Matt Flynn: Information Security | Identity & Access Mgmt. (comment feed, retrieved 2024-02-01)

Matt Flynn, 2016-05-18:
Hi Amar,

Thanks for the questions. First, I stated early in the post that I was primarily talking about enterprise IAM requirements rather than consumer scenarios. But, since you asked about customer or consumer IAM, here's what I'd say:

I don't think the distinction between enterprise and consumer matters as much as some vendors want you to think. My point was that the types of rules we put in place have traditionally been more obstructive in nature. We were trying to prevent people from accessing sensitive things. The ongoing shift to Digital Business includes a shift in IAM to be more open. Grant first, but with controls in place. Perform security checks without the user noticing. Force strong authentication only when necessary. And these requirements may apply in both enterprise and consumer scenarios, depending on the organization's requirements.

Anonymous, 2016-05-06:
Very insightful post on the evolution of Identity and Access Management systems. You pointed out that the basic role of IAM is shifting from "one of defense-and-control to one of enablement." But isn't enablement the mandate of an IAM system that is for external users, or what is now called Customer IAM? Wouldn't this mean that there is a sort of convergence between traditional IAM and Customer IAM? Or is it just that traditional IAM is becoming more user-friendly due to organizational and employee pressures?

Matt Pollicove, 2013-07-02:
Matt,

Good points, and not just because you referenced me! :)

Between Access Management, Security, User Provisioning, Compliance, Certification, Federation and all of the other issues in today's IDM/IAM space, the Identity Officer makes more sense than ever. Adding in new standards and SSO methodologies that will only blur the line between one's personal, business and other forms of identity will only make this more complicated.

Matt Flynn, 2013-07-02:
BTW, an Identity Officer could improve security as well. Because identity data is so sensitive, the number of identity data stores should be as few as possible. Data should be redacted when appropriate and only exposed as needed. Non-production systems should only use masked data. And identity data stores should be protected with encryption, internal access controls, etc. Encryption solutions typically have a master key that needs to be owned by someone. The Identity Officer role could own the keys and manage policies that restrict access to identity data even to the teams that build and manage the IAM systems.

Matt Flynn, 2013-02-21:
Hi Charles, thanks for the question! The premise assumes that applications are pretty well locked down. If that's the case, two additional areas of concern are unstructured data (like file systems) and back-end access to databases.

Even if the application (front door) is bulletproof, the DBA still has access and can snoop whatever data may reside in the DB by running direct queries. That's where managing EUS and *who has access* to the databases becomes very important.

I think it's preferable to use a single solution to manage all access rather than have one for apps, one for databases, and one for file systems.

It's about identifying all the access points, locking them down to appropriate levels, and then managing that access over time.

Hope that clarifies!
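The two Matt Flynn comments above make one concrete point between them: a DBA with a direct connection bypasses the application's "front door", and the only controls that survive that are encryption of the sensitive columns with a master key held outside the database (by the Identity Officer, in his proposal) plus managing who may connect at all. The following Python script is an added example written for this page, not code from the thread or from any product named in it. It assumes only the standard library: SQLite stands in for the enterprise RDBMS, the two identity records are constructed, and the encrypt-then-MAC stream cipher (HMAC-SHA256 in counter mode plus an HMAC tag) is a stdlib stand-in for what a real deployment would do with AES-GCM from a KMS or HSM. The function names (`seal`, `open_sealed`, `dba_direct_query`, `app_lookup`) are this example's own.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample identity records for the example (not real people).
SAMPLE_IDENTITIES = [
    ("asmith", "123-45-6789"),
    ("bjones", "987-65-4321"),
]

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the application master key."""
    k_enc = hmac.new(master_key, b"identity-attr-enc", hashlib.sha256).digest()
    k_mac = hmac.new(master_key, b"identity-attr-mac", hashlib.sha256).digest()
    return k_enc, k_mac


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real stream cipher (use AES-GCM in production)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag; a fresh nonce per value."""
    k_enc, k_mac = _subkeys(master_key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on a wrong key or any modification."""
    k_enc, k_mac = _subkeys(master_key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("sealed value too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))


def opens_cleanly(master_key: bytes, blob: bytes) -> bool:
    """True only if the blob authenticates under this key (used to show tamper/wrong-key detection)."""
    try:
        open_sealed(master_key, blob)
        return True
    except ValueError:
        return False


def build_identity_store(master_key: bytes) -> sqlite3.Connection:
    """The application writes the sensitive column only in sealed form; the key never touches the DB."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE identities (username TEXT PRIMARY KEY, national_id BLOB NOT NULL)")
    con.executemany(
        "INSERT INTO identities (username, national_id) VALUES (?, ?)",
        [(user, seal(master_key, nid.encode())) for user, nid in SAMPLE_IDENTITIES],
    )
    con.commit()
    return con


def dba_direct_query(con: sqlite3.Connection) -> List[Tuple[str, bytes]]:
    """The back window: what a DBA sees with a direct query, no application, no key."""
    rows = con.execute("SELECT username, national_id FROM identities ORDER BY username")
    return [(user, bytes(blob)) for user, blob in rows]


def app_lookup(con: sqlite3.Connection, master_key: bytes, username: str) -> Optional[str]:
    """The front door: the application holds the key and can decrypt for an authorized caller."""
    row = con.execute("SELECT national_id FROM identities WHERE username = ?", (username,)).fetchone()
    return open_sealed(master_key, row[0]).decode() if row else None


def plaintext_leaked(con: sqlite3.Connection) -> bool:
    """True if any stored blob still contains one of the sample identifiers in the clear."""
    return any(nid.encode() in blob for _, blob in dba_direct_query(con) for _, nid in SAMPLE_IDENTITIES)


if __name__ == "__main__":
    key = os.urandom(32)  # in production: fetched from a KMS/HSM at runtime, never stored in the database
    con = build_identity_store(key)
    print("app sees:", app_lookup(con, key, "asmith"))
    for user, blob in dba_direct_query(con):
        print("DBA sees:", user, blob.hex())
    print("plaintext reachable by direct query:", plaintext_leaked(con))
```

Running it shows the application returning the decrypted identifier while the direct query returns only opaque blobs, and `opens_cleanly` returns False for a wrong key or a flipped ciphertext byte. The caveat the comment's "who has access" point covers: whoever can read the application's key (or the app server's memory) still gets plaintext, so column encryption complements managing database and application-server access rather than replacing it.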
Charles Poulsen, 2013-02-18:
Hi Matt,
Can you elaborate on the comment about the back window open? Didn't quite understand the point.
Cheers

Matt Flynn, 2012-12-06:
Interesting perspective Richard. I think what Gartner does well is help vendors understand what their customers are struggling with and to help customers understand what's being offered by the vendor community. Being on the vendor side, I always felt it was up to us collectively to be the innovators. I also witnessed that customers are struggling with ROI and that some of Gartner's techniques were helpful.

Sounds like there will be numerous lessons learned on your project. I'd love to hear more when you're ready. The message I've heard thus far about moves like that is one of caution.

Richard Blackham, 2012-12-06:
So not much has changed really in the past 5 years except that Gartner has absorbed some of the experts through their acquisition of Burton Group and they are all still singing from the same old song sheet. Clearly there's not much thought leadership going on there. For me it would bring into question the value of having an analyst on board as companies move through the IAM process to deployment.

There is way too much stating the obvious going on, but specifically on ROI, not only do the analysts keep putting their heads in the sand over a commitment on ROI, but they keep raising it like someone is going to come along and answer their prayers with a 'How To' guide to calculating ROI. I used to think it was an important factor in evaluating the commitment to an IAM project but my views have changed. The value for the CIO is in the enhanced protection, the peace of mind, the automation to stop human error, and the drop in FTE headcount.

After twenty years of directory services, identity and access management projects and enterprise mail deployments I can quite honestly say I am working on the most exciting and stimulating project to date. No analyst has even considered a case study for an enterprise migration to Google yet and frankly I hope they stay out of it until we have completed the mammoth task of moving this enterprise, in a highly regulated industry, from Exchange to Google mail and docs. The IAM processes for users and their use cases in 160 countries are fascinating, entirely different, and light years away from analyst conference counseling today. Let it mature before barging the door, and then take a fresh look at ROI. You'll be amazed.

Dave Kearns, 2012-12-06:
Yeah! I was beginning to think blogging conferences was as dead as SAML...

Anonymous, 2012-11-22:
[This comment has been removed by a blog administrator.]

Anonymous, 2012-11-20:
When Identity management is properly deployed, users are forced to select strong passwords, and when SSL is employed for logons by remote users, two-factor authentication is an unnecessary expense and inconvenience to the user community. Most businesses simply do not need this level of security.

Anonymous, 2012-10-10:
[This comment has been removed by a blog administrator.]

Anonymous, 2012-10-05:
Great information.. Always like your blog

Amit (http://siteminderconsulting.com)

Anonymous, 2012-08-30:
Clear info as intro on this subject!

Carstenich, 2012-07-04:
Hey Matt

Nice article. Due to the fact that it's posted in TechNet Magazine it's related only to Active Directory, but overall it also applies to environments driven by other directory services such as OpenLDAP or whatever. The challenge stays the same.

I like the 6-step model for Access Governance, but at the end it opens up the following questions:
1) How are user accounts provisioned to access-granting roles in or out of a controlled environment?
2) How would the provisioning process itself fit into the governance piece?

I think the answer is pretty simple: you'll need a deep integration of IAG and IAM to achieve the long-term goals forcing IAG projects.

Cheers

Edward Killeen (http://www.empowerid.com), 2012-07-02:
Matt,
It's been a while and I know that this post is from a few years ago, but EmpowerID offers cloud-based provisioning, RBAC and federated single sign-on.

Thanks,
Edward

Anonymous, 2012-06-11:
Aveksa's "approach" is: here is my data service bus. Come and grab the data. But feel free to manipulate the data the way you want instead of having someone program the connector for you.

I see this as an oversimplified approach that shifts the problem onto someone else. In some cases, if the other party is willing to do the work, sure. But most likely the other party is just as short-staffed as the provisioning team.

This is not a case where 2 - 1 = 1. It's Aveksa's desperate need to come up with a lower proserv ratio, which really just shifts the cost onto other business units.

Matt Flynn, 2012-05-30:
Thanks for the feedback! I have no skin in this game - the approach just sounded interesting. Glad to hear that others have gone down that road. I'd love to explore in detail at some point.

Randy Yates, Memorial Hermann Health System (http://www.memorialhermann.org), 2012-05-29:
Hi Matt - Great job on your blog, I enjoy reading your posts. I read this recent post and felt compelled to let you know of another vendor who has not only simplified the development of connectors, but has a rich connector library that contains hundreds of connectors for a variety of platforms. Our infrastructure consists of a large number of applications, systems and networks and because of Courion's vast connector library we were able to connect to all the platforms necessary (Cerner EMR, SSO infrastructure, BMC ITSM change management system, GE PACS, Active Directory, MS Exchange, etc.) to ensure appropriate user access to sensitive company information. We also use Courion's Rapid Development Kit to create custom connectors and we can easily modify and update the connectors without any technical hiccups. We've had a successful technology partnership with Courion for many years and the extensive connector framework is an important part of that.

David Crow, 2012-05-25:
Welcome to the year 2000.

Aveksa is correct that business logic does not belong in the connector layer, but they are far from the first to come to this conclusion.

This is the approach used by the Waveset architecture, which has found itself replicated across many products and projects over the years. This is neither revolutionary nor does it reduce the complexity.

The hard part in connector development is modeling the myriad authorization-repository data models into a common model that can be represented in a business-friendly and intuitive way.

For a directory or a UNIX system where account attributes and entitlements are mostly name/value pairs, this is really easy. For complex systems like mainframe authorization systems or SAP or ..., this becomes much more complex.

Anonymous, 2012-05-24:
Courion has been building their connectors like this for the past 16 years. I would say that Aveksa still has a lot of catching up to do considering Courion has built 300+ connectors.

Matt Flynn, 2012-02-13:
@Steve - Well, I realize from a general IT standpoint nobody thought of it as the era of IdM, but IdM (user management) was probably higher on the attention scale than it may ever be again. Attention has shifted.

@Alek - you may be right ;) ...but in fairness, if you want to automate the creation and management of accounts, it's not too difficult to get it done at this point.

Steve, 2012-02-13:
I think you could argue that there never was an era of identity management.

Alek Davis, 2012-02-13:
I'd say this is an overstatement, at least as long as we agree on the meanings of "plenty" and "mature". :-)