Monday, July 23 - Identity Management Primer

The next time you're asked the basic question "What is identity management?", you can point your audience to an article titled ABC: An Introduction to Identity Management. Writer John K. Waters provides a nice high-level view of the capabilities of IdM systems. He's a little simplistic on the technology part, but if that's the question you're answering, it's probably fine.

Friday, July 20

IdM... So simple a caveman could do it

This isn't new, but I hadn't seen it before. I'm not sure where it came from or how I found it. Hopefully I'm not contributing to the exposure of someone's actual IdM architecture.

Wednesday, July 18

Boeing Data Theft: NetVision Use Case

An Information Week article titled Boeing Employee Charged With Stealing 320,000 Sensitive Files discusses a massive data breach by a Boeing insider. It's another illustration of the fact that insiders are among the biggest threats an organization faces. The perpetrator (Gerald Lee Eastman) was preparing to share Boeing's sensitive information, which could cost Boeing as much as $15 billion in damages.

This type of attack is a good use case for NetVision file system monitoring (part of our NVMonitor product). The article explains that Eastman had to exploit a weakness in Boeing's computer system to reach the stolen files. Over the course of two years, he methodically searched Boeing's systems for unprotected file shares and was routinely denied access to many of them. Every denied attempt, and every success that followed a denial, is an event the file system can report. As he searched for files and found ways around the file system security mechanisms, NetVision file system monitoring could have caught the pattern and alerted security officers with each attempt, nipping this issue in the bud two years ago when it began.
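The two signals in that story, a user denied on many different shares in a short span and a denial later followed by a successful open of the same share, are the ones a file access monitor would alert on. The following is an added example, not NetVision product code and not based on anything published about the Boeing case: a small detector run over constructed file-access audit records. The record layout (timestamp, user, share, ALLOWED/DENIED) and the thresholds are assumptions; Windows object-access auditing and commercial monitors emit richer events, but the logic is the same.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit records: "<ISO timestamp> <user> <share> <result>".
# Illustrative only; not real events from Boeing or from any product.
SAMPLE_LOG = r"""
2007-07-10T09:01:00 jdoe \\fs01\finance DENIED
2007-07-10T09:01:05 jdoe \\fs01\hr DENIED
2007-07-10T09:01:09 jdoe \\fs02\engineering DENIED
2007-07-10T09:01:14 jdoe \\fs02\legal DENIED
2007-07-10T09:02:00 jdoe \\fs03\public ALLOWED
2007-07-10T09:30:00 jdoe \\fs02\legal ALLOWED
2007-07-10T10:00:00 asmith \\fs03\public ALLOWED
2007-07-10T10:00:30 asmith \\fs01\finance DENIED
"""


def parse_events(text):
    """Parse the assumed four-field record format into dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, share, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "share": share.lower(), "result": result})
    events.sort(key=lambda e: e["ts"])
    return events


def find_share_scanners(events, window=timedelta(hours=1), min_shares=3):
    """Flag users denied on >= min_shares distinct shares within a sliding window.

    One denial is a typo; many denials across many shares is someone
    hunting for unprotected shares. Returns {user: set_of_shares_denied}.
    """
    recent = defaultdict(deque)  # user -> deque of (ts, share) for denials
    flagged = {}
    for e in events:
        if e["result"] != "DENIED":
            continue
        q = recent[e["user"]]
        q.append((e["ts"], e["share"]))
        while q and e["ts"] - q[0][0] > window:  # drop denials outside the window
            q.popleft()
        shares = {share for _, share in q}
        if len(shares) >= min_shares:
            flagged.setdefault(e["user"], set()).update(shares)
    return flagged


def find_denied_then_allowed(events):
    """Return (user, share, denied_at, allowed_at) where a denial on a share was
    later followed by a successful access by the same user: a change in
    permissions, a new path to the data, or a bypass worth a human's attention."""
    first_denial = {}
    hits = []
    for e in events:
        key = (e["user"], e["share"])
        if e["result"] == "DENIED":
            first_denial.setdefault(key, e["ts"])
        elif e["result"] == "ALLOWED" and key in first_denial:
            hits.append((e["user"], e["share"], first_denial.pop(key), e["ts"]))
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for user, shares in find_share_scanners(evts).items():
        print(f"ALERT share scan: {user} denied on {len(shares)} shares")
    for user, share, d, a in find_denied_then_allowed(evts):
        print(f"ALERT denied-then-allowed: {user} {share} denied {d} allowed {a}")
```

Tune the window and share count to the environment; help-desk staff and backup accounts will legitimately touch many shares, so the first deployment of a rule like this is usually spent building an exclusion list rather than catching insiders.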

Tuesday, July 17

Anatomy of an Identity Audit project

In speaking with a number of customers about Identity Auditing, it's pretty clear that there's a lack of clarity in the space, and that customer needs differ. Some customers want help navigating the regulations that govern their industry. Others want a solution that puts them in compliance. Still others are looking for a solution that proves their controls are working. I think this variety of needs is symptomatic of the fact that each of those customers is at a different stage of the Identity Audit project cycle. Even if you haven't called it an Identity Audit project, simply defining policies related to identity management and access is the first step toward an IdA solution. Here's a breakdown:

I. Determine Policies

Organizations may base IT security and identity-related policies on any number of requirements.

a. Often, identity policies are driven by external regulations. Regulations such as Sarbanes-Oxley and HIPAA help companies determine which security-related policies to implement.

b. Another set of policy drivers is industry-standard best-practice frameworks like COBIT or ISO17799. An organization may choose to comply with one of those standards and allow it to determine many of its identity policies.

c. Of course, risk mitigation is an obvious driver of security-related policies. An organization may implement certain policies to reach a more comfortable level of risk. For example, a company with no regulatory or standards-based requirement for two-factor authentication may still choose to implement it to minimize the risk associated with a given application.

d. Some policies may be based on business enablement requirements. For example, the policy decision to grant employees access to a given set of files may have nothing to do with regulations, standards or risk mitigation. It may be driven by a new revenue opportunity whose success depends on employees having access to those files.

II. Implement Controls

Identity-related security controls can be implemented in a number of ways. A common way to implement policies on a Microsoft network is to express them as Active Directory group memberships and leverage Windows' built-in file system access control. Access to systems outside the Windows file system can also be granted or denied based on Active Directory group membership (via LDAP queries). Identity Management tools help implement controls by enforcing business rules during the user provisioning and reconciliation processes. There are numerous third-party applications and in-house solutions that can help implement identity controls; for example, a PKI may be deployed to meet a two-factor authentication policy. An entire book could probably be written on the various methods for implementing identity-related policies. Generally, all of the software vendors in the IdM space attempt to provide this capability to some degree.

III. Test and Confirm Controls (Identity Audit)

Once policies and controls are in place, an organization can start to think about testing and auditing those controls. The goal of these audits is to ensure that the controls in place actually keep the organization in compliance with its defined policies. If the policies are driven by regulation, then proving that the controls enforce the policies also confirms that the organization is in compliance with that regulation. This is really the goal of identity audit solutions: to ensure that the identity systems in place (which implement the controls) are effective at enforcing adherence to the organization's identity policies.


Hopefully, the above provides a basic overview of the core components of identity auditing. One of the main take-aways should be that it's nearly impossible to prove compliance without defined policies. Without clearly defined identity policies, what would you be complying with? I suppose an argument could be made that there's value in simply auditing that the identity system does what its requirements document says it should do. But I think the real value lies in proving that an organization is meeting its identity-related business goals, as expressed in its identity-related policies.
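Sections II and III above describe a control (access granted through Active Directory group membership) and an audit of that control (confirming the observed state matches policy). The following is an added example, not code from the original post or from any NetVision product, showing what the audit step looks like in practice: a policy written down as data, a snapshot of the ACLs and group memberships actually observed, and a reconciliation that reports the differences. The resource names, group names and a separation-of-duties rule are constructed for illustration; in a real audit the observed snapshot would come from the directory and file servers rather than being typed in.

```python
# Constructed policy: which groups SHOULD have access to each resource,
# plus a separation-of-duties rule (no single user may hold both groups).
POLICY_ACCESS = {
    r"\\fs01\finance": {"Finance-Users"},
    r"\\fs01\hr": {"HR-Users"},
}
POLICY_SOD = [{"AP-Clerks", "AP-Approvers"}]

# Constructed snapshot of what the controls actually grant right now.
# The finance share has drifted: "Domain Users" was added at some point.
OBSERVED_ACLS = {
    r"\\fs01\finance": {"Finance-Users", "Domain Users"},
    r"\\fs01\hr": {"HR-Users"},
}
OBSERVED_MEMBERSHIP = {
    "jdoe": {"Domain Users", "AP-Clerks", "AP-Approvers"},
    "asmith": {"Domain Users", "HR-Users"},
    "bfinance": {"Domain Users", "Finance-Users"},
}


def acl_drift(policy_access, observed_acls):
    """Groups granted on a resource that the policy does not list.
    Returns a sorted list of (resource, group) so the report is deterministic."""
    findings = []
    for resource, allowed in policy_access.items():
        granted = observed_acls.get(resource, set())
        findings.extend((resource, group) for group in sorted(granted - allowed))
    return findings


def unsanctioned_access(policy_access, observed_acls, membership):
    """Users who can reach a resource only through groups the policy does not
    sanction. Checks effective access, not just the ACL, so a user who is in a
    sanctioned group is not reported even if a drifted group also covers them."""
    findings = []
    for resource, allowed in policy_access.items():
        granted = observed_acls.get(resource, set())
        for user in sorted(membership):
            groups = membership[user]
            if groups & granted and not groups & allowed:
                findings.append((user, resource, tuple(sorted(groups & granted))))
    return findings


def sod_violations(membership, sod_rules):
    """Users holding every group of a separation-of-duties rule at once."""
    findings = []
    for user in sorted(membership):
        for rule in sod_rules:
            if rule <= membership[user]:
                findings.append((user, tuple(sorted(rule))))
    return findings


def run_audit(policy_access=POLICY_ACCESS, sod_rules=POLICY_SOD,
              observed_acls=OBSERVED_ACLS, membership=OBSERVED_MEMBERSHIP):
    """Reconcile observed state against policy; an empty report means the
    controls are enforcing the policy for the resources and users examined."""
    return {
        "acl_drift": acl_drift(policy_access, observed_acls),
        "unsanctioned_access": unsanctioned_access(policy_access, observed_acls, membership),
        "sod_violations": sod_violations(membership, sod_rules),
    }


if __name__ == "__main__":
    for section, findings in run_audit().items():
        print(section)
        for f in findings:
            print("  ", f)
```

The point of structuring it this way is the one the post makes: every finding is a statement of the form "observed state differs from policy", so without the policy data at the top there is nothing to audit against. Note that "Domain Users" on the finance share shows up twice, once as ACL drift and once per user who gains access only through it; the first is the control defect, the second is its business impact, and both belong in the report.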

Tuesday, July 3

My daughter is on the cover of Wired. At least she is on my copy of Wired. They ran a promotion a couple of months back stating that if I sent them a photo, it would appear on my copy of the July issue. This type of personalization is a small example of what happens when we have identity figured out. Some of what we do (identity management) is about security, and we tend to get caught up in that part of it. At least I do. The other part that we need to keep in mind is the enablement that comes with strong identity controls. If you have control over the identities in your systems, you can leverage that control to create opportunities that didn't exist before. Wired found a way to make its point about the hyperlocal, totally personal geoweb by sending me an ultra-localized version of its magazine. So local, in fact, that it's just for me. And as a proud dad, I couldn't wait to dive into this month's issue. It's a win for Wired, its advertisers and its customer (me). Think about what the right identity management solution can enable your business to do!