Wednesday, November 12, 2008
Gartner last presentation
Notes from the conference: Shannon Wilson is the coolest boss on the planet. Really, so many ways to describe it but the best reference isn't my word, it's how many people at work are now approaching him wanting to be a part of his team. A good boss is like gold.
When you attend a Gartner conference and you're in the last session....ask a friggin question. I failed to notice the 4 iPod Nanos up front...one for each questioner. Well how could you know, you ask? Ummm...cuz they did the exact same thing last time (2 yrs ago). Oh well. I didn't win a damn thing.
Overall the conference was one of the best I've been to...relevant info, GREAT Wifi (consistently and EVERYWHERE) and very very good food (from the vendors).
One more thing, IT conferences are great because of the diversity. I see Indians, Asians, Europeans, Canadians, South Americans, Caribbeans. I love the voices and the perspectives.
Making the case for IAM
1. Understand the context
a. What does the business really want?
b. Listen, don't pontificate
2. Plan and execute
a. Establish the mechanics
3. Maintain
a. Close the loop
"The foundation of effective support is credibility"
Understand the business strategy
Faster, better, less expensive
Map IAM strategy back to the business strategy
Understand the business environment
Drivers, Economics, Competition
Understand the business risk and risk affinity
Establish effective governance
IAM Steering committee
Role of Security vs Information/process owners, people owners
Establish channels of communication
Identify key stakeholders
Meetings, presentations, documentation
Build relationships
Marketing principles
Differentiate target audiences
SWOT it
Customize messages, packaging, and execution
Key issue 2 - Communicating the business value of the program
Articulate the business model
The 4i Model
Capture the business drivers
Security efficiency
Security effectiveness
Business agility and Performance
Map drivers to Values and Actions
Business value - Expected Benefits
Relevant Business Drivers - Why
Implications/Requirements - What
Executive Communication Plan
Vision, action plan, Project list, Resources requirements, Reasons (business drivers), Expected business values
Tailor to audience preference
Temper content to reflect cultural and personality realities
Key issue 3: IAM Projects - Cost Benefit Analysis or ROI?
Developing a balanced approach to investment justification
Reporting the results
Recommendations
Establish the foundations
Listen to the business, understand context
Implement governance structures and communications channels
Establish feedback loop
Communicate value of program
articulate benefits in business terms
Map business drivers to actions and expected values
Justify project investment in business terms
Use balanced CBA
Report back
Privileged Access Presentation by Ant Allan
50% growth in this space in the last 12 months. This market is BOOMING right now. We've got lots of choices. That said, here are the choices we need to consider:
SUPM: Super User Password Management - The SUDO model. This is the concept of a support person or power user who needs access to elevated privileges in a given network device, database, server, etc.
SAPM: Shared Account Password Management - SA, DBA, Administrator, these accounts are shared between systems administrators. The passwords to these ultra-powerful, system-installed accounts are often kept in Excel spreadsheets, or much worse, and shared among DBAs, Sys Admins, and Network Admins. The passwords need to be centrally managed and checked in and checked out.
SIEM: Security Information and Event Management - We need to log what people do with elevated and shared account privileges. Likewise, we can set up patterns and scan for suspicious activity.
SAPM: Software Account Password Management - Lots of applications have service-level accounts with elevated privs. We need a way to manage passwords so that applications can get their passwords, we can track which applications use these passwords, and we can limit/change passwords to key systems and service accounts. This space is also called Application to Application (A2A) or Application to Database (A2D).
Discoverability: The ability to poll a network and inventory ALL network devices, databases, and servers. This ability is nascent in this space. It's a product differentiator. It's also assumed that AT A MINIMUM you know what your inventory looks like in silos (Windows Admins know how many Windows servers there are, etc.)
Pricing is all over the place. Per instance, per CPU, per entitlement, per user. CA has the best suite-based product. IBM has a suite-based product. The other 3 big vendors don't have this and partner with various vendors.
This space is exploding because auditors are forcing this as a compliance issue. Only 1200 companies worldwide have anything in place. We're not alone in NOT doing this and pushing to get it done this year. However, we are unique in that we don't have a handle on what our resource (server, database, network device) inventory is...this is a major failing for us.
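The SAPM check-in/check-out and SIEM logging points above, as a small working model. This is added example code, not any vendor's product: a hypothetical vault in which a shared account is checked out on an exclusive, time-limited lease, its password is rotated on check-in, and every action (including denied requests and lapsed leases) is recorded as an event a SIEM could ingest. Times are plain Unix timestamps so the example runs stand-alone.

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical minimal SAPM vault (example code, not any vendor's product).
# Shared accounts are checked out on an exclusive, time-limited lease, rotated on
# check-in, and every action lands in an event list a SIEM can ingest.

def _new_password(length: int = 24) -> str:
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

@dataclass
class SharedAccount:
    password: str
    checked_out_by: Optional[str] = None   # current lease holder, if any
    lease_ends: int = 0                    # Unix time the lease expires

@dataclass
class Vault:
    accounts: Dict[str, SharedAccount] = field(default_factory=dict)  # key "system/name"
    events: List[dict] = field(default_factory=list)                   # audit trail

    def _log(self, event: str, key: str, who: str, now: int, **extra) -> None:
        self.events.append({"ts": now, "event": event, "account": key, "by": who, **extra})

    def add(self, system: str, name: str, password: str) -> str:
        key = f"{system}/{name}"
        self.accounts[key] = SharedAccount(password)
        return key

    def check_out(self, key: str, who: str, reason: str, now: int,
                  lease: int = 3600) -> Optional[str]:
        # Returns the password on success, None if someone else holds the lease.
        acct = self.accounts[key]
        if acct.checked_out_by and now >= acct.lease_ends:
            self._log("lease_expired", key, acct.checked_out_by, now)  # no check-in happened
            acct.checked_out_by = None
        if acct.checked_out_by and acct.checked_out_by != who:
            self._log("checkout_denied", key, who, now, holder=acct.checked_out_by)
            return None
        acct.checked_out_by, acct.lease_ends = who, now + lease
        self._log("checkout", key, who, now, reason=reason)
        return acct.password

    def check_in(self, key: str, who: str, now: int) -> bool:
        # Rotate on check-in so the value the admin saw is worthless afterwards.
        acct = self.accounts[key]
        if acct.checked_out_by != who:
            return False
        acct.password = _new_password()
        acct.checked_out_by, acct.lease_ends = None, 0
        self._log("checkin_rotated", key, who, now)
        return True

    def open_leases(self, now: int) -> List[str]:
        # The first thing an auditor asks: which shared accounts are out right now?
        return sorted(k for k, a in self.accounts.items()
                      if a.checked_out_by and now < a.lease_ends)
```

A "lease_expired" event with no matching "checkin_rotated" is the pattern worth alerting on: someone took a shared password and never returned it.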
Tuesday, November 11, 2008
IAM Implementation, worst mistakes, best practices
Not understanding the MQ. The leader quadrant is NOT for everyone.
Not listening to vendor/integrator advice – you may think you know more or that your business model is truly unique BUT they know their product and how it achieves your goals
Changing the scope on a whim – Don't allow yourself to get shortsighted; plan, design and build for the long term, remember IAM is infrastructure
Big Success
Establish effective governance
Steering committee
Role of the CISO/CSO vs process and people owners
Establish channels of communication
Identify key stakeholders
Meetings, presentations, documentation
Build relationships (don't use acronyms)
Marketing principles
Differentiate target audiences
SWOT it
Customize messages, packaging and execution
Decision Framework
Phase 1 – Identify
Phase 2 – Prioritize
Phase 3 – Organize
Prioritize – Drivers and Deliverables
Drivers – impact, cost, urgency
Deliverables – std deliverables
IAM Drivers
Security Efficiency
Security Effectiveness
Business enablement
the 4I model
Integrity, Investment, Indemnity, Insurance
What if you're down, what to do to turn it around?
IAM Governance is key
PLAN AND COMMUNICATION
IAM as a Managed Service and IdMaaS
IdMaaS will rise and fall with SaaS and SOA-centric approaches
First gen IdMaaS will be a hybrid service and app architecture
IdMaaS requires shared reusable services; initial frameworks are available but vendor products are nascent
Professional IAM “as a Service” Types 1 & 2 & 3
1. Professional IAM Services
   1. They help you BUILD out your IAM offering
2. Managed IAM Services
   1. They build it, you manage it and consume it at their site
3. On-demand “IAM as a Service”
   1. Hosted services you consume as a part of your IAM solution
4. Service-Architected IAM
   1. Fischer International
   2. Early editions of current IAM products, ERP administration
   3. SOA based design
   4. Simple pricing
Fischer International is a company that will provide you IAM as a Service
Recommendations
Near
Establish a common vocabulary for talking about this
Audit current IAM infrastructure so you know the cost to operate it
Intermediate
evaluate the options periodically
Consult with services procurement to see legal and policy issues
Long term
Implement IdMaaS type appropriate to your organization
Service oriented identity
SSO, on boarding, provisioning to various applications
Today: Strong Authentication, Federation, encrypted laptops
What we need?
Externalized authorizations policies
Abstraction of deployment details from the application
integration of security with IDEs
Roles, context, trust
Hot pluggable functions....cross platform
All of these mean Service Oriented Security
Authentication Service
Oracle Access Manager (Web SSO) for Java and .NET
Oracle Adaptive Access Manager (Risk based access manager)
compares current behavior to behavioral baseline to assess risk
Authorizations Service
Oracle Role Manager
Oracle Entitlements Server
Oracle entitlements sit in the same namespace as the application; it's not centralized, it's localized so it doesn't go over the network (this sounds DAMN SEXY...i want details!!)
Identity, Profile Service
Oracle Identity Manager – manages identity lifecycle
Oracle Virtual Directory – replaces main directory in real time
the benefit of SOA Approach is that we can replace it as we see fit
lots of the standards for all of this are in flux and oracle is leading development of them
XACML is an XML representation of policy on disk
User centric identity keynote
Frank Villavicencio Citigroup Global
Bandit Higgins Project Novell
Kim Cameron Microsoft Identity Architect
BC Citizen Centric identity
something we could use for transparency with Obama Open Government initiative
Privacy is a concern here....people will give everything to Amazon, but NOT to a government entity
Talk is about Joe the user Citizen Consumer
Live ID now supports OpenID
there's a new version of Cardspace? Kim Cameron's point is that the industry as a whole needs to do this NOT just Microsoft or Novell, etc
Open Source Identity System
within 2 years all major vendors will support this
enterprise identity will weaken as it moves on to the Internet
OpenID, what else
it's OK for low level transactions where there's very little value in hacking it
Microsoft and Google offering OpenID but NOT accepting it
the idea is claims based security...OpenID is a threat to that in that it's not too secure
if it gets more secure its fine
standards based authorizations? Yes....eventually...authentication and authorizations have to be separate
Monday, November 10, 2008
Roles and Entitlements Management
Access and Identity Management aka Entitlement & Role Management
Role engineering, identity analytics, authorization management are coming
Role life cycle management, identity auditing and authorization management
Questions:
Distributed vs Centralized Entitlement Management
Describe difference between row level security and entitlements
Do you see people 'de-provisioning' entitlements and/or roles
Entitlement auditing necessary vs role management and who is the audience (role governance group?)
Map entitlements to appropriate role level – Do we, should we manage the lowest level OR just the IT roles, not operations and resources
Assigning roles AND entitlements are separate activities per Earl (Perkins)
identity analytics --> auditing (AND what were their entitlements 8 mos ago)
Policies --> Controls
Business Roles (Ent Roles) --> IT Roles (and rules) are comprised of Entitlements, operations, and resources
This is VERY similar to standard RBAC model
Users → Roles → Attributes (locations, etc) → Permissions → Operations → Resources
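The two-layer model above (business roles composed of IT roles, IT roles composed of entitlements, with role assignment kept separate from entitlement definition), worked as added example code that is not from the presentation. The role names, systems and users are constructed. It also answers the identity-analytics question noted earlier, "what were their entitlements 8 months ago", by keeping assignment start/end dates instead of overwriting them; dates are ISO strings, which compare correctly as text.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data (example code, not from the presentation): the chain
# Users -> Business Roles -> IT Roles -> Entitlements, where an entitlement is
# an (operation, resource) pair. Role, system and user names are made up.
Entitlement = Tuple[str, str]

IT_ROLES: Dict[str, Set[Entitlement]] = {
    "db_reader": {("select", "payroll_db")},
    "db_admin": {("select", "payroll_db"), ("update", "payroll_db"), ("grant", "payroll_db")},
    "hr_portal": {("read", "hr_portal"), ("write", "hr_portal")},
}

# Business (enterprise) roles are composed of IT roles, never of raw entitlements,
# so the business only ever assigns roles and IT keeps ownership of the mapping.
BUSINESS_ROLES: Dict[str, Set[str]] = {
    "payroll_clerk": {"db_reader", "hr_portal"},
    "payroll_manager": {"db_admin", "hr_portal"},
}

@dataclass(frozen=True)
class Assignment:
    user: str
    business_role: str
    start: str                 # ISO date "YYYY-MM-DD"; ISO strings sort as dates
    end: Optional[str] = None  # None means still assigned

# Keeping start/end instead of overwriting is what makes "what did they have
# eight months ago" answerable.
ASSIGNMENTS: List[Assignment] = [
    Assignment("alice", "payroll_clerk", "2007-01-15"),
    Assignment("alice", "payroll_manager", "2008-03-01", "2008-09-30"),  # de-provisioned
    Assignment("bob", "payroll_manager", "2008-06-01"),
]

def entitlements_for(user: str, as_of: str) -> Set[Entitlement]:
    """Effective entitlements of a user on a date, resolved through both role layers."""
    result: Set[Entitlement] = set()
    for a in ASSIGNMENTS:
        if a.user != user or as_of < a.start or (a.end is not None and as_of > a.end):
            continue
        for it_role in BUSINESS_ROLES[a.business_role]:
            result |= IT_ROLES[it_role]
    return result

def is_permitted(user: str, operation: str, resource: str, as_of: str) -> bool:
    return (operation, resource) in entitlements_for(user, as_of)

def who_can(operation: str, resource: str, as_of: str) -> List[str]:
    """Audit question: which users could perform this operation on this resource that day?"""
    users = {a.user for a in ASSIGNMENTS}
    return sorted(u for u in users if is_permitted(u, operation, resource, as_of))

def entitlement_drift(user: str, then: str, now: str) -> Tuple[Set[Entitlement], Set[Entitlement]]:
    """Identity analytics: (gained, lost) entitlements between two dates."""
    before, after = entitlements_for(user, then), entitlements_for(user, now)
    return after - before, before - after
```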
what is XACML and why is it important?
A common policy/service registry is a possibility (similar to directories)
The bottom line here is that there are a TON of solutions for each technology, CISCO for Networks, Oracle for Database, BEA for Web App Servers, IBM for WebSSO, etc
NO ONE VENDOR for ALL entitlements management
AND GOOD LUCK getting buy off from the software developers to implement entitlement in their SDLC
IAM Architectures
- Make it a part of Enterprise Architecture (EA)
- Establish Security Architecture Governance function
- Oversight and Review
- Subcommittee of EA team
- Consider tactical security architecture team
- Corporate and Business User staff
- Drives development and implementation of information security architecture (ISA) into the business and IT
- Focus on relationship building
- Integrate with development lifecycle
- AuthZ, AuthN protocols are adhered to
- Unify CAS, Security, Identity, roles, and priv access
Consider Gartner's IAM Maturity Curve - self assessment or externally led.
Gartner IAM 2008 Keynote
- IAM is a subset of IT Governance (should we have an identity arm of IT Governance or should IAM run Governance meeting of its own)
- Access in IAM is risk mitigation
- IAM-GRCM - controlling activities and compliance in enterprise apps
- GRCM is required to deliver "best practices"
- GRCM is heterogeneous and complex, requiring heterogeneous IAM infrastructure
- Addressing GRCM is IAM showing "maturity" and increases success and quality
- How does IAM cut costs? (this is straightforward)
- trends in IAM GRCM
- IT Austerity Programs - what are the assets in the organization (identity, entitlement, roles)
- Why IAM Suite?
- Cost savings, GRCM with risk based decisions, best in class GRCM (don't expect just one comprehensive IT tool for it)
- Deliver transparency of information while establishing "principles of privilege" to reduce litigation concerns and overall risk
- the biggest challenge of IAM is figuring out what access to give people
- IAM Maturity
- Infrastructure procedures ---> business processes
- Security basic -------> managing risk
- Coarse grained access ------> fine grained access
Seven Ps of GRCM
- Principles
- Policies
- Practices
- Processes
- People
- Products
- Production
- IAM timeline
- 2008 IAM to IT Services
- 2012 Business Enablement
- 2016 Profitability
- GRCM timeline
- Today - compliance
- 2008 Risk Management
- 2012 - Profitability
- Multi-regulatory, Cross enterprise - business stakeholders should get into compliance, reports, audits, defining access
Thursday, July 24, 2008
Friday, June 20, 2008
The Future of Identity @myJob
Identity is changing. Our initial focus was on controlling and provisioning access to key systems for purposes of satisfying Sarbanes-Oxley audit points. Identity was the afterthought, access was king. Our name for a long time reflected that, the Access and Identity Management (AIM).
More and more we’ve been moving towards becoming the Identity Information brokers. It hasn’t been easy. Our customers have continued with their demands to get their applications added to our Computer Access web site (CAP). The business has demanded easier access for new hires, which gave birth to the ‘On-boarding’ project. The folks in Compliance and I&T still have an audit point to satisfy with regards to privileges granted to roles in each application, and likewise privileged access to systems and databases. Throughout all of this we’ve been in the process of upgrading our metadirectory server for nearly a year now.
But as we’ve been completing these projects, my attention has been drawn to what we’ll need in the next 12-24 months. Here are some of my conclusions on where we are headed in Identity Management:
1. Being the identity information brokers doesn't mean we have to build a monolithic database (and schema) to house every little last bit of information about our users. For one, we should only build out relevant information as it relates to identity or is consumed by another application or end user. Likewise, we’ll never agree on a naming convention, etc., with all of our end users. Instead we should look to support all of the elements they need and provide a proper mapping to the same for application developers. We should focus on building out a structure that will allow for more generic, more meaningful roles for our end users. The application development teams who consume this information will provide the mapping to their application roles. We should partner with those development teams to better report on the privileges our roles grant to end users across the application eco-system.
2. We need to embrace the concept of Identity as a Service (IdAAS). We should provide an identity service layer to allow applications and other services to readily get their identity information from us. What are the aspects of this Identity as a Service that are key?
- Highly available
- Highly reliable
- Highly standard
- Easily recognized
- Simple to use
- Usable (see Simple to use)
- Ubiquitous
- Critical to daily activity
- Taken for granted (see ubiquitous)
The best analogy I can give for this Identity Service Layer is one of the old phone system (prior to cells). Applications should be able to lookup key elements of identity for a user of their system with the ease of using a Yellow Pages or a phone book. The elements like name, address, and phone number should be VERY easy to get from it. Likewise, simply pick up the phone and you’ve got a very, very, stable, always on, service layer waiting for your input. Simply dial the number of the end users and your application could be talking to them in moments. This also speaks to the need for an elegant API.
3. The API we develop for accessing this identity service layer should be very simple. We should not force our application development partners to learn new standards, or complicated SOA schemes. My preference is for a simple REST-ful interface. Federation is where we will need to standardize our communications with trusted partners.
4. Federation is a key to our success with vendor and student/faculty integrations. As we move to a service oriented world, integrations of our end users with various vendor applications and even access to our student and faculty portal will be critical. We’ll have to provision and de-provision users to and from their systems. Our initial approach is going to help to ease multiple logins to vendor systems internally. Our focus should be to allow staff to access vendor sites from home or other remote sites without having to remember their passwords. This will take some time to complete. The first step should be federating our identity repository information with existing vendors. From there we can begin to look at the student and faculty portals. I believe we should have an awareness of student and faculty identities in our internal identity repository. I don’t believe this requires that we provision and de-provision students and faculty (although I would certainly prefer we leverage a common identity framework) as that is the particular domain of the people vested with maintaining those applications.
5. Replication and copying data demands will grow to the point where it may become untenable. Metadirectory tools like MIIS and ILM are based on a Web 1.0 paradigm where it is relatively simple to determine who owned the data. There was HR data, Galaxy data, CT & OSIRIS data and so on. Today’s applications are sharing data, components, and identity information. Who owns the data is becoming less and less important and clear. As we grow our IdAAS and IDM Service Layer, we will be forced away from ILM as a hub for identity information and driven towards policy and user centric information sharing. This change is still roughly two years away but we need to consider the buy vs. build solutions now that will allow us to remain competitive and relevant.
6. Identity’s importance to the enterprise will continue to grow. Enterprise 2.0 and Web 2.0 will change our business models and our strategies will need to adapt. Identity is the FOUNDATION for all of this. Identity will grow to not only encompass systems and database access, but physical and user access to laptops and desktops. The Identity team will work more closely with the HR Team as it pertains to the identity lifecycle. But as our scope grows we will HAVE to staff up to meet the demand, simple decisions to purchase software in an attempt to minimize man hours spent developing custom applications will not suffice to meet the demand. The key will continue to be employing highly intelligent, highly effective people to extend, implement, and support our identity initiatives.
7. The computer access web site will continue to become less and less important. We should focus on breaking it up into viable, independent pieces to be consumed in other applications or modalities. The computer access web site will need to live on for the next 18-24 months or until we acquire an identity management suite. At the point where we implement any new identity management suite, we may be able to employ the gadgets or pieces of the old computer access web site that we develop. More focus should be given to building our Identity Service Layer (with consideration for an Identity BUS to be implemented as a part of a larger enterprise service bus) and the tools necessary to support it.
This is my vision for the next two years. I would love to hear from all of you and your thoughts on the future of Identity Management in the Enterprise for the next two years.