The Identropy Blog


We Are Purpose Maximizers!

Company culture is extremely important to us at Identropy, as we have written about in the past. It's what makes us who we are, and a big reason why many of us have come together here. It's also been cited by customers as a reason for selecting us, and by the VCs who have invested in us.

One of our big influences is the book 'Drive' by Daniel Pink, which has not only helped formulate our approach to work, but also gave us our Fedex Day ritual. You can check out the post Ash wrote about the success of Identropy's first Fedex Day here. Two weeks ago, we had our third Fedex Day at our quarterly in Austin, and it was not only hugely successful once again (have you noticed the slick makeover our website got, for one?), but incredibly inspiring. The camaraderie it builds in a team as geographically dispersed as ours is invaluable. And we can't wait to showcase the outcome of the projects we did, so stay tuned to this space.

In the meantime, I wanted to share the video below which does a simply brilliant job of presenting - in a visually arresting and cool way - the core idea in Drive, which is that we should incentivise people by giving them purpose instead of rewards. Apparently this was the video that started it all for Ash, Frank and the rest of team Identropy (even though I only came across it today). Check it out.

A Retrospective Look at Identity in 2011 and Predictions for 2012


As 2011 draws to an end, I can't help but feel sentimental about this year and get anxious about next year. It has been a good year.

Looking back at 2011 and our predictions from earlier this year, it is great to see that we fared really well. Our mid-year checks and balances already showed that we were on track with our predictions. The one prediction that we were undecided about in late June 2011, "Identity Administration Reaches Maturity," has come through in a strong form. This became evident in the second half of 2011, with traditional IAM product vendors announcing their plans to adopt a managed services model, in some cases leveraging the cloud. We at Identropy can validate that customers are more and more evaluating more mature models for adopting and implementing their core IAM solution, and that cloud or managed services models are becoming more predominant.

Looking forward to 2012, predicting which trend is going to "cross the chasm" is at best a highly inexact science. However, in our tradition of being opinionated, I will venture a few predictions that I believe should be tracked in 2012:

1) Identity Intelligence comes of age: According to Gartner’s Earl Perkins, “IAM intelligence represents the ability of IAM tools and process to (a) build effective repositories of identity information for IAM systems to use, (b) collect and correlate information about the IAM events that occur throughout the system with other important security events and information, (c) provide a means to monitor, analyze and report on what is happening within the IAM world for a number of constituents.”

The goal is to apply serious analytics to identity information that delivers business value to the organization. For example: a manager goes to an IAM portal to request creation of a new contractor working in her team and the system "suggests" the kinds of access that the contract may need based on the data already in the system and some applicable business rules. This helps the manager be more efficient, helps the organization better manage access, and ensures the end user has access to the resources she needs to do her job. 

Over the past 18 months, “next-gen” access request applications have been introduced, bringing with them the promise that more intelligent and efficient access request processes will materialize. Furthermore, the maturity and greater sophistication of role management products have allowed organizations to make good sense of what bundles of access should be made available to drive the business, and leverage this information in ways that expedite key IAM functions such as on-boarding, transfers and termination of users.

These are just two factors that indicate the tipping point for Identity Intelligence is not as far off as many (including myself) once thought. The level and pace of innovation in this area is enough to expect great strides in effective and business-ready Identity Intelligence in 2012, most likely delivered as a service.
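The access-suggestion scenario above (a manager on-boards a contractor and the system proposes access from peer data plus business rules) can be sketched in code. This is an added example, not Identropy's or any vendor's product code; the identities, entitlements, contractor policy and separation-of-duties pairs are all constructed for illustration, and it also handles the transfer case, where the candidate already holds entitlements from a previous team.

```python
"""Peer-based access suggestion with business rules (added example).

All identities, entitlements and rules below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    uid: str
    team: str
    worker_type: str          # "employee" or "contractor"
    entitlements: frozenset   # entitlements currently held


# Constructed sample directory: what existing users already hold
DIRECTORY = [
    Identity("alice", "finance", "employee",
             frozenset({"erp_view", "erp_post", "email", "vpn"})),
    Identity("bob", "finance", "employee",
             frozenset({"erp_view", "erp_post", "email", "vpn"})),
    Identity("carol", "finance", "contractor",
             frozenset({"erp_view", "email"})),
    Identity("dave", "finance", "employee",
             frozenset({"erp_view", "erp_approve", "email", "vpn"})),
    Identity("erin", "engineering", "employee",
             frozenset({"email", "vpn", "git"})),
]

# Constructed business rules: entitlements never suggested for contractors,
# and entitlement pairs that must not be held together (separation of duties)
CONTRACTOR_DENY = frozenset({"erp_post", "erp_approve", "payroll_admin"})
SOD_CONFLICTS = [frozenset({"erp_post", "erp_approve"})]


def peer_support(team, directory):
    """Fraction of the team's existing members holding each entitlement."""
    peers = [i for i in directory if i.team == team]
    if not peers:
        return {}
    counts = Counter(e for i in peers for e in i.entitlements)
    return {e: n / len(peers) for e, n in counts.items()}


def suggest_access(candidate, directory, threshold=0.5):
    """Return (suggested, excluded).

    suggested: entitlements held by at least `threshold` of the candidate's
               team peers that pass the business rules.
    excluded:  entitlement -> reason, so the manager sees why a common
               entitlement was NOT proposed (explainability matters here).
    """
    support = peer_support(candidate.team, directory)
    suggested = set()
    excluded = {}
    # Most widely held first, so an SoD conflict drops the rarer entitlement
    for ent, frac in sorted(support.items(), key=lambda kv: (-kv[1], kv[0])):
        if frac < threshold:
            continue
        if ent in candidate.entitlements:
            continue  # already held (e.g. a transfer); nothing to suggest
        if candidate.worker_type == "contractor" and ent in CONTRACTOR_DENY:
            excluded[ent] = "denied for contractors by policy"
            continue
        held_or_suggested = candidate.entitlements | suggested
        conflict = next((c for c in SOD_CONFLICTS
                         if ent in c and (c - {ent}) <= held_or_suggested), None)
        if conflict:
            others = ", ".join(sorted(conflict - {ent}))
            excluded[ent] = "separation-of-duties conflict with " + others
            continue
        suggested.add(ent)
    return suggested, excluded


if __name__ == "__main__":
    # New contractor in finance: erp_post is common among peers but denied
    frank = Identity("frank", "finance", "contractor", frozenset())
    print("frank:", suggest_access(frank, DIRECTORY))
    # Employee transferring into finance who already approves ERP postings
    grace = Identity("grace", "finance", "employee",
                     frozenset({"erp_approve", "git"}))
    print("grace:", suggest_access(grace, DIRECTORY))
```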

2) Consumer Identity Brokers prepare for prime time:  An Identity Broker, or “i-broker,” as referred to by Wikipedia, is “a trusted third party that helps individuals and organizations share private data the same way banks help exchange funds and ISPs help exchange e-mail and files.”  Think of PayPal as an identity broker for online shopping, or Facebook for information sharing on the Internet.

While the concept of identity brokers is easy enough to digest, making it work in a user friendly and privacy enhancing way is not so easy.   It is widely accepted that identity brokers should be advocates of consumer privacy and protection. Andrew Nash perfectly encapsulated this requirement in his (Asimov-inspired) three laws of Identity Brokers:

  1. An Identity Broker may not injure a consumer, or through inaction, allow a consumer to come to harm.
  2. An Identity Broker must obey orders given by consumers, except where orders would conflict with the first law.
  3. An Identity Broker must protect its own existence as long as such protection does not conflict with the first or second law.

While Facebook has carved out a role for itself as the identity broker most trusted by consumers in social networks, it is fair to say that these laws are not its guiding principles, as seen by the consumer revolt over Beacon and other privacy issues. Additionally, it is highly doubtful that Facebook or rival identity brokers such as Google or Microsoft will be viable or trusted outside of social network transactions. It will be interesting to see how much progress we make in the coming year working through key issues such as:

  • What use case or service will push use of identity brokers forward? 
  • Who pays for what?  
  • Who will regulate the integrity and security of identity brokers?  

3) Behold the proliferation of the Managed Identity Service Provider (MISP): Just as the complexity of network security gave rise to the Managed Security Services Provider (MSSP) market (estimated by Forrester to be a US$4.5 billion market), the pain associated with identity management has given rise to a similar trend. IAM specialists are now capitalizing on their expertise, delivering a variety of specialized offerings including dedicated, hosted IAM services. Like any nascent market, there are several acronyms being used to frame this market, including IDaaS (Identity as a Service) and MIS (Managed Identity Services). We believe that this market will explode in 2012 with a variety of players entering the fray, consisting mainly of software vendors offering hosted versions of their on-premise offerings, VARs specializing in Identity Management expanding into the hosted services market, and entrepreneurs opening up dedicated shops. Either way, the demand for specialized IAM services will explode in 2012, giving rise to the emergence of a much-needed new breed of service provider: the Managed Identity Services Provider (MISP).

How close to the mark these predictions are, only time will tell. Regardless, one thing I am sure of is that 2012 is sure to push the envelope forward when it comes to matters of digital identity, and we at Identropy are glad to be a part of it.

My best wishes to you and your family for a very healthy and prosperous 2012.

Oh, and about all this talk about the end of the world happening on December 21st, 2012, my prediction is that this will not come true, just like none of the prior doomsday predictions have come true in the past.

Getting Your IAM Program Ready for 2012

It's that time of year, when everyone does their best Carnac the Magnificent impression and rolls out their prognostications and top 10 lists. Here at Identropy, we're not so sure about trying to predict the future, but we do know a thing or two about helping customers succeed in meeting the goals of their IAM programs. So if you're looking to make a new year resolution, we're here to remind you of some steps you can take to truly set your IAM program up for success.

First, create an IAM governance body. Without establishing a governance body, your organization is not going to be able to overcome the roadblocks, complexities and sometimes personalities that often derail even the best planned IAM project. Proper governance is also crucial in making sure that the project adjusts properly to the continuously evolving business and policy environment that IAM needs to operate within. Our CTO, Ash Motiwala, recently wrote an article for SC Magazine on how to go about setting up your IAM governance body.

Next, you’ll need an IAM Roadmap (if you don’t have one already – naughty list). If you have more than a few identity related problems that you are trying to solve, an Identity Management Roadmap will be critical to ensure that you tackle it as a program, with various phases that are sequenced in the appropriate priority order and have tangible business benefits and “wins” along each step of the way.  We’ve published a series of blog articles on developing an IAM roadmap that can help you think through how you may want to approach your own situation.

Of course, in order for the governance body to know how the program is progressing and make good decisions, they need good information. To address that, you need to take the final step of using metrics to help measure the effectiveness of your IAM program and identify inefficiencies and issues. Our very own Frank Villavicencio wrote for CSO Online earlier this year about the 10 IAM Metrics that matter. Even if you don’t use a tool like our own SCUID Operations, there are simple reports and analysis you can do on a periodic basis to get some visibility into how your IAM tools and processes are doing against the business objectives laid out by the governance body. It’s a worthwhile investment that can often pay for itself in terms of the improvements it can help identify.

So take some time to figure out how to put in place the support structure your IAM program needs to truly achieve its potential and deliver on the objectives you laid out for it.

And Happy Holidays from the Identropy family to yours!

Business Differentiation through IAM, Really?

[Figure: U.S. Healthcare Workforce Shortages: Caregivers. Source: Walt Zywiak, CSC]

It is very unusual to see the term "business differentiation" being used in the world of Identity and Access Management (IAM), but working with a customer recently, business differentiation was the very topic of our conversation; and yes, it was in the context of IAM. Hard to believe, right?

In the recent past, I have written about IAM in Healthcare and provided an explanation for why there is an explosion of IAM adoption in this particular sector. In one recent post, I talked about the impact that IAM can have in patient care, and specifically in Emergency Care, which I found very sobering.

But last week, my conversation with the business owner of clinical solutions for a large healthcare organization was so enlightening, to me at least, that I felt compelled to share the story with you, as I found this to be a very unique opportunity to talk about IAM as a business transformation element for an organization.

As I am sure you know, there is a pronounced healthcare workforce shortage in the United States, particularly caregivers (nurses and physicians), and it is acutely so in the geriatric area where the gaps are greater. As a result, healthcare organizations face competition for the available workforce, and it is imperative for them to attract and retain top talent to achieve a significant competitive advantage.

In our experience working with healthcare organizations, we have learned that the majority of physicians are contractors instead of employees. I speculate that this phenomenon is directly correlated to the shortage in physician workforce, since a physician is likely to provide services at various sites and thus for different healthcare organizations, and opt for the flexibility and income maximization of being a contractor.

What this means to the healthcare organization is that in order to retain this physician, they need to look for differentiation over other competing organizations, even though this physician is not an employee. Therefore, organizations need to create a model for differentiation that goes beyond just pay (though evidently, pay is a big driver), and it is here where IT, and specifically IAM, can be valuable.

An effective and well-aligned IAM program, coupled with the appropriate IT infrastructure, could enable physicians to:

  • Work under a "Bring Your Own Device (BYOD)" environment, which in addition to being a global trend in IT, appears to be a desire commonly expressed by physicians. Physicians' ability to leverage their own laptop, tablet computer or mobile device to do their work and connect to clinical systems, complete dictations, and access email and other applications seamlessly at the facilities where they provide services is seen as a significant gain in productivity. We discussed some of the implications that this trend has for the organization's IAM infrastructure and program in a past blog article. Anecdotally, my customer shared a story of a physician who called the Help Desk to request that they allow his iPad to connect to his favorite streaming music service online while enjoying music in the Operating Room. This meant relaxing a firewall rule to allow the music traffic through, and while he was glad that the access was granted to the physician, I am sure that the patient and her relatives were happier to hear that the physician was able to get his wish while performing the procedure "at the right beat".
  • Spend more time providing care and less time trying to get access to the applications that physicians need in order to provide care. As discussed in this article, this would create benefits such as:
    • Less idle time waiting to get on-boarded from the onset. This speaks to automated and streamlined provisioning.
    • Less time signing on to clinical systems and applications, and accessing the patient record. This speaks to IAM capabilities such as reduced and single sign-on, possibly coupled with context management such that clinical applications that the physician utilizes show the electronic record for the patient being attended to; as well as a usable and efficient password reset and recovery mechanism. In some cases, strong authentication, whether biometric or proximity badge-based, could add to the convenience and efficiency of the end user experience while providing higher assurance.
    • Provide new types of healthcare services, such as allowing a new father at a remote location (such as a soldier deployed overseas) to securely witness the birth of his child; or allow a new mother at home in a rural area to receive breastfeeding lessons from a nurse through an online video conference.

This conversation only scratched the surface of what could be a new way to look at IAM in healthcare. Measuring the success of the IAM program in improving physician retention or in reducing healthcare costs, tracking the effect that certain IAM capabilities can have in differentiating a healthcare organization in the marketplace and in increasing patient and caregiver satisfaction, and consequently coming up with new ways to justify funding IAM initiatives, are very tough, non-trivial metrics to obtain. While I won't discuss them in this article, I do believe that this way of thinking about IAM will have very positive effects for healthcare, and will turn into a driver of innovation for IAM products and solutions.

One of my predictions for healthcare in the coming years is the accelerated pace of modernization in IT, particularly in the area of IAM. Therefore it is very important for those leading IAM initiatives to always remember that business must always come ahead of technology for the initiative to be successful, thus ensuring that there is clear alignment between the business objectives of the organization and the goals of the IAM initiative. As much as possible, measuring the effectiveness of such alignment will be a good approach to a successful IAM program. Nishant Kaushik posted a great blog article on this topic.

While this discussion is mainly focused on healthcare, it can easily apply to other industry sectors where workforce shortage and increased demand is taking place. I would love to hear your thoughts.

Commonly Used Acronyms in Identity and Access Management

A few days ago, a customer asked us if we had a document with Identity and Access Management (IAM) acronyms. This exercise made us collaborate in compiling an updated list of commonly used acronyms, which I felt would make a good contribution to the identirati.

With that, I give you our list of commonly used acronyms in IAM. Your comments, suggestions and opinions are most appreciated.

General IAM Acronyms

AD - Active Directory
ADAM - Active Directory Application Mode
ADFS - Active Directory Federation Services
ADSI - Active Directory Services Interface
AJAX - Asynchronous JavaScript and XML
AM - Access Management
API - Application Programming Interface
CA - Certificate Authority
DDNS - Dynamic DNS
DNS - Domain Name System
ED - Enterprise Directory
ERP - Enterprise Resource Planning
ESSO - Enterprise Single Sign-On
GUID - Global Unique Identifier
IA - Identity Assurance
IAM - Identity and Access Management
ID - Identity or identifier
IDaaS - Identity as a Service
IdM - Identity Management
IdP - Identity Provider
LDAP - Lightweight Directory Access Protocol
LDS - LDAP Directory Services
MISP - Managed Identity Service Provider
MSP - Managed Service Provider
MSSP - Managed Security Service Provider
MX - Mail eXchanger Record
OID - Object Identifier
PACS - Physical Access Control Systems
PAM - This acronym can have two possible meanings.
PAP - Policy Administration Point
PDP - Policy Decision Point
PEP - Policy Enforcement Point
PIP - Policy Information Point
PIV - Personal Identity Verification
PKI - Public Key Infrastructure
PUM - Privileged User Management
RBAC - Role Based Access Control
REST - Representational State Transfer
RFID - Radio-frequency Identification
SaaS - Software as a Service
SAM - Security Account Manager
SAML - Security Assertion Markup Language
SCIM - Simple Cloud Identity Management
SCUID - Secure, Co-Sourced, Unified IDentity
SDK - Software Development Kit
SEM - Security Event Management
SIEM - Security Information and Event Management
SIM - Security Information Management
SMTP - Simple Mail Transfer Protocol
SOAP - Simple Object Access Protocol
SoD - Segregation/Separation of Duties
SP - Service Provider
SPML - Service Provisioning Markup Language
SQL - Structured Query Language
SSL - Secure Sockets Layer
SSO - Single Sign-On
SSPR - Self-Service Password Reset
STS - Secure Token Service
TLS - Transport Layer Security
UI - User Interface
VDS - Virtual Directory Services
WAM - Web Access Management
XML - Extensible Markup Language
XSLT - Extensible Stylesheet Language Transformation

Software Development

DEV - Development
POC - Proof of Concept
PROD - Production
QA - Quality Assurance
SDLC - Software Development Lifecycle
SOA - Service-Oriented Architecture
UAT - User Acceptance Testing

Standards Organization

IAF - Identity Assurance Framework
IEEE - Institute of Electrical and Electronics Engineers
ISO - International Organization for Standardization
OASIS - Organization for the Advancement of Structured Information Standards
OIX - Open Identity eXchange
NIST - National Institute of Standards and Technology
NSTIC - National Strategy for Trusted Identities in Cyberspace

Regulatory Compliance

FERC - Federal Energy Regulatory Commission
GLBA - Gramm-Leach-Bliley Act
HIPAA - Health Insurance Portability and Accountability Act
NERC CIP - North American Electric Reliability Corporation Critical Infrastructure Protection
PCI - Payment Card Industry
PCI DSS - Payment Card Industry Data Security Standard
SOX - Sarbanes-Oxley

Showcasing SCUID Operations at the Gartner IAM Summit

Next week a number of people will be descending on San Diego to attend the Gartner Identity and Access Management Summit and learn about ways in which they can improve their security, their compliance posture and their business by leveraging identity. One of the overlooked aspects of getting value from your identity management investment is the use of metrics and continuous analysis to understand how well your IAM deployment is operating and performing against its goals. Identropy's SCUID Operations is an industry-first solution that does exactly that. It allows clients who host their own IAM solution in-house to outsource the monitoring, management, reporting and remediation of the infrastructure to Identropy's identity management experts. The power of SCUID Operations lies in its unique combination of automated monitoring and analytics delivered via a cloud service with expert management on-demand. You can read more about how to get started using operational management to improve your IAM deployment in this blog post.

We'll be showcasing the latest release of SCUID Operations at the Gartner Summit. It features a slew of new metrics and some exciting new features that really help customers get a complete view of the health, operational efficiency and correctness of their IAM deployment. You can learn more by finding myself or Ranjeet at the Quest hospitality suite on Tuesday evening (Nov 15 at 6pm), where we'll be demoing SCUID Operations monitoring a Quest One Identity Manager installation. If you'd like a more in-depth, one-on-one description of how SCUID Operations can help you manage your Quest, Oracle, Courion or Novell identity management deployment, then we'd be more than happy to sit down with you any time during the conference. Just leave us a message in the comments or using our contact form.

As always, I will also be looking to leverage the summit by hearing about what's working and what's not from the Gartner analysts as well as from the end-user case studies. And I relish the opportunity to meet up with everyone and just chat about the latest challenges in identity management. I will of course keep anyone that's interested apprised of my thoughts on Twitter.

Look forward to seeing you in San Diego.

A Step Closer to Identity-enabled Transactions

Last week, the Kantara Initiative announced that it received final approval of its Trust Framework Provider (TFP) program as the only Approved US Government TFP certifying Levels of Assurance (LoA) 1, 2 and 3 non-crypto (non-PKI).

Having been involved with the Kantara Initiative Identity Assurance Work Group (IAWG) and the development of the Identity Assurance Framework for a few years, this milestone is significant. It signals the beginning of an era in which citizens will be able to rely on credentials of known LoAs issued to them by trusted 3rd party providers to access US Government services online. These credentials will conform to the NIST Special Publication 800-63 guidelines.

The Office of Management and Budget (OMB) is driving a timeline within the US Government to foster the use of credentials issued at known LoA, starting with LoA 1, and eventually adopting LoA 2 and 3 non-crypto for higher value US Government agency services in the near term.

This has been a long time coming, and while many hurdles had to be cleared, I commend the perseverance and leadership within the US Government and the Kantara Initiative for reaching this milestone. The first of many to come, I am sure.

Why is this relevant?

In my view, there are a few reasons that make this milestone relevant:

  • This is a sign of commitment from the US Government to the strategy for identity-enabling online services as described in the National Strategy for Trusted Identities in Cyberspace (NSTIC). Establishing an identity ecosystem of private sector entities that would issue and manage credentials at defined LoA that the US Government could trust was one of the tenets of the overall strategy, and accepting the Kantara Initiative as a TFP is an important milestone in the execution of the strategy.
  • It represents the first, of possibly many, private sector initiatives and organizations that will enable the next generation of identity federation within the US Government.
  • It materializes an initial set of policies and standards that is required to put into practice what for years has been discussed as utopian: "could we agree on a set of parameters that will convey trust, at known levels, to the parties involved in online transactions, such that high value online services can be provided at large scale?" The answer seems to be yes.

What does this mean to you?

A few things will start to change over time, which will impact the way you interact with the US Government, and eventually with non-Government service providers online:

  • As an individual end user, you will start to see US Government web sites advertising that they can accept credentials from a list of providers that they trust. Hence, if you have credentials issued by one of these providers, you will not need to create a separate account on that web site. Behold real identity federation!
  • At lower LoAs, it is quite plausible to expect that some US Government sites will allow you to use Facebook or Gmail credentials (to name some) to log in within the very near term.
  • You will become more aware of privacy issues relating to digital identity, and in particular will give some consideration to which credentials to use for what kind of transaction.
  • There will be some debate over whether and how higher LoA credentials will have a direct cost to the end user, or if instead they will have an indirect cost (i.e. they are given as part of a subscription to some other service).

What should we expect to see in the future?

I think that the future will be quite interesting and exciting as the NSTIC strategy execution continues:

  • More organizations will become TFPs, such as the Open Identity eXchange (OIX), creating a number of options and a market for credential issuers at various LoAs.
  • I very much believe that Identity Brokers will emerge as a result of the formation of the identity ecosystem, as stated in our January 3, 2011 predictions, but I doubt that this will happen in 2011. So I guess this will be a carryover into 2012.
  • Beyond technology or IT services providers, players in other industry sectors, such as banks and mobile carriers, will start announcing identity services that can be leveraged within the identity ecosystem. A case in point is the announcement by the Government of Canada trusting credentials issued by banks to access agency services online.
  • There will be a tipping-point-like adoption of services at LoA 3, which seems to be the sweet spot for high-volume, high-value transactions. Therefore, I anticipate that once a certain threshold is met, there will be an explosion of LoA 3 services and credential providers in the market.
  • There will be lots of debate over whether employers should issue NSTIC compatible credentials to their workforce, and whether these could be used in a personal context. These debates will unearth a number of privacy and security perspectives that we have not yet been able to discuss thoroughly, simply because there was no identity ecosystem per se. Moreover, this debate will also encompass whether employers should trust NSTIC compatible credentials that employees may already have, which have been issued by a 3rd party. This debate will result in a number of standards, policies and potentially even regulation around privacy and acceptable use, further blurring the line between consumer and corporate use of IT infrastructure: the consumerization of Enterprise IAM.
  • We will witness the end of PKI-centric user authentication, if it is not fully dead yet (there, I said it: "there won't be a year of PKI"), and the extinction of programs such as HSPD-12, which will be replaced with more user friendly and cost effective non-crypto credentials that will reach mass scale more rapidly.

I will be very interested in your thoughts about this fascinating transformation that we are fortunate enough to see unfold before our eyes.

Protecting Yourself While Using Cloud Services

I was recently asked to comment on the top 5 ways to protect yourself (as an individual) when using the cloud. Obviously I brought a very identity-centric slant to it, but it was an interesting exercise as I tried to put down on paper (!) the steps I take to protect myself daily. I thought it would be worthwhile to share what I put together with the broader community, and get your take on additional steps that you believe people should take.

Establish Your Fundamental Security Posture

Part of the allure of cloud-based services is the whole access-from-anywhere aspect of it: at work, on the road, in a coffee shop, in a public park, in your hotel room. As public, often free, wifi becomes something we (especially road warriors) start to rely on more, make a checklist of things you do in order to secure your interaction with cloud services, which should include (but isn't restricted to):

  1. Make sure you secure your communication with cloud services by using HTTPS instead of HTTP. I highly recommend installing the 'HTTPS Everywhere' plugin that the EFF has released.
  2. Use a Virtual Private Network. It lets you route all your activity through a separate secure, private network, thus giving you the security of a private network even though you're on a public one. A lot of people can get it through work, but if your job doesn't come with one then get your own, like CyberGhost VPN or WiTopia (check out this Lifehacker article).
  3. And watch out for shoulder surfers.

Don’t Reuse Your Passwords

It’s an all too common phenomenon: when setting up an account with a cloud service, users are forced to come up with yet another password, and they choose a familiar, well used one. Especially when signing up for services for work, people will often use the same password they use to access services internal to the enterprise (like their email system, or their corporate CRM system). Reusing those passwords definitely helps you remember it for next time, but it’s the equivalent of leaving your house keys in the mailbox - someone else will eventually see it and figure out how to use it.

Better Still, Use A Password Manager

As our usage of the cloud increases and we battle password fatigue, that last point becomes increasingly harder for us. But there are tools like LastPass and 1Password that can help us greatly, not only by remembering the passwords for us (in the cloud, of course) and providing simple plugins to autofill those pesky login forms, but by also generating random string passwords that are stronger than your average password. Just remember to follow all their recommendations: create a really strong and unique Master Password, configure the settings to recognize trusted locations (like your home network), make sure to read their ToS and security policies, and use common sense in trusting what is still a cloud service.

Bring Your Own Identity

But those last two points still rely on having multiple passwords, which is widely recognized as an insufficient approach to security. Federation technology has matured to the point where we can now rely on federated login to cloud services. Most enterprise service providers will support federation with your corporate identity, eliminating the need for passwords to log into these services. And on the consumer side it is becoming increasingly easy to sign into services like Tripit or Flickr using your Gmail, Facebook or Twitter identity, using mechanisms like OpenID and OAuth that do not share your password with the relying site. The goal is not to go down to one password for one account that is your key to your online life, but rather to have a manageable number of identity providers that you then use to access your various services. And use common sense to evaluate the sensitivity of a particular service before setting up a relationship between it and an external site.

Review Those Service-to-Service Relationships

The concept of a periodic review of user access is a cornerstone of enterprise governance programs. Why should our personal life be any different? As you rely increasingly on the federated model, set aside time to periodically go into your services and review which mobile apps and third-party services you have granted access to. Did you grant some Twitter ranking site access to your Twitter account months ago, but never go back and use it? Reviewing the access grants will remind you to sever that relationship, removing that avenue for abuse or exploit.
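The two points above, federated login that keeps your password away from the relying site and the periodic review of what you have granted, fit together in one added example (not code from the original post, nor from any real identity provider or service). It simulates an OAuth-style authorization-code exchange between a user, an identity provider (IdP) and a relying party (RP), records each grant with a last-used date, and then runs the review that flags and revokes grants idle for longer than a chosen window. The user, client names and dates are constructed sample data, and the redirect-URI check, the state parameter, PKCE and token expiry that a real deployment needs are left out to keep the flow readable.

```python
"""Added example: delegated login where only the IdP ever sees the password,
plus a review of stale service-to-service grants."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityProvider:
    """Holds the password; hands relying parties one-time codes and bearer tokens."""

    def __init__(self, now: datetime) -> None:
        self.now = now                                       # injected clock for the demo
        self._users: dict[str, tuple[bytes, bytes]] = {}     # user -> (salt, hash)
        self._clients: dict[str, str] = {}                   # client_id -> client secret
        self._codes: dict[str, tuple[str, str]] = {}         # code -> (user, client_id)
        self._tokens: dict[str, tuple[str, str]] = {}        # token -> (user, client_id)
        self.grants: dict[tuple[str, str], datetime] = {}    # (user, client_id) -> last used

    def register_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, _hash_password(password, salt))

    def register_client(self, client_id: str) -> str:
        self._clients[client_id] = secrets.token_urlsafe(32)
        return self._clients[client_id]

    def authorize(self, user: str, password: str, client_id: str) -> str:
        """Front channel: the user authenticates at the IdP and consents to client_id.
        Returns a one-time authorization code; the RP never sees the password."""
        if client_id not in self._clients:
            raise PermissionError("unknown client")
        salt, stored = self._users[user]
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, client_id)
        self.grants[(user, client_id)] = self.now
        return code

    def exchange_code(self, client_id: str, client_secret: str, code: str) -> str:
        """Back channel: the RP authenticates as the registered client and redeems the code once."""
        if not hmac.compare_digest(self._clients.get(client_id, ""), client_secret):
            raise PermissionError("client authentication failed")
        user, issued_to = self._codes.pop(code)              # KeyError on replay: codes are one-time
        if issued_to != client_id:
            raise PermissionError("code was issued to a different client")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, client_id)
        return token

    def whoami(self, token: str) -> str:
        """An API call with the bearer token; marks the grant as used now."""
        user, client_id = self._tokens[token]
        self.grants[(user, client_id)] = self.now
        return user

    def revoke(self, user: str, client_id: str) -> None:
        """Sever the relationship: drop the grant and every token issued under it."""
        self.grants.pop((user, client_id), None)
        self._tokens = {t: v for t, v in self._tokens.items() if v != (user, client_id)}


class RelyingParty:
    """A cloud service accepting federated login. It handles only the code and the token."""

    def __init__(self, idp: IdentityProvider, client_id: str) -> None:
        self.idp, self.client_id = idp, client_id
        self.client_secret = idp.register_client(client_id)
        self.received: list[str] = []                        # everything the RP sees during login

    def login_with_code(self, code: str) -> str:
        self.received.append(code)
        token = self.idp.exchange_code(self.client_id, self.client_secret, code)
        self.received.append(token)
        return self.idp.whoami(token)


def stale_grants(idp: IdentityProvider, user: str, max_idle: timedelta) -> list[str]:
    """The periodic review: clients this user authorized but has not used within max_idle."""
    return sorted(cid for (u, cid), last in idp.grants.items()
                  if u == user and idp.now - last > max_idle)


def demo() -> dict:
    now = datetime(2011, 12, 15)
    idp = IdentityProvider(now)
    idp.register_user("alice", "correct horse battery staple")  # constructed sample credential
    travel, ranker = RelyingParty(idp, "travel-app"), RelyingParty(idp, "tweet-ranker")
    for rp in (travel, ranker):
        rp.login_with_code(idp.authorize("alice", "correct horse battery staple", rp.client_id))
    idp.grants[("alice", "tweet-ranker")] = now - timedelta(days=200)  # simulate: last used months ago
    stale = stale_grants(idp, "alice", timedelta(days=90))
    for client_id in stale:
        idp.revoke("alice", client_id)
    return {"password_seen_by_rp": "correct horse battery staple" in travel.received,
            "stale": stale,
            "remaining": sorted(c for (u, c) in idp.grants if u == "alice")}


if __name__ == "__main__":
    print(demo())
```

The `received` list on the relying party is the point of the exercise: after a full login it contains a code and a token but never the password, which is exactly the property the post attributes to OpenID and OAuth. The review is deliberately a function over the IdP's grant table rather than a manual click-through, since that is how an enterprise access review would be automated.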

Are there any other steps you take that help keep you safe? Practical suggestions only please, unlike this (see second last bullet).

[Cross-posted from the Talking Identity blog]

Identropy's Company Culture


Last week, we kicked off our Q4 2011 here at Identropy, and it is exciting to see how much the company has grown in 2011.

We updated our Intranet with the video and slides from our quarterly meeting, and I felt compelled to borrow content from our Intranet and share it with you all. I must confess that at first, I was very hesitant to publish this on our blog, but after very good internal encouragement from the whole team, we agreed to go ahead.

Earlier this year, I wrote a blog post on the topic of creating a strong company culture, which is a great preface to this post, given that below we describe Identropy's Company Culture. This is a subject that is near and dear to our hearts at Identropy, but in the spirit of transparency (one of our core values), here we go...

Why Define our Company Culture?

As Identropy continues to grow, we want to focus on those things that have made us successful and pay attention to creating an environment that allows us to preserve and foster those things, as well as allow us to scale up without losing our DNA as a company.

Having a strong company culture is allegedly the key ingredient in the sustained success and durability of organizations in the information age (e.g. Google, Zappos, Netflix, Softtek, TD Ameritrade, Amgen).

There are several industry initiatives such as the Social Happiness Movement, and new social psychology theories such as Ecosynomics & Harmonic Vibrancy, which focus on the positive effect of a strong company culture on its overall performance. In particular, Harmonic Vibrancy is what people experience when they are identified with and acting out of their greatest potential. In simpler terms: if the organization’s core values align with its employees’, the organization achieves exceptional performance and employees are happier.

For these reasons, and inspired by a few really good books on the topic, in Q1 2011 we started to define Identropy’s culture. The first step was to collect our employees’ feedback, and to that end we conducted a short online survey.  This exercise allowed us to identify our core values.

Our approach to defining our culture was relatively straightforward:

  1. Identify the company’s core values
  2. Document and publish them
  3. Commit to them

A bit more context: Have you ever been “in the zone”? 

In positive psychology being “in the zone” means experiencing “flow”. Flow is a concept proposed by Mihály Csíkszentmihályi.

According to Csíkszentmihályi, flow is completely focused motivation. It is a single-minded immersion and represents perhaps the ultimate in harnessing the emotions in the service of performing and learning. In flow, the emotions are not just contained and channeled, but positive, energized, and aligned with the task at hand.

“Flow can be addictive… but an addiction that is healthy for you in so many ways…”  - Sir Ken Robinson in The Element - How Finding Your Passion Changes Everything

Identropy's Core Values

Innovation

  • Never settle for the status quo, even if it’s good
  • Continuously create new and better ways of doing what we do to make it better

Autonomy

  • Own your career
  • Create your own path; seek a partner for some guidance
  • Right a wrong when you see it.  Don’t wait!
  • Manage by deliverables. Never micro-manage

Customer Service

  • Having happy customers starts by you listening
  • Put yourselves in their shoes. What would you want?
  • Communicate effectively. Prevent misunderstandings
  • Deliver hard and fast.  But don’t get sloppy
  • Make a connection.  Build relationships
  • Always do what you promised

Vision

  • Strive to solve real customer problems
  • Have a positive vision for your tasks, projects, and career
  • Think long-term

Knowledge

  • Read
  • Especially about your domain – Know your domain
  • Don’t overlook the details. Know them too
  • Create knowledge by analyzing experiences
  • Practice applying knowledge to your daily work

Drive

  • Mix vision, passion and action
  • Work the mission to completion
  • Execute tenaciously
  • Don’t stop! (unless the vision changes)
  • Love winning

Friendliness

  • Be easy to get along with
  • That doesn’t mean you have to be everyone’s best friend
  • Enjoy helping others. Share. Compliment. Empower
  • Never play the politics game

Partnership

  • Where possible, work with someone.  It’s more fun that way
  • Two brains are better than one
  • But be smart selecting the right partner for the job (colleague, vendor, etc.)

Humility

  • You are great at X, but realize that there’s always a better X’er than you
  • Remember that Identropy can never realize its vision without the team
  • Admit mistakes with grace
  • Respect opinions of customers and colleagues

Transparency

  • Be pathologically honest
  • Transparency and honesty create trust between people
  • Sometimes, it may cause you embarrassment.  That’s OK. It’ll pass

Identropy's Culture Book

Much like Zappos, we set off to create our own culture book in March of 2011. Our first step was to collect our employees’ thoughts and input, and to that end we conducted a short online survey.  Participation in the survey was optional, and everyone had the option to keep their responses anonymous if they preferred.

In the survey, we asked our employees to “describe in 150 words or less why you work for Identropy. Consider: why are you at Identropy and not elsewhere? Say it is Monday morning, what motivates you to come to work?”

The only edits were typos, but aside from that, here is what we got...

Taking an Apple Approach to IAM Implementations


This post can also be found here on my personal blog.

Ah, the religious wars: vi vs Emacs (vi!), Republican vs. Democrat (Neither), Mac vs. PC (Mac!)...

Mac vs. PC. We all know the talking points:

  1. Macs are pretty, PCs are not.
  2. PCs can be configured a billion ways, to use a Mac you must do it the way Apple thinks you should.
  3. Macs are easy, PCs can be difficult.
  4. Did I mention Macs are pretty?

You may not agree with these assessments, but they're popular opinions. You might ask why I would be blogging about them in a blog where I typically stick to consulting and Identity Management.

The fact is, we generally take a PC approach to IAM implementations: Here is the product, and these are the 5 million different switches we can flip to customize it for your organization. We have our best practices (default configuration), but ultimately we're going to customize it the way you want it to be, whether it's good for you or not. We want to be everything in IAM to everybody who will pay for IAM.

Is this the right approach? I don't think it is. Why don't we take a look at how Apple does things?

I recently read an article from Pragmatic Marketing, a journal my wife used to read as a product manager. They go through some of the reasons why Apple is worth billions of dollars and you aren't.

A few of them stuck out at me:

You need to know your customer and your market.

The point is not to go ask your customers what they want. If you ask that question in the formative stages, then you’re doing it wrong. The point is to go immerse yourself in their environment and ask lots of “why” questions until you have thoroughly explored the ins and outs of their decision making, needs, wants, and problems. At that point, you should be able to break their needs and the opportunities down into a few simple statements of truth.

This is terrific advice. People do not typically know what they want, they only think they do. Invest the time in figuring out what the end goal is, then you can propose the right solution to the problem.

Pony meetings.

These meetings are scheduled every two weeks with the internal clients to educate the decision-makers on the design directions being explored and influence their perception of what the final product should be.

Keep leadership involved, and keep them on your side. Present them with an elegant solution that meets the needs of the organization. As long as they are on board with your solution, you can better drive the project.

Apple focuses on a select group of products.

Apple acts like a small boutique and develops beautiful, artistic products in a manner that makes it very difficult to scale up to broad and extensive product lines.

Don't try to solve every problem. Don't try to work in every vertical. Stick to what you're good at, and be the best at it. This will actually make future engagements easier, as you'll have some street cred.


Ultimately, if you pay attention to detail and listen for what the customer really wants, not what they think they want, you should be successful. Just don't be afraid to tell the customer "no" and explain why they need to change course a bit. The end result will be a successful implementation and a happy customer.
