When I am not at work thinking about solving tough issues in Cloud & Enterprise Identity & Access management, I have music on my brain. Music has a way of calming frayed nerves…yet it also has a way of inspiring moments of pure genius. This is one of those times for me. Or maybe not – you be the judge.
Doesn’t anybody stay together anymore
I wonder why, doesn’t anybody stay together anymore
Oh I wonder why, doesn’t anybody stay together anymore
– Phil Collins, “Doesn’t Anybody Stay Together Anymore”
The past two months I have been working with security gateways for integrating disparate systems via a token exchange service. These devices go by many different names: Access Bridge, STS, Concierge service (shout out to Peter Davis/Neustar and Chuck Mortimore/SFDC for that one during a brainstorming session I convened at IIW here), or whatever you want to call them. Try as we might to get every business onboard with SAML2, OAuth2, OpenID Connect, et al., it is not practical to expect that at any point in the near future one of these protocols will enjoy ubiquitous success across the entire Internet (cloud, enterprise, mobile). As Sir Phil Collins might opine if he were part of the Identerati: Doesn’t anybody use IdM standards anymore?
Give me a clue! What will I choose?! What will I choose??!!
This past weekend on a daddy/daughter outing with my brilliant 5 1/2 (almost 6) year-old daughter Molly, we made a stop for some candles at Pier 1 – notoriously one of daddy’s favorite stops. Molly was on her knees in the tiny little toy section, obviously conflicted about whether to spend her last $2 on a gift for her mommy or her daddy. I heard her singing (what I thought to be the lyrics to a musical of some sort but which turned out later to be her own improvised lyrics) “Give me a clue. What will I choose? What will I choose?” and I was immediately drawn into her world of conflict.
On any given day, that is the lyric of my life when evaluating vendors or projects that want to integrate with VMware Horizon and who don’t support SAML, or when trying to find a way to scale partner SSO without SFDC being brought into the picture. My fellow VMware employees may hear me singing the lyrics of my daughter’s lament down the hallways at Hilltop…. What will I choose?! Standards? Custom integration? Vote against the project? That is a lot like how an IT shop really works, until now. Now that we have choices via an STS (access bridge, service gateway, etc.) we do not have to limit ourselves to supporting and standardizing access control on a single protocol. So the question I pose to the Identerati specifically and the industry in general is: do IdM standards even matter anymore when we can use an STS or an access bridge to integrate disparate systems with different access protocols?
Come As You Are
Come as you are, as you were
As I want you to be
As a friend, as a friend
As an old enemy
– Nirvana, “Come As You Are”
And then it hit me again. Another musical lyric that resolves all of the mysteries of the IAM universe brought to us by Alternative music royalty Kurt Cobain in his immortal lyrics.
So I couldn’t help but imagine that this ought to be our philosophy when it comes to designing an access control system for a multi-billion dollar, multi-national enterprise such as VMware and others out there. How do you think 85% of the virtualization market would respond if VMware restricted the ability to log in to the vSphere console or the My VMware portal to an X.509 certificate or a biometric password and nothing else? This concept was perhaps first ingrained in my head during one conversation I had with the brainchild behind the Salesforce.com Identity platform, Chuck Mortimore. His emphatic recommendation, as far as I can recall, was to always keep it based on URL, as if to say that he has achieved a sort of protocol-agnostic, nirvana state for authenticating users into Salesforce. If you are an SFDC developer, or if you have talked with Chuck about this topic before, then I trust that you, too, find some merit in his argument. You can access your apps and data at SFDC however you want, as long as it’s username/password, SAML, OAuth, OpenID Connect, et al. If you cannot choose one protocol, why not choose them all? With many different products in today’s marketplace, there is a mind-numbing amount of access protocol support for authentication nicely wrapped into a soft appliance.
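As an added sketch of the access-bridge/STS idea from the earlier question and the "choose them all" point above (not VMware's, Salesforce's, or any vendor's code), this constructed Python example accepts either a SAML 2.0 assertion or an OIDC-style HS256 JWT, checks audience and expiry on each, and mints one short-lived internal token for downstream apps. The audiences, keys, and the constructed inputs are assumptions, and the SAML XML-signature check is deliberately left out of scope.

```python
import base64, hashlib, hmac, json, time
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
# Constructed, hypothetical settings for a stand-in access bridge (not a real deployment).
BRIDGE_AUDIENCE = "urn:example:access-bridge"      # what inbound credentials must be issued for
INTERNAL_AUDIENCE = "urn:example:internal-app"     # what the bridge's own token is issued for
OIDC_SHARED_SECRET = b"constructed-shared-secret"  # HS256 key shared with the upstream OIDC provider
INTERNAL_KEY = b"constructed-internal-key"         # key for the token the bridge issues downstream
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_jwt(claims, key):  # compact HS256 JWT; the bridge mints its internal token with it
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_hs256_jwt(token, key, audience, now):
    """Verify signature, algorithm, audience and expiry of a compact HS256 JWT; return its claims."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if json.loads(b64url_decode(header)).get("alg") != "HS256" or not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("JWT signature/alg check failed")
    claims = json.loads(b64url_decode(body))
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        raise ValueError("JWT audience/expiry check failed")
    return claims

def principal_from_saml(assertion_xml, now):
    """SAML 2.0 inbound credential: enforce Audience and NotOnOrAfter (XML signature check omitted)."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    aud = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=SAML_NS)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), "%Y-%m-%dT%H:%M:%SZ")
    if aud != BRIDGE_AUDIENCE or not_after.replace(tzinfo=timezone.utc).timestamp() <= now:
        raise ValueError("SAML audience/expiry check failed")
    return {"sub": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS), "via": "saml"}

def exchange(credential, protocol, now=None):
    """The STS step: any supported inbound protocol is normalised to one short-lived internal token."""
    now = time.time() if now is None else now
    handlers = {"saml": lambda c: principal_from_saml(c, now),
                "oidc": lambda c: {"sub": verify_hs256_jwt(c, OIDC_SHARED_SECRET, BRIDGE_AUDIENCE, now)["sub"], "via": "oidc"}}
    principal = handlers[protocol](credential)  # an unsupported protocol raises KeyError
    return make_hs256_jwt({**principal, "aud": INTERNAL_AUDIENCE, "exp": int(now) + 300}, INTERNAL_KEY)
```

Adding a third protocol is one more entry in `handlers`; the downstream app only ever sees the internal token, which is the point of the bridge.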
Come to Me, all who are weary and heavy-laden
And then it also occurred to me that if Jesus were one among the Identerati, do you think he would say “Come to Me, all who are weary and heavy-laden, and I will give you rest” as though inviting closure to the ongoing debate over access management standards and freeing up some of the bright minds working this age-old problem to work on new challenges? Maybe there is a role-based access governance problem that is worse off than the state of access protocols. When is the last time you ran an access re-certification or access audit in your organization? Is your privileged access management program a sound and effective one?
So that, then, is how I presume the world of Identity & Access Management to be according to three celebrities from the ancient to the modern world. The world of IAM according to Sir Phil Collins, Kurt Cobain and Jesus. I will be headed to the Gartner IAM conference in November if any of you want to meet up and debate the fine points of the intersection of IAM, music and theology.
If you are passionate about this subject and have a unique perspective to add to this thread, will you please do so?