarks of something very suspicious. I don't know why I didn't notice it at the time...maybe for the same reasons why people on the street will give up their passwords for a small "reward" (I'm not kidding - this was a proper study done by some scientists...or some journalists...can't remember). We're simply too trusting and have been conditioned to just give our private information up! In my own defence, they DID know my mobile phone number (they called me), they knew my name and they knew I applied for a credit card so perhaps that's why I let my guard down. If you think about it though, this could easily have been a standard line used against a whole list of people and they may get a few who actually fit the criteria of having applied for a credit card. It's essentially phishing by phone.

They then proceeded to ask me to authorise my employer to validate my information for them. You know, things like proof of employment and the fact that my salary in the application form was indeed correct. I the time. This then brings me to the question of how my employer is supposed to actually validate that it is REALLY the bank calling them for my information? I have no idea, but I'm thinking there isn't a nice answer here so I'm probably better off not knowing...which brings me to my next reaction.

After kicking myself (metaphorically speaking) for the rest of the day after the call, I eventually decided I was going to do whatever it took to NOT have to authorise my employer to give up that information. I was also still unsure if I had just been "Phone Phished". So, I called them today to validate they did indeed call to ask me those questions and to authorise the release of information from my employer. Luckily for me, it was them (phew). So I had just established that I dodged a bullet. I then proceeded to ask them if there was any other way for them to validate my information. I may be a little paranoid, but apart from the reason I mentioned above (how does my employer validate that the bank is indeed the bank), I also didn't want to authorise my employer to release any of my information to ANYONE in case they screw up in future and take my authorisation as meaning they can freely give it up to anyone claiming to be a bank. I tried getting the bank to allow me to fax them a payslip. They apparently also wanted proof of employment via my letter of employment (which has outdated pay information anyway, so they would probably have called me to ask what the deal was) and they also wanted proof of address. So I would have had to fax them a copy of my driver's licence. Fun...NOT. They wanted more information that one could argue they didn't need. I then piped up (because I was getting rather frustrated at their lack of customer management procedures and processes) by saying...

Me: "I know this is all standard process for a new credit card, but may I ask why I need to provide all this information again when I already have an account (I actually have an existing credit card) with the bank and you have no doubt already validated I am who I am when you issued me that card?"
Bank: Oh you have an account sir? Would you like us to cross reference against that?"
Me: Yes. If that is possible and would save me all this hassle. Would you like my existing account number?
Bank: Oh no sir, that's ok. I can find it on the system and you have also quoted it here in your application.
Me: Yes I did.
Me (in my head, not out loud): and why the F*$& did you not notice that in the first place rather than putting me through all this?
Bank: Thank you sir. Will there be anything else today?
Me: No.

Now, if I've learned something from this, it's that banks should REALLY change how they verify things with customers on the phone...AND that we should behave differently to force them to change their procedures. They are all so busy locking down their Internet facing systems (as they should) that they've neglected trying to secure the traditional means of communication. As people commonly say, they try to deadbolt the back door with all sorts of locks, but forget the front door is wide open.

Here's how my first conversation should have gone:

Bank: Hello Mr. Yip this is (Bank X) calling you regarding your credit card application which you submitted on (exact date). For verification purposes, can I just confirm a few details with you?
Me: Ok.
Bank: What's your full name?
Me: Ian Yip
Bank: I will now tell you what year you were born in. (Tells me the year I was born in). Now please tell me your date of birth?
Me: (I give it to them)
Bank: I will now tell you the last letter of your mother's maiden name. (Tells me the last letter of my mother's maiden name). What's your mother's maiden name?
Me: (I give it to them)
Bank: I will now tell you the street you live in. (Tells me the street I live in). What's your full address including postcode?
Me: (I give it to them)

Now, while this is not perfect, it is definitely more secure than the current standard practice we all accept when speaking with the bank over the phone whenever the call is not initiated by us. Sure, the bank is not giving me any details about them but that's not the point. They are authenticating themselves to me by giving me exact details about myself. i.e. My surname, exact date of application (this is KEY - there is no way to know this unless you are the bank, you were looking over my shoulder when I submitted the application, I told you when I did it or you have a keystroke logger or network sniffer on the machine that I used), year I was born, last letter of mother's maiden name and the street I live in. And I'm authenticating myself by filling in the blanks. This is mutual authentication (albeit rather low-tech). The way they do it now is simply by performing client authentication. There is no authentication by the bank to the person involved, which is just plain wrong and lends itself to the proliferation of "Phone Phishing". In other words, the bank is not protecting users from identity theft over the phone.
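As an added illustration (not from the original post), here are the two conversations above modelled as a challenge/response exchange, so the difference between the bank's current one-sided verification and the mutual version is explicit: in the mutual version the customer answers nothing until the caller has first disclosed details only the holder of the application record would know. The records, names, dates and addresses are constructed sample data, and the `Record`, `hints_from`, `caller_is_genuine` and `verification_call` names are my own, not anything the bank uses.

```python
"""Phone verification as a challenge/response exchange: one-sided vs mutual.

All data below is constructed for the example; no real person or bank.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """What the genuine bank and the customer both know about the customer."""
    surname: str
    application_date: str      # the KEY detail: only the bank (and the applicant) know it
    date_of_birth: str         # ISO format YYYY-MM-DD
    mothers_maiden_name: str
    street: str
    postcode: str


# Constructed sample record (hypothetical customer).
CUSTOMER = Record("Yip", "2006-10-27", "1976-03-14", "Chan", "Sample Street", "2000")

# Hypothetical caller with no copy of the bank's record: knows only the
# surname (and, implicitly, the mobile number it dialled).
IMPOSTOR_KNOWLEDGE = Record("Yip", "", "", "", "", "")

# Hypothetical caller who has guessed the birth year and looked up the street,
# but still cannot know the date the application was submitted.
PARTIAL_IMPOSTOR = Record("Yip", "", "1976-01-01", "", "Sample Street", "")


def hints_from(record: Record) -> dict:
    """The partial details the caller discloses before each question:
    date of application, year of birth, last letter of maiden name, street."""
    return {
        "application_date": record.application_date,
        "birth_year": record.date_of_birth[:4],
        "maiden_last_letter": record.mothers_maiden_name[-1:],
        "street": record.street,
    }


def caller_is_genuine(customer: Record, hints: dict) -> bool:
    """Customer-side check: every disclosed detail must be present and match
    what the customer already knows about themselves."""
    expected = hints_from(customer)
    return all(bool(value) and hints.get(key) == value for key, value in expected.items())


def verification_call(caller: Record, customer: Record, mutual: bool) -> dict:
    """Simulate one call. Reports which fields the customer disclosed, whether
    the customer hung up, and whether the caller could verify the customer
    against its own record."""
    hints = hints_from(caller)
    if mutual and not caller_is_genuine(customer, hints):
        # Mutual version: caller failed to prove it holds the record, so the
        # customer ends the call without disclosing anything.
        return {"disclosed": [], "caller_verified": False, "hung_up": True}
    # One-sided version (or a genuine caller): the customer fills in the blanks.
    answers = {
        "date_of_birth": customer.date_of_birth,
        "mothers_maiden_name": customer.mothers_maiden_name,
        "address": f"{customer.street} {customer.postcode}",
    }
    caller_verified = (
        answers["date_of_birth"] == caller.date_of_birth
        and answers["mothers_maiden_name"] == caller.mothers_maiden_name
        and customer.street == caller.street
        and customer.postcode == caller.postcode
    )
    return {"disclosed": sorted(answers), "caller_verified": caller_verified, "hung_up": False}


if __name__ == "__main__":
    callers = (("genuine bank", CUSTOMER), ("impostor", IMPOSTOR_KNOWLEDGE),
               ("partial impostor", PARTIAL_IMPOSTOR))
    for label, caller in callers:
        for mutual in (False, True):
            mode = "mutual" if mutual else "one-sided"
            print(f"{label:16} {mode:9} {verification_call(caller, CUSTOMER, mutual)}")
```

Running it shows the point of the post: with one-sided verification every caller, genuine or not, walks away with the date of birth, maiden name and address; with the mutual version the genuine bank still completes its verification, while a caller lacking the application date gets nothing, even one that has guessed the birth year and street.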

From now on, we should ALL force our hand by taking the necessary steps on our end to ensure that we are actually speaking to who we think we are speaking to, especially when we are not the initiator of the phone call. Hopefully the banks wake up soon and change this procedure. I applaud any banks who have already realised this problem and are taking the necessary steps to rectify the HUGE potential problem. If we think "Phishing" attacks online are a big issue, I'd dare say this poses a far greater risk due to the fact that Internet banking users are only a subset of all banking customers. All customers (especially non-Internet banking users) still communicate with their banks over the phone at some stage do they not?!

I'm not the first person to write about this issue. Many have talked about this so I'm not exactly saying anything groundbreaking. I just felt the need to make myself heard and hopefully feel a little less silly.

Disclaimer: I know I'm picking on a single bank here, but I have dealt with other banks for other issues and they are not much better when on the phone so this has the potential to be a VERY big problem.

Before I move on...a pet peeve

I'll keep it brief.

Why don't people know the difference between when to use "you're" and "your"?!?!?!

It's infuriating. I see the incorrect use of these terms more often than I see them used correctly. What's so hard about it? "You're" is the abbreviated version of "you are" and "your" is usually used when referencing something belonging to you. e.g. "This is your needless rant on the deterioration of the English language". This sends a chill down my spine more than fingernails on a chalkboard...well, maybe not but almost as much.

Phew. Finally got that one off my chest. It's been bugging me for years and I've had no one to complain to.

I've finally relented and joined the masses

New blogs are being added daily at an astounding rate (I could find out exactly what this is, but where's the fun in that) so I thought I'd add to the clutter. It also gives me somewhere to jot (Gees, it's been awhile since I used that word - consequence of the computer generation I suppose - no one jots anymore. Now they ping, type and blog) down my thoughts that I think are worth taking down for future reference...who knows, maybe one day I'll look back and realise what a fool I was when I made various posts.

Note: I live (and grew up) in Australia hence I use the "Queen's English" to spell. So for me, "realise" is the correct spelling and NOT "realize".

I'm not a diary writer. I did that once and my brother decided it would be funny to spend his days looking for it and when he found it, he read it...all of it. I vowed never to write another diary again. A blog isn't a diary I suppose...or at least I'll be sure only to publish thoughts that have been through my "embarrassment filter".

I've always thought about starting a blog. It usually takes a compelling event however, for me to relent to doing something I think about doing...but never get around to. I'll post about this in a separate entry to keep the thread "pure".

It also dawned on me as a result of the aforementioned compelling event that I've now been cursed (or blessed depending on your point of view) with having my day job seep into my subconscious and actually dictate how I feel about certain issues and how I behave in relation to certain everyday situations.

Lastly, my day job is very much about what is currently commonly referred to as "Identity Management" and I've realised the dearth of information and opinions relating to this topic (that is now apparently close to my heart given I'm now blogging about it) outside of North American (and some European) "Identity luminaries". So, being the patriot I am, I thought Australia (being one of the most stringently regulated countries in the world in terms of privacy) should be represented!

Of course, if no one ever reads this, then I'm pretty much talking to myself...which is pretty much like what happens to me daily then.