Thursday, April 26, 2007

Thanks to Dave Kearns...

I was dubbed 'super salesman' by Dave Kearns in his recent blog, and I do appreciate the title. Especially given the reputation of the person bestowing it. Dave is smarter, better looking, and I hold him in the highest levels of respect.

I try my best to talk of reality from experience vs, just selling stuff and place a high value on asking the right questions, listening, and having the stones to tell people when they are about to replicate any past fiasco I may have lived through to tell about, and why they shouldn't go down that path. Most take it with a grain of salt and a cup of vinegar...

Thanks again Dave!

Thursday, April 19, 2007

Who knew it was this easy?

A Babe and a Hershey Bar and the World is Yours...

Two thirds of workers reveal passwords for chocolate and a pretty smile

17/04/2007A survey by Infosecurity Europe of 300 office workers and IT professionals has found that 64% were prepared to give their passwords in exchange for a bar of chocolate and a smile.

The survey also found that 67% thought that someone else in their organisation knew their CEO’s password with the most likely candidate being the secretary or PA. The survey was carried out to find out how easy it was to extract peoples work passwords using social engineering techniques with literally just the offer of a chocolate bar for taking part in a survey.

The survey was carried out amongst commuters in London Stations and also at an IT exhibition full of computer professionals just to see how much more security savvy they were compared with the average worker. The survey found that it took a little more probing and a bit more coercion than the average office worker, but even the IT professional eventually succumbed to the questions of the attractive researcher who still managed to extract their passwords in exchange for a smile and a chocolate bar!

The researchers asked the delegates if they knew what the most common password is and then asked them what their password was. Only 22% of IT professionals revealed their password at this point compared to 40% of commuters, if at first they refused to give their password the researchers would then ask if it was based on a child, pet, football team, etc, and then suggest potential passwords by guessing the name of their child or team. By using this technique, a further 42% of IT professionals and 22% of commuters then inadvertently revealed their password. This then took the total number of people who revealed their password to 64% overall for both groups.

What many of IT professionals failed to realise is that the researchers, who conducted the survey at the IT exhibition, had also read their names and organisation from their delegate badge as well! The survey found that 20% of organisations no longer use passwords, with 5% using biometric technology and tokens for identity and access management and a further 15% using tokens. The average number of passwords used at work was 5 per person, with some using as many as 20.

The frequency of changing passwords was 71% monthly, 10% rarely and 20% never as they used biometrics and tokens instead. Some of the IT professionals said that the real issue was not user passwords but the passwords on servers or buried in applications which were never changed as the consequence of changing them on the overall company IT system was unknown and there was a fear that if they were changed a critical part of the system could crash. Some other IT experts said that they often come across servers on which the administrator password was left blank.

When asked if they knew any of their colleagues passwords 29% admitted that they did. A person should never need to give their password to someone claiming to be from the IT department but 39% said that they would give their password to someone who called them from the IT department. They would not be quite so trusting if asked by their boss as only 32% said they would be prepared to give their password if asked.

When asked about confidential information two thirds said that they would look at a file containing everyone’s salary details if they were sent it by mistake and 20% said they would pass it on to colleagues. A third said that they would keep it confidential, with many of them also saying that their IT systems tracked everything they looked at and if they passed this type of information on to anyone it would mean instant dismissal. When asked if they would take any contacts or competitive information with them when they left their jobs, 58% said that they would.

One senior sales manager said I left my job last week and took my whole pipeline with me.Just under half of people used the same password they used for their corporate access for all their personal web accounts such as online banking, retailing, and email. When asked if they felt safe using online banking half said that they did but only a fifth said they felt safe using online retailing but this figure rose to 52% if the retail site was a well know reputable one.S

am Jeffers, Event Manager for Infosecurity Europe 2007 the number one event dedicated to information security which takes place at Olympia, London from 24th to 26th April 2007 said, “This survey shows that even those in responsible IT positions in large organisations are not as aware as they should be about information security. What is most surprising is that even when the IT professionals became slightly wary about revealing their passwords, they were put at their ease by a smile and a bit of smooth talk.

It just goes to show that we still have a long way to go in educating people about security policies and procedures as the person trying to steal data from a company is just as likely to be an attractive young woman acting as a honey trap as a hacker using technology to find a way into a corporate network.

The free education programme at Infosecurity Europe covers all the key issues of keeping information secure and there is a keynote dedicated to Identity Management”.At Infosecurity Europe 2007 Lord Erroll will lead a panel debate on Identity Management examining how to pick the right tools for the job. The panellists will include Toby Stevens, Vice Chairman, BCS Security Forum, Andy Kellett, Senior Research Analyst, Butler Group and Maury Shenk, Partner, Steptoe and Johnson LLP and Head of European Legal Programme SANS.

The keynote, which is free to attend for Infosecurity Europe visitors, takes place at 3:15 pm on Tuesday 24th April 2007.Andy Kellett, Senior Research Analyst, Butler Group commented on the issue of Identity and Access Management (IandAM) “Today, if there is one justified criticism of the IandAM sector, it is that the complete service-delivery model is too complex for most organisations to handle from a standing start. End-to-end projects that have been put forward to deal with all IandAM control issues have often proved to be unrealistic, and indeed, for some, far too difficult to achieve.

Whereas organisations that have taken a more structured and prioritised approach to the IandAM service delivery model, have and do achieve better results in the long run.”Infosecurity Europe is the number one event dedicated to information security. With over 300 exhibitors, the event is the most comprehensive showcase for the most diverse range of new and innovative products and services from the World’s top information security experts and vendors. The event enables security professionals and business managers to establish a commercial justification for information security, refine their security policies and select the most appropriate solutions to support their security strategy in order to safeguard their company’s reputation and assets.

Over 11,000 visitors are expected to attend this year’s event with many travelling from overseas to participate in the FREE education programme that addresses both strategic and technical issues drawing on the skills and experience of senior end users, technical experts and real world case studies. Infosecurity Europe takes place at the Grand Hall, Olympia, London from 24th to 26th April 2007.

www.infosec.co.uk

Tuesday, April 17, 2007

Disaster (Recovery) on my mind...

Given the weather we've had in the Northeast the past few days, I think the issue of Disaster Recovery (DR) is on more minds than a few weeks ago. It also got me thinking as to why DR and Identity Management are linked.

Specifically, governing access to the DR site, data, and infratsructure to be able to recover whatever was lost or went down. Granted the time frames are short, but a few hours to an insider is all that is needed to create some back doors in all of the mayhem and leave things exposed with little or no audit trail. I equate it to remembering to grab the last several years of tax returns on your way out of your house that is engulfed in flames or a tidal surge. Stuff happens and in the midst of the stress of survival (personal or business) we focus on the most important things and we don't sweat the little stuff (and by the way it's all little stuff).

So having identity based access controls in place long before a disaster happens is key because:

1. The controls are in place long before they need to be
2. You don't need to think through the process (technical and business) while things are going wrong and the world is screaming at you for everything STAT from email to pictures of the CxO's vacation
3. You are certain that only those people AND machines who should have access will have access and there is an audit trail to capture all activity

Long story short, get a solid DR provider, implement an Identity Based Access Control solution as part of the environment, and if you're going to nickel and dime on the cost, take the budget and use it for job placement services for you and your team. We all know there is never money to fund a 'what if', but we all find money when the doo doo hits the fan.

It's a lot better to have access to an entire hospital after an unplanned loss of limb than to realize you only have band aids to stop the bleeding.

identitystuff@gmail.com

Monday, April 16, 2007

Is the Sun Setting on IdM

I got a call from an old friend in India today and we were talking about the state of IdM on a global scale and since he travels every week around the APAC region, I wanted to see what his candid feedback was. In short:

'Sun is on its way out in over 12 accounts that I know of, being replaced by IBM and Oracle. Their projects are really going horribly.'

I asked him why and he replied:

'Because everyone looks at IdM as a technology project, not a business project and people just want to hook up connectors and think they're done'.

This confirms my position of 2 years that I learned with working on several projects at GE a few years ago - if you focus on the process you want and use the technology to enable that process, you'll do very well. Treat IdM like rolling out a new piece of technology and you would be better off donating the millions to charity.

I am sorry to hear that Sun is sucking wind right now. I always thought it was a decent product. I do not think it was sold correctly most of the time, and it took me 7 projects to figure out the right way to implement it, but I got there.

identitystuff@ gmail.com

Wednesday, April 11, 2007

SMB is in the air…

I had dinner last night with the CEO of a company I sit in the advisory board for and we were discussing Identity for the SMB space. Then I wake up this morning, and happen upon Nishant’s blog (he’s a smart guy at Oracle) who was blogging about… Identity for the SMB space. Long story short, it is what I have been thinking about the past couple of weeks, and I thought I would share my experience in the SMB space and where I think software vendors could do well…

I view the SMB space as companies with <$1B in revenue, with a few hundred to several thousand employees. These companies want what the Fortune 10 want, without the price tag and without the associated overhead of Day 2 issues – Training, support, and management of infrastructure and applications. They also want most of the configuration and/or customization to be baked into the offering.

Nishant solicited some feedback, so I’ll put it up here and send it to him in an email:

Where I think companies will be successful in rolling out identity management solutions will be related to how many best practices are baked into the offering. I also strongly believe that mid-market companies will want to eat the identity elephant in bites, that is to say to roll things out in phases for a fixed cost. They will also likely want to host some or all of their identity/access management solutions with a hosting company such as NaviSite, who can offer the infrastructure (ping, power, pipe) as well as the expertise to manage a deployment and in many cases provide the implementation services as well. They will also want to outsource the care and feeding (patches, OS, DB, capacity management, backups, etc) of their environment since they want to spend as little time as possible managing infrastructure.

Where I see Oracle, Sun, IBM and others having the best reach in this market are to offer Identity solutions that are useful (processes and configuration thought out and included), managed by others (outsourced), and at a price point that is calculated per user, and spread out monthly so the infrastructure is not an asset to be depreciated, but a service that is an expense. This give the SMB companies solid functionality, intrinsic value beyond the feature set, and a way to enable trust inside and outside their companies.

identitystuff@gmail

Labels: ,

Monday, April 02, 2007

Are you making a Cookie or a Meatloaf?

As I was driving to meet a prospective client today, a thought popped into my head about the unanticipated issues that may arise and why. And then it hit me – IdM is a chance to correct a lot of business processes that were developed by humans, and by association there are people to blame (theoretically) on why things have become so complex, and it is our job as professionals to help clean up the broken glass at the very least, or perform a process detox for our organizations. Where did the trouble start? What contributes to the confusion? In the words of the Talking Heads – How did I get here?

So I have blogged about roles, I have blogged about products, and I have blogged about process, I have put my old high level playbook out there, and I have blogged about other identity related drivel and I never stopped to think about how people may have come to the point that they stumble across my blog and start asking questions about identity management. So I thought I would share a few insights:

Where you are doesn’t matter.
Where you want to get to does
How you got to where you are doesn’t matter
How you get to where you need to be does
Knowing that difference is the only difference that will matter

How can I say this? Having helped provision over 1M users and spending WAY too much time on the where my clients were at piece, I can say this with a lot of scars to show for it.

Where was I successful? When I focused only on where my clients needed to get to and focused them and my project teams on the best way to get there.

Let me put it another way – it’s the equivalent of me sitting down with a baker who has called me in to taste a cookie that tastes like crap and they can’t understand why. It’s a complex recipe, lots of ingredients that have been added over the years to make this fantastic cookie and it has crossed the chasm and has gone from cookie to meatloaf. For the record I hate meatloaf (food not the singer), love cookies.

If I was after billable hours, I would review the entire recipe, examine the ingredients, check the measuring cups and spoons, etc. etc. I’m not after extraneous billable hours (or at least I shouldn’t be as a trusted advisor), so in today’s world I would ask, what kind of cookie do you want to make? And then we’d make it with a simpler recipe and one that wasn’t so complex that what started out a cookie has now become meatloaf.

What are the flour, sugar and eggs of IdM?

A single Authoritative source
A well defined to-be process
A team of people that may not have baked before but clearly understand what a kitchen is and know that hamburger doesn’t make a good cookie. Ever.