Interview with Carol Wapsphere (Unify Solutions) about Forefront Identity Manager (FIM) and women in IT
Paul Schnackenburg interviewed Carol Wapshere after a Women in IT lunch where Carol spoke about her career in IT, starting in networking, through programming and development and eventually falling in love with Microsoft Identity Integration Server (MIIS), now called Forefront Identity Manager (FIM).
Carol has moved countries several times over the last 15 years and spoke at the luncheon about how specialising in a particular technology and making a choice to stay in technology instead of moving to management kept her options open. In the interview Carol speaks about FIM, challenges to identity projects and why there are so few women in IT.
PS: Hi Carol, thanks for coming to talk to me. I thought the Women in IT lunch went really well.
CW: Oh yes, I actually really enjoyed that, it was fun.
PS: I thought it was cool. I know you showed a picture of the audience at the keynote where there were hardly any women but they were obviously women at TechEd, because there were quite a few at the Women in IT lunch.
CW: Yes, there were and there were definitely other women as well. I’ve seen lots of women about the place who I’m pretty sure weren’t at the lunch. .
PS: Oh really.
CW: And I thought why weren’t they there? Didn’t want to hear me speak? I think some people didn’t understand there was food there.
CW: Yes, I think they just said Women in Technology in the schedule, no mention of lunch. It was a decent lunch.
PS: So I obviously already know a lot about you and your background and your career, because I listened to the whole thing when you talked about it, so that was pretty cool.
CW: Yes, my picture CV.
PS: So what actually made you get into IT in the first place, you know, before you graduated from university?
CW: Well, it’s funny, because, you know, I had various encounters with the world of IT. The first proper computing job I had I was 15 years old and I actually worked for Apple over the summer holidays flogging Apple IIc in Grace Bros. And it was this weird thing where they thought it would be really cool to get teenagers to sell the computers, and they signed me up for that and I knew nothing about them. And I had to stand there and try and convince people to buy these instead of the Commodore 64, when it was four times as expensive and pretty much the same thing. So it was interesting.
You know, at university I had no idea what I wanted to do, so I did a science degree and computer science was just something that I took it in first year, it was easy enough so I did it the second year then did it in the third year. And then at the end of that I actually got a job as a programmer and I lasted two months, it was SO boring. And I felt like I was a robot who’d been hired to translate English into C. I had no idea what the product was, they just put all the developers or programmers – we were programmers not developers – they just put us in a back room and you were given such specific instructions on what you had to do that there was no creativity, there was no big picture, it was drudgery, I hated it.
And I actually went back to university thinking that computers were not for me after all. And I did an honours year in maths and when I graduated from that I was looking for something more on the maths side. And that’s actually how I ended up at the University of Technology in the Electrical Engineering Department. They hired me as a research assistant, because they didn’t have enough budget for a full-time person to run the PC network, so it was a split budget thing, so I was supposed to be 50% PC network, 50% research assistant. And by the end of that first year all I was doing was PC network. And I rewrote my job description, got a huge pay rise, and I thought, oh, this is fun and it pays well.
PS: A lot better than sitting in a back room as a programmer.
CW: Yes, and I’ve been there ever since. So, there was luck there.
PS: It was interesting you were talking about coax cable and running coax cable, because that’s where I started too.
CW: To crimp those, got to strip them down and crimp the things on, yes.
PS: The first experience I had with networking was when I really needed to fix it was when we were trying to play Doom against each other in a network, back in, mid 90s or something and we had to run our own coax networks, back in the day.
So I attended your FIM session (SIM 322), the first one, this morning; I thought that was great. And the learnings, I always try to assimilate these things to convey to my students, the learnings or the approach that you had there about implementing FIM can be applied to any type of IT project, there was a lot of stuff there.
CW: It absolutely can. And I know a lot of that stuff applies to other IT projects, but, I’ve done a lot of email projects, I’ve done a lot of AD projects, I’ve done a lot of migrations and I feel like a lot of these problems are bigger with FIM, they have more impact on your projects.
PS: Yes, I can see that.
CW: I mean, internal politics can just completely stall the project; it doesn’t normally stall a mail migration.
PS: No, because everybody wants email and just get on with it, we’re going to fix it, yes.
CW: You just get on with it and do it. A lot of the other projects I’ve worked on are very: design, build, implement, done. Whereas identity management, it really does have to be a living part of your environment. And so these projects have a reputation for continuing on for years and never being quite finished, but should they ever be finished? You know, the identity needs are going to keep changing in an organisation and so you need to have many project phases to accommodate that.
PS: What is your normal company size or the range of the size of environments that you work with where FIM is a good fit?
CW: So, obviously it’s usually bigger environments. Now I must say the smallest one I ever did was the company I worked for in Switzerland and that was a systems integrator, and we were 250 people and we had FIM, But we used it to synchronise contacts from the CRM system into AD so that we could all have every single customer contact on our Global Address List. And that’s not typical. They’re normally far bigger environments than that. I would say I’m normally dealing with numbers in the tens of thousands. Now I know there are plenty of people who do hundreds of thousands and even millions of identities with FIM, but I will say my projects have probably tended to be say around the 40,000 kind of size.
PS: Wow, that’s still a very big environment.
PS: Is that the biggest, or what would be the biggest?
CW: Yes. The two biggest environments I did were around 40,000 and they were both quite different. One of them was one of the UN agencies in Switzerland; it was actually the ITU – the International Telecommunications Union. And they’re interesting because they have 800 staff and 35,000 external users, because they have all these partner organisations worldwide and these organisations pay to be a member of the ITU and their people get access to applications and systems and all that sort of thing. And, yes, so some very interesting identity needs there, we did that whole project on ILM and we actually built our own portal (prior to FIM there was no built in user web portal). I worked with a developer there hand in hand and he was doing an ASP based, self-registration portal and you could go and add services and that sort of thing, because that was before the FIM portal.
The other really big one I worked on was again around the 40,000 user mark, and this was a big multi-national company. And it’s actually an umbrella company with a whole lot of companies underneath, which are actually extremely well-known companies, even though no one’s heard of the umbrella company. And completely worldwide – 41 different countries, every single language to worry about, all the different spellings of names and accented characters and the people in the Asian countries who have an Asian name and a Western name. And we actually migrated the whole lot, all their email boxes from a multitude of Active Directories and a multitude of Lotus Notes environments into BPOS, into one BPOS environment. And I did all the identity work for that. That was a big project. But at the end of the day they were so pleased. They said to me that they’d people coming in for ten years telling them they desperately needed identity management and there was never that impetus, and it was only when, okay, BPOS was going to be implemented, it’s happening, we’re starting next week and then they just realised they weren’t going to be able to manage it without sorting out their identity stuff.
PS: That must be cool, though, working in a big environment and reaching the end of such a project successfully.
CW: Yes, that was an amazing project, yes. And actually that was great, because I ended up getting the FIM portal in there as well. I set the FIM portal up as a frontend for BPOS administration. Because in BPOS like in Office 365, the permissions are across the board and you can’t carve them up. And because this was a multi company environment they needed that, you know, that vertical as well as the horizontal slicing of the permissions. And so we ended up front ending everything with the FIM portal and I just wrote a simple little BPOS PowerShell activity and literally everything you could do with PowerShell we had happening through the FIM portal. And then in that way we could really finely control the permission.
So we had this whole system of each area, sometimes the areas were in companies, sometimes they were a combination of company and location, sometimes you had split locations, so this site is, kind of, half this and half that. And so we had to have this very flexible system where people were in an IT admin group, an administrative group, and then there are the IT admins who look after that group and then they have certain rights only over those people. And then we had to have a way of basically transferring someone, they could send them out and the receiving guy had to accept them into his group.
PS: That’s cool. Now, so identity in general though is coming to the forefront, because we’re now talking about Cloud Services and what that tends to up with, in my experience working in smaller businesses is basically people just get multiple logins, because they sign up to all these different Cloud Services. And then they have to log into five different things to do their daily work.
CW: Yes. And what do they do, they use their corporate email address to identify themselves and they put their corporate email password as the password, because they don’t want to have to remember all these different passwords.
CW: And you’ve got a big security problem right there.
PS: Yes. And that’s what’s happening. So do you see anything in identity that’s coming around to address these problems?
CW: Look, I really hope so. And it was funny sitting in on the Office 365 Identity Federation talk, which was just after mine, because I have never heard FIM mentioned so many times in a talk that wasn’t about FIM. So I hope it’s bubbling to the surface. ButI think FIM is an enabler, it’s not a cool product in its own right; it enables a lot of other stuff. And this is why I said in my talk this morning that all my most successful projects have been in other projects entirely, like that one that I mentioned before, it was actually a BPOS project. So, yes, it’s a difficult thing, because you’re telling people they need something that they think they have already, you know, user accounts are being created, groups are being populated, it’s not efficient, but it’s happening.
PS: They think they’re done, it’s there, yes.
CW: Yes. And it’s not until there are these pressures that change happens. And like Federation tokens, can you ensure that Federation token has accurate data in it? If you’re getting it out of Active Directory and Active Directory is managed by hand, then absolutely no, you can’t, you don’t have that assurance.
PS: What about Identity as a Service (IDaaS), what about identity in the Cloud?
CW: I don’t know. I mean, there’s different aspects of identity as a service. There’s the authentication bit, which in a way we already have with open authentication where you can say I want to log into this service using my Facebook password, but you still need an identity in that service. For me it’s all identities that need to be managed, whether they’re on-premises or in the Cloud, they still need to be managed, it doesn’t actually make it any easier. And, you know, I think this is nice, the stuff that Microsoft is talking about, with opening up as your Active Directory so that other providers can use those identities, but actually this is no different from what already have with Active Directory on-premises. Anyone can write an application that uses Active Directory as an identity store and as an authentication source. So all we’re doing is taking that exact model and putting it in the Cloud as well.
PS: AD in the Cloud.
CW: Yes. So really from my point of view there’s not a lot of difference.
PS: Okay, so you see that FIM still has a future as a product?
CW: Absolutely, yes, big time.
PS: Because it’s a bit like a product that as you said enables other things.
CW: A product that no one loved.
PS: I was going to say the product that God forgot, sort of thing. It’s a bit like a side product.
CW: It’s been a bit neglected, yes.
CW: I hope that will change. It’s interesting and because being an MVP I get to have these calls with the product group and this has actually come up suddenly, Office 365 is happening, or BPOS is happening, and we need a way to synchronise identities. And suddenly people are knocking on their doors saying we hear you have an identity synchronisation service. And I actually choked, I said, oh, so even in Microsoft it takes a Cloud project to get people interested in FIM.
PS: Yes. Now the other thing that I think is happening, I’m certainly not an identity expert, but one of the things that I read about is the concept of meta directories as opposed to virtual directories, can you elaborate on this?
CW: Virtual directories, yes. So the virtual directory’s a really neat concept. With FIM we have very much this sort of moving data around concept, so there’s some data in HR that we want in AD, so let’s copy it across. The virtual directory leaves all the data where it is and just makes something that looks to the application like a directory that presents all this data, but that it’s actually gone and just presented from all the different sources.
I think it’s a really interesting idea and I know it’s been really useful in environments where they have a lot of legacy products that’s just been used absolutely everywhere and it relies on a particular version of Sun LDAP that you couldn’t even get now; that sort of thing. And you install your virtual directory and actually it can now get that data out of Active Directory or SQL, or wherever you have it, and then present it to the application as though it really is coming from that Sun LDAP. So it’s a really neat idea and I think both have their place; it would depend on the project. In a way perhaps the virtual directories are a bit more like it’s for a specific situation where you need that presentation layer. Whereas with the synchronisation servers then it’s very much, we can connect anything to it.
Meta directories, I mean, that again is something a little bit different. We say that FIM has this metaverse inside it, which is the collection of all the best identity data that you have, but you can’t authenticate against it. So I think strictly a meta directory would almost be this directory that has everyone in it. And I think for a long time people hoped that would be Active Directory, but it hasn’t happened and while people take shortcuts and create applications with siloed identity inside them then. The technology has been available for so long for them to use Active Directory as their identity store and yet they don’t.
PS: So how does Active Directory Federation Services fit in with FIM?
CW: Well, again I think it’s like a hand in hand, because Federation Services needs to find correct identity data to make a token with and so an identity store for Federation Services is Active Directory or SQL or there are other things there, like ADAM / AD LDS. FIM keeps that data up to date. So we are getting the department from HR and putting it in Active Directory and making sure it’s always correct so that when you make that Federation token that has department in it, you can rely on it.
PS: Okay. So it all fits together.
CW: It all fits together, yes, it’s not overlap it’s more hand in hand.
PS: Is that by design or did that just happen?
CW: You’ll have to talk to the product groups about that. Look, I hope they talk to each other.
PS: Well, they might be doing it a bit more now; I think that there’s some evidence of that in Server 2012 that they do. I mean, it’s a very big company and there are lots and lots of different products, it makes sense that they aren’t all communicating everything with each other.
CW: Yes, exactly.
PS: So there is a new FIM coming? I mean, 2010 is a long time ago.
CW: You know, R2 is just out, so R2… it was only a month or so ago. So maybe that’s FIM 2012.
PS: So if you had to project in the future the whole identity part of IT, if you had to project in five years or ten years,what’s going to happen, where are we going?
CW: We need to get more consistency. One of the reasons why it’s so difficult to make identity management tools is because everyone does things their own way. And some times I think, you know, we’re a bit like the help desk world was 15 years ago. So 15 years ago it was, Remedy was the big name, but you really had to put a lot of work into building your service desk system on top of it, it was a framework. And now you can go and buy a product off the shelf that does pretty much what you need. But then there’s just been so much work that’s been done there on SLAs and processes and escalations and all that sort of thing, that now people pretty much follow the same method for service desk, they’re not all inventing their own systems.
So I do feel a bit we’re still in that here’s a framework, building your own system because we can’t tell what you’re going to want to do with it. I think it needs to get a bit more commoditised and a bit more uniform. You know, there’s always going to be interesting little special needs. You go into Education and they have certain requirements, you go into Health, they have completely different ones. We always have to be able to accommodate those special business needs. But there has to be more uniformity in the way that people create accounts and administer accesses and, you know, do roles and that sort of thing.
PS: Well, I think because identity’s so inexorably tied to security, I think one of the big problems is that we haven’t got security right.
PS: Because it doesn’t cost the business money. For example, in Australia, business don’t even have to tell customers when they’ve been compromised. If your credit card or my credit card gets taken by a black hat, they don’t have to divulge that to me.
CW: Unless you’re in the public sector, and this is why the public sector projects often get such a bad name for having all these problems and having security breaches. And every time I read one of those stories I think obviously there’s a private sector company I’ve seen exactly in that same boat, but that doesn’t get publicised.
PS: No, because they don’t have to.
CW: They don’t have to.
PS: So I hope that comes here. That’s one of the few things they’ve got right in America, I think, is that they have to inform their customers.
CW: Once they’re public companies.
CW: This is the other thing in America, which I daresay we’ll see more of here, is this whole compliance thing. And I know, look, a lot of the guys in the US have been getting quite a bit of work out of compliance, because that auditor will come in and say, right, can you show me exactly how you are switching accounts off within 24 hours of a person leaving the business? And if the answer is, someone rings the help desk and says this person’s left, you get a big black cross, so fail.
PS: Yes, that makes sense. Yes, I’m hoping that too. As I said I teach part-time at TAFE and I teach at Certificate 4 and Diploma level, and by the time the students get to me I look at a classroom of 26 guys; they are no women in there and I haven’t seen them for years.
CW: Yes, I know.
PS: When I started teaching IT 12 years ago there were actually one or two in the classroom and some of them actually made successful careers. And we have quite a number of people who went from TAFE with a diploma in hand and got an IT career out of it actually and have got good jobs now and are working their way up and whatever, including a few women. But nowadays we just don’t see any women at all in IT. And I would’ve assumed that it would be increasing, not decreasing.
CW: It would go up, yes.
PS: Go up a little bit.
CW: It does seem to have gone down, doesn’t it?
PS: What I hear from universities it’s the same thing; the numbers are down.
CW: I did a project in the main School of Engineering in Switzerland, and I’d go and have lunch with the guys in the cafeteria and it’s all young men. And I said to them, where are all the women? And they said, oh, they’re down the road at the, hospitality and administration college, which was the sister college – sister, genuinely, like all the girls are there. But they said to me they had spent so much money on programmes to try and encourage girls to come to the School of Engineering, and they just were not coming.
PS: It’s just not happening.
CW: But interestingly I did know a young woman who had been through that school. And we had a guy there, like yourself, he was a consultant who worked with us and he would teach there, and it was just a passion, he loved to do it. But it also meant he was in a great position to cream off the top students and then come and work with us. And this young woman she actually came from Africa, one of the French speaking countries in Africa, and she’d always been very good at maths and science and she really wanted to do medicine and she’d applied to come to Switzerland as a med student. And in Switzerland they have very strict quotas on overseas students, and they said to her, you know, we’ve filled our quota, but looking at your profile why don’t you do “informatique”. Now “informatique” is the French word for information technology. And she went, oh, that sounds like it’s to do with libraries. Well, I like books, so okay. She’d never seen a computer before. She graduated top of her class.
And it just made me think this whole thing about preconceived notions. She had no preconceived notions; she had no reason to think that she couldn’t do it, because she didn’t know what it was.
I was very much the same. When I got into IT, when I was knocking on people’s doors with that crimping tool and that network card, well, no one had ever knocked on their door with a network card before. So the fact that it was a young woman with punky hair was okay.
PS: That’s cool.
CW: Whereas I think now there’s just that image.
PS: Yes, but the thing is though that the image is changing, that’s what doesn’t make sense to me. Because 15 years ago IT was very much like that; it was geeks that could not talk to people, they could not socialise with other guys, let alone women, right…
CW: Yes, and now there’s lots of just young men and…
PS: To work in IT today, you have to have the soft skills, you have to be able to communicate with people. Like the days of the programmers sitting in the back room and people slipping the pizza under the door and they never let them out, because they might talk to people, those days are gone. You can’t work in IT with that attitude any more, it’s just not going to happen. Because those soft skills are areas where women traditionally have excelled, so one would think that that would happen.
CW: I do wonder as well if it’s, guys are great collectors, they’ll collect things maybe, but they’ll also collect facts and figures and information about things, and so you get the guys who just are really obsessed with some particular aspect of technology and they’re going on about it at great length and great depth.
And I wonder if the girls look at them and think I’m not like that so therefore I can’t do that. You know, these are the guys going into the IT careers who’ve already had the interest, already been dabbling, already perhaps doing a bit of app development in their spare time, getting a bit obsessed about it.
PS: Yes, I’m with you.
CW: And the girls just think, oh, you have to be that obsessed to do it. And I want to go out and say to girls you don’t, you know, you can be interested in using technology as a way to help people work better and more efficiently. But it doesn’t mean that you have to spend or want to spend all your spare time programming.
PS: Well, that’s the same reason, that’s why I’m in IT, that’s why I’ve been in IT for 20 years, you know, to help people improve whatever they’re doing in their business with use of technology. Because I know how technology works and they obviously know how business works and I can help them. That’s really it. Oh well, it doesn’t look like we’re going to get an answer to that one, is it?
CW: I’m sorry, I can’t help you.
PS: I asked the question two years ago here at TechEd when interviewing three women in IT.
CW: It’s something I’ve thought about that I have no answers, I really don’t know why.
PS: I think role models are important, I think mentoring is important.
CW: Yes. This is why I was so pleased when they asked me to speak this year, because I had a bit of a bad Women in Technology TechEd experience a number of years ago at TechEd Amsterdam, and I felt so patronised by the end of it, I was ropeable, the worst reviews I’ve ever put on any session ever. We came in and we’re having lunch and wanting to talk to each other, all these women, great, let’s chat, you know, and five minutes later they’re like, no, you all have to come and sit down here in these seats and watch us. And the woman who’d organised it started off, I mean, she actually played I Am Woman by Helen Reddy, she actually played that. She then showed pictures of Marie Curie and she didn’t actually show a single picture of a contemporary woman in IT and I think Cobol was written by a woman, didn’t even have that one. I think she put five minutes into preparing it, you know. And then her speakers were… well, the first one was a man and he was one of these Microsoft evangelists and he rambled on, again hadn’t prepared anything, just rambled on and on and the gist of his talk seemed to be that he once employed a woman and he didn’t regret it.
PS: I got a little bit of feel for you when were presenting about your past there and your IT career, I think that by this time there was steam coming out of your ears, I think.
CW: Oh yes, it got worse.
PS: Oh, it got worse.
CW: The second speaker was at least a woman, but she was an MBA, she was on the business side, and she spent the whole time talking about some boss she’d had and the clever things he had, referring to her as my personal Yoda, as if that would appeal to us techies. I’m sitting there; I’m fidgeting in my seat. Finally I spoke up and said I’ve got a question. And I said, look, I’ve been listening to this and I thought I came here to talk to women in IT, I’ve heard a man and I’ve heard a woman in business. And then I, sort of, turned around to the room and said anyone else here actually work in tech jobs? Everyone puts their hand up. I mean, it’s TechEd. And I said I wanted to talk to them. And then I went, anyway, I’ve had enough of this, I’ve got a session to go to, and I got up and walked out. Apparently after I left, it must have shamed them a bit or something and they did actually open it to the floor and apparently there was a great discussion after I stormed out.
PS: Well, I’m glad it wasn’t that bad this time around.
CW: You know, I’ve signed up to various Women in IT, kind of, things over the years and the other thing that puts me off about them is they do always seem to focus on the women who are in management, you know. If you are managing an IT department or something, good for you, great, but that’s management. Yes, you may have to deal with technical people, but you’re no longer a techie.
PS: It’s not technology.
CW: You’re not a techie yourself.
CW: And so I was pleased to actually be able to stand up there yesterday and say, I’m a techie, I’m an IT Pro and this is my story.
PS: But I liked that; I liked the fact that you’d made those choices along the way. Well, not always choices, but however it happened, to stay in tech.
CW: Stay in tech, yes.
CW: Like for a long time I thought am I going to have problem as a tech in the future. It wasn’t that I thought am I going to get too old for this, it was more are people going to think I’m too old for this? But I know plenty of guys older than me who are still doing tech and that’s what they want to do and they’re successful.
PS: Yes, well, also because you have specialised.
PS: Yes, that’s the thing, right. If you were a server admin now, life could be a bit difficult, I’d say.
CW: Maybe it could. And I think as well, when you get to that position, that’s when you get people parking themselves in just one job that they just end up staying in for 15 years. And I’m still really into being the consultant and getting out and going into different environments and, getting to boss around a whole lot of new people. I try to anyway, if they let me.
PS: The result of this, the interview, is going to end up on the 4sysops blog that’s very popular in the Windows world, they have 500,000 hits a month and I think that FIM is so specialised that, unless you’re into identity you’re not really going to be that interested in the product itself.
CW: Yes, it’s good though to keep it people’s minds somewhere there under the surface so they know when they run into those problems we really have to start looking into this FIM thing.
PS: Is there any competition, are there other products that do exactly the same thing as FIM does?
CW: Oh yes. Oracle has a very well regarded product suite. Sun IDM was apparently excellent, but Oracle bought Sun and then basically shot Sun IDM in the head, because they had their own product. Similarly with Novell, they had a very well regarded product which is no longer with us. There are other contenders. CA has some stuff, but I haven’t heard great things about it. What else is there? You know, on the Gartner Chart…
PS: Magic Quadrant.
CW: Yes, the Magic Quadrant, FIM still tends to be placed in the challengers, so it’s there; Oracle’s usually up there at the top. And this is one thing I tell people, you know, if you’re doing enormous scale, of you’re doing millions of attributes, then you may well need Oracle. But most businesses aren’t. And FIM’s certainly a lot cheaper and the fact is I was talking about all those problems around FIM in my session, I could’ve taken out FIM and said… Oracle; those problems will happen either way. So often the technology is the least of your worries. So, yes, it has competitors, then again there’s that thing, you know, if you are pretty much a Microsoft shop, then FIM supported Exchange 2007 before any other product did so you’re going to get a bit more.
PS: It’s got to be a bit easier to integrate with the other Microsoft stuff.
CW: A bit easier there, yes.
PS: Well, that’s always the case, isn’t it?
CW: But at the same time we can integrate with the non-Microsoft stuff as well, which is really, really important.
PS: Cool. Thank you for your time, Carol.