RSA Conf. Notes: Looking For Practical Approaches to IAM

I attended a very informative session entitled “Enterprise IAM Challenges – A Practical Approach to RBAC” given by Jeff Bardin, the CISO at Investors Bank and Trust. It was a frank, open account of his experience leading a team on an IAM project that took his previous employer from a failed audit to a successful delivery of compliance objectives. He talked about how his team tackled three main problem areas – employee on-boarding, RBAC and user provisioning.

The team used a variety of tools (including, to my surprise, the Thor Xellerate product, now Oracle Identity Manager) to clean up roles across systems, folders and files, simplify the employee on-boarding process, introduce user provisioning, and bring order to what he termed “identity chaos”. Some of the numbers were very impressive – going from about 320K unused datasets in RACF to 90K, going from about 12000 userids to just less than 6000, and so on.

He described some project management techniques (such as mapping out the new employee process as swim lane and contact point diagrams in order to identify the pain points and inefficiencies) that are fairly simple to understand, yet don’t seem to be employed that often. He detailed cost savings achieved from three sources – directory synchronization, password management and user provisioning. Their approach to RBAC was to centrally administer but locally enforce RBAC policies. They created global roles based on a combination of functional (truly related to job function), geographic and affiliation (employee, consultant, temp) criteria.
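To make the “centrally administer, locally enforce” idea and the three-way role criteria concrete, here is an added illustration of my own (not code from the session or from Jeff’s project); the role names, user ids and RACF-style entitlement labels are constructed sample data:

```python
from dataclasses import dataclass

# Constructed illustration (not from the talk): "centrally administer, locally
# enforce" RBAC with global roles keyed on function, geography and affiliation.

@dataclass(frozen=True)
class GlobalRole:
    function: str     # job function, e.g. "trade-settlement"
    geography: str    # e.g. "US"
    affiliation: str  # "employee", "consultant" or "temp"

class CentralAdmin:
    """The one place where user -> global role assignments are administered."""
    def __init__(self):
        self.assignments = {}  # user id -> set of GlobalRole
    def assign(self, user, role):
        self.assignments.setdefault(user, set()).add(role)
    def roles_of(self, user):
        return frozenset(self.assignments.get(user, ()))

class LocalSystem:
    """A target system that keeps its own global-role -> local-entitlement map
    and makes the access decision itself."""
    def __init__(self, inventory, role_map):
        self.inventory = set(inventory)  # every entitlement the system knows about
        self.role_map = role_map         # GlobalRole -> set of local entitlements
    def entitlements_for(self, user, central):
        ents = set()
        for role in central.roles_of(user):
            ents |= self.role_map.get(role, set())
        return ents
    def permits(self, user, entitlement, central):
        return entitlement in self.entitlements_for(user, central)
    def orphaned(self, central):
        # Entitlements no assigned role reaches: candidates for clean-up.
        reachable = set()
        for roles in central.assignments.values():
            for role in roles:
                reachable |= self.role_map.get(role, set())
        return self.inventory - reachable

# Constructed sample: same function and geography; affiliation narrows access.
settle_emp = GlobalRole("trade-settlement", "US", "employee")
settle_tmp = GlobalRole("trade-settlement", "US", "temp")
central = CentralAdmin()
central.assign("u100", settle_emp)
central.assign("u200", settle_tmp)
racf = LocalSystem({"SETTLE.DATA:READ", "SETTLE.DATA:UPDATE", "OLD.BATCH:READ"},
                   {settle_emp: {"SETTLE.DATA:READ", "SETTLE.DATA:UPDATE"},
                    settle_tmp: {"SETTLE.DATA:READ"}})
```

The `orphaned` check is the kind of report that surfaces entitlements nobody’s role reaches, which is where clean-up numbers like the unused-dataset reduction come from.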

While Jeff’s session did not identify any revolutionary approaches to solving the identity problem, it was one of the most complete and thorough descriptions of a large IAM project undertaking. If you were at the conference but unable to attend his session, check out his session presentation (which was made available to all conference attendees).

Jeff’s work at his previous employer proved so successful that on Monday he received the RSA Conference 2007 award for “Excellence in the Field of Security Practices”, an award for which his previous boss nominated him after he had already left the company. That alone shows how impressive a job he did.