Wednesday, May 23

Aveksa and Radical Changes to Identity Management

I don't generally like to discuss specific vendors - especially if I don't have a strong relationship with them. But I saw a press release last week that was titled Aveksa Radically Changes the Economics of Identity and Access Management. I have to admit that I probably grimaced and thought "radically changes... seriously? Are they kidding?" The release stated that they introduced a new product called Access Fulfillment Express that's going to break "the cycle of heavy investments". I sarcastically thought "Yeah, sure it is."

I know Aveksa to be good within their sweet spot - Access Governance across enterprise applications - but I didn't think of them as an influential player in Identity Management (provisioning) probably because I knew they integrated with most of the major IAM vendors for provisioning tasks. So, I was pretty skeptical that they'd be doing anything that "radically changes the economics" of an IAM project. That was, until today when I had an opportunity to speak with someone from Aveksa.

Consider my tune changed.

One of the most complicated parts of any IAM deployment traditionally has been the development of the connectors. The connectors establish the link to the target systems and define the rules by which data will be managed. There's a lot of work on both the business side and technical side to get the connectors working properly. The connector work often makes or breaks the entire IAM system.

So, what has Aveksa done to the connectors to improve upon them? Essentially, they've dumbed them down. If the connector is JUST a connector and doesn't have all that business logic built in, the process of deploying a connector becomes much easier. They call them Lightweight Adapters. It's analogous to a set of APIs that carry out whatever commands are sent to them; the commands, and the business logic behind them, are then managed by the application.

IAM solutions originated as complex systems of connectors that later bolted on a UI to provide workflow. By starting with the UI as the real business value, Aveksa may have stumbled upon (or brilliantly planned?) a way to radically simplify deployment and management of IAM solutions.
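As an added illustration of the shift described above (this is not Aveksa's code or design; the HR records, entitlement names and the ROLE_POLICY table are constructed for the example), here is a connector with business rules baked in next to a thin adapter that only executes primitive commands, with the rules and the reconciliation logic living in the application:

```python
"""Thin adapters driven by central policy, contrasted with a connector that
embeds business logic.  Added example; all data below is constructed."""
from dataclasses import dataclass, field

# Constructed HR feed (not from any real system).
HR_RECORDS = [
    {"id": "u100", "dept": "finance", "status": "active"},
    {"id": "u101", "dept": "engineering", "status": "active"},
    {"id": "u102", "dept": "finance", "status": "terminated"},
]


@dataclass
class TargetSystem:
    """In-memory stand-in for a directory or application: id -> entitlements."""
    accounts: dict = field(default_factory=dict)


class FatConnector:
    """Traditional shape: the connector itself decides what should happen.
    Changing a business rule means changing (and redeploying) connector code."""
    def __init__(self, target):
        self.target = target

    def sync(self, record):
        if record["status"] == "terminated":
            self.target.accounts.pop(record["id"], None)
        else:
            # Business rule buried in the connector: finance gets 'gl_read'.
            ents = {"gl_read"} if record["dept"] == "finance" else set()
            self.target.accounts[record["id"]] = ents


class ThinAdapter:
    """Lightweight adapter: knows only how to execute primitive commands."""
    def __init__(self, target):
        self.target = target

    def execute(self, cmd):
        op, acct = cmd[0], cmd[1]
        if op == "create":
            self.target.accounts.setdefault(acct, set())
        elif op == "delete":
            self.target.accounts.pop(acct, None)
        elif op == "grant":
            self.target.accounts.setdefault(acct, set()).add(cmd[2])
        elif op == "revoke":
            self.target.accounts.get(acct, set()).discard(cmd[2])
        else:
            raise ValueError(f"unknown op {op!r}")


# Policy lives in the application as data, shared by every adapter.
ROLE_POLICY = {"finance": {"gl_read"}, "engineering": {"repo_write"}}


def desired_state(records):
    """Active people and the entitlements policy says they should hold."""
    return {r["id"]: ROLE_POLICY.get(r["dept"], set())
            for r in records if r["status"] == "active"}


def plan(desired, actual):
    """Primitive commands that move the target from actual to desired state."""
    cmds = []
    for acct in sorted(set(actual) - set(desired)):
        cmds.append(("delete", acct))
    for acct, ents in sorted(desired.items()):
        have = actual.get(acct)
        if have is None:
            cmds.append(("create", acct))
            have = set()
        for e in sorted(ents - have):
            cmds.append(("grant", acct, e))
        for e in sorted(have - ents):
            cmds.append(("revoke", acct, e))
    return cmds


def reconcile(records, adapter):
    """Compute the plan centrally, then hand each command to the adapter."""
    cmds = plan(desired_state(records), adapter.target.accounts)
    for c in cmds:
        adapter.execute(c)
    return cmds


if __name__ == "__main__":
    target = TargetSystem({"u102": {"gl_read"}, "u101": {"old_ent"}})
    for c in reconcile(HR_RECORDS, ThinAdapter(target)):
        print(c)
    print(target.accounts)
```

The point of the split is that a second target system needs only another `ThinAdapter`, and a change to who should hold what touches `ROLE_POLICY` and `plan`, never adapter code; a terminated record is handled as an ordinary delete in the plan rather than as a rule each connector must remember.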

NOTE: I haven't vetted Aveksa's approach in any detail. I haven't deployed the solution or even looked at the documentation, but I thought the shift in approach was worthy of discussion.

Thursday, May 10

Access Governance on Unstructured Data

Gartner research VP Earl Perkins posted a few days ago on the intersection of data and applications within IAG (Identity and Access Governance). I've certainly seen the same issues and we've been working with customers on these challenges quite a bit over the past six months. In fact, I authored a paper on the topic in April which is available in the STEALTHbits resource library titled Access Governance on Unstructured Data.

I hinted at the paper back in February and it was clear from the response I got that many are not willing to acknowledge a shift from the era of Identity Management to the era of Access Governance. But, I still see our current Access Governance efforts (as an industry) as analogous to what we did about a decade ago for Identity Management. Obviously, the industry remains dynamic and there's overlap but I think we have a pretty good handle on managing accounts while we're still working on the best ways to provide governance over access (whether to applications or data).

In my own phrasing (and ignoring structured and semi-structured data for the moment), the issue Earl addresses is, essentially, that traditional IAM and IAG solutions are application-centric, but a significant portion of enterprise data is unstructured (many estimates indicate that 80% of data is unstructured) rather than accessed and controlled via applications. IAG vendors are struggling with getting their arms around data as it sits out in the environment. And it's a hard problem.

I've been a part of two software vendors who addressed access rights to unstructured data. Neither company nailed it in the first attempt and there were challenges along the way. I've spoken with three large companies who tried to build in-house solutions for themselves. All failed and eventually sought commercial solutions. And I've spoken to IAG vendors who struggle with unstructured data solutions - even having tried popular brand name commercial solutions with unsatisfactory results. In my paper, I point out many of the challenges (platform coverage, geography, scalability, deployment, etc.) and how we've addressed them.

The one item that I'd differ on in Earl's post is that he mentions IAG vendors as looking to partner with SIEM and/or DLP solutions to address the issue. I don't think either is a good fit. SIEM is obviously event-driven and relies on logs. It may answer a piece of the question but it's not a direct fit. Even where it does provide value (who is doing what), its data is limited to what shows up in logs, which isn't ideal for this scenario and doesn't generally enable context-based filtering.

And DLP may get much of the right information but the folks I've talked to describe it as overkill (too expensive and too difficult to deploy). Where DLP seems to shine is in the actual prevention (blocking action at the end-point or at the firewall). But for a quick, efficient scan of access rights and the ability to analyze high-risk conditions, I'm not sure you can bend DLP solutions to do what you need.
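To make concrete what a "quick, efficient scan of access rights" over unstructured data looks like, and why a log-driven tool can't produce it, here is an added example (not from the post, the paper, or STEALTHbits). It walks constructed share ACLs, resolves nested group membership into effective per-user rights, and flags the high-risk conditions a governance review typically asks about: open access through broad groups, direct user entries that bypass group-based control, and disabled accounts that still hold access. Everything is state-based, read from the ACLs themselves, so it finds exposure that has never generated an access event. Group names, user names and paths are all constructed.

```python
"""Scan constructed share ACLs for high-risk access conditions.
Added example; the groups, users and paths below are constructed."""
from collections import defaultdict

# Constructed group membership; values may name users or other groups.
GROUPS = {
    "Domain Users": {"alice", "bob", "carol", "dave"},
    "Finance": {"alice", "bob"},
    "Finance-Admins": {"Finance", "eve"},      # nested group plus a direct member
    "Everyone": {"Domain Users", "guest"},
}
DISABLED_USERS = {"dave"}                      # stale, disabled in the directory
OPEN_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed ACLs: path -> list of (principal, right) entries.
ACLS = {
    r"\\fs1\finance\gl": [("Finance", "read"), ("Finance-Admins", "write")],
    r"\\fs1\public\drop": [("Everyone", "write")],
    r"\\fs1\hr\reviews": [("carol", "write"), ("dave", "read"), ("Finance", "read")],
}


def expand(principal, seen=None):
    """Resolve a principal to the set of user names, following nested groups."""
    if seen is None:
        seen = set()
    if principal not in GROUPS:
        return {principal}                     # a user, not a group
    if principal in seen:
        return set()                           # guard against membership cycles
    seen.add(principal)
    users = set()
    for member in GROUPS[principal]:
        users |= expand(member, seen)
    return users


def effective_access(acl):
    """user -> set of rights on one path, after group expansion."""
    rights = defaultdict(set)
    for principal, right in acl:
        for user in expand(principal):
            rights[user].add(right)
    return dict(rights)


def findings(acls, disabled=DISABLED_USERS):
    """Return (path, condition, detail) tuples for each high-risk condition."""
    out = []
    for path, acl in sorted(acls.items()):
        for principal, right in acl:
            if principal in OPEN_GROUPS:
                out.append((path, "open_access", f"{principal}:{right}"))
            elif principal not in GROUPS:
                out.append((path, "direct_user_ace", f"{principal}:{right}"))
        for user in sorted(effective_access(acl)):
            if user in disabled:
                out.append((path, "disabled_account_has_access", user))
    return out


if __name__ == "__main__":
    for f in findings(ACLS):
        print(f)
```

On the constructed data the finance folder produces no findings even though `eve` reaches it only through a nested group, while the drop folder is flagged for `Everyone:write` and for a disabled user who inherits access through `Domain Users`; neither condition would appear in a SIEM unless someone happened to touch the folder.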

I'd love to discuss more with anyone interested. Let me know. I can also get you a copy of the paper. It's short and to-the-point, but is a good conversation starter.