
Monday, July 09, 2012

The Open Group and MIT Experts Detail New Advances in Identity Management to Help Reduce Cyber Risk

Transcript of a BriefingsDirect podcast in conjunction with the upcoming Open Group Conference on the current state and future outlook for identity management.

Sponsor: The Open Group.

Register for The Open Group Conference
July 16-18 in Washington, D.C. Watch the live stream.

Dana Gardner: Hello, and welcome to a special BriefingsDirect thought leadership interview series coming to you in conjunction with The Open Group Conference this July in Washington, D.C. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, and I'll be your host throughout these discussions.

The conference will focus on enterprise architecture (EA), enterprise transformation, and securing global supply chains. Today, we're here to focus on cyber security, and the burgeoning role that identity (ID) management plays in overall better securing digital assets and systems.

We’ll examine the relationship between controlled digital identities in cyber risk management, and explore how the technical and legal support of ID management best practices have been advancing rapidly. We’ll also see how individuals and organizations can better protect themselves through better understanding and managing of their online identities.

Joining us now to delve into this fast-evolving area are a few of the main speakers at the July 16 conference. We are here with Jim Hietala, the Vice President of Security at The Open Group. Welcome, Jim. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

Jim Hietala: Thanks Dana, good to be with you.

Gardner: We are also here with Thomas Hardjono, Technical Lead and Executive Director of the MIT Kerberos Consortium. Welcome, Thomas.

Thomas Hardjono: Hello, Dana.

Gardner: And we are joined by Dazza Greenwood, President of the CIVICS.com consultancy, and lecturer at the MIT Media Lab. Welcome, Dazza.

Dazza Greenwood: Hi. Good to be here.

Gardner: Jim, first question to you. Let’s describe the lay of the land for our listeners. What is ID management generally and how does it form a fundamental component of cyber security?

Hietala: ID management is really the process of identifying folks who are logging onto computing services, assessing their identity, looking at authenticating them, and authorizing them to access various services within a system. It’s something that’s been around in IT since the dawn of computing, and it’s something that keeps evolving in terms of new requirements and new issues for the industry to solve.

Particularly as we look at the emergence of cloud and software-as-a-service (SaaS) services, you have new issues for users in terms of identity, because we all have to create multiple identities for every service we access.

You have issues for the providers of cloud and SaaS services, in terms of how they provision, where they get authoritative identity information for the users, and even for enterprises who have to look at federating identity across networks of partners. There are a lot of challenges there for them as well.

Gardner: Is it fair to say, Jim, that as we expand the boundaries of process and commerce beyond the four walls of the enterprise, that this becomes even more urgent, more of an issue?

Key theme

Hietala: I do think it’s fair to say that. Figuring out who is at the other end of that connection is fundamental to all of cyber security. As we look at the conference that we're putting on this month in Washington, D.C., a key theme is cyber security -- and identity is a fundamental piece of that. So, yeah, I think that’s a fair characterization.

Gardner: Let’s go to you, Thomas. How have you been viewing this in terms of an evolution? Are we at a plateau that we're now starting to advance from? Has this been a continuous progression over the past decade? How has ID management been an active topic?

Hardjono: So it’s been at least a decade since the industry began addressing identity and identity federation. Someone in the audience might recall Liberty Alliance, the Project Liberty in its early days.

One notable thing about the industry is that the efforts have been sort of piecemeal, and the industry, as a whole, is now reaching the point where a true correct identity is absolutely needed now in transactions in a time of so many so-called Internet scams.

The number of attacks has increased, including attacks from state-sponsored co-terrorists, all the way to so-called Nigerian scammers. This brings to the forefront the fact that we need two things right now, yesterday even, namely, identity under federation and also a scalable authorization mechanism that’s linked to this strong identity.

Gardner: Dazza, is there a casual approach to this, or a professional need? By that, I mean that we see a lot of social media activities, Facebook for example, where people can have an identity and may or may not be verified. That’s sort of the casual side, but it sounds like what we’re really talking about is more for professional business or eCommerce transactions, where verification is important. In other words, is there a division between these two areas that we should consider before we get into it more deeply?

Greenwood: Rather than thinking of it as a division, a spectrum would be a more useful way to look at it. On one side, you have, as you mentioned, a very casual use of identity online, where it may be self-asserted. It may be that you've signed a posting or an email.

On the other side, of course, the Internet and other online services are being used to conduct very high value, highly sensitive, or mission-critical interactions and transactions all the time. When you get toward that spectrum, a lot more information is needed about the identity authenticating, that it really is that person, as Thomas was starting to foreshadow. The authorization, workflow permissions, and accesses are also incredibly important.

In the middle, you have a lot of gradations, based partly on the sensitivity of what’s happening, based partly on culture and context as well. When you have people who are operating within organizations or within contexts that are well-known and well-understood -- or where there is already a lot of not just technical, but business, legal, and cultural understanding of what happens -- if something goes wrong, there are the right kind of supports and risk management processes.

There are different ways that this can play out. It’s not always just a matter of higher security. It’s really higher confidence, and more trust based on a variety of factors. But the way you phrased it is a good way to enter this topic, which is, we have a spectrum of identity that occurs online, and much of it is more than sufficient for the very casual or some of the social activities that are happening.

Higher risk

But as the economy in our society moves into a digital age, ever more fully and at ever-higher speeds, much more important, higher risk, higher value interactions are occurring. So we have to revisit how it is that we have been addressing identity -- and give it more attention and a more careful design, instead of architectures and rules around it. Then we’ll be able to make that transition more gracefully and with less collateral damage, and really get to the benefits of going online.

Gardner: Jim Hietala, before we go into what’s been happening in the field around ID management, I just wanted to get a better sense of the urgency here. We hear quite a bit about consumerization of IT trends in the enterprise, driven in many respects by mobile use. But it seems to me that there is a need here to move rapidly away from de facto single sign-on through some of the social networks and get more of a mission-critical approach to this.

Do you agree that people have been falling into a consumer’s sense of security for single sign-on, but that it really needs to be better, and therefore we need to ramp up the urgency around it?

Hietala: I do agree with that. It’s not just mobile. You can look at things that are happening right now in terms of trojans, bank fraud, scammers, and attackers, wire transferring money out of companies’ bank accounts and other things you can point to.

There are failures in their client security and the customer’s security mechanisms on the client devices, but I think there are also identity failures. They need new approaches for financial institutions to adopt to prevent some of those sorts of things from happening. I don’t know if I’d use the word "rampant," but they are clearly happening all over the place right now. So I think there is a high need to move quickly on some of these issues.

Gardner: I sense that the legacy or historical approach was piecemeal, somewhat slow to react to the marketplace. Then, there is this other side, where the social mechanisms have crept in, and in the middle of this big hole you could drive a truck through.

So let’s talk about what’s going to be happening to shore this up and pull it together? Let’s look at some of the big news. What are some of the large milestones? We’ll start with you Jim for ID management leading up to the present.

Hietala: Well, so I think the biggest recent news is the US National Strategy for Trusted Identities in Cyber Space (NSTIC) initiative. We’ll probably talk about that as we go through this discussion, but that clearly shows that a large government, the United States government, is focused on the issue and is willing to devote resources to furthering an ID management ecosystem and construct for the future.

To me that’s the biggest recent news. You can look on the threat and attack side, and see all sorts of instances, where even the LinkedIn attacks from the last week or so, demonstrate that identity and the loss of identity information is a big deal. You don’t have to look far in the news headlines these days to see identity taking front and center as a big issue that needs to be addressed.

Gardner: Let’s go to you, Dazza. What do you see as the big news or milestones of the day? Then, maybe a secondary question on what Jim just mentioned -- that it’s not just about protecting ID, that the bad guys are often trying to take IDs away from others?

At a crossroads

Greenwood: I think that’s right. Where we are just now is at a crossroads where finally industry, government, and increasingly the populations in general, are understanding that there is a different playing field. In the way that we interact, the way we work, the way we do healthcare, the way we do education, the way our social groups cohere and communicate, big parts are happening online.

In some cases, it happens online through the entire lifecycle. What that means now is that a deeper approach is needed. Jim mentioned NSTIC as one of those examples. There are a number of those to touch on that are occurring because of the profound transition that requires a deeper treatment.

NSTIC is the US government’s roadmap to go from its piecemeal approach to a coherent architecture and infrastructure for identity within the United States. It could provide a great model for other countries as well.

People can reuse their identity, and we can start to address what you're talking about with identity and other people taking your ID, and more to the point, how to prove you are who you said you were to get that ID back. That’s not always so easy after identity theft, because we don’t have an underlying effective identity structure in the United States yet.

I just came back from the United Kingdom at a World Economic Forum meeting. I was very impressed by what their cabinet officers are doing with an identity-assurance scheme in large scale procurement. It's very consistent with the NSTIC approach in the United States. They can get tens of millions of their citizens using secure well-authenticated identities across a number of transactions, while always keeping privacy, security, and also individual autonomy at the forefront.

There are a number of technology and business milestones that are occurring as well. Open Identity Exchange (OIX) is a great group that’s beginning to bring industry and other sectors together to look at their approaches and technology. We’ve had Security Assertion Markup Language (SAML). Thomas is co-chair of the PC, and that’s getting a facelift.

That approach was being brought to match scale with OpenID Connect, which is OpenID and OAuth. There are a great number of technology innovations that are coming online.

Legally, there are also some very interesting newsworthy harbingers. Some of it is really just a deeper usage of statutes that have been passed a few years ago -- the Uniform Electronic Transactions Act, the Electronic Signatures in Global and National Commerce Act, among others, in the US.

There is the eSignature Directive and others in Europe and in the rest of the world that have enabled the use of interactions online and dealt with identity and signatures, but have left to the private sector and to culture which technologies, approaches, and solutions we’ll use.

Now, we're not only getting one-off solutions, but architectures for a number of different solutions, so that whole sectors of the economy and segments of society can more fully go online. Practically everywhere you look, you see news and signs of this transition that’s occurring, an exciting time for people interested in identity.

Gardner: Before we define a few of these approaches, Thomas, a similar question to you, but through a technical lens. What’s most new and interesting from your perspective on what’s being brought to bear on this problem, particularly from a technology perspective?

Two dimensions

Hardjono: It's along two dimensions. The first one is within the Kerberos Consortium. We have a number of people coming from the financial industry. They all have the same desire, and that is to scale their services to the global market, basically sign up new customers abroad, outside the United States. In wanting to do so, they're facing a question of identity. How do we assert that somebody in a country is truly who they say they are?

The second introduces a number of difficult technical problems. Closer to home and maybe at a smaller scale, the next big thing is user consent. The OpenID exchange and the OpenID Connect specifications have been completed, and people can do single sign-on using technology such as OAuth 2.0.

The next big thing is how can an attribute provider, banks, telcos and so on, who have data about me, share data with other partners in the industry and across the sectors of the industry with my expressed consent in a digital manner.

Gardner: Let’s drill down a little bit. Dazza, tell us a bit about the MIT Core ID approach and how this relates to the Jericho Forum approach. I suppose you'd have to just do a quick explanation of what Jericho is in the process of explaining it.

Greenwood: I would defer to Jim of The Open Group to speak more authoritatively on Jericho Forum, which is a part of Open Group. But, in general, Jericho Forum is a group of experts in the security field from industry and, more broadly, who have done some great work in the past on deperimeterized security and some other foundational work.

In the last few years, they've been really focused on identity, coming to realize that identity is at the center of what one would have to solve in order to have a workable approach to security. It's necessary, but not sufficient, for security. We have to get that right.

To their credit, they've come up with a remarkably good list of simple understandable principles, that they call the Jericho Forum Identity Commandments, which I strongly commend to everybody to read.

It puts forward a vision of an approach to identity, which is very consistent with an approach that I've been exploring here at MIT for some years. A person would have a core ID identity, a core ID, and could from that create more than one persona. You may have a work persona, an eCommerce persona, maybe a social and social networking persona and so on. Some people may want a separate political persona.

You could cluster all of the accounts, interactions, services, attributes, and so forth, directly related to each of those to those individual personas, but not be in a situation where we're almost blindly backing into right now. With a lot of the solutions in the market, your different aspects of life, unintentionally sometimes or even counter-intentionally, will merge.

Good architecture

Sometimes, that’s okay. Sometimes, in fact, we need to be able to have an inability to separate different parts of life. That’s part of privacy and can be part of security. It's also just part of autonomy. It's a good architecture. So Jericho Forum has got the commandments.

Many years ago, at MIT, we had a project called the Identity Embassy here in the Media Lab, where we put forward some simple prototypes and ideas, ways you could do that. Now, with all the recent activity we mentioned earlier toward full-scale usage of architectures for identity in US with NSTIC and around the world, we're taking a stronger, deeper run at this problem.

Thomas and I have been collaborating across different parts of MIT. I'm putting out what we think is a very exciting and workable way that you can in a high security manner, but also quite usably, have these core identifiers or individuals and inextricably link them to personas, but escape that link back to the core ID, and from across the different personas, so that you can get the benefits when you want them, keeping the personas separate.

Also it allows for many flexible business models and other personalization and privacy services as well, but we can get into that more in the fullness of time. But, in general, that’s what’s happening right now and we couldn’t be more excited about it.

Gardner: Of course, you'll be discussing this in greater detail at The Open Group Conference coming up on July 16, so we look forward to that. When it comes to this notion of a core ID, where might that be implemented and instantiated? Where would I keep my core ID, so that I could develop these other personas, have a form of federation as a result, but managed through my own core? Where would that core reside?

Greenwood: I'll say a couple of words on that and I think Thomas has a few words as well. The Jericho Forum is pretty definite that they favor having the individual human being have a hardware device of some kind, a cryptographically hardened module of some kind, within which the data that comprises the core identifier.

Also some wrapping data that Thomas and I are putting forward in the proposed architecture would reside on it, and that would be literally owned and under control of, in the pocket of, the person, so they can treat it almost like their wallet. It maybe would become part of the future wallet, or what we come to think of this as a wallet, with digital walletized services on phones and other devices people have with them.

So there is that high dimension, a very basic answer where the data would reside. It's important to recognize that people are not computer scientists and hardware manufacturers, and don't run data centers in their basements. There is always a critical role for service providers to make this easy for people, so there would be simple products and simple services that people can use to have the issuance and management of each of the layers of their identity.

Part of what we have done is come up with an architecture with the right types of institutions. Mixes of governments and other highly-trusted institutions that for hundreds or more years have already been the authoritative source for identity, as opposed to new startups, would have their appropriate role. Then, layers of service providers that provide personalization, eCommerce, and other services, whatever their appropriate roles within the ecosystem we’re looking toward to help support and enable within the architecture we’re putting up. Thomas may have some more on that.

Hardjono: I agree with Dazza. For a global infrastructure for core identities to be able to develop, we definitely need collaboration between the governments of the world and the private sector. Looking at this problem, we were searching back in history to find an analogy, and the best analogy we could find was the rollout of a DNS infrastructure and the IP address assignment.

Here today

It's not perfect and it's got its critics, but the idea is that you could split blocks of IP addresses and get it sold and resold by private industry, really has allowed the Internet to scale, hitting limitations, but of course IPv6 is on the horizon. It's here today.

So we were thinking along the same philosophy, where core identifiers could be arranged in blocks and handed out to the private sector, so that they can assign, sell it, or manage it on behalf of people who are Internet savvy, and perhaps not, such as my mom. So we have a number of challenges in that phase.

Gardner: Very interesting. Does this relate to the MIT Model Trust Framework System Rules project? If so, please explain how and how this notion of a directory -- either private, public or in some combination -- would help to move this core ID concept forward.

Greenwood: The Model Trust Framework System Rules project that we are pursuing in MIT is a very important aspect of what we're talking about. Thomas and I talked somewhat about the technical and practical aspects of core identifiers and core identities. There is a very important business and legal layer within there as well.

So these trust framework system rules are ways to begin to approach the complete interconnected set of dimensions necessary to roll out these kinds of schemes at the legal, business, and technical layers.

They come from very successful examples in the past, where organizations have federated ID with more traditional approaches such as SAML and other approaches. There are some examples of those trust framework system rules at the business, legal, and technical level available.

Right now it’s CIVICS.com, and soon, when we have our model MIT under Creative Commons approach, we'll take a lot of the best of what’s come before codified in a rational way. Business, legal, and technical rules can really be aligned in a more granular way to fit well, and put out a model that we think will be very helpful for the identity solutions of today that are looking at federate according to NSTIC and similar models. It absolutely would be applicable to how at the core identity persona underlying architecture and infrastructure that Thomas, I, and Jericho Forum are postulating could occur.

Gardner: Thomas, anything to add to what Dazza just said?

Hardjono: No. I'm looking back 10-15 years. We engineers came up with all sorts of solutions and standardized them. What’s really missing is the business models, business cases, and of course the legal side.

How can a business make revenue out of the management of identity-related aspects, management of attributes, and so on and how can they do so in such a manner that it doesn’t violate the user’s privacy. But it’s still user-centric in the sense that the user needs to give consent and can withdraw consent and so on. And trying to develop an infrastructure where everybody is protected.

Gardner: So it sounds as if you are proposing a chartered or regulated industry, perhaps modeled somewhat on ICANN and the way that DNS has been managed to be the facilitator of these core IDs and then further into federation. Is that fair?

Almost an afterthought

Hardjono: It's only an analogy. Unfortunately if you look at history, people say that ICANN is an organization that was put together quickly, slapped together quickly, because the Internet was growing so fast. It's almost an afterthought for how to regulate the management of IP addresses.

I am hoping that this time around, for identity, we have a more planned and thought-out process that would allow an infrastructure to remain for the next 50 years or 100 years and scale for the needs of technology 50 years from now and 100 years from now.

Greenwood: I’ll just pick up on that a little bit. What you described there was like a regulated industry. Perhaps one day, but that’s not today and that’s not tomorrow. What we have today is just reality, as it exists, and so what we're coming up with is something that works in a few levels. One of them is a vision in line with the Jericho Forum’s vision. It's a future state vision. It's a very good vision to work towards to help organize our thinking and to get out for discussion and dialogue on ideal amendments or consensus.

Meanwhile, from this trust framework system rules approach and some of the skunkworks project that we'll be able to share at The Open Group Conference in D.C. out of MIT, we're showing in a stepwise way how can we get there from here, what constructive things can we do that are in alignment with this vision today.

The system rules at the business, legal, and technical level in this model trust framework system rules approach are great because they are very flexible. There are lots of examples in payment systems, supply chains, identity federations, and other places, where they use multilateral contractual approaches, can allow multiple stakeholders to get together right now to define their liability, choose the technologies, establish the business processes, and so forth and get rolling.

So we are attempting to offer something that can work today. One day perhaps there may be an industry or industries that may be regulated without really presuming how exactly that will come out. Those are decisions, as Thomas said, that are best made, because they are infrastructural really, by a number of different parties over time.

Gardner: Jim Hietala, at The Open Group, being a global organization focused on the collaboration process behind the establishment of standards, it sounds like these are some important aspects that you can bring out to your audience, and start to create that collaboration and discussion that could lead to fuller implementation. Is that the plan, and is that what we're expecting to hear more of at the conference next month?

Hietala: It is a plan, and we do get a good mix at our conferences and events of folks from all over the world, from government organizations and large enterprises as well. So it tends to be a good mixing of thoughts and ideas from around the globe on whatever topic we're talking about -- in this case identity and cyber security.

At the Washington Conference, we have a mix of discussions. The kick-off one is a fellow by the name of Joel Brenner who has written a book, America the Vulnerable, which I would recommend. He was inside the National Security Agency (NSA) and he's been involved in fighting a lot of the cyber attacks. He has a really good insight into what's actually happening on the threat and defending against the threat side. So that will be a very interesting discussion.

Then, on Monday, we have conference presentations in the afternoon looking at cyber security and identity, including Thomas and Dazza presenting on some of the projects that they’ve mentioned.

Cartoon videos

Then, we're also bringing to that event for the first time, a series of cartoon videos that were produced for the Jericho Forum. They describe a lot of the commandments that Dazza mentioned in a more approachable way. So they're hopefully understandable to laymen, and folks with not as much understanding about all the identity mechanisms that are out there. So, yeah, that’s what we are hoping to do.

Gardner: Do you sense that what MIT has been working on, and what Dazza and Thomas have been describing, are some important foundational blocks to where you see this going? Are they filling a need that you can bring to bear on the discussions and some of the standardization work at The Open Group?

Hietala: Absolutely. They fill a void in the market in terms of organizations that are willing to do that sort of work. The Jericho Forum tends to do forward-looking, thought-leadership kinds of work, looking at problems at the highest level and providing some guidance. Doing model trust frameworks and those sorts of things is that next layer of detail down that’s really critical to the industry. So we encourage it and are happy it's happening.

Gardner: We’re coming up on our time limit, but I did want to dive a little bit deeper into NSTIC. We mentioned that earlier on as an important aspect. Now that we’ve talked a bit more about what's going on with Core ID concepts and trust framework activities, perhaps we could now better explain what NSTIC is and does, but in the context of what we’ve already understood. Who would like to take a step at that?

Greenwood: The best person to speak about NSTIC in the United States right now is probably President Barack Obama, because he is the person that signed the policy. Our president and the administration has taken a needed, and I think a very well-conceived approach, to getting industry involved with other stakeholders in creating the architecture that’s going to be needed for identity for the United States and as a model for the world, and also how to interact with other models.

Jeremy Grant is in charge of the program office and he is very accessible. So if people want more information, they can find Jeremy online easily at nist.gov/nstic. And nstic.us also has more information.

In general, NSTIC is a strategy document and a roadmap for how a national ecosystem can emerge, which is comprised of a governing body. They're beginning to put that together this very summer, with 13 different stakeholders groups, each of which would self-organize and elect or appoint a person -- industry, government, state and local government, academia, privacy groups, individuals -- which is terrific -- and so forth.

That governance group will come up with more of the details in terms of what the accreditation and trust marks look like, the types of technologies and approaches that would be favored according to the general principles I hope everyone reads within the NSTIC document.

At a lower level, Congress has appropriated more than $10 million to work with the White House for a number of pilots that will be under a million half dollars each for a year or two, where individual proof of concept, technologies, or approaches to trust frameworks will be piloted and put out into where they can be used in the market.

In general, by this time two months from now, we’ll know a lot more about the governing body, once it’s been convened and about the pilots once those contracts have been awarded and grants have been concluded. What we can say right now is that the way it’s going to come together is with trust framework system rules, the same exact type of entity that we are doing a model of, to help facilitate people's understanding and having templates and well-thought through structures that they can pull down and, in turn, use as a starting point.

Circle of trust

So industry-by-industry, sector-by-sector, but also what we call circle of trust by circle of trust. Folks will come up with their own specific rules to define exactly how they will meet these requirements. They can get a trust mark, be interoperable with other trust framework consistent rules, and eventually you'll get a clustering of those, which will lead to an ecosystem.

The ecosystem is not one size fits all. It’s a lot of systems that interoperate in a healthy way and can adapt and evolve over time. A lot more, as I said, is available on nstic.us and nist.gov/nstic, and it's exciting times. It’s certainly the best government document I have ever read. I'll be so very excited to see how it comes out.

Gardner: A good read for the summer, no doubt. Before we close out, let's affirm for our audience how important this is. Clearly, we are at a crossroads, as you mentioned, Dazza. It seems to me that the steam, the pressure, for having a better means of ID management is building rapidly from things like the use of multiple mobile devices, location-based commerce, the fact that more of our personal business and economic lives are moving to the cyber realm.

Being able to continue to gain productivity from that really falls back to this issue about maintaining a core and verifiable identity, and being able to use that effectively in more-and-more types of activities.

Do you agree? What would be some of the future trends that are going to drive even more demand to solve this problem? Let’s start with you, Jim, and go through our panel. What’s coming down the pike that’s going to make this yet more important?

Hietala: I would turn to the threat and attacks side of the discussion and say that, unfortunately, we're likely to see more headlines of organizations being breached, of identities being lost, stolen, and compromised. I think it’s going to be more bad news that's going to drive this discussion forward. That’s my take based on working in the industry and where it’s at right now.

Gardner: Thomas, same question.

Hardjono: I mentioned the user consent going forward. I think this is increasingly becoming an important sort of small step to address and to resolve in the industry and efforts like the User Managed Access (UMA) working group within the Kantara Initiative.

Folks are trying to solve the problem of how to share resources. How can I legitimately not only share my photos on Flickr with data, but how can I allow my bank to share some of my attributes with partners of the bank with my consent? It’s a small step, but it’s a pretty important step.

Gardner: Dazza, what future events or trends are going to drive this more rapidly to the public consciousness and perhaps even spur the movement towards some resolution?

Greenwood: I completely agree with Thomas, keep your eyes on UMA out of Kantara. Keep looking at OASIS, as well, and the work that’s coming with SAML and some of the Model Trust Framework System Rules.

Most important thing

In my mind the most strategically important thing that will happen is OpenID Connect. They're just finalizing the standard now, and there are some reference implementations. I'm very excited to work with MIT, with our friends and partners at MITRE Corporation and elsewhere.

That’s going to allow mass scales of individuals to have more ready access to identities that they can reuse in a great number of places. Right now, it's a little bit catch-as-catch-can. You’ve got your Google ID or Facebook, and a few others. It’s not something that a lot of industries or others are really quite willing to accept to understand yet.

They've done a complete rethink of that, and use the best lessons learned from SAML and a bunch of other federated technology approaches. I believe this one is going to change how identity is done and what’s possible.

They’ve done such a great job on it, I might add. It fits hand in glove with the types of Model Trust Framework System Rules approaches, a layer of UMA on top, and is completely consistent with the architecture rights, with a future infrastructure where people would have a Core ID and more than one persona, which could be expressed as OpenID Connect credentials that are reusable by design across great numbers of relying parties getting where we want to be with single sign-on.

So it's exciting times. If it's one thing you have to look at, I’d say do a Google search and get updates on OpenID Connect and watch how that evolves.

Gardner: Very good. We've been talking about cyber security and the burgeoning role that identification management plays in the overall securing of assets and systems. We've learned quite a bit about how individuals in organizations could begin to better protect themselves through better understanding and managing of their online identities.

This special BriefingsDirect discussion comes to you in conjunction with The Open Group Conference from July 16 to 20 in Washington, D.C. You’ll hear more from these and other experts on the ways that IT and enterprise architecture support enterprise transformation.

I’d like to thank our panel for this fascinating discussion, Jim Hietala, the Vice President of Security at The Open Group. Thank you, Jim.

Hietala: Thank you, Dana.

Gardner: We are also here with Thomas Hardjono, Technical Lead and Executive Director of the MIT Kerberos Consortium. Thank you so much, Thomas.

Hardjono: Thank you, Dana.

Gardner: And also Dazza Greenwood, President of the CIVICS.com consultancy and a lecturer at the MIT Media Lab. Thanks very much, Dazza.

Greenwood: Thanks. It's been a pleasure.

Gardner: I look forward to your presentations in Washington and I encourage our readers and listeners to look at this conference, register if you can, go to learn more about what’s going to be happening there and some of the activities will be streamed live for you to consume regardless of where you are.

Thank you all too, the audience, for listening. This is Dana Gardner, Principal Analyst at Interarbor Solutions. Don’t forget to come back next time.


Transcript of a BriefingsDirect podcast in conjunction with the upcoming Open Group Conference on the current state and future outlook for identity management. Copyright The Open Group and Interarbor Solutions, LLC, 2005-2012. All rights reserved.


Wednesday, February 22, 2012

Enterprise Architecture and Enterprise Transformation: Related But Distinct Concepts That Can Change the World

Transcript of a sponsored podcast discussion on the respective roles of enterprise architecture and enterprise transformation and the danger -- and opportunity -- of conflating the two.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: The Open Group.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference held in San Francisco the week of January 30, 2012.

We've assembled a panel from among the conference speakers and contributors to examine the fascinating relationship between enterprise architecture (EA) and enterprise transformation. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

For some, the role and impact of information technology and the organizing benefits of enterprise architecture make them larger than life, when it comes to enterprise transformation. In other words, if you really want enterprise transformation, you really need enterprise architecture to succeed in the modern enterprise.

For others, the elevation of enterprise architecture as a tag team to enterprise transformation improperly conflates the role of enterprise architecture and, as such, waters down enterprise architecture and risks obscuring its unique contribution.

So how should we view these roles and functions? How high into the enterprise transformation firmament should enterprise architecture rise? And will rising too high, in effect, melt its wings and cause it to crash back to earth and perhaps become irrelevant?

Or is enterprise transformation nowadays significantly dependent upon enterprise architecture, and therefore, we should make enterprise architecture a critical aspect for any business moving forward?

We'll pose these and other questions to our panel here to deeply examine the relationship between enterprise architecture and enterprise transformation. So with that, let me now introduce our guests.

We're here with Len Fehskens, Vice President of Skills and Capabilities at The Open Group. Welcome, Len.

Len Fehskens: Hi, Dana. Great to be here.

Gardner: We're also here with Madhav Naidu, Lead Enterprise Architect at Ciena Corp. Welcome to the show, Madhav.

Madhav Naidu: Thanks, Dana.

Gardner: We're also here with Bill Rouse, Professor in the School of Industrial and Systems Engineering and the College of Computing, as well as Executive Director of the Tennenbaum Institute, all at the Georgia Institute of Technology. He's also the Principal at Rouse Associates. Welcome to our show, Bill.

Bill Rouse: It's great to be here, Dana. Thank you.

Gardner: And Jeanne Ross, Director and Principal Research Scientist at the MIT Center for Information Systems Research, joins us. Welcome back, Jeanne.

Jeanne Ross: Good morning, Dana.

Architecture and transformation

Gardner: Let's start with you Len. You’ve been tracking enterprise architecture for quite some time. You’ve been a practitioner of this. You’ve been involved with The Open Group for some time. Why is enterprise transformation not significantly dependent upon enterprise architecture, and why would it be a disservice to bring enterprise architecture into the same category?

Fehskens: I don't think that's quite what I believe. My biggest concern is the identification of enterprise architecture with enterprise transformation.

First of all, these two disciplines have different names, and there's a reason for that. Architecture is a means to transformation, but it is not the same as transformation. Architecture enables transformation, but by itself is not enough to effect successful transformation. There are a whole bunch of other things that you have to do.

My second concern is that right now, the discipline of enterprise architecture is sort of undergoing -- I wouldn’t call it an identity crisis -- but certainly, it's the case that we still really haven't come to a widespread, universally shared understanding of what enterprise architecture really means.

Just go onto any Internet discussion group about enterprise architecture, open up the discussion about the definition of enterprise architecture, and I guarantee that you will get hundreds and hundreds of posts all arguing about what enterprise architecture is. To make that problem worse by trying to fold enterprise transformation into the function of enterprise architecture is just not a good idea at this point.

My position is that they're two separate disciplines. Enterprise architecture is a valuable contributor to enterprise transformation, but the fact of the matter is that people have been transforming enterprises reasonably successfully for a long time without using enterprise architecture. So it's not necessary, but it certainly helps. It's just like having power tools makes it easier to build a house, but people have been building houses for a long time without power tools.

I'm concerned about making bigger promises than we can actually keep by falling into the trap of believing that enterprise architecture, by itself, is sufficient to make enterprise transformation successful. I don’t think that’s the case. There are other things that you need to be able to do besides developing architectures in order to successfully transform an enterprise.

Gardner: Okay, Len, if the concept, the notion, or the definition of enterprise architect is changing, I suppose we also have to recognize that enterprise transformation, as it's defined, is changing as well. To borrow from your analogy, the power tools to build a house are not necessary, but you might be able to build a better house a lot faster. And building things better and faster seem to be much more a part of enterprise transformation now than they used to be.

Fehskens: No argument, but again, to use that analogy, you can do more with power tools than build just houses. You can build all kinds of other stuff as well. So, no argument at all that enterprise architecture is not a powerful means to effecting enterprise transformation, but they are distinct disciplines. The means to an end doesn’t mean the means is the end and doesn’t make them synonymous. They are still, as I said, distinct.

Gardner: I think we’re getting close to understanding the relationship. Madhav, as a practitioner of enterprise architecture at Ciena Corp., are you finding that your role, the value that you’re bringing to your company as an enterprise architect, is transformative? Do you agree with Len? Do you think that there's really a confluence between these different disciplines at this time?

Means and ends

Naidu: Definitely. What Len mentioned, it rhymes very well with me. The means and the end, kind of blending it down. Transformation itself is more like a wedding and EA is more like a wedding planner. I know we have seen many weddings without a wedding planner, but it makes it easier if you have a wedding planner, because they have gone through certain steps (as part of their experience). They walk us through those processes, those methods, and those approaches. It makes it easier.

That’s why, definitely, I agree with what Len said. Enterprise transformation is different. It's a huge task and it is the actual end. Enterprise architecture is a profession that can help lead the transformation successfully.

One other point Len brought up in this discussion is that it is not just the enterprise architects who will be doing the whole thing. Almost everybody in the enterprise is engaged in one way or another. The enterprise architect plays more like a facilitator role. They are bringing the folks together, aligning them with the transformation, the vision of it, and then driving the transformation and building the capabilities. Those are the roles I will look at EA handling, but definitely, these two are two different aspects.

Gardner: Is there something about the state of affairs right now that makes enterprise architecture specifically important or particularly important for enterprise transformation? I believe I'm getting more towards this idea that IT is more important and that the complexity of the relationship between IT and business necessitates EA and therefore transformation really can't happen without it.

Naidu: We know many organizations that have successfully transformed without really calling a function EA and without really using help from a team called EA. But indirectly they are using the same processes, methods, and best practices. They may not be calling those things out, but they are using the best practices. When they do that, the transformations have been successful, but then when they don’t apply those best practices and standards, there are many organizations that fail.

That’s why, now, like Len brought up earlier, there is a lot of discussion about what really constitutes an EA and where are the boundaries for EA, because it is part IT, there are different roles, and part business, and a lot of people are engaged.

So there's a lot of churn going on over what should be the part of EA. But going back to your question, I definitely see the critical role EA is playing. Hopefully, in the next few years, EA will form its appropriate objectives, processes, and methods so that we can say this is what we mean by EA.

Gardner: Bill Rouse, how do you come down on this? Clearly there's an impact that EA has on enterprise transformation. We seem to grasp for analogies when we try to define this relationship. Are you finding in your research and through the organizations you're working with that the role of architecture creeps in? Even if people don’t know they’re doing architecture, when they get to transformation and a complex setting in today’s world, architecture is almost a necessity.

Rouse: There are two distinctions I’d like to draw. First of all, in the many transformation experiences we've studied, you can simplistically say there are three key issues: people, organizations, and technology, and the technology is the easy part. The people and organizations are the hard part.

The other thing is, I think what you’re talking about is the enterprise IT architecture. If I draw an enterprise architecture, I actually map out organizations and relationships among organizations and work and how it gets done by people and view that as the architecture of the enterprise.

Important enabler

Sometimes, we think of an enterprise quite broadly, like the architecture of the healthcare enterprise is not synonymous with IT. In fact, if you were to magically overnight have a wonderful IT architecture throughout our healthcare system in the United States, it would be quite helpful but we would still have a problem with our system because the incentives aren’t right. The whole incentive system is messed up.

So I do think that the enterprise IT architecture, as I see it -- and others can correct me if I'm wrong, but I think that's what you’re talking about -- is an important enabler, a crucial enabler, to many aspects of enterprise transformation. But I don’t see them as close at all in terms of thinking of them as synonymous.

Gardner: Len Fehskens, are we actually talking about IT architecture or enterprise architecture and what's the key difference?

Fehskens: Well, again that’s this part of the problem, and there's a big debate going on within the enterprise architecture community whether enterprise architecture is really about IT, in which case it probably ought to be called enterprise IT architecture or whether it’s about the enterprise as a whole.

For example, when you look at the commitment of resources to the IT function in most organizations, depending on how you count, whether you count by headcount or dollars invested or whatever, the numbers typically run about 5-10 percent. So there's 90 percent of most organizations that is not about IT, and in the true enterprise transformation, that other 90 percent has to transform itself as well.

So part of it is just glib naming of the discipline. Certainly, what most people mean when they say enterprise architecture and what is actually practiced under the rubric of enterprise architecture is mostly about IT. That is, the implementation of the architecture, the effects of the architecture occur primarily in the IT domain.

Gardner: But, Len, don't TOGAF at The Open Group and ArchiMate really step far beyond IT? Isn’t that sort of the trend?

Fehskens: It certainly is a trend, but I think we've still got a long way to go. Just look at the language that’s used in the architecture development method (ADM) for TOGAF, for example, and the model of an enterprise architecture. There's business, information, application, and technology.

Well, three of those concepts are very much related to IT and only one of them is really about business. And mostly, the business part is about that part of the business that IT can provide support for. Yes, we do know organizations that are using TOGAF to do architecture outside of the IT realm, but the way it's described, the way it was originally intended, is largely focused on IT.

The TOGAF standard was developed almost entirely by the IT community. But it is clear to people who step back far enough from the details of where the implementation happens that architectural thinking is a very generally applicable discipline and certainly can be applied to that other 90 percent of the enterprise that I talked about.

Not a lot going on


It's just that there's not a whole lot of that going on, and as Madhav pointed out, what is going on is generally not called architecture. It's called organizational design or management or it goes under a whole bunch of other stuff. And it's not referred to as enterprise architecture, but there is a lot of that stuff happening. As I said earlier, it is essential to making enterprise transformation successful.

My personal opinion is that virtually all forms of design involve doing some architectural thinking. Whether you call it that or not, architecture is a particular aspect of the design process, and people do it without recognizing it, and therefore are probably not doing it explicitly.

But Bill made a really important observation, which is that it can't be solely about IT. There's lots of other stuff in the enterprise that needs to transform.

Gardner: To that point, let's go to Jeanne Ross. Jeanne, in your presentation at The Open Group Conference, you mentioned data management and that the ability of leveraging analytics and presenting that to more people with good data in real time is an essential ingredient for transformation and for just doing things better, faster, cheaper, more impactful in the market, and so on.

Now wouldn’t the data management as a category sort of cross over? It's got parts of IT, parts of architectures, and parts of organizational management. When we think about making data management essential, doesn’t this in a sense bring about more recognition that an architectural approach that helps foster something at that level at that category becomes really important in today’s world?

Ross: I actually would discourage people from focusing on data management first. We've had a number of companies we studied who thought, "All I care about is the data. I'm just going to get that cleaned up." What they learned was that if they didn’t clean up their processes, they didn’t need to be thinking about data. It was going nowhere.

Analytics has been over-hyped as something that we can do a lot of in IT, while we're waiting for the rest of the organization to get its act together around architecture. Similarly, that has led to a lot of IT efforts that haven’t added real value to organizations.

So I wouldn't emphasize data management as a priority, even though we'll get there eventually. It is actually essential at some point. I think a lot of efforts around data management have been around the idea "Data makes this organization run. Let's get data fixed," as if we could just do that in isolation from everything else. That is a really frustrating approach.

I'd go back to the challenge we have here of enterprise architecture being buried in the IT unit. Enterprise architecture is an enterprise effort, initiative, and impact. Because enterprise architecture is so often buried in IT, IT people are trying to do things and accomplish things that cannot be done within IT.

We've got to continue to push that enterprise architecture is about designing the way this company will do its business, and that it's far beyond the scope of IT alone. I take it back to the transformation discussion. What we find is that when a company really understands enterprise architecture and embraces it, it will go through a transformation, because it's not used to thinking that way and it's not used to acting that way.

Disciplined processes


If management says we're going to start using IT strategically, we're going to start designing ourselves so that we have disciplined business processes and that we use data well, the company is embracing enterprise architecture and that will lead to a transformation.

Data management will be a crucial element of this, but the big mistake I see out there is thinking that IT will fix up data, and that is going to have some big impact on either enterprise architecture or enterprise transformation, or both. The ‘I’ is simply a critical element. It's not something that we can just fix.

Gardner: You also said that someday CIOs are going to report to the enterprise architects, and that’s the way it ought to be. Does that get closer to this notion that IT can't do this alone, that a different level of thinking across disciplines and functions needs to occur?

Ross: I certainly think so. Look at companies that have really embraced and gotten benefits from enterprise architecture like Procter & Gamble, Tetra Pak, and Maersk. At P&G, IT is reporting to the CIO but he is also the President of Shared Services. At Maersk and Tetra Pak, it's the Head of Global Business Processes.

Once we get CIOs either in charge with more of a business role and they are in charge of process, and of the technology, or are reporting to a COO or head of business process, head of business transformation, or head of shared services, then we know what it is we’re architecting, and the whole organization is designed so that architecture is a critical element.

I don’t think that title-wise, this is ever going to happen. I don’t think we’re ever going to see a CIO report to chief enterprise architect. But in practice, what we’re seeing is more CIOs reporting to someone who is, in fact, in charge of designing the architecture of the organization. By that, I mean business processes and its use of data. When we get there, first of all, we will transform to get to that point and secondly, we’ll really start seeing some benefits and real strategic impact of enterprise architecture.

Gardner: Madhav, at Ciena, do you see that this process-level capability around enterprise architecture is what's occurring, even if the titles are not aligned that way or the org chart doesn’t point to the CIO reporting to an architect? Is architecture in practice elevating a process orientation to this capability set that therefore fosters better transformation?

Naidu: Definitely. Some progress has been happening, especially what Jeanne was mentioning about the business process changes itself, rather than just bringing the systems and customizing it to our needs, and rather than transforming our business processes so that they match industry standard.

That’s definitely happening, and the architecture team has engaged and is influencing that process. But that said, the maturity level takes quite a few years, not only at Ciena, but in other places too. It will take some time but this is happening.

Gardner: Len Fehskens, we have a mentality in our organizations that architecture isn't that important, and there's some cynicism and skepticism around architecture, and yet, what we’re hearing is it's not in name only. It is important, and it's increasingly important, even at higher and higher abstractions in the organization.

How to evangelize?


How then do you evangelize or propel architectural thinking into companies? You may have been concerned that advancement of architectural thinking would have been impelled when we conflate enterprise architecture into transformation, but until then, what should you do? How do you get the thinking around an architectural approach more deeply engrained in these companies?

Fehskens: Dana, I think that’s the $64,000 question. The fundamental way to get architectural thinking accepted is to demonstrate value. I mean to show that it really brings something to the party. That’s part of my concern about the conflation of enterprise transformation with enterprise architecture and making even bigger promises that probably can't be kept.

The reason that in organizations who’ve tried enterprise architecture and decided that it didn’t taste good, it was because the effort didn’t actually deliver any value. Certainly the advice that I hear over and over again, and that I myself give over and over again, is: “Don’t try to boil the ocean.” Start small and demonstrate success. And again, there's that old saw that nothing succeeds like success.

The way to get architectural thinking integrated into an organization is to use it in places where it can deliver obvious, readily apparent value in the short-term and then grow out from that nucleus. Trying to bite off more than you can chew only results in you choking. That's the big problem we’ve had historically. There are all these clichés and the reason of clichés is because there's a certain amount of truth to them about your reach exceeding your grasp, for example.

It’s about making promises that you can actually keep. Once you've done that, and done that consistently and repeatedly, then people will say that there's really something to this. There's some reason why these guys are actually delivering on a big promise.

Rouse: Can I offer something, another perspective?

Fehskens: Yeah, please do go.

Rouse: We ran a study recently about what competencies you need to transform an organization based on a series of successful case studies and we did a survey with hundreds of top executives in the industry.

The number one and two things you need are the top leader has to have a vision of where you’re going and they have to be committed to making that happen. Without those two things, it seldom happens at all. From that perspective, I'd argue that the CIO probably already does report to the chief architect. Bill Gates and Steve Jobs architected Microsoft and Apple. Carnegie and Rockefeller architected the steel and oil industries.

If you look at the business histories of people with these very successful companies, often they had a really keen architectural sense of what the pieces were and how they needed to fit together. So if we’re going to really be in the transformation business with TOGAF and stuff, we need to be talking to the CEO, not the CIO.

Gardner: Jeanne Ross, let’s focus on what Bill just said in terms of the architecture function really being at the core and therefore at the highest level of the organization.

Corporate strategy

Ross: I totally agree. The industries and companies that you cited, Bill, instinctively did what every company is going to need to do in the digital economy, which is think about corporate strategy not just in terms of what products do we offer, what markets are we in, what companies do we acquire, and what things do we sell up.

At the highest level, we have to get our arms around it. Success is dependent on understanding how we are fundamentally going to operate. A lot of CEOs have deferred that responsibility to others and when that mandate is not clear, it gets very murky.

What does happen in a lot of companies, because CEOs have a lot of things to pay attention to, is that once they have stated the very high-level vision, they absolutely can put a head of business process or a head of shared services or a COO type in charge of providing the clarification, providing the day-to-day oversight, establishing the relationships in the organizations so everybody really understands how this vision is going to work. I totally agree that this goes nowhere if the CEO isn’t at least responsible for a very high-level vision.

Gardner: So if what I think I'm hearing is correct, how you do things is just as important as what you do. Because we’re in such a dynamic environment, when it comes to supply chains and communications and the way in which technology influences more and more aspects of business, it needs to be architected, rather than be left to a fiat or a linear or older organizational functioning.

So Bill Rouse, the COO, the chief operating officer, wouldn’t this person be perhaps more aligned with enterprise architecture in the way that we’re discussing?

Rouse: Jeanne makes a good point. Let's start with the basic data. We can't find a single instance of a major enterprise transformation in a major company happening successfully without total commitment of top leadership. Organizations just don’t spontaneously transform on their own.

A lot of the ideas and a lot of the insights can come from elsewhere in the organization, but, given that the CEO is totally committed to making this happen, certainly the COO can play a crucial role in how it's then pursued, and the COO of course will be keenly aware of a whole notion of processes and the need to understand processes.

One of the companies I work very closely with tried to merge three companies by putting in ERP. After $300 million, they walked away from the investment, because they realized they had no idea of what the processes were. So the COO is a critical function here.

Just to go back to the original point, you want total commitment by the CEO. You can't just launch the visionary message and walk away. At the same time, you need people who are actually dealing with the business processes to do a lot of the work.

Gardner: Madhav, at Ciena, how do you view the relationship between what you do as a lead enterprise architect and what your operations officer does? It might not be that title, but the function of operations management and oversight. How do they come together?

Not role, but involvement


Naidu: Not by role, but by involvement. There are quite a few business executives engaged in the business process identification and changes. Many of them report to the top executives in the business line. That’s what the current setting is right now. We're pretty happy that that kind of support is coming from many of the executives and business teams. That said, there is no formal relationship in terms of reporting and all.

Gardner: Len Fehskens, you mentioned a while ago that finding success and demonstrating value are instrumental to promulgating the use of architecture and understanding the benefits of architecture. Would operations, rather than just technology, be a target then for how you can demonstrate that? The architecture processes might be the sweet spot in some of the thinking now about where to demonstrate that enterprise architecture is the way to go.

Fehskens: Absolutely. And this ties into another thing we need to be aware of, which is that the need to transform, the motivation for enterprise transformation, doesn’t always come from disruptive technologies. There was a really interesting talk last week at the conference on sustainable enterprise architecture, and they made the point that there are lots of major disruptions that have nothing to do with technology.

In particular, in a world where resources are becoming increasingly scarce, and impact on the environment is a significant concern, the drive to transform an enterprise will often come from other places than the appearance of disruptive technologies. There will be disruptions of all sorts that have to be dealt with. The transformation in response to those isn't going to come out of the IT organization. It's going to have to come from other organizations.

The idea that we talked about at the beginning of the discussion, that architecture is a very powerful means for figuring out what kind of transformation is necessary and how to effect it, means that we need architectures that aren’t about IT. We need to understand driving an architectural approach to the other considerations that an enterprise deals with.

As Bill said, historically it's been the case that the lead architects in the most successful organizations were the guys who had the vision and the guys who were at the very top of the organizational structure who created this organization in the very first place. And they weren’t IT guys. Bill Gates, in particular, didn’t build Microsoft around its IT capability. He built it around a whole bunch of other ideas that were really business ideas, not IT concepts. So, yeah, absolutely.

Gardner: I'm afraid we'll have to wrap it up. I’d like to go once around the panel with a pretty direct question and if you could perhaps provide your succinct thoughts. What is the relationship between enterprise architecture and enterprise transformation? Let's start with you first, Jeanne.

Ross: I'd say the relationship between enterprise architecture and enterprise transformation is two-way. If an organization feels the need for a transformation -- in other words, if it feels it needs to do something -- it will absolutely need enterprise architecture as one of the tools for accomplishing that.

It will provide the clarity the organization needs in a time of mass change. People need to know where they're headed, and that is true in how they do their processes, how they design their data, and then how they implement IT.

It works just as well in reverse. If a company hasn't had a clear vision of how they want to operate, then they might introduce architecture to provide some of that discipline and clarity and it will inevitably lead to a transformation. When you go from just doing what every individual thought was best or every business unit thought was best to an enterprise vision of how a company will operate, you're imposing a transformation. So I think we are going to see these two hand-in-hand.

What's the relationship?


Gardner: Bill Rouse, same question, what in your view is the relationship between enterprise architecture and enterprise transformation?

Rouse: I think enterprise transformation often involves a significant fundamental change of the enterprise architecture, broadly defined, which can then be enabled by the enterprise IT architecture.

Gardner: Madhav, also to you the same question, relationship between EA and enterprise transformation?

Naidu: Like I mentioned in the beginning, one is end, another one is means. I look at the enterprise transformation as an end and enterprise architecture providing the kind of means. In one way it's like reaching the destination using some kind of transportation mechanism. That’s how I look at the difference between EA and ET.

Gardner: Len, I know you’ve gone on at some length about this, but perhaps the elevator version. How do you view the relationship between EA and enterprise transformation?

Fehskens: One of the fundamental principles of architecture is taking advantage of reuse when it's appropriate. So I'm just going to reuse what everybody just said. I can't say it better. Enterprise architecture is a powerful tool for effecting enterprise transformation. Jeanne is right. It's a symmetric or bidirectional back-and-forth kind of relationship, and what Bill and Madhav said applies as well. So I really don't have anything to add.

Gardner: Well, I found it very interesting. I have a newfound appreciation for architecting how you do something better enables you to decide what it is that you're going to do in the future, and there is an interesting relationship between how and what that perhaps escapes some folks. I hope they recognize that a little bit more deeply.

You’ve been listening to a sponsored podcast discussion in conjunction with The Open Group Conference in San Francisco, the week of January 30th, 2012. We've enjoyed our discussion with our guests and I’d like to thank them and call them out individually one more time.

Len Fehskens, the Vice President of Skills and Capabilities at The Open Group. Thank you, Len.

Fehskens: Thank you, Dana.

Gardner: Madhav Naidu, Lead Enterprise Architect at Ciena Corporation. Thanks so much.

Naidu: It's been my pleasure.

Gardner: Bill Rouse, Professor in the School of Industrial and Systems Engineering as well as the College of Computing and also Executive Director at The Tennenbaum Institute, all at the Georgia Institute of Technology, and Principal at Rouse Associates. Thank you, Bill.

Rouse: Thank you. I enjoyed it.

Gardner: And Jeanne Ross, Director and Principal Research Scientist at the MIT Center for Information Systems Research. Thanks so much for your input.

Ross: Thank you. Great talking with you all.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks to our audience for joining us, and come back next time.

Transcript of a sponsored podcast discussion on the respective roles of enterprise architecture and enterprise transformation and the danger -- and opportunity -- of conflating the two. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.
