Wednesday, May 30, 2007

But I'm Entitled to my Entitlements

I was reading an article in InfoWorld about Securent and their ability to manage entitlements, and my first reaction was: isn't that what identity management is designed to do, govern and audit access to applications?

It also got me thinking about the power of Trusted Network Technologies' solution, about some research being done by HP in the UK around network-layer identity and access control, and about the value of machine identity in the AMIMA space (Access Management, Identity Management, Applications; it's my acronym).

I will say up front that I have never worked with Securent's product, so I am not going to go down that road; I'll stay at 10,000 feet for now. The way the article reads, Securent has laid claim to adding to SSO functionality and bridging into access management and entitling (enabling) access to applications. It makes me wonder: is Securent saying that other IdM solutions are great for managing the onboarding workflow but little else, and that SSO is where the rubber meets the road?

Back in the old days, IdM was designed to manage exactly this process and access problem, and as its popularity swelled I saw more and more projects get wrapped around the axle with entitlements. In my experience, entitlements are phase two of an IdM initiative; the first step is getting the process right. If you nail your process, the technology matters much less.

When I joined TNT a few years ago (I have since moved on) I saw something completely unique, and their patents guarantee that they will be unique for the foreseeable future. In essence it adds identity to the network layer, which sidesteps all of the application-layer issues that people seem to run into. It is access control and identity management of people, and it adds another variable (factor) of access control by binding a machine ID derived from a hash of hardware serial numbers (not MAC addresses), so that you are your machine.

Managing a system like this means you have tamed the identity beast in many respects: users and machines become the variables that govern access down to the port level, and that control applies to any connection to any application or server up the stack. You log in once from your machine, and your access to, and visibility of, applications and infrastructure is handled in the network, which is where most attacks start and where risk is most often overlooked.
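To make the two paragraphs above concrete, here is an added example (my own illustration, not TNT's or HP's code) of the user-plus-machine binding they describe: a machine ID is derived from a hash of hardware serial numbers, the directory records which machines each user is bound to and which host:port entitlements each user holds, and a connection is allowed only when user, machine and entitlement all line up. The inventory values, user names, hosts and ports are constructed sample data, and the policy store is a stand-in for the authoritative directory the post says this model depends on.

```python
"""Constructed illustration of network-layer identity: a user is granted a
connection only from a machine bound to them, where the machine ID is a hash
of hardware serial numbers rather than a MAC address. Not vendor code."""
import hashlib
from dataclasses import dataclass, field


def machine_id(serials: dict) -> str:
    """Derive a stable machine ID from a dict of hardware serial numbers.

    The serials are canonicalised (sorted key=value lines) before hashing so
    the same hardware yields the same ID no matter which order the inventory
    tool reported them in. MAC addresses are deliberately excluded because
    they can be changed in software with a single command.
    """
    canonical = "\n".join(f"{k}={str(serials[k]).strip()}" for k in sorted(serials))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class Directory:
    """Stand-in for the 'clean enough' authoritative directory: which users
    exist, which machine IDs each user is bound to, and which (host, port)
    entitlements each user holds."""
    machines: dict = field(default_factory=dict)      # user -> set of machine IDs
    entitlements: dict = field(default_factory=dict)  # user -> set of (host, port)

    def enroll_machine(self, user: str, mid: str) -> None:
        self.machines.setdefault(user, set()).add(mid)
        self.entitlements.setdefault(user, set())

    def grant(self, user: str, host: str, port: int) -> None:
        self.entitlements.setdefault(user, set()).add((host, port))


def authorize(directory: Directory, user: str, mid: str, host: str, port: int):
    """Decide whether `user` on machine `mid` may open `host`:`port`.

    Returns (allowed, reason). Every check must pass: the user must be known,
    the machine must be bound to that user, and the user must hold an
    entitlement for exactly that host and port.
    """
    if user not in directory.entitlements:
        return False, "unknown user"
    if mid not in directory.machines.get(user, set()):
        return False, "machine not bound to user"
    if (host, port) not in directory.entitlements[user]:
        return False, "no entitlement for host:port"
    return True, "allow"


# Constructed sample inventory (hypothetical serial numbers).
ALICE_LAPTOP = machine_id({
    "board_serial": "MB-0001",
    "disk_serial": "WD-7788",
    "cpu_serial": "CPU-42",
})
UNENROLLED_PC = machine_id({
    "board_serial": "MB-9999",
    "disk_serial": "ST-1234",
    "cpu_serial": "CPU-7",
})


def build_demo_directory() -> Directory:
    """Constructed policy: alice may reach the ERP front end and the database
    port, but only from her enrolled laptop."""
    d = Directory()
    d.enroll_machine("alice", ALICE_LAPTOP)
    d.grant("alice", "erp.corp.example", 443)
    d.grant("alice", "db01.corp.example", 5432)
    return d


def demo() -> list:
    """Run four connection attempts and return their decisions."""
    d = build_demo_directory()
    return [
        authorize(d, "alice", ALICE_LAPTOP, "erp.corp.example", 443),   # allowed
        authorize(d, "alice", UNENROLLED_PC, "erp.corp.example", 443),  # right user, wrong machine
        authorize(d, "alice", ALICE_LAPTOP, "db01.corp.example", 22),   # right machine, no SSH entitlement
        authorize(d, "mallory", ALICE_LAPTOP, "erp.corp.example", 443), # unknown user on a known machine
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

Two caveats a practitioner would raise. First, a plain hash of serial numbers is reproducible by anyone who can read those serials, so on its own it identifies a machine but does not prove you are talking to it; a deployable version anchors the ID to a key the machine holds and an attacker cannot copy. Second, this is only the decision logic; the post's point is that the enforcement sits in the network, on the connection itself, rather than inside each application, and that part is not shown here.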

The HP research is looking at the notion of machine identity, but to do it right and not get stuck in the wrong layer, it has to happen in the network, since every connection to a server or application starts at the network layer.

The dependency in this model? A clean, or clean enough, directory to use as the jumping-off point. Until the authoritative source(s) are clean and well managed, the AMIMA dog won't hunt.
