Showing posts with label Audit. Show all posts

Thursday, October 18, 2012

SAP TechEd Days 2 and 3

As usual, events here at TechEd have caught up with me and I missed a post. Sorry, folks!

This does not mean that there has been a lack of activity here at TechEd. Yesterday, I attended an excellent hands-on workshop based on Context Based provisioning. Any organization that is looking into SAP IDM for the purpose of managing SAP Roles over multiple locations or positions needs to look into Context Based provisioning. I think one can make an excellent comparison between IDM contexts and the Derived Role concept within SAP. I'll have to write some more on that later, either here or on the SCN Blog. I've also come up with some other interesting ideas for Contexts which I will be working on over the next few weeks. Hopefully, I'll have something to share soon.

There were also a number of good Q&A sessions where users could go one-on-one with some of the SAP IDM experts that came over from SAP Labs in Trondheim, Norway. For those that don't know, NetWeaver IDM was born as MaXware Identity Server in Trondheim back in the 1990s and core development still happens there to this day. Concepts such as Assignments, Approvals and Virtual Directory Server were covered.

Today I was able to attend a session on the use of the Provisioning Framework. Not too much new there, but it was good to hear that SAP is committed to the Framework and feels that IDM is the best way to provision users to SAP systems. During the presentation, the following general IDM points were brought up that I would like to comment on:

  • Users should consider IDM over CUP if connections to external applications are required (e.g., Microsoft Active Directory)
  • IDM should be used over other provisioning methodologies for Audit and compliance reasons
  • Do not think of SAP or non-SAP roles, privileges, provisioning etc.; it is all Enterprise provisioning

I'll have a wrap-up of TechEd tomorrow with some closing thoughts.

Thursday, January 13, 2011

Some quick reads in SAP IDM and IdM in general.

Reporting, Metrics, Audit, whatever you want to call it, relies on being able to extract information from your identity management systems. This article is a brief discussion on the topic. I was fortunate to meet one of the authors, Gerlinde, during TechEd last year.

It's also nice to know our market is growing!

Wednesday, December 29, 2010

2010 and the Year in Identity

As the year draws down, I've been thinking a bit about the year and what it's meant in Identity Management. There's certainly been a bit of discussion about the nature of Identity, authentication and authorization controls. As technology, process and legislation grow closer, there's a greater need for Governance and Compliance controls than ever before. We're also seeing the beginning of the Cloud truly being a part of the IdM solution.

We're also seeing consolidation on the business side in both the product and implementation branches with Oracle, SAP and Microsoft all making purchases.

Related to this, one thing I've been wondering is what will happen with SAP systems if you rely on either CUA or SUN Identity Manager. What are your plans, if any, for migrating off? I've started a discussion on LinkedIn about this. Please take a moment and share your thoughts about what you are considering or planning.

On a personal note, I wish all of my readers a happy and healthy New Year.

Thursday, December 23, 2010

The meaning of Identity?

I’ve been involved in a number of conversations lately with colleagues and the Identity Commons mailing list about the nature of identity. The fact of the matter is that as far as the Information Technology / Information Security arena is concerned, there truly is no such concept as an identity. Rather, what we truly have is a collection of descriptors or “attributes” that, when brought together and agreed upon by an organization or group of organizations, describes what we choose to call the identity. Why the vagueness here? Well, that’s because an identity can be more than just people, but that’s another story. Regardless, once we have determined what goes into an identity, we can begin to discuss how technology can process it.

The thing that I’m hearing more and more is that just having an identity is not enough. As mentioned previously, the identity is just an agreed on set of descriptors and does not really do anything. So how do we make this happen?

Well, it is rather easy when everything is within the same domain. Agreements are easy (well, easier) to make when there is only one organization involved. Once we get outside of the domain, there is greater complexity due to meeting the diverse needs of each organization, including (but not limited to) audit requirements, privacy rules, establishing common protocols and, of course, determining a description of what the identity is in the first place.

It’s great that we’re linking in tightly to ERP suites as Oracle and SAP tell us we should do. Leveraging repositories for use in authentication is great as Microsoft says we should do. Federation would be fantastic if we could get folks to come to quick agreements. What we really need is more actions that are associated with what we do with these identities. From what I’m seeing / hearing, there’s not enough being done with the actual identities once we’ve constructed them based on the authoritative sources in the organization’s IT infrastructure.

I think a great example of what can be done is shown in an article in CIO magazine that I saw on Jackson Shaw’s blog the other day.

We talk about these things all the time, but it seems many organizations barely get out of the Authentication / ERP stage since that’s perceived to have more direct impact.

I disagree. Truly actionable items that result in a direct decrease in the time it takes to get employees functional should be the first effort in any Identity Management project after the data has been cleaned and an identity has been defined.

This is an ongoing discussion that’s not going away anytime soon. Not the definition of Identity, not what to do with the Identity, or how to protect the Identity.

Wednesday, September 08, 2010

Intelligent IDM

Just read a great blog post (Thanks, Dave Kearns for posting in your newsletter) that I think anyone involved in Identity Management Architecture / Design / Management should be aware of.

Earl Perkins from Gartner Group has written a short piece on Business Intelligence information that can be obtained from an IDM solution.

We've spoken for years about making IDM a part of compliance and security, and certainly tools such as SailPoint Identity IQ help provide that data, but I think that all applications, particularly provisioning applications that are long on information and short on reporting and logging, could do more to share this information, not only with central BI repositories. Certainly there is information that is of interest to a BI warehouse. It would be interesting to see what such a model would look like.

I look forward to seeing what Earl and others develop in this concept.

Tuesday, April 20, 2010

More on SailPoint

In reviewing yesterday's post, I realized I got a little off my intended track of talking about my SailPoint training, and spent more time talking about IdM Architecture.

In light of that, let me talk a little bit more about SailPoint and what they have to offer.

The SailPoint product seems pretty darn interesting. It does a fantastic job of linking into various types of repositories (LDAP, Database, ERP, flat files, etc.) that are found in the Enterprise and brings them into a common repository known as the Identity Cube (love this name, BTW).

Once the data is in the Identity Cube, all the fun begins: we can then do Role Mining, Segregation of Duties and other forms of Compliance analysis, and most importantly, Certification / Attestation. It's easy to do all sorts of searches and analysis on the information held within the Cube and produce everything from application-centric user role reports to IT Security oriented Risk scores based on role, application and group membership.

I'm going to find it pretty darn hard to believe that Enterprise IT and auditing departments will be able to work without a tool such as this in the future. This application is a great add-on to current Identity and Risk Management projects and I'm looking forward to working with it.

Monday, April 19, 2010

SailPoint Training

Not too bad when you get to go to two training classes in a row. Even better when they are on cool technologies like SAP NetWeaver Identity Manager and SailPoint's Identity IQ.

Had a great time and learned lots of stuff down in Austin, TX with the SailPoint team. Clearly, the IdM field continues to expand and redefine itself as a combination of regulation and security concerns demand better audit and compliance rules. Corporate Governance policies are finding themselves enforced as IT tools embrace certification and audit along with "old school" concepts such as user provisioning, password management and access control. I think SailPoint will be aggressively moving forward to complete this integration to produce a new "Compliance Driven" IdM model.

Given these developments, I find it hard to understand how Burton Group feels that "IdM is not aging gracefully" as pointed out in an abstract on Bob Blakley's latest paper, "Identity and Privacy Strategies Assessment (Single Instance Use Case)".

While I have the greatest respect for the folks at Burton, I have to say I cannot disagree more with this assessment. (Disclosure: I am not currently a Burton Group customer and as such only have access to the abstract and have not read the whole article.)

IdM is rising to meet several challenges, as I have indicated above, and if there are architectural flaws it is due more to the fact that current providers are channeling the products to reflect their application suites. Oracle, SAP and Microsoft all embrace some part of their technologies for application serving or the front end, or require specialized programming in the form of Java, Xpress or ABAP, and are increasingly being engineered to work first with their own products and then addressing the rest of the enterprise (SAP is particularly guilty here).

I also foresee additional growth as IdM embraces new technologies in user identification and a tighter integration between biometrics, smart cards and other identifiers becomes more mainstream. However, before this can begin, IT and IS have to agree on standards and adoption of these identification methods.

Also let's not forget about the Specter of Federated Identity Services. While there have been several successful architectures developed, it's still one of the most complicated IdM scenarios out there. Perfecting the Federation Use Case and its easy deployment will kick off another chapter in IdM's steady evolution.

Thursday, March 04, 2010

201 CMR 17

I've been hearing some buzz about this legislation lately. For those that have not heard, 201 CMR 17 is a Massachusetts state law that specifies standards for the access, storage and management of personal information for state residents. (Full text of the law can be found here.) While this blog has been more of a forum about Identity Management rather than Identity Theft, I still thought this was an interesting thing to discuss.

For the first time there is real comprehensive discussion of how data should be managed for the general public. While HIPAA and SOX mandate similar practices, this is the first legislation that says all personal information is important, not just the information as it pertains to specific groups or industries.

I do think that this is good for the Identity Management industry for a few basic reasons:
  • There's no such thing as too much security
  • Laws like this promote development of good access management infrastructure
  • It gives us a chance to reexamine existing role / access assignments
Of course this is always interesting to an old fashioned provisioning guy like me since it means we need to develop the existing User Life-cycle process to make sure that we are building in stronger access management as noted above. Laws like this will make us think again about concepts of:
  • Attestation / Recertification
  • Role Assignment / Segregation of Duties
Sometimes this will be an audit of what rights / permissions users have over various File System / ERP / Database objects. Sometimes it will be a complete reassignment of these rights.
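As an added illustration of the two review activities just named (not code from the original post), the following constructed Python example runs a Segregation of Duties check over a snapshot of rights held on file-system, ERP and database objects, then builds an attestation campaign that groups every personal-information entitlement under the manager who has to certify it. All users, systems, entitlement names and the SoD rule are made up for the example; an assignment whose holder has no manager on record is deliberately routed to an UNASSIGNED bucket so the ownership gap itself gets reviewed rather than silently skipped.

```python
"""Constructed example: a Segregation-of-Duties check and an access
recertification (attestation) campaign built from a snapshot of who holds
which rights on file-system, ERP and database objects."""
from collections import defaultdict

# Constructed snapshot: (user, system, entitlement). None of this is real data.
ASSIGNMENTS = [
    ("alice", "ERP", "AP_INVOICE_ENTRY"),
    ("alice", "ERP", "AP_PAYMENT_RELEASE"),
    ("alice", "FS",  "finance-share:payroll (read)"),
    ("bob",   "DB",  "hr_db.customer_pii (select)"),
    ("carol", "ERP", "AP_INVOICE_ENTRY"),
    ("dave",  "DB",  "hr_db.customer_pii (select)"),
    ("erin",  "FS",  "finance-share:payroll (read)"),   # no manager on record
]
MANAGER_OF = {"alice": "mary", "bob": "mary", "carol": "ned", "dave": "ned"}

# Hypothetical toxic combination: no single person may hold both at once.
SOD_RULES = [
    ({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}, "can enter and release the same payment"),
]

# Entitlements that expose personal information and must be certified every cycle.
PI_ENTITLEMENTS = {"hr_db.customer_pii (select)", "finance-share:payroll (read)"}


def sod_violations(assignments, rules):
    """Return (user, sorted conflicting entitlements, rule text) for every toxic combination held."""
    held = defaultdict(set)
    for user, _system, ent in assignments:
        held[user].add(ent)
    found = []
    for user in sorted(held):
        for combo, reason in rules:
            if combo <= held[user]:          # the whole combination is present
                found.append((user, sorted(combo), reason))
    return found


def build_campaign(assignments, manager_of, sensitive):
    """Group every sensitive assignment under the manager who must attest to it.
    Holders with no manager on record land in an UNASSIGNED bucket so the
    missing ownership is visible instead of being dropped from the review."""
    campaign = defaultdict(list)
    for user, system, ent in assignments:
        if ent in sensitive:
            reviewer = manager_of.get(user, "UNASSIGNED")
            campaign[reviewer].append({"user": user, "system": system, "entitlement": ent})
    return dict(campaign)


def apply_decisions(campaign, decisions):
    """decisions maps (user, entitlement) -> "keep" or "revoke".
    Returns (revocations to push to the target systems,
             items still awaiting a decision,
             audit records for every item, decided or not)."""
    revocations, pending, audit = [], [], []
    for reviewer, items in campaign.items():
        for item in items:
            key = (item["user"], item["entitlement"])
            verdict = decisions.get(key)
            if verdict == "revoke":
                revocations.append((item["user"], item["system"], item["entitlement"]))
            elif verdict != "keep":
                pending.append(key)              # nobody has certified this yet
            audit.append({"reviewer": reviewer, **item, "decision": verdict or "pending"})
    return revocations, pending, audit


if __name__ == "__main__":
    for violation in sod_violations(ASSIGNMENTS, SOD_RULES):
        print("SoD:", violation)
    camp = build_campaign(ASSIGNMENTS, MANAGER_OF, PI_ENTITLEMENTS)
    revoke, still_open, trail = apply_decisions(
        camp, {("bob", "hr_db.customer_pii (select)"): "revoke"})
    print("revoke:", revoke)
    print("pending:", still_open)
```

The audit list returned by `apply_decisions` records a row for every item in the campaign, including the ones nobody decided on, which is the record an auditor will ask for when checking that the recertification was actually completed rather than merely started.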

Complying with this law will require planning and forethought. The state of Massachusetts has provided a FAQ and a checklist to help begin the planning process. However, I think at the very least it requires a complete review of current processes combined with a thorough gap analysis by a knowledgeable project team.

As I think more on this, I will be posting my thoughts on what the 201 CMR 17 planning process will look like.

Friday, September 11, 2009

The Bigger Picture

In the Identity Management field, there's a lot of thought placed on how to provision users, and even more thought (rightly placed) on de-provisioning users. After all, if users can't get into the systems, you get no return from them since they are not as productive. Similarly, we also know that leaving user accounts active in the system leaves an organization open to data loss, financial and legal risk, and loss of productivity.

However, what of the middle of the user life cycle? User profiles and access need to be maintained as they change titles, departments and locations. It is also important to record this information for compliance/audit reasons.

IdM provisioning tools are probably the best tools for managing these changes in access for enterprise systems. While tools such as SAP's GRC are excellent for work in SAP systems, they are useless outside of them. Same goes for Active Directory / LDAP specific tools, PeopleSoft specific tools, etc. IdM systems have the ability to connect to all of these (and more) systems.

Leave the provisioning, role assignment and management to the IdM system and rely on specialty tools for specialty needs.

Monday, June 29, 2009

Where are the controls

I got this "joke" email from a family member, which I think proves some interesting points in the field of Identity Management, especially where governance controls are involved:

Outside the Bristol Zoo, in England, there is a parking lot for 150 cars and 8 coaches, or buses.

It was manned by a very pleasant attendant with a ticket machine charging cars £1 (about $1.40) and coaches £5 (about $7).

This parking attendant worked there solid for all of 25 years. Then, one day, he just didn't turn up for work.

"Oh well", said Bristol Zoo Management - "we'd better phone up the City Council and get them to send a new parking attendant..."

"Err ... no", said the Council, "that parking lot is your responsibility."

"Err ... no", said Bristol Zoo Management, "the attendant was employed by the City Council, wasn't he?"

"Err ... NO!" insisted the Council.

Sitting in his villa somewhere on the coast of Spain, is a bloke who had been taking the parking lot fees, estimated at £400 (about $560) per day at Bristol Zoo for the last 25 years. Assuming 7 days a week, this amounts to just over £3.6 million ($7 million)!

So what's the point here? Without governance controls anyone can come in and rule the roost. There is no accountability, control or record. I know I've been harping on this a lot lately, but it just seems to me that if controls are not in place and a means for reviewing the implementation and usage of the controls, anyone can walk away with the keys to the kingdom as it were.

This is much like what happened with Abdirahman Ismail Abdi or even Terry Childs, both of whom I have commented on before. If either one of them had been subject to some sort of governance process it would have been much more difficult for them to execute their schemes.

After all, you know what they say, "a million here, a million there and soon we're talking about real money."

Tuesday, April 07, 2009

The Next Frontier?

Identity Management continues to find a space in the Enterprise landscape. It would seem that it's been falling into the realm of Information Security. Not sure that I completely agree with this but at least it's being discussed as part of Enterprise Architecture.

Certain business verticals in particular have been embracing this technology more than others. Most notably, Higher Education has been a big proponent of Identity Management (gotta give it to Oracle's OIM/Fusion Middleware, they're doing well here right now). As I think about other verticals, it strikes me that it's about time that the Health Care industry embraced IdM.

Why so, you might ask? Here's a few of my reasons:
  • HIPAA -- How can you discuss the Health Care field and not talk about HIPAA? Strict access controls, need for compliance, monitoring of changes to accounts? All easily done by IdM. Advances in GRC apps will make even more of a splash.
  • Lots of changes -- Permanent staff, temps, students and visiting professionals mean there are lots of changes in the user community; add vendors, contractors, patients and visitors on top of that, and it seems to me that all of this should be captured and recorded. Virtual Directories will be key in maintaining these user communities.
  • Identity is more than people -- Role management will also be important for business and technical roles. The better we track how these roles are created and maintained, the easier it will be to administer them.
  • Physical Access management -- Hospitals by nature are intended to be secure, so including means of physical access management will be important, either through "smart cards", biometrics or a combination of both.
I'll be thinking more about this in the coming weeks and months, what about you? Anyone out there doing this in a medical/hospital facility? What are you doing?

Saturday, January 24, 2009

The Real Time Myth

I was talking to a colleague last week and the topic of real time provisioning came up. This has always been a bit of an issue with me due to the use of the term "real time". I've almost always found that by the time we discuss what is involved in the act of provisioning and what the requirements really are, it is impossible to have this happen in "real time". The fact is provisioning takes time. Always has, always will. Writing the information to your authoritative store takes a certain amount of time. As does provisioning to LDAP. We know it takes at least 15 minutes for AD to begin replication, and regardless of the type of Directory Service used, it takes time to replicate in an international setting.

In my experience most organizations are more concerned with improving performance over the old methodology and getting initial provisioning to happen in less than a day. There's nothing that irritates a manager more than having to sit around and wait for the new person's accounts to be created. If we can get that time period down to a reasonable wait, hopefully to about the time it takes to fill out the remaining new hire paperwork, tour the facility, get the briefing from HR and have that welcoming cup of coffee, we will have made progress.

In the best of all possible worlds, provisioning should have already been started as soon as HR receives a signed offer letter. Creating essential accounts in a disabled state gets a lot of the heavy lifting done and front loads the whole process. This way all that has to be done is wait for the start date to occur and then enable accounts via a regularly scheduled workflow. However, I recognize that even creating disabled, locked accounts poses something of a risk so it will not be for all organizations.
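The following Python example is added here to show the life cycle described above and in the earlier "The Bigger Picture" post in working form; it is constructed for this page and is not code from the blog or from any IdM product. Accounts are created disabled as soon as the HR feed shows an accepted offer, a scheduled workflow enables them once the start date arrives, a mover change recomputes roles from the new title, and every transition is written to an audit trail. The hire records, the title-to-role mapping and the username rule are all hypothetical. The risk the post mentions is handled by having the scheduled job re-read the authoritative HR feed on every run: a pre-created account whose offer was rescinded is removed instead of being enabled.

```python
"""Constructed example: a miniature user-lifecycle engine with
pre-provisioning (create disabled), scheduled enablement on the start date,
mover changes and an audit record for every transition."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Hire:
    """One record from the authoritative HR feed (constructed sample data)."""
    person_id: str
    name: str
    start_date: date
    title: str
    status: str          # "offer_accepted", "active", "rescinded" or "terminated"


@dataclass
class Account:
    username: str
    enabled: bool = False
    roles: set = field(default_factory=set)


# Hypothetical title-to-role mapping; a real deployment would read a role catalogue.
ROLE_MAP = {
    "Analyst": {"base-user", "reporting"},
    "Manager": {"base-user", "reporting", "approver"},
}


class IdentityStore:
    def __init__(self):
        self.accounts = {}   # person_id -> Account
        self.audit = []      # every state change, in order

    def _log(self, event, person_id, **details):
        self.audit.append({"event": event, "person_id": person_id, **details})

    def pre_provision(self, hire):
        """Create the account in a disabled state as soon as the offer is accepted."""
        if hire.person_id in self.accounts:
            return self.accounts[hire.person_id]
        parts = hire.name.split()
        username = (parts[0][0] + parts[-1]).lower()        # hypothetical naming rule
        acct = Account(username=username, enabled=False, roles=set(ROLE_MAP.get(hire.title, set())))
        self.accounts[hire.person_id] = acct
        self._log("created_disabled", hire.person_id, username=username, roles=sorted(acct.roles))
        return acct

    def scheduled_enable(self, hr_feed, today):
        """The regularly scheduled workflow. It re-reads the authoritative HR feed on
        every run, so a rescinded offer results in the disabled account being removed
        rather than enabled. Returns (enabled ids, removed ids)."""
        enabled, removed = [], []
        for person_id, acct in list(self.accounts.items()):
            hire = hr_feed.get(person_id)
            if hire is None or hire.status == "rescinded":
                del self.accounts[person_id]
                self._log("removed_before_start", person_id, username=acct.username)
                removed.append(person_id)
                continue
            if (not acct.enabled and hire.status in ("offer_accepted", "active")
                    and hire.start_date <= today):
                acct.enabled = True
                self._log("enabled", person_id, username=acct.username, on=today.isoformat())
                enabled.append(person_id)
        return enabled, removed

    def mover(self, person_id, new_title):
        """Mid-lifecycle change: recompute roles from the new title and log the delta."""
        acct = self.accounts[person_id]
        target = set(ROLE_MAP.get(new_title, set()))
        added, dropped = target - acct.roles, acct.roles - target
        acct.roles = target
        self._log("roles_changed", person_id, title=new_title,
                  added=sorted(added), removed=sorted(dropped))
        return added, dropped

    def leaver(self, person_id):
        """De-provision: disable the account and strip every role, keeping the record."""
        acct = self.accounts[person_id]
        acct.enabled = False
        dropped = sorted(acct.roles)
        acct.roles = set()
        self._log("disabled", person_id, username=acct.username, removed=dropped)
        return dropped


def demo():
    """Walk two hires through the cycle; returns the store so the outcome can be inspected."""
    hr = {
        "p1": Hire("p1", "Ada Example", date(2009, 2, 2), "Analyst", "offer_accepted"),
        "p2": Hire("p2", "Bob Sample", date(2009, 2, 2), "Analyst", "offer_accepted"),
    }
    store = IdentityStore()
    for hire in hr.values():
        store.pre_provision(hire)                     # offer letters signed
    store.scheduled_enable(hr, date(2009, 1, 26))     # too early: nothing enabled
    hr["p2"].status = "rescinded"                     # HR withdraws one offer
    store.scheduled_enable(hr, date(2009, 2, 2))      # start date: p1 enabled, p2 removed
    store.mover("p1", "Manager")                      # later title change
    return store


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

Because the scheduled job trusts only the HR feed, and never the mere existence of a disabled account, the pre-provisioning window does not become a way for an account to go live without a current authoritative record behind it.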

In the end, careful analysis of the current-state and target-state environments is called for, along with a thorough examination of compliance, legal and best practices as they relate to the organization's needs.

Tuesday, October 14, 2008

IdM and the Economy

I observed two comments on the recent issues in the economy and its relationship to IT initiatives.

The first was from FOX Business, which I was watching during lunch today. As they were reviewing the tech stocks one of the panel said something along the lines of, 'with diminished income, companies won't be buying a new PC for your desk this year' (paraphrased).

When will the business folks get it through their heads that there is more to IT than the computer on their desks! I mean really, even more than email, firewalls and antivirus.

IT provides some essential services for the company that can provide a definite return, either in a direct return on investment or by avoiding fines and penalties through maintaining compliance and security standards.

One person that seems to get this is Ash Motiwala. In his blog entry today, Selling Identity in an Economic Downturn, Ash hits on this directly. It's not that you are spending money, but that you are achieving ROI and Compliance initiatives.

Let us look at ROI: when we don't have to have Network, Database and Application administrators creating and modifying accounts, they can be focusing their attention on making sure their areas of responsibility are working properly. When workflows are processed automatically (save approval actions), there's no need to have admins creating badges, modifying building access, and asking what kind of equipment each employee is supposed to have. Let all of these people do what they are supposed to be doing.

Compliance is another area. Let's face it, compliance is getting more complicated and sprouting up everywhere. Government realizes that charging fines and other penalties is a great way to make money, so there's a lot of attention here. In a time of data loss and identity theft, showing adherence to Compliance and other areas of Risk Management is a selling point from a company to its customers, making Identity Management initiatives even more important than ever.

Thursday, October 02, 2008

Two articles worth reading on IdM.

I read two interesting articles on different topics today and wanted to comment on both.

The first article is simply called "Identity Management" and appears on the Nextgov website. This was a very nice high level introduction to what happens in Identity Management. Just when you get to the point of "I've heard all of this before," it turns around and goes into a quick discussion of US Government requirements for Identity Management technology, particularly in light of Homeland Security Presidential Directive-12, which sets Identity and Access Management standards in the Executive branch of US Government. There are those who feel that this level of security is an excellent blueprint or at least inspiration for how private sector security should be executed.

The second article comes courtesy of the perspectives in the United Kingdom. In the article "Treat data like cash and the leaks will cease" the author, John Higgins, makes a point that I think is long overdue. We do not put the same emphasis on data, particularly Identity data, that we put on other parts of business and day to day transactions. It's such a basic observation in our field, and one I'm surprised has not been made before. Given recent lapses maybe it is time we started looking at how we treat data a little more carefully. I think it can put legislation like SOX in a whole new light. It might also be something to make us think again about how we make our business case for Identity Management and GRC solutions in the Private Sector.

Tuesday, July 01, 2008

SaaS-ish IdM

Matt F had some interesting things to say regarding my thoughts on why SaaS doesn't work for Identity Management.

I do agree with his point that most companies "are already outsourcing IdM – they just do it on a project basis". Let's face it, provisioning development is specialized work and it makes sense to let specialists do the work. To me this is the best argument in favor of combining IdM and SaaS.

However, looking back over the past couple of years with data breaches, Identity theft, etc, I still think that it makes more sense to keep everything under one's own lock and key.

Does this solve everything or protect the organization? Absolutely not; unscrupulous folks exist everywhere and keeping data local does not necessarily confer greater protection. However, if I were the person in charge of Compliance and Risk management, I'd want to be able to look at the auditors, police/FBI, Upper Management and lawyers after an incident and be able to say exactly what I did to protect my data and not say, "well, the hosting company told me they were secure..." If the organization lacks the experience or knowledge to properly secure their infrastructure, bringing it in would be a wise investment.

Monday, June 16, 2008

Value Adding Security to the ROI of Identity Management

I just had the pleasure of reading this fantastic article by my friend and fellow blogger, Matt Flynn.

Matt has some fascinating thoughts on the future of provisioning where he submits that the future of provisioning must include detailed rights management and auditing. Having this information increases the Return on Investment (ROI) of a provisioning solution since increased rights management reduces security risk and therefore increases ROI.

I can't say that I disagree with these thoughts. The original goals of Identity Management (which Matt also covers in his article) focused on data accuracy and authoritative stores resulting in increased efficiencies and reduced support costs. Reducing security audit risks results in reduced fines and never having to spend money in cleaning up after a security breach.

It will be interesting to see how the Identity Management vendors and solutions react to these thoughts, but I think we'll see some quickly!