Thursday, December 13

Great Answer

I asked for a useful scenario for OpenID in the enterprise. Johannes Ernst delivered.

I do think though that while this sounds like a good use-case for some of the underlying technology, it may not contradict what I was thinking. What I was referring to, regarding user-centricity in the enterprise, was the authentication and user information management model that enables people to manage their own information rather than have that information managed by the application owner (think eBay, Amazon, iTunes, etc.). Rather than have each of those companies store information about me, I can own that information and perhaps store it at an identity provider that I choose. This is the model that I believe, while providing tremendous value in the consumer world, may not often translate to the enterprise.

And I agree with Pamela Dingle who wrote:
My advice to Enterprise decision-makers is simple: take the tools and find out if there is a story that those tools can tell that brings value to the organization. If the story is there, adopt the tool. If the story isn’t there, walk away. Whether or not the marketing term applies is, to me, utterly inconsequential.
But as a technologist, I want to understand all the creative uses of technology so that I can recommend the right approach when I speak to companies who are looking to improve their operations. And as an employee of a company that deals with identity audit, I want to get ahead of the curve. If there will be a need to audit the use of technologies in a user-centric model, I want to know what that means.

I'm not trying to make any statements here about what OpenID should or should not be. I'm just trying to understand what the value-proposition would be that would lead an organization to internally adopt a user-centric model.

And a more secure un-spam-able messaging environment sounds like a good start.

NetVision Webinar: Surviving an Identity Audit

On Tuesday of next week (Dec. 18th) at 1PM EST, NetVision is presenting a webinar on Surviving an Identity Audit. The content is loosely based on our whitepaper of the same title.

You can sign up or get more information at the NetVision Events page. If you attend, we will help you to:

1. Understand the Business Drivers for Identity Audit

  • Compliance: Government, Industry, Internal
  • Organizational Risk: Unintentional, Malicious, Opportunistic

2. Manage the Identity Audit Project Lifecycle

  • Create policies that minimize effort across multiple regulations or best-practice frameworks
  • Implement automated controls
  • Audit identity controls, user behavior, and user empowerment

3. Create a Culture of Compliance

  • Build a multi-regulatory approach to minimize effort and streamline the audit process
  • Leverage tools that automate audit reporting
  • Utilize a continuous audit model

Look forward to seeing you there!

- A condensed version of this webinar has been provided at the NetVision web site.

Tuesday, December 11

Insider Threat - By the Numbers

I've been talking with customers and colleagues about the insider threat throughout most of 2007. I've mentioned stats that 70% of electronic security breaches originate inside the firewall and 90% of those are users with elevated rights (systems administrators, etc.).

For the most part, I've rationalized that most of those attacks are likely in one of these two categories:
  • Opportunistic
  • Unintentional
The category that's missing is malicious. I leave out malicious because I believe the large majority of breaches are not intentional or at least not driven by ill-intent. From what I've seen, people break security policies because their everyday jobs lead them to it. Sometimes, people break security protocols in order to meet a deadline or otherwise get a task accomplished. Other times, opportunity just presents itself.

Consider these scenarios:
  • A DBA opens a database to accomplish a work-related task and encounters data that's just too enticing to ignore.
  • A file system administrator is asked to grant a new HR manager access to the file share that houses previous employees' offer letters and he/she can't help but take a peak at a few co-worker salaries.
  • An employee is asked to take some work home and rather than carry a company laptop, they put sensitive information on a USB key that they often use to share songs or other trivial files with friends. Or they email files to/from a personal account which may not be secure.
  • In software development and/or integration, I've seen numerous people make decisions to share a password, grant full permissions or otherwise remove security restrictions to troubleshoot some software or configuration-related issue.
All of these scenarios represent a real security risk to the organization but none would be considered a malicious attack. When I first saw the 70% number, I thought it had to include these types of scenarios. I know malicious attacks happen, but I just don't see it in my daily life. These scenarios, however, are another story. It's almost hard to work on any corporate project and not encounter these types of security breaches.

A series of articles posted yesterday in Network World by Denise Dubie provides some air cover for the arguments I've made based on personal experience. Check out just a few of these quotes, then go look at the articles for yourself. Great food for thought.

End users behaving badly
Most employees knowingly violate corporate security policies.
By Denise Dubie, Network World, 12/10/07

"most companies say they have security policies in place, yet data breaches continue to plague more than 75% of Fortune 1000 companies"

"More than 50% of survey respondents admit to copying confidential information onto a USB memory stick, and 87% say they believe that the company's policy forbids it. But 40% also reported they knowingly break the policy because the company doesn't enforce it, and another 21% said 'no one really cares about compliance with this policy.' Close to 30% said they'd violate the policy because otherwise they would not be able to complete their work on time."

"46% of those polled said they share their passwords at work, and 40% of survey respondents believe that sharing passwords with co-workers is necessary to get work done within deadlines"

Trusted users pose significant security threats, survey finds
RSA survey data reveals innocent insiders create data exposures of extraordinary scope
By Denise Dubie, Network World, 12/10/07

"35% of people polled said they need to work around their organization's security policies to get their job done"

"34% reported having held a door open for someone they did not recognize"

Scary tech stories: How dangerous user behavior puts networks at risk
IT managers share tales of how users' actions can cause security nightmares
By Denise Dubie, Network World, 12/10/07

"end users just don't think passwords are a big deal and think we are just here to make their lives miserable when we request them to change or update passwords"

User-Centricity in the Enterprise

Most of the on-line discussions about Identity Management over the past few years seem to have been about consumer authentication. The industry has developed solutions for user-centric authentication models. I'm not going to go into detail here or try to define those models. But, now that OpenID and other technologies has brought the user-centric model to reality, I'm beginning to see more chatter about user-centricity in the enterprise.

Patrick Harding doesn't seem to think that the enterprise is the right place for a user-centric model. I agree. I also agree with Pamela Dingle who noted that user-centric technology may be useful in an enterprise for the purpose of users keeping some information up-to-date.
I would qualify that, though, by saying that it's only going to be the information that the enterprise decides is unimportant enough to leave in users' hands. Companies never allow employees to update critical information on their own -- job title, pay grade, SSN, email address, etc.. Nor do they allow employees to decide what information they choose to share with the company's HR department. Companies require forms to be filled out completely. And if there are blank spaces, there's often warning that it could be just cause to rescind the employment offer.

Nishant Kaushik doesn't seem to think that the user-centric model is right for an enterprise environment. And Johannes Ernst disagrees.

I've been thinking about this for a while and I'm with Patrick and Nishaunt on this one. The goal of user-centricity is to give control of their identity information to the end users. That's great in the consumer world. Enterprises, however, have been spending millions on Identity Management specifically so that they (the enterprises) can control identity information more effectively. In the consumer world, it makes sense for people at home to want control over their information as it travels across the Internet. But, in a corporate environment (or government or education) employees and associates don't have rights over their identity information. Since Johannes is the one I've seen to recently claim otherwise, I'll look at his comments.

First, he talks about potential customers. For most enterprises, potential customers are anonymous or simply contact info and notes about whatever the enterprise can learn about their interest in the company's product. He talks about current customers and their desire to use user-centricity when interacting with the enterprise. OK, I can see that point, but that's not really enterprise. To me, that's still a consumer solution.

He then talks about affiliates. This is the typical use-case for Federation. Since this is about business transactions, the most important component of the federation model seems to be the non-technical stuff -- business agreements, contracts, terms of use, processes, etc.. It's not a scenario where you want one business partner to decide to withhold information from the other for the purposes of privacy or information control. Affiliates don't tend to share personal information, but business account information and transactional information that are both critical to the transaction in process.

Finally, he mentions user-centricity within an enterprise's own internal systems. Specifically, he gives the example of a personal cell phone number. To me, that's not enterprise data -- you can manage sharing your personal contact information with friends and close co-workers through social networking sites. Company-sponsored cell phones and IM addresses should be part of the corporate identity management infrastructure. Employees may be allowed to keep information up-to-date, but they're not allowed to decide which managers can view their information and which can't. The company makes the decisions about information use.

I don't know if I'm "defining away the issue of user-centric identity in the enterprise", but I don't see any major value or realistic adoption of a user centric model within an enterprise. The examples presented in the argument for it seem to be consumer scenarios and not enterprise scenarios. If you're expected to be available at 2am, then it's the enterprise who controls where your cell phone number is posted for anyone who needs to find you.

Let me be clear. I'm not bashing Mr. Ernst or trying to minimize his argument. He's obviously an intelligent guy and has contributed a great deal to the industry. But I'm challenging him and others to give me better examples of where the user-centric model may be useful within the enterprise. Because right now, I don't see it.

Monday, December 10

David Rowe - New Blog

I've previously mentioned that David Rowe is the visionary behind Policing the Power of Identity. David has introduced a new blog at where he'll discuss what it means to police the power of identity. He also provides a link to his recent paper on the subject. The paper is not a product pitch and is not written with a customer focus. It describes a vision of how companies can empower employees without fear – and how we as an industry can define standards and leverage open protocols to help our customers achieve that vision.

If finding a balance between freedom and control to empower digital identities within an enterprise environment is a topic of interest to you, please visit David's blog and join the conversation.

Friday, December 7

Managed Identity Management Services

Identropy has brought to life a long overdue idea in presenting their managed service for identity management. As Corbin Links pointed out, it takes a significant skill set for companies to plan, deploy, and manage an identity management infrastructure. It's not always easy to find the right talent for any given project. And there are pitfalls in most identity management projects as Mark Dixon advises in his list of project success factors.

Identropy isn't the first to offer a managed service for identity -- I know Oracle/WiPro and probably others have tried it. But, Identropy is the first I've seen from a smaller services organization. In the services world, smaller generally means quick, flexible, and ready to respond to market needs and changes.

Forrester says we're ready for managed Identity services. They're betting on Mycroft-Talisen to successfully offer a managed service for identity. I don't know if they've brought it to market yet, but the combination of Mycroft and Talisen has the talent to make it happen.

Anybody have other experiences with managed/outsourced identity management offerings?