Wednesday, July 16

Something Old and Something New

Eric Norlin provides some insight into what to do (related to identity management) in an economic slowdown:

Something Old:

"1. SSO and Password Reset: The facts are on the wall. If you can reduce the number of helpdesk calls for password reset, you're going to save a TON of money. You can do that through self-service modules, E-SSO, web sso, or even federation. Just do it."

Something New:

"2. Automating Compliance: This is a big one, and you probably won't get it done before the recession ends. However, the more you achieve automated compliance controls, the more big bucks you can save on manual audits. Throw everything from RBAC to de-provisioning into this bucket and then get started looking at what really will slice greenbacks soonest."

Password Reset and SSO have long been good entry points into Identity Management and also proven creators of cost reduction and efficiency.

Automated compliance is a somewhat more recent phenomenon that also yields cost reduction and efficiency. You may be wondering, though, how many companies are able to get to automated compliance without giving an arm and a leg to define the requirements and processes that enable it. Might the initial effort defeat the purpose of cost reduction?

One thing Eric wrote is probably key to that discussion – "the more you achieve automated compliance controls..." which to me means, let's not get caught up in the grand notion of automated compliance. Implement a few key automated controls that eliminate significant manual effort in the compliance audit process. And that will bring you cost reduction.

SaaS Eases Security Cost and Complexity

I first read an article in InformationWeek titled SaaS Makes A Run At Security and then found this very similar article by the same author online.

I've posted recently about identity as a service (be sure to check the comments and links if you visit that posting). But my day job dictates that I think more about identity reporting as a service. (intelligence around who has what access and what changes are being made).

One of the striking take-aways from the article is the Gartner estimate that by 2018, 85% of security intelligence will be offered as a service. I guess the words "offered as" seem to deflate the energy of the claim. I wonder what the estimates are for how much will be consumed as a service in 10 years.

In any case, I think the writer hits on the right points - cost and complexity. Especially for the mid-market (his target audience). I think (particularly in the mid-market) the simplification of key capabilities will outweigh the emotional hurdles that make SaaS a tough sell for security. Of course, actual security capabilities may remain a harder sell than security reporting capabilities. That is, companies may be more willing to have managed identity reporting than managed provisioning.

I think mid-market security practitioners want their lives to be easier. They're not driven by the same concerns as large enterprises. What do you think?

Wednesday, July 9
Dave Kearns calls my argument smoke and mirrors and labels it FUD. His argument is that the Global 2000 have more users and are therefore more important? Should their needs drive solutions for the mid-market?

Dave, I don't think the number of users is even relevant. What is relevant is the experience of those customer organizations and how they can meet their requirements. The number of infrastructures is more relevant than the number of end users in this discussion. I don't think a huge amount of them have a need or desire for multiple user directories. They seem to run off of AD and seem to prefer to have apps leverage AD instead of figuring out how to use a virtual directory (or metadirectory for that matter). Where is the FUD in that? Where is the smoke? What would be my motive to raise smoke and mirrors?

The discussion of how Oracle should build a product is very different from whether customers should consider a metadirectory as an alternative. I think they should. I think there are still plenty of environments that could benefit from that approach. But I conceded Clayton's point -- if Oracle wants to build a virtual directory into its suite to enable flexibility for customers, that's great. I just don't think a virtual directory is the answer to everything (and I spent a lot of time discussing the various use-cases that cry for one).

I would just hate to have people shy away from a good technology because some people say it's no good anymore. That doesn't make sense.

Ultimately, we might agree. Dave's conclusion is one that I've echoed over and over:

The need for, and uses of, virtual directories is growing and is still a few years away from peaking.

Let's just not declare something dead because it no longer seems cool to the in-crowd. It's OK to take a pragmatic approach to whatever challenge your organization is facing. That's my point.

Tuesday, July 8

Metadirectories: What's left to say?

If you haven't been following the flurry of conversation since my post last week stating that metadirectories aren't dead, well you're in luck. We couldn't have asked for a better recap of the conversation than the one provided by Ian Yip (although I think he gave Nishant a bum rap on this one).

There were so many different angles explored that I'm not really sure where to start or what's left for me to say.

  • I'll restate that I see perfect use-cases for both metadirectory and virtual directory. Now and in the near future. In the far future, there will probably be better ways to achieve the same goals.

  • Also, it sounded like Clayton took my comments to mean that "everyone needs to be using Active Directory for everything", which was (I think obviously) not the intent. My point is that although the top 500 or 1000 companies may have a number of directories for various strategic uses, there are probably 20x that number of companies that use only Active Directory as the central and primary user store because of its network and email integration. And those companies might like for their application vendors to offer direct plug-in to AD as an option.

    A plug-in to LDAP might be another good option, and virtual directory technology would be a great enabler to incorporate various vendors, schemas and even relational databases through that single mechanism. But those mid-market companies probably would prefer not to take on the complexity of a virtual directory (even if relatively simpler than writing numerous connections) if they could just use AD natively. And I think some percentage of the Fortune 1000 would see AD as strategic enough to ask the same as well.

    That's my guess based on a customer perspective as opposed to a software vendor's ideal state of architecture. And I don't think this is limited to companies who are 100% Microsoft shops. AD just has a very far reach, and because it holds email in most of those companies it will already have an account for every employee, be available, etc.

    I don't think any of this should be seen as threatening to the role that stand-alone directories or meta- or virtual- directories play. The difference in viewpoint between me and Nishant & Clayton (if I can group them together) might be in the types of customers we've been talking to. There are still a ton of companies out there that aren't super-strategic about their Identity Management architecture. Or that just want a point solution because it fits the current business needs.

I think that's it. For now.

[UPDATE] - forgot one:

  • Bavo, I wasn't requiring that the HR database is the primary source for account creation and status. I also wasn't telling you that the HR database should be the primary source for Identity information. (However, I think it's more true than you think.) I was stating a requirement (one that I've seen many times). HR has been deemed THE authoritative source for employee existence in a majority of the companies I've worked with. My experience seems to differ from yours. [That's at least interesting! ...and one of the reasons I blog – to engage with people that have different experiences.]

    Yes, companies struggle with getting HR updated for the employee's start date. But, I've actually seen more than one customer implement a complicated AD-to-HR-back-to-AD process to accommodate for the issue. One customer integrated the candidate review system into the provisioning system. I think the reason for HR being authoritative is usually for deprovisioning. They want a disabled HR account to ripple downward.

    I think what you call the IDM system assumes a provisioning solution with workflow and its own internal store. These are luxuries that are not always available. In my scenario, the cost and complexity of a provisioning solution is probably overkill based on the requirements. And that's my point. There are scenarios where the simplicity of a metadirectory is not only sufficient to meet the requirement but actually a bit more of an elegant way to meet the requirements.

OK, now I'm really done for the night.

Monday, July 7

What to Monitor in Active Directory

If you manage an Active Directory infrastructure, you probably know that you should be monitoring activity or data or something. But what exactly needs to be monitored? Well, as I say in my latest paper, there is no one-size-fits-all prescription for Active Directory monitoring. But, there are five items that carry particular interest. In this paper, I go into detail on each of the five – what needs to be monitored and why.

For many mid-market organizations, these five may cover 80% of security monitoring needs – especially for organizations that are strategic about their use of Active Directory. As the title says, it's strictly limited to Active Directory, so don't look for firewall logs or changes to virus protection files. There's a short excerpt here if you'd like to take a peek.

If you're a security or Identity Management consultant, feel free to contact me directly and I'll be happy to send you a copy.

...The 5 Most Critical Points for Active Directory Security Monitoring

Tuesday, July 1

Metadirectories Aren't Dead (They're Just Aging)

Nishant Kaushik updated his blog and one of his old posts showed up on PlanetIdentity reminding me of the recent discussions on metadirectories and virtual directories between him and others (Dave, Jackson, Kim).

Not that I want to pick a fight with any of these guys, but for anyone who thinks the metadirectory is dead, I have a simple (albeit a bit late) scenario for you.

There are three identity stores:
  • An HR app built on a black-boxed Oracle DB
  • A custom-built line of business app built on MySQL
  • Active Directory

And three requirements:
  • The HR system needs to be authoritative for account creation and status.
  • Active Directory needs to feed the email address to the other apps upon creation (and occasional changes).
  • Systems should be updated within 4 hours.

That's it. What do you think? Is a virtual directory the best solution to meet these needs?
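To make the scenario concrete, here is an added example (mine, not part of the original post) of the two attribute flows a metadirectory would run against those three stores: HR drives account existence and status downstream, AD owns the email address and pushes it to the LOB app. In-memory dicts stand in for the Oracle, MySQL and AD stores; the sample records and the `first.last@example.com` mail rule are constructed assumptions.

```python
import copy

# Constructed sample data for the three stores in the scenario (not real records).
# HR is authoritative for existence and status; AD is authoritative for email.
HR = {"1001": {"name": "Ana Ruiz", "status": "active"},
      "1002": {"name": "Bo Chen", "status": "terminated"},
      "1003": {"name": "Cy Park", "status": "active"}}
AD = {"1001": {"name": "Ana Ruiz", "email": "ana.ruiz@example.com", "enabled": True},
      "1002": {"name": "Bo Chen", "email": "bo.chen@example.com", "enabled": True},
      "svc01": {"name": "Backup Service", "email": "svc01@example.com", "enabled": True}}
LOB = {"1001": {"name": "Ana Ruiz", "email": "", "enabled": True}}

def derive_email(name):
    """Hypothetical mail rule applied when AD creates a mailbox: first.last@example.com."""
    first, last = name.lower().split()
    return f"{first}.{last}@example.com"

def sync_cycle(hr, ad, lob):
    """One metadirectory pass over the stores (mutated in place); returns the changes made.
    A scheduler would run this at least every 4 hours to meet the update requirement."""
    changes = []
    # Flow 1: HR drives account creation and enabled/disabled status in AD and LOB.
    for emp_id, rec in hr.items():
        active = rec["status"] == "active"
        for store_name, store in (("AD", ad), ("LOB", lob)):
            if emp_id not in store:
                if active:  # never create an account for someone HR says is gone
                    store[emp_id] = {"name": rec["name"], "email": "", "enabled": True}
                    changes.append((store_name, emp_id, "create"))
            elif store[emp_id]["enabled"] != active:
                store[emp_id]["enabled"] = active  # an HR termination ripples downward
                changes.append((store_name, emp_id, "enable" if active else "disable"))
    # Flow 2: AD owns the email address; assign it if missing, then push it to LOB.
    for emp_id, rec in ad.items():
        if not rec["email"]:
            rec["email"] = derive_email(rec["name"])
            changes.append(("AD", emp_id, "email-assigned"))
        if emp_id in lob and lob[emp_id]["email"] != rec["email"]:
            lob[emp_id]["email"] = rec["email"]
            changes.append(("LOB", emp_id, "email-updated"))
    return changes

def orphans(hr, *stores):
    """Accounts with no HR record: reported for review rather than silently changed."""
    return sorted({i for s in stores for i in s} - set(hr))

def demo():
    """Run one pass on copies of the sample stores; returns (changes, ad, lob, orphans)."""
    hr, ad, lob = copy.deepcopy(HR), copy.deepcopy(AD), copy.deepcopy(LOB)
    return sync_cycle(hr, ad, lob), ad, lob, orphans(hr, ad, lob)
```

Calling `demo()` disables the terminated employee in AD, creates the new hire in AD and LOB with an AD-assigned address, back-fills the missing LOB email for the existing employee, and flags the service account as having no HR record.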

I love virtual directory technology as much as the next guy (Hi Mark), but claiming that any technology is superior to another without a discussion of the specific requirements being met just doesn't seem to make sense. Companies, departments, and projects within departments have different needs.

I've said it before. They're just tools. So, when James McGovern asks what the role of virtual directory should be, I don't have an answer. There is no should in this discussion. Ian Yip had a similar pragmatic answer. And Nishant echoed with "the mantra should always be to choose the right tool that solves your problems". Exactly.

If the idea is simply to talk about what the future should look like, I think James hit on something. There has been a groundswell of apps that directly support Active Directory as the user store. So, maybe the next versions of the HR and LOB apps in the above scenario would attach directly to AD, eliminating the need for any solution here. As prevalent as AD has become, that seems more likely than mass consumption of virtual directory technologies. And it's probably what Jackson was alluding to (Quest enables *nix systems to leverage AD).

Another possibility is that apps will support SOA-based authentication and authorization, though that hasn't spread like wildfire quite yet.

Don't get me wrong – I don't think the need for virtual directory technologies will go away anytime soon, but I wouldn't be surprised if it never becomes a standard in the mid-market. And I don't think it'll ever completely replace metadirectory technologies.

Metadirectory may be aging, but hey, 50 is the new 30. It's not dead yet.