Want to get a deep dive on how to achieve success with your identity and access management program? Then join us for a lunch and learn where Quest Software and Identropy will share insight on the key technologies and best practices that can help you improve your security and compliance posture while maximizing your ROI and avoiding common pitfalls that doom these projects. During the Identropy session, we’ll be sharing insights we’ve gathered from well over a 100 implementations. Plus you get to network with your peers and some really cool people from both Quest and Identropy (and me!). Space is limited, so register now (locations, dates and registration links below).

Boston, MA

• Date: Wednesday, September 14, 2011 at 11:45 a.m.
• Location: Davio’s Northern Italian Steakhouse
• Identropy Speaker: Ashraf Motiwala, CTO
• Register Today

Livingston, NJ

• Date: Wednesday, September 21, 2011 at 11:45 a.m.
• Location: Strip House Steakhouse
• Identropy Speaker: Nishant Kaushik, Chief Architect
• Register Today

Tags: Best Practices, Identity Management, Identropy, Lessons Learned, Quest One Identity Solution, Quest Software

Another Catalyst conference (now Gartner Catalyst) has come to an end with the former Burton Group analysts challenging us once more to do better as an industry. It’s an unfortunate reality that cost overruns, unrealized benefits and missed objectives still plague most customers of identity management solutions. While there are still things we need to do on the technology side of the equation (most notably, moving towards a pull-based identity architecture in our application and platform layers), there is much more we can do in a more immediate fashion on the business and deployment side of identity management. And since any new proposal must be accompanied by an appropriate buzzword, here’s the one I took away from Catalyst – fit-for-purpose (putting $1 in the Bob Blakley piggybank).

For a while now, it’s been fashionable to bash provisioning. But to me, this was always misguided anger. Yes, it’s true that many provisioning projects suffer from missed deadlines and budget woes. But that was never because of the technology, which did exactly what it was supposed to (though there is still much we can do to improve it’s maturity and stability). It was always because of the way it was sold, deployed and mismanaged. How often did we hear massive provisioning projects being drafted to achieve regulatory compliance, only to find out that it wasn’t a sufficient control? How many connector development projects were defined to automate provisioning to many 100s of targets, without any ROI calculations ever being done to determine it’s value to the business (though it’s value to the implementing SI was all too obvious)?

Look Familiar

The angst has gone so far as to create a whole new market – Identity & Access Governance (IAG) – and marketing terms like “next generation provisioning”. But there is nothing revolutionary (or even evolutionary) about the model of automating provisioning to your most sensitive and/or high volume targets, while only setting up approval workflows and manual provisioning for the rest. You could do this with Thor’s Xellerate provisioning product (now Oracle Identity Manager) back in 2003, when we created full fledged functionality for manual provisioning that included email notifications and a provisioning task list (with detailed data and instructions) for your IT admins. Through all the noise and FUD, what is actually coming to the fore is the deeper and more relevant concept of understanding exactly what your use cases are for your IAM deployment, and focusing the features, design and deployment on meeting those use cases.

The most successful IAM projects have always done exactly this, with plans that classified their applications into tiers corresponding to the controls they wanted to put in place, creating role management projects that emphasized defining only the higher value business roles instead of trying to blanket everyone in the enterprise, and finding the right blend of automated controls, manual decision-making and oversight mechanisms. The defining characteristic in these projects was always an attitude of rational, measured response to the risk involved – in other words, an emphasis on making sure that any solution rolled out was fit-for-purpose.

This is the philosophical approach to IAM that attracted me to Identropy, where it exists both in the advisory and implementation aspect of our business, and in our approach to designing SCUID Lifecycle. Lifecycle is not meant to be all things to all people. It’s meant to be exactly what is needed for the majority of customers out there. We’ve used our years (decades?) of expertise in this space to come up with just that measured set of features and use cases, and will continue to refine them in conjunction with our customers. That is the part that excites me most about this new journey I’ve started. And I’m glad that Lori, Bob and the rest of the Catalyst gang validated our core belief for us.

These Guys Are Here To Help

Tags: Access Governance, Best Practices, Identity Governance, Identity Management, Provisioning

I’m not a Lebron James, so I can’t really drag this out for an unnecessary 5 paragraphs (though I do feel like I am joining an All-Star team). So here it is. Starting today, I am going to take my talents (be what they may) to Moonachie NJ and join Identropy.

For a while now I’ve been wanting to get back into startup mode, to really tackle the identity management problem the way I want to. These are interesting times we are living in, as they say, and there is a real opportunity to turn this space on its head. And I’m going to get that chance now, as Chief Architect in a company that has all the necessary elements in place – a crackerjack team, innovative thinking and an unwavering focus on the needs of the customer. They’ve already had one incredible and unique solution – SCUID Operations – come out of that approach, and I’m excited to see what I can bring to the party.

Like I said in my farewell post, the number one thing for me is the team, and Identropy is an incredibly talented and passionate group of individuals working towards one vision. I’ve worked with some of these guys in the past (and didn’t hold it against them when making the decision to join), and have interacted with others over the years in this little community of ours. I’ve always had a deep respect for their expertise and commitment, and love that they’re the kind of people you want to go out and have a beer with at the end of a hard day. The relationships they have built with their customers are enviable by all standards. And they have an open, collaborative culture that should be fun to work in.

I am really looking forward to what we can accomplish together. It should be one hell of a ride. Of course, all my other nonsense – Twitter, this blog, the conference circuit rounds – will continue as before without interruption. I’ve only just scratched the surface of what I’ll be working on, and will definitely be sharing more in the coming weeks. But if you want an in-person take, grab me in Keystone or in San Diego. Be warned though – you may have to be the one buying the round (I am back in startup mode, after all). See you there.

Tags: Cloud Security, Identity Management, Identity Services, Identropy, Identropy Identity Management, Managed Identity Services, Personal, SCUID

Combating insider threats was the topic of the talk I gave at the recent European Identity Conference in Munich. The talk – When Trust is Not Enough – was based on the blog post with the same title I wrote a few months ago. In my talk I expanded on my post to describe how a multi-layered approach to identity management can help combat the risks of insider threats. I have adapted that talk as a slidecast which you can listen to and view below.

After my talk, Tim Cole grilled me on one of the key points I had made – the need to change the culture in IT of treating administrators with kid gloves and a lack of oversight. He questioned whether something like this could actually happen in enterprises. I contend that this is already happening today, and cases like the Bank of America breach offer us teaching moments about the need to bring accountability to everyone’s access, especially our most privileged users.

I fear that we are on the verge of finding out a lot more about insider attacks, as the ability to keep quiet about them is going to end in this era of Twitter, Wikileaks and greater transparency. But enterprises that are interested in making the effort to solidify their defenses against such threats need to know that there are things they can do today to help themselves.

Tags: EIC11, European Identity Conference, Identity Management, Insider Threats, Security Breach

I’ll be kicking off things alongside Vipin Samar and Jeff Margolies on the keynote panel “2011: Information Security Trends for the Next Decade“. And throughout the event, Oracle security solution experts will be on live chat event to answer your toughest questions. I’m only going to stay on for a little while after the keynote finishes, so be sure to join on time if you want to grill me.

Register to attend this online event and find out how you can take a proactive approach to secure your enterprise.

Tags: Conference, Enterprise Identity, Identity Management, Oracle Identity Management

Over the last few years we have been talking a lot about how enterprise identity management deployments have started to expand beyond management of internal users (employees) to external users (partners, contractors, customers) as well. But in that conversation, I had never considered visitors – people who randomly, and often out of the blue, visit enterprise premises for meetings or to just pay someone an unexpected visit. Often (as I have grown accustomed to in the US), the process of getting inside the building takes the form of walking up to reception, telling them who you are meeting, having them call up to confirm that you should be allowed in, getting issued a visitor badge (usually a piece of paper with your name and the floor you are going to), and then getting let in through the security turnstile/gate by the security guard. Sometimes they will ask for ID to confirm that you are who you say you are before calling up to the person you are visiting.

But in Europe, security measures at some of the companies I was visiting are far stricter. And what I came across was a combination of Administrative User Registration with Just-In-Time Provisioning into a Physical Access Control System. Essentially I provided the security personnel at reception some identification (in some cases my passport, in others my US drivers license), observed them enter my details (more on that later!) into a user registration screen, and got provisioned a full-fledged security badge which I could use at the turnstiles to get into the building myself. I could use it inside the elevator to get to the floor I needed to (I didn’t try to get to the floor I wasn’t supposed to go to), and to enter certain rooms. When leaving the building, I had to use the badge at the turnstiles to get out of the building, and hand over the badge (in one case, to get back my drivers license which I had to leave with security as collateral).

Obviously the PAC Systems in place at these enterprises were capable of handling this kind of visitor management. But I wonder if these systems are integrated into the identity management systems of the enterprise at all. What kind of periodic review regarding who was being let into the building is taking place? And it seems quite susceptible to insider abuse. Moreover, the Day 1 type issues regarding time to set up exist at a micro level. The local Oracle teams were aware that this would need to happen, so we had to budget extra time to arrive early to get this done at each place, which with my tight schedule was a bit challenging. The good (and bad!) part was that the account teams that had been there already were already in the system and got their cards provisioned fairly quickly.

Seems like the whole system could be greatly improved by making it a part of a larger Enterprise IdM process. You could incorporate some self-service to have the person being visited pre-register their visitors into the system. This provides you not only audit, but also removes the time issue of data entry at the security desk (by folks who are quite frankly not terribly skilled at this). This would also enable some review processes and integration into monitoring systems. And enable enterprises to add some much needed de-provisioning to the process (see below).

Privacy Problems

With all this, one thing that stood out for me was the privacy issue. Europe is famous for having strong privacy protection (or at least strong privacy protection intentions). Yet my whole trip experience in Europe had me scratching my head a little bit. The amount of sensitive PII getting gathered about me – my name, address, passport/drivers license information, company I work for – at the hotels and office buildings is quite significant (some hotels even photocopy your passport). And there seems to be no mechanism in place to provide me any kind of privacy protection.

From seeing the visitor registration process for my colleagues it was clear that the information entered into the system is retained in case of any future visits, and there was no way for me to ask them to erase it as I left. When I asked if it is automatically removed after some time, all I got was a shrug. And since they didn’t take any contact information for me, they clearly have no way to notify me in case of a breach. Some (limited, I admit) research has not found me a single law/directive that governs how long hotels must keep my information, and how they must destroy it. We’ve heard of identity theft concerns due to PII data encoded into electronic hotel room keys, but not much about the data gathered during registration.

And the fact that these visitor IdM systems (for that is what these are) are not connected to enterprise IdM systems means that it is highly likely they are not being protected, audited, monitored or controlled with the same level of diligence that other systems holding just as sensitive information are. For all I know, all that information of mine is sitting in the clear – in a manila folder in the hotel manager’s office or unencrypted in a database table for the visitor module of the PACS system.

And, of course, there is no way to opt-out of providing this information, as the answer you get is that it is required by law. A little disconcerting to say the least. Does anyone have any insight into this (paging Mr. Robin Wilton)?

Tags: Identity Management, Just-In-Time Provisioning, PACS, Privacy, Visitor Identity Management

It’s that time of year again – when my blog goes silent because I have been heads down preparing for Oracle’s event of the year. And this year’s OpenWorld is jam packed with all sorts of goodness. The lineup in the Identity Management track is loaded with information, especially for anyone looking to learn more about the recent 11g release – you can see the full list of IdM sessions here.

I’ll be following up on my session last year with another one on the topic of Cloud and Identity Management. In my session on “Building a Strong Foundation for Your Cloud with Identity Management“, I’ll describe how enterprises can maximize the security and benefits of their cloud investment by putting in place a comprehensive cloud identity management practice. Identity is the central component not only in securing access to services in the cloud but also in accelerating the adoption of cloud computing and maximizing business agility in leveraging cloud services. I’ll talk about some common cloud identity use cases and describe solutions, tools, and best practices that can help strengthen and future-proof your cloud strategy. Come by if you’re planning to be at OpenWorld next week.

• Session ID: S317276
• Date: Wednesday, September 22 2010
• Time: 1:00 – 2:00 pm
• Room: Moscone South 309

And for a surprise bonus, come by the same room (Moscone South 309) on Monday, September 20 at 11am for the session “Oracle Identity Management 11g Update and Overview“. I’m not going to give away anything, but there will be some pretty cool tech on display.

To my fellow Twitterati, if you can’t make it to OpenWorld, or if you will be there and want to be more involved, use and monitor the hashtags #OOW10 and #IDM for insight and to discuss with folks from the IdM team. And if you are around at OpenWorld and want to meet up the old fashioned way (aka “in person”), feel free to reach out to me on Twitter. It’s going to be an extremely busy show, but I would love to meet up.

Tags: Cloud Computing, Identity Management, OOW10, Oracle Identity Management, Oracle OpenWorld

Last year, as part of the Oracle Fusion Middleware (OFM) 11g launch, Oracle announced the availability of the first components of the Oracle IdM 11g suite, which included Oracle Platform Security Services (OPSS), Oracle Internet Directory (OID) 11g, Oracle Virtual Directory (OVD) 11g, and Oracle Identity Federation (OIF) 11g. OFM 11g provides a unified, standards-based infrastructure allowing customers to develop, deploy, and manage enterprise applications. As part of this, Oracle IdM 11g establishes Oracle Identity Management as a security development platform, delivering on our vision of Service-Oriented Security, and becomes Oracle Fusion applications’ de facto security infrastructure.

This next phase builds on that by focusing on enabling business agility in both the IT and Compliance arenas. Security needs to be agile to keep up with the demands of an ever evolving enterprise architecture, and this is best done through the service-oriented approach that 11g enables. And in this economic climate, being able to make your compliance initiatives sustainable and achieve ROI from your solutions is more important than ever. The innovation and enhancements that are coming in 11g are designed to help businesses struggling with the staggering costs and complexity of meeting emerging security and compliance mandates.

You can learn a lot more about Oracle Identity Management 11g in an upcoming launch webcast that Amit Jasuja, Vice President of Identity Management and Security Products, will be doing on Wednesday, July 21 at 10:00 a.m. PT / 1:00 p.m. ET. And if you are on Twitter, then you can submit questions for Amit prior to the event by marking them with the hashtag “OracleIDM”.

And, for my faithful readers, I will be blogging about the various innovations coming out of this release in the coming weeks. So tune in, through whatever channel you can.

Tags: Identity Management, Oracle Identity Management, Oracle Identity Management 11g, OracleIDM, Service-Oriented Security

Marines can’t use Twitter or Facebook on duty, but soldiers and sailors can. For airmen, it depends on the base.
As for YouTube, the Air Force has created its own channel – which can’t be accessed from work computers.

A lot of people in favor of social media use (including yours truly) view it as an important communication and PR tool, providing some much needed openness and transparency in a time of record low recruitment and mistrust. It is also viewed as a weapon for the military to take back the narrative regarding the wars in Iraq and Afghanistan from the hype-driven media. The rate at which information can be gleaned from these media makes them effective early-warning systems on all manner of critical events – from earthquakes to civil war and revolutions. And don’t forget how incredibly useful it is as a tool for our troops to stay in contact with friends and loved ones. For a much better, insider take on how critical the use of social media is to our national security, read this extremely well-written article in the Federal Times.

I shared the story on twitter, along with my opinion that the ban was the wrong approach for the military to be taking. Brad Tumy challenged me to explain why I thought it was the wrong approach, and what I think they should be doing instead. I promised I would address his question in a blog post soon, so here goes.

Lets take a look at some of the main reasons given for banning social media.

1) Bandwidth Issues

The amount of bandwidth sucked up by YouTube, Facebook and the like puts a strain on limited DoD resources. But today, network tools that monitor bandwidth usage and throttle the traffic based on conditions are quite common. And using geolocation and device identification to cut off access on machines being used in the field (that use extremely limited satellite-based bandwidth) is technically possible (and as someone I met at Catalyst told me in a different context, is being done every day).

2) Spread of Malware

Highly publicized incidents like the Koobface worm spreading via Facebook have led some of the security experts to consider these sites to be tremendously dangerous to the integrity of the DoD networks. But the malware threat from social media is nothing compared to the attacks the DoD has to fend off on a daily basis via sanctioned channels, namely email and so called “good” websites. And the tools to protect against the malware attacks are well understood and widely deployed. Most folks learn pretty quickly to identify and ignore malware messages, no matter what the medium. And cloud-based social media sites will do a much better job of cutting an attack off at the knees than thousands of distributed email systems ever will.

3) Information Leakage

In providing their reason for banning social media, the Marine Corps said

the very nature of social networking sites creates a larger attack and exploitation window, exposes unnecessary information to adversaries and provides an easy conduit for information leakage.

This is probably the most serious cause for concern, and one where IAM and Security technologies can play a crucial role. In many cases, the challenge here is similar to the one faced when dealing with any communication channel, whether it be email or ftp. Many enterprises rely on Security Information Management to protect their most sensitive resources – their data. A well established Identity Management infrastructure provides the first layer of protection by ensuring that only authorized individuals have access to sensitive information, and then providing a complete audit trail around the access of that data. This has been shown to have a deterrent effect in information protection, and can assist in tracing back the source of a data leak. DLP (Data Leakage Protection) tools provide data security by enabling data identification, classification, usage and wrapping controls around it all. Firewalls are getting increasingly sophisticated (take a look at Palo Alto Networks, which is getting traction with a content inspection engine that can “accurately identify applications … and scan content to stop threats and prevent data leakage“). The fact that Facebook and Twitter have APIs that allow the creation of custom clients means that users can be given access in a secure way through apps developed by the military. And there is commercial software out there that does much the same.

Now, the way I see it, the armed forces are facing the exact same dilemma that most enterprises are facing when considering how to tackle the use of social media in the workplace. The only difference is in the amplification of the potential consequences. Exploitation of the attack window that social media use creates could lead an enterprise to lose a lot of money, but in the case of the armed forces it could lead to serious loss of life. That does mean that while the issues are the same, the risks are vastly different. This would necessitate a completely different risk mitigation strategy. But does that mean that the solutions that can help would change too?

A blanket ban such as the one being discussed would lead you to believe that there exists no ability to handle what are essentially security and access control issues in the system, and that simply is not the case. I’m not saying that it is perfect, but a combination of tools, policies and guidelines can make it possible for social media to be leveraged by the military in ways that serves their (and our) national cause without harming their mission. And that would be to everyone’s benefit.

If you ever saw the movie “Breach” about how Robert Hanssen leaked national secrets by photocopying files and carrying them out in his bag, just think of how much more quickly he might have been caught if he had been sending those files over a social media connection. USB drives and email are far bigger threats (right now) than social media. and by being proactive, the military can turn these tools to their advantage. On the other hand, by not playing in one of the emerging technologies in the market, the US military risks becoming outdated, outmoded and outplayed by our adversaries.

Tags: Data Leakage Protection, DLP, Facebook, Firewall, Identity Management, Military, Oracle_IDM, Social Media, Social Networking, Twitter