The IT Manager’s Declaration for IAM

The IT Manager is being squeezed. 

Not so long ago, any business trying to get a competitive edge with technology could not do without dedicated help, whether it was contracted, or an on-staff IT Manager.  But, IT was often poorly understood, and often badly managed--and stereotypically derided as aloof, incomprehensible, and yes, incompotent. And for decades, as the cost of technology has fallen, IT Managers have been asked to do more with less. Now, DevOps and other trends in automation are really putting the squeeze on the IT Manager. 

These days businesses can get by without dedicated IT Management. But advances in DevOps, the ubiquity of SaaS offerings and ever increasing advances in automation have not eliminated the need for IT Management. In the absence of dedicated resources, IT Management (including IAM) is a second job for someone in the company: the CFO, the HR Manager, a Principal Engineer, or that entrepreneur building their startup. They have insufficient time and resources to be an “expert” in IAM. Lacking the time and expertise, they struggle to build a safe and manageable IAM system for their business. They struggle to control who has access to their information--they struggle to keep their arms around their own intellectual property. 

Identity Access Management (IAM) is such a part of our everyday lives, we seldom give it much thought. It is just a part of the wires, fiber optic cable, and software that are the backbone of the Internet. It is like the roads we drive--there all the time, but generally experienced unconsciously. And like those roads, even with safety measures like traffic lanes, street signs and signals, it can be dangerous.

 

We know not all drivers obey the rules of the road. Generally, drivers do, but sometimes when they are in a hurry, they run a red light. Sometimes drivers are on unfamiliar roads with unfamiliar rules. And sometimes drivers just make mistakes; they veer left, when they should have veered right. We all make mistakes. For all of these reasons we witness daily pile-ups on our roads.

 

Like roads without traffic lanes and street signs, the Internet without IAM would be chaos.

Even with IAM the Internet is dangerous! Shortcuts, lack of concern and mistakes lead to some nasty security breaches, not to mention the routine aggravation when users have difficulty getting access to their systems and data.

 

Learning and implementing IAM is doable, but hard. Tools for IAM are available for larger businesses. When those tools fall short, these businesses can compensate with dedicated technical resources to fill gaps. For your everyday IT Manager, IAM is chock full of technical jargon, complicated certificate management, careful copying and pasting incomprehensible access URLs, and faulty integrations that often fall short of the promise of SSO, and require some manual user provisioning on either the identity provider and service provider side or both

.

THEREFORE, WE, THE IT MANAGERS, DECLARE:

 

We want a standard IAM model that is reliable, easy to use and secure. The standard IAM model will be:

 

·   STANDARD

If you’re thinking this declaration is unnecessary because we have SAML or some other existing service or protocol, you’ve missed the point. If so, consider electronic payments for a comparison. You don’t need to understand how the Automated Clearing House (ACH) system works to make an electronic payment. You don’t even need to know there is an ACH system. All you need to do is tell your bank where you want your money to go. Your bank does the work of getting your payment there. In the same manner, we want a standard IAM model that just works.

·   UBIQUITOUS

A standard IAM model will only be a “standard” when it is implemented widely. Wide adoption of the standard IAM model amongst the applications services we typically use or an ability to overlay the standard IAM model over existing IAM systems is necessary to achieve its benefits.

·   EASY TO IMPLEMENT along the standard IAM model:

o   Adding applications, services and user assignments is as easy as select, commit and go. 

o   When integrating identity and service providers systems will provide. comprehensible error messages when configurations do not work.

o   User management (provisioning and deprovisioning) will incorporate role, individual and group provisioning over all systems. Today’s integration gaps need to go away.

·   DEVOID OF JARGON

Please, no tech-speak. If you want an IT Manager to, “to access an API endpoint, to download a metafile and inspect a system’s SAML attributes,” you’ve fallen off the path. We want a standard IAM model that incorporates relatable metaphors, in the same way as our computers have “desktops” and “files.” 

·   UNENCUMBERED by complicated certificate or encryption key management

Certificate management and encryption keys are complex and confusing even for seasoned IT people. Any system that explicitly requires the generation of certificates or encryption keys is fundamentally hard to use. The standard IAM model we want obfuscates the heavy lifting of certificate management.

·   EXTENSIBLE

The goal of a small business is to become a big business. When business outgrows the standard IAM model, stepping up to an “advanced IAM model” should be an evolution, not a rip and replace nightmare.

·   AUDITABLE

Any system that is responsible for controlling access to our applications and data needs to be auditable. The standard IAM model we want will maintain an audit log of provisioning activities, configuration changes, and other important events, like failed logins. This audit log needs to be readily accessible (and read-only) to the IT Manager.

·   SECURE

Let’s not forget why we are doing all of this. We want to keep our applications and data secure. Identity and access management is meant to improve security by making access to our applications and data easier to manage. Ease of use cannot come at the expense of security. We want a reliable, easy to use and secure standard IAM model.

 

 

 

 

 

LINK: Journal of AHIMA: Don’t Let Accounts Payable Derail Your HIPAA Compliance Efforts

An article I wrote about AP Automation, HIPAA and Information Security was published on the The American Health Information Management Association (AHIMA) online publication, Journal of AHIMA.

Intro: 

Technology continues to disrupt organizations across industries—the way we work and go about daily operations has changed, and the healthcare sector is no stranger to these disruptions. COVID-19 has further accelerated this disruption with the adoption of telehealth and digital health solutions. Healthcare professionals are increasingly needing tools that provide quality care while also ensuring Health Insurance Portability and Accountability Act (HIPAA) compliance and the confidentiality of patient information.

In addition to embracing telehealth technology, healthcare organizations are undergoing a similar wave of digitization in the back office. One top priority is finding an automated accounts payable (AP) solution designed for paperless invoice capture, coding, and approval, along with electronic payment execution. AP automation was developed not only as a way to make it easier for practices to pay their suppliers electronically via ACH, check, virtual card, and FX, but to free AP and finance staff of the burdensome task of processing invoices and payments manually.

More at: 

https://journal.ahima.org/dont-let-accounts-payable-derail-your-hipaa-compliance-efforts/

Hiring for DevOps -- And HowTo Navigate "DevOps Compliant" Resumes

DevOps has achieved buzz word status. Job descriptions and resumes are chock full of DevOps descriptors, tools and processes. Job descriptions are being built around DevOps and applicants are building their resumes around DevOps. Resume searches with DevOps keywords return thousands of hits. This is a sure sign of the impact DevOps is having. And yet, this shift towards DevOps has flooded the job market with "DevOps compliant" resumes. This adds a challenge when you're trying to find the right people to join your DevOps team. 

And let's not forget, PEOPLE are the most important aspect to successfully implementing DevOps. Getting the right people on-board is a must. 

So, here's what I've been doing--I break up the interview process into two or three stages:

• Stage 1: Initial phone screen
• 45 minutes
• An initial phone screen is an undemanding way in time and effort to determine whether or not a candidate with a resume of interest, is really that person on their resume!
• Stage 2: In-person tech and team review
• 3-4 hours
• The meat of an interview is a face-to-face (zoom calls included) review by the team to drill down on their technical capabilities, and more importantly, what and how they do things. Matching a candidates temperament with the company's culture is vital for success. A cowboy that jumps in and makes changes, may not be the right person in a strictly managed, process oriented environment. But, they might make an ideal candidate for many start-ups. 
• Stage 3: Final interview (optional) and negotiation 
• Another round of interviews may be appropriate depending on the size of the organization, and who has an interest. Often senior managers will want to meet all new hires. 

Then, there are four broad categories that I try to assess when interviewing. But, first, I always ask these two questions no matter who I am interviewing:

• What do you know about the company? (have you looked at our website? )
• In your own words, how would you describe the position? (did you read the job description)?

This is in part housekeeping. Recruiters and schedulers make mistakes. Or the job description may have changed since the applicant was engaged. But these questions can also reveal an applicants interest in the job. That's important, because I want to work with with people that take the initiative to learn about the company offering the job.  

Okay, so back to the four broad categories I use to assess candidates. They are: 

1. Ownership
2. Responsibility
3. Technology
4. Process

But, before I explain those categories, I have a few "go to" questions I ask every candidate looking for a technical position. These questions are meant to take a quick and deep dive into basic skills required by successful Ops people. If a candidate has done the work, these are simple questions. But if a candidate struggles with these questions, they likely won't recover during the remainder of the interview. 

Linux: What is load average?

Networking: What is a subnet mask?

Python (scripting): What's the difference between a "list" and a "tuple?"

Security: What is risk?

Ok, back to those four categories, and specific questions I use to get at these categories:

• Ownership -- Or "work ethic and philosophy." That's somewhat officious, but what I'm trying to get at is, what excites the candidate? And what do they think of the work? Or how do they go about getting the work done? Some questions:
• What do you consider success?
• How do you know when you've succeeded? 
• What is DevOps?
• Talk about your interests? Do you have tech interests outside of work? Associations, projects? 
• Responsibility -- Or role. What have you done? How much of it? And who did you do it with?
• What size teams have you worked with or managed?
  Talk about the environments you worked in:
• How large have they been?
• How many environments?
• What networking is involved?
• How many systems?
• How much application data are you storing?
• What role did you play in setting up the environment? And its upkeep?
• What's your hand's-on comfort?
• Are you on the on-call rotation?
• Technology -- Or skills: depth and breadth. These questions are meant to get a detailed picture of the candidates skills and the skills required for the job: 
• Server Configuration Management
• What experience do you have with Server Configuration Management? Docker, Check, Puppet, etc?
• Describe systems you worked with and your involvement in the design, setup, and their maintenance 
• Containerization:
• Are you familiar with Docker or other container technologies? 
• If so, describe the setups you have worked with and your involvement in the design, setup, and maintenance of those systems. Did your involvement include re-architecting existing VM based deployments? If so, describe.
• Cloud:
• What cloud companies have you used? AWS, Google, Azure?
• Describe the cloud services you've used? For example,  in AWS: EC2, S3, EKS, ECR, etc
• Process -- How do you do the work?
• Collaboration? Ticket management? Agile, kanban?
• Build and deployment: 
• Describe build and deployment systems you've worked with 
• Release process and cadence
• Monitoring:
• What is your current monitoring setup (Nagios/Sensu, commercial)? 
• How is it configured? 
• A specific question like, "how do you determine the threshold for load alerts?" can lead to open ended responses 
• Backups
• What is your backup plan?
• Do you have a committed RTO and RPO?
• Have you tested your backup plan?
• Log aggregation? 

Another approach you can weave into the questions above, is asking about real world examples. Real world examples are problems you have encountered. Setup the candidate with what you saw initially, and see where the candidate goes with that. This will give you insight into their experience and problem solving capabilities.  

These categories of interest and questions have served me well. But, one warning: if you are playing "gotcha" with questions and candidates, you've lost your way. Interviews are a dialog. The dialog--the engagement--you have with a candidate is so much more important than the questions. Interviewing is meant to find people you want to work with and that want to work with you. Be considerate. Be prepared to answer your own questions, and help a candidate that's stuck. Interviews are stressful. Sometimes, people need another beat, and then they're great. Remember: you are representing your company. 

Always, always, always treat candidates with respect.

Installing and configuring Python on MacOS (Catalina)

Installing Python (latest) on MacOS (Catalina)

New computer... and a new opportunity to setup python. This happens about as often as I update my blog. Things change, so here's what installing python on MacOS looks like circa July 2020. 

Set BASH as default SHELL

First of all... I prefer BASH as my SHELL. In Catalina ZSH is the default. Changing the default shell to BASH is a setting in Terminal:

Terminal--> Preferences --> General * Shells open with: Command (complete path): /bin/bash

Reference:

https://support.apple.com/lt-lt/guide/terminal/trml113/mac

Suppress annoying ZSH warning 

Apple really would prefer I stop using BASH. When opening a Terminal by default a message tells me that ZSH is now the default shell. That's a quickly tiresome reminder that I really should be using ZSH, and why am I using BASH anyway?--BASH has been deprecated. To make matters worse, the version of BASH installed by default on Catalina is quite old, and ZSH is all up to date. But, I don't want to be deterred, and I don't want to see this warning every time I launch a Terminal window, so, I added this to my ~/.bash_profile (reminder: .bash_profile is used instead of .bashrc on Mac OS X).

export BASH_SILENCE_DEPRECATION_WARNING=1

Set BASH command prompt

Yeah, I have preferences (doesn't everybody?). I set my command prompt to show me which user is active and what directory I'm in. This goes in my .bash_profile:

PS1='\u:\w\$ '

Install brew (MacOS package manager)

There's little life in a laptop you want to use to write code that doesn't have a command line package manager. So... (do this with a user with 'admin' privileges):

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)" 

Reference:  

https://brew.sh/  

Install pyenv, pipenv

Reference: I'm starting this section with the reference, because I want to give a HT to Gioele Barabucci for an amusing nod to how convoluted this has been, and an excellent description of how to setup a modern python environment: 

https://gioele.io/pyenv-pipenv

tl;dr version: Segregate all your project dependencies and versioning by using pyenv and pipenv to manage different environments within a project/directory. This is a really nice way of doing things. It gets all the way around mucking about with the OS provided python installs and versions and your own dependency hell.  Use brew to install these tools. 

brew install pyenv 
brew install pipenv

Installing pyenv creates a .pyenv directory under your home directory where it stores and manages different versions of python so you can have them at your fingertips.

 Configure pyenv

We're getting close now. 

pyenv --list # shows you all the available versions of python that are available. There are a lot!

pyenv install 3.8.3 #install 3.8.3 version of python -- latest

pyenv global 3.8.3 # set 3.8.3 as the default version

pyenv init

This last statement, pyenv init, is the magic that connects your shell to the local versions of python installed and managed by pyenv. Really, all it does is adds the .pyenv directory to your PATH with a symlink to the version of python you want to use. Add this to your .bash_profile to have pyenv manage your python stuff by default.

eval "$(pyenv init -)"

Reference:  

https://realpython.com/intro-to-pyenv/   

 Configure pipenv

 pipenv is the glue between pyenv and your virtual python environments. pipenv install creates a file called Pipfile in your current directory or project where it tracks the python version for this project and any dependent packages you install for THIS project and only THIS project. For example:

pipenv install tweepy 

And as the output helpfully suggests: To activate this project's virtualenv, run:

pipenv shell 

Development environment segregation FTW!  

Install pycharm

Honestly, I might keep using vim for the most part--old habits. I may be an old dog, but I want to learn new tricks, so, installing an IDE. Download the installer here:

https://www.jetbrains.com/pycharm/download/#section=mac

EOJ

Dank DevOpz Memes #2 ~~ via @Manager_of_it #devops

Hey Ops! Why's the server down?
#DevOpzMemes 2 

The DevOps Phenomenon -- Chapter 1: What DevOps Means (Part 1 of 6)

Chapter 1: What DevOps Means (Part 1 of 6)

For the last few years I am being stalked on the Internet. A lot of companies have paid to target their DevOps ads to me. I see NewRelic ads entreating, “What is DevOps?”^[i] Puppet wants me to participate in their State-of-the-Art DevOps survey. Gartner wants me to know its annual report on DevOps is now available. What is being built around a word that was only coined a short time ago is remarkable. Yet, the word itself, DevOps, has defied an easy definition. Years into the DevOps phenomenon what DevOps means continues to be contested.

So what does DevOps mean? Let’s begin before the beginning and take a closer look at the words themselves. Looking back at the etymology of words is a good way to see where this mash up of ideas called DevOps is headed.

Develop

Develop, the root of the word development, is a lush word. It has lovely variations and often connotes magic. Magic that is concerned with conjuring, making something out of nothing, like “conjuring a table and chairs out of thin air.”

Many other connotations that are not directly referring to magic suggest a mysterious process. It is what is conceived of in the mind and made real. We expect to cause good outcomes, and love the rewards. It is a process and it takes time, but we are undeterred. Develop is suffused with hope and expectation. What we make in the process of development is exciting!  We want the negative made visible. We want to produce solutions, to move forward, to learn and grow. We want to develop!

Figure 6: http://www.wordle.net

Merriam-Webster dictionary definition:^[ii]

Operations

Operations is not as popular a word as Develop. It is used about a fifth as often.^[iii]  Its use in business and particularly Internet Operations are new usages. Theses usages are often unfamiliar to people outside the day-to-day workings of the Internet.

Figure 7: http://www.wordle.net

Business Dictionary definition^[iv]

Merriam-Webster dictionary definition:^[v]

It’s most common uses have to do with surgery and machinery. Operate is often about the body. Surgeons operate on bodies. Surgeons wage life and death battles in the body against disease and injury. Operations is concerned with the functioning of systems; their health and well-being; their availability and performance. Surgeons operate on orga machines. Operations works on mecha machines. A transcendent concept amongst all the variations of operate is the notion that things need attention and care. They need maintaining to insure their proper functioning.

So now we have these two words, Develop and Operations. They have been mashed together into the neologism DevOps, but what does DevOps mean?  It means Dev and Ops are two aspects of the same process. They are co-dependent. One does not exist without the other. The development of new software depends on the ability to operate it. Metaphysically (yes, I am going there), if the mind is the seed of the body and the body is the seed of the mind, then Dev is the mind and Ops is the body. Without the mind the body is not animated. Without the body, the mind does not exist.

Figure 8: Yin Yang

I experienced DevOps as an epiphany and conceive of it with more than a little bit of grandeur. My experience is not unique. Many IT professionals have simultaneously experienced this epiphany. This shared experience is the locomotion of the DevOps phenomenon. Of course, it’s a big IT world out there, and when many IT veterans were introduced to DevOps they saw just another new buzzword. Their introduction to DevOps might have been more marketing than thought. They see lots of hype for a re-packaging of how things have always been done. There has been a lot of DevOps hype. Marketers as they are want to do, have often slapped a DevOps label where it doesn’t fit or even make sense.

Every reaction has a re-reaction and DevOps pendants have taken great offense at how DevOps has sometimes been marketed. They take particular offense when DevOps is used as a job title or a department name. They want to protect the idea that DevOps is a new way of doing things. You can’t “buy” a DevOps. They want to protect the DevOps phenomenon. They are overreacting. Even amongst the naysayers there is a grudging admission that the DevOps wave is so wide and large that it will not be stopped.^[vi]

Fourk 2: The Principle Components of DevOps

DevOps is a new word for a new way of ordering thoughts and actions. It is expressed most prominently in five primary categories:

1.            Culture

2.            Automation

3.            Monitoring

4.            Communication

5.            Security

---

^[i] http://newrelic.com/devops/what-is-devops

^[ii] http://www.merriam-webster.com

^[iii] https://books.google.com/ngrams

^[iv] http://www.businessdictionary.com/definition/operations.html

^[v] http://www.merriam-webster.com

^[vi] Add reference

Puppet Bootcamp Boston -- "Puppet, Security and PCI"

I gave a presentation yesterday at Puppet Bootcamp Boston today. The title of the presentation was "Puppet, Security and PCI."  I went into the history of Internet credit card theft and the emergence of the PCI standard to combat the threat.  The conference was at the Revere Hotel which has a fabulous auditorium. The seats closest to the stage were actually couches and had little swivel tables.  And every seat had its own power!  Also, free drinks at the end of the day on the rooftop bar--not bad :)

Thank you Puppet for the opportunity!

A PDF of my slides is here.