Archive

Posts Tagged ‘directory’

Policy Translation – The Art of Access Control Transcends RBAC, ABAC, etc.

After some holidays, lots of internal meetings, and some insane travel schedules, things are settling back down this week just in time for me to head to TEC. So I can get back to spending time with Quest’s customers, partners, and having great discussions with people. In the last week, I had three excellent conversations, one with a panel of folks moderated by Martin Kuppinger from Kuppinger & Cole set up by ETM [link to podcast site], another with Don Jones and an audience of folks asking questions set up by redmondmag.com [link to webcast], and the third just today with Randy Franklin Smith [link to webinar site]. All these discussions revolved around managing identity (of course); they focused on the business’s view of IAM, wrapping proper security controls around Active Directory, and controlling privileged user access, respectively. Even though the subjects seemed quite far apart, a common question emerged: how do you translate the policy the business has in mind (or the auditor has in mind) into something actionable which can be enforced through a technical control? Put another way, the problem is how to take wishes expressed in business terms and make the come true with technology. To me, this is the central question in the IAM world. We have many ways to enforce controls, many ways to create compound rules, many ways to record and manage policies. But the jump from a policy to a rule is the tricky bit.

Let’s take an example and see what we can do with it. Everyone in the US and many around the world know SOX, and most that know it are familiar with section 404. There is a great wikipedia article about SOX section 404 if you want to brush up. Section 404 makes the statement that it is “the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.” While this makes sense, it’s hardly actionable. And businesses in the US have relied on many layers of committees and associations to distill this. What is that process? It’s lawyers and similarly minded folks figuring out what executives can be charged for if they don’t do things correctly in the face of vague statements like the one above. So they come up with less and less vague statements until they have something they feel is actionable. Of course, what they feel is actionable and what some specific IT department sees as actionable may be quite different.

From the filtering at the high levels of the interbusiness activities you get a statement like “Understand the flow of transactions, including IT aspects, sufficient enough to identify points at which a misstatement could arise,” which comes from the work done by the SEC and POCAB to interpret SOX section 404. That approaches something IT can dig into, but it’s hardly actionable as is. But now a business can take that, bring it inside the organization, and have their executive management and IT work out what it means to them. Of course, there are scads of consultancies, vendors, and others who would love to assist there. Your results may vary when it comes to those folks, or your own folks, being able to make these statements more or less actionable. With this specific statement about the “flow” of data and not allowing “misstatement” to arise, there is general agreement that having IT staff with administrative powers that could, in theory, alter financial data is a risk that needs to have a control. And from that general agreement has risen an entire market for privileged access management products that allow you to restrict people who need administrative rights to do operational tasks in IT infrastructure from using those rights to somehow change data that would be used in any kind of financial reporting (or use that access to do any number of other things covered by other sections of SOX or other regulations like PCI, etc.).

What should be apparent is that things like RBAC, ABAC, and rules based approaches to access control are all simple and straightforward when compared to taking policy and making it actionable. Putting an RBAC system into place is taking action. But, as anyone who has been through an RBAC roll out will tell you, the hardest bit is figuring out the roles. And figuring out the roles is all about interpreting policies. So what is the answer for all those folks on these webcasts who wanted to know how to master this art? The short answer is like the old joke about how you get to Carnegie Hall: practice. The medium length answer is to find a consultancy and a vendor that you trust and that have had the right amount of practice and make them do it for you. The long answer is to follow the path I took above trying to explain the question. You need to analyze the requirements, break them down, and keep doing that until you start getting statements that look slightly actionable. Of course, that takes a huge amount of resources, as evidenced by all the money that’s been spent on SOX alone in the US (that same wikipedia article quotes one study that says the cost may have been 1.7 trillion USD). And the final trick is to take your actions and breakdowns back to the top, your auditor or CISO or whomever started the chain, and validate them. That’s a step that gets skipped all too often. And then you see million dollar projects fail with one stroke of an auditor’s pen.

ghosts of the interscaler directory at #cat10; let’s do it!

There were a lot of points at Catalyst 2010 where Kim Cameron’s Interscaler, Federated Directory and Identity Schema came up in my mind, though went unmentioned by the speakers. I know I wasn’t alone, either. It was there like a ghost in every discussion. When Anil John spoke about Background Attribute Exchange (BAE), one of the first questions was about how to ensure schemas would be in sync. When Nishant Kaushik spoke about federated provisioning, again questions had everyone talking about how directories would be able to rely on attributes being “exchangeable” across domains. And when the folks from GM gave their talk the second or third question was about how they decided what attributes would be included in their avatar identities and which would not.

How does this move forward? I get dizzy when I look at all the standards bodies around identity. I’ve got a lot of energy to offer around this and don’t know where to push it. It’s not about a product or a vendor. I’d like to see this be an industry thing that everyone can benefit from.

an identity schema: less is more

June 22, 2010 1 comment

My degree is in philosophy; specifically I studied what would be called cognitive science or philosophy of mind. I still read papers and articles about the field occasionally as they come to my attention. Doing some pleasure reading this father’s day weekend I came across this passage in a paper called “Conceptual Problems in Memetics in a Multi-Level View of Evolution and Behaviour” which seemed to call out a problem that is worth considering for those contemplating the next generation of directories:

Consider the problems of ostension for a mother who points out and names the species of a bird that is singing in a tree to her infant child. How does the child know what precisely is being given a name: the name could refer to all trees containing birds, or all small, noisy objects, or of that particular bird, or of the underside of its belly? To avoid ambiguity, the child needs some low-level schemas, perhaps reflecting the nature of taxonomy and the economy of expression, which act as “attractors” for the acquisition of new higher-level schemas. These aspects might allow a child to surmise firstly that the mother is referring to the bird in itself, and not as part of its relation to this particular tree, or the fact that the bird happens to be singing. Secondly, these aspects should allow the child to realise[sic] that it is the “whole” object of the bird that is being referred to, rather than, say, only its underside. While the child has not yet developed a detailed knowledge of birds and their general relations to other very basic categories in the world, he or she is unlikely to expect the mother to be referring to detailed aspects of a bird.

We all know what someone means when they say “there is a need to track all the accounts and rights granted to those accounts that are associated with any specific person”. There are definitive ideas of an account, a person and a right – though a right is likely the one most likely to admit something inexact into the conversation. But these very concrete things are not first order objects in directories, they don’t have their own schema. Instead they are all persons or, worse, accounts, and the very obvious classes they fit into described in that simple to understand requirement are merely attributes assigned to them. That seems like something worth fixing. When the technical and real life descriptions diverge that much, it can never be good for your ability to get things done.

If you look at the language I’m using, my prejudice becomes clear. The concepts of object oriented programming seem to be very useful in this problem space. The idea of having a base class, like a person, and having classes that extend that to be an employee or similar flows very well. It also fits very well with reality. All these entities are people after all. And that base object becomes implemented through a schema for entries in a directory. If one organization relies heavily on contractors and another does not, it’s likely that contractors will have very different “schemas” defining them in each. If those two organization now want to share data about identity including the contractors, they may find themselves with a big job of mapping. If they had a shared basic schema that has been used by another more complex one as a parent in the more contractor reliant shop, there are well established ways for those interactions to take placed based on patterns from object oriented designs. And imagine how much better that could be using something similar to a common schema everyone used.

Doing things along these OO lines would also allow us to do more with less.  Since the base classes are shared, changes to those would make their way through everything.  And as new use cases arise, simple inheritance would allow for quick work making these new classes of schemas that map to the needs.

 

#eic10 part 1, 2010 an interstellar odyssey -or- the directory monolith

No one knows how to make a big proclamation in the identity world like Kim Cameron. His keynote at #eic10, the Kuppinger Cole European Identity Conference for 2010, was no disappointment. Kim reviewed his ideas for the “Federated Interscaler Directory”, which was often misquoted as saying “Interstellar”. The basic idea was to “extend” the current ubiquitous Active Directory platform to hold a more flexible framework for relationship expression, policy enforcement and other elements that directories of today are missing. While adding all that, this new directory platform should also scale, in the sense that it could administer millions of identities, as well as support advanced features like federation, token translation and other things that are clearly becoming part of next gen identity.

On it’s surface, that all sounds nice. But it also sounds dangerous to me. One other theme at #eic10 throughout many talks, and something Kim even said during his, was that we shouldn’t want identity systems to be monolithic (he said so in reference to the ability to federate with other IdP’s outside the directory itself). But the system Kim described and the picture he used to illustrate it looked pretty monolithic to me. A lot of what he described is possible today already with a loose federation of platforms from many vendors and open source projects. You can enforce all the policy you need with a XACML authorization engine and properly tooled interfaces and proxies for applications and providers. You can manipulate schemas and the objects they serve up as needed with virtual directories. If Microsoft were to make AD into one big solution for all that, then the biggest differentiator would be having its monolithic status versus the loose coupling of many other components. I tend to be a fan of loose couplings, but I’ll keep the jury out until I see more from Kim.

One thing that I really liked was Kim’s call for everyone to work together on a common identity schema. It’s not the first time he’s done so. At PDC he made a great presentation that described the same idea in much greater detail [link to the PPTX Powerpoint file from PDC]. A project of this kind, if well done, could solve many, many interoperability and operational challenges in the identity world. So much time is spent now negotiating, either in research or in calls at run time, to figure out what attributes and properties of an identity are available. If there were a completely standard schema and a means to publish it easily, then that goes away.

I’ll have more thoughts from the conference later.  For now I’m going to put on my space suit and leave the Microsoft ship and hope Kim hasn’t locked the bay doors when I get back.

%d bloggers like this: