Thursday, November 29

Provisioning with SPML

About 18 months ago, I wrote a paper for MaXware about Identity Management in a Service Oriented Architecture (SOA) and described the scenario of initiating provisioning events from enterprise applications via SPML to the provisioning system (now called the Provisioning Service Provider in an SPML scenario).

Martin Raepple of SAP just published an article titled No Limits for Identities. In it, he discusses the process and business value of leveraging SPML for provisioning. He also discusses the role of the Provisioning Service Provider (PSP).

It seems that SAP has done a good job of quickly leveraging one of MaXware's core strengths to enable the NetWeaver platform to act as an open and available PSP for the enterprise. Many of the other major provisioning platforms also support SPML, but I haven't heard of many customers leveraging a service-based provisioning model. I still expect this type of architecture to become more commonly used. Have you seen it in action?

Wednesday, November 28

Identity Mgt. Deployment Tips

I was soliciting input from Corbin Links on something and it brought me to his latest blog post which is titled When Good IAM Software Goes Bad. It describes the common pitfalls of Identity Management software deployment. He really hits the nail on the head in terms of the types of frustrating issues you encounter when deploying IdM solutions. AND - he provides some tips on how to avoid them and gives some great advice.

Incidentally, it's not the first really useful post by Corbin. If you're a company that needs to roll out Identity Management solutions, he should be on your reading list. e.g.) For a pragmatic approach to dealing with Role Management, check out his post on Role Mayonnaise. ...not to be confused with Mayonnaise on a Roll, which I've been told was a tasty snack during The Depression. (sorry for that)

Monday, November 19

NetVision Links and Stelogging

I haven't been blogging much lately. I've been busy though. I already mentioned my whiteboard presentation and my recent white paper on Surviving an Identity Audit. We also recently launched a new NetVision web site where we talk more about Policing the Power of Identity and our slick new Reporting Console. You might also be interested in NetVision solutions for Active Directory, PCI-DSS, or ISO 17799 / ISO 27002. You can also sign up for our upcoming webinar
on Identity Audit.


I also found out this week via a Google Alert that someone is stealing and reprinting my blog content for profit. And they're using my RSS feed to do it. I've seen it called a Splog, but this is actually not Splogging (according to Wikipedia) because I'm not doing it to drive up link traffic or SPAM my audience. This is someone else re-purposing my content. Maybe this will be called Stelogging? I generally like to see people including my content in their discussions, but this doesn't feel right. What's worse is that Google helps them out by advertising (via Google Alerts) and providing a revenue stream (via Google Adwords). I'm not going to disable the RSS feed -- the point of this is to allow people to read the content. I'm not really sure there's anything to do other than ask them to stop. I suppose I can also include a footnote on my posts to the effect of:

If you're reading this at a site other than, please DO NOT click on the advertising and support the use of stolen content.
I suspect we'll see more of this kind of thing. If this snow balls, it may become difficult at some point to discern the original author from the re-publishers. Is this something I should even care about? I suppose if I had 4 million visitors daily and my blog was my primary source of income, it would be a big deal. As it stands, I'm not sure why I'd be a target for this sort of thing since I have a very niche (but excellent) audience. This is a strange thing to be thinking about.

Monday, November 5

HP's Security Handbook

Thanks Marco for pointing out HP's Security Handbook. It's a guide for securing an enterprise with a focus on identity management, proactive security management, and trusted infrastructures.

One section worth pointing out is in Chapter 1 on Governance where they define the differences between corporate governance, security governance and IT governance. I find that people often use these interchangeably or confuse the regulation-of or solution-for one with another.

I also like the section later in this chapter which suggests a move to continuous, real-time assurance or continuous compliance -- what I (and others) have previously referred to as creating a culture of compliance. Identity Management gets an entire chapter. And there's a glossary and appendices that cover topics such as IPsec-over-L2TP, placement of a reverse proxy server, and the difference between TACACS+ and DIAMETER. Good Stuff.