Wednesday, August 11

Identity as a Platform

I was asked for my thoughts on an article titled Hosters Need to Think about Identity as a Platform Play. When I clicked to read the article, I was happy to see it was written by Novell's Dale Olds, who always has interesting and informed things to say.

I agree with Olds' assessment. SaaS platform vendors (hosters) should really get on the ball with offering identity services as part of their hosting packages. They should do the same with data encryption (both to the endpoint and in storage). Security is complicated -- extremely important and extremely easy to get wrong. It only takes a small oversight somewhere along the line to break the chain. SaaS application vendors would be wise to leverage proven, trusted solutions for access management rather than trying to create their own.

I think Olds overstated how simple it would be for applications to switch platforms. It seems to me that it's pretty complicated even in the case of moving a simple PHP website to another host. And most SaaS applications will be much more complicated than that. The other part of that thought was that providing identity services would tie the application provider to that platform. I would recommend to hosting providers that they make it easier rather than harder to move. That'll be a key differentiator and ultimately drive more business/revenue to your brand. (I'm not saying that Dale was recommending to purposely make it complicated - it's just how it is.) BUT - there's still a business driver to build identity into the platform. Removing the complexities of security from the application development process could save 30% of time and resources in standing up a new application versus having to build it all from scratch.

And to Steve (from Axciom)'s point (in the comments), yes! Ideally, Platform as a Service vendors will provide more than authentication. Baked in security could incorporate firewalls, authentication, multi-factor authentication (& transaction-based), authorization, encryption (in-motion and at-rest), activity and access audit, SoD monitoring, and more.

We're obviously very early in this whole process. I think we're moving in the right direction, but it'll take time to get it all right.

Thursday, July 29

Next Generation Compliance: Expect Answers

As an industry, we've been getting much better with understanding access rights and enabling compliance with access-related regulatory requirements. I know there are nay-sayers out there who focus on the negative - what we haven't done well. But, overall, given the speed at which we've enabled access to sensitive information, it's pretty amazing that we have any control at all.

Having said that, one of the primary problems with our current solutions for tracking changes and enabling audit response is that we just can't make sense of all the data that's being collected. One of the findings in the SANS Log Management Survey for 2010 is that the top two challenges with log management are being able to search through the data and being able to interpret the results. That's no surprise given the mountains of data generated by log management solutions. But it's also alarming because that's the exact value proposition that those solutions are supposed to provide. It's like a car that does everything well except move from one place to another.

Failure: Mountains of Data with No Actionable Information
There's a better way. In this SC Magazine article titled Answers, Not Data: The Key to Access Security, David Rowe explains that next generation audit solutions need to focus on providing answers and enabling continuous audit rather than stubbornly latching on to quantity of data as the success indicator. Give it a read and please let me know what you think.

Tuesday, July 27

How to clean up years of permission bloat

Since joining NetVision a few years ago, I've spoken to countless organizations that are faced with clean-up duty. For years, administrators have granted permissions, added group memberships, created countless new security groups, delegated rights in Active Directory and have been mostly in a reactive mode. That is, they grant permissions in response to some member of the business asking for new rights. Unfortunately, business managers have not had motivation to request that permissions be revoked when appropriate. So, in many cases, there are hundreds or thousands of security groups whose purpose and intended use nobody seems to know. And some big percentage of the user population has access to files/folders that they shouldn't.

In an ESJ article titled Coming Clean: Getting a Handle on Permissions and Group Memberships, NetVision CEO David Rowe discusses the challenge and explains how you can regain control over network access rights.

Thursday, June 24


I discovered a few interesting technical bits this morning that I haven't seen before.

First, DNS operating order (as you may know) is:
(1) Check local host name
(2) Check hosts file
(3) Check DNS servers

If you query for the domain name on an Active Directory domain controller, it doesn't resolve in the first step. So, you'd need proper DNS entries for the domain (or an entry in Hosts). I would've thought a query on a DC for the domain name would resolve immediately, but when using a client that relies on DNS (like an ADSI script), it doesn't resolve.

Next, I found that a simple LDAP lookup (using domain name / rootDSE) via ADO resolved fine where a similar script using ADSI did not. So, apparently, ADO does NOT rely on DNS to attach to the rootDSE but ADSI DOES rely on DNS.

When evaluating whether to use ADO or ADSI, I recall that ADSI was generally easier, but there may be improved performance with ADO for larger record sets. I'm not sure if that's true, but that's what I remember reading years ago. I wonder if use of DNS should be an additional consideration in some cases?
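To reproduce the observation above on a domain-joined machine, here is an added PowerShell diagnostic (not from the original post): it checks whether the domain name resolves through the OS resolver, then reads RootDSE through ADSI and through ADO, each with the domain name in the path and with a serverless path as a control. The domain name is a constructed placeholder.

```powershell
# Added example (not from the original post): compare how ADSI and ADO reach RootDSE
# when given a domain name. Run on a domain-joined Windows host.
$DomainName = "corp.example.com"   # constructed placeholder, replace with your AD DNS name

function Test-NameResolution {
    param([string]$Name)
    # GetHostAddresses uses the OS resolver, so it follows the same order the post lists:
    # local host name, hosts file, then the configured DNS servers.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Name)
        [pscustomobject]@{ Name = $Name; Resolved = $true;  Detail = ($addrs.IPAddressToString -join ", ") }
    } catch {
        [pscustomobject]@{ Name = $Name; Resolved = $false; Detail = $_.Exception.Message }
    }
}

function Get-RootDseViaAdsi {
    param([string]$Server)
    # ADSI bind. With a server or domain name in the path, the bind depends on that name resolving.
    $path = if ($Server) { "LDAP://$Server/RootDSE" } else { "LDAP://RootDSE" }
    try {
        $root = [ADSI]$path
        [pscustomobject]@{ Method = "ADSI"; Path = $path; Result = $root.defaultNamingContext.Value }
    } catch {
        [pscustomobject]@{ Method = "ADSI"; Path = $path; Result = "FAILED: $($_.Exception.Message)" }
    }
}

function Get-RootDseViaAdo {
    param([string]$Server)
    # ADO through the ADsDSOObject provider, the route the post reports working where ADSI did not.
    $target = if ($Server) { "LDAP://$Server/RootDSE" } else { "LDAP://RootDSE" }
    try {
        $conn = New-Object -ComObject ADODB.Connection
        $conn.Provider = "ADsDSOObject"
        $conn.Open("Active Directory Provider")
        $cmd = New-Object -ComObject ADODB.Command
        $cmd.ActiveConnection = $conn
        # ADSI SQL-dialect-free query string: <base>;(filter);attributes;scope
        $cmd.CommandText = "<$target>;(objectClass=*);defaultNamingContext;base"
        $rs = $cmd.Execute()
        $value = $rs.Fields.Item("defaultNamingContext").Value
        $rs.Close(); $conn.Close()
        [pscustomobject]@{ Method = "ADO"; Path = $target; Result = $value }
    } catch {
        [pscustomobject]@{ Method = "ADO"; Path = $target; Result = "FAILED: $($_.Exception.Message)" }
    }
}

# Step 1: can this host resolve the domain name at all (host name, hosts file, DNS)?
Test-NameResolution -Name $DomainName | Format-List

# Step 2: the same RootDSE read four ways. The serverless paths are the control case:
# without a name in the path the provider locates a DC via SRV records instead of
# requiring an A record for the domain name itself, so they should succeed even when
# the domain name does not resolve directly.
@(
    Get-RootDseViaAdsi -Server $DomainName
    Get-RootDseViaAdsi
    Get-RootDseViaAdo  -Server $DomainName
    Get-RootDseViaAdo
) | Format-Table -AutoSize
```

If only the two "-Server $DomainName" rows fail, the culprit is name resolution of the domain name on that host rather than the directory itself; adding the DNS record or hosts entry the post mentions fixes both.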

Wednesday, June 16

Value Beyond Bits

An article in the June 7 edition of ComputerWorld discusses the IT industry's energy crisis. People are overworked and tired.
"Head count is decreasing, and workload is increasing. User expectations and regulatory requirements are expanding exponentially."
The article goes on to discuss how to re-energize IT. It specifically mentions removing negative people (yes!) and improving upon IT finances (not sure about that one).

I would add something to that short list - take a look at managed services or cloud solutions. These solutions present an opportunity to get IT professionals' heads out of the 'bits and bytes' that can really drain energy. I've been there. When you spend 4 or 8 hours focused on applying some technical fix or getting a program to work, it can be physically and mentally exhausting. Those are the parts of the IT job that many people don't enjoy. And those are precisely the aspects of the job that get handed off with SaaS and managed solutions.

By removing those annoyances and freeing IT staffers to be proactive about providing greater business value, it generates new energy and enthusiasm. Clearly though, many IT folks disagree.

Another article in the same edition discusses the issue of IT staff mistrust of cloud solutions. One IT director states:
"They flat-out asked. 'What does this mean for me and my job?'"
IT professionals are clearly concerned. I've heard it first hand: "Why would I want to recommend a managed solution when that's my job?"

Well, I understand the concern, but I think that viewpoint is a bit myopic. Think of car ownership. If you can offload the maintenance and upkeep of the vehicle, driving is much more fun. You can accelerate quicker, take turns tighter, brake harder, take it off road, etc. and let someone else worry about changing the oil, maintaining tire pressure and watching the treads. In my opinion, managed solutions equate to more freedom.

And the first time you (as an IT staffer) show a business manager how you can save them time or money in their job through creative use of technology, I think you'll be hooked. You'll appreciate that you were able to put your creative, problem-solving mind to work on business issues (still requiring in-depth technology knowledge) rather than being bogged down in the bits.

Just a thought.

Thursday, April 29

Steve Jobs on Flash

A little off-topic for Identity Management, but once a year or so I post something just for amusement.

In Jobs' open letter on why Apple doesn't support Flash, he makes some valid points. Among them, he states:

We strongly believe that all standards pertaining to the web should be open. Rather than use Flash, Apple has adopted HTML5, CSS and JavaScript – all open standards.

HTML5, the new web standard that has been adopted by Apple, Google and many others, lets web developers create advanced graphics, typography, animations and transitions without relying on third party browser plug-ins (like Flash).
So, then, what's wrong with this picture?

Hint: notice the message in the screenshot:
This website wants to run the following add-on: 'Quick-Time' from 'Apple, Inc.'


IAM in the Cloud - from Verizon and Novell

Interesting newcomer to the Identity in the Cloud space. I look forward to seeing a side-by-side comparison of these solutions. Clearly, when organizations are ready to have their identities managed outside of their own walls (even if just external accounts), there will be a number of options available. I see an opportunity for a few good independent consultants to really understand the intricacies of all these options so they can help customers wade through all the terminology and misconceptions. ...because I don't think it'll be easy.

Wednesday, April 28

TEC 2010: Optimal IdM

The third and final TEC 2010 vendor to participate in a video message is OptimalIdM who was at the conference demonstrating their Virtual Directory solution and its ability to simplify deployment of Sharepoint 2010.

TEC 2010: Symplified

This is the second in my TEC 2010 vendor video series. In this video, Symplified describes their TEC 2010 experience and lets you know how to get 3-D glasses for their upcoming 3-D announcement.

TEC 2010: Imanami

While walking the floor at TEC 2010, I spoke to a few vendors who agreed to provide a quick video message. The first is Imanami who was demonstrating a pretty interesting solution for managing Active Directory group memberships.

Identity Enablement

I just got out of a session led by The Burton Group's Kevin Kampman, who made the point that the Identity Management conversation is changing. It can no longer be about technology. It needs to be about business needs. Don't ask "What is the tool?" Ask "What problem are you trying to solve?"

During Q&A, somebody made the point that currently, Identity Management is often mandated by the security team who is implementing it as a way to enforce secure practices and restrict access where appropriate. The business owners may not always have the right to choose where they're comfortable with increased risk and where they're not. Valid point.

I think Kampman's point, though, is that in a larger sense, as the industry moves into the cloud and becomes further distributed, Identity tools will be more about enablement rather than restriction. Identity Enablement tools such as Federation solutions will enable conversations and transactions to take place that haven't been possible in past (and current) models. So, the conversation starts with a business team that is looking to expand its capabilities rather than with a technology team who might be focused on specific tool sets.

To me, it's a whole different mindset than traditional enterprise Identity Management. And therefore, it's an entirely different conversation (not just a re-focusing of the existing conversation.)

It will be an interesting decade for identity.

Tuesday, April 27

TEC 2010: A few more notes

The Experts Conference is living up to its name. The hallway and lunch conversations are extremely technical - the right approach to move an Exchange mailbox or how to best create a stored procedure that captures some set of information beyond what the native system will do.

A few of the folks I spoke with:

- The DOT NET Factory has a user management (provisioning) solution based on Active Directory. It provides full, highly extensible work flow with full audit trails of all changes. Some customers choose to shut down all access to Active Directory

- Dimension Data is perhaps the largest company you've never heard of. The more than 11,000 employees of this $4 Billion IT services firm serve the world's largest multi-national firms. Through tight partnerships with Microsoft, Cisco, Quest, and others, they're uniquely positioned to provide integration services between those companies' products throughout Africa, EMEA, and now North America as well.

- Optimal IdM and Radiant Logic both report that the experts in the crowd are starting to finally understand the value of virtual directories. A few years ago, the conversations around virtual directories were largely educational - What is it? and Why should I care? Now, the conversations have shifted to practical implementation ideas.

btw, I overheard an interesting customer story on OptimalIdM. An organization that already had licenses for a well-known Virtual Directory (because it was included in a larger suite) chose to work with OptimalIdM's solution because it provided point-and-click simplicity for object joins, whereas the other solution required significant Java and Python code to achieve the same task. It's a nice real-world David & Goliath story.

- Rackspace is here educating people on how to deploy Sharepoint and other applications in the cloud. As with most technology conferences these days, there's a lot of discussion here about the cloud. Rackspace is clearly positioned as a leading cloud service provider. I use Rackspace for personal home file storage through its JungleDisk, which is a very cool solution.

- I also had a conversation with a principal consultant at CSS Security who clearly had a firm understanding of FIM 2010 and how to implement. They're based in Cleveland but serve the entire U.S.

Monday, April 26

TEC 2010: Active Directory Family

The day one keynote speech this morning was presented by Microsoft's Conrad Bayer. One of the key take-aways from this morning's keynote for me was a consistent theme throughout the talk that Microsoft's Identity & Access solutions are now all part of the same product group. The Identity & Access group's solutions include Active Directory, ADFS federation, RMS rights management, FIM life cycle identity management, PKI/Certificates, identity synchronization, etc.

Bayer also talked about the future of these solutions and briefly discussed that ADFS could evolve to become an authorization server. Specifically, he talked about attributes and claims being the core components of authorization. The idea would be that ADFS could sit in between local and remote directory environments and provide answers to standards-based requests about claims. Bayer was asked later about the challenges around the idea that, for AD, groups are equivalent to roles, but other systems' roles require more than just group memberships. His answer pointed back to attributes and claims as being the way to meet those business requirements and seemed to say that applications would be where you would manage roles. The application would define and manage roles while leveraging the AD infrastructure to answer access-related questions via claims. He didn't say it (or even suggest it), but I wonder if this is a move toward a completely different paradigm than one based on roles. Perhaps roles will never be the right answer since what we've all seen is that in reality, people don't fit nicely into a pre-defined set of business roles.

Another thing that caught my ear was Bayer's point that Smartcards and Certificates are becoming more important as environments move to distributed and cloud-based solutions. Could it finally be the year of PKI? BTW - I see 'the year of PKI' as a modern-day proverb about something that is perpetually about to happen but never really does. Having said that, I'm a fan of PKI as a technology and can see that his point has some validity. The fact that a particular solution is in the cloud is not necessarily the problem. The bigger problem is that there are a variety of apps moving into the cloud, each with different security models and underlying security mechanisms. PKI technology might help us figure out how to provide a manageable solution for that complexity.

At the end of the day, I think Microsoft made the right move by bringing these technologies together, but it sounds like it'll be a while before we see a truly unified, native/out-of-the-box set of identity features such as point and click federation, PKI, or rights management.

TEC 2010

I'm approaching noon of my first morning at The Experts Conference (TEC).

During introductions this morning, Gil Kirkpatrick, who founded the conference years ago while at NetPro (acquired by Quest), reiterated the conference commitment to provide training and support for industry experts in Active Directory, Exchange, and now Sharepoint as well.

Adding to that support and bringing it beyond the annual conference is The Experts Community. I'll try to get more on that, but the idea is obviously a community of knowledge sharing that goes beyond basic training into in-depth knowledge sharing for expert-level practitioners.

And the audience has already proven that they fit the description of experts, challenging speakers and presenters in each session. This is NOT a conference where vendors could put up a marketing presentation and hope nobody notices some omission or flaw in the underlying technical approach.

As an example, someone stood up and asked Conrad Bayer (Microsoft's General Manager of Identity and Access) during his keynote about a slide he had put up during the presentation. The slide indicated that small businesses would be faster to adopt cloud solutions because they were less concerned with security and privacy. So, the question was important. Is that true? Does Microsoft believe that small businesses care less about security and privacy? And also - is Microsoft saying that cloud solutions are inherently less secure? Bayer clarified that small businesses are certainly concerned and that the slide content was probably referring to customer perceptions around security driving those decisions - and not actual security implications.

He also went on to confirm that Microsoft is working toward creating security symmetry between cloud and on-premise solutions to eliminate the concerns about security when moving solutions to a cloud model.

...more to come.

Thursday, April 8

Governance the next Era of Identity Management

Ben Goodman, in an Intelligent Workload Management article, notes that there's a coming paradigm shift in the world of compliance. He talks specifically about the new trend of turning to identity management solutions for help with compliance. We heard more about this trend from Dave Kearns in his discussion on SailPoint expanding its Access Governance solutions into the Identity Management space and Courion doing the inverse.

I spoke to an analyst recently who was hoping to see additional convergence between identity management, access governance, and compliance solutions. I think we can probably all agree that it would be nice. In my opinion, we're at least a few years out from that. Not because of technology, but because we need customer demand to drive it. And this is all so confusing, I don't think many organizations have come to the Buddha-like realization of what an ideal identity and access state would look like for them.

Mr. Goodman can correct me, but I boil his point down to one easy statement:

Start with Security and compliance will follow.

I published a paper in late 2007 in which I discussed creating a Culture of Compliance leveraging frameworks for a Multi-Regulatory Approach (it's still on the NetVision site if you're interested). Essentially, I was making the same points as Goodman. Tech professionals get really wrapped around the axle on mapping specific controls to specific regulations. But, that's a recipe for unnecessary cost, effort, and frustration.

If you must do mapping, map to a single framework and then show how that framework meets the requirements in the numerous regulations you may be facing. But an even better approach is to look at each of your critical systems and:

a) Secure them to satisfaction
b) Enable auditing to prove that security is real

We've gotten a lot better at part a). Security assessors can poke holes, identify weaknesses, and provide best practices to get an environment to a pretty secure state. But part b) means both answering the big question (who has access to what?) and monitoring activity to ensure that a secure state is maintained. Even in secure, locked-down environments, someone has access to sensitive information. And that needs to be watched.

If you can quickly provide answers on part b), compliance should be easier and less costly, even without a 30-page spreadsheet showing mappings of each control to each section of every regulation.

Tuesday, February 23

"Automated Provisioning Machine" (in quotes)

I like the cartoon at this Imanami blog entry. It's funny and makes a clear point about identity management (provisioning) solutions. I'll let them make the point rather than re-write it here. But like the old cliché says, a (moving) picture is worth a thousand words.

Friday, February 12

Identity Governance is not One Size Fits All

I read an article this morning written by SailPoint's Darran Rolls titled How Identity Governance Solves the Compliance. Aside from my feeling that the title was either cut-off or misprinted, the article makes a lot of sense. Rolls writes:
The identity management landscape is changing. The need for stronger auditing controls is giving rise to identity governance tools that are supplanting ID provisioning solutions as the centralized management layer for identity.
and later makes the point that:
This ability to translate technical identity data into business-relevant context is a critical advancement from old-school provisioning technology.
Yes and Yes.

This is exactly what I've been spending my time on at NetVision. One difference though. Much of Rolls' article focuses on the topics of platform coverage and correlation. While our solution scales and is deployed well into the Fortune 500, most of the organizations we speak to are turned off by the complexity involved with integrating numerous platforms.

NetVision's focus is on core network systems - Microsoft and Novell. That's Active Directory or eDirectory, which hold network user accounts, security groups, and some other entitlements based on account attributes -- and the associated file systems, which are a breeding ground for unauthorized access of sensitive information. Our goal is to be simple and easy to use, with no requirement for in-house expertise on access rights. And we get results on day one.

I'm not trying to give a pitch. My point is that Identity Governance is important. But, it's not one size fits all. While some organizations are looking for the solution with the broadest range of platform coverage and are willing to accept the inherent complexity, many are looking for easy-to-use, simple-to-own solutions that cover core networking platforms.

Who Has Access to What? is the question of the year. Tools that enable you to audit, monitor, alert, and report on access rights are a must-have for driving down audit costs and improving your ability to answer that question. We're entering the next wave in Identity Management. And it's not a pie-in-the-sky utopia of federated identity with built-in governance (yet). It's real-world solutions for answering the question of the year with zero effort.