
October 30, 2003

Connecting Stateful Session Beans and JSPs

Note: This example has been updated. See this essay on connecting stateful session beans for the most recent description.

In my class on large scale distributed systems, we've been talking about Enterprise JavaBeans. The question at this point (since they're starting on their project) is how to implement a system so that session state is maintained across multiple JSP pages and inside an associated stateful session bean. Since I've not been able to find many great examples that show how to put it all together, I wrote one today and I thought I'd share it here.

Here's the problem set up. You want to create a web application using JSPs and stateful session beans so that a user can browse multiple screens, making selections from each screen and, when finished, use all of that information to perform some calculation. Obviously a shopping cart is a perfect example of this pattern, as are things like selecting classes from a course catalog, reserving seats to a sporting event, and so on. It's easy to see how to implement a stateful session bean (SSB) to do this, but how do you tie the JSP pages to the SSB and maintain context? The answer is a JavaBean on the servlet engine (I call this the ClientBean) that the JSPs can use to maintain their state in between invocations. The ClientBean also maintains the reference to the SSB on the EJB container.

The picture to the right shows the simple example I wrote to illustrate the technique. The example uses XDoclet to deploy on JBoss. The example has four JSP pages. The first one is a form where the user submits an integer. The second is a form where the user submits a second integer. The third is a form where the user submits two more integers. The final JSP displays the sum. The ClientBean creates the SSB in the container and stores a reference to its remote interface when the ClientBean is initialized. Then, as each JSP is loaded and the parameters processed, the accessor functions (setters) in the ClientBean store the form inputs into the SSB. The final JSP calls the process function on the ClientBean, which merely invokes the business logic in the SSB and returns the result.

The SSB in this example is obviously contrived, but it illustrates the idea. In real life, the SSB could be using entity beans to update the database and process complex business logic. Also, it's not always the case that the ClientBean acts so neatly as a mere servlet-side proxy for the SSB in the container; this example is merely meant to display the general technique. The data being passed around in this case is fairly simple (integers). For more complex data, you'd want to use the data transfer object pattern to avoid multiple remote calls.

Note that the overall session state is maintained through the cooperation of multiple entities. The container is keeping the SSB around until it's removed (or times out) because it's declared to be "stateful." The ClientBean is sticking around because it was created in a JSP with its page scope set to "session." Because the ClientBean persists, the reference it holds back to the SSB can be used to keep hold of the state stored there. Each JSP accesses that state through the ClientBean. It's a complex dance, but the end result works.
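The ClientBean side of that dance, as an added sketch that is not the code from the post's own example: it assumes an EJB 2.x stateful session bean with the remote interfaces SumHome and Sum shown here, bound in JNDI under "ejb/Sum", and property names a through d for the four form fields. It also removes the SSB when the HTTP session that owns it ends, so state in the container does not outlive the web session.

```java
// Added illustration of the ClientBean pattern; not the post's own code.
// Assumed: an EJB 2.x stateful session bean exposing SumHome/Sum (below),
// bound in JNDI as "ejb/Sum". One ClientBean instance lives per HTTP session.
//
// Used from each JSP roughly as:
//   <jsp:useBean id="client" class="example.ClientBean" scope="session"/>
//   <jsp:setProperty name="client" property="a" param="a"/>
// and from the last page:  <%= client.process() %>
package example;

import java.io.Serializable;
import java.rmi.RemoteException;
import javax.ejb.CreateException;
import javax.ejb.EJBHome;
import javax.ejb.EJBObject;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

// Remote interfaces of the (assumed) stateful session bean in the EJB container.
interface SumHome extends EJBHome {
    Sum create() throws CreateException, RemoteException;
}

interface Sum extends EJBObject {
    void setA(int a) throws RemoteException;
    void setB(int b) throws RemoteException;
    void setC(int c) throws RemoteException;
    void setD(int d) throws RemoteException;
    int add() throws RemoteException;   // the "business logic"
}

public class ClientBean implements Serializable, HttpSessionBindingListener {
    // Handle to the SSB; transient because a remote stub is not worth serializing
    // with the HTTP session (the SSB has to be re-created after a restart anyway).
    private transient Sum sum;

    // jsp:useBean needs a public no-arg constructor. The SSB is created here,
    // once, when the first JSP puts the ClientBean into the session.
    public ClientBean() {
        try {
            Object ref = new InitialContext().lookup("ejb/Sum");   // assumed JNDI name
            SumHome home = (SumHome) PortableRemoteObject.narrow(ref, SumHome.class);
            sum = home.create();
        } catch (Exception e) {
            throw new IllegalStateException("cannot create stateful session bean: " + e);
        }
    }

    // Setters reached via <jsp:setProperty .../>; the JSP container converts the
    // request parameter to int. Each one just forwards the form input to the SSB.
    public void setA(int a) throws RemoteException { sum.setA(a); }
    public void setB(int b) throws RemoteException { sum.setB(b); }
    public void setC(int c) throws RemoteException { sum.setC(c); }
    public void setD(int d) throws RemoteException { sum.setD(d); }

    // Called by the final JSP; the calculation itself happens in the container.
    public int process() throws RemoteException {
        return sum.add();
    }

    // Because the bean is session scoped, the servlet container calls valueUnbound
    // when the HTTP session is invalidated or times out. Removing the SSB there
    // keeps container-side state from hanging around after the web session is gone.
    public void valueBound(HttpSessionBindingEvent e) { }

    public void valueUnbound(HttpSessionBindingEvent e) {
        try {
            if (sum != null) sum.remove();
        } catch (Exception ignored) {
            // the SSB may already have timed out on the container side
        }
        sum = null;
    }
}
```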

9:55 PM

October 29, 2003

Make Sure You're Playing the Right Game

Chess and poker are perfect analogies for the competing interests in deciding how and where to be transparent. In chess, the state of the game is transparent. Each player can see the current state of the game and plan their strategy, and try to deduce their opponent's strategy, from that state and the actions taken to get there. In poker, the current state is a secret, or at least mostly secret. You can't bluff in chess the way you can in poker.

Most geeks play better chess than poker, metaphorically at least. IETF and other organizations work on the basis of compelling ideas and working code. We like to believe that if everyone just has the right facts, good decisions will follow. I hear variations on this theme whenever I talk to techies about public policy issues.

This is one of the biggest problems I had when I was Utah State CIO: I thought we were playing chess when in fact we were playing poker. It's actually worse than poker; at least in poker, everyone has the same goal. In government everyone has a different goal and their actions often look irrational because you don't understand their motivation. I've spent years studying the actions of some people there and still can't deduce their motive. And yes, I've flat out asked them. They just look all wide-eyed and innocent and say "I have no motives of my own; I just do my job."

In an environment like that, it's difficult to make progress through an appeal to rationality and facts. It's often the bluffing and the behind-the-scenes maneuvering that makes the most difference. The winners frequently have no facts at all. They'd lose a chess game hands down, but they're very good poker players.

4:39 PM

It's Like Windows, But it Sucks Less

Jon Kale has an amusing and interesting post on the first day of Microsoft's PDC. One of the most interesting things is his description of Allchin (MS Group VP for Platforms) editing code live in front of the 7,000-member audience. That's the way it ought to be.

2:25 PM

October 28, 2003

Organizational Blogging

I got an email from Thomas Burg in Austria asking for any hints on introducing blogging to an IT organization. Here's what I told him:

  1. Don't do it if you're not prepared, as an organization, to speak the truth. Blogging promotes, but also requires to some extent, a culture of candor.
  2. Start small.
  3. You need an organizational leader to set an example.
  4. Set up the infrastructure, buy licenses, etc. early and make it easy for people to get started. I bought Radio licenses for everyone. You could choose Movable Type as well, but I think Radio has some definite advantages: (a) it includes the hosting that's outside the organization and (b) it brings a sense of user ownership since it lives on the desktop.
  5. Set a few guidelines (to show you've thought about them) but don't set too many since they will stifle people's creativity.
  6. Create an aggregator that reads the RSS feeds from the various blogs and presents them for people who don't use blogs and aggregators. Point at it and reference it whenever you can to drive traffic to the information in the blogs.
  7. Enable comments to encourage participation through feedback and interaction from those who don't write blogs.
  8. Be prepared for some people to be very threatened and offended when you speak the truth. Be proactive in preparing the people who they'll complain to so that they understand what you're doing and what the goals are.
  9. Pick out two or three people who like to write and give them special encouragement to get their blogs going. Meet with them often and form a "support group" of sorts to get things going.

Not all of these will work for everyone, but the advice is hard won. These are things I did that worked or things I wish I'd done. If you'd like to talk with me about doing this in your particular situation, send me an email, or comment below.

6:18 PM

Serendipitous Flexibility

I got a lesson today in how loose coupling provides flexibility to applications in the face of change. Interestingly enough, I got the lesson from myself. As I've reported, I moved www.windley.com to a new server last Saturday. One of the things on my TODO list was to "fix" my newsletter since I was sure it was broken.

My newsletter is created from a special RSS feed on my blog. I created a category in Radio called "newsletter" and set it up so that it doesn't generate HTML, just RSS. Whenever I write an article on my blog that I want in my newsletter, I just check the "newsletter" category. The newsletter process is run from a cron job three times a week. It parses the RSS and turns it into a nicely formatted text file which automatically gets sent to the mailing list.

I had put "fix newsletter" on my TODO list since I was sure that moving my blog to its new home and leaving the newsletter process on the old server had broken it. Much to my surprise, when I read mail this morning, there was Monday's newsletter. It worked because the newsletter process reads the RSS feed over the network using a URL. It doesn't care where the RSS file lives as long as it can get it over the net.

"So what," you may be saying, "that's how it should work." To which I say, "yes, provided you've done things right." I can just as easily imagine that I would have simply grabbed the file from the file system, since the program and the file it needs were both on the same machine. The result would have been a tight coupling. I called this "serendipitous" flexibility since I can't claim I thought of it ahead of time. It's a perfect, if simple, example of how following some simple guidelines results in more flexibility and agility.

6:08 PM

October 27, 2003

If You're Going to be Naked, You'd Better Be Buff

Regular readers will know that transparency is a favorite topic of mine. One of the chief benefits of eGovernment is transparent access to information about what government does. In an IT organization, transparency makes happy customers: there's no place inside a healthy organization for hiding information about rates, project status, or operational metrics. IT customers should have ready access to all that information. Now, Don Tapscott and David Ticoll have written a book which deals with transparency in the larger organization called The Naked Corporation: How the Age of Transparency Will Revolutionize Business. The book was the subject of a recent article in CIO Insight. Here are a few highlights:

Tapscott says that "it's staggering to think that companies, when it comes to disclosure of various classes of information, pretty much just wing it. Few have a strategy for figuring out what should be disclosed and under what conditions." He offers some specific advice for companies in an increasingly transparent business climate:

  • Abide by basic values in all operations. Tell the truth, abide by commitments, consider the interest of all stakeholders, be candid about shortcomings and challenges. Make sure that business integrity drives every aspect of company operations.
  • Deliver the right value to each group of stakeholders.
  • Understand the promise and peril of transparency and manage it continuously. Don't just try to spin and execute PR strategies when a problem occurs. Develop a proactive approach to communicating the values of the company in the face of challenges.

The article has a section entitled "Blogs and Martyrs" but it doesn't deal extensively with the idea of weblogs other than to mention that "stakeholder webs" can use them to bring public scrutiny to bear. I'd have liked to see more about how employee blogs can be a human voice for the company and provide positive results through transparency. In general, as you'd expect from the quote I give above, the tone is defensive: how to protect yourself from too much unwanted disclosure rather than proactive. Maybe the book is different.

One of the things I've been contemplating is how the intersection of several recent trends drives the move to corporate transparency. Here's the argument in brief:

Initiatives like Sarbanes-Oxley are requiring corporations to report more and more material information to shareholders.

Accounting data is not enough. In the past, when capital was the most important thing, accounting data ruled supreme, but what about today's corporation, where the quality of your technical operations or the knowledge tied up in your employees' heads is your competitive advantage? Does mere accounting data tell the whole picture of the company and its operations?

Right now, I get basically the same accounting information that a shareholder of Ford or GM saw in 1970. Yet, corporations are increasingly turning to digital dashboards and similar systems to provide business intelligence to managers because they know that the accounting data isn't enough. As a shareholder, I'd like to see some of that information when judging the health of a company. I'm sure that this would cause some significant angst among corporate executives, but I think that's where we're headed.

The article concludes with a discussion of the CIO's role. Just as eGovernment is about providing transparent access to government, corporate IT systems will increasingly be driven by policies and decisions regarding what information to disclose to whom. This is the essence of digital identity and is just one more example where traditional "secure perimeter" approaches to information security are becoming increasingly inadequate.

3:41 PM

Upgrade to Panther

This was the weekend of moves and upgrades. In addition to moving my weblog to its new server, I also got Panther, the newest version of Apple's OS X, in the mail on Friday. I waited a little while to see what the forums were saying about the upgrade process and then went ahead and installed it on my TiBook. Here's what I did:

  • Backed up /Users, /Library, and /Applications, just in case. All of your user data, including address book entries, mail (if you use the Apple Mail client, at least), etc. are in your /Users/$user_name/Library folder. I backed up /Library and /Applications to preserve properties and so on in case of a disaster.
  • Ran the installation, choosing the upgrade option. I was originally planning on doing an archive and install, but decided an upgrade would work as well. I usually like to do clean installs, but that seemed too much bother, especially in light of the fact that I'm traveling this week and didn't want to keep finding things I needed when I was away from home. If the upgrade doesn't work well, I'll do a clean install later.

I backed up to an SMB-mounted disk over my home network by just making compressed tarballs of the directories. Even with compression, I had about 17Gb of data to back up, so it took a while. The installation proceeded smoothly, and about 45 minutes after starting the installation I had an upgraded machine.

Here's my first impressions and bug reports:

  • Exposé ROCKS! If you haven't heard of Exposé, it's the new addition to the GUI that lets you see all of your windows at once. If you work with lots of open windows, as I do, you'll love how it lets you see where everything is and then lets you select which you want on top. The effect reminds me of the computer GUI in "Minority Report" a little bit. This is one of the coolest GUI innovations I've seen in a long time. I'd upgrade just for Exposé.
  • Mail, iCal, and the Address book seem snappier and I don't see the "wait" cursor nearly as much as I used to. I tried the new message threading feature in Mail and turned it back off. It may take some getting used to.
  • Startup items are now listed under the user accounts preferences to give each user their own custom environment.
  • A few things didn't work in 10.3. The two I've found so far are uControl, a utility for swapping the CAPSLOCK and Control keys, and CopyPaste-X, a utility which makes the clipboard into a stack (very handy in blogging). uControl simply doesn't work (yet) with 10.3. CopyPaste-X made my lowercase "c" key not work for some reason.

That's it for now. A painless and simple upgrade that pretty much left the rest of the machine alone. I'll write additional reports as I gain more experience.

8:08 AM

October 25, 2003

A New Home for Windley's Enterprise Computing Weblog

I've slowly been moving services that I used to host at Verio over to my co-located server. This weekend, I'm moving www.windley.com and this blog to the new machine. If you're seeing this message, then you're seeing the new digs. I'd appreciate any bug reports.

The new machine is hosted by Fibernet, a local ISP and hosting company run by my friends Lane and Lee Livingston. I've got a lot of respect for them because they've been around since the beginning and they've survived in the boom times and the lean times. While others are struggling, they recently built and moved into a new building. In addition to co-location, they also offer DSL, shared hosting, wireless, and T1s.

12:05 PM

October 23, 2003

Dan Farber on DIDW and PingID

Dan Farber was at Digital ID World and has written up a great article for ZDNet's TechUpdate. I didn't get to meet Dan at DIDW; I wish I had. Dan highlights three things from DIDW: Tony Scott's keynote, the discussions of federation, and PingID, and manages to tie them together nicely in a discussion of PingID and its mission (disclosure: I'm on the PingID advisory board).

One of Tony Scott's main points was that the technology to federate is the easy part, the hard part is issues like organizational trust, scenario planning, regulations, changing usage patterns, and how to split up costs. These are the kinds of issues that PingID tries to tackle: those above the basic pipes and protocols. Quoting Dan:

The company has developed the PingID Network, a member-owned, technology-neutral identity network that provides businesses with a legal and business framework to smooth the process of developing contracts between partners. While all the promises of transparent access, legal safety zones and privacy protection from the various standards and practices aspirants sound a bit idealistic, PingID takes its cue from a well-known and successful networked partner infrastructure: the ATM banking system. As ATMs grew more popular, banks interconnected systems regionally to provide customer convenience. The next step was to extend the partner network more globally. It became unmanageable for banks to individually or even regionally negotiate ATM partner relationships. The problem was resolved by creating a third-party network of national and international ATMs guided by a set of common operating rules and legal covenants, such as standardized procedures, risk management, dispute resolution and mutual confidence parameters. According to Durand, Ping Identity has defined shared services as well as common legal agreements, liability shifts and limits, participation requirements and dispute resolution procedures. Basically it's a template for creating a trust network based on the emerging Web services standards.

People have a tough time getting their arms around what PingID is doing at first. The best way I can describe it is to think of the world of credit cards before Visa and Mastercard. You pretty much could only use a credit card at that set of merchants who used the same bank you did. Visa and Mastercard hook up various banks in a network and deal with the interorganizational issues (at this point by fiat). The end result is that I can use a credit card from one bank at a merchant who uses another, and Visa and Mastercard take care of bringing them together for a real-time transaction. These same issues and islands of identity federation will exist in the world of digital identity, and someone needs to hook them together in a network. Can PingID succeed at this? Andre likes to say this is a 5-10 year process and I think he's right. Even so, I see the need, and PingID has some good momentum and, as of last week, funding.

8:08 AM

October 22, 2003

Long Road, Large Gains for Identity Management

Tom King is CISO at Lehman Brothers Holdings. He had a simple idea: rather than build authentication into each application, they would build a central identity, provisioning, and authentication system. Three years later, he's still working on the project. Before he could implement his idea, he first had to create a single repository of identity information in the company. Why go to the trouble? Read the following paragraph from the CIO magazine article where Tom's story is told:

So why bother with identity management at all? Because the returns can be impressive. According to a survey of more than 7,500 top IT execs cosponsored by CIO and PricewaterhouseCoopers, the top two strategic security initiatives for CIOs during the next year are to block unauthorized access to systems and to monitor systems activity. Identity management systems can help you do both. They also let CIOs provide new employees with almost immediate access to the applications they need (and take away access from former employees just as quickly). And since authentication (you are who you claim) and authorization (you're allowed to do what you're trying to do) occur at one location, employees can access all their applications with a single user name and password, a move that can dramatically cut down help desk calls.

NerveWire found that 38% of the 145 companies it surveyed expected an ROI of as much as five times on their identity management investment, and another 10 percent expected even higher returns. In an age where ROI is the king of the hill, it's no wonder that CIOs are tackling these projects, even if they are long term.

Of course, identity management projects can get hung up and suffer from scope creep just like any other IT project. I think there are some keys to making sure this doesn't happen:

  1. Realize that identity management isn't a product you can buy from a vendor. It's a process that you have to create inside your business. This is about business goals, not just security or authorization.
  2. With that in mind, do the enterprise architecture work around the identity management piece. By that, I mean that you need to work out governance, business needs, standards for interoperability, and infrastructure requirements.
  3. Structure the project as multiple small projects. The first step is probably building a single master directory. The second should probably be password self-service since there's a huge ROI there for most organizations.
  4. Require new projects to use the identity infrastructure and add onto it as needed. Bring legacy applications on board as it makes sense from a feature/functionality standpoint.

I should be very clear about the third point. If the only thing you want is the ROI on password self-service, that's an easier project than a complete identity management project. You can do it as part of an identity management project, however, and bank the ROI gains to help defray the cost of the identity infrastructure.

The gains in this kind of project are often soft: better agility and increased alignment with business objectives. You should take ROI anywhere you can, but don't expect this to be a cold, hard numbers kind of decision.

8:24 AM

Digital Identity is Not an Emerging Technology

I proposed doing a tutorial on digital identity management protocols (SAML, SPML, XACML, WS-Security, etc.) at the O'Reilly Emerging Tech conference next year. I just got notice that they didn't accept the proposal. I was planning on doing an expanded version of the tutorial I did at DIDW, but with more meat concerning the protocols and their implementation. I guess digital identity is not cutting edge enough for ETCon? Go figure.

8:08 AM

October 21, 2003

Salt Lake Public Library

I'm sitting at the Salt Lake library in between a couple of meetings. Since the last time I was here, they've installed free Wi-Fi courtesy of XMission. I took some pictures of the library and its rather dramatic architecture earlier this year and they've become a popular attraction on my blog. They show up third in a Google search for "salt lake public library". One of the things I've discovered about blogging is that it's hard to predict why people visit your blog. You can try to build a body of material that will attract that readership, but then your pictures of the library turn out to be the thing people really want to see. Go figure.

9:23 AM

Closing the XML Security Gap

If you use a firewall as part of your network security strategy, you might be feeling smug, thinking that you've closed access to thousands of ports and vulnerabilities. What you may not realize is that your firewall is most likely blithely passing XML through port 80, the Web's default port. ... But there is hope for application security in the form of XML firewalls. These devices sit behind a traditional firewall and monitor traffic on port 80 and any other ports you select. They pick through the contents of the XML packets, looking for potential trouble and taking action when trouble is found. [Full story at InfoWorld...]

I had a good time working on this story about three XML security appliances, commonly called "XML firewalls." As the article goes on to say, I did have my favorite, but they all were very able devices. The crucial difference between the products was the view that their developers took on how an XML firewall ought to work. The Sentry seems the most like a traditional firewall, while the Reactivity product was more like the Web services intermediaries I've been reviewing.

I did my testing at KeyLabs (see photo at right). I could have accommodated the appliances in my home lab (such as it is), but it was nice to have some support on DNS, power, etc. and room to spread out. Performance testing of the appliances was outside of the scope of my testing, but we did a pretty thorough feature and functionality test.

If I were running a business today and thought my digital assets were valuable enough to buy a regular firewall for security, I'd definitely go the next step and buy an XML firewall to sit behind it and monitor my HTTP traffic. Even businesses that aren't using Web services or XML are susceptible to XML attacks.

Beyond that, I think there are some pretty interesting things you could do with these boxes. They make managing encryption and digital signature tasks on XML a snap. They're extremely configurable XML processing engines, and that alone makes them fun little toys. The DataPower box, for example, is programmed using XSL stylesheets, and the hardware-based XML processing engine makes XSL transformations fast. One or two of these boxes and a lab full of grad students is a recipe for fun.

9:11 AM

October 20, 2003

Redesigned Utah Legislature Page

The Utah Legislature's Web site has undergone a redesign. I like it. The new look is clean and functional, and there are high profile links to the things people will want the most. They are even using le.utah.gov as the URL instead of le.state.ut.us! (You wouldn't believe the flack I took from the Legislature over the move to utah.gov.) And in a fit of foresight, legislature.utah.gov redirects to the same place. Very nice. My favorite part is the "What's happening today" box at the bottom of the page and the associated link out to a calendar of events. I just wish it had an RSS feed to go with it.

2:23 PM

Open Source Business Conference

You've seen open source conferences and conventions. Maybe you've been to a few. They're interesting and exciting, but they rarely focus on what most businesses want to know: how do I make money if I open up the source code? Now there's a conference that answers that question.

Matt Asay, a good friend of mine and one of Utah's most active open source proponents, is putting together a conference called the Open Source Business Conference (March 17-18). Matt has a knack for bringing people together; he's the founder and host of Utah's largest monthly meeting of entrepreneurs and venture capitalists, the Genus Breakfast. The list of speakers is impressive and I'm confident it's going to be a great show.

11:12 AM

More on Massachusetts Moves to Open Source

I wrote about Massachusetts moving to OSS a few weeks ago. This AP story has more information. According to the article, the Microsoft-led industry group Initiative for Software Choice has tracked 70 different open-source preference proposals in 24 countries.

8:36 AM

So Far, Participatory Democracy for Democrats Only

Esther Dyson wrote a piece for the New York Times last week called Power in Participation about some recent trends in politics involving the Web and blogs. She mentions MeetUp.com, a Web site that helps organize physical meetings. When I looked at MeetUp my first thought was "I can't believe it's taken us this long to create a Web site that does this." MeetUp is well done and has active groups in many different categories. It's also been discovered by the politicos, as Esther points out:

Meetup was recently discovered by the Democrats, most famously and effectively by Howard Dean. About 40,000 Dean supporters "met up" face-to-face in 740 locations all over the country, and -- to the professional politicians' surprise -- they've helped donate more than $25 million. Also, the campaign has organized its supporters at Meetups to write tens of thousands of letters to undecided voters, asking not for money but for support.

She also points out the use of Web sites by the Dean campaign:

Meanwhile, campaign organizations for Dean and other candidates have discovered the world of political blogging, in which both campaigners and their supporters publish online journals, or Weblogs. The bloggers comment, pontificate and argue among themselves. The candidates -- or their blogwriters, today's version of the speechwriter -- record their thoughts and adventures on the campaign trail. One result is excitement: Voters are getting involved and energized. They are engaging in face-to-face discussions with their neighbors -- often people they've never met before. And they are publishing their views, adding to the political discourse without the gatekeeping of newspaper editorial boards or campaign "messaging."

As I went out and looked at MeetUp.com and political blogs, I was struck by the fact that I don't see much participation by Republicans. I wonder why that is. Maybe it's because the incumbent president is a Republican and so there's not as much energy in the campaign right now. I should note that George W. Bush does have a blog and is using RSS for its newsfeed, but neither of these is what you would call a grass roots effort.

One thing I noticed while working my precinct as a delegate was the pitiful lack of any significant use of IT in managing the process. If you're a techie and want to make a difference in a campaign or in your local party, there's plenty of low hanging fruit. Now, getting in the door and not having them just shuffle you to the back room to staple signs on sticks will be a trick. You'll have to work pretty hard, especially in smaller campaigns, to find someone who will understand the value of what you're bringing to the table. I think it's high time that every campaign caught a clue from the private sector, and even government, and got a CIO-like figure who could advise the campaign manager and candidate on how IT could be used to add value to the campaign. Even simple things like suggesting the use of MeetUp.com and similar sites would be valuable.

8:22 AM

October 17, 2003

DIDW: Doc Searls Endnote

There's now a tradition that Doc closes out Digital ID World. It's a good conference strategy; I stuck around to hear Doc even though the desire to get into the sky and home is pretty strong. I'm glad I did. I can't possibly do justice to a Doc Searls presentation, but here are some thoughts I had while I was listening.

Doc is speaking on the topic of "Myidentity, Ouridentity, Theiridentity," Andre's three tier hierarchy of identity domains, and tying it into ClueTrain ideas. While he's been here, he created a vocabulary of identity buzzwords for his Buzzphraser application. Here are some identity phrases it created for me:

  • Properly Concerned Authorization Platform
  • Eventually Well-integrated ID APIs
  • Independently Hardened Disclosure Quagmire
  • Fiduciarily Influential Identifier Platform
  • Eventually Several Burden Tree
  • Inherently Productive Dispute Functionalities
  • Properly Related Access Proliferation

I'll be using this frequently in my consulting practice!

Doc talks about how our relationships with the tier-2 identity owners are very narrow. For example, I have a very narrow identity relationship with my credit card company. He shows the membership of Liberty Alliance and says it's "scary." Does federated identity get us to broad, rich relationships?

What do we do with networked customers? We embrace if we're big, we enable if we're small. The answer is easy: think about what customers want:

  • Anytime
  • Anywhere
  • In the networked world

Welcome relationships initiated by the customer. Let customers link to each other. Let suppliers link to each other. Can RSS and SMS help here? Imagine if by some really simple syndicated method we could express our desires and feedback to companies in a personalized way. As people have new ways to express demand, mass advertising could die due to its inherent inefficiencies.

Google advertising is an example of this kind of personalized demand and supply. Google needs competition for our attention. Don't boil the ocean---just do some simple things.

11:52 AM

Salt Lake County Recorder Web Site Get and Public Access

eGovernment is largely about public access to information. What does that say, then, about making web sites as widely accessible as you possibly can? I think eGovernment Web sites have an obligation to be as accessible as possible. In this category, I have to give the Salt Lake County Recorder's Office a grade of "F". Here's what I saw when I went to their Web site:

I sympathize with web site developers who want to offer some neat functionality that's browser specific, but I think it's decidedly broken to offer public services only to people who use a particular kind of browser, computer, etc. This site simply can't be compliant with Section 508 or the Americans with Disabilities Act. I've got a lot of respect for Gary Ott and I think he's clearly clueful about many of the public records issues that eGovernment is raising, but I'm disappointed in this.

10:58 AM

DIDW: The Identity of Things

This morning's opening session was a panel moderated by Esther Dyson on the Identity of Things. The debate naturally moved to what it means for all of the things I buy to be individually identified. Who manages the relationships? Me? Others? A near-term example that can shed light on some of the questions is SpeedPass, the RFID devices that are being distributed in urban areas to charge tolls to cars as they speed by rather than making the cars stop and pay the toll. These can, of course, be used to track the vehicle in other places as well, and some people are concerned about the "big brother" aspects.

The question I have is, does anyone care? Now that's asked somewhat tongue in cheek since the debate that occurred today in Denver indicates that there are people who care. Even so, consumers have shown their ever increasing willingness to give Albertson's just about any information Albertson's might want to collect in order to save $0.50 on a six-pack of Coke. I think if you tell people that they can have a suitcase that tells you what you're missing after you pack it (based on RFID tags on the clothing), they'll jump for it. Sure, there will be some local news stories about how scary this is and some people will spend lots of money removing the tags or buying devices to kill them, but most people just won't care.

Got an opinion? Share it below.

10:37 AM

October 16, 2003

Details on the Vonage Ruling

The judge who vacated the Minnesota Public Services Commission regulations concerning Vonage earlier in the week issued more detailed comments and rationale today. In a Washington Post article the judge is quoted:

State regulation would effectively decimate Congress's mandate that the Internet remain unfettered by regulation. The court therefore grants Vonage's request for injunctive relief.

I haven't found the actual ruling yet to link to. The MPSC has not said whether they'll appeal or not, but I think it's a foregone conclusion that they will.

The real issue in my mind is this. If I had brought the Cisco ATA186 that Vonage gave me to my hotel in Colorado, it would work. I'd be using an 801 number, but with number portability, I think we'll see the tie between numbers and geography disappear over time. It's just a billing question now. I'd be using networks in Colorado to talk to a switch in New Jersey. Which gateway I use depends on who I call or who calls me. So why does Utah have a stake in regulating that transaction?

6:02 PM

DIDW: Personal Area Networks

While I was chatting with Andre and Doc today, Andre mentioned something that I liked: a personal area network. Your personal area network is the group of folks in your buddy list. This is an incredible resource that no one has really tapped. People who use instant messaging have taken the time to indicate the people that they consider their friends, and right now all it's used for is chatting and presence. There's got to be other things that we could do with it. This comment happened in the context of a larger conversation with Simon Grice, the founder of Midentity. Midentity is a pretty cool little application that is integrating lots of connectivity and identity information into a single pane. I called it a "personal identity management" tool and that seemed to resonate with Simon, Doc, and Andre.

Simon is doing something in England that uses SMS enabled phones to create community groups that people can use for neighborhood watch and similar purposes. I liked the idea a lot.

3:34 PM

DIDW: How Identity will Refocus IT

Here's the cast of players:

  • Moderator: Phil Becker, Editor, Digital ID World
  • Rick Caccia, Director & Product Mgr, Oblix
  • Brian Anderson, Program Director, IBM Tivoli
  • Andy Eliopoulos, Director, Business Mgt. Network Identity, Sun
  • Kurt Johnson, VP Business Development, Courion

The number of applications that IT shops are supporting and the number of connections to partner systems is going up, not going down. Companies that can connect the right people with the right resources are the companies that succeed. Identity has moved beyond "can I come in?" to the questions of "where can I go?" and "what can I do?"

Measure the right thing or it will bite you: internal help desks sometimes fight against identity management solutions because they're measured on how many calls they take and how long they spend on the calls. If you introduce a password self-service reset system and calls to the help desk go down, help desks that are measured on the wrong things will be punished and consequently give pushback.

IT needs to remember that telling management what a technology does isn't the same as telling business why they need the technology. The example given in the panel is meta-directories. Explaining what a meta-directory does isn't the same as describing the business problems that it solves.

One of the problems with identity projects is that they require some degree of centralized coordination. That means that it's not a business unit decision, but an enterprise decision. This raises questions of governance and politics that haven't been part of the equation before.

The problem with this panel is that Phil is asking CIO-type questions of a group of vendors and they're falling all over their tongues trying to come up with smart sounding answers. Phil asked about the centralization issue I posed above and followed up with a question about whether standards will alleviate this problem. No one gave the right answer. The right answer is that governance is the issue and that has to be worked out whether you've got industry standards or not. Governance implies that you're going to create an enterprise architecture and an interoperability framework. Once you've got those, then each business unit can go do their own thing, follow the standards, and the system will stand a chance of working. Without them, it's endless meetings leading to project failure.

3:05 PM

DIDW: Tony Scott Keynote

Tony Scott, GM's CTO, is today's second keynote.

Since 1996 GM has made significant progress toward common processes. They've reduced their legacy systems from 7000 to 3500. They have built a common email system, created a global employee portal, created a single global CAD/CAM system (down from 23), and gone from having the highest IT cost as a percentage of sales to the lowest IT cost in the industry. That is impressive.

They've achieved this by taking a "one-company" approach to IT. They still have regional CIOs responsible for systems, but overlay that with cross regional "process information officers" that worry about supply chain, network, etc. Tony's one of those cross-regional officers. GM is 100% outsourced. There's no one in GM who's writing code, running data centers, administering networks, etc. GM manages IT by contract. What GM does internally is the "value innovation" function (see Modular IT Organization) that decides how IT can be used to help the business.

GM has been working on IdM since the current management team arrived in 1996. They started by working on the fragmented directories and worked toward a common directory infrastructure. They've been active in Liberty from its start because they saw the need to federate inside and outside GM. They've used Liberty to provide SSO in the employee portal (Socrates). They did this with an external benefits provider. Some lessons learned:

  • Trust is important: organization to organization, audit, and security.
  • Liability and support issues: costs and escalation process for problems.
  • User issues: users thought it was broken and called the help desk because it didn't continually ask them for a password.
  • Spend time on the use cases: work through all the specific cases like new employees, status changes, session time-outs, logging out of one site, but not another, and so on.
  • Obtain business buy-in: why is this important? What are the risks and benefits?

GM has built a global employee phonebook. It took a year to get regulatory approval in Europe. Europe has defined privacy as a human right while in the US data protection laws quickly run afoul of free speech issues. This means that the location of data (in what country) is important. Are you going to move that data outside the territorial boundary of the country? Data center consolidation turned from a technology issue into a regulatory issue. One big lesson was that their data access and retention policies had to be harmonized globally.

Digital ID in Auto Manufacturing: Every vehicle has a unique ID that has not traditionally been leveraged very well. They're starting to change that. GM builds about 250 test fleet vehicles of each type and subjects them to various conditions. There are 55 microprocessors on board for diagnostic purposes. In the old process, GM collected data in the test fleet on an ad hoc basis, there was significant lag time, and the data was only available to a few. It could take 180 days to get data from the test fleet into the engineering process and affect manufacturing. Today they collect data daily through OnStar, and the results are available in real time on the internal network. Some problems can be corrected in real time. The benefit is a shortened engineering to production cycle. They are at 18 months now (down from 5 years). This also removes significant warranty costs by decreasing false positives, for example.

The long term implications:

  • Digital IDs for many things, not just people.
  • Management tools will be necessary for commercial and personal applications
  • Rules for access and privacy are unclear
  • Still room for technology innovation in this space

10:15 AM

DIDW: Jamie Lewis

Jamie Lewis, from the Burton Group, is giving today's first keynote. I remember enjoying Jamie's talk last year, although I didn't realize how much was there. I asked him for the slides and recently went back and reviewed them and realized how many concepts I hadn't gotten at all a year ago that now seem very important.

Jamie defines the virtual enterprise network (VEN) as the corporate network along with the connections to employees, partners, customers, and suppliers. Jamie's first thesis is that tightly coupled systems won't enable large-scale interoperability. The most important benefit of Web services is that it turns the network into a platform. Businesses are just starting to map out Web services strategies.

Jamie's second thesis is that exclusionary business models (read: firewalls) do not enable business. Identity enables an inclusive model that goes beyond the necessary but insufficient perimeter security models that are common today.

The same market pressures that are driving Web services are driving digital identity management (IdM). We have made significant progress in the last year in the deployment of real implementation of specifications and standards that were just ideas a year ago. To manage identity, you need to build process and infrastructure at the same time. Process is about managing the life-cycle (registration, propagation, maintenance/management, and termination). Infrastructure manages the actual IDs, entitlements, and so on.

The Burton Group has a reference architecture for IdM. The reference architecture provides a goal state. Each organization can build their own reference architecture to define their own goal state. It seems to me that this is a part of the Enterprise Architecture. The reference architecture is centered on the idea of a "security domain," which is different from the intranet and corresponds to the VEN mentioned earlier.

Much of the Internet's potential is untapped because the infrastructure doesn't support the necessary functionality. Enterprises are interested in leveraging and integrating what they have, not buying new things. Jamie says they've had all the "technology cheeseburgers" they can stand; they're full and want to digest some of it. Web services is a move in the right direction.

Why will Web services work where others have failed?

  • Markets have changed
  • We've learned our lesson about tight coupling
  • Technology and politics have changed with more vendor buy in and lots of standards work.

Standards and open source implementations of those standards are allowing us to create a true network platform. Still, the reality is that we've only taken baby steps toward the goal. Right now, you can count on XML and SOAP. WSDL is almost baked. The rest is in some disarray. The incentives are there to solve the problems, but they need to be solved.

Most early efforts at solving IdM problems tried to legislate homogenization, dictating how developers will handle identity and security. X.500, Kerberos, and X.509 are examples. They also placed inappropriate burdens on developers. The next step was to build heavyweight integration products and middleware. These steps are necessary for creating the intra-organizational infrastructure, but don't address the inter-organizational issues.

Inter-organizational IdM will ride on top of the network bus created by Web services. If Web services doesn't work, we'll need to invent something just like it to provide that functionality. Internal federation can enable interoperability and consolidation after M&A.

The fact that the products we buy aren't secure means that we've been forced to buy security products.

There's lots of interest in provisioning, but it can be a big project with lots of political pitfalls. Password management is the low-hanging fruit of provisioning and can provide the quickest route to ROI. Still, it's not full-blown provisioning. Web access management is still a bedrock solution for portals. Delegated administration, self-service, password management, and other tools provide real differentiation.

Right now SAML is gaining momentum with lots of early adoption. There are multiple products in release or development, some of them open source. SAML has a simple, narrow focus. Liberty is entering early adoption with some implementations underway in consumer facing apps. The WS-* standards raise the convergence issue and it looks like a polite war. WS-* has an ambitious scope, but eventually the concepts behind WS-* will be necessary. Burton's advice is don't let the conflict stop you from meeting business needs. Eventually vendors will support all of them. SAML is a safe starting point.

Identity networks:

  • Centralized like Passport and AOL ScreenName
  • Industry-based and proprietary: SecuritiesHub/Bond Hub, Verified by Visa, etc.
  • SAML-powered like Shibboleth
  • Liberty powered like Neustar's Land Records Exchange Network
  • PingID has announced that they will build a gateway that translates between SAML, Liberty's ID-FF, and the WS-* standards

Jamie sees us going through a long, but inevitable transition. Web services and federated IdM have enormous potential, but we're several years away. We've made more progress in the last 2 or 3 years than we have in the past 2 or 3 decades. Understand what you can do today and get started building the most general purpose architecture you can.

You should also read AKMA's excellent write-up on Jamie's talk.

9:18 AM

October 15, 2003

DIDW: Photos

I have a gallery of photos I've taken at Digital ID World.

6:23 PM

DIDW: Grassroots identity: Does it Have a Chance?

I was torn between Carol Coye-Benson's session on The Business of Digital Identity and the session on Grassroots Identity. Grassroots Identity finally won out because the characters they've got assembled for this panel are bound to provide an interesting show:

  • Moderator: AKM Adam, Reverend Dr., Seabury-Western Theology Seminary
  • Doc Searls, Sr. Editor, Linux Journal
  • Simon Grice, CEO, Midentity
  • Marc Canter, Chairman & CEO, Broadband Mechanics
  • Simon Phipps, Chief Evangelist, Sun

T-shirts, haircuts, tattoos, cars, vanity plates, and so on are examples of non-digital grassroots identity. Digital examples include email addresses that are picked, meetup.com, and other community creating services. Issued identities include driver's licenses, passports, and many email addresses. Grass roots identity is created by the person for their own purposes. It's about being yourself, expressing yourself, sharing your own data, thoughts, and ideas. This blog is an example of a grassroots identity created by me to share an aspect of myself.

No identity is an island. Every identity sits in some context.

People are willing to pay for choice associated with identity. For example, many people pay to have a particular email address. I'm one of these, for example. I pay pretty dearly in terms of money and time to maintain a domain (windley.com) where I can create my own identity.

Identity markets are about relationships. Identity isn't worth much without a context. People exist inside relationships (both personal and organizational). We're typically very forgiving of identifying attributes being transferred to organizations and people we have relationships with. This even applies to where we shop and our willingness to give up information about who we are when we buy in order to get a discount.

5:44 PM

DIDW: Federation, Policy, and Trust Management

I'm in the Federation, Policy & Trust Management session. The participants are:

  • Moderator: Jim Hurley, VP, Aberdeen
  • Khaja Ahmed, Chief Security Architect, Microsoft
  • Michael Barrett, VP Internet Strategy, American Express
  • Tim Moses, Sr. Director Advanced Security Technology, Entrust

I apologize that I've not kept careful track of who said what in the following. There's some general discussion of policies and trust. Access policies should be:

  • Accessible to people and businesses in native languages
  • Portable from business strategy through IT operations
  • Consistent from human readable to digital instruction and across time and location invariant
  • Reliable
  • Trusted

Policy is the set of actions that a party is required to take. Trust is confidence that a policy is being followed. For example, in authentication, the policy details the authentication mechanism and parameter values. The trust comes from the identification and authorization procedure and refresh requirements. In a different scenario, the policy might specify to what uses the data may be put, how long it can be retained, which entities may have access, etc., and the trust is based on certification.

There are some important questions about policy in a federated space:

  • Who sets policy? First-party, third-party, bilateral?
  • How is the policy represented? Human readable, machine readable, both?
  • At what stage is the policy set? Deploy-time, run-time?
  • How flexible is the policy? Take it or leave it, adaptable?

The bad news is that traditional approaches for managing policy and trust are inflexible, slow, and costly. The worse news is that federation makes this worse. This sets the stage for requirements for policies that are machine readable, consistent, support late binding, are adaptable, and function in a heterogeneous environment.

A community of trust has four components:

  • Governance (operating rules, roles and responsibilities, and legal validity)
  • Operations (people and the procedures they follow)
  • Technology (software and hardware)
  • Viable economic model

A village is a community of trust. Trustworthiness is based on reputation. Strangers have no trust, but over time this changes. eBay is a good example of this kind of trust system. MSN Messenger has provided a community for traders where people rely on the MSN messenger ID being inviolate. Email works very similarly--people trust email addresses and an email address conveys some sense of trust to people who have interacted with it for some time. Villages have a low governance burden. The community manages the trust and it works effectively across national boundaries. Risk management is done by each individual judging the risk/reward for a particular transaction.

Some ideas for reputation system:

  • Better formalized reputation system or 'gossip' mechanism in cloud-based systems
  • Services that allow a hybrid model (reputation plus authority assertions from a "village elder")
  • Rich, intuitive, "falling off a log" easy desktop tools for credential and attribute management.

Liability flow between companies affects trust. A liability flow occurs when a service provider can sue an identity provider for damages related to problems associated with an identity. False positives occur when someone gains access to an account they have no rights to, when an automated attack fools the system into granting an identity that doesn't belong to the attacker, or through social engineering attacks. Another problem is authentication strength. It's very difficult to compare two authentication schemes and determine which is stronger (how the UID is chosen, how passwords are chosen, how passwords are aged, etc.).

What to do? Ignore the risk--probably not a good idea. Accept the risk--viable and often done. Join a pre-existing network that's worked some of these problems out--PingID is providing such a network. Utilize the Liberty Alliance Business Guidelines that explore these issues in detail and work out solutions.

4:51 PM

DIDW: Digital Identity Tutorial

My tutorial on digital identity management was this morning from 10:15 to 12:15. It overlapped a keynote and consequently we were slow getting going. Initially there were just three people there, but by the time we finished the room was full. Many of those present were people I know and respect; I felt like I was talking to a group of people who knew more about digital identity than I did. We had some good questions and discussion and I had several people say that going over the basic technologies in context was helpful. That's why I developed this tutorial: I knew about the various technologies, but didn't understand how they worked together and interacted. The tutorial:

  • defined the language of digital identity,
  • related digital identity to familiar identity scenarios in the physical world,
  • described the primary protocols for creating, exchanging, and using digital identity, and
  • discussed how organizations can develop an identity management strategy.

You can get a copy of my slides. I also have a white paper upon which the slides are based. You can get a copy by signing up for my free newsletter. If you'd rather not sign up for the newsletter and were at the tutorial this morning, send me an email and I'll send it to you.

2:14 PM

DIDW: Identity Management vs. Managing by Identity

Phil Becker is using an interesting distinction to emphasize a point I've made several times before: identity management is about opportunity, not just security. He calls this "managing by identity" rather than "identity management." He says managing by identity

  • uses identity to organize, manage and secure computing processes
  • allows business process and computing process to align more naturally
  • releases the real promise and capability of network computing: networking business processes

Networking business processes across business boundaries has now become possible. Soon it will be necessary for survival.

Phil moves on to the topic of trust. Networks require trust to release their power. Human networks learn to trust over time. You can't buy, build, or create trust. Trust is granted by others based on behavior. Transparency is the surest path to trust. Secrecy impairs trust. If this is interesting to you, be sure to review Professor Kent Seamons' research.

The web browser taught people the concept of discovery and networking at the document level in realtime. Web services are the next step at the application level. These new network activities have shown us the need for management by identity.

Federated identity is about linking silos of identity into networks of identity in a way that scales. The only way to make this happen, according to Phil, is to keep the management local while allowing the identity to be used globally. I think this is a great definition of federation because it is general enough to allow multiple solutions.
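An added illustration of the split Phil describes (management stays local, the identity is used globally), and of the policy/trust distinction from the Federation, Policy, and Trust Management panel above (the assertion carries the authentication mechanism; the relying site's own policy decides whether that is strong enough). This is example code written for this page, not SAML or Liberty and not anything from Phil Becker or the Burton Group: a toy identity provider keeps its user directory to itself and issues a short-lived, signed, audience-bound assertion; a partner's service provider checks it against its trust list and its own access policy. The organization names, the claim layout, and the shared HMAC key standing in for the IdP's signing key are all assumptions of the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed example, not SAML or Liberty. The identity provider keeps its
# user directory local and vouches for users elsewhere with signed assertions.
# A shared HMAC key stands in for the IdP's signing key; real federations use
# public-key signatures (XML-DSig in SAML), so the verifier holds no secret.

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class IdentityProvider:
    """Manages users locally; issues assertions a partner can use globally."""

    def __init__(self, issuer: str, signing_key: bytes):
        self.issuer = issuer
        self._key = signing_key
        self._users = {}  # username -> attributes; never leaves this org

    def add_user(self, username: str, attrs: dict) -> None:
        self._users[username] = attrs

    def issue_assertion(self, username: str, audience: str, authn_method: str,
                        now: float, ttl: int = 300) -> str:
        """Return 'payload.signature' for a user already authenticated here."""
        claims = {
            "iss": self.issuer,
            "sub": username,
            "aud": audience,            # the one SP this assertion is for
            "iat": int(now),
            "exp": int(now) + ttl,      # short lifetime limits replay
            "authn": authn_method,      # policy input: how the user logged in
            "attrs": self._users[username],
        }
        payload = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{sig}"

class ServiceProvider:
    """Uses federated identities without running a user directory of its own."""

    def __init__(self, audience: str, accepted_authn: set):
        self.audience = audience
        self.accepted_authn = accepted_authn  # local policy on authn strength
        self._issuer_keys = {}                # issuer -> key: the trust list

    def trust_issuer(self, issuer: str, key: bytes) -> None:
        self._issuer_keys[issuer] = key

    def verify(self, assertion: str, now: float):
        """Return (accepted, reason, claims); each policy check is explicit."""
        try:
            payload, sig = assertion.split(".")
            claims = json.loads(_unb64(payload))
        except ValueError:  # covers malformed base64 and malformed JSON
            return False, "malformed", None
        key = self._issuer_keys.get(claims.get("iss"))
        if key is None:
            return False, "unknown issuer", None
        expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature", None
        if claims.get("aud") != self.audience:
            return False, "wrong audience", None
        if not claims.get("iat", 0) <= now < claims.get("exp", 0):
            return False, "expired", None
        if claims.get("authn") not in self.accepted_authn:
            return False, "authentication too weak", None
        return True, "ok", claims

def demo() -> dict:
    """Run one good exchange and each way the SP's checks reject an assertion."""
    key = b"idp-signing-key-shared-out-of-band"  # constructed, not a real key
    idp = IdentityProvider("idp.employer.example", key)
    idp.add_user("alice", {"dept": "engineering"})
    sp = ServiceProvider("benefits.partner.example", {"otp", "smartcard"})
    sp.trust_issuer("idp.employer.example", key)

    t0 = 1_000_000  # fixed clock so the run is reproducible
    good = idp.issue_assertion("alice", "benefits.partner.example", "otp", t0)
    flipped = good[:-1] + ("0" if good[-1] != "0" else "1")  # one signature nibble
    other = idp.issue_assertion("alice", "other.partner.example", "otp", t0)
    weak = idp.issue_assertion("alice", "benefits.partner.example", "password", t0)
    return {
        "good": sp.verify(good, t0 + 10)[1],
        "expired": sp.verify(good, t0 + 600)[1],
        "tampered": sp.verify(flipped, t0 + 10)[1],
        "wrong audience": sp.verify(other, t0 + 10)[1],
        "weak authn": sp.verify(weak, t0 + 10)[1],
    }
```

The point of the audience and expiry checks is that an assertion meant for one partner cannot be replayed at another, which is what lets the IdP keep issuing locally while many sites rely on it; the `accepted_authn` set is the relying site's policy in the panel's sense, and the IdP's claim about how it authenticated the user is only trusted because the signature ties it to a known issuer.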

Because it's impossible to pre-define all the ways people will want to integrate data and applications, we need to be able to integrate on demand. This is a good view of what's different about Web services. Businesses integrate on demand all the time: they form teams of people to solve special problems on a regular basis. The tools don't support this kind of "integrate on demand" business process. Only a robust identity infrastructure can support this.

Portals are starting to address this problem. Portals have always been about aggregation. Portals should be organized based on the user's needs and the policies of the applications and data. Think of what an employee portal is meant to do: aggregate the data that a user needs in a personalized way. This is an interesting view of what portals do.

9:18 AM

nTAGS at Digital ID World

We're using these interactive name tags called nTAGS. These are little computers that you wear around your neck. The goal is to provide a technology that enhances, rather than disrupts, face to face communication. The devices have a pretty simple interface and function well. They are a little heavy, but that's the first generation. I wish they were more dynamic. They're meant to be that, but the information that the conference attendees provided was more multiple choice than free form, so they're a little less free form than I think they need to be. Still, it's a fun experiment and they're great conversation starters.

8:55 AM

October 14, 2003

Travel to Digital ID World

I'm at Digital ID World in Denver tonight. This was a great conference last year and promises to be even better this year. I flew my plane to Denver rather than going commercial. I was able to leave my house and be in the air 45 minutes later and land just 5 miles from the conference hotel. I had a 50 knot tail-wind and was traveling as fast as 218 knots at one point. Not bad. My door to door time was about an hour shorter than if I'd flown commercial. As a bonus, I was able to bring my pocket knife.

10:44 PM

October 13, 2003

Public Records are No Longer Effectively Private

There are a lot of government records that are public: court proceedings, arrest records and property recordings are examples. Public records are one of the cornerstones of democracy. Democracies prefer accountability to enforcement. Rather than trying to enforce every rule and law with absolute certainty, we make information public and make people accountable. Accountability based systems scale better than enforcement systems. Even so, the Internet has upset some long held practices related to public records. Here's an example:

Utah County, where I live, has put property records online. They've also done a good job of making their queries using GET, so I can give you a link to the information they have about my property. (Warning: it's buggy; most of the time it craps out with a "server not found" or "Error in DLL" error.)

Now, I'm not sure I'm very excited about having my mortgage information on the Web for all the world to see, but I am convinced that they're not breaking any rules--everything they've made public really is public. I know my wife would be very upset to find this information on the net. She wasn't very happy about being able to type our phone number into Google and get a map to our place. How do you feel about it? If your county doesn't make this information public now, they will. Recorders all over the country are moving in this direction since it makes their job easier.

There's a reason property information is recorded with the county and why it's public: protecting the public from land fraud. When I buy a piece of property, I want to know what its exact boundaries are, what disputes there may have been over it, what rights come with it, and what liens there might be against it. The problem is that while this information has always been public, the reality of the paper record keeping system made it effectively private for most purposes. You had to physically present yourself at the county recorder's office to search through their records to find out about my property. This meant you had to really want it. Now anyone who wants to know what my mortgage is can go look it up online in a few minutes, in their bathrobe, for any purpose whatsoever.

These collisions between the Internet and public policy are fascinating. I wrote about a similar collision between State telecom regulation and VoIP last week. Techies have a unique perspective on these issues and can be of great value to the public policy discussions. Techies have a tendency to ignore these kinds of debates, however, and then just rail against them when regulators, legislators, or whoever make a boneheaded move. These people need your help in framing the debate and they need to hear from you when the debate happens. The next few decades are likely to be painful if we don't solve these issues correctly, so I urge you to get involved.

10:26 AM

October 10, 2003

Web Services Early Adopters

Many companies are reluctant to deploy Web services, having heard scary stories about security threats and half-baked standards. Still, a number of IT departments are moving forward--some slowly with pilot projects and others more aggressively. The most recent issue of CIO magazine has an article on Web services early adopters and why they're keen on the technology. The highlighted organizations include Motorola, the US Navy, and Wells Fargo. Samir Desai is Motorola's CIO:

"This is about increasing the throughput, agility and cost-effectiveness of IT," says Desai. "How many times should I code a credit card check? With Web services the answer is one. In the past no one really knew the answer, but it was a much, much larger number." Merely by automating standard transactions, Web services promises to save a huge amount of effort and money.

The article goes on to list five risks and discusses how they can be mitigated. I've listed the risks from the article below, but the commentary is my own answer to those risks.

  1. Web services isn't secure.

    First step: buy an XML firewall (I've got a review of three XML security firewall products coming out soon). Next, understand that Web services and other emerging technologies break down the traditional secure perimeter and require a move to a more holistic digital identity strategy. Companies that can build a digital identity infrastructure won't see Web services security as a problem; they'll see digital identity as an opportunity.

  2. The lack of standards breeds complexity.

    I don't think the lack of standards is as big an issue as the fact that there are still issues that need to be resolved, and that will lead to new and different standards over the next few years. I'm still trying to figure out how this is different from the world of 3-4 years ago, when there were no standards for decentralized computing. The way to mitigate this risk is to use a good Web services intermediary that can provide insulation from changing and emerging standards.

  3. Vendors might go out of business.

    Which brings us to the fear that once you pick one, they might go out of business. That's a real fear, since many of these vendors are small start-ups and there's a whole pack of them. At