Wednesday, July 02, 2008

IDaaS is garnering more discussion...

My buddy Matt Flynn and Matt Pollicove were exploring the topic of IdM as a Service, which we had been discussing in this post a while back...

While at Burton Group's Catalyst this year I had the chance to speak to some folks about this topic and the mindshare was very clear - automate everything you possibly can and use IdM to do it.

IdM products have matured to the point where they can log and gather thousands of events that feed reports that drive compliance (or non-compliance). The gotchas as I see them are these:

IdM is positioned horizontally and cuts across audit, security, and business process (operations), so it can become a political hot potato quickly.

Organizations capture a ton of data today; where the wheat and chaff are separated is in making the data useful data, and this is a subjective art project that masquerades as science a lot of the time. I'd be curious to see if data mining would and/or could do the same as IdM in reverse - look at raw data of what happened to build a better workflow based on actual events vs. what we think happened.

Bottom line is the bottom line. Automation helps us get smarter, behave more efficiently and lower costs while improving the service to the business cash registers.

Right?


Tuesday, January 15, 2008

Novell's Endpoint Solution

Novell announced the availability of ZENworks(R) Endpoint Security Management with expanded encryption functionality and local language support. This policy-based security solution offers improved encryption for personal data management, removable storage and white-listed devices, as well as increased security for fixed disks.

This is a great differentiator IMHO in the identity space. Back in the day, it was all about directory consolidation, adapters/APIs, and authoritative sources. All of these were server-based, centralized (ok, mostly centralized) applications, using IdM to provision and deprovision people.

Ian Glazer and I worked for a company that was focused on tying endpoint identity and machine identity into a comprehensive endpoint-to-network and application-layer identity-based system. I still feel that the endpoints are always a bigger concern, especially with the well-documented tales of people picking up thumb drives in parking lots loaded with password sniffers and other programs to thwart security, which can unnerve risk management and certainly not help justify continued funding of IdM projects.

If I look at this conceptually, I could see a VERY solid solution of Novell's ZENworks Endpoint Security Management offering with NetVision's offerings designed to police the IdM environment so that you truly have an end-to-end solution covering endpoints (machines/peripherals), people, and a monitoring solution to keep everyone honest and embed transparency into Identity Management.

Let's see how things play out...


Monday, October 15, 2007

Identity Management as a Service

Having been in both the IdM space and the services world for some time, a convergence of discussion topics happened this past week via email when I was thinking about IdM as a service and asking myself, why doesn't somebody do this for a living?

Someone sent me an email asking if I knew of anyone doing this and it got me into a what-if thought parade… What if IdM could be offered as a service? Would it be an elephant or a dumptruck?

My thoughts:

The service’s value would really be in BPR (Business Process Reengineering) since we are talking about streamlining the process by which access to assets is given.

The first part of the service would be a BPR Mapping session – map out what it is you want a process to look like. NOT what the process is and NOT what one group thinks it is (a really cool project with a lot of buzz). Lay out the best possible process. Period.

Then what?

Then you have to look at ways of validating identity. What parts are manual (Are you who you say you are at the other end of the phone)? What parts are automatic (LDAP?)?

Identify what people need access to by macro groups. Is this enough?

Identify what people need access to in micro groups. Is this enough?

Identify the small group of users (Roots) who get access to a lot of stuff, or the keys to the kingdom.

Install software solution(s) to manage and enforce what you’ve identified.

Then identify how to un-engineer the process. Does it work? How quickly?

Continually audit to determine how well it works or doesn’t work.

What’s your service offering? An elephant or a dumptruck?
