Wednesday, July 02, 2008

IDaaS is garnering more discussion...

My buddy Matt Flynn and Matt Pollicove were exploring the topic of IdM as a Service, which we had been discussing in this post a while back...

While at Burton Group's Catalyst this year I had the chance to speak to some folks about this topic and the mindshare was very clear - automate everything you possibly can and use IdM to do it.

IdM products have matured to the point where they can log and gather thousands of events that feed reports that drive compliance (or non-compliance). The gotchas as I see them are these:

IdM is positioned horizontally and cuts across audit, security, and business process (operations), so it can become a political hot potato quickly.

Organizations capture a ton of data today; separating the wheat from the chaff is what makes the data useful, and this is a subjective art project that masquerades as science a lot of the time. I'd be curious to see if data mining would and/or could do the same as IdM in reverse - look at raw data of what happened to build a better workflow based on actual events vs. what we think happened.

Bottom line is the bottom line. Automation helps us get smarter, behave more efficiently and lower costs while improving the service to the business cash registers.

Right?


Tuesday, January 15, 2008

Novell's Endpoint Solution

Novell announced the availability of ZENworks(R) Endpoint Security Management with expanded encryption functionality and local language support. This policy-based security solution offers improved encryption for personal data management, removable storage and white-listed devices, as well as increased security for fixed disks.

This is a great differentiator IMHO in the identity space. Back in the day, it was all about directory consolidation, adapters/APIs, and authoritative sources. It was all server-based, centralized (ok, mostly centralized) applications, and using IdM to provision and deprovision people.

Ian Glazer and I worked for a company that was focused on tying endpoint identity and machine identity into a comprehensive endpoint-to-network and application-layer identity-based system. I still feel that the endpoints are always a bigger concern, especially with the well-documented tales of people picking up thumb drives in parking lots loaded with password sniffers and other programs to thwart security. Those tales can unnerve risk management and certainly do not help justify continued funding of IdM projects.

If I look at this conceptually, I could see a VERY solid solution of Novell's ZENworks Endpoint Security Management offering with NetVision's offerings designed to police the IdM environment so that you truly have an end to end solution covering endpoints (machines/peripherals), people, and a monitoring solution to keep everyone honest and embed transparency into Identity Management.

Let's see how things play out...


Monday, October 22, 2007

The Identity of a Nation...

Those of you who know me know how much of a Boston Red Sox fan I am. I watch over 100 games in the regular season, and have seen all the games in the post season thus far. Last night's win to send the Red Sox to the World Series was awesome. It was 11:54 PM with Papelbon on the mound and shutting down the Tribe, with some help from Coco Crisp slamming into the same wall Johnny Damon did to make the game-ending catch.

So to those of us who are part of the Red Sox Nation, we don't need identity cards, biometrics, or poorly designed provisioning processes to help us define who we are. We know. And we know we actually have a shot at taking the World Series this year.

I am proud to say that if the Red Sox pull it out, there will be 4 generations of Red Sox fans who have seen them win twice (my Grandmother, who passed away after the 04 win and meeting her great grand-daughter, my dad and uncle, me, and my son) in their lifetime. The profoundness of that statement has me reaching for a box of Kleenex.

GO SOX!!!!!!!


Monday, October 15, 2007

Identity Management as a Service

Having been in both the IdM space and the services world for some time, a convergence of discussion topics happened this past week via email when I was thinking about IdM as a service and asking myself, why doesn't somebody do this for a living?

Someone sent me an email asking if I knew of anyone doing this and it got me into a what-if thought parade… What if IdM could be offered as a service? Would it be an elephant or a dumptruck?

My thoughts:

The service’s value would really be in BPR (Business Process Reengineering) since we are talking about streamlining the process by which access to assets is given.

The first part of the service would be a BPR Mapping session – map out what it is you want a process to look like. NOT what the process is and NOT what one group thinks it is (a really cool project with a lot of buzz). Lay out the best possible process. Period.

Then what?

Then you have to look at ways of validating identity. What parts are manual (Are you who you say you are at the other end of the phone)? What parts are automatic (LDAP?)?

Identify what people need access to by macro groups. Is this enough?

Identify what people need access to in micro groups. Is this enough?

Identify the small group of users (Roots) who get access to a lot of stuff, or the keys to the kingdom.

Install software solution(s) to manage and enforce what you’ve identified.

Then identify how to un-engineer the process. Does it work? How quickly?

Continually audit to determine how well it works or doesn’t work.

What’s your service offering? An elephant or a dumptruck?


Friday, July 27, 2007

Who Entitled Me Anyway?

So I got to thinking this morning as I was out catching a few waves before work, that with all the buzz and thought going into entitlements I had to wonder - how did things get so f)*&^(^% up in the first place?

I got to thinking back over the years and how it all starts with onboarding. Remember onboarding? That was the pain in the ass du jour a few years ago with identity management since it was crucial for provisioning - a big topic 2 years ago at Catalyst in San Diego. So I determined that it all goes back to HR. And perhaps Dogbert is the wizard of it all, but I digress...

If we think about roles and entitlements, I would think that there would have been more backlash in HR groups since they are the ones who ultimately control creation of an identity within a company. At least I hope we don't fill out all of that paperwork for a self service app...

So I got to wondering, what could Oracle and SAP bring to the table around getting off on the right foot by pre-building roles into their applications that automatically take care of provisioning and, to a certain extent, entitlements?

I have to believe it would simplify some things, especially new deployments, and it's not like they haven't been doing this for 20 years and have no idea what to do or where to start. Granted, every company has its own set of roles which drive the entitlements, so if we address it at the source, wouldn't that help?

Identitystuff@gmail.com


Wednesday, April 11, 2007

SMB is in the air…

I had dinner last night with the CEO of a company I sit on the advisory board for and we were discussing Identity for the SMB space. Then I woke up this morning and happened upon Nishant’s blog (he’s a smart guy at Oracle), where he was blogging about… Identity for the SMB space. Long story short, it is what I have been thinking about the past couple of weeks, and I thought I would share my experience in the SMB space and where I think software vendors could do well…

I view the SMB space as companies with <$1B in revenue, with a few hundred to several thousand employees. These companies want what the Fortune 10 want, without the price tag and without the associated overhead of Day 2 issues – Training, support, and management of infrastructure and applications. They also want most of the configuration and/or customization to be baked into the offering.

Nishant solicited some feedback, so I’ll put it up here and send it to him in an email:

Where I think companies will be successful in rolling out identity management solutions will be related to how many best practices are baked into the offering. I also strongly believe that mid-market companies will want to eat the identity elephant in bites, that is to say to roll things out in phases for a fixed cost. They will also likely want to host some or all of their identity/access management solutions with a hosting company such as NaviSite, who can offer the infrastructure (ping, power, pipe) as well as the expertise to manage a deployment and in many cases provide the implementation services as well. They will also want to outsource the care and feeding (patches, OS, DB, capacity management, backups, etc) of their environment since they want to spend as little time as possible managing infrastructure.

Where I see Oracle, Sun, IBM and others having the best reach in this market is in offering Identity solutions that are useful (processes and configuration thought out and included), managed by others (outsourced), and at a price point that is calculated per user and spread out monthly, so the infrastructure is not an asset to be depreciated, but a service that is an expense. This gives the SMB companies solid functionality, intrinsic value beyond the feature set, and a way to enable trust inside and outside their companies.

identitystuff@gmail
