Friday, July 21, 2006

Interesting week in the trenches...

I had a chance to talk to some great companies this week about identity management, where they thought things were headed, how they now view identity management, and we shared some horror stories along the way. I also had a chance to validate my hunch that identity management and access control are converging, and that the convergence is best handled in, and will ultimately occur in, the network layer.

My first meeting was a dinner with a global financial services firm that, like many global FS companies, has an issue with how they operate in Switzerland, and ultimately with managing the delicate and mandated balance of control, identity, and privacy.

As it was explained to me, you need to be a Swiss citizen physically in Switzerland to access Swiss bank information. Because the system has a high degree of anonymity/privacy, this is not easily accomplished when your networks in the Americas, APAC, and elsewhere are all connected, yet operationally Switzerland is a walled-off silo.

The good news was that over the course of a couple of beers and some fantastic Chinese food, we came up with a solution that we both hope to pilot in the next few weeks that will segment users, by machine and by network, so that this company can know absolutely that the users are Swiss citizens accessing data from machines and networks physically in Switzerland. Very cool brainstorming in 95 degree heat in Manhattan.

Tuesday I met with a global information concern and we traded stories about IdM implementations. They had decided to abandon their incumbent vendor to go with one of the big guys – it was not Sun, BMC, or IBM – and they were very interested in learning more about what not to do in their implementation, which I felt compelled to share based on my experience of dealing with large-organization implementations. We laughed a lot, and I probably saved them $100,000-200,000 by sharing a few key questions they need to answer before they start thinking they can jump in and start writing XML code.

Wednesday I met twice with a juggernaut in the IT business. Once in the morning, to discuss the notion of removing anonymity on the network, implementing policy, and ultimately enabling control of the entire network by user, device, or subnet. We met for 30 minutes and they asked us to stop – I'm thinking game over – and then they asked us to come back at 4 pm to talk to a bigger audience that was working on a $400M project. Who was I to say no…

The 4 PM meeting blew their hair back, to the point that I stayed over another night to pitch the notion of control to an even broader audience. Funny thing is, they were far more interested in audit capabilities, since that was the immediate need. What I learned was that in a project of this size, magnitude, and importance (people will die if it doesn't go well), knowing in real time who is on the network and what they are accessing (whether they are supposed to or not) will drive the best possible policy development, and ultimately policy enforcement, which is the end goal (I think) of implementing an identity management solution.

The issue with IdM to date has been establishing the correct identity of a user and automating which applications they get access to, as well as automating the termination of that access. Control. And, to a certain extent, audit – how many users do we have? Are they legit/known? How do you know this?

The rub is that someone will always have root access to a server and/or administrative rights to applications, and guess what – they can establish whatever access they want without IdM, or even in spite of it.
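The audit questions above (how many users do we have, are they known, how do you know) and the root-access problem both come down to the same check: reconcile what the IdM system of record believes it provisioned against what is actually present on each system, and flag anything granted around IdM, anything that should have been terminated, and anything IdM thinks exists but does not. The following is an added example illustrating that reconciliation; it is not code from the original post or from any vendor named in it, and the IdM export, the `/etc/passwd` excerpt and the application user table are all constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class IdmRecord:
    """What the identity management system of record believes about one person."""
    status: str                   # "active" or "terminated"
    entitlements: FrozenSet[str]  # systems IdM believes it provisioned for this person


# Constructed sample IdM export (hypothetical data, not from any real product).
IDM: Dict[str, IdmRecord] = {
    "alice": IdmRecord("active", frozenset({"hr-app", "trading-db"})),
    "bob":   IdmRecord("active", frozenset({"hr-app"})),
    "carol": IdmRecord("terminated", frozenset({"trading-db"})),
    "erin":  IdmRecord("active", frozenset({"trading-db"})),
}

# Constructed /etc/passwd excerpt from the host "trading-db".
# Note that "bob" has a local account here although IdM only granted him hr-app:
# this is the kind of access a root user can create outside the IdM process.
TRADING_DB_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
dan:x:1003:1003:Dan:/home/dan:/bin/bash
bob:x:1004:1004:Bob:/home/bob:/bin/bash
"""

# Constructed user table pulled from the "hr-app" application.
HR_APP_USERS: Set[str] = {"alice", "bob", "svc_report"}


def human_accounts_from_passwd(passwd_text: str, min_uid: int = 1000) -> Set[str]:
    """Return login names whose UID is >= min_uid, i.e. the interactive (non-system) accounts."""
    names: Set[str] = set()
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # malformed line: skip it rather than guess at its meaning
        if int(fields[2]) >= min_uid:
            names.add(fields[0])
    return names


def reconcile(idm: Dict[str, IdmRecord],
              observed: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Compare IdM's view with observed accounts; return (finding, system, account) tuples.

    unknown_account    - account exists but IdM has no record of the person at all
    orphaned_access    - account exists for a person IdM marks as terminated
    out_of_band_grant  - active person, but IdM never provisioned them on this system
    missing_provision  - IdM believes access exists but no account was found
    """
    findings: List[Tuple[str, str, str]] = []
    for system, accounts in observed.items():
        for acct in sorted(accounts):
            rec = idm.get(acct)
            if rec is None:
                findings.append(("unknown_account", system, acct))
            elif rec.status == "terminated":
                findings.append(("orphaned_access", system, acct))
            elif system not in rec.entitlements:
                findings.append(("out_of_band_grant", system, acct))
    # Reverse direction: entitlements IdM recorded that are not actually present.
    for user, rec in sorted(idm.items()):
        if rec.status != "active":
            continue
        for system in sorted(rec.entitlements):
            if user not in observed.get(system, set()):
                findings.append(("missing_provision", system, user))
    return findings


def run_sample() -> List[Tuple[str, str, str]]:
    """Run the reconciliation over the constructed sample data."""
    observed = {
        "trading-db": human_accounts_from_passwd(TRADING_DB_PASSWD),
        "hr-app": HR_APP_USERS,
    }
    return reconcile(IDM, observed)


if __name__ == "__main__":
    for finding, system, account in run_sample():
        print(f"{finding:18} {system:12} {account}")
```

On the sample data the check surfaces bob's root-created account on trading-db as an out-of-band grant, carol's surviving account as orphaned access, dan and svc_report as accounts nobody in IdM knows about, and erin as an entitlement that was never actually provisioned. The point is that IdM's own records cannot answer "how many users do we have" on their own; only a comparison against what the systems report can.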
