Tag Archives: Enterprise Architecture

Good advice on CMDBs that sounds strangely familiar

Posted on October 31, 2008 | Leave a comment

George Spafford has this to say about CMDBs:

The truth is that a great many software-led configuration efforts that emphasized the technical merits of the CMDB have failed abysmally because the process requirements weren’t understood and addressed appropriately.

In response to this, tools vendors reacted in an unsurprising manner: they created a technology-led solution called “autodiscovery”. The premise is that by using autodiscovery tools to identify new, changed or deleted configuration items in production the CMDB will be current and accurate thus overcoming all the process problems. Guess what? The results have been far from ideal because it still does not negate the need for processes.

A fairy doesn’t appear at 2 A.M. in the data center and magically change configurations and move equipment. The fact is that someone made those changes and it is to everyone’s benefit to understand why. Simply pumping the changes blindly into the CMDB with autodiscovery is a recipe for disaster.

This should sound very familiar to anyone who has worked on IdM projects.

There are two take-aways from this. First, all of these wonderful enterprise tools require a process to be used effectively; and second it all comes down to people in the end.

→ Leave a comment

Posted in Change Management, CMDB, Identity Management

Tagged , , ,

Tightly coupled vs loosely coupled in the enterprise

Posted on September 19, 2008 | Leave a comment

Ping Identity’s Andre Durand makes some interesting observations about internal IdM vs Federation projects in the enterprise:

What’s interesting about our conversations is that invariably, they talk about one or more of their internal provisioning, IdM or WAM projects that is basically not meeting their expectations. What I find interesting about this is that federation deployments, by their very distributed nature, are taking an entirely different approach. Most if not all centralization projects are large, costly, complex and long. This makes them inherently more risky, and introduces higher and higher probabilities of failure at one or more levels.

He is absolutely right that centralization projects typically larger, more costly, and just plain harder than federation projects. Centralization is harder because it creates tight coupling between systems where as federation creates a loose coupling between systems. And tight coupling of systems made by different vendors (and often the same vendor) can be very hard and risky.

So Federation (loose coupling) is always the best way to go, right?

No. It’s often the best way to go but there are many times that tight coupling simply must be done. Often that means using a provisioning system and a means of synchronizing accounts (IBM TIM, Sun SIM, MS ILM, etc). Sometimes that means configuring your systems to centralize the identity (Quest Vintella,  Centrify, etc).

And here is where I will let you in on the dirty little secret of provisioning. It’s really all about deprovisioning. Typically enterprises don’t care if it takes weeks for you to get access to all of the resources you need to do your job. They care in the abstract (usually), but not enough to actually do anything about it. But the minute your employment is ended, your access to all your enterprise resources needs to be turned off.

And for that you need centralization of some sort.

Of course I have seen plenty of cases where systems are tightly coupled from an identity standpoint but loose coupled from and authentication standpoint. This is where the two systems share synchronized or centralized accounts, but are SSO enabled via federation. One common use case is using federation to bridge different vendors WAM solutions.

→ Leave a comment

Posted in Authentication, Identity, Identity Management, Password Management, Provisioning, Security

Tagged , , , , ,

Read vs Write in the Enterprise

Posted on December 11, 2007 | Leave a comment

I blogged about User Centric Identity in the Enterprise domain here. Matt Flynn blogs about it here and makes a very good point that I overlooked. I noted that the aspect of User Centric Identity that enterprises are most interested in is user self-service of personal information and credentials.

Matt makes the point that while users may provide this information via Self-Service, the typically can’t control who gets access to it afterwards. Basically the employee has read/write access and an indeterminate number of people have read access. So really the whole thing boils down to a terminology debate. I loathe terminology debates.

Clearly enterprises are not going to let employees control the use of their identity and personal information in general. Just as clearly they want to the employee to be responsible for providing and maintaining that same data.

Call it what you will.

(Mirrored from TalkBMC)

→ Leave a comment

Posted in BMC Software, Identity, Identity Management

Tagged , ,