July 02, 2009

Phil Windley - BYU: Automatically Building, Configuring, and Maintaining Complex Infrastructure

July 02, 2009 09:18 PM

I've been heads down for the last few weeks getting a project out the door for a new customer. As I mentioned, this involves creating a virtual appliance. I decided, due to the circumstances of this deployment, that the best option was to build an appliance factory that is capable of churning out new virtual machines at will. I'm going to describe how I did that in this post.

There are basically three steps to creating a new image that runs the Kynetx Network Service (KNS):

  1. Create a new virtual machine
  2. Install packages and Perl libraries, create users, and otherwise configure the machine to run KNS
  3. Deploy the KNS code and test it

I was exploring Kickstart files for automatically installing Fedora and CentOS when someone pointed me at Cobbler. Cobbler is a Linux installation server that is simply amazing. It includes templated kickstart files, DHCP and DNS servers, the ability to manage multiple distros and repositories, and a database for keeping it all straight.

You start by importing distros and images, then define profiles that combine those with kickstart files, and finally create system definitions for each machine referring to profiles. I only needed one distro, one repo, and one kickstart, so I ended up with multiple systems hanging off of one profile. Once that's done, a command called koan (kickstart over a network) is used on the Dom0 machine to create virtual machines as defined by the system definitions in cobbler.

I carefully edited the kickstart file to create just the machine I wanted with the right packages installed. At this point, I was building new VMs and taking them down 20-30 times a day as I tested this. That's the beauty of automation--tacking up a machine is just dirt simple.

I was lucky that I'd already invested considerable effort in Puppet recipes for building the environment that KNS needs to run, so the second step was almost done. In fact, with just a few edits, I had Puppet building the new VMs up.

The third step was also one that I'd spent some time on. I have a custom deploy script (in Perl) that deploys KNS code based on server role and takes care of all the little details like setting up the configuration files for the various servers.

Every system is slightly different, but I think there's a definite distinction between machine setup, system configuration, and code deployment. The first creates a fairly standard environment, the second configures it to a specific purpose, and the third manages the code.

Some thoughts on all of this:

Startups need to be lean. Achieving that goal in a compute-intensive business requires automation. Fortunately with tools like Cobbler and Puppet, automating the build-side of your infrastructure is not only possible, but fairly easy. We manage several dozen machines with only a few hours a week of effort. What's more, adding a new box for load or experimenting is as easy as typing a few commands and waiting 20-30 minutes.

Dave Kearns: Snoopy Sears

July 02, 2009 09:04 PM
World +dog seems to be cock-a-hoop over the new authentication that Sears has enabled, claiming OpenID is now accepted. Well, it is, but you'll only see it if you know it's there and go looking for it. First you'll be presented with a NASCAR box showing badges for Facebook, Yahoo, Google, Twitter, AOL and MySpace. Clicking on the [more] link gets you a choice of OpenID or Windows Live. But it isn't just authentication that Sears wants.

Click on the Facebook link, for example, and you see "Allowing Signin.mysears.com access will let it pull your profile information, photos, your friends' info, and other content that it requires to work."

Click on the Twitter link and get: "The application Signin.mysears.com by Sears would like the ability to access and update your data on Twitter."

Do I really want Sears to know who my friends are (and how to contact them)? Do I really want Sears to be able to update my Twitter data (whatever that is)?

Decidely and emphatically, NO!

Some may think this is a step forward for OpenID, but it's not. It's a step back for privacy.

Gerry Beuchelt - MITRE: Balisage 2009: Introducing hData

July 02, 2009 08:24 PM
For this year's Balisage in Montreal, we (R. Dingwell, A. Gregorowicz, H. Sleeper, and myself) have been accepted as a late-breaking proposal for our work on hData, which addresses some problems that are currently plaguing electronic health records. Our session is scheduled on Thursday at 11:00am. This is the abstract:
Title: hData - A Simplified Approach to Health Data Exchange

Interoperability issues have limited the expected benefits of Electronic Health Record (EHR) systems. Ideally, the medical history of a patient is recorded in a set of digital continuity of care documents which are securely available to the patient and their care providers on demand. The history of continuity of care standards includes multiple standards organizations, differing goals, and ongoing efforts to reconcile the various specifications. Existing standards define a format that is too complex for exchanging continuity of care information effectively. We propose hData, a simplified XML framework to describe health information. hData addresses the challenges of the current HL7 Continuity of Care Document format and is explicitly designed for extensibility to address health information exchange needs, in general. hData applies established best practices for XML document architectures to the vertical health domain, which has experienced significant XML-based interoperability issues.

As you might imagine, we will have to say a few things about identity, access, and privacy management for electronic health records, as well. Looking forward to seeing you there.


Mike Jones - Microsoft: Information Card Standard Approved!

July 02, 2009 07:32 PM

I’m thrilled to announce that the Identity Metasystem Interoperability Version 1.0 specification has been approved as an OASIS standard, with 56 votes in favor and none against. This standard benefitted substantially from the input received during the process. Numerous clarifications were incorporated as a result, while still maintaining compatibility with the Identity Selector Interoperability Profile V1.5 (ISIP 1.5) specification.

While this is often said, this achievement is truly the result of a community effort. While by no means a comprehensive list, thanks are due to many, including the OSIS members whose diligent efforts ensured that Information Cards are interoperable across vendors and platforms, the Information Card Foundation members for their adoption and thought leadership work, and the IMI TC members, including co-chairs Marc Goodner and Tony Nadalin, and Mike McIntosh, who was my co-editor. Paul Trevithick and Mary Ruddy get enormous credit for starting and leading the Higgins Project, as does Dale Olds for the Bandit Project. Kaliya Hamlin and Phil Windley were instrumental behind the scenes by running the IIWs. Axel Nennker has been a tireless force, producing both ideas and software, as has Pamela Dingle. Jamie Lewis, Bob Blakley, and Craig Burton all provided insightful guidance on the practical aspects of birthing a new technology. Arun Nanda deserves enormous thanks for doing the heavy lifting to produce the ISIP 1.0 spec. And of course, none of this would have occurred without the leadership and vision of Kim Cameron. Thanks one and all!

Ingrid Melve - Feide/UNINETT: Mandatory standards in Norwegian public sector

July 02, 2009 06:46 PM

Equal access to information and open standards are important to ensure free communication.  The Norwegian government has mandated standards for use in public sector, some highlights are

The character set and representation has been debated, but something was needed in order to include support for all the Sami languages and their character sets, as well as support for foreign character sets. Internationalization of society leads to a greater need for representing names and other information in the correct way. UTF8 is one representation, and it is not the worst.

Dare one hope for SAML2.0, preferably with an eGOV profile, for inclusion in the next update of the standards catalogue in a couple of years? We should prepare for that situation!

David Recordon: Sign in to Sears and Kmart with OpenID!

July 02, 2009 06:12 PM
A lot of the major adoption successes for OpenID have been in the tech industry, though as of yesterday you can sign in to MySears.com and MyKmart.com using an OpenID. Beyond Interscope Records offering OpenID sign in on artist sites like Snoop Dogg's, Sears is really the first major retailer adopting OpenID. More on the OpenID blog and congrats to the team at JanRain that helped make this happen:

“We’re constantly looking for ways to stay innovative in our online initiatives by identifying and implementing technologies that help our users navigate our communities with ease,” says Rob Harles, Sears’ vice president of community. “Our adoption of the OpenID technology helps simplify our customers’ online experience and ultimately helps us meet our goal of ensuring our customers have the most efficient shopping experience possible.”

Robin Wilton - Future Identity: In the interests of balance...

July 02, 2009 04:57 PM
Given that I've posted a couple of times about Alan Johnson's recent ID cards announcement, it's only fair to point you to his piece on the Guardian site today. It certainly refutes any allegation of a U-turn in one respect; the opening sentence is one we've seen from every Home Secretary since the Scheme was conceived:
"Our identity, the information that makes us unique, is something that we get called upon to prove each day, when we are opening a bank account, renting a flat, proving our right to work."
Please, Alan, can I stop you there? Two counter-examples to this assertion:

1 - 2/7/2009: Went to local chartered accountant to see if they would be a good firm to do the books for Future Identity. Needed to provide proof of identity for anti money-laundering compliance (compliance on his part, that is... I have no idea if he's a money-launderer...). No problem. One passport (already got one), one page of bank statement. Job done.

2 - 1/7/2009: Went to Houses of Parliament to attend Privacy APPG meeting. No need to prove identity. Their priorities are:
  1. have you got anything dangerous in your briefcase/briefs, and
  2. do you know the number of a room in the Palace of Westminster?
Having satisfied themselves on those two points, they let me straight in.

OK; in the first instance, I needed to prove my identity, but had no difficulty doing so without an ID card - and I could have presented my driving licence or either of a couple of other photo IDs I already possess. Net value-add of ID card: zero.

In the second case I didn't need to prove my identity at all, despite wanting to gain access to one of the most protected buildings in the country. I had to indicate my entitlement (and that only in the vaguest possible terms), and that I did not present a threat. Net value-add of ID card: zero.

Of course, these two examples are entirely unfair and un-representative. Normal passport use aside, it is extremely rare that I have to prove my identity at all. The last 36 hours have just been most uncommon in that regard.

Now, there may indeed be people who daily apply for a new bank account, flat, job or passport. My advice to the Home Secretary is... those are the buggers you want to keep an eye on.

Dave Kearns' IdM Newsletter: Can Sears Help OpenID Go Mainstream?

July 02, 2009 04:15 PM
The question is: is Sears - despite its claims of driving innovation in online retailing, which seems a bit over the top - merely a late adopter looking to try something new or is this a sign of OpenID maturing to a point where it can finally reach that tipping point where it really starts taking off with a mainstream audience?

Marc Canter - Broadband Mechanics: pdf’s of my Textbook and my Manifesto!

July 02, 2009 02:50 PM

So I finally found out how to trick Blurb’s BookSmart and get a pdf of my textbook. And here’s the pdf of my manifesto!

This is a happy day for me!

Now folks can read what I have to say without having to pay $60! And THEN if you love what I have to say - THEN you can buy a copy of the dead tree version (kudos to Cory Doctorow on that strategy!) It’s taken me THIS long to get here. How symbolic that the day I start to move my boxes into storage and REALLY move out - is the day my data moves out of its BookJail and into the cloud!

These pdf versions have a watermark in them and no covers - and I had to add one blank page to each book to normalize the “two-up” Acrobat reader display and get the pagination right.

That means that the page numbers will be off by one from the TOC.

But besides that - this ROCKS!

Everyone can now have a copy of my textbook - and a copy of my manifesto - for free!

:-)


Ludovic Poitou - Sun: LDAPCon call for papers extended to July 8th...

July 02, 2009 02:24 PM

I've just heard that the deadline for submitting proposals of presentations for the LDAPCon has been extended by a week.

If you're involved with LDAP in an interesting project and you want to share your experiences, your innovative concepts... please check the "Call for Papers" and submit a proposal. Don't wait, a week is not much and it's better to do it now than realize the deadline is already over ;-)

The second edition of the International Conference on LDAP (LDAPCon) will be held on September 20th and 21st, 2009 in Portland, Oregon, USA, just before and at the same location as LinuxCon 2009.


Courion: Oracle’s Fusion Middleware Strategy is “Specious”

July 02, 2009 12:32 PM

Courion Access Assurance Blog

According to the Merriam-Webster dictionary, "specious" means "having a false look of truth or genuineness." This is a strong word to use when discussing the strategy of a multi-billion dollar software vendor, yet that's exactly the word Anne Thomas Manes used to describe the Oracle Fusion Middleware 11g announcement on July 1.

As the market is starting to realize more and more, the strategy of the stack vendors (including Oracle, IBM, Sun, CA and others) is to dominate their customers' IT infrastructure, from desktop to data center and everything in between.

This is why we say "Hallelujah" when we see Ms. Manes flatly declare:

"As alluring as the one-stop shopping strategy is, organizations must learn to just say ‘no’. The reality is that no one has an entirely homogeneous environment. Oracle claims that Enterprise Manager supports end-to-end business process monitoring, but the concept breaks down if the process includes a .NET service or a third-party COTS application. A better solution is a management strategy that embraces diversity. Diversity in IT systems is a fact of life."

Courion's philosophy from the beginning has been to embrace the fact that every customer's IT environment is unique, heterogeneous and diverse. One reason we are able to compete effectively against much larger vendors is precisely because our Access Assurance solutions are designed to work with whatever the customer has in place.

Kudos to Ms. Manes for pointing out that this emperor has no clothes!


Robin Wilton - Future Identity: Main-stream, Schmain-stream...

July 02, 2009 10:35 AM
I know it's trendy to bitch about the Main-Stream Media, but in my opinion they are spot on sometimes:

"A glance at some of the papers yesterday [sic] might have led you to believe that something truly momentous had happened: Alan Johnson, the shiny new home secretary and sometime last-resort leadership hope of desperate Labour MPs, had finally rid the government of its self-imposed policy millstone and binned the ID card scheme. If only. What Mr Johnson did instead was something much more modest, but which nevertheless erodes yet further the government's case for the identity database.

...
Of all the bits that go towards the £5bn ID project, however, the bit of plastic was both the most visible and the least important. Two other aspects were considerably more important: the biometric technology which is anyway going into new passports and driving licences, and the identity database." The Guardian (Editorial, 2nd July 2009)

"Mr Johnson's announcement is probably sufficient to make the roll-out of any ID card fall below critical mass.

...

All that having been said, Mr Johnson's announcement signals less of a policy climb-down course-change than it might appear. There is, for instance, no change to the plans for a National Identity Register, and anyone applying for a UK passport will continue to have their details entered in that repository. Similarly, there's still no apparent change to the policy on DNA retention, despite the European ruling earlier this year... though perhaps it's a little unreasonable to expect two major climb-downs course-changes in quite such short succession." Future Identity (blog post, 30th June 2009)

Come on, chaps... keep up! ;^)

Identicentric: Deep Thought

July 02, 2009 10:32 AM

The Well was the first social network.

Although, I’m just being a contrarian to the social network hypers. The good old BBS probably pre-dates the Well, anyway.

Mark Dixon - Sun: links for 2009-07-02

July 02, 2009 09:00 AM

Ludovic Poitou - Sun: Work Paleontology

July 02, 2009 08:23 AM

It all started today by a conversation with a colleague on our long experience with LDAP and Directory Services...

I told him that I started my career as a developer in the X.400 domain. In my first job, for a French startup called E3X, between 1991 and 1995, I wrote 3 different versions of a P7 Message Store for the UCOM.X400 product line. Around the same dates, I was also involved a little bit with X.500. One of the things that I did was using our UCOM.X500 product to store information about some restaurants in the Sophia-Antipolis area, so that we could search and choose one whenever we had visitors coming. The data included, besides the usual address and phone number, the type of food, opening hours, whether reservation was necessary and so on...

The schema defined eventually got cleaned up and published as an internet draft by my manager at that time, Dr. Alain Zahm. You can find a summary of this internet draft at the very end of this page: http://choices.cs.uiuc.edu/uChoices/Papers/Proposals/92.MobileComputing/INDEX.
Minutes of the IETF OSI-DS meeting in November 1992 also show that the schema was discussed.
Now that all public and research X.500 servers have been stopped and decommissioned, there is no trace of this anymore. Google is too young to have references to this, and so is Yahoo. But I do remember that in the mid 90s, whenever I was searching for my name, most of the results coming back were associated with some little known restaurants on the French Riviera!

In 1995, I joined Sun to work on the Solstice X.400 product and a year later I started working on the University of Michigan slapd code to produce Sun Directory Services 1.0, released in September 1997... the rest is history :-)

Suretec: Catalyst Perl book out soon!

July 02, 2009 07:58 AM
The Definitive Guide 2 Catalyst: Writing Extendable, Scalable & Maintainable Perl-Based Web Applications

Gerry Beuchelt - MITRE: Links for 2009-07-01 [del.icio.us]

July 02, 2009 07:00 AM

Vittorio Bertocci - Microsoft: HTC * ( Touch Pro2 vs Universal )

July 02, 2009 04:40 AM

[warning: no identity in this post]

Ahh, immense joy. Today coming back from work I found a nice surprise: a brand new HTC Touch Pro2. Well, not exactly a surprise, since I spent every idle moment refreshing the FedEx tracking page; but it’s always a nice feeling to unbox a new gadget (as long as it does not become a compulsion to film & post every unboxing, behaviour that appears to be quite widespread lately. Rule 34: no exceptions).

The thingy is light, snappy, sports an enormous display with mind-blowing resolution, the best thumb keyboard I’ve ever used, and above all moves me back to first place in the “latest smartphone” arms race with my wife (she has an “old” Touch Pro, and until 2 hours ago I had a s730. HA!). It does lack US 3G, but I am usually pretty content with Edge: I live constantly surrounded by PCs readily available at arm’s length, for the few times I need connectivity while on the move I can wait a bit. The other thing I am not crazy about is the charger, a super-sized UK plug: apart from the times in which I travel to Singapore (rare) or London (even more rare), that just takes a lot of room without bringing any ROI. This is not the first time I have a phone with such a charger: 4 years ago I bought a JasJar (HTC Universal), a behemoth which was really good as a PDA but a tad oversized as a phone, which forced me to go around with a fanny pack (and very briefly with a man’s purse) which was handy for keeping the rear pockets of my jeans in good shape, but that regularly unleashed hilarity among colleagues, friends & detractors alike. Now, that was a long sentence. Well, I needed an adapter and I thought I could find it in the original box of the Universal, which in turn was in the den’s closet, sleeping the sleep of the just in the geological strata that can be dated to our last move. I sure found the adapter (too many, in fact: a UK->Italy and an Italy->US), but even more interestingly I found the Universal itself. The thing is much, much bigger than the TouchPro2: keeping them side by side makes it so incredibly obvious that I felt compelled to shoot a few pictures and write this silly blog entry for sharing them with you.

I know that the following is the quintessential commonplace about technology, nevertheless I can’t help being amazed at this magical force that packs more power & features in smaller and slicker form factors. In front of this, a little overstretching of my jeans’ pockets truly is a little sacrifice… at least I won’t have to dig out the fanny pack!

July 01, 2009

Jeff Bohren: Craftsman OpenID

July 01, 2009 05:49 PM

This is interesting. Sears (and Kmart) web pages now support OpenID for consumer authentication (as a relying party). I just gave it a spin on the Sears web site and it worked quite nicely with my Yahoo OpenID. When reauthenticating it remembers that I used my Yahoo OpenID last time and gives me that as a choice.

This is a really good application of OpenID. It gives me quick and easy access to consumer information without having to register yet again.

The only downside was that it required me to pick a unique screen name. I would have preferred it to give me the option to use my Yahoo OpenID as my screen name.

Other than that, it’s nicely done.

Identicentric: Tempo's New Look: An Introduction

July 01, 2009 05:01 PM

In preparation for taking Tempo’s new design out of beta and moving it to production, we’ve put together this overview of what has changed.

Will I still be able to use the old interface?

No, this is it! We’ve spent quite a lot of time and hard work responding to your feedback and incorporating it into the new design. We know it’s not going to make everyone happy, but we’re pretty certain that after you use it for a little while, you won’t miss the old skin.

We are planning to make the move as early as next week, so if you still haven’t taken a look at the new version, if you still haven’t told us about that one thing that’s missing that you really need, now’s the time to try it out and get in touch!

The Layout

The basic layout consists of a left-side navigation bar, a footer (unseen in the image above) and desktop-window-like modules in the main content area. What you are looking at above is the Time screen, which is new to Tempo. Well, sorta.

In the initial version of Tempo, there was one screen that did just about everything – entering new time, reporting, viewing, exporting, etc. This became more and more cumbersome as we added features. For starters, you had to modify the current report view just to see your own time! In the second major revision of Tempo, we tried splitting a ‘My Time’ screen off of the main reporting screen, but it was poorly received. Our design skills just weren’t up to snuff, so we reverted.

In the new design, however, I think we’ve really nailed it, thanks to nGen Works. The Time screen gives you stats pertaining to your recent performance and a full listing of all your time (reflected in the API, as well).

It also allows you to easily switch between full-form entry of time, with all the various options laid out for you, and the simple command-line entry that we prefer here at Zetetic:

In the image above you can see the new tagging setup we blogged about recently, which includes support for Suggested Tags on a project! Here’s the command-line entry form, on the same Time screen:

One other big change here is in the table showing entered time. Have you ever found yourself looking at a data set, and thinking, “Hmm, what else is on this project?” Or, “I’d like to see all entries this goofball has tagged with ‘foo’.” Now, it’s as simple as clicking on the labels on an entry to dial up a new report on the Reports screen, fitting that criteria!

But, I’m getting ahead of myself. Before we discuss reports, let’s take a look at another one of the major design changes:

The Sidebar

One of the biggest changes is the introduction of a sidebar for navigating the application. There were a couple of things we wanted to emphasize here, aside from providing quick and easy access to the main areas of interest on the site.

The Add Time link produces a modal dialog (sample) allowing you to enter new time from anywhere in the application, even the Project or Account screens. Your Reports links out to a full listing of each of your saved reports, with creation dates and details, and the report links below it provide you quick and easy access to those reports you need to run at the end of each billing cycle.

Reports

The Reports screen is what used to be the one-stop-shop for all reporting functions in Tempo. This is probably the interface that changed most dramatically:

Still at your fingertips alongside Tempo’s powerful reporting are the charts, exports, invoicing, locking, batch-tagging, and saved reports features. There’s something about these various features that always threw new users, and hopefully this new design makes it clearer: they all pertain to the current report! E.g. If I dial in all time billed to Spacely Sprockets for the current quarter and then click on Export or Invoice, I’ll be exporting or invoicing all the time billed to Spacely Sprockets for the current quarter!

For those of you who are used to Tempo, these functions haven’t changed much, beyond their skin:

Projects

We needed to give the Projects screen some love to bring it into the fold of the new design, and also to pave the way for new features. The project listing itself isn’t new, but hopefully breaking out the team management helps to make things a little bit more obvious for new users:

Coming soon: individual project dashboards! Each project will have its own page where we can provide project-specific tracking and statistics.

Account

Finally, the account screen got a facelift. This is where all manner of things are handled, from billing to user profile to account preferences; it was all here and it was getting to be a long mess! This time around we’ve sectioned things off to make it way easier to work with.

That about wraps up the major changes in this round of hacking. It’s mostly design-centric, aside from some non-insignificant API changes you should be aware of if you have your own software that interacts with Tempo’s API. We’re not done yet; there’s still more tweaking to do, more fixes to implement that have been sent in by our always-helpful customers! There’s still time to comment on the changes and make your voice heard, so please get in touch right away if you haven’t already; we’re looking to push this out next week, barring any show-stoppers.

Robin Wilton - Future Identity: Intrusive Money Pit?

July 01, 2009 05:01 PM
On June 10th I blogged about one way in which straitened economic circumstances can influence policy – and some of the likely effects that could have on governance. I used the example of the Government's plans to make ISPs and telcos collect and retain data about users' visits to third-party sites such as social networking services.

As I mentioned yesterday, I was at the House of Commons today for the first open meeting of the All Party Parliamentary Group on Privacy (Privacy APPG), as a result of which I need to reframe part of what I said in that previous post. Today's meeting was to discuss the implications of IMP - the government's proposal for an Interception Modernisation Programme, extending their current phone-tapping capabilities into the worlds of VOIP and social networking, among other things. You can read their background paper on IMP at http://www.privacyappg.org.uk/Meetings.html. (Contrary to rumour, IMP does not stand for "Inspect More Packets"...)

My original analysis was this: in an attempt to save the cost of setting up and operating a centralised repository of this telecommunications data, recently-departed Home Secretary Jacqui Smith announced that the responsibility for collecting and storing the data would be passed on to commercial network operators – who would hang onto it for a specified period in case the law enforcers wanted to trawl it for evidence. I felt this move to a distributed system was likely to increase risk by making the governance regime very much more complex.

However, it turns out that there is a precedent, in the implementation of the Regulation of Investigatory Powers Act (RIPA), for the government funding the telco operators for their part in putting the legislation into practice. One participant estimated the current government funding for this activity at between £30 and £40 million a year.

If the same approach were to be adopted for IMP, then I would have to change my analysis to run as follows: by devolving responsibility for IMP operations to the telcos and then funding them to do it, the government would not only increase the risk of ineffective governance (and therefore the risk of privacy violations and inappropriate access)... it would do so without saving any money. In fact, managing the governance regime for a distributed, heterogeneous system operated by various third parties would be most likely to cost more.

Mark Wilcox - Oracle: Oracle Fusion Middleware 11g is Now Live

July 01, 2009 04:29 PM

We launched 11g today. It's not just announcements - the software is ready to download.

There is more information on the updated Identity Management site.

It's also a major milestone for Oracle Directory Services reflecting over 3 years of work.

So what is new?

The biggest changes in this release are within the management interfaces.

First - all 11g Identity Management components are now integrated with Enterprise Manager Fusion Middleware Control (EMFMC). EMFMC provides customers with operational monitoring (is the server up/down, how is it performing) and is the single point of access for logging and auditing.

Second - Directory Services now support a common management interface - Oracle Directory Services Manager. In previous versions, OID and OVD had independent desktop-based management interfaces. ODSM provides a Web-based, task-focused interface leveraging Oracle's ADF framework, so it has a desktop look & feel. While OID and OVD share a common management interface, they do not require each other for deployment.

Over the next few posts - I will provide some more screencasts of ODS 11g.

Dave Kearns' IdM Newsletter: Oracle's Mega Fusion Middleware 11g Release

July 01, 2009 04:19 PM
It was a tremendous effort. It took 7,350 person-years of engineering, occupied over 3,500 Oracle developers, involved 220,000 tests run each night, and incorporated 5,420 customer enhancements and 1,987 individual development projects, according to Rizvi.

Dave Kearns' IdM Newsletter: Sears Adopts OpenID Technology

July 01, 2009 04:16 PM
Through this new innovation, users in the Sears and Kmart communities can use the ID and password they already have to write product reviews and can share information on products, services and solutions. Future updates planned with the OpenID platform will allow users in the communities to share their posts and product reviews with friends easily via Facebook.

Jeff Bohren: Drive by diagnosis

July 01, 2009 03:39 PM

Here is a disturbing idea from Cisco:

Chambers and Chief Demonstration Officer Jim Grubb showed off a camera from FLIR Thermal Infrared Camera Systems that can measure people’s body temperatures. If these cameras were installed at tollbooths to examine drivers, and networked with other such sensors, they could build a picture of how many people in an area had fevers that might indicate a disease such as the flu, he said.

Note that this data could be correlated with the transponder IDs to determine not only how many people have a fever but which specific individuals likely do. Although the intentions may be benign, this is an unacceptable violation of privacy.

Just because I take a toll road does not mean I am giving the government the consent for a remote medical exam.

Tom Kemp - Centrify: Comparing DirectControl to the Apple Active Directory ("AD") Plug-In

July 01, 2009 01:59 PM
I recently saw an article on options for integrating Macs in a Windows environment. The article noted that "Apple has offered an Active Directory plug-in ever since Mac OS X 10.3" but pointed out a key area that the Apple AD plug-in doesn't provide, namely Group Policy. I want to use this blog post to talk about the differences between our solutions and why some customers choose Centrify DirectControl over "what comes in the box."

Kuppinger Cole (Tim Cole): Integralis set to become the security arm of NTT

July 01, 2009 08:04 AM
In Kuppinger Cole + Partner

On Tuesday, NTT offered the Integralis shareholders €6.75 per share. Integralis’ shares had been trading for around €5, up from a low of €2.14 in February. This represents a windfall for stock owners of about 70 percent over the past three months. However, at the height of the Internet frenzy back in 2001 the share price climbed to a dizzying €165.

Integralis has recently been following an aggressive international expansion strategy, acquiring or founding companies in North America, the Near East and Asia and focusing extensively on Managed Security and Identity as a Service concepts. Simultaneously Integralis opened a string of Security Operation Centers (SOC) around the world in order to provide “follow the sun” support for its customers. NTT, which operates a single SOC in Japan, intends to begin offering its own clients 24-hour service as soon as the merger is confirmed by German anti-trust authorities. At present, NTT has no Managed Security offerings of its own, choosing instead to cooperate with IBM’s ISS division.

I called Georg Magg, the CEO of Integralis, shortly after the deal was announced, and he confirmed that his company had been actively seeking an acquisition partner over the past few months. “We’re too small to play at the big table”, he said. As the security arm of NTT, he insists, it will be much easier to bid successfully for major international projects.

Integralis recently entered the Identity & Access Management market with a series of Managed Services offerings, mostly focused on providing authentication solutions ranging from remote monitoring to remote operation or complete hosting. Though most at Integralis would beg to disagree, the truth is that Identity Management as hitherto addressed by the company remains largely a sideshow to their IT Security offerings – a rather short-sighted view in KCP’s opinion.

We are curious to see how the added financial elbow room provided by the NTT acquisition will affect Integralis‘ ability to expand its IAM options towards true “identity as a service” solutions, something that would appear well within the company’s capabilities. However, Tokyo will be calling the tune now, and it remains to be seen what, if any, IAM strategy the new owners will pursue.

Apparently NTT was only one of two or so dozen companies interested in acquiring Integralis. From a strategic standpoint KCP feels that a different choice might have been preferable – for instance IBM, where Integralis would have greatly complemented the existing ISS portfolio. Even continuing on alone might have been a viable option. However it seems that the major stakeholders, especially a few large investment funds, decided to end the rollercoaster ride of the Integralis stock and cash in their chips – disappointing, maybe, but understandable. We doubt that a medium-sized Anglo-German specialist with a distinctly central European viewpoint will be easy to integrate into an Asian corporate giant. While NTT has had some major wins in Europe (most notably Deutsche Lufthansa), the company has lagged behind its competitors in most European markets. Much will depend on whether NTT can successfully integrate the Managed Security solutions provided by Integralis into its existing services portfolio, and whether they will keep the dedicated team working for Integralis on a sufficiently loose rein. Given the tendency of some Asian conglomerates to micro-manage Western acquisitions, this is a serious worry. The real value of Integralis lies in its highly-qualified and hard-to-replace professionals, any of whom would be a rare catch for the competition.

Gerry Beuchelt - MITRE: Links for 2009-06-30 [del.icio.us]

July 01, 2009 07:00 AM

Marc Canter - Broadband Mechanics: How to build the Digital City textbook

July 01, 2009 02:47 AM

I’ve uploaded the final (draft3) version of the textbook I’ll be using to teach my class at CWRU this fall.

It’s course # EECS 396 - which is part of the EE Computer Science dept. at Case Western Reserve University.  I’ll be teaching on T-Thurs afternoons - for 15 weeks.

I am TOTALLY looking forward to meeting CWRU’s best and brightest!

draft3

This diagram shows off the many elements of our ’software infrastructure’.  There’ll be a Digital City ID system, which will merge SAML and Open Stack standards together - and keep everyone happy.

There’ll be shared servers, filled with jobs, events, businesses and services - with Open APIs for all to use.

There’ll be all sorts of on-line interactive multimedia content - which will fuel the sustainable business model - which is primarily focused at workforce development.

There are webcams and what I call ‘location pages’ - which will utilize eVectors Pages + system.

And you’ll notice these ‘bureaus’ which will be the focal node of every node.

Blurb has a ‘preview’ mode which allows you to see a few pages.  I’m gonna KILL these people if they don’t get me a pdf OUT of their BookSmart tool - which right now is acting like a BookJail - locking me into their proprietary platform.  I am so pissed off that I can’t share the content of this book with everyone via pdf.  Time to call Blurb - again.

Burton Group: I Can See Clearly Now...

July 01, 2009 02:45 AM

Blogger: Kevin Kampman

The Clear registered traveler program is responding to subscriber questions and concerns, and providing us some very relevant considerations for identity services. In correspondence that came out Friday afternoon, Clear indicated that:

•    The services provided are no longer available at airports
•    Privacy information has been secured in accordance with “Transportation Security Administration's Security, Privacy and Compliance Standards” (which don’t, by the way, identify what happens in the case of a company failure)
•    Clear, TSA, and Lockheed Martin (identified as the lead systems integrator for Verified Identity Pass, Inc, the company behind Clear) are working on an orderly program shutdown
•    Clear computers and disks assigned to airport kiosks and to Clear employees are being “triple wiped” to destroy all data and software
•    The identity information collected by Clear could be transferred to another service provider in accordance with TSA’s Registered Traveler Program policies, but no such transfer was identified. It is more likely that the information will be destroyed.
•    Clear is working with TSA, airports, partners and subcontractors to keep subscriber information secure.
•    There will be no refunds, support, or other consideration for subscribers.

The bottom line is that the service that subscribers bought into and the data collected is history. I for one am happy that I didn’t respond to their recent special offers, for example, for Father’s Day (“Reminder: There's still time - Dad deserves 5 star service (and a new tie)”).  Here’s a sad joke: What do a Clear smartcard and a necktie have in common? Answer: They’re both useless.

Watching Clear’s demise, I see some disturbing parallels. One example is electronic patient records. I would be very careful, based on this experience, to ask:
•    What regulations protect the information
•    Who owns the information
•    Who holds the information, and how can it be archived or transferred
•    How is it secured, and how can it be corrected, modified, and deleted
•    Who can see the information, and under what circumstances
•    How are breaches detected, and how will they be remediated
•    Who is liable for lapses, omissions, or damages?

In the case of Clear, it is likely that the only lasting damages will be to registered travelers’ wallets. However, the questions that emerged from Clear’s failure should be a bellwether for future identity-related private-public initiatives.

Jeff Bohren: Death of a Salesman

July 01, 2009 01:48 AM

Billy Mays has passed away. I understand he lived not too far from me, in Palm Harbor FL.

In many ways Billy Mays is the antithesis of Willy Loman. Billy Mays was a hero of the American Dream, not a symbol of its failure as was Arthur Miller’s salesman. He showed that you could reach great heights by doing one single thing well and doing it with gusto.

I hope he is hawking some truly heavenly products now.

June 30, 2009

Paul Madsen: Phishing for numbers

June 30, 2009 10:25 PM
Please sign-in by entering the grid numbers corresponding to your previously selected pattern (and indicate which site you believe you are signing in to. Not that we don't ourselves know, we're just testing you)

Dave Kearns' IdM Newsletter: The Experts Conference 2009 Survey Underscores Need for Secure Identity and Access Management

June 30, 2009 09:39 PM
Single sign-on, a new topic added to the survey in 2009, took first place as the top challenge among IT respondents, with 35 percent rating this area “problematic” or “out of control” in their organizations.

Dave Kearns' IdM Newsletter: Your Own Role in Identity & Access Management

June 30, 2009 08:28 PM
...one thing we haven’t written enough about is your own role in the IAM organization, i.e. the roles, responsibilities, skillsets and prerequisites for effectively exploiting an IAM program within an enterprise. It’s really a shame, since knowing who can make the most effective use of IAM products and processes (and how) is more instrumental in validating IAM value for the enterprise than any product feature available or report you can produce.

Dave Kearns' IdM Newsletter: Call for Nominations for the 2009 IDDY Awards

June 30, 2009 08:27 PM
The IDDY Awards shine a spotlight on the individuals and organizations responsible for building and deploying identity-enabled applications for people, communities, businesses and governments.

Kuppinger Cole: New design

June 30, 2009 08:26 PM
In European Identity Conference Blog

We would like to present a “design refresh” of our web sites: www.kuppingercole.com, blogs.kuppingercole.com, and www.id-conf.com.

We hope that a common header style will increase recognition and ease navigation between the sites.

You are welcome to visit anytime, there is always something new waiting for you :)

Dave Kearns' IdM Newsletter: SaaS provisioning

June 30, 2009 08:25 PM
Of course having an SPML capability in a SaaS is not going to be much help if the enterprise doesn’t have a provisioning system in place with SPML support. SPML support is not widely available in provisioning systems (although there are a few that have it out of the box).

Vittorio Bertocci - Microsoft: [VIDEO] Identity & Cloud Services

June 30, 2009 07:57 PM


As promised last week, here there’s the video of my other session at the Belgian TechDays.

This session was part of the Architecture track, hence I took a mildly different, more abstract approach: I position Cloud computing as a trend (storytelling the famous parallel between last century’s electrification of the US and what may happen with Cloud services as we move toward a utility model), then talk about identity in general (same slides as the other session, slightly different angle) getting deeper in the underlying architectural patterns. Finally, I play a bit with the Access Control Service, using our MMC and a simple example for describing its inner workings.

In this recording I don’t do any crazy things like wearing sunglasses when I ask a question to the audience (this session was 2 days earlier than the other one, I had yet to discover how bright the lights were) but I do gesticulate a lot (in fact, it’s hard for me not to do it) and I pull a few anecdotes out of the hat which should mitigate your drowsiness as I blabber about the serious stuff. Have fun! :-)

Robin Wilton - Future Identity: So... it's the Swiss we don't like...

June 30, 2009 07:36 PM
I regret that I have two corrections to make to my earlier post about the UK ID Cards policy.

The first is that, far from being a climb-down or policy course-change, the Home Secretary's cancellation of compulsory ID cards was in fact a re-affirmation of commitment to the scheme and the signal for an accelerated roll-out. This document on the IPS website provides further details.

The second is to clarify that, while European Economic Area citizens will not have to be issued with UK ID cards, the exemption does not extend as far as European Free Trade Area citizens. So, while the Norwegians, Icelanders and Liechtensteiners are OK, the Swiss are PNG.

I can only assume this is at once a subtle pay-back to the recently-defeated Stanislas Wawrinka for keeping Andy Murray on court past his bedtime, and a masterly pre-emptive ploy aimed at Roger Federer.

Stephen Potter would be proud.

Robin Wilton - Future Identity: Doctorow's DIY Digital Deed-box

June 30, 2009 07:06 PM
Interesting piece here about Cory Doctorow's search for a solution to the problem of what to do with your "digital legacy". Now that so much of our lives is lived/captured/stored digitally, it's far more likely that our executors and relatives will need to unlock a laptop, disk drive or a file than a desk drawer or a filing cabinet... and yet, as Cory notes, there's not much on the market that provides a simple solution.

The French eID scheme has, for some time, included a 'digital vault' for each citizen to use as a repository, but I don't know what the escrow arrangements are should the citizen die and someone else need access. Perhaps someone could comment if they know the details?

Cory mulls over the complexity of various DIY options - but fortunately for him, help may be at hand in the form of the EU-sponsored PrimeLife project. At the project's Reference Group meeting in Frankfurt earlier this year, I heard an excellent talk by Sandra Steinbrecher on "Trusted Content and Privacy Throughout Life". The slides are online here, and I recommend them for their clear analysis of the problem.

Robin Wilton - Future Identity: ID Cards scrapped... but what next?

June 30, 2009 06:43 PM
Home Secretary Alan Johnson has taken advantage of his recent arrival to announce a change of policy: ID Cards will now not be compulsory... for anyone other than foreign nationals working in the UK.

Though, if I remember correctly, it remains illegal under EU law for any Member State to require the citizens of another Member State to carry its (the former State's) identity credential... so actually that means "foreign nationals other than citizens of other EU States..." and possibly European Economic Area/European Free Trade Area States (Norway, Iceland, Liechtenstein and Switzerland) as well, I don't know. "EU Member State" is one of those categories which seems neat and tidy at first glance, but turns out to get a bit fractal the closer you peer at it. Apparently the Falkland Islands, Greenland and Nouvelle Calédonie are not Member States, for instance, despite being overseas dependent territories of countries which are. I apologise in advance to their worthy inhabitants, but I'm not even going to look up San Marino, Andorra and the Vatican...

But I digress. The point is, by the time you rule out UK nationals and "citizens of the European Fractal", I wonder what percentage of the inhabitants of these islands you're left with, who may legitimately be challenged to produce an ID card. However, adoption of a voluntary citizen card, by the rest of us, is unlikely to achieve critical mass unless there is already a sufficient infrastructure (of authentication devices, for instance) to stimulate the development of a service provision ecosystem, which in turn makes such a card worth carrying. Carrying that logic through to its conclusion: I cannot, in the current circumstances, see a Home Secretary committing to the investment required in such an infrastructure in the hope that it might stimulate enough demand for the scheme to pay for itself in the end.

When you then consider that anyone who still counts as a "foreign national working in the UK" will have to have their own country's passport, and probably a visa, work permit and/or other documentation in order to get in and stay here, Mr Johnson's announcement is probably sufficient to make the roll-out of any ID card fall below critical mass. What would be the point? A database record, indexed to the individual's immigration record on entry, would satisfy the same purpose without anyone having to issue, carry or check a plastic card.

All that having been said, Mr Johnson's announcement signals less of a policy climb-down course-change than it might appear. There is, for instance, no change to the plans for a National Identity Register, and anyone applying for a UK passport will continue to have their details entered in that repository. Similarly, there's still no apparent change to the policy on DNA retention, despite the European ruling earlier this year... though perhaps it's a little unreasonable to expect two major climb-downs course-changes in quite such short succession.


So where do we go from here? Despite successive Home Secretaries' determination to confuse the two, the National Identity Register and the National Identity Card were never the same thing, and a National Identity Scheme can quite viably continue without anyone having to carry the "terrifying, small... plastic card". The question, then, is what the government plans to do with the Scheme once its plastic card has been virtualized - NIS 2.0, perhaps... (sorry).

I think it's fair to say that the ditching of said plastic cards removes an element which added enormous complexity for questionable benefit. My hope is that that will free enough "policy-bandwidth" to make something sensible and constructive out of the government's citizen ID policy henceforth. For instance, perhaps this signals a shift away from the hierarchical, paper-credential view of citizen identity and towards one based on the selective management and disclosure of attribute-level assertions.

Perhaps we are ready to move away from the policy of:

"Tell me who you are, and I'll look up everything about you" and towards one of

"Approve a minimal disclosure of just enough data to let me grant you access, deliver this service, establish this entitlement...".

That would be a shift indeed, and one which could reflect a far more privacy-positive approach. It may be that I'll have the opportunity to find out tomorrow, at a meeting of the All Party Privacy Group in Westminster.

Matt Flynn - NetVision: Nobody gets fired for buying IBM

June 30, 2009 06:32 PM
I liked this article about how some corporate IT departments are reacting to the economic downturn. "We're using smaller, lighter and cheaper technologies..." says one CIO.

Being that my employer is a small, nimble, innovative software company, I especially liked this quote from CPS Energy CIO Christopher Barron:
"With software from smaller vendors, it can take 20% to 40% less time to implement, and if it works, it could save you between three and eight times as much. The catch, of course, is that it doesn't always work. But even failing seems to be cheaper than going with the big guys."
I've always heard the adage that 'Nobody gets fired for buying IBM', meaning that even if you spend a little more, you're playing it safe by going with a trusted, well-known name. But the only projects I've ever heard becoming a colossal failure involve solutions from big name vendors with multi-million dollar price tags. And the really cool success stories you hear involve someone accomplishing something great with minimal budget.

Don't get me wrong - I know that many large businesses are run on big name solutions from IBM, SAP, Oracle and the like, but I think we need to be clear that the adage is not an axiom. That is, it's not self-evident. In fact, to some, it might even be nonsensical. Why would it make sense to spend 4x the amount of money to decrease your risk of over-expenditure?

What do you think? Does the adage hold up in today's economy? Will it hold up when we recover? Is it simply a question of finding the right solution for the job, or should it be part of a CIO's objective to put cost out in front of the decision?

Ludovic Poitou - Sun: LDAPCon call for papers closes tomorrow...

June 30, 2009 04:39 PM

If you're involved with LDAP in an interesting project and you want to share your experiences or your innovative concepts... please check the "Call for Papers" and submit a proposal NOW!

The second edition of the International Conference on LDAP (LDAPCon) will be held on September 20th and 21st, 2009 in Portland, Oregon, USA, just before and at the same location as LinuxCon 2009.


Guy Huntington: NERC and Identity and Access Management

June 30, 2009 04:04 PM
Currently, many utilities and critical infrastructure industries are having to comply with NERC CIPS. The point of this blog is that I feel this is eerily similar to SarBox in its early days. When SarBox requirements came in, there was a mad scramble to figure out who was on financial systems and to ensure that identities were terminated. This brought attestation lists into life. I remember one company where the SVP had an executive assistant working nearly full-time on vetting the lists for the SVP. Over the next few years, enterprises began to understand the significant effort, time and cost needed to produce the regulatory reports. This led to many identity management projects with electronic attestation that significantly reduced the cost, time and effort to comply.

NERC is of course different in that it pertains to critical assets, physical and logical systems. This past year, many consultants and employees have been scrambling with their spreadsheets, databases and lists to begin compliance. I see the same trend happening here regarding identity and access management as occurred with SarBox.

There are many challenges in NERC. Many large enterprises have many data stores of critical assets where the asset is identified differently in each store. (Sound familiar, identity people? It's a great application for virtual directories.) Then there is the physical and electronic access. Getting these lists put together takes time and money. These too are great applications for identity and access management. I have written a couple of white papers on this (see the "Papers" section of www.authenticationworld.com). Over the next four years I predict that many utilities and critical infrastructure enterprises will adopt identity and access management to reduce their recurring costs.

Regards, Guy

Dave Kearns' IdM Newsletter: Transparent or Translucent?

June 30, 2009 03:40 PM
While we have Data.gov as one of the current administration’s steps towards furthering government transparency, we do not have an analogous Process.gov. Said another way – we get the sausage but don’t get to see how it is made. This isn’t transparent government but translucent government.

Kuppinger Cole: Stronger and simpler authentication

June 30, 2009 01:58 PM
In Martin Kuppinger

I’ve seen many approaches for strong authentication – most of them are either too expensive, too complicated, or they aren’t really appealing. The latter is true for approaches like “passfaces”, where you have to pick one or more known faces from a set of pictures. Many approaches are complicated to deliver. And many of the token-based approaches are complex from a logistics perspective and are expensive. However, many of these approaches, and especially combinations of, for example, hardware tokens and soft tokens, will work for many use cases.

But there are other approaches which are interesting as well. One which looks pretty interesting is GrIDsure, provided by a UK vendor and implemented by several OEMs right now. The idea is to provide a grid of numbers and to define a pattern within this grid per user. One user might decide on picking the numbers in the corners, clockwise. The next one might pick numbers from the second line, from the right to the left. Even a relatively small grid allows for many different combinations. And due to the fact that the numbers within the grid change every time, there is a very high number of changing PINs which can then be entered. The concept is easy to understand, doesn’t require additional hardware and works with any type of device with a display.

Despite being really reluctant when a new vendor appears and likes to tell me that he has found the solution for strong authentication, the conversation with GrIDsure was definitely interesting. At least interesting enough to cover it in my blog and to do further research on that solution.
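A simplified model of the pattern-on-a-grid scheme described above, added here as an example; it is not GrIDsure's own code, and the 5x5 digit grid, the four-cell pattern and the server/client split are assumptions rather than the product's actual parameters. It generates a fresh challenge grid, derives and checks the one-time PIN, and then shows the caveat a practitioner should weigh before treating this as "strong": the PIN changes every time, so a single captured login is useless for replay, but an attacker who captures a handful of (grid, PIN) pairs, by phishing (the angle Paul Madsen's "Phishing for numbers" entry above jokes about) or shoulder-surfing, can intersect the cells consistent with each captured digit and recover the secret pattern.

```python
import hmac
import random
from typing import List, Sequence, Set, Tuple

# Assumed geometry for this example: a 5x5 grid of single digits and a
# four-cell secret pattern. The real product's parameters may differ.
GRID_CELLS = 25


def new_challenge(rng: random.Random) -> List[int]:
    """Server side: fresh random digits for every login attempt, so the PIN
    read off the grid is different each time."""
    return [rng.randrange(10) for _ in range(GRID_CELLS)]


def respond(pattern: Sequence[int], grid: Sequence[int]) -> str:
    """Client side: the user reads the digits at their secret cells, in
    pattern order, and types them as the one-time PIN."""
    return "".join(str(grid[cell]) for cell in pattern)


def verify(pattern: Sequence[int], grid: Sequence[int], response: str) -> bool:
    """Server side: recompute the expected PIN for the grid the server issued
    and compare in constant time. The server must remember which grid it
    sent; accepting a client-supplied grid would let the attacker choose it."""
    return hmac.compare_digest(respond(pattern, grid), response)


def recover_pattern(observations: Sequence[Tuple[Sequence[int], str]]) -> List[Set[int]]:
    """Attacker side: from captured (grid, PIN) pairs, keep for each PIN
    position only the cells whose digit matched in every observation.
    The true cell always survives; each wrong cell survives a given
    observation only about one time in ten."""
    length = len(observations[0][1])
    candidates = [set(range(GRID_CELLS)) for _ in range(length)]
    for grid, pin in observations:
        for pos, digit in enumerate(pin):
            candidates[pos] &= {c for c in range(GRID_CELLS) if grid[c] == int(digit)}
    return candidates


def simulate_leak(pattern: Sequence[int], n_observations: int, seed: int = 1) -> List[Set[int]]:
    """Run n logins with a seeded RNG (constructed data, not real traffic)
    and hand the captured grid/PIN pairs to the attacker."""
    rng = random.Random(seed)
    captured = []
    for _ in range(n_observations):
        grid = new_challenge(rng)
        captured.append((grid, respond(pattern, grid)))
    return recover_pattern(captured)


if __name__ == "__main__":
    secret = [0, 4, 24, 20]  # the four corners, clockwise
    for n in (1, 2, 4, 8):
        sizes = [len(s) for s in simulate_leak(secret, n)]
        print(f"after {n} captured logins, candidate cells per position: {sizes}")
```

The arithmetic is the point: with 25 cells and ten digits, one observation leaves roughly 2.5 candidates per position, two leave about one, so the scheme resists replay of a single captured PIN but not a phishing page that harvests two or three logins. That is the check to run against any "changing PIN" design before dropping a second factor.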

JISC Access Management Team: Give Me All Your Data and I Will Tell You Where You Are Going

June 30, 2009 01:47 PM

Through a roundabout way, I’ve just been looking at TripIt, currently a US application that basically provides a convenient overview of your trip itinerary (and wraps all sort of services around it like advertising, user recommendations, sharing with friends etc). All you have to do is e-mail your booking confirmations / itineraries from any travel company to TripIt and they build your itinerary at TripIt. For people like me who are hopelessly unorganised it is simple, elegant and quick and works across different companies through aggregation.

Hang on a minute. E-mail TripIt your booking confirmation? With all of your travel details, personal details, payment details on it? How valuable is that information? How personal is that information? How much do I trust TripIt with that sort of data?

Now to be fair, TripIt have a clear privacy policy and user agreement prominently on their website:

TripIt Privacy Policy .

However, this agreement is fairly open and allows for a lot of sharing and reuse of personal data, and open publication of travel dates (burglars - over here!).

Users love this site. They love the functionality and organisation features and all of the enhancements it gives to your user experience…and they don’t seem that worried about sharing this data. As organisations struggling under the burdens of the Data Protection Act in the UK, how do we get the balance right between protecting users and warning them of the dangers, and developing services that can exploit personal(ly) (identifiable) information (PII) to meet user demands? It’s an interesting quandary but I’m keen that it is properly explored as a subject area and not shut down by overly risk-averse approaches.

Paul Madsen: Contextual reputation metrics

June 30, 2009 11:38 AM
I received an invite to connect from a friend - this time from TripIt - the online travel organizer (which I love).

Presumably to encourage me to accept, the invite includes the phrase
X has traveled 31,102 km to 9 locations

Well that's good, cuz there is absolutely no way I would friend-up with anybody below the 30k threshold.

Vertical networks like TripIt of course have an advantage over horizontal networks in being able to offer such metrics  - all they have to offer is # connections.
 

Jeff Bohren: SaaS provisioning

June 30, 2009 11:27 AM

Jackson Shaw makes the point that the last thing most enterprises need is to take on provisioning their SaaS identities when they are still struggling with their internal identities:

We have a standard called “Services Provisioning Markup Language” (SPML) which was specified to help provision identities via a web service. Does your SaaS vendor support that standard? I’ll bet they do not! What do you do then? I’ve met with hundreds of customers over the years and many are still struggling with provisioning inside the enterprise! Throw in SaaS provisioning – via some hairbrained interface because the vendor doesn’t support SPML – and it only adds to the organization’s identity management complexity.

Of course having an SPML capability in a SaaS is not going to be much help if the enterprise doesn’t have a provisioning system in place with SPML support. SPML support is not widely available in provisioning systems (although there are a few that have it out of the box).

Ashraf Motiwala echoes the point and also points out that enterprise are going to want to leverage not only their internal provisioning systems, but also their workflow and role management systems as well:

Recreating a workflow engine, role management, delegation, etc. in the cloud seems to just create redundancy for these capabilities, especially for organizations that have already dropped a few dollars to deploy an IdM solution on premise. Why would I drop my existing investment here? (Perhaps there is a compelling case, but I just don’t see it.) I would much rather find a solution that proxies the SPML requests from my existing provisioning solution that handles all the complexities (or “hairbrained interfaces”) for the SaaS apps on the backend!

The upshot is that SaaS vendors should be rolling out SPML interfaces to their services. But just as with the traditional enterprise software vendors, they most likely won't do it until customers demand it. Until SPML support becomes a selection criterion, it probably won't happen.
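The proxying arrangement Ashraf describes, where the on-premise provisioning system keeps speaking SPML and something in between translates to each SaaS vendor's own interface, as an added example that is not from either post: a minimal SPML 2.0 addRequest proxy in Python. The target IDs, the sample request and the fake CRM adapter are constructed for illustration; the error codes and element names are the SPML 2.0 ones.

```python
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"

def q(local):
    """Qualify a local element name in the SPML 2.0 namespace."""
    return f"{{{SPML_NS}}}{local}"

# Constructed sample: an addRequest as an on-premise provisioning system might send it.
SAMPLE_ADD_REQUEST = f"""<addRequest xmlns="{SPML_NS}" requestID="req-42"
            targetID="crm-saas" returnData="identifier">
  <data><email>alice@example.com</email><displayName>Alice</displayName></data>
</addRequest>"""

def fake_crm_adapter(attrs):
    """Stand-in for the vendor-specific, non-SPML call; returns the backend's new identifier."""
    return "crm-user-" + attrs["email"].split("@")[0]

class SpmlProxy:
    """Accepts SPML addRequests and routes each to the adapter registered for its targetID."""
    REQUIRED = ("email",)  # attributes every backend here needs; reject requests without them

    def __init__(self, adapters):
        self.adapters = adapters  # targetID -> callable(dict) -> backend identifier

    def handle(self, xml_text):
        req = ET.fromstring(xml_text)
        request_id = req.get("requestID", "")
        if req.tag != q("addRequest"):
            return self._failure(request_id, "unsupportedOperation")
        adapter = self.adapters.get(req.get("targetID"))
        if adapter is None:  # unknown target: do not guess a backend
            return self._failure(request_id, "noSuchIdentifier")
        data = req.find(q("data"))
        attrs = {} if data is None else {c.tag.split("}")[-1]: (c.text or "") for c in data}
        if any(not attrs.get(k) for k in self.REQUIRED):
            return self._failure(request_id, "malformedRequest")
        new_id = adapter(attrs)
        resp = ET.Element(q("addResponse"), status="success", requestID=request_id)
        pso = ET.SubElement(resp, q("pso"))
        ET.SubElement(pso, q("psoID"), ID=new_id, targetID=req.get("targetID"))
        return resp

    @staticmethod
    def _failure(request_id, code):
        return ET.Element(q("addResponse"), status="failure", error=code, requestID=request_id)

def proxy_sample(xml_text=SAMPLE_ADD_REQUEST):
    """Run a request through a proxy with one registered target; returns (status, error, new id)."""
    resp = SpmlProxy({"crm-saas": fake_crm_adapter}).handle(xml_text)
    pso_id = resp.find(q("pso") + "/" + q("psoID"))
    return resp.get("status"), resp.get("error"), None if pso_id is None else pso_id.get("ID")
```

The provisioning system only ever sees SPML responses; whatever the vendor's interface looks like stays inside the adapter, and requests for targets nobody has registered are refused rather than forwarded.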

Robin Wilton - Future Identity: UK policy and cyber-warfare [Technorati links]

June 30, 2009 08:49 AM

A few years ago I was given a very good piece of advice about technologists expressing a view on matters of policy: don't.

"Think of three layers", was the suggestion of my older and wiser colleague: "a bottom layer of technology, a 'good practice' middle layer, and a policy top-layer. Be aware that decisions at the policy layer are driven by all kinds of factors over which you will never have control... and however tempting it may seem to do otherwise, restrict yourself to opinions on the other two layers". I took this advice to heart, and while I have had the occasional lapse, it has not let me down when I have stuck to it.

So, then, what to say about the government's announcement, last week, of its plans to establish a cyber-security operations centre?

Well, I think there are three questions to ask:

1 - is there a pressing need for a cyber-security capability? I suspect the answer to that one is a clear 'yes'. There's no doubt that cyberspace represents an element of the Critical National Infrastructure (CNI), just like the transport, water, power, communications, financial and sewage networks on which our country depends. It may be entertaining to be transported back to the 70s by watching "Ashes to Ashes", but few of us would much enjoy a long spell of being restricted to 70s technology levels.

And just like all those other elements, the UK's cyberspace presence is inextricably linked into the global network. ("Sewage?", I hear you mutter... "How is the sewage system cross-border?" Ask the Dutch... I read a report that, if the Netherlands couldn't export the excrement by-product of its bacon industry, t
