The Black Book of Identity Access Mgmt
    Monday, Aug 09 2010

    No shirt, no shoes, no session

    Customer service is a thing of the past. Quality is out the window. It’s garbage in, garbage out. You pay for this, I give you that. You’re not a valued client, you’re a task to be completed as effortlessly as possible.

    On a recent trip to Boston, I stayed at a joint in the south part of town. Upon my arrival, I had to wait while the two kids behind the desk finished their pointless conversation so one of them could check me in. Then I had to wait a ridiculous amount of time for the elevator. Once on the fourth floor, I found that my electronic keys didn’t work, either one of them. So I waited once again for the elevator, waited in line again, and said, gimme new keys. I got back up there, and once in the room, I found that hot air was pouring out of the air conditioner, and it was ninety-five outside.

    So BACK down to the lobby. I said, I need a room, working keys, and A/C. The manager acted like I was putting him out. He got me keys for another room. I grabbed the business card from the desk and said, if there's another problem, I’m calling from up there. More than twenty minutes after I’d arrived, I was finally in a proper room.

    And the evening just got better. I didn’t have a rental car, and there wasn’t much to walk to for dinner besides two chain restaurants. I picked the closest one. It’s a household name, they advertise on TV. Instead of waiting for a table, I decided to eat at the bar. The bartender barely spoke English. I explained very carefully, Grey Goose martini, straight up, NO OLIVES. I hate olives. He asked me anyway, “How many olives do you want?”

    “NONE,” I said. “NO olives.”

    Okay, he got it that time, although just before he served it to me, he asked me if I wanted it “dirty,” meaning with olive juice. “No, I hate olives. HATE. HATE. Tell me where you're from, I'll google the word for HATE."

    I'm not a xenophobe. I'm very well-traveled. But I usually only do business in one language when I'm in Boston.

    Instead of the minestrone soup I asked for, he brought me a salad. A little later, I had to stand up in my stool and wave my arms to get my check, because he was too busy schmoozing.

    The manager asked me about my experience as I was leaving. I told him the truth. He said he was sorry, but I should be sure to come back next time, as they were always improving their service. Uh-huh.

    So consider this. Make your system customer-friendly. If your customers are internal employees or contractors, same deal. Sure, they’re a captive audience, but you WANT your users interacting. If they use a system that stinks, they won’t return, or else they will find workarounds, and this often means that vital information doesn’t get captured. I worked for a place that made stupid customizations to their Salesforce screens, to the point where nobody wanted to use the system, and people started collaborating offline, using different shared folders or even email, which defeated the entire purpose.

    As I cover in the book, I worked with a partner who once customized a customer's authorization process so heavily, it took 45 seconds to log in.

    During initial testing of the Oracle identity suite 11g, the customer feedback wasn’t the most wonderful (and getting real customers to beat your stuff up takes some guts and planning, BTW). “It takes too many mouse clicks to get where I’m going,” was a common comment. “Too many steps to provision somebody.” Well, they took all that feedback, from customers and field ops guys and consultants, and they rewrote a good chunk of the GUI before it went into production.

    I love Marriotts. I stay at them all the time. And for a long time, I hated calling their elite line, because I’d punch in all the identifying info in advance, and then when I finally got a person on the line, they’d ask me all that crap a second time, making me wonder why I wasted my &$^#%# time keying it all in. I complained about it, as did many others, and now once you’ve punched in your Marriott id, the person you’re connected to knows everything she (and it’s always a she) needs to know. They take your session and treat it like it's a baby.

    Use a natural functional flow, sensible password policies, easy to understand help screens. When you own a piece of somebody’s id, make it look like you care. They’ll get more out of it, and you’ll get more out of THEM. In the modern, impersonal era of menu-driven EVERYTHING, your system is a stand-in, a proxy for a human voice. Make that system reflect your organization’s values, which should be customer service with a smile, lest you end up with no customers.


    Thursday, Aug 05 2010

    Security ain't for dummies

    My wife’s a math teacher. So years ago, she got REALLY REALLY freaking upset when they put out a Barbie doll that, when her string was pulled, uttered the words, “Math is hard.” At the time, my woman said, “Only a MAN could have designed such a stupid thing.” I wanted to reply, “Only a man could have given you children, or bought you a pizza last night,” but I wisely kept my mouth shut.

    But, y’know, there are people who make that Barbie sound smart. In the not too distant past, I received an email from a customer who sent me a capture of a screen that my company’s product had generated, asking him to reset his password. He wanted to know why it was doing that. I explained to him, “This is what we in the security market call a security feature.” His password was ninety days old, and the system was asking him to change it.

    He asked why we only kept passwords around for three months. I explained, our product only enforces the policies that your administrators come up with. Our product could use the same passwords indefinitely, but that’s not a good idea. In the meantime, I said he should take the matter up with his own admins.

    He went on to complain that this was an inconvenience. Yes, yes, I wanted to tell him, you have to invent a new, strong password, with upper and lower case, digits and special characters, once every three months. In fact, now that you’ve done it, the next three-month clock is ticking, so you’d better start thinking of the next one. Do you have any kids? Maybe they can help you. Or wait, let me suggest one that incorporates all those strong password requirements. Try this one: B0nehe@d. That second character is a zero, so we’ve covered all the necessary bits.

    This same customer, by the way, had previously asked why approvals were necessary. If we were enforcing role-based provisioning, we should be able to automatically decide who could or couldn’t get access to a given system. Once again, I explained that these were his company’s policies, and that our tool was simply helping them enforce those policies. We’re the toolset, not the carpenter. I also gave him examples of where human eyeballs on an access request were a good thing.

    Security dictates that you compile a number of ingredients: defined requirements, the policies to fulfill those requirements, the tools to execute and enforce those policies, and the willpower and the BRAINS to choose the tools and use them wisely.

    Math is hard.


    Friday, Jul 30 2010

    Shameless plug: the IAM book is out!!!

    My dad told me once, you know you're really living on your own when you have to buy your own toilet paper. You're not just crashing with somebody else, you're actually responsible for your own well-being, and having to take care of things you never thought of before. Like toilet paper. Milk. Gas bill.

    So I guess this is where I'm at now in my chosen niche of the market, security. I've got a book out. "Designing an IAM Framework with the Oracle Identity and Access Management Suite."

    I wanted to add about nine more words to the title, just to be annoying, but they use a special ink for the covers, made from the bean of a plant that only grows on one hillside in the Brazilian rainforest. In fact, at one point, McGraw-Hill wanted to just call the book "Bob" in order to cut costs.

    I've been in security since the mid-90's or so, with identity and access taking up the bulk of that time. Prior to that, I was in database, development tools, pure development, and bare knuckle fighting to help pay for college. In fact, software sales feels a lot like bare knuckle fighting, although I've never been a pure salesguy. I've always stayed on the engineering side of it.

    I wrote the book because of the years of experience I had in the field, and I was bursting with stories about how to build an identity framework correctly, and how to do it WRONG. I have seen customers, services guys, and partners do it WRONG, despite all the best advice in the world. And that's too bad, because when it's done right, it can last for years, and make everybody happy. That's why I wrote the little ditty, Ten Ways to Screw Up an IAM Project.

    By the way, I like to think of any kind of framework just like the offensive line on an NFL team. Nobody notices when you block the linebackers play after play. They just notice the one play where you allow your quarterback to get sacked. All it takes is a single breach, and all your hard work, all the times you kept somebody from exercising improper access or assuming another user's identity are forgotten. It's got to be tight. Oh, and compliant. Auditors are either chewing at your shorts right now, or they will be. Even universities, not typically publicly-traded entities, are assuming that Sarbanes-Oxley is in their future.

    The book details not just the design of the system, but all the stuff that comes before it, and all the stuff that comes after. You have to build the business case, for the need and the funding and the resources. You have to shop for software and help, some of which you may already have internally. THEN comes the design, and the building, and the testing and the maintenance. There is a lot to it, with plenty of moving pieces. I hope I've come relatively close to catching all the pertinent subjects surrounding identity and access management.

    Otherwise, watch for my next book, "Sculpting Action Figures from Lunchmeat For Dummies."


    Tuesday, Jul 27 2010

    To heck with Microsoft, be what's NOW

    We have to be very, very careful in our house about what we say. Anything, any random phrase that reminds my wife of a commercial jingle will set her off SINGING that jingle. If it’s lunchtime and we pull out the baloney, she starts crooning the Oscar Mayer song. If we drive past a Burger King, I’m treated to “Hold the pickle, hold the lettuce.”

    The problem is that my wife, lovely as she is, sings like a wounded wildebeest. Whenever she breaks into song, the cows stop giving milk, the chickens stop laying eggs, and somewhere at NORAD an alarm starts going off. So marketing slogans are right out, in our household.

    The last time Microsoft had anything catchy going in marketing, it involved a Rolling Stones song that I’m still not allowed to play in the house when the kids are home, because of one dirty line near the very end. But they’re trying again, this time with the tagline, “Be what’s next.”

    Microsoft has a lot of good products. I’m not sure if one of them is Windows, which is why SO many of my colleagues, who are provided laptops by employers, put out their own money to buy Macs for work. Windows may be easy to work on, but it’s also easier for hackers and other folks to turn into a pile of doo-doo. Like I always say, you don’t ever really own a Windows box, you’re just sort of borrowing it, because no matter what you want it to do, it’s going to do whatever it feels like anyway.

    “Be what’s next” is kinda funny, since when it comes to identity, “what’s next” for MS is a reconfig of “what’s old.” They took a bunch of stuff they had lying around, glued it all together, and called it something new, namely “Forefront.” It’s still AD, Sharepoint, and some bits and pieces, along with third-party components. What’s new here is the packaging, and the supposed integrations. Sharepoint still scares me, because it’s notoriously unsafe, and lends itself to silo security policies maintained by whoever decided to toss up a site and publish docs on it.

    One more little thing about being “what’s next.” And that’s sweating the cutting edge. The Next Big Thing is great for no-risk ventures like entertainment software, or various skunkworks projects. But when it comes to identity, in which you are being trusted with digital assets, the most precious of which is private information, you can’t afford to be cutting edge. You need tried and true, battle-tested stuff. You can’t afford to be the first kid on the block with the new bike; you need to get the bike that you know the chain won’t slip on, where the seat won’t fall off. Best of breed solutions are called just that because they’ve survived.

    Sorry for the rant, but I’m starting to wonder why anybody would trust their enterprise identity structure to a company that can’t even safely or satisfactorily run a desktop.


    Wednesday, Jul 21 2010

    I'm there, but there's no THERE there

    This past week, I flew out to Boston for a manager’s meeting. I stayed in the south end of town at my usual hotel chain, normally a very good one.

    The elevator to the fourth floor took WAY too long, and then when I finally got there, my key card didn’t open the door. So I waited for the next elevator down to the lobby, got another set of keys, and went back up. And then when I finally got into my room, it was 82 degrees in there, with no working A/C. So down I went yet again, to get a different room, and the manager acted like he was doing me a favor. One more tidbit: the previous week I stayed in another property of the same chain, and awoke at 5 am to a leaky ceiling in the middle of a thunderstorm. These guys don’t like me lately.

    From there I walked to an Italian chain restaurant. The bartender spoke little English, which made ordering very difficult. Could not get him to understand that I wanted “NO OLIVES” anywhere near my martini. Then he brought me a salad instead of the minestrone soup I ordered, and at the end, he mucked up my bill.

    In the end result, I got a room and a meal, but both providers did a lousy job, and my overall experience was not a good one.

    An old boss of mine named Ralph used to always say, it’s not just what you do, but how you do it. So I look at it as, in the contract between provider and user, both parties have to be happy if the relationship is to continue. This means avoiding some of the stuff I’ve run into the last few years when reviewing customer IdM deployments:

    1) Don’t evaluate so many policies during the auth process that it takes over a minute to log in.

    2) Don’t protect against SQL injection attacks by disallowing all special characters, thereby thwarting strong password policies.

    3) If you’re going to prompt for multiple factors, don’t spread them over several screens, ensuring that it will take a boatload of time to authenticate. Just the screen-painting alone can eat up lots of cycles.

    4) Make use of cached policies so that any requests subsequent to authentication don’t take any more time than necessary.

    5) Don’t put in a provisioning process that includes so many manual (i.e. non-automated) steps that you’ve pretty much wasted your time and money. If all your provisioning workflow does is notify approvers to manually create accounts, then you don’t really have a provisioning system. It’s like putting stuff in the back of your pickup truck for delivery, then pushing the sucker around instead of driving it.

    6) Single sign-on should also include a global password policy, so users don’t have to remember and reset multiple passwords.

    7) If your system admin is really ugly, put a bag over his head.
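    Item 2 above and the complexity rule described in the “Security ain't for dummies” post (upper and lower case, digits, special characters) fit together in one added example; this is not code from the blog or from any product it mentions. The policy check requires special characters, and the user lookup passes them to the database as bound parameters, so nothing has to be stripped to keep SQL injection out. The 8-character minimum, the in-memory SQLite store, PBKDF2 and the user names are constructed assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed policy: at least 8 characters with upper, lower, digit and special character.
SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>?/\\|`~")

def meets_policy(pw: str) -> bool:
    """Complexity rule as the post describes it: upper and lower case, digits, specials."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIAL for c in pw))

def _derive(pw: str, salt: bytes) -> bytes:
    # Only a salted PBKDF2 hash is stored; the clear password never touches the database.
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")  # constructed in-memory user store
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def register(db: sqlite3.Connection, name: str, pw: str) -> None:
    if not meets_policy(pw):
        raise ValueError("password does not meet policy")
    salt = os.urandom(16)
    # Bound parameters: quotes or other specials in name or password are data, not SQL.
    db.execute("INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)",
               (name, salt, _derive(pw, salt)))

def verify(db: sqlite3.Connection, name: str, pw: str) -> bool:
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None and hmac.compare_digest(_derive(pw, row[0]), row[1])

def demo() -> dict:
    db = open_db()
    register(db, "bob", "B0nehe@d")         # the post's example: meets the letter of the rule
    register(db, "alice", "O'Br!en-2010")   # apostrophe and punctuation need no stripping
    return {
        "weak_rejected": not meets_policy("bonehead"),
        "bob_ok": verify(db, "bob", "B0nehe@d"),
        "alice_ok": verify(db, "alice", "O'Br!en-2010"),
        "quoted_name_harmless": not verify(db, "bob' OR '1'='1", "B0nehe@d"),
    }
```

    The last entry shows that a quote in the submitted user name simply fails to match a row; with bound parameters it is never interpreted as SQL, so the password policy can demand such characters freely.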

    It’s not enough to put a system in place. Don’t just serve up a room and a meal. Make it a pleasant experience so that the system gets ADOPTED.