Leading in a new IT environment

1
Leading in a new IT environment
Old saws and new technologies

2
Disclaimers
  • The abstract and the talk
  • The ambiguity of the title
  • The work of many, many others
  • and my good seat in the house

3
About the title, and our topics today
  • Leading in a new IT environment
  • A bit player in some very fine plays
  • A few frontiers from the past 25 years
  • Some new frontiers for the next several years
  • Leading, in a new IT environment
  • The challenges for IT leaders in the new
    frontiers
  • Some trusty old saws
  • A few potentially useful new saws

4
Leading in a new IT environment: A few
frontiers from the last 25 years
  • The changing form and face of computing
  • Making the Internet market
  • The rise of the middle layer

5
The changing form and face of computing
  • Technical
  • The move from mainframe to mini to micro to LAN
    to client server to grid to mobile device to
  • The move from pocket-protected user to pocket pc
    user
  • With each technical shift so shift the politics
  • The role of the central IT organization
  • Much of the economics
  • The policy needs

6
What we were leading in then
  • IT as services, not as cycles
  • Having the mainframe was not a blessing
  • The network as the driver
  • A shift in the funding model
  • And the rise of the have-nots
  • And the loss of a commons
  • And the banner message of the day

7
Making the Internet market
  • The late sixties and seventies established the
    core TCP/IP technologies and value to the CS
    community
  • The eighties made a mass market of technology,
    applications and content
  • The nineties created business plans and businesses

8
What we were leading in then
  • A fundamental new infrastructure, with business
    models (occasionally) and large scale industry
  • A lack of governance structure, with an array of
    processes that lurch forward
  • A distributed, non-hierarchical information space
  • A seismic shift from local to global thinking

9
The recent rise of the Middle layer
  • Building campus/enterprise core middleware
    infrastructure that
  • Serves the overall enterprise IT environment
  • Is designed from the start to support the
    research and instructional missions - Implies
    consistent approaches and common practices across
    campuses and internationally
  • Basic elements include identity management,
    directories, group and privilege management,
    workflow, authority trees, etc
  • Application developers are now interested in
    outsourcing core needs to a middleware
    infrastructure

10
The rise of federations
  • Federations offer a flexible and largely scalable
    privacy preserving identity management
    infrastructure
  • Federations are occurring broadly, and
    internationally, to support inter-institutional
    and external partner collaborations
  • They provide a powerful leverage of campus
    credentials
  • Federations are learning to peer
  • Internal federations are also proving quite useful

11
Leading in a New IT Environment: Some
Frontiers for the Next Several Years
  • Integrating Internet Identity
  • Trust Fabrics and Virtual Organizations
  • Authorization and the Attribute Ecosystem
  • Plumbing the applications
  • The rise of the collaboration layer

12
Types of Internet identity
  • Federated
  • Inter and intra enterprise, bi-lateral or
    multi-lateral
  • In academic settings, privacy preserving
    capabilities and international use are helpful
  • Often is role and entitlement oriented
  • P2P
  • Originally PGP
  • Now InfoCard, OpenID, etc.
  • May be coupled with reputation systems for trust
  • (Global may still happen)

13
Identity integration goals
  • First, of federated and p2p identity
  • Many levels of integration: tokens, GUI, privacy
    management paradigm, trust fabrics
  • Then, of identity and privilege management
  • Assignment and management of permissions to users
    by those with authority to grant such access
  • Addresses the static aspects of the authorization
    space, with audit, delegation, prerequisites,
    etc.
  • Permissions can be enterprise or virtual
    organization

14
Trust fabrics
  • Federations themselves are still very early
  • Climbing the LOA curve
  • Business models are ripe with possibilities and
    uncertainties
  • Interfederation: Peering, Leveraged,
    Confederation, Intersecting
  • Reputation systems integration into federated
    trust.

15
Of Federations and Virtual Organizations
  • Federations provide general trust fabrics for use
    by many users accessing a variety of resources
  • Specific collaborations among small subsets of
    users, typically a science experiment or a
    research community, are VOs.
  • The intent is to leverage peered federations to
    support the identity management needs of virtual
    organizations, for both general collaboration and
    the domain science software/systems.
  • International aspects of many VOs drive peering
    of federations
  • Note that VOs can build across P2P trust

16
Peering
  • Parameters
  • LOA
  • Attribute mapping
  • Legal structures
  • Liability
  • Adjudication
  • Metadata
  • VO Support
  • Economics
  • Privacy

17
VOs plumbed to federations

18
Authorization and the Attribute Ecosystem
  • The movement of attributes, entitlements,
    privileges, etc from sources of authority to
    identity providers, service providers, middlemen
    (portals, gateways, proxies, etc.)
  • Includes account linking, the IEEE problem,
    provisioning and deprovisioning, etc.
  • Can be compile time or run time movement
  • Needs protocols, audit and diagnostics, etc.
  • The ecosystem needs to deliver its services in a
    trustworthy manner; some fabric is required

19
Real life in the attribute ecosystem
[Diagram labels: Source of Authority (repeated), Application access controls (including network devices), Portal, IdP, Gateway, Shib, Proxy, User, p2p]

20
Plumbing the applications
  • Many applications need identity management and
    access controls
  • There are degrees of plumbing.
  • The minimum is some type of federated identity or
    use of a standard P2P, along with privacy
    management
  • Even better would be use of enterprise services
    for group and privilege management, workflow,
    diagnostics, etc.
  • It's not just about plumbing; it's about user
    conceptual models
  • Other consistencies are also desirable: metadata
    tagging, searching, etc.

21
The rise of the collaboration layer
  • An over-abundance of tools that, with careful
    integration, provide rich and growing
    collaboration capabilities
  • No uber-app: too restrictive of invention and
    community
  • Collaboration across virtual organizations,
    social networks, P2P
  • Asynchronous - wikis, flickr, del.icio.us,
    webdav, etc.
  • Synchronous - IM, IP audioconferencing, IP
    videoconferencing, etc
  • All need some plumbing - identity management and
    access controls

22
The rise of the collaboration layer plumbing
  • Middleware enabling lots of collaboration
    applications: common management of identity,
    access controls, permissions, etc.
  • Asynch
  • Fine-grain wikis
  • Identity based spaces.internet2.edu
  • Attribute-based wikis members of the
    community discussions
  • Web-accessed shared file stores
  • Collaboratively visible calendaring
  • Real time tools
  • Federated IM: use your local login for external
    IM use
  • An IM channel for a VO embedded in a campus
    portal
  • Integrate privacy and authority management into
    tools

23
Leading, in a new IT environment
  • The new frontier challenges for IT leaders
  • Some trusty old saws
  • A few potentially useful new saws

24
Challenges for IT Leaders - I
  • Providing consistent user experiences
  • The appearance of the collaboration layer
  • User-centric SOA
  • The policies of the collaboration layer
  • The politics of presence
  • The complex nature of privacy

25
Consistent dimensions of user experience
  • User-centric SOA: take common activities out of
    individual applications; maintain a core set of
    IdM services for use across applications
  • Identity and Privacy Management, including trust
    and reputation mechanisms
  • Group and Privilege Management
  • DRM on a wide variety of digital objects, with
    rich controls
  • Metadata tagging
  • Search on metadata
  • Network layer management issues

26
The politics of presence
  • Who owns the knowledge of your location: the
    appliance, the service provider, the enterprise,
    etc.?
  • How can the user manage their presence and who
    has access to it?
  • The doctor in the theater use case
  • Presence logs, legal systems, and other devils

27
The complex nature of privacy
  • Shift from "no one knows" to "I control who knows"
  • Most users want the defaults to work
  • International deeply compounds
  • Differing policies
  • A US citizen using a Swiss IdP
  • A roaming network user from Australia in the EU.
  • Legal considerations and log files
  • Paradigm clashes happen, e.g. federated identity
    meets federated search

28
Challenges for IT Leaders - II
  • Normalizing the academy
  • Internal role rationalization
  • Mapping external roles to internal
  • Responding to federation and collaboration
  • Applying identity management up and down the
    stack
  • To roaming network access, firewall
    configuration, log management, etc

29
Normalizing the academy
  • The only thing that scales, for the user and the
    institution, is role based access controls (with
    well-managed exception mechanisms)
  • Not our history or culture
  • No obvious leadership position at most
    institutions
  • Harder still to map external entities to internal
    roles
  • Growing urgency for more defined structure:
    workflow, compliance processes, privilege
    management, federated and virtual use cases
  • What's hard is not the access control policies,
    but assigning roles
  • Old wines in new clear bottles may expose
    floating objects

30
Responding to federation and collaboration
  • Federation policies may place requirements on
    campus processes and procedures
  • Comes with sweet inducements
  • For some subsets of the larger campus, better
    identity proofing, better acts of authentication
  • Campus participation in national and
    international activities
  • Who puts up the EU Article Privacy Directive and
    when?
  • Brokering for collaboration and the attribute
    yentah
  • Installing VO schema in enterprise services

31
Applying IdM Up and Down the Stack
  • Using enterprise identity management
  • To provide eduRoam services
  • Trust based transparency and firewall management
  • Scanning rules
  • At the application layer
  • What applications must use enterprise IdM
  • What applications can not use enterprise IdM

32
Some Trusty Old Saws

33
Some trusty old saws
  • Be conservative in the data you send, be liberal
    in the data you accept
  • There is no problem in computer science that
    cannot be solved with another level of indirection,
    except the problem of indirection complexity
  • Expect the unexpected use
  • Disruptive technologies usually change the
    economics
  • There is a time for hierarchy, and a time for
    peering

34
A few other old saws
  • Without end to end transparency, innovation is
    limited and generally twisted
  • Duct tape inside software tends to hold forever
  • The sooner you start, the longer it takes
  • Try doing it with the engine running
  • Perfection is achieved, not when there is nothing
    more to add, but when there is nothing left to
    take away.

35
A few new saws

36
New saws
  • Higher ed is fractal in structure
  • Scaling is always an issue, and scaling changes
    things a lot.
  • The first thing any good new technology does is
    show how bad the existing policies are
  • Complexity is contagious
  • Change only happens where people are experiencing
    pain

37
New saws
  • It is often not about solving the problem; many
    problems have approaches at several layers of the
    extended stack. Solving the problem at the right
    level is the trick.
  • The only numbers of importance in computing are
    1, 2 and many - with its meta counting variant:
    1, 2, Schema
  • Any piece of software reflects the organizational
    structure that produced it

38
New saws
  • The first thing one learns from an
    interoperability protocol is all the ways in
    which we can't operationally interoperate.
  • The intersection of privacy and collaboration is
    a tricky spot
  • In theory, there is no difference between theory
    and practice. In practice, there is.
  • Whatever it is that hits the fan will not be
    distributed evenly.

39
Willingness to lead
  • There is only the fight to recover what has been
    lost / And found and lost again and again and now,
    under conditions / That seem unpropitious. But
    perhaps neither gain nor loss. / For us, there is
    only the trying. The rest is not our business.
  • TS Eliot

40
Thanks