The Black Book of Identity Access Mgmt
    Wednesday, Jul 21, 2010

    I'm there, but there's no THERE there

    This past week, I flew out to Boston for a manager’s meeting. I stayed in the south end of town at my usual hotel chain, normally a very good one.

    The elevator to the fourth floor took WAY too long, and then when I finally got there, my key card didn’t open the door. So I waited for the next elevator down to the lobby, got another set of keys, and went back up. And then when I finally got into my room, it was 82 degrees in there, with no working A/C. So down I went yet again, to get a different room, and the manager acted like he was doing me a favor. One more tidbit: the previous week I stayed in another property of the same chain, and awoke at 5 am to a leaky ceiling in the middle of a thunderstorm. These guys don’t like me lately.

    From there I walked to an Italian chain restaurant. The bartender spoke little English, which made ordering very difficult. Could not get him to understand that I wanted “NO OLIVES” anywhere near my martini. Then he brought me a salad instead of the minestrone soup I ordered, and at the end, he mucked up my bill.

    In the end, I got a room and a meal, but both providers did a lousy job, and my overall experience was not a good one.

    An old boss of mine named Ralph used to always say, it’s not just what you do, but how you do it. So I look at it as, in the contract between provider and user, both parties have to be happy if the relationship is to continue. This means avoiding some of the stuff I’ve run into the last few years when reviewing customer IdM deployments:

    1) Don’t evaluate so many policies during the auth process that it takes over a minute to log in.

    2) Don’t protect against SQL injection attacks by disallowing all special characters, thereby thwarting strong password policies.

    3) If you’re going to prompt for multi-factors, don’t spread them over several screens, ensuring that it will take a boatload of time to authenticate. Just the screen-painting alone can eat up lots of cycles.

    4) Make use of cached policies so that any requests subsequent to authentication don’t take any more time than necessary.

    5) Don’t put in a provisioning process that includes so many manual (i.e. non-automated) steps that you’ve pretty much wasted your time and money. If all your provisioning workflow does is notify approvers to manually create accounts, then you don’t really have a provisioning system. It’s like putting stuff in the back of your pickup truck for delivery, then pushing the sucker around instead of driving it.

    6) Single sign-on should also include a global password policy, so users don’t have to remember and reset multiple passwords.

    7) If your system admin is really ugly, put a bag over his head.

    It’s not enough to put a system in place. Don’t just serve up a room and a meal. Make it a pleasant experience so that the system gets ADOPTED.  

     

     


    Reader Comments (1)

    Cool. You written any other books / whitepapers?

    December 19, 2011 | Unregistered Commenter Phil
