
Posts Tagged ‘burtongroup’

2010 #GartnerIAM – the rise of identity intelligence

November 22, 2010 1 comment

If you attended Gartner’s IAM Summit in San Diego last week, you may have a few lumps on your head. They’re from being beaten over the head with the identity intelligence stick. Earl Perkins led a charge up the slope of business importance for identity management that hopes to secure it a place in the highest levels of business intelligence and decision support. I’m all for it. One thing that was said on stage more than once was that if the IAM professionals of the world keep concentrating their efforts on plumbing like provisioning connectors, they are going to be out of a job as vendors make those bits of pipe a commodity. A bit melodramatic, but not entirely untrue. But what didn’t float down from the high-minded discussion on stage was a clear set of examples for this identity intelligence. Even in the final session of the conference’s second day, the audience was asking in several forms for the panel of analysts to give some clear use cases. And in the very last session folks commented that they felt like most of this intelligence stuff was too high-minded to use in practice. Of course, it’s not really fair to ask for all that. Partly because it’s not the place of the analysts to put things into a final form and partly because it breaks their business model to give you the whole picture in the conference. The conference is the start of a process they would like to draw you into – a process the people who can’t see it all clearly probably need more than those who can.

I think intelligence, on every level of IT and security and especially in the world of IAM, is poised to make a big impact. It only makes sense. The technology is there to do it. Intelligence is all about saving time and effort, which means saving money. There is no better time for money saving ideas than right now. Some in the hallways were very unconvinced. But it reminded me of the quote from Gandhi: “First they ignore you, then they ridicule you, then they fight you, then you win.” I’d say the majority of the people in the halls were somewhere between the ignoring and the ridiculing. Few seemed prepared to fight. And just a handful came by the Quest booth asking about that label “Identity Intelligence” on our signs like it was a good thing. We’ll be rolling out our vision of a way to apply intelligence to IAM soon enough. And the idea that there is too much emphasis on plumbing is exactly the right mindset. Those seeking use cases really ought to look in the pantheon of classics. Because intelligence won’t be about doing different things in most cases. It will be about doing the same things in a better way. Intelligence will also deliver on goals in IAM project plans that, in the past, seldom became reality.

Not every session was focused on the intelligence theme. The sessions with Bob Blakley and Lori Rowland were much more practical, of course, having the Burton Group spin to them. My personal favorite session was one presented by Perry Carpenter called “Innovative Plumbing: Five Out-of-the-Box Ideas for Leveraging Your IAM Investment in Unexpected Ways”. Perry took the audience through some counter-intuitive sounding pieces of advice that were very practical. You can get the slides online, but the gist of the list was this:

  • use a virtual directory for easier migrations & application development
  • use ESSO usage statistics to provide BI/DSS for roles & provisioning
  • save on cost with identity graveyard outside directories where you’re paying per user fees
  • use your web proxy to deliver policy detail that explains effects of bad behavior like malware just in time as users commit out of policy offenses

All of it is sound advice. It all stresses something we don’t hear enough in IAM – KISS (keep it simple stupid).

a new SPML? a provisioning problem.

Mark Diodati of Gartner (that was a bit hard to type right the first time) has published the results of the SPML SIG held at #cat10. I think it captures the feeling of those present very well. At about the same time the minutes of the first meeting of the SPML PSTC in a long while were published. It seems there’s a much different split there than there was at the SIG. The split is basically between folks who want to see a “clean start” with a version 3 and those who want to see version 2 revved so it’s more realistic. I’m on the latter side, and so are the folks at Quest that I’ve spoken to. In fact, both at Quest and at customers, everyone I’ve spoken to about this outside a tight circle of “identity gurus” has agreed that SPML would best serve the larger community as a means to have systems communicate. Anything beyond that is overkill. At least for now. If all the different solutions had a standard way to do CRUD operations between one another, that would go a long way to solving many practical issues in heterogeneous IT environments.

I’d like to get more involved and I’m working with Quest to see if that can happen. This is something I’d like to see done from start to end.


ghosts of the interscaler directory at #cat10; let’s do it!

There were a lot of points at Catalyst 2010 where Kim Cameron’s Interscaler, Federated Directory and Identity Schema came up in my mind, though went unmentioned by the speakers. I know I wasn’t alone, either. It was there like a ghost in every discussion. When Anil John spoke about Background Attribute Exchange (BAE), one of the first questions was about how to ensure schemas would be in sync. When Nishant Kaushik spoke about federated provisioning, again questions had everyone talking about how directories would be able to rely on attributes being “exchangeable” across domains. And when the folks from GM gave their talk the second or third question was about how they decided what attributes would be included in their avatar identities and which would not.

How does this move forward? I get dizzy when I look at all the standards bodies around identity. I’ve got a lot of energy to offer around this and don’t know where to push it. It’s not about a product or a vendor. I’d like to see this be an industry thing that everyone can benefit from.

mii parade – identities go marching at #cat10

August 4, 2010 2 comments

I’ve just returned from Gartner/Burton’s Catalyst 2010 in San Diego (“just” returned when I wrote the first draft, not so much now that I’m finally getting to edit and post…). One of the sessions (Wednesday morning in the identity track) featured GM presenting about their fairly advanced and very well thought out identity management processes and platforms. They had a very mature outlook on what the real sources are for identity and how to empower the business to leverage the value of those identities over time and through the lifecycle.

Perhaps the best example of that was how they manage identities that are not really fully baked: management of avatars. The presenter from GM made a great analogy to explain this. He talked about the Mii parade from the Wii. If you’re not a Wii person, this needs a bit of context. On the Wii you have an avatar called a Mii. In many games that Mii is what you see on the screen to represent you. Since the Wii is designed to be multiplayer, you can of course have many Miis on a system. Apparently his daughters are just like mine. They make a Mii for every kid that shows up at their home; mine even make them for characters in books and people they meet away from home. What use is the Mii if there is no one to play as them? In some parts of some games, there are parades and other places where crowds appear. And these Miis, played with or not, show up in those crowds.

GM will make an identity for anyone that comes to their facilities, even going as far as to assign them a unique identifier. If that person eventually ends up as a contractor, then they will retain that identity. If they become an employee, they keep the same identity. And if they leave, the identity is still maintained. They also do similar things for what they termed “people of interest”. These are people like an employee’s spouse, who would be in some systems to receive benefits and therefore have one of these avatars or half-baked identities. So, with all these avatars in their systems, when they go through to do large reports and such, they end up with a Mii parade with all these avatars that are not users as such showing up in the crowds.

This struck me as being deeply right. Most organizations want to reduce the identities they have at all costs. But identities are data, and data has value. Of course, Quest and I are fans of reducing accounts and points of access, but that’s quite different. This is about having many singular identities that can be used to fill out your Mii parade so that it acts and feels as real as possible. The rich context can only lead to better and fuller business decisions over time.

For those of you who made it down this far, here’s a sample of what a Mii parade can be like when you just tell the Wii to have all the Mii’s go marching:


Access Certification CBT/video for non-IT folks

November 19, 2009 1 comment

I’m always in catch-up mode with my reading. I finally got to Ian Glazer’s “Access Certification and Entitlement Management” on a plane to California. If you are in the market for access certification, trying to understand how to construct an approach to managing entitlements, or just want to understand the moving parts of access in any reasonably complex organization, then this is a must read. What got me thinking most was the tone of the paper. Essentially it boils down to the good advice to make sure you define boundaries for tasks well and get the people from the business who should own the information to become the owners by the end of the process. Ian also encourages you to use whatever resources you can, even if they make strange bedfellows. It reminded me very much (and I’m going to mix analyst firms here so forgive me) of Earl Perkins’ thoughts about making the auditor your friend and making sure you “care, but not too much”, which he communicated at the Gartner IAM Summit last week (and blogged about previously as well).

All this got me thinking about the actual content of such IT-to-business communication regarding access certification. And, since I was trapped on a 6+ hour flight with a power outlet but no internet, I came up with this small, tongue-in-cheek video. I know the terms will feel like nails on a chalkboard to some since they are not exact. But I really tried to exercise that “it’s more important that they get the right ideas and not the exact right terminology” notion as best I could.

entitlements and access – separate but equal?

So I’ve finally had the time to digest a lot of the materials and notes I collected at catalyst 2009. Though the identity track had a lot of content around many topics, there was one theme I kept hearing again and again. Access control is king. That’s not news, but it seems like everyone is just coming back from role management, provisioning and other IAM projects to find that the core issue is still waiting to be solved.

The other thing that seemed to emerge, at least to me, was a distinction between the definition of entitlement management and access management. Entitlement management is the practice of deciding what business functions a person should have access to. So a statement about entitlements would be: “Sally Brown the Accounting Director may sign off to close the books at the end of a quarter”. That may be recorded in a system. And I think that is the ultimate goal of systems like Aveksa, Sailpoint and CA/Eurekify. But what seems to happen in those systems in a practical sense is that people record things at a technical level. So they end up with statements like: “people belonging to a group with an ID of 3345 may execute the sys_plx_camp_fog procedure in the PROD system”. Of course, that is useful to know. But it is still something that needs to be decoded. To their credit, all the systems let you put friendly names around these things, but that doesn’t address the core issue. The core issue is that people are using an entitlements tool to solve access issues. It is a process issue.

Access management is the practice of encoding and enforcing entitlements in the IT infrastructure. It’s where the rubber meets the road. So things in your access management solution should actually be able to touch your infrastructure and make it listen to policy. This type of tool has been around forever. Quest’s own ActiveRoles Server, Privilege Manager for Unix and others perform this role in various types of infrastructure. Another prime example is Keystone from BiTKOO, which does this using all the new OASIS pizzazz of XACML, PDPs, PEPs and such. And just like the entitlements tools get abused by the IT staff to do technical duties, you also see these tools getting pulled in by the business to try and do entitlements work.

Of course, all of this goes back to that ever-present prime mover in identity – compliance. Not the only reason people do IAM work, but one of the major drivers to be sure. And so the use of one product to do both entitlements and access work is natural, because people are trying to get things done under time constraints to avoid failures in the next audit, and also under budget constraints, since they (IT) are spending someone else’s money to do it.

AD Bridging gets respect at Burton’s Catalyst09

day two at catalyst09 was very on target for me. the identity track was all about leveraging existing resources for bigger ROI and that’s all we ever talk about in PM meetings around here. Burton’s Mark Diodati presented about the AD Bridge space, a name he may have invented, and then there was also a customer case about the practice of doing AD Bridging for Unix, Mac and Linux systems. the best part was when a person in the audience took the mic during Q&A and thanked Mark and Burton for taking the AD Bridge products seriously and the whole audience erupted in applause.

i’ve got lots of notes and thoughts about everything that went on. i’ll likely be posting reactions to catalyst09 over the next week.
