Friday, August 29, 2008

More Reasons Not to Trust SaaS

It might be the most cliche of reasons not to trust SaaS, but I see too many of these types of issues:

These events might be rare, but consider that this was the second event for Amazon in the last six months and I think that the fact

Recent DNS vulnerabilities can also affect access to remote services.

I'm thinking we need to be very careful when considering SaaS, particularly in mission-critical applications where Identity Management and work-flow could be involved.

I just can't help but think I'd rather have these things under my organization's troubleshooting and control rather than someone else's...

Saturday, August 23, 2008

A New Whitepaper is born

I'm pleased to announce that Business Trends Quarterly has just published SECUDE Global Consulting's latest white paper! The white paper is called Strategies for Creating an Authoritative Store. I think you'll find that it meshes with several topics I've discussed in this blog and on SECUDE's IdM Blog as well.

Thursday, August 21, 2008

Research in Identity Management

I'm always impressed when I see things like this. We in the IdM world already know how important it is and that it is something that should be applied to all organizations and transactions.

As this attention grows we'll be seeing more research, scholarly papers and studies in IdM. We already know that Colleges and Universities are prime places to implement Identity Management solutions of all types. It should be interesting to see how the researchers at these institutions come up with new ideas in IdM. This should be a great bootstrap for the field.

Wednesday, August 20, 2008

Back to Basics

I was happy to read a recent posting by Dave Kearns and his overview of the NetProConference Survey results. Both Dave's synopsis and the actual survey are worth reading.

Specifically, I'd like to highlight the following taken directly from the survey results:
  • User provisioning/de-provisioning is the toughest challenge for IT organizations. 34% of respondents rate this area as “problematic” or “out of control” at their company.
  • Delegating administrative rights (29%) and Compliance Reporting (27%) take 2nd and 3rd place as challenges.

From this, I'm still seeing that the basics of Identity Management are still the key challenges to be faced by the CIO and IT department.

Without good controls on provisioning and deprovisioning, there is no foundation for compliance and security administration. Creation of central identity stores, and work-flows based on them, is a requirement for building out any compliance or security framework. These applications require an authoritative store that can be used to make sure that authentication and authorization take place in the correct context.

Personally, the only flaw I saw in the survey was that it was very much centered in the Microsoft world and did not talk about any of the other players in the IdM world (SUN, Oracle, SAP, Sentillion, Hitachi, etc.). Of course, given that NetPro is highly focused on the Microsoft world, it's easy to understand. However, I cannot help but wonder how the survey results would change if the scope were somewhat expanded...

Monday, August 11, 2008

Managing your identity (at least in alpha)

Almost as soon as I posted my last link I saw an article about chi.mp, which although in alpha seems to be moving in the direction I was thinking about. According to the chi.mp website:

Chi.mp is building a flexible, permanent home for your online identity on your own domain. You own and are in control of the facets of your digital life, not any one service provider. One place for your profile, your contacts & content, where you have control over who gets to see what.

It will be interesting to see what the eventual model for this service is. Will it strictly be a retail model or will it also be good for all aspects of managing one's identity?

Another thing I wonder about here is where my data sits. Is it somewhere in the "cloud"? How are authorization and authentication to be done? Essentially, how will I control where my data goes and who sees it? This all seems like some pretty ambitious stuff. I'll be keeping tabs on their development.

For more information on what the chi.mp folks are thinking about, visit their blog.

Friday, August 08, 2008

I've been thinking

I've been thinking a lot on what Identity Management means lately. Certainly my posts and thinking have been revolving around Provisioning. No big surprise given my background. But in reading other blogs, articles and papers I'm starting to think more about the "bigger" picture.

Certainly, we'd be nowhere without the infrastructure of IdM. Managing data held in directories and application stores is the basis of our challenges in the field. The fact is there's information about users all over the IT/Web Landscape. Finding ways of managing this information is absolutely critical.

This brings us to the topic of tools. We can think of all kinds of tools for managing identity information. Self Service Kiosks, provisioning UIs and HR applications are all ways of obtaining information. Work-flow engines, Virtual and meta-directories help to synchronize and process data; SSO applications allow us to increase the reach of our identity information. There is also the concept of managing and reducing the numbers of data repositories using these tools as well.

This is all old news to those of us in the IdM world; however, I'm getting more interested in what happens next and I've blogged on this several times before. The way I see it, there are two things that have to happen:

1. The continuing maintenance of Data. This has to happen on multiple levels.

From the perspective of the enterprise, information from all sources in the enterprise should be brought into a unified structure. I won't even touch the question of this structure's format. For the purposes of this discussion, acknowledging the store is enough. This store should be kept up to date with respect to all connected repositories, becoming the central authoritative store.

There's another perspective that I have not really addressed in the past, which is the personal perspective. For too long, I've only looked at the enterprise perspective, but given recent trending I think it's important to look at personal identity management as well. By this, I'm referring to the ability of a given person to build the components of their identity for use by the outside world. What information should be public, what information should be private with respect to other people and organizations?
  • Do my friends need to know my work telephone number or will my mobile suffice?
  • Do the people in my office need to know my IM handle that I use after work?

I think you get the point. I know there's a lot of people out there thinking about this and it is something I plan on learning more about in the coming months.

2. How do we know that our data, applications and access are secure?

This is another big question and touches on the topic of GRC, which I've also been blogging on recently. There's some debate on this at the moment which I'm not going to go into in detail. However, whether you look at this as one discipline or three (or four if you subscribe to GRCE), for the purposes of this discussion it does not really matter. The fact is that all organizations must manage risk and that includes risk to one's IAM data. The fact is that one's identity data is directly tied into one's access management data and therefore this needs to be watched closely.