Friday, May 25
Thursday, May 24
I received an email today asking for clarification on the concept of information centric security. I don't know if he'd want me to use his name, so I'll call him Dan. Dan watched Art Coviello and Bill Gates speak about information centric security but felt like he wasn't getting the whole picture. The main point of confusion seemed to be that Dan is technically-minded and wasn't able to see a clear path from nice story to technology solution. I'll see if I can help.
The move from perimeter security to information centric security is really a paradigm shift. It's a new way of thinking about securing enterprise information, not a specific technology or even a specific set of technologies. Five years ago, securing an enterprise meant standing up hardened firewalls and protecting against incoming email attacks. But we've seen that this type of security is insufficient: 70% of electronic attacks originate inside the firewall, and 90% of attacks are perpetrated by technical employees with privileged access. So how do you protect against that? You apply security to the information itself rather than only building walls around the network.
Now, to get to Dan's question: how is that security implemented? As I mentioned, no one technology set provides a silver bullet for this problem. Solving the information centric security challenge requires a long, hard look at what information needs to be protected, where it lives, who should have access, what the perceived and actual risk associated with loss of that information is, and what policies or regulations apply to that information. That's the first step, and it's as important as any technology portion of the solution. Once you know what your information security requirements are, there are a number of technologies that can be combined to provide a secure information infrastructure. These include authentication & authorization solutions, a secure hardware & storage platform, data encryption & key management, and audit & reporting solutions. So, to give a few examples, information centric security solutions could include the following:
- Required strong authentication to servers that store information (even for local access in the data center)
- Encryption for sensitive information as it's written to a database or file system
- Encryption of information as it's written to tape for off-site storage
- Rotation and secure management of encryption keys
- Protection of individual files via DRM so that sensitive information can not be shared via email or USB key
- Real-time alerting when a policy is violated or circumvented
- Easy to use reporting on the information life cycle
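The encryption-at-rest and key-rotation items in that list (encrypt as data is written to disk or tape, rotate and manage the keys) are usually implemented as envelope encryption. As an added illustration, not code from the original post or from any RSA/EMC product, here is a self-contained Go sketch of the pattern: each record gets its own data-encryption key (DEK), the DEK is wrapped under a named key-encryption key (KEK) held by a key manager, and rotating the KEK re-wraps only the small DEK while the bulk ciphertext stays put. The KeyStore, Envelope, Rotate, Rewrap and Retire names are my own, and the in-memory key store is an assumption standing in for an HSM or key-management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore stands in for a key manager (an HSM or key-management service):
// key-encryption keys (KEKs) by ID, with one marked current for new wraps.
type KeyStore struct {
	keks    map[string][]byte
	current string
	seq     int
}

// Envelope is stored next to the protected data. Rotating the KEK only
// re-wraps the small DEK; the bulk ciphertext is never rewritten.
type Envelope struct {
	KEKID      string
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK), KEKID as associated data
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

func NewKeyStore() *KeyStore { return &KeyStore{keks: map[string][]byte{}} }
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to continue past
	}
	return b
}

// Rotate generates a fresh 256-bit KEK, makes it current and returns its ID.
func (ks *KeyStore) Rotate() string {
	ks.seq++
	id := fmt.Sprintf("kek-%04d", ks.seq)
	ks.keks[id], ks.current = random(32), id
	return id
}

// Retire destroys a KEK; anything still wrapped under it becomes unreadable.
func (ks *KeyStore) Retire(id string) { delete(ks.keks, id) }
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys here are always 32 random bytes
	}
	aead, _ := cipher.NewGCM(block)
	return aead
}

// seal prepends a random 96-bit nonce; fine at these volumes, but a
// high-volume system needs per-key usage limits or counter-based nonces.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := random(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// open verifies the GCM tag, so tampering with either layer is detected.
func open(key, data, aad []byte) ([]byte, error) {
	aead := gcm(key)
	if ns := aead.NonceSize(); len(data) >= ns+aead.Overhead() {
		return aead.Open(nil, data[:ns], data[ns:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Encrypt seals plaintext under a fresh DEK and wraps the DEK under the current KEK.
func Encrypt(ks *KeyStore, plaintext []byte) (*Envelope, error) {
	kek, ok := ks.keks[ks.current]
	if !ok {
		return nil, fmt.Errorf("no current KEK: call Rotate first")
	}
	dek := random(32)
	return &Envelope{
		KEKID:      ks.current,
		WrappedDEK: seal(kek, dek, []byte(ks.current)),
		Ciphertext: seal(dek, plaintext, nil),
	}, nil
}
func (ks *KeyStore) unwrap(env *Envelope) ([]byte, error) {
	kek, ok := ks.keks[env.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %s is unknown or retired", env.KEKID)
	}
	return open(kek, env.WrappedDEK, []byte(env.KEKID))
}

// Decrypt fails on a retired KEK or on tampering with either layer.
func Decrypt(ks *KeyStore, env *Envelope) ([]byte, error) {
	dek, err := ks.unwrap(env)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, nil)
}

// Rewrap moves an envelope onto the current KEK; the data ciphertext is untouched.
func Rewrap(ks *KeyStore, env *Envelope) error {
	dek, err := ks.unwrap(env)
	if err != nil {
		return err
	}
	if _, ok := ks.keks[ks.current]; !ok {
		return fmt.Errorf("no current KEK")
	}
	env.KEKID, env.WrappedDEK = ks.current, seal(ks.keks[ks.current], dek, []byte(ks.current))
	return nil
}
```

The rotation procedure is Rotate, then Rewrap every stored envelope, then Retire the old KEK. At no point is the bulk ciphertext rewritten, which is what makes rotation affordable for terabytes on a SAN or on tape, and an envelope that still names a retired KEK, or whose ciphertext has been altered, is rejected at Decrypt rather than silently yielding garbage. Binding the KEK ID into the wrap as associated data also stops a wrapped DEK from being relabelled as belonging to a different key.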
Part of Dan's question was specifically about RSA and EMC. Hopefully, it makes sense how RSA/EMC can provide customers with a secure information infrastructure. EMC has core strengths and industry leadership in each of the sample solutions. The actual technologies include RSA SecurID, RSA Key Manager, RSA enVision, EMC Documentum with IRM and EMC's SAN solutions, and there is a wealth of others. Some requirements are better met by partners, like whole disk encryption for laptops. And some may have yet to be developed, marketed or widely adopted. Dan specifically mentioned a Mandatory Access Control-based file system. Interesting concept, but not one I'm too familiar with.
Hope this helps.
Wednesday, May 23
Please send me your list of the five most important factors that contribute to the success or failure of Identity Management projects.
I know this is going against the grain, but I think the reports of widespread failure of Identity projects are grossly exaggerated. At least, troubled projects are no more prevalent in the IdM space than they are in relation to other technology projects. Technology for enterprise information management is inherently complex. But, I've been a part of a number of successful projects - their success measured by the feedback of the project sponsor at the conclusion of the effort. And I've spoken to a number of people in the field who tell similar tales. I only occasionally hear a real horror story about an IdM project. Usually those troubles are based on misaligned expectations or poor project management. That is, an executive sponsor expects a project to solve 100 problems, but the implementation only solves 50 and it seems like a failure. Or a development team tries to build a solution based on a half-baked design which keeps changing and there's no change control in place, so the project quickly falls off schedule and over budget.
With those comments in mind, here is my list:
- Establish clear and attainable objectives up front. This is vital. The only way to achieve success is to make the criteria for success clearly known and agreed upon by all those involved. If this process is rushed or not clearly articulated, then there will be no consensus on the success of the project. While establishing criteria requires some knowledge of the business and the technology, this is primarily a perception issue -- not a business challenge and not a technology challenge. But, I think it deserves the #1 spot on the list.
- Strong Project Management. The project manager is the person who establishes the objectives and manages the project toward those objectives. In a complicated project involving complex business and technology challenges, strong management is extremely important to keep things on track.
- Build the Right Team. If the project requires interviews with business personnel, don't rely on a programmer and a DBA to deliver the project on their own. And don't expect a project manager to create a technical architecture. You need to understand the skills and roles required to reach your objectives as well as the capabilities of those on the team. Get the right team in place to cover all the roles. If the DBA is also a good business analyst, then maybe they can play two roles, but pay attention and spend the time and budget to build an effective team. I would also say that previous experience with the specific technology you're using would be great, but it's actually less important than having the right people in each role.
- Have a Project Champion at the Right Level. IdM projects cross organizational boundaries and sometimes cross organizations. They tend to need executive sponsorship. The projects that were easiest for me to get through were sponsored by the CEO (or other business leader) and not only the CIO (or related technical folks). I was once working as a consultant interviewing a phone system admin for a provisioning project. During the interview, he asked if we had seen the movie Office Space because he felt like he was interviewing for his own job. This was, of course, not the case. But, it illustrates the importance of executive sponsorship. If it had been the AD admin instead of the CIO who brought us in, we might have had trouble scheduling time with this particular gentleman.
- Build Cyclical Iterative Successes. Although I think the first four items are a sufficient recipe for success, if I had to come up with a fifth item that would make success more easily achievable, it would be to follow an iterative process rather than trying to do too much in a single project. Nothing builds momentum better than a few quick wins. In a large IdM rollout, this could mean having a project just to create an enterprise directory. Don't build the directory as the first step in the enterprise provisioning project but rather make the directory the result of its own project. That success builds confidence amongst the team and the stakeholders. ...and divides up success into smaller, more easily measurable chunks.
There's definitely some overlap here with what Mark wrote. But honestly, I'd be more surprised if anyone presented a list that didn't have significant overlap. Thanks for the effort Mark!