It’s that time of year, when everyone does their best Carnac the Magnificent impression and rolls out their prognostications and top 10 lists. Here at Identropy, we’re not so sure about trying to predict the future, but we do know a thing or two about helping customers succeed in meeting the goals of their IAM programs. So if you’re looking to make a new year resolution, we’re here to remind you of some steps you can take to truly set your IAM program up for success.

First, create an IAM governance body. Without establishing a governance body, your organization is not going to be able to overcome the roadblocks, complexities and sometimes personalities that often derail even the best planned IAM project. Proper governance is also crucial in making sure that the project adjusts properly to the continuously evolving business and policy environment that IAM needs to operate within. Our CTO, Ash Motiwala, recently wrote an article for SC Magazine on how to go about setting up your IAM governance body.

Next, you’ll need an IAM Roadmap (if you don’t have one already – naughty list). If you have more than a few identity related problems that you are trying to solve, an Identity Management Roadmap will be critical to ensure that you tackle it as a program, with various phases that are sequenced in the appropriate priority order and have tangible business benefits and “wins” along each step of the way.  We’ve published a series of blog articles on developing an IAM roadmap that can help you think through how you may want to approach your own situation.

Of course, in order for the governance body to know how the program is progressing and make good decisions, they need good information. To address that, you need to take the final step of using metrics to help measure the effectiveness of your IAM program and identify inefficiencies and issues. Our very own Frank Villavicencio wrote for CSO Online earlier this year about the 10 IAM Metrics that matter. Even if you don’t use a tool like our own SCUID Operations, there are simple reports and analysis you can do on a periodic basis to get some visibility into how your IAM tools and processes are doing against the business objectives laid out by the governance body. It’s a worthwhile investment that can often pay for itself in terms of the improvements it can help identify.

So take some time to figure out how to put in place the support structure your IAM program needs to truly achieve its potential and deliver on the objectives you laid out for it.

And Happy Holidays from the Identropy family to yours!

[Cross posted from the Identropy Blog]

Tags: Best Practices, IAM Metrics, Identity Governance, SCUID, SCUID Operations

Want to get a deep dive on how to achieve success with your identity and access management program? Then join us for a lunch and learn where Quest Software and Identropy will share insight on the key technologies and best practices that can help you improve your security and compliance posture while maximizing your ROI and avoiding common pitfalls that doom these projects. During the Identropy session, we’ll be sharing insights we’ve gathered from well over a 100 implementations. Plus you get to network with your peers and some really cool people from both Quest and Identropy (and me!). Space is limited, so register now (locations, dates and registration links below).

Boston, MA

• Date: Wednesday, September 14, 2011 at 11:45 a.m.
• Location: Davio’s Northern Italian Steakhouse
• Identropy Speaker: Ashraf Motiwala, CTO
• Register Today

Livingston, NJ

• Date: Wednesday, September 21, 2011 at 11:45 a.m.
• Location: Strip House Steakhouse
• Identropy Speaker: Nishant Kaushik, Chief Architect
• Register Today

Tags: Best Practices, Identity Management, Identropy, Lessons Learned, Quest One Identity Solution, Quest Software

Is This Your Security Solution?

And then there was the notice we got from our building management asking us to tape up our windows. It had very specific instructions on the  pattern in which to lay down the tape. And of course they had tape for sale in case we didn’t have our own. Looking around, we could see a number of other windows where tape had been put up. So, following instructions and the trend, I started the exercise. After one window, I stood back and questioned the wisdom of doing this. It really didn’t seem like this tape was going to do much against any force strong enough to shatter the double-paned glass we had. A quick check on the web turned up enough “myth-shattering” articles (especially from official sources) to make me and my wife realize that the exercise was pointless. It was patently obvious that the tape was not going to prevent the glass from shattering, or keep the shattered pieces from flying around the room.

Yet all around us, people were spending precious time putting up tape. Why? Because they felt like they were doing something – something that would keep them safe, something they could point to and say “well, at least I tried”.

The analogy with how security and risk management goes in IT is laughably obvious. It’s classic security theater – getting a false sense of security for having done something that is of no benefit whatsoever, but which (literally) helps you sleep better at night. The real issue here is not the waste of good tape, but the fact that doing something like this actually increases your risks. Believing you’ve actually reinforced the windows could lead you to make the mistake of actually sleeping close to a window and putting yourself in harms way. And feeling that this option exists keeps you from actually analyzing the situation properly and taking the steps you really should take, like putting up hurricane shutters or installing hurricane proof glass. Keep in mind that you need to assess your risk accurately instead of going overboard, because while installing hurricane shutters may be a tad too much in an area like ours where hurricanes are (gratefully) a rare occurrence, it really should be top of mind if you’re down in Florida.

It’s also important to understand the psychology underlying these wasted efforts. All too often, “tape jobs” are last minute efforts that stem from a lack of planning. If you analyze your threats proactively, you have time to properly measure your windows and install hurricane shutters. But if you push things out and end up reacting to the news that a hurricane is coming – well, then you’ve run out of time to do a good job, the store is probably out of shutters and even plywood, and there’s little you can do at that point except retreat. How many times have we come across organizations that are under the gun to evaluate software, deploy and get a recertification process done in a completely unmanageable timeline because they failed an audit?

So if you’ve been pushing out that risk assessment, get on it now. Or you might just end up standing in a long line at the neighbourhood hardware store buying a roll of tape that will do absolutely nothing for your reality.

[Cross-posted from the Identropy blog]

Tags: Best Practices, Risk Management, Security, Security Theater

Another Catalyst conference (now Gartner Catalyst) has come to an end with the former Burton Group analysts challenging us once more to do better as an industry. It’s an unfortunate reality that cost overruns, unrealized benefits and missed objectives still plague most customers of identity management solutions. While there are still things we need to do on the technology side of the equation (most notably, moving towards a pull-based identity architecture in our application and platform layers), there is much more we can do in a more immediate fashion on the business and deployment side of identity management. And since any new proposal must be accompanied by an appropriate buzzword, here’s the one I took away from Catalyst – fit-for-purpose (putting $1 in the Bob Blakley piggybank).

For a while now, it’s been fashionable to bash provisioning. But to me, this was always misguided anger. Yes, it’s true that many provisioning projects suffer from missed deadlines and budget woes. But that was never because of the technology, which did exactly what it was supposed to (though there is still much we can do to improve it’s maturity and stability). It was always because of the way it was sold, deployed and mismanaged. How often did we hear massive provisioning projects being drafted to achieve regulatory compliance, only to find out that it wasn’t a sufficient control? How many connector development projects were defined to automate provisioning to many 100s of targets, without any ROI calculations ever being done to determine it’s value to the business (though it’s value to the implementing SI was all too obvious)?

Look Familiar

The angst has gone so far as to create a whole new market – Identity & Access Governance (IAG) – and marketing terms like “next generation provisioning”. But there is nothing revolutionary (or even evolutionary) about the model of automating provisioning to your most sensitive and/or high volume targets, while only setting up approval workflows and manual provisioning for the rest. You could do this with Thor’s Xellerate provisioning product (now Oracle Identity Manager) back in 2003, when we created full fledged functionality for manual provisioning that included email notifications and a provisioning task list (with detailed data and instructions) for your IT admins. Through all the noise and FUD, what is actually coming to the fore is the deeper and more relevant concept of understanding exactly what your use cases are for your IAM deployment, and focusing the features, design and deployment on meeting those use cases.

The most successful IAM projects have always done exactly this, with plans that classified their applications into tiers corresponding to the controls they wanted to put in place, creating role management projects that emphasized defining only the higher value business roles instead of trying to blanket everyone in the enterprise, and finding the right blend of automated controls, manual decision-making and oversight mechanisms. The defining characteristic in these projects was always an attitude of rational, measured response to the risk involved – in other words, an emphasis on making sure that any solution rolled out was fit-for-purpose.

This is the philosophical approach to IAM that attracted me to Identropy, where it exists both in the advisory and implementation aspect of our business, and in our approach to designing SCUID Lifecycle. Lifecycle is not meant to be all things to all people. It’s meant to be exactly what is needed for the majority of customers out there. We’ve used our years (decades?) of expertise in this space to come up with just that measured set of features and use cases, and will continue to refine them in conjunction with our customers. That is the part that excites me most about this new journey I’ve started. And I’m glad that Lori, Bob and the rest of the Catalyst gang validated our core belief for us.

These Guys Are Here To Help

Tags: Access Governance, Best Practices, Identity Governance, Identity Management, Provisioning

The central idea of the presentation was that the cloud has caused the seemingly well-understood, albeit reviled, discipline of user provisioning to splinter (SPLITTER!) into 3 different factions – the Traditionalists, the Progressives and the New Age Thinkers. You’ll have to listen to my talk to understand it in more detail, but the reviews of my talk on Twitter seemed to be “certified fresh“. While Ian Glazer pondered:

This JIT + Pull model that @NishantK proposes in a new age wrapper on a traditional core – externalized authZ fixes some problems #cis2011

I did have Paul Madsen raving:

I declare @nishantk Python theme for #cis2011 prez a success. And am reconciled to seeing it over and over for next 3 years

All in all, I think I accomplished my goal of edutaining the folks at CIS on the continued existence of user provisioning, and its future prospects. Because the account CRUD problem will continue to be a weight around the neck of enterprise cloud adoption unless we put in place the right solutions.

Tags: CIS11, CIS2011, Cloud Computing, Cloud Identity Summit, Federated Provisioning, JIT Provisioning, Just-In-Time Provisioning, Monty Python, Provisioning

I’m not a Lebron James, so I can’t really drag this out for an unnecessary 5 paragraphs (though I do feel like I am joining an All-Star team). So here it is. Starting today, I am going to take my talents (be what they may) to Moonachie NJ and join Identropy.

For a while now I’ve been wanting to get back into startup mode, to really tackle the identity management problem the way I want to. These are interesting times we are living in, as they say, and there is a real opportunity to turn this space on its head. And I’m going to get that chance now, as Chief Architect in a company that has all the necessary elements in place – a crackerjack team, innovative thinking and an unwavering focus on the needs of the customer. They’ve already had one incredible and unique solution – SCUID Operations – come out of that approach, and I’m excited to see what I can bring to the party.

Like I said in my farewell post, the number one thing for me is the team, and Identropy is an incredibly talented and passionate group of individuals working towards one vision. I’ve worked with some of these guys in the past (and didn’t hold it against them when making the decision to join), and have interacted with others over the years in this little community of ours. I’ve always had a deep respect for their expertise and commitment, and love that they’re the kind of people you want to go out and have a beer with at the end of a hard day. The relationships they have built with their customers are enviable by all standards. And they have an open, collaborative culture that should be fun to work in.

I am really looking forward to what we can accomplish together. It should be one hell of a ride. Of course, all my other nonsense – Twitter, this blog, the conference circuit rounds – will continue as before without interruption. I’ve only just scratched the surface of what I’ll be working on, and will definitely be sharing more in the coming weeks. But if you want an in-person take, grab me in Keystone or in San Diego. Be warned though – you may have to be the one buying the round (I am back in startup mode, after all). See you there.

Tags: Cloud Security, Identity Management, Identity Services, Identropy, Identropy Identity Management, Managed Identity Services, Personal, SCUID

View from my cube at Thor WTC

No, back then I was just a wide-eyed youngster (with a lot more hair) that stepped into an office on the 87th floor of the World Trade Center, met an energetic team roaring to go, saw an amazing view from an empty (and available) cubicle and decided that he wanted to work there, because it would be cool. And it was cool, but not for the reasons I imagined.

It has been a wild, roller coaster ride. The stars in my eyes at working in the WTC were replaced by the bags under my eyes as we tried to salvage our future out of the rubble of 9/11. Weeks spent decompiling demo systems trying to recover lost code (no one ever questioned off-site backups again) gave way to a relentless cycle of code, build, demo. I’ll never forget one hellish 80 hour stretch that involved no sleep, non-stop coding even as I crossed the Atlantic on a flight to Heathrow, going straight from the airport to an office and giving the demo of a lifetime. Getting customers was never easy, but it did get easier (though never more fruitful) than the months negotiating requirements leading up to our first customer win (RIP, Lehman Brothers). Temporary office space on Park Avenue gave way to the most amazing office in the Meatpacking District, well before it was cool to be there. Long, drawn out and painful POCs transformed into great relationships with customers that would explode into a frenzy every year at TAC. It was an unforgettable experience that helped define me and my career.

The Thor Crew At The Farewell Party

And then came the acquisition by Oracle. A new journey started, one which took us from underdog in the space to the undisputed King Kong  of identity management. The problems got richer and more complex. The discussions got more intriguing and part of a larger tapestry. The community got bigger and more raucous. And the bar tabs got progressively more impressive.

Almost on the mound at AT&T Park

None of this would have been possible without a good band of merry men and women, and I certainly had that. These are the folks that taught me about true professionalism and dedication. They showed me just how much can be accomplished, and how much fun it can be, when done with camaraderie, enthusiasm and good humor. From them I learnt that what matters most is the team you work with, a mantra that I have taken to heart and hope to replicate any place I go.

It’s been a great journey. I worked very hard, played even harder, and enjoyed every moment of it. Along the way I felt like I was able to contribute to some great accomplishments.  I learnt a lot – about technology, about teamwork, and about myself. And I met and worked with some inspiring people. All of which I am eternally grateful for.

As for what I am doing next? Well, that’s for another blog post…

Tags: Oracle Identity Management, Personal, Thor Technologies

The week before that, the Cloud Identity Summit (July 18-21) will once again be warming us up for Catalyst by hosting an impressive gathering of subject matter experts and thought leaders talking about the intertwined worlds of identity and the cloud. And this year, I’ll be there too, giving a talk on the future of identity provisioning (July 20 at 12:00pm). Following up on the talks I gave last year at Gluecon and at Catalyst, I’ll be bringing my cred as a provisioning expert to bear in examining if identity provisioning even has a future in the pull-based future of identity (spoiler alert: it does), and what it might look like, given recent developments in the space and advancements in cloud architectures. In an unfortunate scheduling mishap, I will be going up against Pamela Dingle’s session on identity and mobility, which I would have loved to sit in on myself. I’m sure she’ll be peppering her session with cuteness in the form of cats or cuddly toys, so I’m going to have to up the game and incorporate something bad-ass into my session, like Transformers or Angry Birds (Iron Man was so last year). Pam, you’re going down

Two weeks. Two great conferences. And me at both. So be there or be square!

Tags: Burton Catalyst Conference, Cat11, Catalyst11, CIS11, Cloud Identity Model, Cloud Identity Summit, Conference, Federated Provisioning, Gartner Catalyst Conference

1. the need for financial institutions to perform risk assessments against an ever-evolving threat landscape,
2. the need to implement and constantly adjust a layered security strategy to mitigate the identified risks, and
3. the requirement to raise customer awareness of potential risks through education programs.

The most telling aspect of the enhanced guidance seems to be its recognition of the fact that the threat landscape is not just different from what existed in 2005, but constantly evolving. Without actually stating this explicitly, the guidance attempts to make the point that this constant evolution means that any guidance put forth will become defunct pretty quickly, and places responsibility on financial institutions to make the effort in understanding the risks they face (through periodic risk assessments) and continuously improving their security posture in response. Personally, I would have liked to have seen them be much more explicit and take a much harder line on this, because multiple case studies and anecdotal evidence suggests that far too many banks put in the minimal effort necessary to simply comply with the letter of the 2005 guidance without attempting to be true to its intent.

An Emphasis on Risk-Based Authentication

The guidance brings out the need for financial institutions to create a more accurate and granular model of their risks based on a much wider variety of factors than previously described – the evolving threat landscape, the changes in the nature of their customer base and the kinds of transactions being done online. A more accurate calculation of the transactions risk must then be mapped to appropriate security controls, both at the time of the initial authentication (logon) and at the time of the transaction itself. The supplement (smartly) brings out the need to factor in contextual information – from environment variables like device identification and time of day to detection of anomalies in behavior patterns – in any risk calculation. Interestingly, both anomaly detection and privileged account management are emphasized in the security architecture.

Calling Out Outdated Techniques

Both device identification (through cookies) and challenge questions are called out as having to be enhanced from their previous “simple” models to more sophisticated, or “complex” models. While the enhancements recommended in both cases are improvements, I don’t believe they go far enough. In the case of challenge questions, for instance, it recommends

1. increasing the number of challenge questions asked (without actually giving a number, so in theory just increasing from 1 to 2 is good enough),
2. avoiding challenge questions that can be answered by mining the users information through online searches and social networks,
3. including a “red herring” question that a fraudster would attempt to answer but a legitimate user would not (huh?), and
4. using only a random subset of the challenge questions that the user has provided answers for in a single session.

This guidance fails to take into account that this is actually hard to implement without neutering its effectiveness. Forcing users to set up more challenge questions usually leads to selection of easily guessable answers, and more helpdesk calls. The 2nd item above is very subjective, and the harder you make the questions, the more likely the legitimate user will mess them up too. And I don’t even know how the 3rd item is supposed to work.

Also of note, the guidance does point out the decreased effectiveness of multi-factor authentication (even though it was probably drafted before the RSA breach compromised SecurID tokens). It does however advocate it’s use as one of the many controls in a layered model. Out-of-band authentication mechanisms (like those delivering One Time Passwords over SMS) get a fair amount of time in this paper as a practical solution.

Whats Missing

I was disappointed that the guidance didn’t talk more clearly about passwords, and the need to really educate consumers about both better policies and their inherent ineffectiveness. And I think the fact that there was not a single mention of federated identity, especially in the context of “Business/Commercial Banking”, was a real missed opportunity for the FFIEC to move the discussion towards a better security architecture. I’m sure Stephen Wilson is not surprised by that, though.

Looking Forward

The guidance will go into effect starting January 2012, so there will probably be some banks scrambling to understand what the implications are for the controls they have already deployed. Smarter institutions that have been paying attention to the security landscape all along will probably find that they are in good shape, but a lot who did the bare minimum and want to meet these guidelines will face some serious work. I predict an uptick in the interest that risk-based security products like Oracle Adaptive Access Manager will garner in the market. The emphasis on staying up to date with the ever evolving threat landscape will create a requirement for more dynamic security products that aid not just in enforcing stronger controls, but in assisting with the periodic risk assessments (Identity Intelligence, anyone?).

But the fact that this is guidance and not regulatory mandates means that a lot of institutions will continue to pay lip service to it. Which is why the real emphasis needs to be on changing the fundamental security architecture underlying (and infiltrating) enterprise IT. The consumerization of IT will probably play a far bigger role in driving this change than the FFIEC guidance will. Time will tell.

Tags: Federated Identity, FFIEC, Identity Context, Multi-Factor Authentication, Online Banking, Oracle Adaptive Access Manager, Passwords Must Die, Risk Management, Security Architecture

As the article described, part of the banks security infrastructure included risk-based security based on RSA’s Cyota product, which “rates the riskiness of transactions by using several factors, such as the location of a user’s Internet address, when and how often the user logs in, and how the customer navigates the site”. This actually provides a much better layer of protection than simply authenticating the user based on passwords. Context-based security is a key element in the multi-layered security architecture that is the future of enterprise security, as I laid out in my recent talk.

But the bank actually made a big mistake in it’s implementation. As the article describes, the bank reduced the threshold for kicking in the 2nd factor (challenge questions) to $1, effectively eliminating that component from their security architecture. They might as well have not had it, because they were completely ignoring any kind of risk calculation that was being done.

In other words, all they had was “password+challenge questions”!

And as we have talked about ad nauseam, in this day and age this is simply not enough. Passwords and challenge questions are nowhere near what I would call adequate security for an environment that would include high risk transactions (like bank transfers). And while there will be great resistance to any (strong authentication) solution that would appear to increase friction for the user in executing their transactions (witness the continued lack of pins for credit cards in the US), I think the tides are changing with respect to users understanding the risks and wanting more from their online security.

Risk based security models also need to involve monitoring and alerts, even denial of access, for exception conditions (like a new device ID being used). And the 2nd (or 3rd, or…) factors employed must be commensurate with the nature of the online transactions. Challenge questions may be fine when we’re talking about a low risk consumer site like a gaming site (though even they have gone beyond these). Higher risk sites should employ more sophisticated factors like out of band challenges (the occasional SMS based challenge, or voice-based identification, for instance), so long as it is used with the correct risk scoring to trigger it. And despite the naysayers, I do believe externalized identity providers could help serve this market.

Crucially to all this, the FFIEC seems to recognize that security threats have evolved dramatically since their guidance was issued in 2005, and are preparing an update. From all indications, it would seem to put much more responsibility on the shoulders of financial institutions, asking them to put in place greater measures based on layered security to address fraud and attack vectors like Man-in-the-X attacks, and much more. Unfortunately, it will be too late to help Patco Construction. Let’s just hope other businesses are paying attention and getting ahead of the curve.

Tags: FFIEC, Identity Context, Multi-Factor Authentication, Online Banking, Passwords Must Die, Risk Management, Security Architecture