by Chris Phillips, Technology Architect of the Canadian Access Federation
Tackling the Innovator’s Dilemma
Transformative moments are often remembered affectionately as if they happened overnight. What is closer to the truth is that an ‘overnight success’ is really an accumulation of years of iterative work. For Trust and Identity(T&I) our ‘overnight’ success has been more than a decade in the making and continues to have a tremendous impact on the R&E community. T&I has deep collaborative roots and is a product of how our community recognized early on that a challenge faced by one stakeholder is often one we all face. When we focus on solutions, solving for everyone is only marginally more work and contributes to the greater good. This approach embodies the ethos and values of the R&E community, has served us well, and shows no sign of changing for us in the future.
A big difference between now and then is that in the past we could take bold risks. When you have few ‘customers,’ all of whom are ready and able to be at the bleeding edge of development, being bold comes naturally. What was there to lose where nothing existed before? Our landscape is different now, in a great way: we have thousands of identity providers, critical services, and global connectivity via eduGAIN linking R&E stakeholders worldwide. Our challenges today are tough, but within a very different context. Today, it is no longer easy (or even appropriate) to be the scrappy player we were when there was nothing to lose. The risks we took early on are materially different now, and we need to adapt and strike a balance in the risk/innovation equation. We need to be more predictive than reactive, and keep making investments to continue to reap significant gains.
Building our Predictions
What’s the impact of any technological advance? Is it a ripple on the water or is it an ocean swell that can propel us forward like a surfer on a wave? How fast do these waves come? Trying to predict how technology impacts our future is like trying to predict the weather. Ironically, our understanding of tides is so amazingly precise we can assess them historically as far back as we want, down to the hour, and predict them well into the future; yet the same accuracy escapes us for weather a few days from now. Despite the complexity of predicting weather, we know foul weather events are immensely impactful and need to be planned for. Learning how to set sandbags while knee deep in flood waters is the wrong time to learn. Weather forecasting now uses models to predict weather, and we will do the same, taking a look at some recent trends to catch a glimpse of what the next five to ten years holds for T&I.
Physical to Virtual to Containers to Cloud
A great place to seek trends that propel us forward is in the datacenter. Virtualization took the datacenter by storm in 1999 and in six years transformed server provisioning from weeks down to a few clicks, with significant savings, and it continues to incubate new innovations.
During the race from physical to virtual servers, Amazon Web Services (AWS) emerged in 2002 with their platform challenging traditional data centers. Some early adopters were experimenting with its full capabilities, many mistakenly treating it like virtualization when it was something more. This revealed a gap where management and delivery of applications could not keep up. The response to moving faster was to merge development and operations into ‘dev-ops,’ and also introduce the notion of packaging applications into predetermined form factors called ‘containers’. In 2014 Docker emerged as the leading technology, and in only four years has native container support in all dominant cloud services, including on the desktop. This was an unheard-of pace of adoption by players traditionally known as slow to adopt. Now that the infrastructure support is there, how is adoption pacing along?
At four years in, containerization has yet to become as ubiquitous as virtualization. Why is that? Interestingly, it has a similar challenge as we do in T&I — customers as legacy. In the containerization case, ‘customers’ are the hundreds of thousands of applications written in the ‘old way’ (current technology). Both the datacenter and T&I face an innovator’s dilemma: our customers strongly desire stability and predictability, so at what point do you decide to re-tool to adopt the new technology, not do it all, or wait it out until the next innovation comes along? To re-tool means to assess and rebuild each app to be ‘cloud friendly’, or federated ID friendly, which can be very daunting. This is why you see new applications as containers first, or adopting federated sign-on first, and legacy applications slower to adopt either. We see this very same experience in T&I adoption as we explore new protocols in delivering trust. We are at an interesting crossroads with multiple paths into the future. We need to try as many paths as possible, designing for change as we go, and not just the innovation at hand because it too will eventually change.
Innovation is not just technical
Cloud is both a technical and a business model innovation. Businesses recognize the critical role of identity. They covet the users from our identity providers and see a competitive advantage in making it difficult to easily shift technology platforms and processes. Cloud providers desire revenue-“sticky” customers who are encouraged to collaborate with THEIR platforms. Perceived as a business advantage, it is diametrically opposite to the ethos of R&E federations. In addition, cloud vendors want users to divest of on-premise tools like your directory. Our base assumptions for campus architectures will change dramatically over the next five to ten years. The protocols that NEW applications are being built with are going to shift, and we are going to be pulled along, like it or not. We need to be at least prepared, if not ahead of the shift, each time it happens.
Signs of the shift are there if we look: software update cycles are compressed, from years to months. The download-install-and-keep-patching software on local hardware is migrating to subscription services of almost the same thing, but not quite; they are operated and managed in the cloud by vendors and NOT campus IT. The difference being that vendors are not as beholden to the campus mission and priorities in R&E as campus IT is. The shift is happening rapidly and we need to think about how we are going to stay afloat and continue to deliver on our mission in stormy weather.
Waves in the Future of identity
The migration to cloud is a significant example of change, but what else may impact us in the next five to ten years?
Multi-protocol is now the new normal
Identity federations have done very well in delivering our trust model in a single protocol space but after fifteen years, this model is being challenged. We are now like the datacenter in the second wave: facing the innovators’ paradox, wondering whether to maintain the status quo or innovate. For our services to remain compelling and easy to sustain, we need to plan for change by both serving our existing user base and new users desiring the same level of trust, by adopting new protocols like OpenID Connect. In implementing these new protocols we need to overlay our R&E needs, values, and critical requirements to ensure the solution meets the evolving needs of our participants.
We’ll need to pilot, experiment, and disrupt ourselves to understand how the technology works and how to weave in the R&E needs early on. We’ll need to do it quickly and rapidly iterate on new innovations to gain the knowledge and best practices our ecosystem requires for stable and reliable operations — what our participants value and have come to expect.
Have our vision and mission reflected in cloud operations
Cloud operators have different measures of relevance and value than the R & E ecosystem. We need to scrutinize offerings and embrace services that support our mission and vision. Where we find discrepancies, like metering access or usage, price per authentication, or price per API call where we traditionally have been unmetered, we need to highlight the issue and advocate for adjustments. The same can be said for supporting our trust models, our foundation for trustworthy collaboration. Just aiming for better office productivity is aiming too low.
Death of the password – long live authentication!
The death of the password has long been trumpeted but may actually start happening in the next five to ten years. New technologies like FIDO, U2F, and WebAuthn protocols for mobile play a critical role in this space. We need to invest in experimentation and assessment of these technologies to determine if they compliment our services or completely disrupt the federation model. If they are a disrupter, how are we going to adapt? While still early days, it may represent a tectonic shift in how authentication works. This may be an area where innovation friction may play in our favour, as we may be the early adopters and capitalize on this innovation for our community’s benefit.
Summing it up
Today, we need to be as hungry as we were at the beginning of our journey in R&E federated id, if not more so. How we deliver trust is now manifest in multiple protocols and technologies that could not have been predicted at the start of the journey. More change is coming, and we need to prepare and embrace it if we are to remain relevant to our community.
Nimbleness in adopting change is proportionate to the availability and quality of talent. We have a fantastic community but if we are not growing the next generation of talent we are shrinking. Our community has low turnover which in turn means that when it does happen, a chasm of knowledge and skill opens up and needs to be filled. Vendors are eager to fill this void with their solution or service, but if they aim low, does this mean we do too? We need to explore creative ways to attract, train and retain talent. Given our collaboration with academia we are well positioned to engage with the new generation and train the next cohort of trust professionals.
Lastly, we often play a leadership role on innovation, but our solutions have somehow acquired an “edu-only” stigma and not part of a solution’s base offering. By getting out of our comfort zone on where we work on our solutions and bring the R&E viewpoint into spaces where vendors of both software and cloud technologies congregate, we can inject our users’ needs into their development processes early on. We can be more influential and have software and cloud solutions edu-ready, rather than have solutions miss key R&E aspects or need us to retrofit them.
As much as we have our work cut out for us I’m optimistic that we can rise to meet the challenges. There are some exciting times ahead and no shortage of interesting work. I am eager see what is out there ten years from now and to make the most of it — I hope you are too.