The Black Book of Identity Access Mgmt
    Thursday, May 27, 2010

    Novell Identity Manager: Good, bad, and I-dunno

    Over the next week or so, I’m going to look at different players in the identity and access market. It’s a great sign of maturity in the IAM market that there are so many very large players in it. In this case, maturity means there’s money in it. Sure, the identity practice at Oracle is a rounding error, but it’s still 100-million-plus dollars, and the two largest provisioning deployments in the world run on Oracle Identity Manager, and Sun made quite a killing in that department as well (as have CA, IBM, and a few others).

    Architecturally, IdM products have a lot of similarities. The difference is in the detail and, to some degree, yeah, in the architecture. Workflow is a good place to start looking. Connectivity to back end systems is another. And between the little guys and the big guys, scalability is a huge one. Smaller vendors mean cheaper development means “it runs on Windows only.” Would you trust your multinational enterprise to, I dunno, M-Tech?

    Let me dig just a little on a big guy.

    Novell is releasing their Identity Manager 4, claiming greater scalability and integration with Sharepoint and SAP. They also say they’re hooking up with various cloud applications. It might not be a bad strategy, embracing Sharepoint, just as Microsoft is repackaging MIIS with Sharepoint and a bunch of other pieces and calling it Forefront (more on that one later in the week).

    I really wondered what was to become of Novell, after hedge fund Elliott Associates went after them. I remember a partner in the portal market getting sucked up by a hedge fund some years ago, and it was not pretty, since the assumption was at the time (as it was with Novell this past spring) that a fund company would simply plump up a tech acquisition for later resale, and perhaps sell it off in pieces. This talk led Elliott to specifically state that they would NOT carve up Novell.

    Instead of shrinking, Novell forged ahead, and it’s helped their press. Their IdM deployments have been fertile ground for conversions. And there’s been good and bad in the Novell offerings over the years. Way back when, their directory didn’t have a lot of muscle, but they horned in on Netscape’s lead by offering their stuff CHEAP. “Yeah, it doesn’t do a lot in comparison, but it’s a fraction of the price.” It seemed their provisioning approach was far too meta-directory based, which means limited workflow and decision-making capabilities.

    Even before that, I remember how much I hated UnixWare and its arcane administrative interface. At a trade show years ago, I had a big hit with a tee shirt that read across the back “It runs with UnixWare,” when I added the words “like crap” after the word “runs.”

    Even earlier than that, I certified on Netware, and Novell had the greatest game in the world that came with it, “Snipes.” It was DOS-based, and had a little guy in the middle of a maze, running around trying to shoot the snipes while avoiding hitting the wall. You could play as part of a team, or by yourself. For years, I kept a Windows 3.1 box around for no reason other than to play that game.

    I’ve never lost to Novell on functionality, although I have on price. I’ve replaced iChain a number of times. They’re advertising drag and drop role management. Since I don’t know of any dev in that arena, and certainly no acquisitions, I was speculating this is really an OEM, perhaps of Securent, that fine-grained entitlements thing that Cisco overpaid for a couple of years ago, because of their drag and drop abilities. But since Cisco subsequently bought Securent’s competitor Rohati, I assume they’re dropping Securent altogether, meaning Novell is plugging in Aveksa, which is bouncing through its own management changes right now.

    The year 2009 saw Novell’s open source offerings doing well, while their IAM practice did just the opposite. And while they fended off the hedge fund offer a few months ago, I’m hearing that the issue is kicking up again. Remember, when you’re buying an IAM solution, you’re not just getting software and/or hardware, you’re getting the whole company. Make sure they’ll be around in one piece to support you.

    Friday, May 21, 2010

    Can’t we just enjoy the moment? Change management in IAM

    One of the first things that comes to mind when you mention the term “identity management” is a list of names kept in a directory. Another one is provisioning. When a new employee onboards, you have to give him some stuff, so he can do his job and earn his check. The natural progression of thought moves to de-provisioning, or taking away that same stuff when that employee leaves. So we have Day One, and Day N. But what’s often left unthunk of is Days 2 through N-1.

    Sure, a lot of RFPs include use cases for transfers, but even these leave out half the details. It’s more complex than “lose your old stuff, gain your new stuff.”

    • Do you lose your old stuff right away? Or do you keep it, or even just some of it, as you transition?
    • Will your old boss need you to take calls and troubleshoot for another month while he trains your replacement?
    • Do you have to be certified for your new duties? Do they have to verify that you turned in your key to the bathroom?
    • Are there any possible Segregation of Duties violations to be dealt with, based on your new entitlements?
    • What are the audit and reporting requirements to be accounted for, with the change?

    The number of changes in an organization will always outnumber the volume of ins and outs. More people will change positions, locations, duties, and access than will be onboarded or terminated. If this level of change isn’t handled correctly, bad stuff happens. Like what?

    • You’ll never pass an audit, because you can’t show a nice audit trail
    • Your reporting will look like garbage for the same reason
    • You won’t be able to readily tell who has what
    • When you finally figure out who has what, you won’t be able to tell WHY
    • You will have that bane of auditors and security guys, over-provisioned users. “Why does Uncle Ted have a million entitlements?” “Well, Billy, it’s like this. Whenever he gained new ones, they never took away the old ones. Now go get me a beer.”
    • You break your user modeling procedures (if you use that for provisioning). Here’s what I mean by that. A lot of places use the tired enablement paradigm, “Make Bob like Tom.” We hired Bob, his duties will pretty much match Tom’s, so just give him whatever Tom has by way of access. But if Tom’s been around long enough, he has privileges you don’t even know about anymore. Thus Bob gets stuff he shouldn’t have.

    So how do you fix this? Easy. First off, bake change into your policies. Transfers should have their own workflow definitions. If you’ve got a dynamic enough framework in place (and sure, here I’ll plug Oracle Identity Manager), you can say, “We’re moving Bob from Accounts Payable to Collections,” and all the proper changes and notifications will take place automatically. To account for all the possibilities, this could even be more than one workflow, one to kick him out, and one to put him in. You may even future date the stuff he loses, so that he can handle transitional duties while he’s being replaced. Or if the audit requirements are strict enough, he just plain loses his old stuff immediately.
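    Here is what that transfer looks like when you actually write it down. This is an added example, not code from the post or from any Oracle product; the department roles, the entitlement names, the Segregation of Duties rule, and the 30-day grace period are all constructed for illustration. The transfer is planned as two halves (grants into the new department, future-dated revocations out of the old one), and the overlap window is checked for SoD conflicts because that is exactly where they appear. The strict-audit variant drops the old entitlements on day one.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy: the entitlements each department role carries.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp.ap.invoice_entry", "erp.ap.vendor_maint", "shared.finance_drive"},
    "collections": {"erp.ar.collections", "crm.customer_view", "shared.finance_drive"},
}

# Constructed Segregation of Duties rule: one person must not both maintain
# vendor records and work receivables collections.
SOD_CONFLICTS = [("erp.ap.vendor_maint", "erp.ar.collections")]

# Constructed "today" for the worked example.
TODAY = date(2010, 5, 21)


@dataclass
class ChangeAction:
    user: str
    action: str          # "grant" or "revoke"
    entitlement: str
    effective: date      # when the change takes effect
    reason: str


def plan_transfer(user, old_role, new_role, today=TODAY, grace_days=30, strict_audit=False):
    """Produce the 'kick him out' and 'put him in' halves of a transfer.

    Grants take effect today. Revocations are future-dated by grace_days so the
    user can cover transitional duties, unless strict_audit forces immediate loss.
    Returns (actions, sod_violations found during the overlap window)."""
    old = ROLE_ENTITLEMENTS[old_role]
    new = ROLE_ENTITLEMENTS[new_role]
    lose = old - new                       # only what the new role does not also carry
    gain = new - old
    revoke_on = today if strict_audit else today + timedelta(days=grace_days)

    actions = [ChangeAction(user, "grant", e, today, f"transfer to {new_role}")
               for e in sorted(gain)]
    actions += [ChangeAction(user, "revoke", e, revoke_on, f"transfer from {old_role}")
                for e in sorted(lose)]

    # While the revocation is future-dated the user holds old AND new access,
    # so SoD has to be evaluated over the union, not just the new role.
    held = (old | new) if revoke_on > today else new
    violations = [(a, b) for a, b in SOD_CONFLICTS if a in held and b in held]
    return actions, violations


def entitlements_on(starting_set, actions, day):
    """Replay the planned actions that are effective on or before `day`."""
    held = set(starting_set)
    for a in sorted(actions, key=lambda a: a.effective):   # stable: grants before revokes on equal dates
        if a.effective > day:
            continue
        if a.action == "grant":
            held.add(a.entitlement)
        else:
            held.discard(a.entitlement)
    return held


if __name__ == "__main__":
    actions, sod = plan_transfer("bob", "accounts_payable", "collections")
    for a in actions:
        print(f"{a.effective}  {a.action:6} {a.entitlement:24} ({a.reason})")
    print("SoD conflicts during overlap:", sod)
```

    The point of the replay function is that the transfer is not one event but a set of dated changes; an auditor asking “what did Bob hold on June 1?” gets a concrete answer rather than a shrug.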

    What I just outlined, in simplified form, is the CORRECT way to handle this. However, you have safety nets you should employ. For example:

    Reconciliation. This is an automated, scheduled process that periodically snakes around your user entitlements and compares them to policy. When it finds (not IF it finds) users with improper access, it can take that access away, notify the user and his manager, or both. If it’s an ugly one, like involving sensitive data, you might very well do both. In many cases, notification is the right thing to do, because simply taking something away may interrupt vital duties. In most cases, users with out of band access got that access for a very good reason, albeit an undocumented one.
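    A reconciliation pass, reduced to its essentials, is a diff between what the target systems report and what policy says each user should hold. This is an added example, not the post’s or any product’s code; the roles, the entitlement names, the snapshot of “actual” access, and the sensitive-entitlement list are constructed. It also reproduces the “Make Bob like Tom” mistake described earlier in the post: Bob is cloned from Tom, inherits Tom’s undocumented leftovers, and the reconciliation catches both of them, revoking only where the entitlement is marked sensitive and otherwise just notifying.

```python
from collections import Counter

# Constructed policy: role -> entitlements, and which roles each user is assigned.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp.ap.invoice_entry", "erp.ap.vendor_maint", "shared.finance_drive"},
    "collections": {"erp.ar.collections", "crm.customer_view", "shared.finance_drive"},
}
USER_ROLES = {
    "tom": {"accounts_payable"},
    "bob": {"accounts_payable"},
    "alice": {"collections"},
}

# Constructed: entitlements ugly enough that out-of-band access gets pulled, not just reported.
SENSITIVE = {"hr.payroll_view", "erp.ap.vendor_maint"}

# Constructed snapshot of what the target systems actually report ("who has what").
# Tom has been around long enough to carry two things nobody documented.
ACTUAL = {
    "tom": {"erp.ap.invoice_entry", "erp.ap.vendor_maint", "shared.finance_drive",
            "hr.payroll_view", "legacy.mainframe"},
    "alice": {"erp.ar.collections", "crm.customer_view"},   # missing the shared drive
}


def clone_access(actual, template_user, new_user):
    """The tired 'Make Bob like Tom' paradigm: copy whatever the template holds."""
    actual[new_user] = set(actual[template_user])


def expected_for(user):
    """Entitlements policy says the user should hold, derived from assigned roles."""
    expected = set()
    for role in USER_ROLES.get(user, ()):
        expected |= ROLE_ENTITLEMENTS[role]
    return expected


def reconcile(actual):
    """Compare actual access to policy and decide an action per delta."""
    findings = []
    for user, held in sorted(actual.items()):
        expected = expected_for(user)
        for e in sorted(held - expected):          # out-of-band: held but not justified
            action = "revoke_and_notify" if e in SENSITIVE else "notify"
            findings.append({"user": user, "entitlement": e, "kind": "out_of_band", "action": action})
        for e in sorted(expected - held):          # policy grants it, but the target lacks it
            findings.append({"user": user, "entitlement": e, "kind": "missing", "action": "grant"})
    return findings


def summarize(findings):
    """Counts per action, the kind of number that ends up in the reconciliation report."""
    return dict(Counter(f["action"] for f in findings))


def demo():
    actual = {u: set(e) for u, e in ACTUAL.items()}
    clone_access(actual, "tom", "bob")               # Bob now carries Tom's stale extras
    findings = reconcile(actual)
    return findings, summarize(findings)


if __name__ == "__main__":
    findings, summary = demo()
    for f in findings:
        print(f"{f['user']:6} {f['kind']:12} {f['entitlement']:22} -> {f['action']}")
    print(summary)
```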

    Attestation. This has become a de rigueur compliance process. A resource is put on a schedule, and when its time comes, lists of all its users are routed to the appropriate managers for review. It might be the owner of that app (not likely) or the actual managers for those users (very likely). If you’re one of those managers, you get notified that you need to certify your users for a particular resource. When you enter the interface for this process, it gives you the option for each user to:

    • Certify the user keeps access to the resource
    • Deny the user that access, and when you hit the button, they lose it
    • Delegate that user to another manager who should actually perform the job, because that user doesn’t really belong to you and ended up on your list by mistake
    • Punt that user back to the process owner, because you have no idea who they are

    Resources get scheduled based on their criticality. SOX-based resources should be done quarterly. Email? Maybe annually, if at all.
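    The four reviewer options above, plus the criticality-based schedule, are small enough to model directly. This is an added example, not code from the post or from any certification product; the resource, the managers, the application owner, and the review intervals are constructed. Certify leaves access alone, deny produces a revocation, delegate re-routes the item to the named manager, and punt sends it back to the resource owner. The campaign is not finished until every routed item has a decision, which is why the example tracks what is still pending.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed review intervals by resource criticality (days).
REVIEW_INTERVAL_DAYS = {"sox": 90, "standard": 365}


def next_review(last_run, criticality):
    """When a resource is due for its next certification campaign."""
    return last_run + timedelta(days=REVIEW_INTERVAL_DAYS[criticality])


@dataclass
class ReviewItem:
    user: str
    resource: str
    reviewer: str
    status: str = "pending"   # pending | certified | denied | delegated | punted


def run_campaign(items, decisions, resource_owner):
    """Apply reviewer decisions to a campaign.

    decisions maps (user, reviewer) -> (verb, argument); verbs are
    certify, deny, delegate <manager>, punt. Delegated and punted items are
    re-queued for the new reviewer and processed in the same pass.
    Returns (revocations, queue) where queue holds every item ever routed."""
    revocations = []
    queue = list(items)
    i = 0
    while i < len(queue):            # index loop because delegation appends to the queue
        item = queue[i]
        i += 1
        decision = decisions.get((item.user, item.reviewer))
        if item.status != "pending" or decision is None:
            continue
        verb, arg = decision
        if verb == "certify":
            item.status = "certified"
        elif verb == "deny":
            item.status = "denied"
            revocations.append((item.user, item.resource))
        elif verb == "delegate":
            item.status = "delegated"
            queue.append(ReviewItem(item.user, item.resource, reviewer=arg))
        elif verb == "punt":
            item.status = "punted"
            queue.append(ReviewItem(item.user, item.resource, reviewer=resource_owner))
        else:
            raise ValueError(f"unknown decision {verb!r} for {item.user}")
    return revocations, queue


def pending(queue):
    return [it for it in queue if it.status == "pending"]


def demo():
    # Constructed campaign: one SOX resource, four users routed to their manager.
    items = [ReviewItem(u, "erp.ap", "mgr_jane") for u in ("tom", "bob", "carol", "dave")]
    decisions = {
        ("tom", "mgr_jane"): ("certify", None),
        ("bob", "mgr_jane"): ("deny", None),
        ("carol", "mgr_jane"): ("delegate", "mgr_raj"),   # not really Jane's report
        ("dave", "mgr_jane"): ("punt", None),             # Jane has no idea who Dave is
        ("carol", "mgr_raj"): ("certify", None),          # Raj answers the delegated item
        # nobody has answered for Dave yet, so the campaign stays open
    }
    return run_campaign(items, decisions, resource_owner="ap_app_owner")


if __name__ == "__main__":
    revocations, queue = run_campaign(*demo()[:0], **{}) if False else demo()
    for it in queue:
        print(f"{it.user:6} reviewed by {it.reviewer:13} -> {it.status}")
    print("revoke:", revocations)
    print("still pending:", [(it.user, it.reviewer) for it in pending(queue)])
    print("next SOX campaign after 2010-01-01:", next_review(date(2010, 1, 1), "sox"))
```

    Scheduling drives off criticality, as in the text: a SOX resource comes back around every quarter, a routine one yearly. The queue keeps the original item (marked delegated or punted) alongside the re-routed copy, so the audit trail shows who handed the decision to whom rather than only the final answer.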

    Oracle supports additional certification processes, including certifying entitlements contained within a role, through Oracle Identity Analytics (formerly Sun Role Manager).

    But of course you start with the policies. If you’re catching a lot of unchanged changes, as it were, with reconciliation and attestation, then your policies are stinkers. You NEED to bake the change processes into your policies, your workflows, your business processes. The auditors will create very ugly reports on you when they find enough users with aged entitlements and roles, or admins with hundreds of thousands of entitlements.

    And remember this little gem: termination is really just another change, except that you have those little extras, like loss of email, benefits, and access card. There are a few extra checkoffs, because of the finality. Some terminations are planned, and some are instant.

    It would be nice to set things up and just sit on them. But if your organization is so static that it doesn’t have to sweat change management, you’re in the wrong place anyway.

    Tuesday, May 18, 2010

    Your evil copy machine wants to eat your head

    When it comes to protecting unstructured data, usually I'm telling people about sophisticated solutions such as the Oracle Information Rights Management tool (as opposed to the structured stuff, for which I'm explaining how to use Data Masking or Data Encryption). In other words, I'm covering the enterprise, even against Really Stupid Stuff like misplaced thumb drives or even entire laptops. While visiting a customer in Indiana this past winter, everything came to a crashing halt when they received a call about an employee who lost her data-infested Dell in an airport.

    But what about the Fred Flintstone problems, the Even Dumber Than That kinds of breaches? There's been a whole lot of coverage lately about copy machines and the risk they pose to privacy because most modern copiers contain a hard drive that actually replicates all documents scanned on them. Private, sensitive information is retained by these evil devices. Many of these machines are subsequently resold, and even shipped overseas. These hard drives can be recovered, and the documents easily recreated. It's actually pretty frightening.

    What's even more frightening is that so many people have been completely unaware of this for the last umpteen years. Police departments, insurance companies, doctors' offices, money laundering rings, they all have these things. Didn't they know what they were getting when they bought them? Didn't they READ THE MANUAL?

    In the interest of data protection the whole world over, I will now provide the CORRECT OPINION on how to deal with this security hole.

    1) Blow it up. Instead of reselling that old copier for chump change (typically the low hundreds), take it in your back yard and strap a bunch of fireworks to it. Invite the neighbors.

    2) Make a bar out of it. Put it in your basement and serve drinks on it. If your friends are anything like mine, they'll be spilling crap all over it and ruining that hard drive in a hurry, anyway.

    3) Have my wife's cousin threaten to marry it. We always say she's a vampire, because she's sucked the life out of multiple husbands. When we go to visit, the current husband just stands on the lawn, drained of color, and when he sees that his wife's not looking, he whispers to his guests, "Kill me." If she threatens to marry your copier, it will grow legs and fling itself into the nearest canal, taking its precious data trove with it.

    4) Use the built-in option and erase the data. No kidding, I'm not sure why this is news. Whenever one of the bad guys captured Batman, he'd hook him up to a giant exploding layer cake, or hang him over a pit of snakes, or devise some other ridiculously exotic death trap from which he'd ultimately escape, instead of just frigging SHOOTING him. Remember Occam's Razor. The easiest explanation is the most likely. In this case, the easiest solution is the most useful. Stop whining about a problem everybody should have been aware of yeeeeears ago.

    Tuesday, April 27, 2010

    Hey boss, can I have a couple of bucks? How to justify an investment in IAM to management

    When I am helping salespeople (oily tho’ they may be) pitch identity, security, and access management to customers, I am typically in front of people who are one step below C-level. Eventually I will end up speaking with a CSO or CISO, at the invitation of my contacts, but for at least the first couple of passes, I’m just shy of the top. And that’s fine. Typically an understanding of relevant technology is inversely proportional to one’s pay grade. So I work with the guys who actually understand how things work, and how those things will help them DO their work. In other words, they comprehend how technology enables their business processes.

    But when they need the cash to make their dreams come true, and build an IAM system their kids can be proud of, they still have to go to upper management with hats in hand and beg for money. While you try to select components based on ability to satisfy your use cases, your boss might think a “use case” is something made out of leather and which holds your important papers. Therefore you use simpler terms that business people can get:

    • Efficiency
    • Savings
    • Security
    • Audit support
    • Compliance
    • Fraud prevention
    • Risk reduction
    • Free beer

    Even when my customer champions want to present to upper management by themselves, I will more often than not help them build that business case. It’s a good assumption that salespeople can help you sell to your own bosses. So my teams will often help assemble the package that will loosen the grip on budget and allow the dollars to trickle down. This package translates technical function into business value. It includes the hot buttons:

    • Requirements
    • Risks
    • Return on investment

    One little note here: there's hard ROI, as in actual dollars saved, and there's soft ROI, such as improved user experience, security, improved practices. If somebody tells you they can calculate an actual hard ROI for IAM, smack them in the head.

    As part of the ammunition here, you gather qualitative, quantitative, and anecdotal evidence from within your organization to help you make that case. “Here’s how much time the help desk spends resetting passwords. Here’s how long it takes us to enable a newly-hired user. Here’s how long it takes us to deprovision a terminated user. Here’s how long it takes us to certify user access to a given resource. Here’s how long it takes us to generate reports to support our audits.” And so on.

    In my upcoming book (http://www.amazon.com/Designing-Framework-Identity-Management-Osborne/dp/0071741372) I don’t just cover technology. I cover in gross detail how to assemble this information and ultimately build that business case. Whether you build or buy, or build AND buy, you need budget, as well as official time and resources to put together and deploy an IAM framework. Without the business justification, there IS no opportunity to implement the tech.

    I do identity and access for a living. But all those IT guys out there working for insurance companies, healthcare providers, manufacturers, telecoms, they’re doing it only because it supports their businesses. So they need the support of the business guys, meaning they have to talk the business talk, so they can get the business to pay the bills.

    Thursday, April 22, 2010

    I LOVE CATS, BUT I CAN’T EAT A WHOLE ONE BY MYSELF: Identity and Access in Stages

    Actually, I hate cats. A dog tells you what it’s thinking with its tail and its voice, while a cat tells you it doesn’t want to be petted by clawing you. You never really own a cat, just like if you run Windows, you don’t really own your box, you just make suggestions to it while it does whatever it feels like doing.

    But I digress. I wanna talk about one of the reasons some of my clients put off deploying an IAM system: they think it’s too huge an undertaking. And it is, if you’re dumb enough to try doing it all at once. Such an attempt is one of my Top Ten Ways to screw up an IAM project, listed here:

    http://www.identityaccessmanagementbook.com/download10.html

    Not only are there too many tasks to handle at once, there are too many parties to corral, as if you’re herding cats. You might want to get people on board for an overall strategy, because you will (hopefully) one day have that complete-solution IAM framework in place, with all your pieces integrated and all your sins forgiven. But you’re goofy in the head if you try to put it all in place at once. Slow and steady wins the race.

    There’s password reset, account creation, provisioning, web access management, fraud prevention, attestation and other compliance cares, and a host of other processes and goals to master. But each one of these is an onion to peel. Provisioning alone means

    • An authoritative source
    • Defined target resources and connectors
    • Role definitions
    • Policy definitions
    • Workflow
    • Auditing and reporting
    • Heavy drinking
    • Some other stuff

    Naturally, you attack your biggest pain points early on, but it’s also a great idea to get some early wins, just for political and feel-good reasons. Pick the stuff that can be set up the fastest, and has some quick, gratuitous value. “Look, kids, we have password reset and single sign-on. One password policy, one password, all systems, and the ability to fix yourself if you forget the thing or wait too long.” It’s something everybody can agree on. Early wins score you points across the board, from the end users who have a new toy to the management types who green-lighted your project in the first place.

    Maybe you never end up putting the whole thing in. Maybe your budget gets exhausted. Maybe your organization gets exhausted. Maybe you achieve your initial goals, and take a breath. Maybe you stumble on your way to your first success, and need to convince management to let you build that second stage.

    But at least you’ve gotten that first win, and the foundation for going forward. I’ve got clients who put in place self-service and manager requests, then after workflow and approvals, they route the final request to the help desk, so that somebody in the back room fat-fingers the user into the desired targets. That’s certainly not true provisioning, but at least it sets the stage for when they will take the help desk out of the loop and substitute as that last stage the connectors which actually do the provisioning and account creation.

    Everybody has their own path to true identity management, but figure it this way:

    • You need an authoritative source for identity
    • You need a database or directory to store the metadata for the provisioning and access
    • You need to define and store roles and rules
    • You need a policy engine to match up the roles and rules with the users, and a workflow engine to push the requests and approvals
    • You need to hook up the authoritative source with the engine to get people their stuff
    • You need connectors to actually create the accounts

    Eventually, you may drive access control off all of this as well. Or you could even start with access, and say, “I have resources, and I have an LDAP. The people in this ou can access this set of URLs.” And then slowly migrate off that help desk procedure for punching users manually into the directory, as you put true provisioning in place.

    I’ve had a couple of huge clients over the years, one in transportation and the other in the beverage industry, who had so many resources and such grandiose plans, that they were paralyzed. “How will we ever accomplish all this?” And I would tell them, YOU WON’T. Bite off the piece you can handle. The front of the cat looks tasty, worry about the tail later. Increments. Otherwise, it may not even be a matter of finishing, because you’ll be too intimidated to take that first nibble.