Mike Neuenschwander - Why the Future of IDM Still Needs Us


Keynote at the European Identity & Cloud Conference 2014

May 13-16, 2014 at Munich, Germany

We're going to kick off now. It's my pleasure to introduce to you now Mike Neuenschwander. I've known Mike for quite a few years, and if you supply me liberally with beer, I'll be prepared to tell all of the stories that he would like not to be revealed about him any time after the session today, so please stop by. Mike's gonna talk to us about why the future of IDM still needs us. And Mike, I'm a little concerned: is this like an indication of progressive old age that, you know, at some point you feel the need for, you know, ratification that we still need you here? Yeah. Why don't you come on up and kick off. Give Mike a hand.
Thank you. That was really heartfelt and very warming. I'm gonna use this, I think. Is this on? Oh, good. Okay. So it's true, a lot of us that have been in the industry a few years are aging, and we thought about retiring this year. Right. But it turns out that we're back for another year. I need the clicker. Okay. Are the slides up? I get the slides. Okay, there you go. So I've been around the industry a little bit, so I wanted to give you, first of all, an idea of where I am. I was at Oracle most recently, and I see a few of my Oracle colleagues out there, but I also spent some time at Burton Group and at Accenture and, not in that order, at Minecraft and Novell and so on.
So I've been kind of around a little bit. Now, I have known Jurgen Biman for quite a while, who's the group CEO of IC consult, and we decided it might be good to do something and get together in America and start an IC consult group out there as well. So currently I'm running the IC consult group in America, and it's going very well. So that's why I have a different logo here. First of all, I probably don't need to tell everybody, but let's just review briefly that, you know, times have changed a little bit with identity management. Back in the day, when we started this thing, you'd have an administrator, and we would develop some product for that person that had lots of windows and really obscure kinds of instructions.
And that guy loved it, because he was kind of a geek, right? And then there was an HR database somewhere that nobody really knew where, and that database was managed by a person who was not a geek but very helpful and so on, and knew all the HR stuff. And this HR system would sort of emanate data, right? Like, that was nice and clean, and yeah, usually, or eventually, it got clean. Well, kind of. Hopefully these guys are laughing. Anyway, that data of course allowed us to do all kinds of workflow processes. Then we would, you know, basically treat the users like sheep, and all the users in the organization would be comfortably provisioned and set up to do work and so on. So that is essentially the legacy, let's say, of identity management, right.
Today, a lot of the work that we've been doing the last several years is a little different. First of all, there's no administrator, right? There's just not. And there's also no real HR database. In fact, a lot of the HR information may not even be at the company. There's a lot of cloud services where a person might have their identity out on the cloud. And for that reason, the authoritative source of truth about that person is probably not in one convenient place. It's probably in several places, and probably not on premise. Also, we're working now more often with a dev team, a bunch of developers that are basically working on some kind of commercial website. And that website is essentially a cloud service to a number of other clients. You'll notice also that we don't talk anymore in these cheesy little graphics, right?
Like, this is real life now. So it's getting more complicated. Plus, the people have gotten sexier. Now we have a bunch of people that we're working with that actually have real jobs and businesses and stuff that they run, and they have a lot of different things that they're working on. A lot of their workforce is very diverse. And so for those reasons, the nature of identity management, logging into things, getting sign-on and so on, even though it's a similar problem, is very much a different activity. As a case study, we're working in America now with a company that's a large entertainment portal, and there are just things where we use products that are shipping products, and it becomes very difficult to use these products in sort of the new way, let's say. For example, this company needs to do things around account creation flows.
Well, as I said, there's no HR database, right? If you have 2000 venues that basically need to create accounts for each of their employees, well, you don't really have a centralized HR in that case. In fact, these are business partners, and each of the business partners that they have is generally too small to have their own HR database. They keep their accounts in the cloud or in a spreadsheet or somewhere. So that's kind of where we start. So we need to do things like vetting somebody through a private email exchange, like you would on a consumer site. We need to do things like device registration on a personal device, rather than having something issued to you. And we need to have a password reset on the site and then have an automatic login.
So the idea is, I reset the password, and then immediately the page refreshes, as it were, and is logged in under the new context. There's a thing we refer to as page two functionality. So if you're using an access product, just after the login or the password reset, there's a place where we need to insert a whole bunch of other processes, webpages essentially. A lot of times they're not even webpages; there's some aspect of a mobile device that we need to work through, you know, take over the process of registering a device, for example. There's also the idea of multiple user types. So a single user could have many different personas. In this case, in the one case they're helping run the business, but in another case they're actually just another consumer.
There's also another use case, of course, where the customer service representative needs to basically see exactly what the customer is seeing, and for that reason needs to sort of log in as the customer and experience exactly what the customer is seeing. There is also a pretty big need for custom UI. And this is true not just for this particular user; this is pretty indicative of the kind of work that we do. The kinds of UI designs and so on that were acceptable in the past, because we relied essentially on a very sophisticated IT user to be looking at them, are no longer the case. Plus, we're running in a cloud, so we need the UIs to work on a lot of different screens for a lot of different people.
And so usually that means that we'll have to customize the user experience in addition to using the product. And that's true even for the customer service reps. Now, it used to be that we would just say, okay, if you're way in the back end answering a phone somewhere in India, who knows where, then it doesn't really matter if the user interface is really ugly, as long as it sort of works. Well, that's not really the case anymore. We need to make much better improvements there. Multi-tenancy is a pretty big deal. In this case, the customer had 2000 business partners that they wanted to have on the site, and each of them needed to have essentially their own space to manage their own employees and their own data and so on. So there's a lot of data firewall needs and data sharing.
And then another one, I put this one in, this is more operational, but the idea is that we need to be able to very frequently, since it's a cloud service, pump out iterations of the identity service very quickly. So we needed to automate essentially the deployment of the system into dozens of environments. All right. So given those requirements, the difficulty a lot of times that we run into is that, well, the existing products by and large are kind of what they were. When you commit to an architecture, that's just kind of what it is. I'm gonna pick on Oracle here a little bit, but this is true about every product that I'm aware of. Once it's built, the engine is sort of designed in a certain way, and it kind of stays that way, by and large. The quote here is from some documentation, by the way. This is a little analyst trick, right?
You don't need to read all of the product documentation. If you really want to know what's going on, you look in the release notes, right? Cuz that's where you have to be brutally honest. In the release notes: oh, don't push that button or else everything will blow up, you know, that's right. Yeah. Guys, Brent will second that, but I did a lot of reading. Don't get me wrong, but it's how I lost my eyesight. It's terrible. Anyway, in this particular documentation, it says here, you'll notice that the schema description in the Oracle OIM product is still called the Xellerate type equals user. So Xellerate is an artifact essentially from the product that Oracle acquired, the Thor product, way back in the day. So you might change the UI to say Oracle on it, but deep in the guts of this thing, it's still Thor, right?
Because it's got all the schema in there and everything. So it's very difficult to change the architecture of a product once it's sort of set, right? So this is true by and large of the products that are out there. And so the standards, of course, continue to evolve; the scale and performance and so on requirements keep getting higher and higher and higher. You get to a point where you have to start wondering, then, is identity management, are the products that are out there, kind of out of their league? Right? So if this child represents kind of where we were with the first iteration, let's call it, of identity management solutions, have we come to this point where we have to sort of give up on the existing product architecture?
So that question, I think, was posed in a slightly different way by Ian Glazer, who's gonna be speaking to us a little bit later, about whether we need to kill IDM and that sort of thing. Maybe, I don't know, but I wanna give you my perspective on that, given that we've seen at IC consult, and through my career, a lot of these requirements coming. There is such a thing as an annihilation fantasy. If you've seen that movie, Moses... no, what is it, Noah? I'm sorry. Why does everybody get Moses and Noah confused? You did that to me. Yeah. That's this idea of, like, maybe this whole world would be better if none of us were here. So maybe I'm not the one to forward that argument, though. Bill Joy wrote an article about that in Wired where he said, basically, why the future doesn't need us.
And weirdly then stepped off; apparently he took his own words correctly, cause I haven't really seen Bill Joy around recently. Is he around? I don't know. Haven't seen him. I guess we don't need him. That's horrible to say, but hey, whatever, you put it out there. Okay. So, alright. Let me give you a little bit of a metaphor. At this conference historically we've talked a lot about movies and stuff like that, so I thought maybe I'd give you an idea. There's this place in Nevada called Reno. Has anybody been to Reno? Yeah. Okay. Well, for everybody but the three that raised your hands, you probably don't need to go there. Okay. Anyway, it's in Nevada, and Nevada of course is famous for Las Vegas, which is nowhere near Reno.
Okay. And by the way, I didn't color this map in any way. This is a satellite picture. That's what Nevada looks like. And everything else around it is green. It's true. Right. So the thing is, Reno is this weird little place in Nevada. And you'll notice that we didn't put IC consult there. We're based in Salt Lake City. That's where I'm from. And it's nice. But basically, the sheriff's department in Reno, they've done this little documentary on... well, in full disclosure, it's not really a documentary, but it may as well be. There's this TV show called Reno 911. And the Reno sheriff's department of course is depicted in this to be, you know, very, well, very crazy, basically inept. Right. So, but the thing is that, you know, this is how the Reno sheriff's department sees themselves.
They're really more like this, you know, and not very good at their jobs. And so what happens is, through the first couple of seasons, they proceed to basically do all kinds of crazy things on camera, and it results in them all getting fired. So they get completely wiped out. The state comes in and shuts 'em down and fires this whole team. Okay. And then they bring in the new recruits, and weirdly, literally each character in the previous show is replaced by someone who looks almost like them, but much sexier. So these are the new sheriffs in town. Well, it turns out that this group is horrible at managing Reno, because Reno is a crazy place and these people can't deal with it. And so they start shooting people and the like.
And at some point they commit so much crime themselves that they basically go get the previous team and put them back in place. Right. Well, you know, I think that... and for those of you that haven't seen that, by the way, I have it on my iPad. You can come watch Reno 911 with me later, if you'd like. It's really funny. Okay, I think it's funny. Maybe you don't like the same things, but I do. But I think that this offers a nice little parable for identity management, which is that there is this inclination to sort of say, you know, why don't we just run the sheriff outta town and get a new one? Right. But the people of Reno, as I mentioned, at least the fake Reno that we're seeing here, are in a way very unruly.
They don't necessarily put up with real police work, and they can't be policed. So it's kind of like the user population out there on the internet. Also, the decision to replace the police force was largely politically motivated and had nothing to do with the actual performance of this team. And I often see this happen at customers, where there's some business decision that, for whatever reason, they say, you know what, we're gonna go pull this product out and we're gonna put a new one in, and things are gonna be great, and they try to sell you on it and so on. But the thing is, even if you were to wipe out all of the identity management products as they exist today, and then start over with a whole new bunch of products, well, there's a couple of problems.
All the same people are just gonna... we're gonna try to be a little bit sexier about it, but basically we're gonna fall into the same trap. We're gonna get the same kind of people back here to recode it. We're gonna take the same approaches to the problem. And that's partly because that's the right approach. So, you know, I think that's another interesting angle on it. The replacements, as I mentioned, are also not all that mature when it comes to fighting crime, in this case, and so they don't handle it very well. And I think it's important to understand that when you have a new product on the market, you didn't necessarily think through all the use cases. And so for that reason, you end up looking like you don't really have your stuff together.
Right? So I think a better metaphor out of the West is from an area where I live, which is some of the national parks in Southern Utah, and maybe even the Grand Canyon, if you wanna include Arizona. But basically you see essentially a natural architecture evolving in this landscape, because this is many, many years of things going on, pressures being placed on various layers, and there's a lot of geological interaction going on here. If you think about starting over, it's really more of a romantic ideal than a practical notion. The idea is, and here's the problem, you have so many layers. A product itself, if you think about what a product is, it's only the first, sort of beginning, stage of something that is going to become a very long process.
It would be at the bottom, essentially, of the Grand Canyon, the bottom layer kind of thing. And then after you get developers who build a product, then come integrators and so on, then IT departments; everybody brings and deposits something that is important for the development of your identity program. Okay. And then while that happens, there's lots of other forces, like deployment needs, trends and standards and other sorts of things, that essentially whittle away at the chaff, at the things that are unneeded, that create these natural architectural shapes. And I think in many cases the thing that a developer is interested in doing, and the motivations behind being a developer and creating software, are oftentimes somewhat at odds with what the customers are actually trying to do.
So there will always be some kind of fault line there. And this is really an important interaction, because over time, essentially what happens is code does get better. And even if it seems weird to you, and even if it's crazy, it actually has a real reason. So my quote here, as I've altered it a little bit, is to say that no code really survives contact with the customer. Okay. So shipping products, I don't believe, will ever meet the contemporary needs of a client. You can see here, this guy is an artist apparently, and he is taking garbage and basically putting together a picture.
And you can make art from all kinds of crazy things, right? And so you don't necessarily need fantastic materials in order to put together some kind of interesting piece of work. Okay. So at IC consult, we've helped companies solve their immediate problems and even some of their future problems using the existing technologies. And we've done things like multi-tenant LDAP designs to support one of the clients I mentioned earlier; this idea of progressive profile creation, where instead of getting a single feed out of an HR system, we start with just an email address, and that's enough to create an account. And then as the interaction with that person continues to need greater security, we continue to create a bigger profile, and in some cases a more validated profile. And for that reason, we can use it for higher security operations.
Also things like automated tested production capabilities. So in summary, for identity products, I think that creative and destructive processes are continually going on. There's always layering happening with existing technology, but then there are also forces that push it into a different space. And so starting over completely rarely, in my opinion, saves time or effort. And that's true whether you're completely starting over as a vendor with a new product, or if you are a client or an integrator or, excuse me, an IT shop completely replacing products. And so I think that to use the technologies available is really the best bet, if you can use them to the best of their abilities. Okay. So with that, well, thank you for listening, and that's the end of the presentation. Thank you.
So, Mike, I only have one question: was that all summarized by the statement that I created really lousy products and you're never gonna do better than what I screwed up? Yeah. That's it. Thank you. That was like a softball. Ask me something hard. Okay. I think we're good. So thanks, Mike, always entertaining, and actually some very pivotal comments there.