To wrap up my thoughts on SaaS, I wanted to take a moment and discuss why I do not believe that SaaS is good for IdM and a little bit of how it could be made to do so.
I have a lot of trouble getting my head around the idea that I should (or ask someone to) trust an outside source with holding and processing my organization's identity data. Frankly, it scares the crap out of me. In this situation there would be terribly few controls over who accesses my servers and when. What happens when an upgrade goes in? How do I know what's going on? Basically, how do I guarantee the security of my implementation when it lives among people that "don't wear my company's shirt"?
Aside from this, I'm relying on a whole lot of infrastructure to make sure that my IdM applications stay up and running. What happens if there's a networking issue between my organization and the data center? How do I ensure scalability? What are the assurances on hardware availability?
These are the top two things that are on my mind when considering IdM and SaaS. Now I personally dislike it when someone comes to me with issues and does not have any ideas on how to remediate them. (I also think it's a downer) So here's some quick thoughts:
As far as security goes, one would have to assume that we can lock down the boxes and grant temporary access to the host/implementers for upgrade purposes. At a more basic level at some point there must be some level of TRUST between application owners and system administrators. If that trust is not there, then there's a more basic problem that needs to be addressed. I seem to recall a couple of years ago an article that discussed the need for trust between System Administrators and Application owners. I'll have to see if I can find the reference.
Hardware availability falls under the same umbrella. Great care needs to be taken when choosing a SaaS host that they have good failover and DR solutions. As far as scalability goes, I would suggest that if at all possible, test SaaS in a controlled pilot setting, possibly between the data center and the DR data center as a means to test availability, security and failover capabilities. Know that everything works in a way that fits the company's IdM mandate, GRC requirements and IT standards before looking for that SaaS provider.
Friday, June 27, 2008
Thursday, June 26, 2008
Who's at Burton
On the serious side... I'm seeing a lot of people in Higher Education and it's been great to catch up with some people that I've not seen in a while. I've always said that IdM and Higher Ed are a great match since among other things, there's a population that changes over at least twice a year. On the darker side, there are some real challenges to Higher Ed. I will dedicate a future post to the challenges and opportunities when IdM is matched up with Higher Ed.
On the fun side... I got a chance to catch up with a number of people from former lives including Mycroft and MaXware, customers and employees. It's always nice to catch up with old Friends.
I also got a chance to meet with some new people as well who've given me much to think about in the Role Management and GRC arenas. When I can get my head around all of this, I will report on that as well.
Why SaaS
Yesterday, I gave a general overview and opinions on Software as a Service (SaaS) and how it pertains to the IdM space.
Today I wanted to speak about why SaaS might make sense for the IdM world.
First of all there's a definite possibility of reducing cost. If the applications are hosted elsewhere local costs (hardware, power, manpower, network bandwidth, etc) can all be reduced. From discussions here at Catalyst savings of up to 80% have been realized in some SaaS efforts. (In the spirit of full disclosure not all of these are IdM related)
Next, there's reduced support costs. Upgrades can be executed on site at the data center, travel and other consulting costs go way down. On the implementers side, efficiencies rise as engineers can easily work on multiple projects, implement updates, react to crises and have easier access to peers for support and escalation.
So basically SaaS gives us the opportunity to achieve economies of scale that allow customers and application providers to best provide service and reliability.
Wednesday, June 25, 2008
SaaS: The Series
As you might know from reading the SECUDE Global Consulting Blog, I am at the Burton Catalyst Conference this week. One topic that I got into a lot during the first evening was about Software as a Service (SaaS).
I heard a number of arguments, both Pro and Con about this topic. Over the next few days I plan on discussing a number of things about SaaS on this blog.
Rather than starting off with Pros and Cons of SaaS (those who know me, know my feelings, but I'll hold off for the moment) I'd like to start with what I call the Chicken and the Egg issue.
In some way shape or form, SaaS will come to IdM as it will to other areas of the IT world. However, I believe that IdM has some specific challenges that need to be addressed, namely in security and reliability.
Due to these considerations I'm thinking that only firms that specialize in the IdM space will be able to be successful hosts. However will firms be willing to be early adopters? This is where the Chicken and Egg argument comes in. Customers are going to want experienced hosts, but I do not believe there are any hosts out there that are ready.
I'll be discussing some of the details of what an experienced host will offer and some potential strategies for mitigating the risks in the coming days.
Thursday, June 19, 2008
SECUDE Global Consulting Blog
SECUDE Global Consulting now has its own blog! Look for the members of the IAM team to be posting their thoughts on the entire Identity landscape. We'll be passing along lessons learned, thoughts on IdM architecture and the odd philosophical thought or two.
I will continue to post here as well with my own thoughts and comments that are outside of the charter of the corporate blog. Remember, as always, my comments here are my own and not to be taken as those of my employer or clients at any time.
Wednesday, June 18, 2008
Burton Group
I'm happy to say that I will be attending the Burton Catalyst conference next week, from June 24th through the 27th.
I'm looking forward to seeing what's new in the IAM field and reconnecting with old friends and associates.
If you're planning on attending the conference, please drop me a line, I'd love to meet up with you to discuss your thoughts on Identity, GRC, Risk Management and anything else that might come up.
I will be making it a point to post from San Diego next week!
Monday, June 16, 2008
Value Adding Security to the ROI of Identity Management
I just had the pleasure of reading this fantastic article by my friend and fellow blogger, Matt Flynn.
Matt has some fascinating thoughts on the future of provisioning where he submits that the future of provisioning must include detailed rights management and auditing. Having this information increases the Return on Investment (ROI) of a provisioning solution since increased rights management reduces security risk and therefore increases ROI.
I can't say that I disagree with these thoughts. The original goals of Identity Management (which Matt also covers in his article) focused on data accuracy and authoritative stores resulting in increased efficiencies and reduced support costs. Reducing security audit risks results in reduced fines and never having to spend money in cleaning up after a security breach.
It will be interesting to see how the Identity Management vendors and solutions react to these thoughts, but I think we'll see some quickly!
Friday, June 13, 2008
New Happenings
I'm pleased to say that I am now working at SECUDE Global Consulting in the Identity Management Practice.
Working with SECUDE Global Consulting brings me back into actively participating in Identity Management Engineering and Architecture full time. As an added bonus I get to work once again with the MaXware Identity Center (now called SAP NetWeaver Identity Management) and customers throughout the United States and around the world.
As SECUDE Global Consulting and SAP enjoy a strong relationship, I look forward to remaining at the forefront of the Identity Management world. Look for some new things to be happening in the coming weeks.