Showing posts with label economy.

Monday, March 29, 2010

News Update

I'm happy to say that I've started what I hope will be a long and successful association with Commercium Technology Inc. I am now working with them as a Senior Principal Consultant in the Identity and Access Management group.

I'm looking forward to working with SAP Identity Management, Virtual Directory and other exciting technologies like SailPoint. I'm looking forward to learning (and writing) about all of this in the weeks and months to come.

Please feel free to reach out if we can help you or your organization with your Identity Management or Compliance needs!


Monday, June 29, 2009

Where are the controls

I got this "joke" email from a family member, which I think proves some interesting points in the field of Identity Management, especially where governance controls are involved:

Outside the Bristol Zoo, in England, there is a parking lot for 150 cars and 8 coaches, or buses.

It was manned by a very pleasant attendant with a ticket machine charging cars £1 (about $1.40) and coaches £5 (about $7).

This parking attendant worked there solid for all of 25 years. Then, one day, he just didn't turn up for work.

"Oh well", said Bristol Zoo Management - "we'd better phone up the City Council and get them to send a new parking attendant..."

"Err ... no", said the Council, "that parking lot is your responsibility."

"Err ... no", said Bristol Zoo Management, "the attendant was employed by the City Council, wasn't he?"

"Err ... NO!" insisted the Council.

Sitting in his villa somewhere on the coast of Spain, is a bloke who had been taking the parking lot fees, estimated at £400 (about $560) per day at Bristol Zoo for the last 25 years. Assuming 7 days a week, this amounts to just over £3.6 million ($7 million)!


So what's the point here? Without governance controls anyone can come in and rule the roost. There is no accountability, control or record. I know I've been harping on this a lot lately, but it just seems to me that if controls are not in place, along with a means for reviewing the implementation and usage of the controls, anyone can walk away with the keys to the kingdom, as it were.

This is much like what happened with Abdirahman Ismail Abdi or even Terry Childs, both of whom I have commented on before. If either one of them had been subject to some sort of governance process it would have been much more difficult for them to execute their schemes.

After all, you know what they say, "a million here, a million there and soon we're talking about real money."

Monday, June 22, 2009

Promising News

Had an interesting article cross my email today from techtarget.com. It nicely dovetails with discussions I've had with many in the IdM and Security fields.

The basic fact is that businesses save money when they implement Security and Identity Management projects. The cost of one security breach, password exploit, compliance violation, etc. dwarfs the investment and maintenance of a sound enterprise security infrastructure.

I found it interesting that the experts quoted in the article specifically referenced encryption, compliance and Identity and Access Management technologies. I would also recommend the use of SSO technologies, which make it easier to enforce password policy and promote compliance.

In the war of data security, a good defense is the best offense.

Thursday, May 07, 2009

New School Identity Management?

I'm all for a discussion of changes in the Identity Management world; in fact, I encourage them. I think it's a pretty dynamic world. As Mark Diodati mentions in his article "Changing times for identity management" (login required), there are elements of IdM that are established parts of IT infrastructure, and then there is "New School Identity Management," where he talks about Privileged Account Management, AD Bridges and Virtual Directories.

All due respect to Mark, who I know has been around the IdM world for some time, but none of these elements should be considered New School; they have been around for quite some time.
  • Privileged Account Management - I don't know of an engagement I've worked on in the last 5 years that did not have some concern about the creation and management of both Privileged and Service accounts. If anything, because of their nature, these accounts have a greater need to be created in such a way that they are done according to mandated processes and recorded for audit and review.
  • AD Bridges - While not a technology I've gotten to work with a lot, I know that many a mixed UNIX/Microsoft shop considers the Vintela/Quest tools to be indispensable.
  • Virtual Directories - Again, a technology that's been around for a long time. I've been working with Virtual Directory technologies since 2004, where I would commonly show customers how to map information, provide access controls and even used the Virtual Directory as a write back mechanism to supported repositories.
I can say that I'm glad these Identity Management technologies are finally getting their time in the sun. Some of these technologies have not been considered as interesting or sexy since they worked with a subset of users. I think we can all agree that there are more end users than UNIX accounts or system accounts so they should receive some more attention.

However, in the end, the design and implementation of an Identity Management solution must be holistic in nature. Regardless of one's opinion on the New School qualities of all the technologies Mark mentions in his article, they must all be considered and planned for in the final design.

Tuesday, April 21, 2009

Where oh Where will MySQL go?

Well, it's been just over a day since the Oracle/Sun announcement. A lot has been said about the match, some good, some bad. Most note (as did I) that the Java and Hardware additions to Oracle are a plus and that there's a bit of overlap.

One of the most interesting elements of overlap is MySQL.

Sun and Oracle have been going tit-for-tat with acquisitions going back to Waveset/Thor a couple of years ago in the IdM space. Oracle has been doing the same thing with SAP trying to build its own version of NetWeaver and an ERP suite. Now all three companies have the same basic arsenal of products with their own specialties:
  1. Sun offers both hardware/OS layers, Java, and is the Elder statesman of the IAM space
  2. Oracle offers the database and is showing great momentum in the IdM and ERP spaces
  3. SAP offers an ERP suite with tight integration via NetWeaver
I can't see that regulators will allow Oracle to hold onto MySQL while they hold the lion's share of the database market (44.3%). Given this, I wonder what Oracle plans to do with MySQL. They could move it back to open source and set up an independent organization to manage it, but this does not seem to mesh with the Oracle Corporate Culture, which has not historically been keen on open source.

My thinking is that SAP should try to acquire it, and I wonder why they did not make a try at this before. MySQL is already the basis for MaxDB and would address a major missing piece of the SAP architecture. Being able to control both the front and back end of the SAP solution set would offer a new level of cohesion for NetWeaver and place it on a more equal footing with Oracle. However, I don't foresee a direct transaction occurring between Oracle and SAP. Look for the spin off to occur and SAP to make the acquisition as soon as they think they can get away with it.

I don't think SAP will pass on this opportunity a second time.

Monday, April 20, 2009

First thoughts on Sun/Oracle

Wow. There's a lot to consider here. On the macro level, I can't see this as a bad thing for Oracle. A hardware stack, ownership of Java, Solaris...

On the other hand, there would appear to be some significant overlap, databases, ERP, IdM...

I think there's going to be a lot of CIOs, CFOs and CEOs who are going to be looking at where they should go now. Taking a very high level look from the IAM/ERP perspective, is this the right time to ditch the current infrastructure and:
  • Embrace their ERP vendor and solidify the environment
  • Embrace their OS vendor and get everything on one OS
  • Embrace their hardware vendor and get everything on one platform
  • Embrace Open Source and junk the whole corporate nightmare
  • Embrace individual point solutions and get best of breed solutions

There's lots of ways to look at this. The one thing I know for sure is that it's way too early to make any determinations. I agree with Jackson Shaw's thoughts on this in that it is indeed a dog's breakfast and will take at least 18 months to figure out. Also kudos to him for coming up with a quick and witty one liner to describe the situation.

Tuesday, April 07, 2009

The Next Frontier?

Identity Management continues to find a space in the Enterprise landscape. It would seem that it's been falling into the realm of Information Security. Not sure that I completely agree with this but at least it's being discussed as part of Enterprise Architecture.

Certain business verticals in particular have been embracing this technology more than others. Most notably, Higher Education has been a big proponent of Identity Management (Gotta give it to Oracle's OIM/Fusion Middleware, they're doing well here right now.) As I think about other verticals, it strikes me that it's about time that the Health Care industry embrace IdM.

Why so, you might ask? Here's a few of my reasons:
  • HIPAA -- How can you discuss the Health Care field and not talk about HIPAA? Strict access controls, need for compliance, monitoring of changes to accounts? All easily done by IdM. Advances in GRC apps will make even more of a splash.
  • Lots of changes -- Permanent staff, temps, students and visiting professionals mean there are lots of changes in the user community; topped with vendors, contractors, patients and visitors, it seems to me that this should be captured and recorded. Virtual Directories will be key in maintaining these user communities.
  • Identity is more than people -- Role management will also be important for business and technical roles. The better we track how these roles are created and maintained, the easier it will be to administer them.
  • Physical Access management -- Hospitals by nature are intended to be secure, so including means of physical access management will be important, either through "smart cards", biometrics or a combination of both.
I'll be thinking more about this in the coming weeks and months, what about you? Anyone out there doing this in a medical/hospital facility? What are you doing?

Tuesday, December 23, 2008

Recent Article

I did not think I'd have anything else to say before the end of the year. However, this was not to be the case... Some months ago I was interviewed, along with several others, for an article that has appeared in Information Security Magazine. The article, by Robert Westervelt, talks about Identity Management challenges in an economy full of Layoffs and Mergers. It's a very nice high level treatment of some of the strategic reasons to have Identity Management Solutions in place.

You might need to register in order to view the material; however, there is no charge to view the content.

Tuesday, October 14, 2008

IdM and the Economy

I observed two comments on the recent issues in the economy and its relationship to IT initiatives.

The first was from FOX Business, which I was watching during lunch today. As they were reviewing the tech stocks, one of the panel said something along the lines of, 'with diminished income, companies won't be buying a new PC for your desk this year' (paraphrased).

When will the business folks get it through their heads that there is more to IT than the computer on their desks! I mean really, even more than email, firewalls and antivirus.

IT provides some essential services for the company that can provide a definite return, either in a direct return on investment or by avoiding fines and penalties through maintaining compliance and security standards.

One person that seems to get this is Ash Motiwala. In his blog entry today, Selling Identity in an Economic Downturn, Ash hits on this directly. It's not that you are spending money, but that you are achieving ROI and Compliance initiatives.

Let us look at ROI. When we don't have to have Network, Database and Application administrators creating and modifying accounts, they can be focusing their attention on making sure their areas of responsibility are working properly. When workflows are processed automatically (save approval actions), there's no need to have admins creating badges, modifying building access, and asking what kind of equipment each employee is supposed to have. Let all of these people do what they are supposed to be doing.

Compliance is another area. Let's face it, compliance is getting more complicated and sprouting up everywhere. Government realizes that charging fines and other penalties is a great way to make money, so there's a lot of attention here. In a time of data loss and identity theft, showing adherence to Compliance and other areas of Risk Management is a selling point from a company to its customers, making Identity Management initiatives even more important than ever.