Wednesday, December 21, 2011

Fired Up About the Kindle Fire

A couple of months ago, I wondered whether I had any use for a Kindle Fire, and concluded that while it was an intriguing device, I probably didn't need another tablet in my life. Well, it turns out I was wrong. A few days ago, Santa came early with an Amazon "smiley box" containing a brand new Fire. Within ten minutes of ripping open the box, I was hooked.

I've owned an original iPad for over a year now, and use it mainly for watching movies on planes, reading eBooks on the Kindle app, playing Angry Birds when I need to take out my frustration on defenseless cartoon piglets, watching streaming media on Netflix, Hulu and SlingPlayer while on the road, and taking notes in meetings. The iPad hasn't quite replaced the need for a laptop yet, but I've certainly made good use of it. So it never occurred to me that there was room in my gadget-filled life for another tablet. That was, until I opened the smiley box.

Like the iPad, the Fire "just works" out of the box. No instructions are needed, there are no complicated setup procedures; you just turn it on and go. If you don't know what the Kindle Fire is for, the simple home screen menu says it all (Music, Video, Apps, Books, Newsstand, Docs, Web). No ambiguity there. Simply go through a simple Wi-Fi configuration screen, enter your Amazon ID to register the device, and you immediately have a wealth of media at your fingertips.

Make no mistake, media consumption is what the Kindle Fire is all about; specifically, consumption of media from the Amazon ecosystem. The first thing that impressed me was that every streaming movie I have ever purchased from Amazon (usually through my TiVo box) was immediately available in my Video library. I'd forgotten that on a cold, rainy day about five years ago, I'd paid ten bucks to stream Love Actually from Amazon (don't say a word!), but there it was, sitting right in the library.

Needless to say, every eBook I'd ever purchased on my iPad Kindle app was also there. And I quickly discovered that by connecting the Kindle Fire to the USB port on my laptop, I could transfer MP4 movies to the device for subsequent viewing. Yes, I know the iPad also allows you to do that, but the Fire doesn't require a clumsy, heavyweight app like iTunes to synchronize files; it operates just like a flash drive, so transferring media is simply a matter of copy and paste. Gotta love that!

The OS is based on a custom implementation of Android 2.3 Gingerbread. While it is heavily "Amazonized", there is no hiding the fact that an Android kernel lurks under the hood, and I don't necessarily mean that in a good way. No matter how much you try to put lipstick on that Angry Birds character, Android lacks the polish, elegance and responsiveness of iOS. Functionally, it works great, but if you have been spoiled by iOS, the jerky scrolling and occasionally erratic keyboard can get a little tiresome.

Perhaps the weakest feature of the Fire is the Silk web browser, which I found to be painfully slow, especially when loading Javascript-intensive webpages. Granted, the iOS implementation of Safari is no speed demon, but compared to Silk, it is like putting a Formula 1 car up against a 1987 Chevy Nova. I'm not sure whether this is due to the Silk application itself or the Fire's low-end hardware spec, but considering that the Fire packs a not-too-shabby dual-core OMAP 4 1GhZ processor, I suspect it has more to do with the former.

I found it strange that the home screen menu does not contain a link for email; instead, the email client is buried under Apps. The email client offers a basic set of functionality but does what it is designed to do and worked fine with my work and personal GMail accounts, aggregating all of my mail into a "Unified Inbox". In many ways, I prefer it to the iOS mail client.

Speaking of apps, the Amazon App Store offers a surprisingly large and growing range of them. Within minutes of opening the device, I had installed Netflix, Pandora, Facebook and Hulu Plus. There wasn't a Kindle version of SlingPlayer yet, but I was able to obtain the generic SlingPlayer app for Android and then install the package using the ES File Explorer app. Simple. And yes, Angry Birds is available too.

So what of the device itself? Given that my tablet experience so far has been limited to the 9.7" iPad, I found the 7" form factor of the Kindle Fire refreshing. There is something nice about being able to comfortably hold a tablet in one hand, particularly when reading an eBook or magazine. Strangely, the smaller form factor isn't as constraining as I expected it to be; writing emails using the onscreen keyboard is no more cumbersome on the Fire than on the iPad. If anything, it is slightly easier, since the 7" form factor allows you to thumb-type in much the same way as one would on a smartphone.

The most pleasant surprise was the display, which I expected to be slightly below par given the Fire's price point. Colors are rich and vivid, contrast is outstanding, and videos are razor sharp. Some may disagree, but the Fire's display is more than a match for the iPad. And the embedded speakers are, if anything, superior to those on the iPad with a slightly broader volume range and less tinniness.

That is not to say the Kindle Fire is perfect, by any means. The omission of volume buttons is extremely puzzling, given that the device was clearly designed for media consumption. To compound matters, the onscreen volume slider is always in a different place depending on the app you are using. As for capacity, the miniscule 8Gb storage doesn't offer much room to store music or videos. Yes, I know that Amazon's cloud infrastructure theoretically reduces the need to "store" media, which is fine if you always have a Wi-Fi connection. But for a road warrior like me, Wi-Fi isn't always an option. Not all planes are Wi-Fi enabled, and have you ever tried streaming media using a hotel Wi-Fi connection? Still, the lack of storage isn't a dealbreaker, given how easy it is to transfer files back and forth over USB.

If the Kindle Fire were priced similarly to the iPad, any of these shortcomings would be enormous. But it isn't, not by a long shot, and that is the point. Given the Kindle Fire's $199 price tag, what might be fatal shortcomings for an iPad or similarly priced tablet are trivial gripes in this case.

But the real test for me is how frequently will I use the Fire compared to the iPad. Well, after two weeks with the Fire, I've learned that it depends on the use case. If you read a lot of eBooks and eMagazines, then the Kindle Fire is a superior option given its weight and form factor. For movies, there isn't much to choose between the two; the Fire is great if you don't mind a slightly smaller screen, and it compensates for this with superior sound quality. Given those two factors alone, I have found myself more inclined to use the Fire when on a plane, grabbing a latte at Starbucks, or just catching up on some late night reading.

But the Fire isn't a productivity device like the iPad. I could not imagine myself using it to take meeting notes, fire up a quick spreadsheet, edit a slide deck or even act as an RDP thin client to access my remote servers. Then again, Amazon didn't design the Kindle Fire to be a productivity device. They clearly built it to provide a portal into the Amazon media ecosystem. The device ships with a free 30-day subscription to Amazon Prime, which in addition to free two-day shipping, provides access to a range of free streaming movies and TV shows. While this library isn't as extensive as that of Netflix, it seems to be growing rapidly and you also have the option of renting or purchasing more recent movies directly from the device.

So just when I thought I had all the gadgets and devices in my life that I could handle, the Kindle Fire has found a niche that I didn't even know existed. I may not have needed one, but iPad or not, I will certainly make good use of it. Even had it not been a Christmas present, the $199 price tag is a bargain. For consumers who want a tablet but cannot justify the $499 entry point for an iPad, the Kindle Fire offers a compelling alternative. It may be less than half the price of an entry-level iPad 2, but certainly offers more than half the functionality and features.

Monday, December 19, 2011

Gartner 2011 Magic Quadrant for IAG: Tight Competition in a Maturing Industry

Gartner has just released its first ever Magic Quadrant for Identity and Access Governance (IAG), and SailPoint appears to have emerged as a narrow victor. Unlike the Forrester Wave for IAG published earlier this year, which showed SailPoint and Aveksa leading the competition by a mile, Gartner has 4 of the 7 evaluated offerings in the top quadrant, with CA on the borderline.

Admittedly, I'm more familiar with SailPoint IdentityIQ and Oracle Identity Analytics than any of the other products featured here. Both are extremely mature, versatile offerings that are simple to deploy and provide a full range of access governance capabilities, including role analytics, detective/preventative policy enforcement and certification/remediation. From a pure governance perspective, there isn't much to choose between them.

SailPoint's acquisition of BMC's identity management offering and their incorporation of BMC's provisioning engine into IdentityIQ means that they are no longer a pure play IAG vendor, and can compete on equal terms in the IAM space with the likes of IBM, Oracle, CA and Microsoft. In recent months, SailPoint has also been adding provisioning capabilities to their extensive range of native governance connectors, which ship with the product. Of course, OIA also offers provisioning capabilities, but only when integrated with OIM or another supported provisioning product.

As I've noted before, the maturation of identity management is driving a trend away from bottom-up identity administration tools, towards more holistic, governance-based solutions. Visionaries such as SailPoint have long anticipated this evolution and are ideally positioned to take advantage of it as organizations become more sophisticated in how they approach identity governance.

The decision by both Forrester and Gartner to begin publishing IAG market analytics in 2011 acknowledges the increasing maturity of IAG. The explosive growth being experienced by Aveksa and SailPoint offers further validation, if any were needed, of this trend.

The question is, what does this mean for identity management practitioners?

Well, as one might expect, there is good news and bad news. The bad news is that it is no longer sufficient to be a technical whizz who can develop advanced customizations, custom connectors and sophisticated workflows in their product of choice. As IAM/IAG offerings become easier to deploy, offer richer, more business-friendly functionality, and adopt a less I.T.-centric approach, I expect the demand for advanced technical customizations to diminish. The good news is that the increasing maturity of these offerings will allow identity management professionals to spend less time focusing on arcane technical integrations and more time devising robust, governance-centric solutions for customers.

I'm not saying that the market for identity administration tools will go away. Of course it won't; there will always be a demand for automated provisioning. But identity administration is becoming more commoditized, and over time I expect it to be increasingly viewed as just one component of a more holistic IAG framework. Just because the tools are becoming more sophisticated doesn't mean that the operational challenges that create a need for streamlined identity administration are going away.

The real implication is that IAM/IAG solutions are evolving from mere I.T. tools into corporate governance suites, which in turn suggests that the target audience for such offerings is increasingly likely to be a CTO, CISO or CIO than the Manager of Enterprise Applications. For identity management professionals, this means that the ability to articulate business value to a non-technical audience, deliver policy-driven solutions and demonstrate a sophisticated awareness of the regulatory landscape will become just as important as the ability to create a kick-ass workflow. Individuals with that balance of soft and hard skills are difficult to find, and will therefore remain in extremely high demand.

Which, in my opinion, is exactly how it should be.

Friday, December 9, 2011

Access Rights versus Access Usage

Having been in the IAM space for enough years to remember when the idea of a metadirectory was still "cool", I spend a lot of time thinking about where the industry is going, and more specifically, how we can enhance the value that IAM brings to our customers. Recently, one such customer articulated a requirement for an identity governance solution that not only provided them with a global view of access privileges, but allowed them to see who was accessing a particular server or file share.

It occurred to me that most modern identity solutions do a great job of providing a view into who has access to what, but not what they are actually doing with that access. These are two completely different concepts, but from a technical perspective, they don't necessarily need to be.

A standard identity management suite ships with a connector framework that exposes a common interface to abstract the logic that interacts with the target system. These interactions generally comprise standard IdM events such as account creation, modification, enablement, disablement, retrieval and deletion. Obviously, each connector "type" is required to invoke native API calls.

Since vendors are already building connectors that manage accounts across a wide range of target systems, how difficult would it be to extend these connectors to inspect logs on those same systems, and then correlate each log entry to an identity object in the same way that we already do for native accounts? For example, in addition to pulling a list of local accounts from a UNIX server and correlating them to a person's identity, a UNIX connector could expose a method to pull the server logs and update identity records with information about what actions each user had been performing on that server.

It's just a thought, but it strikes me that being able to see who is doing what is as foundational to robust identity governance as being able to see who has access to what.

More Thoughts on Cloud Identity

Unfortunately, I haven't had much time to blog lately, as November was essentially a wash. First, we were left without power for a couple of weeks by the epic Halloween storm that crippled much of New England early in the month. Then I took off on my annual pilgrimage to visit relatives in England. And then, of course, it was Thanksgiving. Next thing I know, the malls are filled with Christmas shoppers and the drone of those annoying seasonal tunes to which we are thankfully subjected for only a few weeks a year.

Anyway, I'm back now. While catching up on my favorite blogs, this comment on cloud-based identity by Sean O'Neill---who I consider to be one of the best minds in the business---caught my eye, mainly because it echoes my own sentiments on the topic.

Sean notes that from a technical perspective, there is nothing earth-shatteringly new about cloud computing itself, except that we now give it a fancy name. No argument from me there. But his more important point is that the increasing adoption of cloud services creates a whole new set of governance headaches for CIOs. To illustrate this point, he quotes the CIO of a major insurance company:
“One thing I have come to realize is that when I move my application to the cloud, all of the security of my networks and firewalls that I have invested in over the years disappears. The only defense I have left is identity and data security in the application”
In my experience, that sentiment is probably not unusual among CIOs and CISOs, particularly in highly regulated verticals such as financial services, pharmaceuticals and healthcare. Entrusting identity management to the cloud may seem like a good idea to analysts, vendors and techies, but they are not the ones who would be laying awake at night, worrying about the legal and regulatory implications of their cloud identity provider suffering a catastrophic breach.

As Sean explains:
Even if you can sue the pants off of your cloud provider, the basic problem is a breach would have occurred and your people are not involved at the security level.
In other words, if you are a CIO and sensitive personal information about your customers and employees is leaked due to a breach at a third-party identity provider, the victims aren't going to give you a pass because you entrusted security to a cloud service. If anything, they will hold you even more liable for gross negligence. Not to mention that "not my fault" will do nothing to mitigate damage to your company's brand reputation.

The increased adoption of cloud computing is inevitable, but it is both reckless and unrealistic to view IAM as just another one of those services, particularly for large organizations.

Currently, everybody seems to be focused on the idea of moving IAM tools to the cloud (which, by the way, does nothing to alleviate the process and governance issues that make IAM projects so notoriously complex---it simply moves these problems somewhere else). Instead of viewing IAM as just another commodity, we should be thinking about how to help organizations evolve robust governance strategies for managing cloud identities. I know this isn't as sexy as the idea of cloud-based IAM products, but it is far more relevant to the average CIO.