<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Talking Identity &#124; Nishant Kaushik&#039;s Look at the World of Identity Management &#187; GRC</title>
	<atom:link href="http://blog.talkingidentity.com/tag/grc/feed" rel="self" type="application/rss+xml" />
	<link>http://blog.talkingidentity.com</link>
	<description>An Architect&#039;s Quest to make sense of the world of Identity and Access Management</description>
	<lastBuildDate>Thu, 22 Dec 2011 21:56:25 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>The Real World: Catalyst Conference Edition</title>
		<link>http://blog.talkingidentity.com/2008/07/the_real_world_catalyst_confer.html</link>
		<comments>http://blog.talkingidentity.com/2008/07/the_real_world_catalyst_confer.html#comments</comments>
		<pubDate>Thu, 03 Jul 2008 03:05:19 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Burton Catalyst Conference]]></category>
		<category><![CDATA[BurtonGroupCatalyst08]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[Identity Assurance Framework]]></category>
		<category><![CDATA[Identity Governance Framework]]></category>
		<category><![CDATA[Identity Oracle]]></category>
		<category><![CDATA[Identity Proofing]]></category>
		<category><![CDATA[IGF]]></category>
		<category><![CDATA[Nick Leeson]]></category>
		<category><![CDATA[Relationship Management]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=110</guid>
		<description><![CDATA[Another Catalyst conference has come and gone, leaving us with a lot of material to chew on and ponder. Burton always forces us to think about what we are doing, especially those of us that have products to deliver. And it&#8217;s always interesting to see all the new companies that are popping up in the [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.catalyst.burtongroup.com/NA08/ConferenceElements.html" target="_blank"><img src="http://blog.talkingidentity.com/wp-content/uploads/2008/07/catalystlogo08.jpg" border="0" alt="" align="right" /></a> Another Catalyst conference has come and gone, leaving us with a lot of material to chew on and ponder. Burton always forces us to think about what we are doing, especially those of us that have products to deliver. And it&#8217;s always interesting to see all the new companies that are popping up in the space (Lori&#8217;s slide this year showing all the identity management companies looked like it needed a magnifying glass to read).</p>
<p>I&#8217;m not going to recap all the interesting sessions that I attended. If you followed my <a href="http://summize.com/search?q=BurtonGroupCatalyst08+NishantK">twitter postings</a> (and a big &#8220;Hi and Thank You&#8221; to everyone who tripled my following last week by connecting, including some folks who signed up for Twitter just to follow me), you got a sense of what was being talked about, and my thoughts on the same. For some great reporting on the key sessions, read Mark Dixon&#8217;s blog postings (<a href="http://blogs.sun.com/identity/entry/catalyst_conference_recap" target="_blank">this post</a> is a map to the various posts he has written covering the conference).</p>
<p>I&#8217;ll simply present what I saw as the theme of the conference: <strong>Reality Hits The World Of Identity</strong>. People are realizing that the only way this identity stuff is going to work is if the online experience and constructs mirror how we operate in the real world. And this opens up a whole set of new areas to explore.</p>
<p><strong>You Complete Me<br />
</strong><img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" src="http://blog.talkingidentity.com/wp-content/uploads/2008/07/relationships.jpg" border="0" alt="relationships" width="260" height="141" align="right" /> A key realization that is taking hold is that <strong>relationships</strong> must be made a key part of the fabric of identity, and that relationships can form the trust basis for identity related transactions. While I don&#8217;t completely agree with Jamie&#8217;s assertion that a lot of work in the real world happens before any contracts are drawn up (no contractor can even begin work for Oracle until a contract is signed; similarly I can&#8217;t work for Oracle and get access to systems till an employment agreement is in place), I do recognize that the value proposition of transactions is a continuum, along which are different levels that require different levels of assurance. Assurance can be built up over time as a function of relationships (user is related to this company, user has X friends, user is certified by this identity provider, etc). <a href="http://www.xmlgrrl.com/blog/archives/2008/06/27/relationships-are-complicated/" target="_blank">Eve Maler</a> gave a very interesting talk on how relationships can be nurtured and made available in the online world, and connected it to some of the work being done on <a href="http://wiki.eclipse.org/R-Card" target="_blank">R-Cards</a> and <a href="http://cyber.law.harvard.edu/projectvrm/Main_Page" target="_blank">Project VRM</a>.</p>
<p><strong>I Need An Authority Figure<br />
</strong><img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" src="http://blog.talkingidentity.com/wp-content/uploads/2008/07/authenticity_seal_oval.jpg" border="0" alt="authenticity_seal_oval" width="260" height="163" align="right" />Another sign that real world concepts are seeping into the online world was the increased discussion on the topic of <strong>Identity Proofing</strong>, and the externalization of <strong>Authoritative Identity Providers</strong>. Just like in the real world, companies are realizing that in order to scale and distribute liability, they would like someone else to be responsible for vetting identity data and providing a validated, trustworthy identity into their environments. This is the first sign of a legitimate market emerging for the <strong>Identity Oracle</strong> that Bob Blakely <a href="http://notabob.blogspot.com/2006/07/meta-identity-system.html" target="_blank">has defined</a>, and that I have discussed so often in the context of Identity Services. The Liberty Alliance has <a href="http://www.projectliberty.org/liberty/strategic_initiatives/identity_assurance" target="_blank">jumped in here</a> to help out by proposing an <strong>Identity Assurance Framework</strong> (our old friend Frank Villavicencio is co-chair of the effort) that can define a trust language in this context. And everyone knows that I consider the work being done on the IGF a critical part of such an infrastructure.</p>
<p><strong>I Got Your GRC Right Here (Not!)<br />
</strong><img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" src="http://blog.talkingidentity.com/wp-content/uploads/2008/07/croc-bathing-at-your-risk.jpg" border="0" alt="croc-bathing-at-your-risk" width="220" height="221" align="right" /> Burton decided to take the IAM vendors to task for using GRC as a crutch to sell all manner of products. Referring to GRC as a four-letter word, Bob attempted to blow up the myths surrounding GRC and posited that all the bluster around GRC has made companies lose sight of what they really need to address. He stated that each discipline conflated within GRC should be looked at independently by businesses with regard to its objectives, and that tools and processes should be put in place that address the specific needs identified. The message was clear &#8211; there is no such thing as a GRC product; instead there are a multitude of products that provide tools for addressing specific problems that fall under one of these disciplines, and enterprises should take a fresh look at what GRC means to them and how to approach it.</p>
<p>For me, the highlight of the conference was the talk by <strong>Nick Leeson</strong>, the securities trader who brought down <strong>Barings Bank</strong>. Not a technical talk at all, his explanation of how his actions exploited failings in the areas of governance and compliance drove home the point about process and tools being complementary parts of the puzzle.</p>
<p>The rest of the conference had some interesting announcements and decent discussions on the usual topics of <em>Authentication</em>, <em>Provisioning</em> and <em>Role Management</em>. I did what little I could to break the monotony and generate some controversy, but I&#8217;ll cover all of these in my upcoming posts.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/burton-catalyst-conference" rel="tag">Burton Catalyst Conference</a>, <a href="http://blog.talkingidentity.com/tag/burtongroupcatalyst08" rel="tag">BurtonGroupCatalyst08</a>, <a href="http://blog.talkingidentity.com/tag/grc" rel="tag">GRC</a>, <a href="http://blog.talkingidentity.com/tag/identity-assurance-framework" rel="tag">Identity Assurance Framework</a>, <a href="http://blog.talkingidentity.com/tag/identity-governance-framework" rel="tag">Identity Governance Framework</a>, <a href="http://blog.talkingidentity.com/tag/identity-oracle" rel="tag">Identity Oracle</a>, <a href="http://blog.talkingidentity.com/tag/identity-proofing" rel="tag">Identity Proofing</a>, <a href="http://blog.talkingidentity.com/tag/igf" rel="tag">IGF</a>, <a href="http://blog.talkingidentity.com/tag/nick-leeson" rel="tag">Nick Leeson</a>, <a href="http://blog.talkingidentity.com/tag/relationship-management" rel="tag">Relationship Management</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2008/07/the_real_world_catalyst_confer.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Will Role Management become the focus of Compliance?</title>
		<link>http://blog.talkingidentity.com/2007/03/will_role_management_become_th.html</link>
		<comments>http://blog.talkingidentity.com/2007/03/will_role_management_become_th.html#comments</comments>
		<pubDate>Tue, 06 Mar 2007 19:24:43 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[Role Management]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=43</guid>
		<description><![CDATA[A few months ago, I wrote a post in which I took issue with the statement that &#8220;Role Management will become the focus of Compliance&#8221;. My objection kicked off a flurry of responses from various folks, expressing opinions that covered the gamut. I received a lot of responses disagreeing with me, with quite a few [...]]]></description>
			<content:encoded><![CDATA[<p>A few months ago, I wrote a post in which I took issue with the statement that &#8220;Role Management will become the focus of Compliance&#8221;. My objection kicked off a flurry of responses from various folks, expressing opinions that covered the gamut. I received a lot of responses disagreeing with me, with quite a few of those being from people in the role management business (no surprises there). To be fair though, some of them were quite balanced and articulate.</p>
<p>Maarten Stultjens (of Bhold company, which is a vendor of RBAC solutions) agreed with Roberta that role management systems will become the central point of compliance shortly. But he further qualified his perspective: &#8220;of course (this is) &#8216;only&#8217; with regard to authorization management. The main reason for this is not so much the IT perspective Nishant is mentioning in his blog, it is the business perspective which is driving Role management systems. To find patterns and get these approved via attestation is an IT perspective towards authorization management.&#8221;</p>
<p>Now, one thing I take great pride in is my being able to always maintain a business perspective of the IAM problem. I have never thought of it as an IT problem (but one that requires and impacts IT infrastructure). So I promptly challenged Maarten to duel for besmirching my reputation (Just kidding).</p>
<p>Maarten further elaborated: &#8220;The main reason why role management systems are so important to achieve compliance with regard to authorization management is that role management systems are able to (1) store and maintain the company policies and (2) enforce these policies (through provisioning engines or manually) and (3) audit if the policies are actually implemented. Compliance is all about &#8216;defining a policy&#8217;, &#8216;enforce the policy&#8217; and &#8216;prove that the policy is implemented&#8217;. There is nothing to audit when there is no clear policy. Sometimes we &#8211; IT people &#8211; overrate ourselves by talking about compliance and audit. This is the job of auditors.&#8221;</p>
<p>Again, I have no argument with the statement that RM systems are &#8220;important&#8221; to achieving compliance, just with the notion that they are the focus. Roles have long been viewed as the Holy Grail of IAM &#8211; true role-based identity management will solve all problems. But like the Holy Grail, it is really hard (nearly impossible) to achieve. So I tend to approach blanket statements with some trepidation. I don&#8217;t disagree with Roberta or Maarten on how important role management is to compliance. I just want the message to be balanced, and not get exaggerated to the status of &#8220;all important&#8221;.</p>
<p>Looking at Maarten&#8217;s position, I agree with point (1), but disagree with (2) and (3). RM systems will not be able to do those because they present only a partial picture of the reality of a business. If I can simplify an example to make my point, it is fairly common for people to be given privileges in an ad-hoc, but entirely proper, manner. This is invariably done through a request-based, approval-enforced mechanism that today is handled by provisioning systems (OIM, for instance). These privileges are therefore out of policy, yet are not exceptions. And a role management system should not have to deal with this kind of scenario (even if it could).</p>
<p>Yes, compliance is the job of the auditor, but an auditor is only as good as the tools they are given, which is where the various IAM solutions come in. Auditors care about the roles because knowing the roles a user has tells them about what access the user has and does not have. But they also care about the out-of-policy privilege grants, and want to know that the correct procedures for approving, tracking and attesting those privileges are being followed. They care that audit trails are being maintained, and that there are no loopholes in the business processes.</p>
<p>Another person sent me an email saying &#8220;Role management is a vital method to achieve compliance while user provisioning is a method to deliver proper user- and permission-information to distributed environments and applications. (yes, UP also collects information from distributed sources for the centralized Role Management)&#8221;. This points out one of the main misconceptions that I have been trying hard to fight, and which is probably at the core of the misunderstanding of the space. Too often, provisioning is viewed simply as (to quote) &#8220;the bus to deliver this user-permission information, with all required attributes, to all those environments where it is needed.&#8221; This really is the IT-centric view. Provisioning systems today (OIM in particular) are actually much more of a business solution than an IT solution, providing rich policy definition and enforcement, and end-user and administrative request-based, approval-driven tools for managing privileges in a fluid business environment.</p>
<p>To me, role management is an essential part of IAM. In fact, in today&#8217;s environment it is probably the most important part of a compliance-driven IAM solution. It should not, however, be the focus of an IAM-based compliance project. Any good IAM strategy must be a mix of role-based, rule-based and request-based management (think of the old 80-20 rule, just broken down to 50-30-20), with a good overlay of audit and compliance tools. At Oracle, we feel that Identity Administration, Provisioning and Role Management are the three pillars on which (the newly emerging) identity GRC tools are overlaid to provide the foundation of a good identity audit and compliance practice.</p>
<p><img src="http://blog.talkingidentity.com/wp-content/uploads/2007/03/grcpillars001.jpg" border="0" alt="IDGRC Pillars: " width="400" height="234" /></p>
<p>(<span style="font-style: italic;">Of course, knowing how IAM is constantly evolving, I am sure we will be adding more &#8220;pillars&#8221; to this diagram soon, so take this position with a pinch of salt</span>)</p>
<p>This is driven by the reality of modern business &#8211; one that is fluid, ever-changing and way too complex to only codify in the structured system that role-based management represents. Over the last few years, I have dealt with a number of customers that have made the effort to incorporate role management into their IAM projects. Invariably I encountered the following:</p>
<ul>
<li>No one agrees on the definition of a role</li>
<li>Most of them only manage to use roles in a limited manner</li>
</ul>
<p>The mantra of the day is balance. I think Dave Kearns&#8217; response to my post was best: &#8220;While I do agree that RBAC is the &#8216;wave of the future&#8217; and is, indeed, necessary to good IdM and compliance, I think of it as being one of the foundations of compliance, not the tool that compels or insures compliance. And certainly not a tool for attestation&#8230;&#8221;</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/compliance" rel="tag">Compliance</a>, <a href="http://blog.talkingidentity.com/tag/grc" rel="tag">GRC</a>, <a href="http://blog.talkingidentity.com/tag/role-management" rel="tag">Role Management</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2007/03/will_role_management_become_th.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

