The official announcements from Microsoft on Cardspace have led to a lot of reflection in the identity community. From the core team, Mike Jones described what he considered some of the important barriers:
- Not solving an immediate perceived problem: In my extensive experience talking with potential adopters, while many/most thought that CardSpace was a good idea, because they didn’t see it solving a top-5 pain point that they were facing at that moment or providing immediate compelling value, they never actually allocated resources to do the adoption at their site.
- Not drop-dead simple to use: Users were often confused by their first encounter with CardSpace; many didn’t succeed at the task at hand. Indeed, many saw it as something complicated getting in the way of what they were actually there to do.
The first of these issues is one I am always trying to be cognizant of. From the 90s, a Bill Joy quote that stuck with me was when he described why JINI never took off: "we were solving problems that people did not know they had yet." It's an everyday occurrence in infosec to manage this reality-perception gap, both from a business risk standpoint and, given the myriad architectural opportunities for improvement (aka problems), in deciding which ones to address and where to invest your time in strengthening your systems.
But from an industry perspective, there is a positive way to look at Bill Joy's quote - the word "yet." Just a few years after JINI failed to launch, Web services took off like gangbusters and there is no end in sight.
As Howard Marks says of investing, sometimes being early is indistinguishable from being wrong, but that is a temporary thing, and a longer term view is in order. Jeremy Grantham (GMO) got out of tech stocks in the 90s bubble; his clients thought he was crazy and he lost half his business. Grantham called this taking career risk.
Another great value investor, Jean Marie Eveillard, said about this episode: "I would rather lose half my clients than lose half my clients' money."
Everyone could see the tech bubble was out of control in the 1990s, but very few investment managers were willing to take the career risk to themselves to protect their clients' assets.
Today everyone can see that our Internet identity technology is woefully inadequate, but very few are willing to push through comprehensive approaches to addressing it.
Being early is not necessarily being wrong, but when coupled with a new usage paradigm, it's more problematic. Farhang Kassaei discussed what the view looked like from the point of view of a consuming company looking to develop on Cardspace.
The Cardspace team has many talented people and freely published more in-depth thinking on identity than anyone else in the industry. These lessons won't be forgotten, and the future for Claims based access control is bright; in fact it's just beginning. We may look back in a few years' time and think of Cardspace like JINI, and see a tidal wave of the CBAC/ABAC/Selectors/U-Prove stack that powered up huge new parts of the industry the same way Web services played out.
In fact I bet that we do.
What's the other option? Living with a ridiculous patchwork approach to identity?
No one writes their own crypto; security people are good at getting this message across. But what do you bootstrap your crypto off of? Identity! And people write identity, authN, authZ and provisioning from scratch all the time. Where is the logic?
The behavioral economist Dan Ariely talked about some ways to motivate employees when their project is shut down. Note, I am in no way comparing this to any particular events on Cardspace, but the lessons seem quite pertinent both in general and to infosec, where projects are regularly cancelled.
A few months ago an ex-student of mine, who was at the time working for a big software company, contacted me and asked me to meet with her and her team later in the summer. My student, together with a large team, had worked very hard for the previous two years on an innovation which they believed was the best new idea in the “computer world,” and the best new direction for their company. They worked very hard on this project and were full of hope and expectations. But, between the time that she originally contacted me and the time that I arrived at their offices for my presentation, the CEO of the company looked at the project and decided to cancel it.
So there I was sitting with a group of highly creative people who were completely deflated. I’ve never seen people in the high-tech industry with a lower level of motivation. So I asked them, “How many of you show up to work later than you did before the project was shut down?” Everybody raised their hand. I next asked them, “And how many of you go home early?” All hands went up. Lastly, I asked them, “How many of you feel that you are now more likely to fudge a bit your expense reports?” In this case, no one answered the question—instead, they smiled in a way that made me think that they had first-hand experience with expense fudge.
Now, it is possible that the project was really not that good, or that it did not fit with the future direction of the company, which would mean that canceling it was the appropriate decision. But even if this were the case, how could the CEO have behaved differently if he was also trying to keep the team members excited and interested in their work? So I posed this question to the team and they came up with a few interesting answers:
1. The CEO could have asked them to present the project to the entire company. The presentation would have included the process that the team followed and the final product specifications. This would allow everyone at the company to understand and (hopefully) appreciate the hard work they had done.
2. The CEO could have asked the team to write about the steps they took in the process of development, and then to use this as a template to help other teams as they developed new products. In this way, their work would not have felt wasted.
3. The CEO could have gone a step further and allowed the team to build a few working prototypes in order to let them experiment with the technology in more depth (which would have also provided a more accurate idea of the usefulness of the technology).
4. The CEO could have asked the team to redirect their efforts toward finding ways to introduce some of their new technology into other products the company was working on.
There is too much fraud, crime and malfeasance, and there are too many threats, to keep rolling out the same old same old in identity. Change will come if for no other reason than that the present is untenable.
Cardspace was like the first Marines trying to take the beach: some got cut down, but much has been learned in the process, and the beach has to be taken. There are waves of identity and access improvement coming right now.
Rest in Peace Cardspace. Long Live Claims Based Access Control!