Friday, May 25

More on The End of IdM

More evidence of the end of IdM and Identity being baked into the platform as BMC is forced to discontinue it's .NET Identity Management suite. I would blame big bad Microsoft, but I think this is just more of the same with the entire industry. And there's actually some value to having baked-in Identity capabilities. But, it's more foreshadowing that the end is near.

Data Loss Worse Than I Thought

Here is the list of Data breaches provided by the Privacy Rights Clearinghouse. We keep hearing about the same two or three events (VA, TJX), but there seems to be a new one almost every day. And the data is sneaking off the network in almost as many new ways as there are incidents. If you're building a data security policy, this list can be helpful in identifying areas where policies can be useful.

Thursday, May 24

Information Centric Security

I received an email today asking for clarification on the concept of information centric security. I don't know if he'd want me to use his name, so I'll call him Dan. Dan watched Art Coviello and Bill Gates speak about information centric security but felt like he wasn't getting the whole picture. The main point of confusion seemed to be that Dan is technically-minded and wasn't able to see a clear path from nice story to technology solution. I'll see if I can help.

The move from perimeter security to information centric security is really a paradigm shift. It's a new way of thinking about securing enterprise information. It's not a specific technology or even a specific set of technologies. Five years ago, securing an enterprise meant standing up hardened firewalls and protecting against incoming email attacks. But, we've seen that this type of security is insufficient. 70% of electronic attacks originate inside the firewall. 90% of attacks are perpetrated by technical employees with privileged access. So, how do you protect against that? Well, you apply security to the information itself rather than only building walls around the network.

Now, to get to Dan's question. How is that security implemented? As I mentioned, there isn't any one particular technology set that provides a silver bullet for this problem. Solving the information centric security challenge requires a long hard look at what information needs to protected, where it lives, who should have access, what is the perceived and actual risk associated with loss of that information and what are the policies or regulations associated to that information. That's the first step and it's as important as any technology portion of the solution. One you know what your information security requirements are, there are a number of technologies that can be combined to provide a secure information infrastructure. These include authentication & authorization solutions, a secure hardware & storage platform, data encryption & key management and audit & reporting solutions. So, to give a few examples, information centric security solutions could include the following:

  • Required strong authentication to servers that store information (even for local access in the data center)
  • Encryption for sensitive information as it's written to a database or file system
  • Encryption of information as it's written to tape for off-site storage
  • Rotation and secure management of encryption keys
  • Protection of individual files via DRM so that sensitive information can not be shared via email or USB key
  • Real-time alerting when policy is averted
  • Easy to use reporting on the information life cycle

Part of Dan's question was specifically about RSA and EMC. Hopefully, it makes sense how RSA/EMC can provide customers with a secure information infrastructure. EMC has core strengths and industry leadership in each of the sample solutions. The actual technologies include RSA SecurID, RSA Key Manager, RSA enVision, EMC Documentum with IRM and EMC's SAN solutions. And there are a wealth of others. Some requirements are better met by partners - like whole disk encryption for laptops. And some may have yet to be developed or marketed or just widely adopted. Dan specifically mentioned a Mandatory Access Control -based file system. Interesting concept, but not one I'm too familiar with.

Hope this helps.

Wednesday, May 23

Identity Management Success Factors

In his post on Identity Management Success/Failure Factors, Mark Dixon asks:
Please send me your list of the five most important factors that contribute to the success or failure of Identity Management projects.

I know this is going against the grain, but I think the reports of wide-spread failure of Identity projects are grossly exaggerated. At least, troubled projects are no more prevelant in the IdM space than they are in relation to other technology projects. Technology for enterprise information management is inherently complex. But, I've been a part of a number of successful projects - their success measured by the feedback of the project sponsor at the conclusion of the effort. And I've spoken to a number of people in the field who tell similar tales. I only occasionally hear a real horror story about an IdM project. Usually those troubles are based on misaligned expectations or poor project management. That is, an executive sponsor expects a project to solve 100 problems, but the implementation only solves 50 and it seems like a failure. Or a development team tries to build a solution based on a half-baked design which keeps changing and there's no change control in place so the project quickly falls off schedule and over budget.

With those comments in mind, here is my list:

  1. Establish clear and attainable objectives up front. This is vital. The only way to acheive success is to make the criteria for success clearly known and agreed-upon by all those involved. If this process is rushed or not clearly articulated, then there will be no consensus on the success of the project. While establishing criteria requires some knowledge of the business and the technology, this is primarily a perception issue -- not a business challenge and not a technology challenge. But, I think it deserves the #1 spot on the list.
  2. Strong Project Management. The project manager is the person who establishes the objectives and manages the project toward those objectives. In a complicated project involving complex business and technology challenges, strong management is extremely important to keep things on track.
  3. Build the Right Team. If the project requires interviews with business personnel, don't rely on a programmer and a DBA to deliver the project on their own. And don't expect a project manager to create a technical architecture. You need to understand the skills and roles required to reach your objectives as well as the capabilities of those on the team. Get the right team in place to cover all the roles. If the DBA is also a good business analyst, then maybe they can play two roles, but pay attention and spend the time and budget to build an effective team. I would also say that previous experience with the specific technology you're using would be great, but it's actually less important than having the right people in each role.
  4. Have a Project Champion at the Right Level. IdM projects cross organizational boundaries and sometimes cross organizations. They tend to need executive sponsorship. The projects that were easiest for me to get through were sponsored by the CEO (or other business leader) and not only the CIO (or related technical folks). I was once working as a consultant interviewing a phone system admin for a provisioning project. During the interview, he asked if we had seen the movie Office Space because he felt like he was interviewing for his own job. This was, of course, not the case. But, it illustrates the importance of executive sponsorship. If it was the AD admin instead of the CIO that had brought us in, we may have had trouble scheduling time with this particular gentleman.
  5. Build Cyclical Iterative Successes. Although I think the first four items are a sufficient recipe for success, if I had to come up with a fifth item that would make success more easily acheiveable, it would be to follow an iterative process rather than trying to do too much in a single project. Nothing builds momentum better than a few quick wins. In a large IdM rollout, this could mean having a project just to create an enterprise directory. Don't build the directory as the first step in the enterprise provisioning project but rather make the directory the result of it's own project. That success builds confidence amongst the team and the stakeholders. ...and divides up success into smaller, more easily measurable chunks.

There's definitely some overlap here with what Mark wrote. But honestly, I'd be more surprised if anyone presented a list that didn't have significant overlap. Thanks for the effort Mark!

Tuesday, May 15

SAP acquires MaXware

There are some readers of this blog who read based on their interest in MaXware and MaXware's identity management products. Well, if you haven't seen it anywhere else, MaXware is now part of SAP. Congrats to all those who worked hard to make MaXware an attractive purchase for a successful company like SAP! I suppose it's too early to speculate on the future of MaXware's products, but... I don't know SAP as a company that would bring to market a stand-alone utility product like a virtual directory or metadirectory. I'm sure however that MaXware's products will compliment SAP's core product architecture. This may be good news for Radiant Logic, Symlabs and other virtual directory vendors who may begin to see less of MaXware in customer product comparisons. On the other hand, if SAP decides to throw their weight behind MaXware's products as stand-alone offerings in the IAM space, I wouldn't want to be the competition.

Wednesday, May 9

Identity via SOA

Nishant Kaushik of Oracle provides an excellent overview of Identity as a Service and raises a good point about the ambiguity of the phrase. The industry has become comfortable with the phrase Software as a Service to represent hosted software solutions. So, IaaS will naturally bring to mind hosted Identity services analogous to that of SaaS. We have enough ambiguity and confusion in this space, don't we? (see: SSO vs. RSO vs. ESSO) I vote for a rename of the enterprise identity-via-SOA concept. Then, mass education of this important concept. If we want people to immediately understand what this is, how about something along the lines of i4SOA - Identity for SOA. Of course, this can cause confusion with providing identity and security services for the SOA itself. Or IvSOA - Identity via SOA. Whatever we call it, this is the direction we need to be heading. Build an identity services layer based on open protocols and reachable via SOA standards and integration & infrastructure flexibility will become significantly easier to achieve. Thanks Nishant! The diagrams are well done.