Monday, April 30, 2007

imho Ocean Semantic..


I don't know if I ever mentioned this. Day in and day out, I cover the data management industry for Current Analysis.

One of the key segments of my coverage area is data integration (DI). And within that is a broad space called "enterprise information integration" (EII), which is often contrasted with "extract transform load" (ETL). So as not to bore you with unnecessary distinctions, EII primarily deals with logical dynamic integration of heterogeneous data across dispersed repositories, whereas ETL deals with physical integration of that data into a common, persistent data store called a data warehouse. That's slightly oversimplifying the matter, but please indulge me for a moment. There is a payoff.

Principal vendors of EII solutions include IBM, BEA, Business Objects, Informatica, Sybase, Actuate, Composite Software, Ipedo, Inetsoft, and MetaMatrix (note: the latter vendor is in the process of being acquired by Red Hat and having its EII software open-sourced under In the EII space, most of the vendors offer solutions that incorporate what they often call a "semantic layer." Here now's a smattering of what is often included under the discussion of a "semantic layer":
  • data management layer
  • efficiently and reliably enables federated access to a wide range of heterogeneous data sources
  • support enterprise implementation of virtualized, composite, unified views of disparate data that has been retrieved from heterogeneous sources, including ERP systems, line-of-business applications, transactional databases, and Web services
  • federated data services and metadata management
  • enables data to be accessed from disparate data sources and used in any form in any application.
  • organizations can reduce the application development and integration costs associated with accessing and reconciling disparate data, while improving its overall utilization and consistency
  • resolves data access challenges and the physical and semantic differences among disparate, physical data sources.
  • provides a semantic-interoperability data services layer that decouples applications from their data sources and makes data assets available as services in an SOA, freeing data from single application silos.
  • instead of managing multiple data sources for different applications and trying to keep them reconciled with one another, users can take any data from any data source and use it with any application.
  • developers and architects create, deploy, and manage data services that access, transform, integrate, and aggregate data to provide the information needed by applications while hiding the complex details of diverse physical data sources
  • alleviates the need to create yet another new copy of the data
  • simultaneously provides mechanisms for data consistency, security and compliance
  • through a model-driven approach, application teams can create, deploy, and manage data services that simplify data integration.
  • enables users to access a single view of their data from multiple disparate systems
  • performs the necessary semantic mediation and vocabulary management to get the data into the right form - all without software programming.
All of which seems to be core to most industry discussions of "semantic Web." How is this all not the "semantic Web"? Is it all not here and now, and eminently feasible, thanks to the EII market? Do any of these commercial solutions depend on any of the core specs (i.e., RDF, OWL) usually associated with the W3C's flavor of "semantic Web"? (answer: no). Does Red Hat's decision to acquire MetaMatrix, open-source its EII technology, and bundle it with the JBoss Enterprise Middleware Suite represent a critical step toward making SOA-enabled EII (i.e., semantic Web) ubiquitous? (answer: you betcha).

And where do "ontologies" and "federation" fit into this picture?

More to come.


imho Ocean Semantic.


This notion of a "semantic Web" is one of the great perennial "boil the ocean" topics. Germinated and perpetuated by Sir Tim Berners-Lee, it's been kicking around the industry for a few years now. It keeps going and going, and morphing into new contexts.

For example, from last week (now it's "Web 3.0"):

Web 2.0 Arrives to Find Web 3.0 Under Way.

Or just the other day (it's "Web 3.0," but also "semantic SOA"):

SAIC Pushes Past Web 2.0 to Web 3.0

So what, if anything, is the "semantic Web"?

Is it some supermagical metadata, description, and policy layer that will deliver the nirvana of universal interoperability by making every networked resource automatically and perpetually self-describing on every conceivable level?

Or just some banal XML tagging schema or folksonomy that everybody will be exhorted to apply to every scrap of online content so as to facilitate more powerful metadata discovery, indexing, and search?

Or what?

Last week, I debated the issue with a host of other SOA industry analysts in the weekly podcast at, hosted by Dana Gardner of Inter-Arbor Solutions. The stream and transcript won't be posted there for a few weeks, but I'll bring you up to speed on my evolving thoughts on this matter. Thanks especially to David Linthicum for his insightful commentary (much of it from articles he published 3 years ago....a period when I jotted some thoughts on the topic as well....I responded to him only in the past week).

More to come.


Wednesday, April 11, 2007

imho Appliance hype building to fever pitch


Enterprise software vendors have devised many ingenious new approaches for crafting solutions. Over the past few years, vendors have ventured well beyond their traditional focus on licensed software packages. Many have begun to offer solutions that incorporate such diverse approaches as open source software (OSS), service-oriented architecture (SOA), and software as a service (SaaS).

Some software vendors have even taken a bold step into the world of hardware. A growing number are offering “appliances,” which integrate software with CPU, storage, and other hardware to deliver function-specific, performance-optimized solutions for quick deployment. Essentially, an appliance allows a vendor to pre-equip a “shrink-wrapped” infrastructure component to fit a particular functional role and support a specific capacity, throughput, and performance profile.

Appliance wars are upon us, as can be seen in IT vendors’ eagerness to slap the label on a growing range of hardware-integrated solutions, most of which are much bigger than a breadbox, and also far more complex and costly (though, ostensibly, less so than the software-centric solutions they hope to supplant).

Appliance hype is building to a fever pitch. Every vendor claims that its appliances are true “plug-and-play” solutions, though few customers are so naïve as to imagine that a complex IT solution can be as easy to install and set up as, say, a toaster-oven. In addition, vendors and industry observers are starting to line up behind competing definitions of what constitutes a “true appliance.” Depending on whose religion you subscribe to, an appliance must be a simple “black box” device (such as a blade), or it can be a complex assemblage of processing, input/output, storage, and other components integrated across one or more racks in an enterprise data center.

Of course, there are plenty of opportunities for overzealous vendors to stretch the concept of an appliance to the breaking point. Unfortunately, one of the core features that most people associate with appliances—their physical tangibility—is starting to fall by the wayside. Increasingly, vendors are exploring the nouveau notion of the “virtual appliance.” This refers to the concept of a self-contained software package that can be deployed rapidly to diverse operating and hardware platforms through virtualization technologies such as VMware and Xen. It’s not clear how these “virtual appliances” differ from existing development paradigms, such as Java, that also promise the ability to “write once run anywhere.”

But like it or not, appliances—in all their bewildering proliferation—are here to stay, and they are moving into the mainstream of enterprise computing and networking.

Many IT professionals have already taken a first foray into this new world, in the form of content-aware network appliances from the likes of Cisco, Juniper, F5, Citrix, and IBM. Usually deployed at the network perimeter, these appliances look into the contents of application messages and take various policy-driven actions, such as fine-grained access control and dynamic rerouting, in response to what they find in payload data.

Just as important, appliances have begun to take up permanent residence at the heart of the data center, in the form of data warehousing (DW) appliances. In the past few years, DW appliance pure-plays such as Netezza, DATAllegro, and Greenplum have seen their market share grow. Even longtime software-oriented DW vendors such as Teradata, Oracle, and IBM have begun to offer integrated solution packages for appliance-type deployments.

These trends have been developing for several years, but the appliance market reached a turning point in March when IBM announced that it had re-architected its entire DW product family as appliances. At that time, Big Blue launched the most comprehensive, scalable enterprise DW appliance solution family on the market. Its new “Balanced Warehouse” family of appliances addresses DW price-points and requirements ranging from high-end enterprise DWs down to smaller, function-limited DWs and low-end departmental data marts.

That very same week, business intelligence (BI) market leader Business Objects announced that it too was putting appliances at the core of its ongoing go-to-market strategy. To develop BI, DW, and data integration (DI) appliances for various customer segments, Business Objects is partnering with a wide range of complementary vendors, ranging from large established server/storage providers to pure-play appliance startups. It has even factored “virtual appliances” into its long-range roadmap, demonstrating the breadth of its vision.

Without a doubt, appliances will have an impact on every component of the enterprise application architecture. If nothing else, the need for incrementally scalable application infrastructure components will continue to grow, stoked by relentless increases in transaction and data volumes across the service bus.

Enterprise IT professionals should begin right away to factor appliances into their SOA strategies.


Wednesday, April 04, 2007

rfi User-Centric Identity and Frontispiece


The article's done, edited, revised, and in the publisher's hands. Check out next month's issue of Business Communications Review. Thanks to everybody who responded to my request for interaction (rfi). I've given my blog readers the benefit of a preview, plus my developing perspectives on many related topics.


Tuesday, April 03, 2007

rfi User-Centric Identity and the Odd Geography of Mutuality


I’m no role-play gamer, but today’s IdM metasystems are starting to remind me of Dungeons & Dragons.

The more hyper-heterogeneity we throw into the IdM mix, the more convoluted and confusing and treacherous it all feels from the user’s viewpoint. Looking at Ping’s convergence use cases (integrating OpenID with CardSpace with SAML) or the Higgins/Bandit convergence demonstrations from RSA 2007 (throwing Liberty into the stew), it all seems a tad more complex—hence, lower on the assurance scale—than it needs to be. As if we’re introducing more IdM terra incognita into every online transaction, hence more scary monsters that might swallow us whole or ocean-edges off which we might merrily sail.

IdM metasystem heterogeneity introduces odd geography into the mutuality equation, threatening to turn what should be direct interaction paths (i.e., logins) into indirect odysseys involving card-cluttered conversations, eerie URI-infused interactions, insistent assertion insertions, and restive roundabout REST-y redirect ricochets among too many moving part(icipant)s. In the process of researching this article, and considering all the many initiatives/standards/specs, I sketched out the multifarious dimensions, entities, and relationships that must be represented in any truly comprehensive identity metasystem taxonomy. No, I’m not going to exhaustively list them here (try Liberty Alliance’s wiki for a good dose of heterogeneity). But, in order to stave off personal bewilderment, I cobbled together a working IdM metasystem taxonomy that includes (in no particular order) myriad use cases, interaction patterns, standards, identifiers, attributes, cards, card selectors, credentials, protocols, authentication contexts, federation topologies, domains, identity agents, directories, IdPs, authentication authorities, attribute authorities, attribute brokers, certificate authorities, validation authorities, in-person proofing agents, discovery services, RP/SPs, TTPs, PKI trust paths, etc. (hmmm….I sort of broke my promise not to go exhaustive…pardon me).

So excessive heterogeneity is the enemy of both abstraction/simplicity and mutuality/assurance. To fondle another touchstone from nerd-culture, today’s complex IdM systems make us feel a bit like a hobbit traversing the dangers of Middle-earth to ascend to the seventh level of Mordor (or whatever--I never read the books, and enjoyed the movies but totally lost the plot). Ambling among sovereign domains, you constantly wonder if you have the right papers, passport, currency, vouchers, and reputation to secure your safe passage to the land of the next overlord, and you worry that neighboring domains may not be on friendly terms, with you caught in the crossfire, clapped in irons, or ostracized entirely, kept from climbing whatever mighty mountain beckons.

User-centric identity systems don’t change this odd geography, or save us from this odyssey. In fact, taken to the “strong form” extreme, they just intensify the heterogeneity by adding sovereign self-asserting personal-IdP and personal-RP domains to the mix. Every user becomes a self-sufficient realm all their own, needing the potential of hooking up, on various levels, persistent or fleeting, with any other domain as needs dictate. Think of the higher order of combinatorial explosion in the density of negotiated cross-domain relationships. Here’s a good point for me to rehash/mash the definition, levels, and stakes of mutuality:

  • An internet-scalable identity metasystem enables interactions built on mutual recognition, assurance, risk, recourse, restitution, and responsibility among all parties.
  • Mutuality requires shared, assured, cross-domain, transitive, balanced, equitable, symmetric, commensurate, and reciprocal interactions among end- and intermediate-points, implemented in the context of ubiquitous business/legal, trust/PKI, federation/IdM, and reciprocal permission-based resource-sharing relationships from end to end.
  • End-to-end mutuality allows any end- or intermediate point to participate in the identity metasystem with confidence that they can fend for themselves and actually benefit from plugging in.

How can parties rely, users prove reliable, and mutual relationships emerge and remain durable in a cosmically vast, comically dynamic, and freakishly fragmented crucible such as this?

Odd indeed.


Sunday, April 01, 2007

rfi User-Centric Identity and Reputation


What's the intersection of user-centric identity and reputation? I've been reading Phil Windley's many great blog postings on the topic of reputation. I've also doubled back and read my own past musings on the topic (a year-plus ago...). I was commenting on some reputation proposals by Marco Barulli and Giulio Cesare Solaroli. Still processing.....

Taken to a logical extreme, wouldn't user-centric identity require some concept of "self-asserted reputation"? But isn't that, on the face of it, absurd and conceited? Sounds like someone walking around shouting "trust me" and "I'm the best" and so forth. Of course, it's not totally outside the pale. This is what we pay agents (i.e., PR and marketing) to do for us: stoke up a wished-for reputation by vouching for our magnificence.

Reputation lacks assurance if it doesn't seem to spring organically from collective evaluation, by others, of our character, deeds, trustworthiness, and so forth. In other words, it must (at least appear to) be "other-asserted." It's not "trust me" but "trust them" (with "them" being others who seem to know whereof they speak, and aren't in fact our surreptitiously paid spokespersons).

But here's the rub: the "unreliable narrator." If I'm a relying party (RP) who wants to know if you can be trusted, I can't necessarily ask you your opinion (each of us is assumed to be the most unreliable narrator/voucher of our own life story, since we have every vested interest in distorting it to our advantage). And I can't necessarily trust others either, unless I have some special access to their heads, hearts, backgrounds, personal agendas, and relationship to you. They--IdPs, attribute authorities, reputation authorities, circles of reputational trust, or what have you--are also unreliable vouchers of our trustworthiness until they can prove otherwise.

That latter concern--who you trust to tell your life story--is what motivated this prior post:
  • "Reputation feels anti-governance, hence unfair. It feels oppressive. It’s the collective mass of received opinion, good and ill, weighing down on a particular identity. It feels like a court where the judge, jury, prosecuting attorney, jailer, and lord high executioner are phantoms, never showing their faces, but making their collective force felt at every turn. It feels like outer appearances, not inner character, ruling our lives."
Earlier in this thread I asserted that, in user-centric identity systems, the user is the sovereign of their identity, having total control over which of their identities, credentials, and attributes are disclosed to which relying parties. But where reputation is concerned, I would switch that focus around 180 degrees. Reputation is never user-centric; rather, it's always RP-centric. The RP can factor any, all, or no third-party assertions (from yourself, peers, reputation authorities, etc.) into their decision to transact or not transact with you.

So, in reputational systems, the RP, not the user, is sovereign. Actually, I came pretty close to arguing that point in those words a year or so ago, per this excerpt:

"Reputation isn’t an identity, credential, permission, or role. It isn’t exactly an attribute, in the same sense that, say, your birth date or hair color are attributes. And it isn’t something you claim any privacy protection over—it’s the exact opposite: the court of public opinion over which you have no sovereignty and little direct control.

In the identity management context, reputation is more of an assurance or trust level—an evaluation of the extent to which someone is worthwhile to know and associate with.

Reputation is relying parties’ evaluation of our reliability, of their liabilities, and of the degree to which associating with us makes them ill at ease.

Relying parties—the ultimate policy decision and enforcement points in any interaction—need many levels of assurance if they’re going to do business with us. They gather assertions and data from many “authorities” (authentication authorities, attribute authorities, etc.) before rendering their evaluations and opening their kimonos."

Again with the kimonos. I have to find new metaphors. Anyway, I was thinking about the notion of reputation springing up organically in user-centric identity systems through negotiations between sovereign entities: user and relying party (forget about intermediaries such as authentication and attribute authorities--they're not necessary in the pure model). What's the mutuality-enabling "conversation model" (to borrow a phrase from the Ping paper) in which reciprocal reputational assurance can emerge in a world without "other-asserted" reputation? Windley had a really good statement on the stakes of reputation:
  • "To have social value, reputation has to be the basis of trust in the society and there has to be reciprocity. Reputation is a measure of an entity’s past actions and factual attributes. Trust is an expectation of future behavior. Reciprocity is the idea that 'good' actions will be met by society with positive results and 'bad' actions with negative results....To really function, social systems have to have reputation, trust, and reciprocity baked in. Without it, there’s no real social contract and no real society."
So what's the conversational model for reputational assurance in a non-intermediated, negotiated dual-sovereign system (user and RP)? It's fairly close to Hobbes' "state of nature." In that case there's no "society," no "social contract," and no third-party "vouching," just interacting parties transacting for their mutual benefit, and abrogating at the risk of mutually assured destruction.

The conversation model is terse and to the point: a shuffle of sharp words, done deeds, and big sticks.


rfi User-Centric Identity and Conor Cahill’s Take


Prepare for run-ons and re-runs.

Awakened in the middle of the night by a call from the Louvre….young girl in distress…lost, scared….quickly resolved with a few calls to others in and around Paris….not Audrey Tautou….nobody you’ve ever heard of….no colorless clerics….no conspiracies….no holy grail or anything remotely metaphysical….just me paternally PO’d pale and sleepless six time zones to the west…having completed all the household chores the day before, I had taken me a pleasant self-guided walking/driving/jamming tour of DC yesterday…new ballpark going up in no-mans-zone southeast….passed by my old waterfront haunt, now vacant and awaiting the eventual and much-needed wrecking ball…saw the startling neighborhood transformation going on near the Navy Yard…followed M Street to what I could see of the Anacostia…huge vacant fenced away abandoned 60s project….will these new 00s projects seem as forlorn in the 2040s?....then up through Capitol Hill…Mall….DeVotchKa, Shins, Peter Bjorn & John….call from the going-on-20 boy….Cherry Blossom Festival….tons of out-of-town tourists….parked in the West End….walked the C&O canal in mid-60s springtime solitude and serenity…tripped down that ancient red-brick Georgetown interior waterway….galleries….historical smokestack in/above the new Ritz-Carlton….empty office buildings….second-floor gallery overlooking a single alleyway blossom tree…then up to mainline M, along/above Rock Creek Park…quiet traffic…full of early spring potentialities…then stayed up late to catch the rerun of SNL with Arcade Fire….I bought “Neon Bible” last week….on SNL, they were great (wish the comedy had been up to par)….”Intervention” “Keep the Car Running”…live they came off just as intense and sprung as their recordings…Win smashed his acoustic guitar at the end….bravo bravissimo.…anyway, now, involuntarily adrenalized and semi-boggled I’m figuring I might as well rattle off the latest installment in this thread….good thing Starbucks opens early…belatedly writing up another phone chat from a week and a half ago with somebody just one county over here in northern Virginia.

Where was I? Oh, yes…Conor Cahill….identity architect with Intel, who’s been working with Liberty Alliance from the start. In March, it took us a few weeks to hook up, but I’m glad we did. He has an interesting perspective on user-centric identity. I used my interview questions as a rough track for our discussions, but primarily I asked Conor to deliver his take in whatever order he wished. According to Cahill (I’m putting these loosely paraphrased points in a slightly different order from my raw semi-illegible-even-by-my-own-lax-personal-standards notes):

  • User-centric identity is a great marketing term, referring to identity systems that give users control over their identity info
  • Most users don’t want to be in every identity transaction…once I federate with a relying party, should implicitly set up auto-sharing (identity, credentials, attributes) rule that executes upon each return visit
  • Most enterprise federated IdM implementations give users some control over the sharing of their identity info with service provider/relying parties, but not complete control
  • User-centric identity is central to SAML and Liberty Alliance initiatives, which have addressed permission-based attribute control from early on
  • User-centric identity is to some degree supported in most commercial SAML-enabled IdM products—in the sense that the IdP is allowed to ask users which of their attributes should be disclosed to federated relying parties—though this feature is not explicitly called out in the SAML standard protocol(s) and may not be implemented by users in many real-world SAML deployments
  • OpenID is great for low-value transactions, such as blog posting authentication, but not beyond that, due to need for legal agreements between IdPs and relying parties, under which domains agree on risk and liability for inappropriate authentication etc.
  • OpenID is user-centric identity in the limited sense that the user directs the relying party to an IdP that the user explicitly selects, but 1.0 doesn’t implement permission-based attribute sharing (that’s in attribute exchange service in 2.0)
  • OpenID assumes user wants to know they’re using OpenID, and willing to type in long URI, hence enabling easy IdP discovery for benefit of relying party, whereas SAML does IdP discovery through the common cookie mechanism, and Liberty through Discovery Service specified in standard
  • OpenID like SAML and Liberty in that it makes use of dumb browser (though Liberty goes it one better by specifying Liberty-enabled client)
  • OpenID lacks disconnected client support, a feature integral to Liberty’s advanced client
  • Possible future Liberty integration of Oracle-contributed IGF specs into ID-WSF is exciting to enable users to exercise life-cycle control/expiration/shredding of attributes that they choose to disclose to relying parties
  • CardSpace is first stage beyond dumb browser, has great user experience, adds more value to SSO than to attribute sharing
  • Surprised that when CardSpace came out, with Vista availability, that Microsoft didn’t announce any CardSpace relying parties right off the bat (Passport redux?)
  • Real driver will be strong authentication, which CardSpace has

Without much prompting from me, Conor tied together lots of themes/concerns that I’ve heard from others and also things I’ve posted to this thread from the top of my noggin. Still, I think his statement that most commercial SAML implementations support user-centric identity is provocative….and I’m not sure I agree with it….I mean, if a feature (e.g., permission-based attribute sharing) is purely implementation-specific and is not explicitly called out or defined in the underlying standard, can we legitimately attribute it to the standard?....or simply to the fact that this is an important requirement that necessitates that IdM vendors commercially color outside the SAML lines until the standard (inevitably) evolves (through mashup with ID-WSF, OpenID 2.0, IGF, etc.)?
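To make the permission-based attribute-sharing feature under discussion concrete, here is an added sketch of my own (not Cahill's, and not code from any SAML, Liberty, OpenID or CardSpace product): an IdP-side consent store that releases to a relying party only the attributes the user approved for that RP, applies that rule automatically on return visits, and lets the approval expire so the attributes stop flowing until the user is asked again. The class and function names (`ConsentStore`, `release`, `demo`) and the sample user, RP and attribute values are assumptions constructed for the example.

```python
"""Toy IdP-side consent store for permission-based attribute release.

Added example, not code from any product or standard named on the page.
It models: the user approves which attributes a relying party (RP) may
receive; that rule is applied automatically on each return visit; and
the approval can carry an expiry after which nothing is released until
the user is asked again. All identifiers and sample data are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple
import time


@dataclass(frozen=True)
class Consent:
    attributes: frozenset          # attribute names the user approved
    expires_at: Optional[float]    # epoch seconds; None = until revoked


class ConsentStore:
    """Per-(user, RP) consent rules kept at the identity provider."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._rules: Dict[Tuple[str, str], Consent] = {}
        self._clock = clock          # injectable so expiry can be tested
        self.audit: List[str] = []   # what was released to whom, and when

    def grant(self, user: str, rp: str, attributes: Iterable[str],
              ttl: Optional[float] = None) -> None:
        """Record the user's decision for this RP, optionally time-limited."""
        expires = None if ttl is None else self._clock() + ttl
        self._rules[(user, rp)] = Consent(frozenset(attributes), expires)

    def revoke(self, user: str, rp: str) -> None:
        """User withdraws consent; the RP gets nothing on the next visit."""
        self._rules.pop((user, rp), None)

    def _active(self, user: str, rp: str) -> Optional[Consent]:
        rule = self._rules.get((user, rp))
        if rule is None:
            return None
        if rule.expires_at is not None and self._clock() >= rule.expires_at:
            # Expired: drop the rule so stale consent is never reused.
            del self._rules[(user, rp)]
            return None
        return rule

    def release(self, user: str, rp: str, requested: Iterable[str],
                profile: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
        """Decide what this RP receives on a (return) visit.

        Returns (released, needs_prompt): attributes covered by an active
        consent are released without bothering the user; anything else is
        listed so the IdP can ask the user rather than silently sharing.
        """
        requested = list(requested)
        rule = self._active(user, rp)
        approved = rule.attributes if rule else frozenset()
        released = {a: profile[a] for a in requested
                    if a in approved and a in profile}
        needs_prompt = sorted(a for a in requested if a not in approved)
        self.audit.append(f"{self._clock():.0f} {user}->{rp} "
                          f"released={sorted(released)} prompt={needs_prompt}")
        return released, needs_prompt


def demo() -> Tuple[Dict[str, str], List[str], Dict[str, str], List[str]]:
    """Constructed walk-through: approval, return visit, expired consent."""
    now = [1_000_000.0]                     # fake clock, advanced by hand
    store = ConsentStore(clock=lambda: now[0])
    profile = {"nickname": "alice", "email": "alice@example.test",
               "birthdate": "1980-01-01"}
    # User approves two attributes for a blog RP, valid for one hour.
    store.grant("alice", "blog.example.test", {"nickname", "email"}, ttl=3600)
    # Return visit: the rule applies automatically; 'birthdate' was never
    # approved, so the user must be asked before it could be shared.
    first = store.release("alice", "blog.example.test",
                          ["nickname", "email", "birthdate"], profile)
    now[0] += 3601                          # consent has now lapsed
    second = store.release("alice", "blog.example.test",
                           ["nickname", "email"], profile)
    return first[0], first[1], second[0], second[1]
```

The audit list records every release decision, which is the trail an RP or user would need when disputing what was shared and when.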

Coffee's drained. Me too. Up against the wall of consciousness. Need a nap. And a PB&J. Baby went to Amsterdam….she put a little money into traveling….now it’s so slow…so slow…baby went to Amsterdam…four or five days by the big canal…now it’s so slow…so slow.