Smokey Novell and the Bandit

Submitted by Mike Rothman on Wed, 2006-06-14 15:56.
One of the key issues for any type of application is integration. Whether you are talking about databases or application servers or whatever, you typically need some duct tape and baling wire to make everything work together. Part of the promise of web services was to eliminate a lot of the integration that is required at all levels of the stack.

To be clear, I am not an applications guy. I left that world for the glorious space of networking and security in 1991 - and I haven't looked back. I'm an infrastructure guy - bigger pipes, deeper moats, more power!!! But I do get that we build (and secure) the infrastructure to support the applications. To date, most applications are neither network nor security aware. They assume big pipes and build in their own security. It's been that way since the beginning of time. Every attempt to get application oriented folks to externalize security functions has gone over like a lead balloon.

I should know. Back in 1998, I started a company called SHYM Technology that was going to externalize authentication, encryption and digital signatures via a middleware layer between the application and a public key infrastructure layer. Let's just say that didn't work out too well. The application vendors only wanted to cash our partner program checks and the PKI vendors decided to compete with us. But I did learn a lot. You always do when you take $30 million of someone else's money with you.

I apply many of those lessons every day and I saw with great interest Novell's announcement of their Bandit open source initiative. NetworkWorld's coverage is here. In a nutshell, Bandit is trying to externalize how applications use identity information. By establishing a common set of application calls, there would no longer be the need to build role-based security models and identity stores into applications. They would be handled in the infrastructure.

I wish there was an open source model when we were doing SHYM. We had to do all the integration work ourselves and integrating anything with SAP and PeopleSoft is a bear. And that's on a good day. If we had a community that would have built the connectors, we would have been able to magnify our impact before the PKI vendors had a chance to see our threat and respond accordingly. But we didn't, so we didn't. And that's why I'm not on a beach somewhere sipping a daiquiri in a friggin' pineapple with an umbrella in it. But I'm not bitter. Really.

In a nutshell, application support is the biggest threat to Bandit. Sure, everyone is jumping on the bandwagon. IBM, Microsoft, Liberty, Symantec all think this is great. Where's SAP? Where's Oracle? Those are the folks that need to buy into this. And Microsoft's Identity group can say all sorts of great things (Kim Cameron is quoted in the article), but when will Microsoft Dynamics support Bandit (or any other interface)?

Application support is where the rubber meets the road. I don't want to sound like a wet blanket or anything, but that will dictate the success or failure of Bandit. I think it's a great idea and sorely needed. It fits perfectly into my Pragmatic Security architecture, which has Identity as a separate layer/domain being leveraged by infrastructure and the applications. But making that happen is a long and arduous process and it's not clear the application vendors want to see it succeed.

Let's take Oracle for example. No, I haven't talked to them about this (in fact, they make it a habit not to talk to analysts about anything), but indulge me for some speculation. Why do you think they've made such heavy investments in Identity? I think it's because they see it as a way to differentiate their applications from SAP at the high end and Microsoft at the low end. They want to make it really easy for Oracle application customers to add the identity management layer. They'd also like to see Oracle Identity customers move towards their apps. So how interesting is it for Oracle to be able to support all identity systems through a standard API? Right, not very.

Rock on Bandit! I wish you the best and I hope a huge community develops around you so folks like Oracle and SAP don't have a choice but to support your interfaces. But be wary of those Sheriff Buford T. Justice(s) in application vendor garb lurking around every corner. They are not your friends.