It’s that time of year, when everyone does their best Carnac the Magnificent impression and rolls out their prognostications and top 10 lists. Here at Identropy, we’re not so sure about trying to predict the future, but we do know a thing or two about helping customers succeed in meeting the goals of their IAM programs. So if you’re looking to make a new year resolution, we’re here to remind you of some steps you can take to truly set your IAM program up for success.

First, create an IAM governance body. Without establishing a governance body, your organization is not going to be able to overcome the roadblocks, complexities and sometimes personalities that often derail even the best planned IAM project. Proper governance is also crucial in making sure that the project adjusts properly to the continuously evolving business and policy environment that IAM needs to operate within. Our CTO, Ash Motiwala, recently wrote an article for SC Magazine on how to go about setting up your IAM governance body.

Next, you’ll need an IAM Roadmap (if you don’t have one already – naughty list). If you have more than a few identity related problems that you are trying to solve, an Identity Management Roadmap will be critical to ensure that you tackle it as a program, with various phases that are sequenced in the appropriate priority order and have tangible business benefits and “wins” along each step of the way.  We’ve published a series of blog articles on developing an IAM roadmap that can help you think through how you may want to approach your own situation.

Of course, in order for the governance body to know how the program is progressing and make good decisions, they need good information. To address that, you need to take the final step of using metrics to help measure the effectiveness of your IAM program and identify inefficiencies and issues. Our very own Frank Villavicencio wrote for CSO Online earlier this year about the 10 IAM Metrics that matter. Even if you don’t use a tool like our own SCUID Operations, there are simple reports and analysis you can do on a periodic basis to get some visibility into how your IAM tools and processes are doing against the business objectives laid out by the governance body. It’s a worthwhile investment that can often pay for itself in terms of the improvements it can help identify.

So take some time to figure out how to put in place the support structure your IAM program needs to truly achieve its potential and deliver on the objectives you laid out for it.

And Happy Holidays from the Identropy family to yours!

[Cross posted from the Identropy Blog]

Tags: Best Practices, IAM Metrics, Identity Governance, SCUID, SCUID Operations

Another Catalyst conference (now Gartner Catalyst) has come to an end with the former Burton Group analysts challenging us once more to do better as an industry. It’s an unfortunate reality that cost overruns, unrealized benefits and missed objectives still plague most customers of identity management solutions. While there are still things we need to do on the technology side of the equation (most notably, moving towards a pull-based identity architecture in our application and platform layers), there is much more we can do in a more immediate fashion on the business and deployment side of identity management. And since any new proposal must be accompanied by an appropriate buzzword, here’s the one I took away from Catalyst – fit-for-purpose (putting $1 in the Bob Blakley piggybank).

For a while now, it’s been fashionable to bash provisioning. But to me, this was always misguided anger. Yes, it’s true that many provisioning projects suffer from missed deadlines and budget woes. But that was never because of the technology, which did exactly what it was supposed to (though there is still much we can do to improve it’s maturity and stability). It was always because of the way it was sold, deployed and mismanaged. How often did we hear massive provisioning projects being drafted to achieve regulatory compliance, only to find out that it wasn’t a sufficient control? How many connector development projects were defined to automate provisioning to many 100s of targets, without any ROI calculations ever being done to determine it’s value to the business (though it’s value to the implementing SI was all too obvious)?

Look Familiar

The angst has gone so far as to create a whole new market – Identity & Access Governance (IAG) – and marketing terms like “next generation provisioning”. But there is nothing revolutionary (or even evolutionary) about the model of automating provisioning to your most sensitive and/or high volume targets, while only setting up approval workflows and manual provisioning for the rest. You could do this with Thor’s Xellerate provisioning product (now Oracle Identity Manager) back in 2003, when we created full fledged functionality for manual provisioning that included email notifications and a provisioning task list (with detailed data and instructions) for your IT admins. Through all the noise and FUD, what is actually coming to the fore is the deeper and more relevant concept of understanding exactly what your use cases are for your IAM deployment, and focusing the features, design and deployment on meeting those use cases.

The most successful IAM projects have always done exactly this, with plans that classified their applications into tiers corresponding to the controls they wanted to put in place, creating role management projects that emphasized defining only the higher value business roles instead of trying to blanket everyone in the enterprise, and finding the right blend of automated controls, manual decision-making and oversight mechanisms. The defining characteristic in these projects was always an attitude of rational, measured response to the risk involved – in other words, an emphasis on making sure that any solution rolled out was fit-for-purpose.

This is the philosophical approach to IAM that attracted me to Identropy, where it exists both in the advisory and implementation aspect of our business, and in our approach to designing SCUID Lifecycle. Lifecycle is not meant to be all things to all people. It’s meant to be exactly what is needed for the majority of customers out there. We’ve used our years (decades?) of expertise in this space to come up with just that measured set of features and use cases, and will continue to refine them in conjunction with our customers. That is the part that excites me most about this new journey I’ve started. And I’m glad that Lori, Bob and the rest of the Catalyst gang validated our core belief for us.

These Guys Are Here To Help

Tags: Access Governance, Best Practices, Identity Governance, Identity Management, Provisioning

Oracle Security Governor for Healthcare is a governance solution that is aimed specifically at healthcare organizations, where the introductions of various regulations globally and the transformation of healthcare IT has created a number of challenges in the area of patient confidentiality that need to be addressed.

• VIP record snooping
• Medical identity theft and fraud
• Healthcare data theft and fraud
• Coworker, family member and neighbor record snooping

Oracle Security Governor for Healthcare addresses these concerns by providing a solution that helps proactively protect and prevent privacy and security breaches, insider snooping and medical identity theft in an organization. The solution is based on some key features:

• Rapid Incident Detection: Criteria based automated reporting functionality that allows rapid incident detection, case management and investigations.
• Automated Privacy Audits: Allows audits on activities of various entities accessing the applications and reports suspicious activities.
• Accelerated Enterprise-wide Data Retrieval: Allows rapid integration with existing systems.

Architecture

Oracle Security Governor is built on some key products in Oracle’s portfolio, enhanced with some healthcare specific intelligence and artifacts.

Oracle Security Governor for Healthcare Architecture

• Oracle Security Governor for Healthcare leverages the Oracle SOA Suite Adapters (like Database, Log and HL7 adapters) to pull data in from virtually any data source into a central data warehouse.
• In-database data mining and predictive analytics built using Oracle Data Mining is used to detect anomalies and suspicious activity that may have taken place in the past.
• The solution also uses an advanced risk assessment engine (based on Oracle Adaptive Access Manager), which has been pre-loaded with healthcare specific risk and fraud rules to proactively detect incidents.
• Oracle Entitlement Server provides unique risk-aware fine grained authorization on record and data access, cutting down the possibility of unauthorized activity and fraud.
• Finally, Oracle Business Intelligence Publisher is used to provide insight into all of this through risk analytics, reports and alerts.

Benefits

Oracle Security Governor helps deliver significant benefits to a healthcare organization. Some of these benefits include:

• Historical Detection: that can be used as audit trails and for detection of suspicious activities related to access, privacy, fraud and security breaches, that have taken place in the past.
• Real Time Detection: Oracle Security Governor can also be used to detect suspicious and fraudulent activity, in the real time.
• Real Time Prevention: Oracle Security Governor can prevent suspicious activities, in the real time. The activities detected as anomalous or suspicious can either be completely blocked or the end-user can be alerted or required to meet additional security requirements, depending on the deployment needs.

Oracle Security Governor for Healthcare Benefits

Looking Ahead

Oracle Security Governor for Healthcare is just the beginning. In the future, Oracle hopes to use the Oracle Security Governor framework to build more solutions that address challenges faced in other verticals besides healthcare. But that doesn’t mean you have to wait – you can leverage the products mentioned above to build your own security and privacy solutions. Just ask us how.

You can find more information about Oracle Security Governor for Healthcare here on the product page.

Tags: Healthcare IT, Healthcare Security, Identity Analytics, Identity Governance, OOW10, Oracle Identity Management, Oracle OpenWorld, Oracle Security Governor, Oracle Security Governor for Healthcare, Privacy

I wasn’t quite sure what the first panel, “The Next Step of User Provisioning: Identity GRC as a Natural Evolution” was going to be about. On the surface, I thought it was a fairly obvious discussion topic, since the Oracle Identity Manager product has pretty much seen this evolution in it’s lifetime, where provisioning deployments went from being about IT efficiency to supporting compliance activities like attestation and reporting. Heck, back in the Thor days, we had an offering called Xellerate Audit and Compliance Manager that supported the model of building up the “Who-has-What” identity warehouse first so you could roll out attestion and compliance reporting before embarking on an automated provisioning and de-provisioning path. But our moderator John Hermans (KPMG) really wanted to make the panel interesting, challenging me and the other folks on the panel to a discussion on the value and effectiveness of Identity GRC projects. I think the point that came across consistently was the fact that the new Identity Governance products (like OIA) have evolved as business tools, not IT tools, serving as a way to give enterprises greater visibility into the state and risk of their identity environments. Beyond that, the panel is kind of a blur.

My next panel – on “Private, Hybrid, Public – Which Cloud for What?” – was a far more tame affair by contrast. And the main point I made on the panel was that the choice between the different cloud models is being guided right now by the one word that distinguishes these models from the customer perspective – Control. With a private cloud, an enterprise feels like it has more control over the infrastructure and the risks associated with it, because they have visibility into how it operates and what it is built on. Public clouds today are more opaque than transparent when it comes to their inner workings, and this is a function of the lack of standardization in the identity, security and audit functionality that the cloud services are built on. This divorces the policies and controls that enterprises have developed over the last many years from the cloud services, making it nearly impossible for the more risk-averse enterprises to consider these as viable options. This point came across repeatedly during the conference as I talked to customers and enterprises considering cloud services. Maybe it is a function of the data privacy and protection environment in Europe, but there was far greater mindshare for the idea of building identity services in a private cloud, which you could then connect via federation and service-oriented security to public cloud services.

My last panel on “What the Identity Industry should do to Improve Security for the Cloud” really focused on the idea of standards and adoption of development frameworks for consistent identity inclusion into applications and platforms. And it built on the discussion from my previous panel, as we discussed why it was that cloud vendors have not been able to create more transparency into their offerings. One of the points I focused on was that it isn’t really the cloud vendors fault that they are more opaque than transparent. Often, they can’t provide more visibility because they themselves don’t have that information. And this is a function of how these cloud services are being built, and the lack of tooling they need. We need to make it easier and more transparent for developers to build identity-aware applications. It was very interesting to hear Dr. Barbara Mandl of Daimler talk about their adoption of cloud services as an outgrowth of their adoption of the ASP vision from years ago. The result is that they had put in place a development framework for their applications that was serving them well in adopting cloud services. But she also made the point that the standards are just not mature enough or standardized enough to make this seamless and pain-free, even in areas where we (the identity industry) think we did a good job, like SAML.

A lot of what I said on the panels came together rather nicely in an interview I gave later that day to Felix Gaehtgens of Kuppinger Cole, where we discussed the challenges in identity-enabling the cloud environment, and what Oracle’s approach to this is, both from an identity management perspective and from a platform perspective. Check out the video if you have some time.

Tags: Cloud Computing, EIC10, EIC2010, European Identity Conference, Identity Governance, Identity GRC, IdM Standards

• The Next Step of User Provisioning: Identity GRC as a Natural Evolution
  • 10:30-11:30
  • Room: Galaxis
• Private, Hybrid, Public – Which Cloud for What?
  • 11:30-12:30
  • Room: Helios
• What the Identity Industry Should do to Improve Security for the Cloud
  • 14:00-15:00
  • Room: Helios

And Oracle VP of Product Management John Aisien will be giving a keynote as well on Wednesday on “Extending the Principles of Service-Oriented Security to Cloud Computing”.

So if you see me around the conference, or in the Expo area (where you can also meet the fine folks from our Oracle EMEA team), be sure to stop me for a quick chat. Unless you see me dashing down the hall from Galaxis to Helios, in which case don’t bother unless you want to get bowled over.

Tags: Cloud Computing, European Identity Conference, Identity Governance, Identity GRC, IdM Standards

First up is the European Identity Conference in Munich from May 4-7. Kuppinger Cole does a good job putting together an interesting agenda with a broad array of speakers and a lot of local perspective, something those of us from across the pond don’t always get the opportunity to share. I’m lucky enough to be slated for 2 panels, one on Identity GRC as an evolution of User Provisioning, and the other on the need for Identity Standards as the foundation for Cloud Security. The Cloud theme is pervasive, especially since this is co-located with the Cloud 2010 conference.

The middle of the month brings us the 1H edition of Internet Identity Workshop (May 17-19 at the Computer History Museum in MountainView, CA). This is always a great place to exchange ideas and really plug into some of the brainpower that exists in our industry. I’m really hoping I can figure out a way to spend some time there and keep my finger on the pulse of the user-centric identity community.

At the end of the month (May 26-27 in Denver, CO) is Gluecon, a conference organized by our old friend Eric Norlin, that is focused on “the bits and pieces, APIs and meta-data, standards and connectors that will help us to glue together the varying applications of a post-cloud world.” Looking at the agenda, you can see that it is far more technical than your usual industry conference, and it has a great lineup of speakers. I will be speaking on the topic of Federated Provisioning, an often forgotten but critical component of security in your cloud environment. Hurry up and register, because early-bird registration ends this Friday — and you can use code spkr12 for an extra 10% off.

Here’s hoping I can get through May gathering some inspiration and without getting exhausted. Should be very interesting.

(UPDATE: Details added to my Speaking page)

Tags: Cloud Computing, European Identity Conference, Federated Provisioning, Gluecon, Identity Governance, Identity GRC, IdM Standards, IIW, Internet Identity Workshop

Directory Services

Sun Directory Server Enterprise Edition (DSEE) and Oracle Internet Directory (OID) will co-exist as strategic products (contrary to some interpretations out there). This is because each product has a unique set of capabilities that address different market segments and use cases. Oracle will innovate both directories, which includes adding some of the administration, reporting and systems management capabilities that have been built for the OID and OVD products to the DSEE product. Sun DSEE will be re-branded as Oracle Directory Server Enterprise Edition.

Meanwhile, Sun OpenDS will continue as an open-source project.

Oracle Virtual Directory will be the strategic product for identity virtualization.

Access Management

Oracle Access Manager will be the strategic product for web single sign-on. Sun OpenSSO will continue on as an open-source project for the community.

Sun’s Fedlet capabilities will be integrated into Oracle Identity Federation, which will be the strategic product for Federated Single Sign-On.

Sun’s Secure Token Service will become part of the Oracle Access Management Suite going forward.

Products that aren’t impacted by the Sun acquisition, and therefore remain strategic for their specific areas are Oracle Entitlement Server (fine-grained authorization), Oracle Adaptive Access Manager (strong authentication and risk-based access management), Oracle Web Services Manager (SOA + Web Services security) and Oracle Enterprise SSO (SSO for Desktop and Mainframes).

Identity Administration

Oracle Identity Manager will be the strategic identity administration and provisioning product moving forward. Sun Identity Manager, re-branded as Oracle Waveset (didn’t think I’d hear that name again outside of reunions), will be maintained for quite some time, and some of its key features like IDE integration and tamper-proof auditing will be integrated into OIM.

Identity Governance

Sun Role Manager will be re-branded as Oracle Identity Analytics and will become the strategic identity governance product in the Oracle Identity Management Suite. It will provide capabilities in the area of role mining, compliance attestation, and identity dashboards and reports, and will be enhanced to leverage some of the best-of-breed capabilities that Oracle has in the area of business intelligence and data mining. Note that role lifecycle management capabilities continue to be offered currently via the Oracle Role Manager product.

General

Throughout this acquisition, Oracle’s focus is on the customer. We want to make sure that customers continue to remain successful in their projects, and get value from the investments they have made. This is reflected in some of the strategic decisions made, and in points made throughout the webcast:

• In most cases, Oracle will be developing migration tools to help customers move to the new strategic products.
• Oracle will be providing support and maintenance for all the Sun products for a very long period of time, including lifetime support in certain cases.

Obviously, there will be a lot more information coming in the next few weeks/months. Stay tuned, and check out oracle.com/identity for more information.

Tags: Identity Analytics, Identity Governance, OpenSSO, Oracle Access Manager, Oracle Identity Management, Oracle Identity Manager, OracleSun, Oracle_IDM, Sun Directory Server, Sun Identity Management, Sun Identity Manager, Sun Role Manager

I’ll be taking part in two of their panel discussions, one on the topic of Separation of Duties (SoD), and the other on the topic of Attestation (or re-certification). Both are on Wednesday, December 9th:

• How to Efficiently Implement SoD Controls: Which Level Works?
  • 11am EST| 8am PST | 5pm CET
• How to Start: Recertification or Active Access Controls First?
  • 12pm EST | 9am PST | 6pm CET

Both panels will be focused on determining the right approach to rolling out these solutions, and where they should fit into your overall IdM program. This sometimes become a vendor driven conversation, so the opportunity for fireworks is always there.

Check out the conference if you have time. It’s virtual, so you can do it from the comfort of your home/office (which is always good in the winter). And it’s free (you can’t beat that)! Should be an interesting discussion.

Tags: Access Governance, Attestation, Conference, Identity Governance, Risk Management, Separation of Duties, SoD

Day 2: Lets get back to basics

The first half of Thursday was focused on enterprises looking for ways to achieve efficiencies and ROI through their IdM deployments, an outcome that had lost its relevance in the rush to achieve compliance objectives. But the current economic climate, and the slew of M&As (mainly As) and layoffs has brought this to the forefront once again, and sustained market interest in IAM when other initiatives are being pared back.

The day was a very good one for hearing about how customers were leveraging their IdM deployments in creative ways.

• I heard some interesting use cases of how Virtual Directory was being used to achieve efficiencies.
  • Companies are using Virtual Directory to expose the same identity data in different forms for different use cases.
  • The presenter from Sony talked about using Virtual Directory on top of geographically local LDAP servers to provide global access to data while satisfying their data compliance needs.
• There were a couple of sessions on managing UNIX infrastructure via AD (which is when I ducked into the cloud computing track).
• Wendy Booker of SunTrust Banks described how they used the cost savings (which they had to demonstrate and prove) from their IdM deployment to self-fund their project, which was a story I am sure more than a few attendees were interested in.

What I found really great was that a lot of the sessions were presented by organizations that had moved on to the 2nd or 3rd phases of their identity management program rollouts. This is quite different from all the previous conferences (Catalyst and others) I have been to, and speaks to the maturity of the market and some of these deployments.

The second half of the day was focused on identity transparency and governance. One of the most important points of the conference was made by Chris Howarth in his excellent kickoff talk, when he said that identity management must facilitate both hierarchical organizations that are necessary to implement enterprise controls, and social networks that are necessary for collaboration to take place. A lot of the discussion in the following talks were focused on the need to increase transparency with respect to how identity data is used, managed and secured to allow for accurate risk assessment and compliance to take place (echoing what was discussed in the cloud computing SIG). And increased transparency only works when complexity is reduced (preventing opacity from just being replaced by obscurity), an architectural requirement that aligns nicely with the identity services vision discussed on day 2.

Day 2 ended with the second night of hospitality suites, including Oracle. We got such a crowd in the Oracle suite that I barely managed to leave it for a few minutes to meet up with some old friends and colleagues in the other suites. And I made some good friends that day (and into the night – not a topic for this blog). I will say that celebrating Ian Glazer‘s birthday at a speakeasy called Prohibition was very cool, even if they didn’t ask me for the password.

Day 3: Identity and Privacy are Blood Brothers

Day 3, while just a half day, still packed a solid punch with lots of intellectually stimulating discussion on the topic of privacy. Ian Glazer made a good point at the start of the conference when he said that the identity community is uniquely qualified to deal with the emerging privacy issues. And the sessions on Friday laid out exactly why. The key point made was that Security (making it difficult to get to something you shouldn’t have access to) should not be confused with Privacy (making it easy to get to something you should have access to). They are related, but not the same thing.

Robin Wilton gave an inspiring talk in which he laid out a framework for having productive privacy discussions with the multiple stake-holders involved. He arrived at this framework by analyzing the results of a series of round table discussions held around the globe as part of the Liberty Alliance Privacy Summit to get contextual understanding of privacy. Robin laid out a “Ladder” framework (Philosophy | Strategy | Implementation | Technology) that helps the parties involved focus on the use cases and issues to resolve. I hope he makes his presentation publicly available in some format in the future, because really is a great piece of work.

Bob Mocny, Director of the US-VISIT program, talked about some of the identity and privacy issues involved in running the single largest biometric authentication program in the world. One of the key takeaways from his and the follow-up sessions was the need for organizations to implement privacy audits as separate programs from their IT-Security audits.

Heidi Wachs, Directory of IT Policy and Privacy Officer at Georgetown Univ, gave an interesting talk about the lessons learned during Georgetown’s efforts to  handle a privacy breach. What I found fascinating was how they went about trying to create and enforce a policy on the use, collection and retention of SSNs. Their findings on how far the data was “leaking”, how hard it was to track down all the possible data flows, and how users went to great lengths to hide their mistakes were a lesson that every enterprise should be aware of. It also highlighted the challenges the extended enterprise, working with business and IT partners and services providers, faces in locking down privacy issues.

The day ended with Google talking about how they protect the privacy of their users. It may have only been a half-day, but the quality of content made it a fitting way to end a thought provoking conference. Look forward to what the next one has to bring.

Tags: Breach Remediation, Burton Catalyst Conference, Catalyst09, Identity Governance, Ladder Framework for Privacy, Privacy, Privacy Audits, Virtual Directory