Tuesday, September 30, 2008

The Managed Identity Services brick wall

I've been wondering if each data loss incident is a brick in this wall I'm referring to, so I thought I should take a closer look.

I read about a survey today (I'm all for surveys at the moment) that found at least 80% of the British public don't trust companies to hold their personal details securely. Apparently, 89% also think that repeated incidents should be a criminal offence.

Here are a few tidbits:
  • Most think there should be no second chances for data loss offenders.
  • Most don't think they'll want to give up any information to a company that has had a data loss incident.
  • Half think the single worst offender is the UK Government.
  • Most people don't do a thing to protect their information with some not even knowing how to ensure the security of their online transactions.
I didn't list all the findings, but basically people don't see it as being their problem. They believe it should be up to companies to ensure security.

This survey is UK centric, so I dare say the same numbers don't apply across the rest of the world (thanks to the UK Government's well publicised, regular data loss incidents in recent times). But I don't think the perceptions will be too different elsewhere, although the figures may be a little be less drastic.

I'm not trying to focus on consumer perception as such. What I'm trying to link up is the fact that decision makers within organisations are also consumers, which means these perceptions matter in the enterprise solution marketplace.

This is one of the things I'm trying to get a better handle on through the Managed Identity Services Survey. What's the big stumbling block stopping people from outsourcing anything where it involves enterprise identity details? Do people automatically equate "identity" with "personal data"? It's a rhetorical question because I think we do. As I've said before in the past, it's mostly psychological but that means everything and makes outsourcing Identity Management a "hard sell".

I should probably cover my bases and mention that there's typically also the concern that external people are able to have access to your enterprise identity information if you outsource any identity-related services, but this is really a moot point. Who's to say your insiders are any more trustworthy than the employees of the service provider (yes I know we could argue this point back and forth and get nowhere - the point is that internal people should not be trusted either, because that's usually how data leaks)? Matt Flynn's also pointed out in the past that whenever you have external consultants working on your internal systems, they too have access to all your precious identity information. In other words, this is a stupid point to be debating. Internal or external, someone is going to look at it and you should assume they are a security risk (even if they don't mean to be)...which is where data security measures come in, but that's a topic for another day.

Now that we've conveniently parked that debate, we can address the other typical concern: the storing of identity information on infrastructure that is not controlled and/or owned by the organisation. Is there actually a good reason to be so concerned about letting enterprise identity details be stored outside of the organisation? Consider the following...

I'm going to pick on the poster-child for Software as a Service (SaaS), SalesForce. I do this because they are the extreme case in that everything is completely hosted and managed by SalesForce. An organisation that uses SalesForce does not own any of the infrastructure. In fact, it's completely exposed to the Internet. How much more of an exposed example can you get? Organisations simply log in and use the software. Also, more often than not when you speak to someone about using SalesForce, the concern over sensitive company details being held in an environment not owned by the organisation and being potentially accessed by external people doesn't come into play. If you ask them, they typically say something along the lines of: "oh but that's all just CRM information".

Think about that statement for a moment. Now, can anyone seriously tell me there's not a S*&%-load of personal data in there? SalesForce is primarily used as a CRM platform, which means that it's full of contact details! Things like: name, job title, employer, business address, phone numbers and email addresses at a minimum. I'm not even including all the other bits and pieces companies might store against each record. For example, the notes may include things like "this guy is an idiot but he signs the contract so be extra nice".

Let's move on to the type of information companies REALLY NEED to be holding in their enterprise identity stores: Unique identifier (usually an email address or employee number), authentication credentials (e.g. encrypted or hashed passwords - if you have passwords in clear text someone should be fired), group (or role) memberships, applications that employees have access to and the corresponding privileges (or entitlements) for each application. You don't even REALLY need someone's name, although most of the time it's stored for display purposes. We could extend this set to include things like manager, department, applicable workflows and so on. A lot of this is dependent on the identity service in question and the business logic involved, which is why on occasion you might see things like salary floating around (although this is not exactly a good thing - you really should be using a third party service that spits out an assertion that "their salary is above $40,000" instead of "salary=$49,890").

I may be over-simplifying here, but this post is long enough as it is so I don't want to put you all right to sleep (or maybe you already are). My point is that at the very basic level, identity stores don't need to contain personal information. They only need to contain information relevant for determining the correct authorisation levels an individual needs to do their job (to be governed by compliance policies which on their own do not store personal details either - at least none that can be tied to an individual). And as far as authentication is concerned, if you're not comfortable having things like credentials stored externally, you could always use Federation (and I don't mean the Star Trek kind).

In short, if you model your identity and access control models correctly, you can do it without personal details. And even if some personal details do creep into the identity stores for legitimate business reasons, it's unlikely to hold more information than one would find in a CRM contact record. What does this boil down to? Your identity stores shouldn't contain more personal data than SalesForce!

Here's where I think the core of the perception problem is:
  1. The Media - They link EVERYTHING about personal data to the word "identity", usually throwing the word "identity theft" around as a catch all because they don't understand enough about the subject matter. Those of us in the field know it's a stupid term because you can't steal a person's identity. You just commit fraud by stealing personal data. Of course, even those who know better can't help but be sucked into the whole thing when all we hear about (other than the credit crisis) is data loss and identity theft. When will they understand identity DOES NOT equal personal data?
  2. Lazy consultants - They look at the HR system and just suck EVERYTHING out of there because it's easier. They make the false assumption that data is safe within an organisation's walls and that some of the information might be required later on so they're saving everyone lots of work by making it available up front. Well, they're not because there's now an additional egress point for data to leak from, which means more work (and cost) is required to secure that information. Because of lazy consultants, you've now got systems all over the place that HAVE personal data. So anytime a person looks at an "identity system", they see personal details all over the place and automatically assume that's the way it has to be.
  3. People are self centred, even when they don't mean to be - Employee details aren't typically stored within CRM systems. In other words, the decision maker doesn't care because their own details aren't sitting on SalesForce's infrastructure. When it comes to an identity store however, they immediately think: "hang on a minute, that's my identity information sitting there! There's not a chance in hell I'm letting my details sit within a service provider's environment or let an employee of an outsourcing provider look at them!"
To summarise:
  • Consumer perception and fear of data loss directly contribute to organisational fears about outsourcing identity management.
  • Identity stores do not need to contain personal data (unless authorisation rules dictate - even so, there are other ways like leveraging assertion services).
  • Identity != Personal Data
Of course, if you aren't even allowed to use outsourced services or software because corporate policies forbid the storage of data on infrastructure not directly owned and under the control of the organisation, then you have a whole other problem. You should probably take the time to question the underlying reasons for this policy however. For example, was it written over 5 years ago and based on fear? Was this fear valid or based on paranoia? Should it be changed? If so, can it be changed or does your organisation submit to the "if it ain't broke don't fix it" mantra?

Are there other factors are play here? Are there "different coloured bricks" in this wall that you're concerned about?

Let me know by completing the survey! Or if that's too difficult, then just leave a comment.

A good primer on Authoritative Identity Stores

Just a quick one. Many of us spend too much time thinking about and dealing with all these new, shiny Information Security "toys" (a lot of which is just hype and marketing). The problem is that we sometimes lose sight of the core pieces.

One of the basic, important steps in implementing an Identity Management infrastructure is the planning around where your new, shiny provisioning engine is going to get all the identity information it needs. Sometimes the answer is very straightforward (e.g. "oh, we just suck all the information out of the HR system"). Unfortunately, life is not always this simple. Quite often, you need to think about where your disparate, authoritative sources of identity information are. Once you figure that out, you then need to determine how to get that information easily (in a manageable and maintainable way) on a regular basis, preferably in an automated fashion.

Your friendly sales rep at whatever software vendor you deal with will immediately throw a tool at you. This said tool will probably be one of the following:
  • An LDAP directory which includes synchronisation capabilities with other data stores.
  • A Relational Database (RDBMS) which includes synchronisation capabilities with other data stores.
  • A plain old synchronisation tool that transports data between various sources.
  • A Meta-Directory (which could leverage an LDAP or RDBMS depending on the architecture).
  • A Virtual Directory (which could leverage an LDAP or RDBMS depending on the architecture).
Before you bring your favourite software sales rep in to beat you over the head with their tool, take a step back and think about how you actually want to solve the whole Authoritative Store issue. If you're not sure where to start, Matt Pollicove's written a whitepaper outlining how one might go about doing it (actually released over a month ago, but it's been on my "to-read" list until today when I finally got around to it). It's a pretty good read for those that want to get an informed start on the things you need to be considering and how you might go about putting a solution together. Matt also does a good job of talking more about abstract concepts instead of telling the reader which tool to use in each situation (because there's no right answer - it depends on what your requirements are).

I'll stop now because I don't particularly want to start the "Directory Trek Wars" again despite the fodder it would provide me to do part III :-)

Friday, September 26, 2008

Is the Managed Identity Services Survey too difficult?

I relaunched the Managed Identity Services Survey a week ago with an added incentive to participate courtesy of Identropy. There's been a decent number of responses to date, although we have yet to hit the target of 50 responses (remember, the rules stipulate that unless I get 50+ responses, the results will not be published - which also means Identropy don't have to hand over the brand new iPod touch to a lucky survey participant).

At this point, I thought it may be of interest to provide an update of sorts in the interest of openness and transparency...

While I didn't set out to create a particularly difficult survey, it seems to have turned out to be less than trivial. I've re-read the survey questions over and over again to determine exactly how difficult they are and this is what I've concluded: the questions aren't that difficult but do require some thought...and that's a good thing.

In going through the responses so far, I've been analysing the "bail-out" responses with particular interest. I'm referring to the half-filled surveys where the participant got to a certain point and decided not to continue. Here's what I've found: most people "bail-out" at either question 9 or question 10. Question 9 is the first Identity Management related question. Answering this requires that you know something about what your organisation is doing in this area. Question 10 is one of two questions within the survey that require some level of effort because it's a matrix of options that need to be selected.

My guess is that people who are in it only for the iPod touch but know nothing about Identity Management are typically the ones that stop on questions 9 and 10. Some are honest in that they get to question 9, realise they know nothing about the subject area and just bow out gracefully. The ones that are unfazed simply click a random option to "answer" question 9 and continue. They then hit question 10 and stop because it's just too hard for them. I guess you can call questions 9 and 10 the "filter" questions.

Question 14 is the other question formatted as a matrix. This happens to be the last question in the survey before the participant is allowed to provide their details for the giveaway. Your reward for answering it is the chance to enter the giveaway (should you choose to provide your details and agree to the terms and conditions).

Sure, there are persistent types who will complete the whole survey without knowing a single thing about Identity Management. But "frivolous", completed surveys have been rare so far (there's 1 or 2 at this stage). I'm a little disappointed that the person claiming to be from "Horse and Hound" magazine didn't keep going though. I wonder if it was Hugh Grant? If you're reading this with a puzzled look, you haven't seen Notting Hill so ignore what I just said.

If you have another reason for not completing the survey, please let me know via the comments or by sending me a message (you can use the "Email Me" form on my blog).

Now we just need to get to 50. There's an iPod touch at stake and just over a week left before the survey closes. Most importantly, we want to see the results so what are you waiting for?

Note: I should point out that I didn't place questions 9, 10 and 14 in their respective positions to act as filters. I just wanted to know the answers and thought they belonged in those positions. The fact they turned out to be good filters is a happy coincidence.

Friday, September 19, 2008

Managed Identity Services Survey relaunch - iPod touch Giveaway

I launched the Managed Identity Services Survey just over a day ago. Once again, thanks to those of you that have completed it thus far.

Upon the release of the survey, Ash Motiwala got in touch and asked if his company (Identropy) could help encourage people to participate in the survey. He suggested a "giveaway" where Identropy would provide the prize. We both agreed that we didn't want this to turn into a sales or marketing exercise and that I would maintain full control. Identropy's interest in the survey is in line with mine - to better understand the state of the market with regards to Managed Identity Services. Remember, the plan is to make the results freely available here.

Without further ado, I'm happy to launch (again) version 1.2 of the Managed Identity Services Survey in conjunction with the "iPod touch Giveaway" (courtesy of Identropy).

For those that don't want to read the fine print, here's an overview of the giveaway:
  • Participation in the giveaway is optional. You can complete the survey and simply leave the contact details empty.
  • I am ineligible for participation in the giveaway, as are Identropy employees.
  • The survey results will only be released when there are 50 or more responses.
  • The survey will be closed at 11:59pm GMT (London time) on Sunday 5th October 2008 unless the target number of 50 responses has not been reached. (Update, 6th October 2008: The deadline has been extended to 11:59pm GMT (London time) on Sunday 12th October 2008 - full details here).
  • The giveaway draw cannot be conducted until the results of the survey have been published.
  • The draw will be made by an impartial 3rd party.
  • The core questions of the survey remain the same. Nothing has been changed with each iteration of the survey except for modifications made to support the logistics of the giveaway.
The obvious question here is: "what about those of us who filled in the previous versions of the survey?!" (I didn't give anyone the option to leave their details in the previous versions of the survey)

Answer: If you don't want to participate in the giveaway, you don't need to do a thing. I'm planning to keep all versions of the survey running and will aggregate the results (i.e. your responses still count). If you do want to participate in the giveaway, you can do one of 2 things:
  1. Tell me the approximate time you submitted the survey and your answer to any 2 questions. If you really can't remember, just contact me and we'll see if we can work something out.
  2. Complete the new survey and don't forget to provide your details. It would be nice if you could tell me approximately what time you submitted your first set of responses so I can make a note not to include them in the results.
You can contact me via the "Email Me" contact form on the far right column of my blog.

If you have any questions, please let me know (you can do this via the comments too).

Note: You might have noticed I've changed the survey engine. The old one (Pollograph) was just too buggy and unpredictable. Hopefully this new one works better (please let me know if you run into any issues).

Here's a link to the survey once again for good measure. What are you waiting for? An iPod touch awaits (potentially)!

For those that like fine print, here are the full details of the giveaway:

iPod touch Giveaway Details

A "giveaway" will be conducted when the results of this survey are released. Identropy have kindly offered a brand new Apple iPod touch as the prize.

Disclosure: Identropy provides consulting, integration and managed services for Identity Management technologies. For more information, please go to http://identropy.com.

If you would like to be enrolled into the "iPod touch Giveaway", please provide your details in the relevant section of the survey. Note that this is optional and you do not have to enter if you do not wish to.


  • Each individual is limited to a single entry in the giveaway. Please do not answer the survey more than once as this may skew the results.

  • The giveaway is open to participants worldwide (except where your own local laws prohibit you from participating).

  • Participants who reside in a state or location that considers participation in research as "consideration" in exchange for chance to win, or requires license, permit or similar legal permission to conduct giveaways are disqualified from the "iPod touch Giveaway".

  • Ian Yip is not eligible to receive the prize.

  • Employees of Identropy are not eligible to receive the prize.

  • The survey results will only be released when 50 or more responses have been captured.

  • The survey will be closed at 11:59pm GMT (London time) on Sunday 5th October 2008 unless the target number of 50 responses has not been reached. (Update, 6th October 2008: The deadline has been extended to 11:59pm GMT (London time) on Sunday 12th October 2008 - full details here).

  • The draw to determine the recipient of the iPod touch will be conducted upon release of the survey results by an impartial 3rd party (the identity of the individual will be disclosed after the draw has been completed).

  • Further announcements regarding this survey will be made at http://blog.ianyip.com.


  • The questions within this survey have not been modified in any form since the original release on 17th September 2008 (before Identropy's involvement). Additions (e.g. this page and the contact details form) have been made to support the logistics required to conduct the "iPod touch Giveaway".

  • Ian Yip is in no way employed by or associated with Identropy. Identropy are not paying Ian for their involvement with this survey nor is he benefitting financially in any way (directly or indirectly).

  • Identropy do not have access to survey results (until publication) or contact details (except for those of the iPod touch recipient). Ian Yip is the only person with access.

  • Widgix Software (SurveyGizmo), the company providing the survey engine can potentially access the information as it is hosted on their system. It is highly unlikely they will access the survey results or related details, but this possibility cannot be completely discounted as neither Identropy nor Ian Yip are associated with Widgix Software in any way.

  • Any personal details captured as a result of this survey will NOT be retained beyond the publication of the survey results and subsequent giveaway.


  • This survey is version 1.2 of Ian Yip's Managed Identity Services Survey. Versions 1.0 and 1.1 are still available on the original survey hosting site (http://pollograph.com). The decision was made to move this version of the survey to a different platform due to the numerous minor bugs found within the pollograph.com survey platform.

  • There is a limit of 250 responses for this survey. This is not a limitation set by the author. It is a software limitation due to the fact this survey is hosted on a free account.

Wednesday, September 17, 2008

Managed Identity Services Survey

The notion of Managed Identity Services and Outsourcing has been popping up all over the place for me lately.

I've written about it recently (here and here). Corbin Links added his thoughts in response to my post. Ash Motiwala dished out some love to Symplified. Jeff Bohren responded to Ash's post.

I've also been discussing the positives and negatives offline with various people around the traps and realised that there are many differing opinions depending on people's backgrounds, experiences and who they work for. I've already said it's a hard sell. But I'm also curious...

When will the market be ready? Will it ever be ready? What are organisations actually worried about? What are the barriers to adoption? Is it all perception? Are there other concerns we don't know about?

It would be great if I could get everyone who had an opinion to write blog posts about this or even leave a comment. But that takes a non-trivial amount of time and thought. So I've decided to make an attempt at the next best thing: a survey. Less thinking, less writing. Just answer the multiple choice questions.

The problem with a survey is that it's useless unless there's a decent number of responses. With that in mind, I've decided to only publish the results of the survey if I can get a useful sample set to present (I'm willing to take suggestions regarding what constitutes a useful sample set). That should be enough incentive (for those interested in the results) to complete the survey and encourage others to participate as well. I'm not trying to target a particular demographic. The more the merrier.

So what are you waiting for? Take the survey now! Update (19 Sept): New version of the survey is here. Full details here.

Note: This is a first draft survey. It could very well suck, in which case you're more than welcome to tell me and suggest improvements. Perhaps I could post a version 2.0 survey up in due course.

UPDATE: This survey engine should be labelled "Alpha", not "Beta". I've just noticed that it changed some minor settings (or maybe it just didn't save my settings properly) and I can't fix them because once a survey's been published it can't be modified. The most obvious/annoying one being that I set the "what country do you live in" question to be optional, but the thing insists that people fill it in! I also wish they allowed for "survey cloning" because I've just had to copy all the questions and response options manually from the old one to create the new one! Anyway, I've updated my original link to point at the new version of the survey (labelled version 1.1), but here it is again. (Update 19 Sept: New version of the survey is here. Full details here.) I've left the old one running in case people saved the link for use later. Thanks to those of you that have already taken the survey. Your responses have been saved (so you don't need to take the new survey - the questions are exactly the same) and I'll include them if/when I publish the results. If anyone finds issues with the new version of the survey, please let me know.

UPDATE 19 Sept:

You can now participate in the "iPod touch Giveaway" by completing the new version of the survey. Please read the full details here before proceeding.

Friday, September 05, 2008

Encentuate blue rinsed

One of IBM's press releases today announces that IDC has named them as the "Overall Leader in Worldwide Identity and Access Management Software".

Frankly, I don't care. Each analyst has a favourite and if you make your purchasing decisions solely based on what your favourite analyst says, you need to have your head examined (yes I know software vendors care about this - remember that I used to have to stand up in front of people and point at slides showing how much selected analysts loved IBM Tivoli). IBM just happens to be IDC's favourite in the Identity and Access Management software market.

I bring this up because buried within the press release is a sub-announcement of sorts:
"IBM also today announced the availability of new IBM Tivoli Access Manager for Enterprise Single Sign-On software, redesigned based on technology from IBM's March 2008 Encentuate, Inc. acquisition."

In other words, IBM have finished "blue rinsing" Encentuate's product which they acquired earlier this year (read what I had to say about the saga here, here, here, here and here).

Interestingly enough, I can't seem to find a separate press release announcing the new version of IBM Tivoli Access Manager for Enterprise Single Sign-On so I'm wondering if they let the cat out of the bag a little early. That said, the product documentation is available so maybe not.

The press release also mentions that:
"Portland General Electric, Oregon's largest electric utility, uses IBM Tivoli Access Manager for Enterprise Single Sign-On and plans to upgrade to the new version 8.0 as part of its security technology strategy to help the utility company drive productivity and save costs on IT and help desk support. The effort has simplified password management for employees, who otherwise could have more than a dozen passwords to access over 20 different enterprise applications."
Two things:
  1. Version 8.0?! Did they skip a whole version number? The latest version (up until this point) was version 6.0. What happened to version 7.0? In fact, IBM were quoted as saying version 7.0 would be the first incarnation of the Encentuate product re-badged as IBM Tivoli. So I'm a little confused. It's not a misprint (the product documentation labels it as being version 8.0). So I guess it's just some weird numbering system?
  2. More importantly, has anyone told Portland General Electric what they're actually in for (read my first post on the acquisition if you don't know what I'm talking about)? I can't seem to find any instructions in the product documentation regarding how to upgrade from version 6.0 to version 8.0 (disclaimer: I haven't read the documentation cover to cover, so maybe it's buried in there somewhere). Are IBM actually going to help people upgrade gracefully or were they just paying customers lip service when they were assuring us that they would make it easy to do so? Here's Nishant's opportunity to suggest Portland General Electric switch to Oracle Enterprise Single Sign-On :-)

Update - Phill left the following as a comment:
"IBM has created a dedicated team of project managers and technical consultants to help customers in their migration of Passlogix to Encentuate - free of charge! This team has actually been assembled for sometime and out in the market place transitioning our clients."
It looks like IBM are doing something about it.

Tuesday, September 02, 2008

Another view on outsourcing Identity Management

I wrote about outsourcing Identity Management back in July, which was an extension to another post I made in 2007.

Corbin Links left a well thought out, rather lengthy (in a good way) comment in response and makes a couple of good points.

He submits that businesses do not care about security and best practices:
"I’m sure I may ruffle a few feathers by saying this to some, but business -- by and large -- does not care about security. (Except for providers of security-related products and services...) Or rather, business only cares to the extent that market forces, customers, and regulatory agencies demands it."


"businesses invest in security because they have to, not because they want to."

and that best practices
"are the practices all organizations think they should be practicing, but in actuality do not. It’s a term that helps sell frameworks, tools, and conference passes, but that has very little tangible impact in many organizations."

He goes on to say:
"What businesses *do* care about, is processes, methods, and tools that can facilitate making money, improving bottom and top-lines, improving customer satisfaction, improving end-user experience, reducing time to marketing, reducing help desk costs and calls, streamlining processes, etc."

He brings up the point that industries that do not traditionally buy Identity and Access Management solutions would like them, but just don't have the expertise or the budgets. In this respect, they would gladly pay for the service and outsource it all:
"For many, the premise of outsourced management of IAM is very attractive. Because, many organizations realize that they:

1)Do not have the core competencies
2)Will never have the core competencies
3)Will never be in the business themselves of providing IAM-related services
4)Do not have their processes modeled
5)Do not have enough information or expertise, or time to define their current, much less future-state business processes
6)Are not qualified to determine accurately what risks really exist, levels of data protection needed, data classification levels, etc."

I agree with some of what he says through his comments, particularly regarding the fact that the "non-traditional Identity Management buying market" (particularly SMB) just don't do it because they can't justify the costs and effort required. A managed offering would certainly be more attractive in this respect.

I still don't discount the fact that there are data, privacy and security concerns that need to be worked through. Sure, some organisations will not care too much (probably because they don't have the big regulatory stick being waved at them) but it is up to us as professionals to make sure they care, especially if we're the ones providing the service to them. We have an ethical obligation to do so. And if in the process of educating organisations they decide not to buy anything, so be it (I can see all the sales people saying "nooooo why are you saying that?!?!").

As for the statement that business does not care about security and best practices (or only care as much as they need to), it depends. A majority behave this way (and I've been in many sales situations where we play on this fact), but I've also met C-level executives (including CEOs) that certainly do care about security. Sure, most of the time it's because they "don't want to be on the front page of the Wall Street Journal". It is rare that someone will care just because of ethical reasons and want their overal security posture to be sound (or dare I say, world class). But they do exist. And the ones that care know that they MUST have security in mind because they "do not know what they do not know." That is, they need to be proactive about security rather than reactive. Unfortunately, most organisations fall into the reactive category and so Corbin is mostly right.

I encourage you to read the comments and submit your own thoughts.

The union strikes back against IBM Australia

My better half sent me a link to this story today. It's about a bunch of IBM Australia employees at IBM's Flightdeck in Baulkham Hills having voted overwhelmingly to "strike for better pay and conditions". When they received no response from IBM, they tentatively agreed to strike this week on Thursday or Friday.

At first, it's surprising that IBM employees would strike given the industry and also the reputation of the company. You don't typically associate IBM with the unions. But the more I think about it, the less surprising it becomes.

Many of you know I used to work for IBM and hence I have some insight into what it's like, especially within IBM Australia. Some parts are better than others. I served time in support, consulting services and sales. By far the worst part of IBM to be in was operations. In IBM, operations roles are typically within managed service environments where an organisation has outsourced IT functions to IBM. Many of Australia's big banks have done this and the article did mention that Westpac (one of Australia's biggest retail banks) would be among the organisations affected.

The managed services/outsourcing area of the company just sucks the life out of most people, and being part of the business as a graduate straight out of university made me vow NEVER to work in support or operations ever again if I could help it (I know, never say never). Needless to say, I made a decided effort to run as far away from that role as I possibly could. To IBM's credit, they did manage to get me a different role because I whined enough and because they could (given that IBM are huge and have so many different types of jobs in different business areas) and hence kept me with the company.

I should point out that my time in consulting and in sales was much more enjoyable, so I'm not putting IBM down as a company. In consulting, you're still treated like a resource so at times you feel like a number but working conditions by and large are much better. My time with IBM Software Group sales was by far my most enjoyable within IBM. Absolutely no complaints about the conditions there. As a bonus, the people I worked with were first class and I remain in contact with many of them even today (don't forget I live in a whole other country now - but I always catch up with my ex-colleagues whenever I'm in Australia).

Conditions aside, one thing IBM has always lagged behind in has been salary. They DO NOT pay market rates. I'm not sure they ever will. As an example, a few years ago I turned down a concrete offer to join CA (with almost a 50% increase in salary - Update: I should probably point out that at the time, people with Identity Management skills were very much in demand and companies would pay a premium. I'm in no way suggesting IBM pays almost 50% below the market.) because my colleagues convinced me not to (one in particular whom I shall always refer to as "Baron"). To be fair, my manager also managed to bring my salary a little more in line with the market but it still wasn't close to CA's offer. Long story short, I stayed and really pissed CA management off for wasting their time (sorry guys and gals). My own example isn't the exception to the rule. I know of quite a few others who had similar stories and left to take higher paying jobs. That said, there are many IBM veterans who know very well that they aren't being paid market value but stay because of the fact that they like working for IBM. What I'm saying is that it seems IBM make a concerted effort not to pay market rates because of all the intangible benefits they provide (emotional or otherwise). This is fine if working conditions are up to par. But as I said, in some parts of the company it isn't (especially if you take into account how good some other parts of IBM are to work in).

Which brings me back to the employees working for IBM's Flightdeck in Baulkham Hills. They work in exactly the area I mention - operations and support. I hope IBM do something about giving them some of the things they want and avoid inflicting pain on their customers who pay them a lot of money for the service. It's long overdue.

Update (5 Sept 2008): The strike's been called off...for now.

Monday, September 01, 2008

Top 10 IT security worries

Last week, Infosecurity Europe published the results of some research they did in relation to IT security concerns. I can't seem to find the original source, but there are stories all over the place about it (here's one example).

Here's the top 10 list, including the percentage of respondents worried about each:
  1. How to prevent data leakage from within an organisation - 69%
  2. How to secure remote, mobile and collaborative working - 58%
  3. Governance risk compliance - get security right to ensure compliance - 56%
  4. Implementing security that supports more cost efficient IT infrastructure - 48%
  5. ID and access management that works - 43%
  6. Building security that is future proof - 42%
  7. How to make IT architectures and strategies more secure - 39%
  8. How can security help IT more agile and aligned with future business needs and growth - 31%
  9. Security in new or emerging markets where infrastructure/networks are hostile - 25%
  10. Assuring common security standards with third parties, customers, suppliers and outsourced activities - 25%
I don't usually give much credence to surveys in terms of the numbers they publish, but this list serves as a decent guide if you want to guage the concerns in the market.

Anyway, I thought I'd give a paraphrased version of the list (from a C-level executive's perspective) to outline what could be driving each concern:
  1. Holy crap, I really don't want to get on this list...or the front page of any newspaper for that matter.
  2. Damn Apple and them iPhones. And can someone tell me why I would want to read my email on weekends via my BlackBerry?! Can't I just use webmail? Oh hang on, that's still remote access.
  3. When are the auditors showing up again? Next month? Crap!
  4. IT costs too much. Can we cut some crap out and call it a security measure?
  5. Why they heck is our Identity and Access Management project still running? We started that piece of crap 5 years ago!
  6. You wanted firewalls. I bought some firewalls. Then you wanted intrusion detection. I bought you intrusion detection. You wanted event monitoring. I bought you event monitoring. Then you wanted access management. I bought you access management. Then you said we had to deal with identities. So I bought you identity management stuff. Then you said we had to audit all this stuff. So we got auditing. Then you tell me our auditors want to check we're compliant with about 50 standards. I bought you that crap too. Then you said we had to secure our applications. I bought all that kit and all this stuff to do with entitlement management. Now we have to worry about data and what people do with it. I'm looking at that crap for you too. What is it going to be next month darn it?!?!
  7. Can someone just tell me why we can't hire enterprise architects that know something about security apart from how to spell it? Our guys just send me whitepapers from software vendors and attend conferences.
  8. Can someone do something about the fact the IT department is still stuck in the 90s? Pleeeeease?
  9. I want to do business in China and Russia. Can someone tell me how not to get hacked?
  10. We don't use standards? What the heck do we pay you people for?!

Biometrics for the phone platform that no one has yet

Those that don't iPhone, Android.

I'm not part of the iPhone crowd...yet. Mostly thanks to the fact that O2 here in the UK makes you sign up for an 18 month contract and I'm not sure I'll still be living in the UK 18 months from now!

So I've been keeping an eye out for some of the things coming out from Google's Android camp and noticed the BioWallet application today:
BioWallet is basically a “safe wallet” that can store sensitive information (passwords, certificates, documents, conversations, notes, pictures, etc.). This information can only be accessed by the user through iris or handwritten signature based authentication. The data is kept secret even if the device is lost or stolen using strong biometric encryption techniques. Advanced users can also digitally sign their documents or encrypt their communications. Even the phone itself can be protected and unlocked only if the user presents his/her eye or signature.

It would be nice if there was something tangible to play with. I don't know if there's something similar for the iPhone. Like I said, I don't have one and hence have not been browsing the App Store.

If they extended the functionality to integrate seamlessly with some of the things we do online that require authentication, they might be on to something. Perhaps Google should just pay these guys for their technology and build it into Android as standard functionality?