Leading in the new IT environment: Old saws and new


Leading in a new IT environment: Old saws and new technologies

Disclaimers

• The abstract and the talk
• The ambiguity of the title
• The work of many, many others …and my good seat in the house

About the title, and our topics today

Leading in a new IT environment
• A bit player in some very fine plays…
• A few frontiers from the past 25 years
• Some new frontiers for the next several years

Leading, in a new IT environment
• The challenges for IT leaders in the new frontiers
• Some trusty old saws
• A few potentially useful new saws

Leading in a new IT environment: A few frontiers from the last 25 years

• The changing form and face of computing
• Making the Internet market
• The rise of the middle layer

The changing form and face of computing

• Technical
  • The move from mainframe to mini to micro to LAN to client server to grid to mobile device to …
  • The move from pocket-protected user to pocket pc user
• With each technical shift so shift the politics
  • The role of the central IT organization
  • Much of the economics
  • The policy needs

What we were leading in then…

• IT as services, not as cycles
• Having the mainframe was not a blessing
• The network as the driver
• A shift in the funding model
  • And the rise of the have-nots
  • And the loss of a commons
  • And the banner message of the day

Making the Internet market

• The late sixties and seventies established the core TCP/IP technologies and value to the CS community
• The eighties made a mass market of technology, applications and content
• The nineties created business plans and businesses

What we were leading in then…

• A fundamental new infrastructure, with business models (occasionally) and large scale industry
• A lack of governance structure, with an array of processes that lurch forward
• A distributed, non-hierarchical information space
• A seismic shift from local to global thinking

The recent rise of the Middle layer

• Building campus/enterprise core middleware infrastructure that
  • Serves the overall enterprise IT environment
  • Is designed from the start to support the research and instructional missions
    - Implies consistent approaches and common practices across campuses and internationally
• Basic elements include identity management, directories, group and privilege management, workflow, authority trees, etc…
• Application developers are now interested in outsourcing core needs to a middleware infrastructure

The rise of federations

• Federations offer a flexible and largely scalable privacy preserving identity management infrastructure
• Federations are occurring broadly, and internationally, to support inter-institutional and external partner collaborations
• They provide a powerful leverage of campus credentials
• Federations are learning to peer
• Internal federations are also proving quite useful

Leading in a New IT Environment: Some Frontiers for the Next Several Years

• Integrating Internet Identity
• Trust Fabrics and Virtual Organizations
• Authorization and the Attribute Ecosystem
• Plumbing the applications
• The rise of the collaboration layer

Types of Internet identity

• Federated
  • Inter and intra enterprise; bi-lateral or multi-lateral
  • In academic settings, privacy preserving capabilities and international use are helpful
  • Often is role and entitlement oriented
• P2P
  • Originally PGP
  • Now Infocard, OpenId, etc.
  • May be coupled with reputation systems for trust
• (Global may still happen)

Identity integration goals

• First, of federated and p2p identity
  • Many levels of integration – tokens, GUI, privacy management paradigm, trust fabrics…
• Then, of identity and privilege management
  • Assignment and management of permissions to users by those with authority to grant such access
  • Addresses the static aspects of the authorization space, with audit, delegation, prerequisites, etc.
  • Permissions can be enterprise or virtual organization

Trust fabrics

• Federations themselves are still very early
  • Climbing the LOA curve
  • Business models are ripe with possibilities and uncertainties
• Interfederation – Peering, Leveraged, Confederation, Intersecting
• Reputation systems integration into federated trust

Of Federations and Virtual Organizations

• Federations provide general trust fabrics for use by many users accessing a variety of resources
• Specific collaborations among small subsets of users, typically a science experiment or a research community, are VO’s
• The intent is to leverage peered federations to support the identity management needs of virtual organizations, for both general collaboration and the domain science software/systems
• International aspects of many VO’s drive peering of federations
• Note that VO’s can build across P2P trust

Peering

Parameters:
• LOA
• Attribute mapping
• Legal structures
• Liability
• Adjudication
• Metadata
• VO Support
• Economics
• Privacy

(Diagram: VOs plumbed to federations)

Authorization and the Attribute Ecosystem

• The movement of attributes, entitlements, privileges, etc. from sources of authority to identity providers, service providers, middlemen (portals, gateways, proxies, etc.)
  • Includes account linking, the “IEEE problem”, provisioning and deprovisioning, etc.
  • Can be compile time or run time movement
  • Needs protocols, audit and diagnostics, etc.
• The ecosystem needs to deliver its services in a trustworthy manner; some fabric is required
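As an added example, not code from the talk: a toy attribute-release decision at a home IdP that applies two of the peering parameters listed above (LOA and attribute mapping), scopes group membership to a requesting VO, and records an audit entry for every decision. The federation names, attribute names and LOA values are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed peering table (assumption for this example): each peer record
# carries the minimum LOA the peer requires and the mapping from the home
# federation's attribute names to the peer's schema. No record, no release.
PEERINGS = {
    "fedB": {"min_loa": 2,
             "attr_map": {"eduPersonPrincipalName": "principal",
                          "isMemberOf": "groups"}},
}

# Constructed user record as the home IdP assembles it from its sources of authority.
ALICE = {"eduPersonPrincipalName": "alice@campus.example",
         "isMemberOf": ["vo:climate:member", "staff"],
         "mail": "alice@campus.example",  # never mapped, so never released
         "loa": 2}

@dataclass
class Release:
    granted: bool
    attrs: dict = field(default_factory=dict)
    reason: str = ""

AUDIT = []  # one tuple per decision: the audit/diagnostics trail the slide calls for

def release(user, peer_fed, requested, vo=None):
    """Decide which attributes the home IdP releases to an SP in peer_fed."""
    peering = PEERINGS.get(peer_fed)
    if peering is None:
        decision = Release(False, reason="no peering with " + peer_fed)
    elif user["loa"] < peering["min_loa"]:
        decision = Release(False, reason="user LOA %d below peer minimum %d"
                           % (user["loa"], peering["min_loa"]))
    else:
        out = {}
        for local_name, peer_name in peering["attr_map"].items():
            # Data minimization: release only attributes that are both mapped
            # for this peer and actually requested by the SP.
            if peer_name not in requested or local_name not in user:
                continue
            value = user[local_name]
            if local_name == "isMemberOf" and vo:
                # VO support: expose only the memberships belonging to this VO
                value = [g for g in value if g.startswith("vo:" + vo + ":")]
            out[peer_name] = value
        decision = Release(True, out)
    AUDIT.append((user["eduPersonPrincipalName"], peer_fed, vo,
                  decision.granted, decision.reason, sorted(decision.attrs)))
    return decision
```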

Real life in the attribute ecosystem

(Diagram: sources of authority feeding attributes to an IdP, a portal, a gateway, Shib, a proxy, a p2p user and application access controls, including network devices)

Plumbing the applications

• Many applications need identity management and access controls
• There are degrees of plumbing
  • The minimum is some type of federated identity or use of a standard P2P, along with privacy management
  • Even better would be use of enterprise services for group and privilege management, workflow, diagnostics, etc.
• It’s not just about plumbing; it’s about user conceptual models
• Other consistencies are also desirable: metadata tagging, searching, etc.

The rise of the collaboration layer

• An over-abundance of tools that, with careful integration, provide rich and growing collaboration capabilities
• No uber-app – too restrictive of invention and community
• Collaboration across virtual organizations, social networks, P2P
• Asynchronous – wikis, flickr, del.icio.us, webdav, etc.
• Synchronous – IM, IP audioconferencing, IP videoconferencing, etc.
• All need some plumbing – identity management and access controls…

The rise of the collaboration layer plumbing

• Middleware enabling lots of collaboration applications – common management of identity, access controls, permissions, etc.
• Asynch
  • Fine-grain wikis
    • Identity based – spaces.internet2.edu
    • Attribute-based wikis – “members of the community” discussions
  • Web-accessed shared file stores
  • Collaboratively visible calendaring
• Real time tools
  • Federated IM – use your local login for external IM use
  • An IM channel for a VO embedded in a campus portal
• Integrate privacy and authority management into tools

Leading, in a new IT environment

• The new frontier challenges for IT leaders
• Some trusty old saws
• A few potentially useful new saws

Challenges for IT Leaders - I

• Providing consistent user experiences
  • The appearance of the collaboration layer
  • User-centric SOA
• The policies of the collaboration layer
  • The politics of presence
  • The complex nature of privacy

Consistent dimensions of user experience

• User-centric SOA: take common activities out of individual applications; maintain a core set of IdM services for use across applications
  • Identity and Privacy Management, including trust and reputation mechanisms
  • Group and Privilege Management
  • DRM on a wide variety of digital objects, with rich controls
  • Metadata tagging
  • Search on metadata
  • Network layer management issues

The politics of presence

• Who owns the knowledge of your location – the appliance, the service provider, the enterprise, etc.
• How can the user manage their presence and who has access to it?
  • The doctor in the theater use case
  • Presence logs, legal systems, and other devils

The complex nature of privacy

• Shift from “no one knows” to “I control who knows”
• Most users want the defaults to work
• International deeply compounds
  • Differing policies
  • A US citizen using a Swiss IdP
  • A roaming network user from Australia in the EU
• Legal considerations and log files
• Paradigm clashes happen, e.g. federated identity meets federated search

Challenges for IT Leaders - II

• Normalizing the academy
  • Internal role rationalization
  • Mapping external roles to internal
• Responding to federation and collaboration
• Applying identity management up and down the stack
  • To roaming network access, firewall configuration, log management, etc…

Normalizing the academy

• The only thing that scales, for the user and the institution, is role based access controls (with well-managed exception mechanisms)
  • Not our history or culture
  • No obvious leadership position at most institutions
  • Harder still to map external entities to internal roles
• Growing urgency for more defined structure – workflow, compliance processes, privilege management, federated and virtual use cases
• What’s hard is not the access control policies, but assigning roles
• Old wines in new clear bottles may expose floating objects

Responding to federation and collaboration

• Federation policies may place requirements on campus processes and procedures
  • Comes with sweet inducements
  • For some subsets of the larger campus, better identity proofing, better acts of authentication
• Campus participation in national and international activities
  • Who puts up the EU Article Privacy Directive and when?
• Brokering for collaboration and the attribute yentah
• Installing VO schema in enterprise services

Applying IdM Up and Down the Stack

• Using enterprise identity management
  • To provide eduRoam services
  • Trust based transparency and firewall management
    • Scanning rules
• At the application layer
  • What applications must use enterprise IdM
  • What applications can not use enterprise IdM

Some Trusty Old Saws

• Be conservative in the data you send, be liberal in the data you accept
• There is no problem in computer science that can not be solved with another level of indirection … except the problem of indirection complexity
• Expect the unexpected use
• Disruptive technologies usually change the economics
• There is a time for hierarchy, and a time for peering

A few other old saws

• Without end to end transparency, innovation is limited and generally twisted
• Duct tape inside software tends to hold forever
• The sooner you start, the longer it takes
• Try doing it with the engine running
• Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away.

A few new saws

• Higher ed is fractal in structure
• Scaling is always an issue, and scaling changes things a lot
• The first thing any good new technology does is show how bad the existing policies are
• Complexity is contagious
• Change only happens where people are experiencing pain

• It is often not about solving the problem; many problems have approaches at several layers of the extended stack. Solving the problem at the right level is the trick.
• The only numbers of importance in computing are 1, 2 and many – with its meta counting variant: 1, 2, Schema
• Any piece of software reflects the organizational structure that produced it

• The first thing one learns from an interoperability protocol is all the ways in which we can’t operationally interoperate
• The intersection of privacy and collaboration is a tricky spot
• In theory, there is no difference between theory and practice; in practice, there is
• Whatever it is that hits the fan will not be distributed evenly

Willingness to lead…

“There is only the fight to recover what has been lost
And found and lost again and again: and now, under conditions
That seem unpropitious. But perhaps neither gain nor loss.
For us, there is only the trying. The rest is not our business.”
– T.S. Eliot

Thanks…