Policy and Identity

Posted by srcarter on April 29th, 2008 filed in Identity Musings, Networked Collaboration

Policy and Identity are foundation technologies enabling the future of collaborative computing. More and more infrastructures will be deployed “in the cloud” and will not have the traditional IT constraints and overhead to govern the use of and access to resources. Rather, policies will be expressed, and identity will be used by those policies to govern the access and use of resources. New “cloud” services will be instantiated as needed, will exist as long as that need continues, and will be disposed of; all in accordance with policy. Storage will be persisted when policy dictates, while other resources will be reused as needed by other “cloud” services. And, policy interactions must in turn be governed by trust relationships and trust-governing policies.

As with policy, identity is a foundation technology for future use of collaborative computing. Identity assertions of the future must be exportable throughout the network and withstand the rigors of use in hostile environments. An identity assertion must be capable of withstanding capture, inspection, and attempted reuse without compromising the original intent of the creation of the identity. Today’s use of identity comprises “logging in” to a “system” and single sign-on attempts to reuse that “logging in” for other purposes to save the user the trouble of authenticating credentials each time a “system” boundary is crossed. This model will not take us to the future.

Identities of the future will be crafted because of a successful authentication of credentials, which may require the user (or agent) to submit some kind of secret (e.g., password), but such is not required. Authentic credentials of the future may require no secret at all, but rather be based on other mechanisms to assert the authenticity of credentials needed to access a resource. Indeed, a UserID may be replaced by a “role” or “claim” to allow resource utilization.

Policy becomes the lock and Identity the key for the utilization of network, process, and storage; which in turn provides the building blocks for interoperable collaboration. Compliance provides the watchdog to report proper and improper use of resources.

Cloud Interoperability


The future of networked collaboration

Posted by srcarter on April 7th, 2008 filed in Identity Musings, Networked Collaboration

The future of networked collaboration looks bright. Faster networks, bigger disks, and multi-core processors all act synergistically to make possible collaboration without boundaries. I spent a lot of time on this subject during the development of the Fossa Project (announced by Novell several weeks ago). More local storage that can be safely shared with a collaboration team and the future availability of cheap “cloud storage” will allow more collaboration content to be available to teams and cached locally for off-line access. The big thing that is still missing is an interoperable notion of identity that can be relied on and associated with more than just users.

Dale Olds has said much (and I’m sure will continue to say more) concerning identity and the user’s control of identity. These notions along with standards (e.g., SAML) and community initiatives (e.g., Information Card Selector) and identity products (e.g., Novell’s Access Manager and Identity Manager) are moving us toward a day when networked collaboration can be used safely and readily.

One of the first things we will need is a way to associate both identity and usage rights with a file. We need to be able to establish file ownership and allow the owner to assert usage rights to govern the use of the contents of the file. We all expect a file to have a location and name (for example, the words you are currently reading have a location and file name that WordPress used to access the content for display). In the future (I hope it is a near future) we should expect files to have an identity with declared usage rights that are honored and enforced everywhere the content is referenced. This would allow a collaboration team gathering place to be created “in the cloud” with associated ownership and usage declarations. For example, a file which had a usage stipulation “Eyes only: Novell” (notice we need a rights markup language as well) would not be uploaded to a collaboration gathering place with an “Eyes only: unbounded” stipulation. They are incompatible. One is a gathering place for everyone (“unbounded”), whereas the file is confidential to Novell.

Additionally, files should be marked so that privacy issues are enforceable. For example, medical records are constrained for use by regulations in many countries of the world. If a set of MRI images were to be extracted from an MRI imaging system, the patient’s identity should be assigned along with some statement that restricts usage so that regulations are enforced. By making this rights assignment native to the file metadata, viewing of the images would be restricted to only those that had the proper relationship with the patient (e.g., primary care physician or consulting physician).
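The two checks described in the preceding paragraphs (a document’s “Eyes only” stipulation against a gathering place’s stipulation, and a medical record viewable only by someone with a stated relationship to the patient) can be made concrete with a small policy evaluator. This is an added example, not code from the post; the “Eyes only: …” syntax, the `RecordMetadata` shape and the relationship names are assumptions standing in for the rights markup language the post says is still needed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

# Audience model (assumption): None means "unbounded" (everyone);
# otherwise a frozenset of organisation names allowed to view.
Audience = Optional[FrozenSet[str]]


def parse_stipulation(text: str) -> Audience:
    """Parse a constructed 'Eyes only: A, B' stipulation into an Audience."""
    label, _, value = text.partition(":")
    if label.strip().lower() != "eyes only":
        raise ValueError(f"unsupported stipulation: {text!r}")
    value = value.strip()
    if value.lower() == "unbounded":
        return None
    names = frozenset(p.strip() for p in value.split(",") if p.strip())
    if not names:
        raise ValueError(f"empty audience in stipulation: {text!r}")
    return names


def audience_within(doc: Audience, place: Audience) -> bool:
    """True only if the place's audience is no wider than the document's."""
    if doc is None:      # document is viewable by everyone: any place is fine
        return True
    if place is None:    # place open to everyone, document restricted: incompatible
        return False
    return place <= doc  # every organisation at the place is allowed by the doc


def may_upload(doc_stipulation: str, place_stipulation: str) -> bool:
    """Deny uploads that would widen who may see the document."""
    return audience_within(parse_stipulation(doc_stipulation),
                           parse_stipulation(place_stipulation))


@dataclass(frozen=True)
class RecordMetadata:
    """Constructed metadata for a patient record (e.g. a set of MRI images)."""
    patient_id: str
    allowed_relationships: FrozenSet[str]


def may_view(record: RecordMetadata, viewer_relationships: Dict[str, Set[str]]) -> bool:
    """Allow viewing only if the viewer holds an allowed relationship to this patient.

    viewer_relationships maps patient_id -> relationships the viewer has with that patient.
    Missing entries mean no relationship, so the default outcome is deny.
    """
    held = viewer_relationships.get(record.patient_id, set())
    return bool(held & record.allowed_relationships)
```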

It sounds complex, but so did an “interoperable network that spanned the globe” — until we solved the issues of IP, TCP, HTTP, HTML, SSL, TLS, etc. Much of what we need is available today, SAML, S/MIME, X.509, private key cryptography, etc. Consider the following:

A. Today’s networks are interoperable because of the IP protocol and packets are delivered because of the TCP protocol
–The base object is the packet and the message is the aggregate of a selection of packets
–Naming is provided by DNS and addressing by IPv4 or the new IPv6
–Security is provided by SSL or TLS which allows the protocols to interoperate but secures the content via encryption

B. Web servers are interoperable because of the HTTP protocol and content is interoperable because of HTML
–The base object is a URL and the message is the aggregate of URLs in a page
–Naming is provided by a file name and addressing via URI
–Security is provided by the HTTPS protocol which protects the HTML content

C. What is needed is a protocol to allow the interoperability of collaboration and rights management
–The base object is the document and the combination of the document and a rights markup mechanism constitutes a collaboration document
–Naming will need to reference the collaboration document and addressing can be via URI
–Security will be provided by — something, I’m not sure about this (it has to be more than simple encryption because of the collaborative nature of the object)

This is a cooperative rights management proposal that survives the network because it is integral to collaborative use . . . and, I don’t think we are going much further without addressing the identity and usage assertions concerning the naming, identity, and rights assertions around digital content.

More later . . .


Novell’s Technical Vision

Posted by srcarter on March 8th, 2008 filed in Identity Musings

These last eight weeks have been very intense, but very rewarding at the same time. I’ve been working with some of the best at Novell to articulate Novell’s technical vision through 2012. Thinking that far ahead has been very entertaining and thought provoking. We’ll be talking about the vision at Brainshare 2008 in Salt Lake City and there will be a breakout session to discuss the vision with the Novell Fellows and Distinguished Engineers.

I invite you to come and talk to us and glimpse what we see in the next five years. I’m excited to be in this industry, especially now when so much is accelerating. And, with that acceleration will come the need for even more identity and policy. Hear what Dale Olds has to say about identity and open source, Lloyd Burch about identity and the enterprise, Carolyn McClain about how policy will control it all, and many others.

Hope to see you there.


Winner and loser?

Posted by srcarter on February 22nd, 2008 filed in Uncategorized

Matt Asay in his blog entry declares Red Hat the winner and Novell the loser (see this) with this statement:

“. . . leaves two clear victors in the Linux camp: Red Hat and Ubuntu. While Novell capitulated to Microsoft’s early demands for a patent stooge, Red Hat and Ubuntu stood firm.”

This because of what Microsoft said in a press release which includes, “Microsoft said that it will not sue open-source developers who create non-commercial software based on Microsoft’s protocols.”

Congratulations, Red Hat and Ubuntu — you can now create non-commercial software. I’m sure that fits your business model very well.


Cool! The future looks really cool!

Posted by srcarter on February 21st, 2008 filed in Identity Musings

The future is really shaping up. Consumers now have access to hardware that previously was affordable only by the enterprise data center or by serious gaming people (who seem to be able to afford much more than the average computer user).

♦ 4-core systems with 3GB of memory and 1 TB of disk are now priced at just over $1,000. Apple and Dell have both announced 8-core consumer systems. They are still pricey, but that will change during 2008 as competition increases.

♦ Standard 3.5 inch form-factor hard disks using PMR (perpendicular magnetic recording technology) are now providing 1 TB (7200 RPM) capacity under $300 (the combination of several other developing technologies is estimated to provide 50 TB 3.5 inch hard disks by 2013 [read here]). And, using SATA RAID technology (standard on most motherboards) these 1 TB disks can be combined to provide fault-tolerant large-volume storage.

♦ Gigabit networks in the home are commonplace and businesses are adopting gigabit as old infrastructure is upgraded. While 1Gbit is available today, 10 Gbit is rapidly approaching. And bandwidth to your home (last mile) is increasing as cable and fiber are deployed in even small communities.

♦ Consumer-grade NAS (Network Attached Storage) that allows multiple 1 TB disks to be used in RAID configurations provides new fault-tolerant shared storage options to the consumer and small business. I have a D-Link DNS-323 in my basement which provides shared storage to all my home computers — wireless and wired. While the 323 was harder to set up than I would have liked, it runs just fine. I helped my daughter-in-law put one in her elementary school (she is a 4th grade teacher) and they use it to share curriculum materials without a problem (they call it “The Magic Box” — “the agenda for next week’s meeting is on the magic box.”).

Now, consider that Intel has said that they will have an 80-core chipset “in five years” (four years left — I’m counting). I’m thinking we can expect 16-core consumer systems by that time. Memory is so cheap now that the 16-core systems can have enough memory to really fly. Instead of systems having a boat-load of disk, I’d guess that they will have a reasonable amount of disk and that NAS boxes will become easier to use and will be the way that photos, etc. are stored and shared. And, with faster networks (10 Gbit by then) we will get to that content fast.

But, what will the average consumer do with 16 cores? I asked one of our product managers that question and he replied, “Play Halo?” Well, Halo might consume four cores, but that leaves 12 cores still wondering what they should be doing. And, will the average consumer really know how to manage SMP (do you know what SMP is? I know that no one in my neighborhood does, nor would they know what to do with 16 cores)? They just expect their system to run, and they want it to run fast. We need to insulate users from complexity while still allowing new technology to make their life better, more secure, and more private.

Well, I have some ideas on this and will explore them in a future post.


Fractal page added

Posted by srcarter on January 23rd, 2008 filed in Fractals

One of my life’s fascinations involves plumbing the depths of the Mandelbrot fractal via Ultra Fractal by Frederik Slijkerman (http://www.ultrafractal.com/). The combination of infinite variety and engaging artistic presentation is very fulfilling to me personally. I’m not all that good at it, but it gives me a relaxing outlet.

Some of my favorite sites:
Janet Parke
Kerry Mitchell

And, there are on-line classes available as well.

So, I’ve added a page to my site that provides me with a place to share this interest. The first entry for the page is a pdf of the first two chapters of a book I’m writing about Mandelbrot Midgets. Take a look and tell me what you think.

Frederik provides a fully functional 30-day trial of Ultra Fractal. If what you see on my fractal page (and elsewhere on the Internet) interests you — try it.


Photos page added

Posted by srcarter on January 21st, 2008 filed in Uncategorized

I added a page to show a few of my photos and fractal art (coming soon).

Enjoy!


Does it bother you . . .

Posted by srcarter on January 15th, 2008 filed in Identity Musings

. . . that, in order to be socially acceptable, you have to be a friend on Facebook, a follower on Twitter, have a web of contacts on LinkedIn, be a trusted contact on Spock, etc., etc.? And, to be one of the many personas in these societies you must give a name, email address, age, birthdate, . . .? I know you can use throwaway emails and lie about the rest (which is really socially acceptable, isn’t it?), but aren’t we giving up just a bit too much to run with the crowd(s)? And, these crowds seem to have the same faces in them, over and over again.

And the cynic in me worries, “Where there is a crowd, there is a pickpocket.” What are we giving up for this “bold new world?” And why should I care? What am I leaving behind if I ignore it? Is there really a future here?

If this is the future, it is getting distributed rapidly, and I’m uncomfortable. It seems that we are proliferating places for information about us that could be used . . .

more later . . .


On-line and moving forward

Posted by srcarter on January 14th, 2008 filed in Uncategorized

Well, it appears that I’m up and going again. Sorry for the protracted pause between my last post and this one. A tragedy involving a family member and cancer first derailed my blogging and then, as those of you who blog know, it is all too easy to forget to write and post.

My efforts around identity and innovation have increased this past year and will be the subject of many of my musings in the future. A part of those efforts has been participating in the development of a white paper concerning an Identity Fabric (Identity Fabric — then click on Learn More at the bottom). I believe that identity must be as pervasive as what we call “the network fabric” if the Internet and networks of the future are to be effective. Our everyday interactions with networks and network-societies are becoming more complex than the average user can manage. And we, as an industry, must provide mechanisms to manage and secure identity and privacy in a way that is understandable and usable. I’m sure that many of you are your neighborhood and family “tech support” and have first-hand experience in what I’m talking about.

The future is awesomely exciting to me. Multi-core, consumer computing devices are redefining the concept of the computing platform. Memory and memory address space along with the increases in disk density and rotational speed are providing us with new ways of conceptualizing storage. And, the current movement from 1 gigabit to 10 gigabit (and beyond) network fabrics is allowing new uses for the network (including the Internet). All of this suggests an exciting future — and I want to be a part of it.

More later . . .


The CandI papers as PDF documents

Posted by srcarter on October 27th, 2005 filed in Prior Blog Posts

Much better! Now you can read the papers without my clumsy symbol editing. I’ll put the links on the sidebar in a few days. Until then, enjoy!

http://NeboManor.com/CandI1.pdf

http://NeboManor.com/CandI2.pdf

http://NeboManor.com/CandI3.pdf