Identity and Access Management (IAM)

During my recent visit to Euro CACS - the Computer Audit and Control Symposium - in Stockholm the event night was held at the Vasa museum.  This museum contains the preserved remains of the Vasa a 16^th century man of war that was recovered from the sea near Stockholm.  The story of this ship is one that will have a ring of familiarity to anyone involved in the IT industry.

The king of Sweden had recently won independence from Denmark and was at war with Denmark and Poland over trade.  He needed an impressive war machine to defeat his enemies and, as a consequence, he commissioned this ship to be built.  Because he needed something that went above and beyond the accepted standards he personally specified that this ship should have an extra gun deck.  At that time the best and most accomplished shipbuilders were from Holland - he therefore commissioned a Dutch shipbuilder to build the ship.

Building the ship was a long process taking two and a half years.  This was in part because the main source of oak needed to build the ship was mainly available from Denmark who was Sweden's enemy.  During the build the original shipbuilder died and was replaced by another Dutchman.

When the ship was completed it was named the Vasa in honour of the king whose family name was Vasa.   Because the Vasa was a new design - the admiral insisted on certain tests before he would accept the ship.  Included in these tests was a stability test - which comprised the crew repeatedly running across the deck of the ship from side to side.  This particular test had to be abandoned because the ship came so close to capsizing.  Before the tests were completed the king, who was making war off the coast of Poland, insisted that the craft be made available immediately to help with this effort.  The admiral therefore commanded the ship to be made ready and to sail to the King without further delay.

The Vasa set out from Stockholm harbour firing all guns in salute to the absent king.  There was a strong following wind and the ship made steady progress for 2km until it passed by a gap between the islands of the Stockholm archipelago.  Through this gap there was a strong gust of a crosswind which caused the ship to immediately roll to one side.  The gun covers, which had been opened for the salute, but had not been closed allowed water to pour in sinking the boat.  The stricken craft sank to the bottom with only the masts, still flying the Swedish flag, visible above the sea.

The enquiry which followed the loss questioned the shipbuilder, the admiral and the captain of the ship.  Everyone agreed that, because of the divine nature of the king, his specification of this new design could not be the cause.  The admiral was questioned about the stability of the ship.  He gave the opinion that all sailing ships were to some degree unstable and it was up to the captain to adjust the ballast appropriately to mitigate this.  The captain testified that he had fully loaded the ballast (a fact that was disproved during the recovery) and that it must be the fault of the shipbuilder.  The shipbuilder said that he was simply following the instructions of the king and the details worked out by his predecessor.  Finally the enquiry decided that it was the fault of the original shipbuilder.

So - even if your customer is divine and even if he puts the product into use when it failed his tests, and in addition the end user does not use the product correctly - you will be blamed if the product you delivered to his specification does not work.