Wednesday, November 12, 2008
Gartner last presentation
Notes from the conference: Shannon Wilson is the coolest boss on the planet. Really, so many ways to describe it but the best reference isn't my word, it's how many people at work are now approaching him wanting to be a part of his team. A good boss is like gold.
When you attend a Gartner conference and you're in the last session....ask a friggin question. I failed to notice the 4 iPod Nanos up front...one for each questioner. Well how could you know, you ask? Ummm...cuz they did the exact same thing last time (2 yrs ago). Oh well. I didn't win a damn thing.
Overall the conference was one of the best I've been to...relevant info, GREAT Wifi (consistently and EVERYWHERE) and very very good food (from the vendors).
One more thing, IT conferences are great because of the diversity. I see Indians, Asians, Europeans, Canadians, South Americans, Caribbeans. I love the voices and the perspectives.
Making the case for IAM
1. Understand the context
a. What does the business really want?
b. Listen, don't pontificate
2. Plan and execute
a. Establish the mechanics
3. Maintain
a. Close the loop
"The foundation of effective support is credibility"
Understand the business strategy
Faster, better, less expensive
Map IAM strategy back to the business strategy
Understand the business environment
Drivers, Economics, Competition
Understand the business risk and risk affinity
Establish effective governance
IAM Steering committee
Role of Security vs Information/process owners, people owners
Establish channels of communication
Identify key stakeholders
Meetings, presentations, documentation
Build relationships
Marketing principles
Differentiate target audiences
SWOT it
Customize messages, packaging, and execution
Key issue 2 - Communicating the business value of the program
Articulate the business model
The 4i Model
Capture the business drivers
Security efficiency
Security effectiveness
Business agility and Performance
Map drivers to Values and Actions
Business value - Expected Benefits
Relevant Business Drivers - Why
Implications/Requirements - What
Executive Communication Plan
Vision, action plan, Project list, Resources requirements, Reasons (business drivers), Expected business values
Tailor to audience preference
Temper content to reflect cultural and personality realities
Key issue 3: IAM Projects - Cost Benefit Analysis or ROI?
Developing a balanced approach to investment justification
Reporting the results
Recommendations
Establish the foundations
Listen to the business, understand context
Implement governance structures and communications channels
Establish feedback loop
Communicate value of program
articulate benefits in business terms
Map business drivers to actions and expected values
Justify project investment in business terms
Use balanced CBA
Report back
Privileged Access Presentation by Ant Allan
50% growth in this space in the last 12 mos. This market is BOOMING right now. We've got lots of choices. That said, here are the choices we need to consider:
SUPM: Super User Password Management - The SUDO model. This is the concept of a support person or power user who needs access to elevated privileges in a given network device, database, server, etc.
SAPM: Shared Account Password Management - SA, DBA, Administrator: these accounts are shared between systems administrators. The passwords to these ultra-powerful, system-installed accounts are often kept in an Excel spreadsheet (or much worse) and shared among DBAs, sysadmins and network admins. The passwords need to be centrally managed and checked in and checked out.
SIEM: Security Information and Event Management - We need to log what people do with elevated and shared account privileges. Likewise, we can set up patterns and scan for suspicious activity.
SAPM: Software Account Password Management - Lots of applications have service-level accounts with elevated privs. We need a way to manage these passwords so that applications can retrieve them, we can track which applications use them, and we can limit/change passwords to key systems and service accounts. This space is also called Application to Application (A2A) or Application to Database (A2B).
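The check-out / check-in model in the SAPM notes above is easy to state and easy to get wrong, so here is an added example of the mechanics (my own toy code, not from the presentation or any vendor product): one named person holds a shared account at a time, a reason is required, the password is rotated on check-in so the released value is dead, and every action lands in an append-only audit trail of the kind the SIEM point below wants to consume. System names, user names, and timestamps are constructed.

```python
"""Toy shared-account password vault: exclusive check-out / check-in with
rotation on check-in and an append-only audit trail. Constructed example;
system names, users and timestamps are made up."""
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits + "!#%+-_"


def new_password(length: int = 24) -> str:
    """Generate a random password with the secrets module (CSPRNG-backed)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class SharedAccount:
    system: str
    username: str
    password: str = field(default_factory=new_password)
    holder: Optional[str] = None              # who currently has it checked out
    checked_out_at: Optional[datetime] = None


class Vault:
    def __init__(self, max_hold: timedelta = timedelta(hours=4)) -> None:
        self.accounts: Dict[Tuple[str, str], SharedAccount] = {}
        self.audit: List[dict] = []           # append-only; ship these events to the SIEM
        self.max_hold = max_hold

    def _log(self, event: str, when: datetime, **fields) -> None:
        self.audit.append({"event": event, "at": when.isoformat(), **fields})

    def add(self, system: str, username: str, when: datetime) -> None:
        self.accounts[(system, username)] = SharedAccount(system, username)
        self._log("account_enrolled", when, system=system, username=username)

    def checkout(self, system: str, username: str, requester: str,
                 reason: str, when: datetime) -> str:
        """Release the password to exactly one named person, with a stated reason."""
        acct = self.accounts[(system, username)]
        if not reason.strip():
            raise ValueError("a change/ticket reference is required")
        if acct.holder is not None:           # exclusive: deny and record the attempt
            self._log("checkout_denied", when, system=system, username=username,
                      requester=requester, held_by=acct.holder)
            raise PermissionError(f"{username}@{system} is held by {acct.holder}")
        acct.holder, acct.checked_out_at = requester, when
        self._log("checkout", when, system=system, username=username,
                  requester=requester, reason=reason)
        return acct.password

    def checkin(self, system: str, username: str, requester: str, when: datetime) -> None:
        """Return the account; the password is rotated so the released one is dead."""
        acct = self.accounts[(system, username)]
        if acct.holder != requester:
            raise PermissionError("only the current holder may check in")
        held = when - acct.checked_out_at
        acct.password = new_password()
        acct.holder, acct.checked_out_at = None, None
        self._log("checkin", when, system=system, username=username,
                  requester=requester, held_seconds=int(held.total_seconds()), rotated=True)

    def overdue(self, now: datetime) -> List[Tuple[str, str]]:
        """Detection hook: accounts held longer than the allowed window."""
        return [key for key, a in self.accounts.items()
                if a.holder is not None and now - a.checked_out_at > self.max_hold]


def demo() -> dict:
    """Walk one account through the lifecycle and return the facts worth checking."""
    vault = Vault()
    t0 = datetime(2008, 11, 12, 9, 0)          # constructed timestamp
    vault.add("db-prod-01", "sa", t0)
    first = vault.checkout("db-prod-01", "sa", "dba_jane", "CHG-1234 index rebuild", t0)
    denied = False
    try:  # a second admin cannot take the same account while it is held
        vault.checkout("db-prod-01", "sa", "dba_joe", "CHG-1235", t0 + timedelta(minutes=5))
    except PermissionError:
        denied = True
    overdue = vault.overdue(t0 + timedelta(hours=5))   # past the 4h window
    vault.checkin("db-prod-01", "sa", "dba_jane", t0 + timedelta(hours=5))
    return {
        "denied_while_held": denied,
        "overdue_before_checkin": overdue,
        "rotated": vault.accounts[("db-prod-01", "sa")].password != first,
        "events": [e["event"] for e in vault.audit],
    }


if __name__ == "__main__":
    print(demo())
```

A real product adds approval workflows and target-system connectors to push the rotated password, but the audit record and the exclusive-hold rule are the parts an auditor asks about first.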
Discoverability: The ability to poll a network and inventory ALL network devices, databases, and servers. This ability is nascent in this space. It's a product differentiator. It's also assumed that AT A MINIMUM, you know what your inventory looks like in silos (Windows admins know how many Windows servers there are, etc).
Pricing is all over the place. Per instance, per CPU, per entitlement, per user. CA has the best suite-based product. IBM has a suite-based product. The other 3 big vendors don't have this and partner with various vendors.
This space is exploding because auditors are forcing this as a compliance issue. Only 1200 companies worldwide have anything in place. We're not alone in NOT doing this and pushing to get it done this year. However, we are unique in that we don't have a handle on what our resource (server, database, network device) inventory is...this is a major failing for us.
Tuesday, November 11, 2008
IAM Implementation, worst mistakes, best practices
Not understanding the MQ. The leader quadrant is NOT for everyone.
Not listening to vendor/integrator advice – you may think you know more or that your business model is truly unique BUT they know their product and how it achieves your goals
Changing the scope on a whim – Don't allow yourself to get shortsighted; plan, design and build for the long term, remember IAM is infrastructure
Big Success
Establish effective governance
Steering committee
Role of the CISO/CSO vs process and people owners
Establish channels of communication
Identify key stakeholders
Meetings, presentations, documentation
Build relationships (don't use acronyms)
Marketing principles
Differentiate target audiences
SWOT it
Customize messages, packaging and execution
Decision Framework
Phase 1 – Identify
Phase 2 – Prioritize
Phase 3 – Organize
Prioritize – Drivers and Deliverables
Drivers – impact, cost, urgency
Deliverables – std deliverables
IAM Drivers
Security Efficiency
Security Effectiveness
Business enablement
the 4I model
Integrity, Investment, Indemnity, Insurance
What if you're down, what to do to turn it around?
IAM Governance is key
PLAN AND COMMUNICATION
IAM as a Managed Service and IdMaaS
IdMaaS will rise and fall with SaaS and SOA centric approaches
First gen IdMaaS will be hybrid service and app architecture
IdMaaS requires shared reusable services, initial frameworks available but vendor products are nascent
Professional IAM “as a Service” Types 1 & 2 & 3
1. Professional IAM Services
   - They help you BUILD out your IAM offering
2. Managed IAM Services
   - They build it, you manage it and consume it at their site
3. On-demand “IAM as a Service”
   - Hosted services you consume as a part of your IAM solution
4. Service-Architected IAM
   - Fischer International
   - Early editions of current IAM products, ERP administration
   - SOA based design
   - simple pricing
Fischer International is a company that will provide you IAM as a Service
Recommendations
Near
Establish a common vocabulary for talking about this
Audit current IAM infrastructure so you know the cost to operate it
Intermediate
evaluate the options periodically
Consult with services procurement to see legal and policy issues
Long term
Implement IdMaaS type appropriate to your organization
Service oriented identity
SSO, on boarding, provisioning to various applications
Today: Strong Authentication, Federation, encrypted laptops
What we need?
Externalized authorizations policies
Abstraction of deployment details from the application
integration of security with IDE's
Roles, context, trust
Hot pluggable functions....cross platform
All of these mean Service Oriented Security
Authentication Service
Oracle Access Manager (Web SSO) for Java and .NET
Oracle Adaptive Access Manager (Risk based access manager)
compares current behavior to behavioral baseline to assess risk
Authorizations Service
Oracle Role Manager
Oracle Entitlements Server
Oracle entitlements sit in the same namespace as the application; it's not centralized, it's localized so it doesn't go over the network (this sounds DAMN SEXY...i want details!!)
Identity, Profile Service
Oracle Identity Manager – manages identity lifecycle
Oracle Virtual Directory – replaces main directory in real time
the benefit of SOA Approach is that we can replace it as we see fit
lots of the standards for all of this are in flux and Oracle is leading development of them
XACML is an XML representation of policy on disk
User centric identity keynote
Frank Villavicencio Citigroup Global
Bandit Higgins Project Novell
Kim Cameron Microsoft Identity Architect
BC Citizen Centric identity
something we could use for transparency with Obama Open Government initiative
Privacy is a concern here....people will give everything to Amazon, but NOT to a government entity
Talk is about Joe the user Citizen Consumer
Live ID now supports OpenID
there's a new version of Cardspace? Kim Cameron's point is that the industry as a whole needs to do this NOT just Microsoft or Novell, etc
Open Source Identity System
within 2 years all major vendors will support this
enterprise identity will weaken as it moves onto the Internet
OpenID, what else
it's OK for low-level transactions where there's very little value in hacking it
Microsoft and Google offering OpenID but NOT accepting it
the idea is claims-based security...OpenID is a threat to that in that it's not too secure
if it gets more secure its fine
standards based authorizations? Yes....eventually...authentication and authorizations have to be separate
Monday, November 10, 2008
Roles and Entitlements Management
Access and Identity Management aka Entitlement & Role Management
Role engineering, identity analytics, authorization management are coming
Role life cycle management, identity auditing and authorization management
Questions:
Distributed vs Centralized Entitlement Management
Describe difference between row level security and entitlements
Do you see people 'de-provisioning' entitlements and/or roles
Entitlement auditing necessary vs role management and who is the audience (role governance group?)
Map entitlements to the appropriate role level – do we, should we manage the lowest level OR just the IT roles, not operations and resources
Assigning roles AND entitlements are separate activities per Earl (Perkins)
identity analytics --> auditing (AND what their entitlements were 8 mos ago)
Policies --> Controls
Business Roles (Ent Roles) --> IT Roles (and rules) are comprised of Entitlements, operations, and resources
This is VERY similar to standard RBAC model
Users → Roles → Attributes (locations, etc) → Permissions → Operations → Resources
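To make the chain above concrete, here is an added example (my own toy code, not Gartner's model or any product's) of business roles resolving through IT roles to (operation, resource) entitlements, with effective-dated assignments so the identity-analytics question from a few lines up, what were their entitlements 8 months ago, becomes a lookup and a diff. It also runs a separation-of-duties check over the same data, which is the kind of entitlement audit the notes say a role governance group would want. Role names, users, dates and the toxic pair are constructed.

```python
"""Role-to-entitlement resolution with effective-dated assignments, so an
auditor can ask "what could this person do on a given date?" and compare
two dates. Constructed example; roles, users and dates are made up."""
from datetime import date
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Set, Tuple


class Entitlement(NamedTuple):
    operation: str
    resource: str


# IT roles: bundles of (operation, resource) entitlements
IT_ROLES: Dict[str, FrozenSet[Entitlement]] = {
    "erp_login": frozenset({Entitlement("login", "erp")}),
    "ap_invoice_entry": frozenset({Entitlement("read", "ap.invoice"),
                                   Entitlement("create", "ap.invoice")}),
    "ap_invoice_approval": frozenset({Entitlement("read", "ap.invoice"),
                                      Entitlement("approve", "ap.invoice")}),
}

# Business (enterprise) roles: bundles of IT roles
BUSINESS_ROLES: Dict[str, FrozenSet[str]] = {
    "AP Clerk": frozenset({"erp_login", "ap_invoice_entry"}),
    "AP Supervisor": frozenset({"erp_login", "ap_invoice_approval"}),
}


class Assignment(NamedTuple):
    user: str
    business_role: str
    start: date
    end: Optional[date]   # None = still assigned; end date is exclusive


# Constructed assignment history. Bob was promoted but never de-provisioned from Clerk.
ASSIGNMENTS: List[Assignment] = [
    Assignment("alice", "AP Clerk", date(2008, 1, 15), date(2008, 9, 1)),
    Assignment("alice", "AP Supervisor", date(2008, 9, 1), None),
    Assignment("bob", "AP Clerk", date(2008, 2, 1), None),
    Assignment("bob", "AP Supervisor", date(2008, 10, 1), None),
]

# Toxic combinations for the separation-of-duties review (constructed)
TOXIC_PAIRS = [(Entitlement("create", "ap.invoice"), Entitlement("approve", "ap.invoice"))]


def active_on(a: Assignment, when: date) -> bool:
    return a.start <= when and (a.end is None or when < a.end)


def business_roles_on(assignments: List[Assignment], user: str, when: date) -> Set[str]:
    return {a.business_role for a in assignments if a.user == user and active_on(a, when)}


def entitlements_on(assignments: List[Assignment], user: str, when: date) -> Set[Entitlement]:
    """Users -> business roles -> IT roles -> entitlements (operation, resource)."""
    ents: Set[Entitlement] = set()
    for brole in business_roles_on(assignments, user, when):
        for it_role in BUSINESS_ROLES[brole]:
            ents |= IT_ROLES[it_role]
    return ents


def entitlement_changes(assignments: List[Assignment], user: str,
                        then: date, now: date) -> Tuple[Set[Entitlement], Set[Entitlement]]:
    """(added, removed) between two dates: the 'what did they have back then?' question."""
    before = entitlements_on(assignments, user, then)
    after = entitlements_on(assignments, user, now)
    return after - before, before - after


def sod_violations(assignments: List[Assignment], when: date,
                   toxic_pairs) -> List[Tuple[str, Tuple[Entitlement, Entitlement]]]:
    """Users who hold both halves of a toxic pair on the given date."""
    found = []
    for user in sorted({a.user for a in assignments}):
        ents = entitlements_on(assignments, user, when)
        for pair in toxic_pairs:
            if pair[0] in ents and pair[1] in ents:
                found.append((user, pair))
    return found


if __name__ == "__main__":
    today = date(2008, 11, 10)
    print("alice then:", entitlements_on(ASSIGNMENTS, "alice", date(2008, 3, 10)))
    print("alice changes:", entitlement_changes(ASSIGNMENTS, "alice", date(2008, 3, 10), today))
    print("SoD violations:", sod_violations(ASSIGNMENTS, today, TOXIC_PAIRS))
```

Keeping start and end dates on every assignment (rather than deleting rows on de-provisioning) is what makes the historical question answerable at all; the SoD check then falls out of the same resolver, which is the practical argument for the "policies --> controls" line above.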
what is XACML and why is it important?
A common policy/service registry is a possibility (similar to directories)
The bottom line here is that there are a TON of solutions for each technology, CISCO for Networks, Oracle for Database, BEA for Web App Servers, IBM for WebSSO, etc
NO ONE VENDOR for ALL entitlements management
AND GOOD LUCK getting buy off from the software developers to implement entitlement in their SDLC
IAM Architectures
- Make it a part of Enterprise Architecture (EA)
- Establish Security Architecture Governance function
- Oversight and Review
- Subcommittee of EA team
- Consider tactical security architecture team
- Corporate and Business User staff
- Drives development and implementation of information security architecture (ISA) into the business and IT
- Focus on relationship building
- Integrate with development lifecycle
- AuthZ, AuthN protocols are adhered to
- Unify CAS, Security, Identity, roles, and priv access
Consider Gartner's IAM Maturity Curve - self assessment or externally led.
Gartner IAM 2008 Keynote
- IAM is a subset of IT Governance (should we have an identity arm of IT Governance or should IAM run Governance meeting of its own)
- Access in IAM is risk mitigation
- IAM-GRCM - controlling activities and compliance in enterprise apps
- GRCM is required to deliver "best practices"
- GRCM is heterogeneous and complex, requiring heterogeneous IAM infrastructure
- Addressing GRCM is IAM showing "maturity" and increases success and quality
- How does IAM cut costs? (this is straightforward)
- trends in IAM GRCM
- IT Austerity Programs - what are the assets in the organization (identity, entitlement, roles)
- Why IAM Suite?
- Cost savings, GRCM with risk based decisions, best in class GRCM (don't expect just one comprehensive IT tool for it)
- Deliver transparency of information while establishing "principles of privilege" to reduce litigation concerns and overall risk
- the biggest challenge of IAM is figuring out what access to give people
- IAM Maturity
- Infrastructure procedures ---> business processes
- Security basic -------> managing risk
- Coarse grained access ------> fine grained access
Seven Ps of GRCM
- Principles
- Policies
- Practices
- Processes
- People
- Products
- Production
- IAM timeline
- 2008 IAM to IT Services
- 2012 Business Enablement
- 2016 Profitability
- GRCM timeline
- Today - compliance
- 2008 Risk Management
- 2012 - Profitability
- Multi-regulatory, Cross enterprise - business stakeholders should get into compliance, reports, audits, defining access