Sunday, July 27, 2014

Time To Kill RBAC In Order To Save It?

I’ve made a very good living implementing RBAC solutions over the years and preaching the virtues of role-based security. In fact, I wrote an extensive white paper on best practices for RBAC implementation just a couple of years ago. However, I’m slowly coming to the painful conclusion that RBAC no longer meets the business needs of the modern enterprise.

I know this is a controversial position that will likely attract some fire from some of my peers in the IAM geek-space, so allow me to explain.

Role based security is a concept almost as old as the microprocessor itself. The basic principle of RBAC is simple enough. By aggregating entitlements into meaningful roles, the complexity of user-permission relationships is theoretically abstracted from the business.

There’s one major flaw with that theory. By design, role compositions and assignments tend to be static, but we now live in a world where privilege needs are not.

The current standard for RBAC has remained mostly unchanged since it was first introduced by Ferraiolo and Kuhn in 1992. While there have been several enhancements to that model over the years, such as the unified NIST standard in 2000 and support for attribute-based roles in 2010, most modern RBAC implementations look exactly the same as they did twenty years ago. 

RBAC was conceived in an era when user-system interactions were predictable and I.T. environments were homogeneous. In those days, we mostly used corporate-owned devices to access systems behind a corporate firewall. You knew with a measure of certainty that you would need to access the same systems in the same way with the same device every day. But that paradigm doesn’t describe a world of mobile devices, “anywhere/anytime” connectivity, identity convergence and hybrid cloud systems.

Another issue we’ve seen with roles over the years is with the complexity of role hierarchies in increasingly heterogeneous I.T. environments. Inheritance is a great theoretical concept, but in large dynamic organizations where privilege needs are constantly in flux, it can create an enormous operational burden. The impact of every role change, whether the change impacts membership or composition, must be carefully evaluated to avoid unpredictable effects on end users.

Even in the most successful RBAC implementations, it is rare for more than 70% of user-permission relationships to be covered by roles. Maintaining a reasonable level of coverage requires strict operational governance in order to avoid role explosion while keeping pace with organizational changes, the introduction of new systems and updates to existing systems. Put another way, RBAC does not lend itself to agility, which is a major problem for large organizations with complex I.T. infrastructures and dynamic user populations.

For these reasons, I’ve come to the conclusion that RBAC as we know it must be killed in order to save it.

I know what you’re thinking. This is going to be a pitch for ABAC. Well yeah, kinda sorta, but it’s more complex than that. I don’t view the ABAC vs. RBAC question as an either/or proposition. In fact, I believe that if properly designed, the two models can be complimentary rather than exclusive. In order to save RBAC, we must therefore enhance it with the characteristics of ABAC.

ABAC provides the ability to grant permissions by evaluating not only static identity attributes such as job title, but contextual factors such as location, device and risk. This feature alone makes ABAC far more dynamic than RBAC, since privilege assignments become dynamic rather than static. When you log into the corporate network using your company laptop in the home office, you may get a completely different set of privileges than when you log in from your personal iPad in a coffee shop.

Another major advantage of ABAC is the ability to confer negative permissions, which is to say that access to a system or operation can be denied based on the evaluation of static and contextual attributes.

The XACML standard offers a universal syntax for expressing ABAC policies. The lack of a corresponding standard for RBAC means that every IAM product implements roles in a slightly different way. Some products support session-aware roles, others don’t. Some products support attribute-based roles, others don’t. Some products support constrained hierarchies, others don’t. This means role modelers and engineers are often restricted by the features of whatever IAM solution their company has decided to buy.

Does this mean there is no longer any place for roles? No, far from it. What I am suggesting is that we abandon complex role hierarchies and limit automatic role assignments to coarse-grained birthright privileges such as “Employee” and “Contractor”. Elsewhere, roles can still be used to represent bundles of entitlements where those entitlement groupings are known to be stable, but instead of statically assigning roles to users, assignment should be driven by context-aware ABAC rules.

Rethinking RBAC to incorporate the contextual features of ABAC is, in my view, the only way to save it.

So what does this all mean in practice? Let’s take the example of a system administrator working at a large corporation. As an employee, he automatically gets a birthright role of “Employee”. This grants him access to the corporate network, the email system and the employee intranet. That doesn’t need to change. In the RBAC model, however, he also has a “Production Support” role that allows him to access a bunch of production servers. Because that role is statically assigned, he can access those servers with any device from any location at any time. In the new world, we can create an XACML policy that only grants him the “Production Support” role if he is using a company-owned device, is within the United States and is working off-shift. So when he tries to make changes to a production server while using his iPad in a Paris coffee shop in the middle of the day, he will be blocked.

Right now, surprisingly few IAM offerings support XACML although I expect this to change as more organizations gravitate towards more dynamic ABAC frameworks for entitlements management. Fortunately, very few organizations have successfully implemented RBAC, which lowers the barrier for adoption of a hybrid ABAC/RBAC model.

Saturday, July 26, 2014

IAM is Not So Smart!

Recently, I was cleaning out my den and came across a clunky old pager that felt like an ancient museum relic. Then I realized that I'd been using that thing as recently as 2003, just eleven years ago. This caused me to ruminate on how dramatically my working habits have changed over the past decade or so.

When I landed my first I.T. job in the 1990s, I came into work in the morning and logged onto the corporate network using a Windows NT workstation. For the rest of the day, I did my work on that old Pentium 3 machine and then returned home, completely disconnected from the office until the next morning (yes, those were the good old days when we actually had lives outside of work... remember that?) A couple of years later, my employer gave me a pager, so they could notify me if an off-shift emergency occurred (clue: it was used often). Then they gave me a clunky laptop, which allowed me to log into the corporate network from home using a Cisco VPN client and RSA SecurID token. Now I could work on weekends too (yay me!) It wasn’t until about 2007 that I got my first Blackberry. That wretched device allowed me to access emails from anywhere at anytime, even though I still needed a laptop to access other corporate systems. A couple of years later, I got a smartphone, and then a tablet, and then started working mostly from home. Now in 2014, I no longer even need an office. I can do nearly all of my work from a plane, train or automobile, from a beach in Mexico or from a vodka bar in Helsinki, and all I need is an iPad. In other words, my life is over... but that's another story.

It’s remarkable to think how easily we’ve assimilated these changes in our working lives within such a short space of time. Yet, even more remarkably, the basic fundamentals of identity management haven’t evolved much at all, even though the way we interact with systems and with each other has been radically transformed by mobile technology, social media and the cloud. Hell, most folks still think of IAM in terms of provisioning and single sign-on. I mean, come on, seriously?

Yes, we have a bunch of cool new standards like SCIM, oAuth and OpenID Connect. We use cool new terms like Access Governance and Risk Analytics to paper over the fact that we're basically doing the same things we were when I was using a Pentium 3. We use IAM tools that are much more sophisticated than they were ten years ago (oooh look, shiny widgets!). All of those are great things. But under the hood, IAM is still about assigning static privileges to users that allow them to access “stuff”. As for the concept of consumer identity, we haven’t even scratched the veneer of the surface yet.

It’s time for a revolution in the way we think about identity in the era of the Smart Web (I prefer this term to “Internet of Things” for reasons I will explain much, much later).

As IAM practitioners, we like to tell ourselves that we are responsive to the demands of evolving business and technology trends. Except that we’re sorta, kinda kidding ourselves, aren’t we? If we were really that effective as an industry, then why is it that the number of material breaches have increased exponentially over the past decade? If we were surgeons and the number of deaths had increased tenfold on our watch, we'd be sued for malpractice. So clearly we’re doing something wrong. If anybody has become more sophisticated, it’s the bad guys, not us. And this is because most IAM solutions are still addressing the security needs of the 1990s, albeit with.... uh, shiny widgets!

As the number of internet connected devices and consumer facing services has exploded, so have the number of potential attack vectors (as an aside, there is a very good reason that you no longer hear about bad guys in masks robbing banks with shotguns… just think about it). Identity theft impacts nearly 10% of the adult population of the United States every year, and we’re supposed to be in the business of identity management? We should be ashamed of ourselves.

So with all of that said, I’ve come up with a brain dump of five guiding principles for IAM in the era of the Smart Web. This is a work in progress, but hopefully we can get some kind of discussion going here:

1. Rein in Attribute Providers
Today, I have separate accounts with Facebook, Google, Twitter, Snapchat, LinkedIn, Amazon, eBay, Dropbox, my 401K provider, my bank, my credit card company and a bunch of other service providers that I’ve probably forgotten about. Each of them stores various (often identical) attributes about me, including my name, address, date of birth, telephone number, email address and my cat’s favorite brand of kibble. And those are just the accounts I use as a private citizen, never mind all the SaaS and on-premise applications I use as a corporate employee. At a rough guess, there are probably more than 100 different companies that maintain various attributes about me. If any of those were compromised, I could become yet another victim of identity theft. And statistically, I probably will at some point.

Being a security professional, I follow the best practice of creating a unique password for every system I use. But this is an onerous burden that most people don’t observe. More than 70% of users have been found to use identical passwords for every service, meaning that if their password is compromised in one place, it potentially exposes all of their web accounts.

But even if passwords are compromised, they aren’t necessarily useful unless they expose personally identifying attributes about the user. Therein lies the problem with classic IAM architectures, where every company insists on maintaining their own attribute store, and each of these stores represents a juicy target for the bad guys, not to mention a potential liability for the service provider.

So why are we still doing this? Mainly because nobody can agree on a single unified authority for identity related data. Would you trust Google to be the central repository for people data? Or Facebook? Or Amazon? Apart from the fact that a central repository would represent the juiciest target of all, there is something creepy about one monolithic corporation owning all of your data.

However, there is already an authoritative source for your data and it is far more sophisticated than any system that Google has ever designed. It’s you, stupid! If you carry all of your identifying attributes with you, say on your smartphone, then you can control what information you share with each service provider without them having to store it.

Yes, I hear you say, but what if your smartphone is stolen? Well, that’s where biometric and contextualized device security becomes essential, although this is only one factor in a truly secure AuthN/AuthZ solution for unified identity…. Unified WHAT? I hear you say. Haha, we’ll get to that later.

Oh, and while I'm at it, we need to kill LDAP. I'm serious! But that's a whole other blog article.

2. Identity Is People, stupid!
This is my entry for the annual “Stating the Obvious” contest. An identity is nothing more than a digital representation of a human being. It is unique to you, belongs to you, is known by you and (ideally) can only be changed by you.

Now let’s think about that applies to the real, non-digital world. When you meet somebody, you might choose to share your name and phone number. Once you get to know them better, you might also share your address and even your age. But how many people would you ever share your bank account details or social security number with? You’d have to know them extremely well before you do that, right?

In today’s IAM world, all attributes are treated equally. Nobody can steal your identity just by knowing your name and telephone number, but if they also know your date of birth, bank account number and/or SSN, all bets are off. We need to come up with an empirical standard for classifying PII by sensitivity, so that truly sensitive attributes can only be shared in a limited fashion with trusted parties. For example, SSN may only be shared with known financial institutions, while DOB may be shared with trusted service providers with the user’s permission. Meanwhile, your credit card and bank account information can be shared on a transactional basis but should never be stored by a service provider.

3. Context Is Everything
As a service provider, how do you really know I am who I say I am when I log into your system? In most cases all I have to do is provide a password and we all know how secure that is, right? Even when I log in, my privileges are statically assigned so I can typically perform exactly the same operations when I’m on a corporate network as when I’m sipping cocktails in Mombasa.

That paradigm is no longer effective in a mobile world. In order to make intelligent, real-time decisions about granting access to sensitive data, context is everything. You now not only need to know who I am, but potentially where I am, what device I’m using and even whether my interactions with your system are consistent with my past behaviors. These kinds of situational and environmental attributes are not recognized by most access management systems, which is why static access management models such as RBAC are failing to meet the needs of the modern web.

ABAC is certainly a big part of the solution, which is why I expect to see XACML-based solutions gaining huge traction in the coming years, but it is not a panacea. You also need to be able to make risk-based decisions when granting access. Modeling risk on a transactional basis requires algorithms that combine data classifications with operational sensitivity metrics and then evaluating that in the context of a user’s situational and behavioral profile.

Sounds complicated? Well, it is, which is why we get paid the big bucks! But let’s dumb it down with the example of my fictional friend John, an account administrator in XYZ Corporation. When John is at the office, the location service on his authentication device (say, a smartphone) knows exactly where he is. His device is used to communicate his location to a Policy Enforcement Point, which makes a decision to grant him full permissions for the finance system while he is in the office. Because his home address is also known by XYZ Corporation, it can grant him similar permissions when he is logging in from home. But let’s say he attempts to log in from China, even though he logged in from his office in Chicago two hours earlier, the PEP can flag that access attempt as a potential breach, particularly if he does so from a device he’s never used before. Similarly, if John’s behavioral profile shows that he issues an average of 20 checks a day from the finance system but then one day issues 5,000 checks, that might be flagged as an unusual behavior pattern requiring immediate investigation.

Contextual access can also be used to enhance user experience. For example, John is not only an employee of XYZ Corporation, but he is also a consumer who buys stuff from their stores. When John enters an XYZ store instead of the corporate office, he can use the same identity to buy products as he uses to log onto the corporate network, but using a consumer rather than an employee profile. This is possible because his device automatically detects that he is in an XYZ store rather than in the office. After all, John may be both a consumer and an employee of XYZ, but he is still the same person, right?

4. YOU Are The Authoritative Source
Earlier, I mentioned the concept of unified identity, where you have one profile that can be used to interact with any system, anywhere and in any context. Let’s explore what that might look like in practice.

Imagine a smartphone app that stores all of your personally identifying information (in secure encrypted fashion, of course). I’m talking about everything from your name to your social security number to your bank account details to your spouse’s favorite reality show character. Some of this information, such as your SSN, may be restricted so that it can only be shared with certain parties. Using your smartphone, you can control what attributes to share and with whom. You may choose, for example, to share a different subset of attributes with your employer than when using your personal Facebook account. In other words, YOU operate your own identity management system.

So what’s stopping us from adopting this model? We have the standards (oAuth with OpenID Connect). And we have the technology (strong authentication and adaptive authorization). As always, the barrier to adoption is cost and motivation. 

5. Devices Are People Too!
No, I’m not advocating that we build artificial intelligence into our smartphones, although with many of the folks I meet, it could be argued that intelligence is often artificial within humans too, but that’s another story.

Until now, we have always focused on identity as purely a human construct. But every device also has a unique identity. This has never been an important concept in identity management until the Internet of Things (or as I prefer to call it, the Smart Web). Let’s go back to the example of John, our account dude working at XYZ. In that example, John was able to use a single identity as both an employee of XYZ and a consumer of their products, because his smartphone was intelligent enough to tell when he was in a store as opposed to the corporate office. Now let’s talk about what happens when John leaves the store. He gets into his internet connected car and programs the GPS to drive him home. The car automatically notifies the internet connected thermostat in his house that he is on his way home and instructs it to turn the heating on (I should have mentioned that John lives in Nebraska!)

This kind of system-to-system interaction requires no human intervention whatsoever, but it does require some kind of rule-based intelligence, hence why I use the term “Smart Web”. But if no human intervention is required, then how does the car identify itself to the thermostat? Well, because the car has a unique identity, of course.

Okay, you say, but aren’t we just talking about a form of MDM here? Well yes, but it’s more than that. I’m talking about the need to unify IDM and MDM so that we can manage device privileges in the same way that we do for humans.

To make all of this a reality, we need to work together as an industry to establish best practices and architectures for next-generation IAM. But that isn’t enough. We also need to be working with standards bodies such as NSTIC and OASIS to promote adoption of these standards, and with product vendors to develop the enabling technologies. This effort will take years to accomplish, but it has to start now, because the Smart Web isn’t slowing down for anybody.

In my next article, I will discuss some possible approaches and solutions for how we need to think about identity for the Smart Web.

Wednesday, December 21, 2011

Fired Up About the Kindle Fire

A couple of months ago, I wondered whether I had any use for a Kindle Fire, and concluded that while it was an intriguing device, I probably didn't need another tablet in my life. Well, it turns out I was wrong. A few days ago, Santa came early with an Amazon "smiley box" containing a brand new Fire. Within ten minutes of ripping open the box, I was hooked.

I've owned an original iPad for over a year now, and use it mainly for watching movies on planes, reading eBooks on the Kindle app, playing Angry Birds when I need to take out my frustration on defenseless cartoon piglets, watching streaming media on Netflix, Hulu and SlingPlayer while on the road, and taking notes in meetings. The iPad hasn't quite replaced the need for a laptop yet, but I've certainly made good use of it. So it never occurred to me that there was room in my gadget-filled life for another tablet. That was, until I opened the smiley box.

Like the iPad, the Fire "just works" out of the box. No instructions are needed, there are no complicated setup procedures; you just turn it on and go. If you don't know what the Kindle Fire is for, the simple home screen menu says it all (Music, Video, Apps, Books, Newsstand, Docs, Web). No ambiguity there. Simply go through a simple Wi-Fi configuration screen, enter your Amazon ID to register the device, and you immediately have a wealth of media at your fingertips.

Make no mistake, media consumption is what the Kindle Fire is all about; specifically, consumption of media from the Amazon ecosystem. The first thing that impressed me was that every streaming movie I have ever purchased from Amazon (usually through my TiVo box) was immediately available in my Video library. I'd forgotten that on a cold, rainy day about five years ago, I'd paid ten bucks to stream Love Actually from Amazon (don't say a word!), but there it was, sitting right in the library.

Needless to say, every eBook I'd ever purchased on my iPad Kindle app was also there. And I quickly discovered that by connecting the Kindle Fire to the USB port on my laptop, I could transfer MP4 movies to the device for subsequent viewing. Yes, I know the iPad also allows you to do that, but the Fire doesn't require a clumsy, heavyweight app like iTunes to synchronize files; it operates just like a flash drive, so transferring media is simply a matter of copy and paste. Gotta love that!

The OS is based on a custom implementation of Android 2.3 Gingerbread. While it is heavily "Amazonized", there is no hiding the fact that an Android kernel lurks under the hood, and I don't necessarily mean that in a good way. No matter how much you try to put lipstick on that Angry Birds character, Android lacks the polish, elegance and responsiveness of iOS. Functionally, it works great, but if you have been spoiled by iOS, the jerky scrolling and occasionally erratic keyboard can get a little tiresome.

Perhaps the weakest feature of the Fire is the Silk web browser, which I found to be painfully slow, especially when loading Javascript-intensive webpages. Granted, the iOS implementation of Safari is no speed demon, but compared to Silk, it is like putting a Formula 1 car up against a 1987 Chevy Nova. I'm not sure whether this is due to the Silk application itself or the Fire's low-end hardware spec, but considering that the Fire packs a not-too-shabby dual-core OMAP 4 1GhZ processor, I suspect it has more to do with the former.

I found it strange that the home screen menu does not contain a link for email; instead, the email client is buried under Apps. The email client offers a basic set of functionality but does what it is designed to do and worked fine with my work and personal GMail accounts, aggregating all of my mail into a "Unified Inbox". In many ways, I prefer it to the iOS mail client.

Speaking of apps, the Amazon App Store offers a surprisingly large and growing range of them. Within minutes of opening the device, I had installed Netflix, Pandora, Facebook and Hulu Plus. There wasn't a Kindle version of SlingPlayer yet, but I was able to obtain the generic SlingPlayer app for Android and then install the package using the ES File Explorer app. Simple. And yes, Angry Birds is available too.

So what of the device itself? Given that my tablet experience so far has been limited to the 9.7" iPad, I found the 7" form factor of the Kindle Fire refreshing. There is something nice about being able to comfortably hold a tablet in one hand, particularly when reading an eBook or magazine. Strangely, the smaller form factor isn't as constraining as I expected it to be; writing emails using the onscreen keyboard is no more cumbersome on the Fire than on the iPad. If anything, it is slightly easier, since the 7" form factor allows you to thumb-type in much the same way as one would on a smartphone.

The most pleasant surprise was the display, which I expected to be slightly below par given the Fire's price point. Colors are rich and vivid, contrast is outstanding, and videos are razor sharp. Some may disagree, but the Fire's display is more than a match for the iPad. And the embedded speakers are, if anything, superior to those on the iPad with a slightly broader volume range and less tinniness.

That is not to say the Kindle Fire is perfect, by any means. The omission of volume buttons is extremely puzzling, given that the device was clearly designed for media consumption. To compound matters, the onscreen volume slider is always in a different place depending on the app you are using. As for capacity, the miniscule 8Gb storage doesn't offer much room to store music or videos. Yes, I know that Amazon's cloud infrastructure theoretically reduces the need to "store" media, which is fine if you always have a Wi-Fi connection. But for a road warrior like me, Wi-Fi isn't always an option. Not all planes are Wi-Fi enabled, and have you ever tried streaming media using a hotel Wi-Fi connection? Still, the lack of storage isn't a dealbreaker, given how easy it is to transfer files back and forth over USB.

If the Kindle Fire were priced similarly to the iPad, any of these shortcomings would be enormous. But it isn't, not by a long shot, and that is the point. Given the Kindle Fire's $199 price tag, what might be fatal shortcomings for an iPad or similarly priced tablet are trivial gripes in this case.

But the real test for me is how frequently will I use the Fire compared to the iPad. Well, after two weeks with the Fire, I've learned that it depends on the use case. If you read a lot of eBooks and eMagazines, then the Kindle Fire is a superior option given its weight and form factor. For movies, there isn't much to choose between the two; the Fire is great if you don't mind a slightly smaller screen, and it compensates for this with superior sound quality. Given those two factors alone, I have found myself more inclined to use the Fire when on a plane, grabbing a latte at Starbucks, or just catching up on some late night reading.

But the Fire isn't a productivity device like the iPad. I could not imagine myself using it to take meeting notes, fire up a quick spreadsheet, edit a slide deck or even act as an RDP thin client to access my remote servers. Then again, Amazon didn't design the Kindle Fire to be a productivity device. They clearly built it to provide a portal into the Amazon media ecosystem. The device ships with a free 30-day subscription to Amazon Prime, which in addition to free two-day shipping, provides access to a range of free streaming movies and TV shows. While this library isn't as extensive as that of Netflix, it seems to be growing rapidly and you also have the option of renting or purchasing more recent movies directly from the device.

So just when I thought I had all the gadgets and devices in my life that I could handle, the Kindle Fire has found a niche that I didn't even know existed. I may not have needed one, but iPad or not, I will certainly make good use of it. Even had it not been a Christmas present, the $199 price tag is a bargain. For consumers who want a tablet but cannot justify the $499 entry point for an iPad, the Kindle Fire offers a compelling alternative. It may be less than half the price of an entry-level iPad 2, but certainly offers more than half the functionality and features.

Monday, December 19, 2011

Gartner 2011 Magic Quadrant for IAG: Tight Competition in a Maturing Industry

Gartner has just released its first ever Magic Quadrant for Identity and Access Governance (IAG), and SailPoint appears to have emerged as a narrow victor. Unlike the Forrester Wave for IAG published earlier this year, which showed SailPoint and Aveksa leading the competition by a mile, Gartner has 4 of the 7 evaluated offerings in the top quadrant, with CA on the borderline.

Admittedly, I'm more familiar with SailPoint IdentityIQ and Oracle Identity Analytics than any of the other products featured here. Both are extremely mature, versatile offerings that are simple to deploy and provide a full range of access governance capabilities, including role analytics, detective/preventative policy enforcement and certification/remediation. From a pure governance perspective, there isn't much to choose between them.

SailPoint's acquisition of BMC's identity management offering and their incorporation of BMC's provisioning engine into IdentityIQ means that they are no longer a pure play IAG vendor, and can compete on equal terms in the IAM space with the likes of IBM, Oracle, CA and Microsoft. In recent months, SailPoint has also been adding provisioning capabilities to their extensive range of native governance connectors, which ship with the product. Of course, OIA also offers provisioning capabilities, but only when integrated with OIM or another supported provisioning product.

As I've noted before, the maturation of identity management is driving a trend away from bottom-up identity administration tools, towards more holistic, governance-based solutions. Visionaries such as SailPoint have long anticipated this evolution and are ideally positioned to take advantage of it as organizations become more sophisticated in how they approach identity governance.

The decision by both Forrester and Gartner to begin publishing IAG market analytics in 2011 acknowledges the increasing maturity of IAG. The explosive growth being experienced by Aveksa and SailPoint offers further validation, if any were needed, of this trend.

The question is, what does this mean for identity management practitioners?

Well, as one might expect, there is good news and bad news. The bad news is that it is no longer sufficient to be a technical whizz who can develop advanced customizations, custom connectors and sophisticated workflows in their product of choice. As IAM/IAG offerings become easier to deploy, offer richer, more business-friendly functionality, and adopt a less I.T.-centric approach, I expect the demand for advanced technical customizations to diminish. The good news is that the increasing maturity of these offerings will allow identity management professionals to spend less time focusing on arcane technical integrations and more time devising robust, governance-centric solutions for customers.

I'm not saying that the market for identity administration tools will go away. Of course it won't; there will always be a demand for automated provisioning. But identity administration is becoming more commoditized, and over time I expect it to be increasingly viewed as just one component of a more holistic IAG framework. Just because the tools are becoming more sophisticated doesn't mean that the operational challenges that create a need for streamlined identity administration are going away.

The real implication is that IAM/IAG solutions are evolving from mere I.T. tools into corporate governance suites, which in turn suggests that the target audience for such offerings is increasingly likely to be a CTO, CISO or CIO than the Manager of Enterprise Applications. For identity management professionals, this means that the ability to articulate business value to a non-technical audience, deliver policy-driven solutions and demonstrate a sophisticated awareness of the regulatory landscape will become just as important as the ability to create a kick-ass workflow. Individuals with that balance of soft and hard skills are difficult to find, and will therefore remain in extremely high demand.

Which, in my opinion, is exactly how it should be.

Friday, December 9, 2011

Access Rights versus Access Usage

Having been in the IAM space for enough years to remember when the idea of a metadirectory was still "cool", I spend a lot of time thinking about where the industry is going, and more specifically, how we can enhance the value that IAM brings to our customers. Recently, one such customer articulated a requirement for an identity governance solution that not only provided them with a global view of access privileges, but allowed them to see who was accessing a particular server or file share.

It occurred to me that most modern identity solutions do a great job of providing a view into who has access to what, but not what they are actually doing with that access. These are two completely different concepts, but from a technical perspective, they don't necessarily need to be.

A standard identity management suite ships with a connector framework that exposes a common interface to abstract the logic that interacts with the target system. These interactions generally comprise standard IdM events such as account creation, modification, enablement, disablement, retrieval and deletion. Obviously, each connector "type" is required to invoke native API calls.

Since vendors are already building connectors that manage accounts across a wide range of target systems, how difficult would it be to extend these connectors to inspect logs on those same systems, and then correlate each log entry to an identity object in the same way that we already do for native accounts? For example, in addition to pulling a list of local accounts from a UNIX server and correlating them to a person's identity, a UNIX connector could expose a method to pull the server logs and update identity records with information about what actions each user had been performing on that server.

It's just a thought, but it strikes me that being able to see who is doing what is as foundational to robust identity governance as being able to see who has access to what.

More Thoughts on Cloud Identity

Unfortunately, I haven't had much time to blog lately, as November was essentially a wash. First, we were left without power for a couple of weeks by the epic Halloween storm that crippled much of New England early in the month. Then I took off on my annual pilgrimage to visit relatives in England. And then, of course, it was Thanksgiving. Next thing I know, the malls are filled with Christmas shoppers and the drone of those annoying seasonal tunes to which we are thankfully subjected for only a few weeks a year.

Anyway, I'm back now. While catching up on my favorite blogs, this comment on cloud-based identity by Sean O'Neill---who I consider to be one of the best minds in the business---caught my eye, mainly because it echoes my own sentiments on the topic.

Sean notes that from a technical perspective, there is nothing earth-shatteringly new about cloud computing itself, except that we now give it a fancy name. No argument from me there. But his more important point is that the increasing adoption of cloud services creates a whole new set of governance headaches for CIOs. To illustrate this point, he quotes the CIO of a major insurance company:
“One thing I have come to realize is that when I move my application to the cloud, all of the security of my networks and firewalls that I have invested in over the years disappears. The only defense I have left is identity and data security in the application”
In my experience, that sentiment is probably not unusual among CIOs and CISOs, particularly in highly regulated verticals such as financial services, pharmaceuticals and healthcare. Entrusting identity management to the cloud may seem like a good idea to analysts, vendors and techies, but they are not the ones who would be laying awake at night, worrying about the legal and regulatory implications of their cloud identity provider suffering a catastrophic breach.

As Sean explains:
Even if you can sue the pants off of your cloud provider, the basic problem is a breach would have occurred and your people are not involved at the security level.
In other words, if you are a CIO and sensitive personal information about your customers and employees is leaked due to a breach at a third-party identity provider, the victims aren't going to give you a pass because you entrusted security to a cloud service. If anything, they will hold you even more liable for gross negligence. Not to mention that "not my fault" will do nothing to mitigate damage to your company's brand reputation.

The increased adoption of cloud computing is inevitable, but it is both reckless and unrealistic to view IAM as just another one of those services, particularly for large organizations.

Currently, everybody seems to be focused on the idea of moving IAM tools to the cloud (which, by the way, does nothing to alleviate the process and governance issues that make IAM projects so notoriously complex---it simply moves these problems somewhere else). Instead of viewing IAM as just another commodity, we should be thinking about how to help organizations evolve robust governance strategies for managing cloud identities. I know this isn't as sexy as the idea of cloud-based IAM products, but it is far more relevant to the average CIO.

Saturday, October 29, 2011

Is Logical/Physical Convergence the Next Big Thing in IAM?

Traditional identity and access management describes the processes, systems and policies that are used to identify individuals to information systems, control what privileges they have, and what they are doing with those privileges. By now, this is all well understood.

But why should IAM be restricted only to systems? For most large organizations, the need to control physical access to secure facilities and locations is every bit as relevant to a holistic security strategy as controlling access to applications and data. Corporations spend millions of dollars on physical security systems such as CCTV, electronic barriers and identification cards, designed to prevent unauthorized personnel from accessing restricted areas. Typically, these systems are centrally managed by a Corporate Security department, so that individuals are only granted the physical access required of their jobs, and any attempted security breaches can be immediately detected.

You see where I'm going with this, right? Conceptually, physical security represents the most basic IAM use case. One could almost think of buildings as applications and areas within those buildings as fine-grained entitlements, and the paradigm for physical security is identical to that of I.T. security. Once you make that connection, there is no reason why physical security could not be assigned using RBAC. Indeed, most commercial physical security systems already provide for role-based access.

Yet, for some inexplicable reason, physical and logical security are still generally viewed as two separate disciplines, which makes no sense to me. I suspect this is because in most organizations, I.T. Security and Corporate Security are distinct organizations, and there is often very little cross-pollenation between the two. IAM vendors, for their part, clearly haven't felt any pressing need to address this gap, and still focus almost exclusively on managing access to I.T. systems.

Some of the advantages to logical/physical convergence seem glaringly obvious:
  • Reduced TCO achieved by centralized management of all access policies, instead of having to maintain separate systems and processes for logical and physical access.
  • Greater compliance with regulatory mandates such as HSPD-12, GLBA, SOX and FIPS-201.
  • Streamlined offboarding processes, which is particularly important when dealing with a sensitive termination scenario.
  • Smartcards can serve a dual purpose of granting physical access to corporate facilities and providing a second factor of authentication to sensitive systems and data.
Of course, a converged IAM offering would need to be sold in a different manner from traditional IAM solutions. In many cases, IAM products are pitched at the Director/VP level of an I.T. organization, and sometimes at an even lower level than that, particularly when the solution is being acquired to address an urgent tactical need. But only a CIO, CEO, CTO or CCO usually has the appropriate authority over both I.T. and Corporate Security to appreciate the value of a converged offering, and has the political muscle to mandate its implementation. This is yet another reason, as I've argued before, why IAM needs to be positioned more as a corporate governance asset than a back-office I.T. function.

From a technical standpoint, supporting logical/physical convergence should not require a significant re-engineering effort for most IAM vendors. So I find myself asking, why hasn't this happened so far, and who will be the first to address the gap?