Virtual Identity Dialogue

Here are some thoughts as I look back at 2007 in terms of Directory Services:

General:

• We saw more consolidation - in particular in virtual directory market (SAP bought MaxWare)
• Directory Services remain key to many applications and not just for security (e.g. personalization, data for workflow applications)
  
• Scalability is not just for telcos anymore as more & more organizations launch customer-oriented Websites that need directory services (either storage-based or virtualization of existing identity stores)
  
• Identity as a Service entered more conversations as things like directory virtualization, CardSpace and OpenID increased awareness of possibilities
  

• OVD 10.1.4.2 certified with Enterprise User Security - EUS simplifies user & role management for the database - now customers can choose to synchronize to OID or store EUS information in existing directory servers.
  
• OID 10.1.4.2 certified with Database Vault and Transparent Data Encryption - providing end-to-end security of directory storage that prevents even the DBA or Sysadmin from accessing your data except via LDAP clients with proper authorization.
  

Just saw this on CNN about how the US govt is attempting to finally make "REAL-ID" happen.

To summarize - REAL-ID is a specification that is designed to facilitate the standardization of information on Driver's License for electronic readers. The goal being that they will be harder to fake.

As anyone who has followed the story knows - there's alot of hot air on both sides.  People who want REAL-ID think it's going the security panacea  - that 9/11 would some how magically would not have happened had REAL-ID been in place. 

Of course that ignores that best preventive measure would have been kevlar-reinforced cockpits and orders to pilots NEVER to open the door under a terrorist threat.

The reason why REAL-ID is attached to 9/11 is that the terrorists had multiple driver's licenses and that if REAL-ID had been in place we would have caught the terrorists because I guess they would have shown up "Mohammad Ata - Known Terrorist" instead of whatever id they did present.

9/11 was a well funded operation who managed to bribe officials into getting valid driver's licenses without proper credentials. Actually on some level REAL-ID based driver's licenses may actually become easier to obtain because dishonest brokers only have to focus on system to create fakes. Plus because they are more valuable - there maybe more of a reason to sell them illegally (which is how at least some of the licenses in 9/11 were obtained - by buying them for a dishonest DMV employee).

But my favorite line in the story is the reason why REAL-ID cards for people over 50 is not going to be mandatory at first:
" the risk of someone in that age group being a terrorist, illegal immigrant or con artist is much less."

I won't debate the illegal immigrant  (though I personally despise the term but that's for another day & probably different blog). Most immigrants are usually younger people but that's irellevant.

The fact is that the other 2 groups listed - terrorist and con artists (I cracked up reading that) to my knowledge have no age criteria (though I did have a funny idea for a SNL type skit about someone filing age discrimination lawsuit against Al-Queda). Though it doesn't matter as much either because as I've said - REAL-ID is not going to be a magic security silver bullet.

But as I've written earlier - I'm no longer opposed to it either. We're already collecting the information used by REAL-ID and having a standardized system for getting that information is likely to have many positive aspects - security (at least defined by how the proponents of REAL-ID like argue) just isn't one of them.

My good friend Zed Shaw wrote a recent blog post called (warning contains bad words but we're all adults - right?)  "Rails is a Ghetto".  I really don't do anything (yet) with Ruby and I actually debated writing anything on it.

But I feel I must if for no other reason - Zed is one of my closest friends. I've know Zed since he was at University of British Columbia and I was starting at WebCT. He was doing really cool work on early Web Services and uPortal. I literally talked my management to paying my way to a uPortal conference (luckily uPortal was aimed at higher-ed and WebCT was too so wasn't too much arm twisting) just so I could meet Zed.

Zed is by far the best programmer I know. He's usually thinking 3-4 steps ahead of anyone else - which is why I think there can be some friction.

Then when this post came out - I was really worried for him. I felt bad - I didn't know exactly how lean those early days with Ruby were. And I wasn't sure if this post was too wise.

But then I watched another episode of Anthony Bourdain's No Reservations on Travel Channel. Which then reminded me of his first book - his big break - "Kitchen Confidential".

Which effectively was Bourdain's rant against food industry and many people (including himself) thought would kill his kitchen career.

But the opposite happened. While Bourdain was never the best chef - he understood food and passion for food. That good cooking actually was an expression of culture that could be portable even as people immigrated from one land to another. That the real sign of a good cook wasn't the ability to fire up a grill and cook a good steak - that's easy. The real trick is to take the parts that aren't so good (aka "The Nasty Bits") and turn it into something not only edible - but awesome.

I now view Zed's post as his version of Kitchen Confidential. Yes - it's crass. And no it's not for everyone. But he's being honest and it has re-opened discussions that probably should have happened before.

• Like - is RoR really about Ruby or is it really more about that we need to simplify some tasks in Java.
• How to be better prepared if you take on a consulting gig
• How programmers are NOT cogs. You can't just rip one developer out with another and necessarily expect the same productivity

We have released a new paper on SOA Security on OTN.

It's a pretty good introduction to the multiple pieces required to consider in your SOA infrastructure.

As many of you know - a British Airways flight had a recent hard landing (I know some will say "crash" but I go by the axiom if you can walk away it's a landing :)) at Heathrow. I don't have any identity spin on this - but since I fly quite a bit - thought I'd write something on it.

I'm sure it was scary as hell.

But what sticks in my mind (in particular after watching "We Are Marshall" this morning - FYI this goes on the list with "Brian's Song" & "Big Fish" as movies "OK for men to cry while watching") - is that this is like the 3rd major incident in like 5 years and nobody has died.

I'm very, very amazed by modern air travel. Yes - it does suck on many levels (I'll be reminded again Monday morning as I'm crammed into an AA MD-80 on route from DFW to SFO just how much). But to have a behemoth like a 777 come down and effectively crash & everyone lives.

Well that is pretty amazing.

That's what good engineering, good procedures and lots of practice to prepare will do for you.

Though a happier thought - the new biz-class seats on AA 757/767 are awesome. Near full recline without crunching the person behind you. A large table area so you can put your laptop up comfortably. Every seat has power. I've joked with my boss that I can think of biz-trips where I've have less work-space.

I 've scored these seats twice in route back home from SFO. I now try to sched my return trips so that I'm catching the first leg of an international flight early in the morning.

I also think that this really should be mandatory seating for biz related Intl trips. Yes, I know the immediate cash cost will be higher but I think can be offset by productivity boost from these seats. Not just because possible could actually do some work on the flight but ability to get rest on the flight to battle jet lag. Perhaps wishful thinking...