06 Feb 2012

Planet Identity

JISC Access Management Team: WAYRN: Where are You Right Now?

Anyone who has worked with federations will be familiar with the term WAYF - Where are You From? This is the question you are asked so a service provider can identify which institution you are affiliated with. As a term it's not so accurate - am I really 'from' King's College? - but [...]

06 Feb 2012 11:08am GMT

Internet Identity Workshop: ID Collaboration Day 2 – Feb 27th

We are glad to be putting on ID Collaboration Day 2 just prior to RSA in SF. It is February 27th. Joining forces are us - Kantara Initiative and OASIS IDTrust. Join us to talk about all things identity - user-centric, user-driven, enterprise, customer and government. The agenda/notes from last year can be seen here. [...]

06 Feb 2012 5:24am GMT

VeriSign Infrablog: The Virtualization of Security and the Rise of Security as a Service

In the same way that the cloud emerged from software virtualization, cloud security can only emerge from the process of virtualizing security itself. As virtualization separated software from hardware, allowing enterprise software to freely move first across servers and eventually...

06 Feb 2012 12:03am GMT

04 Feb 2012


Ben Laurie - Apache / The Bunker: Certificate Transparency Sites

I may not have said much more about Certificate Transparency, but we've been working on it. So, those interested in following along (or joining in) are welcome to look at… Website. Mailing list. Code repository. The code repository also includes the spec, in xml2rfc format.

04 Feb 2012 9:50pm GMT

Jackson Shaw - Quest: Multifactor Authentication for Dummies

Multifactor Authentication For Dummies®, Quest Software Edition

We just released this "for Dummies" book which gives a good overview of what multifactor authentication is, the challenges it helps to solve and how the Quest Defender product fits into solving customers' problems in this area.

You can download your copy of this book here. I hope you find it useful.


04 Feb 2012 7:57pm GMT

Phil Windley - Kynetx: An Operating System for Your Personal Cloud

A personal event network is like an OS for your personal cloud. You can install apps to customize it for your purpose, it can store and manage your personal data, and it provides generalized services through APIs that any app can take advantage of.

04 Feb 2012 12:12am GMT

03 Feb 2012


Ian Yip: F*** it, I'm lighting 100 candles - Entitlement Management 2012

Photo credit: Alessandro Silipo
One of the most widely read series of posts on my blog relates to entitlement management (part 1, part 2). In fact, do a search on Google for "entitlement management" and part 1 appears on the first page of search results (albeit below the fold). Don't read them yet. You'll get tired and won't come back to continue reading this :-)

I wrote those posts over 2 years ago to stir the pot. They served their purpose and garnered some great discussion with a few luminaries in this space (including esteemed analysts from Gartner and Forrester).

At the time, I argued that the term "entitlement management" was typically used to refer to fine-grained access management or real-time, attribute-based, authorisation enforcement (e.g. as per the products offered by IBM, Oracle, Axiomatics and BiTKOO (now part of Quest Software)). But on the flip side, I did acknowledge (in part 2) that there were other ways to define it:
  1. The processes and solutions around gathering, interpreting, and cleansing entitlements.
  2. User-managed (or user-centric) entitlement management.
Point number 2 is a topic best left for another day, especially as it involves discussions around online services (see UMA for more info).

The first point, however, is what we now commonly refer to as access governance (e.g. SailPoint, Aveksa). Some use "identity intelligence" (thanks to the analysts), but in my opinion, identity intelligence is a broader term that also includes data analytics and Security Information and Event Management (SIEM). However, "manage user entitlements" is another commonly used term in access governance discussions. In fact, it is used so often that I'm starting to find when anyone talks about entitlement management, more often than not, they mean managing user entitlements for access governance purposes.

Back in 2009 (when I wrote the posts referenced above), I was convinced that real-time, attribute-based, fine-grained authorisation enforcement would take off. IBM and Oracle certainly thought so too. I have yet to come across a security architect who doesn't think it's a good idea. I still think it's a great idea. But in the world of Information Security, just because something is a good idea does not make it compelling. Compelling; aye, there's the rub. If I had to distil security spending decisions down to one word, it would be: "compelling". In a recent presentation I gave, I said:

"Sexy technology doesn't sell security. Interesting technology doesn't sell security. But give someone a compelling reason, and they'll buy a security solution."

That statement sums up why entitlement management has evolved to be more about access governance than fine-grained access management.

Trying to sell someone on the fine-grained access management story is an almost impossible, thankless task. If any of you have ever had to sell a provisioning solution without out-of-the-box adapters (or agents, or drivers, depending on which vendor's solution you are familiar with), multiply that pain by a factor of 100 and you might start to get close to the challenges faced with selling a fine-grained access management solution. It's like saying: "please buy our power station, but you have to figure out how to build the light bulbs yourself after ripping out the ceiling to install wires and by the way, there are 1000 ways you can build light bulbs using 1000 different sockets into the wiring with each bulb running at a different wattage".

Access governance initiatives on the other hand, are almost always driven by regulatory compliance requirements. This makes access governance initiatives compelling. It is also why SailPoint and Aveksa are doing so well.

To be successful at selling fine-grained access management solutions, you have to go to customers with a pre-built set of light bulbs and only focus on the ones with wiring compatible with your set of light bulbs. It's why BiTKOO does well in Microsoft SharePoint environments.

Essentially, access governance solutions are much less intrusive, much easier to integrate and are supported by compelling reasons to buy.

As reliant as we are on electricity nowadays, if we were told we had to rip our ceiling out, install wiring ourselves and build our own light bulbs, most of us would say:

"F@#$ it, I'm lighting 100 candles."

03 Feb 2012 2:30pm GMT

Ian Yip: Book Review - Grouped

I've never done a book review, and I don't plan on making it a habit. But this one is worth a mention given many of us have to do some level of marketing, even if it's not officially in our job description. And in today's Facebook/Twitter centric world, marketing's changed a lot from the good old days.

Grouped, by Paul Adams is an easy, interesting, worthwhile read. It has the distinction of being the very first e-book I've ever bought. Essentially, it talks about the social web and how people are influenced in today's constantly connected world. You'll feel smarter after reading it, but you don't need a PhD to understand it. Paul's done a great job of distilling and simplifying copious amounts of PhD-worthy research for the masses.


If what you do relates to marketing in any way, you'll appreciate the ideas Paul puts forward. Even if you're not, you'll learn enough to make it worth your while and it'll make you see many things in a different light. For example, where you may not have realised an online interaction is actually influencing your behaviour in the past, you'll sure as hell notice once you've finished the book. Our emotions and subconscious play a much bigger part in our seemingly logical decisions than we realise.

The best ideas are the ones that are easy to understand and seem obvious, except they didn't occur to you until now. For example, the fact that we work hard to conform to social norms, and observe how others react to understand what is acceptable, thus shaping our behaviour, seems obvious. But we don't consciously realise that's how we tend to behave. We apparently also communicate with the same 5 to 10 people most of the time, but it's not something I realised until I thought about it. I'm not doing the content justice in my paraphrasing, so you're better off reading the book than trying to gain any useful insights here.

The book is well researched, has a nice selection of case studies and examples, and best of all, doesn't take long to read. I should point out a lot of the examples are from Paul's experiences at Facebook, but I don't think he means for the book to be a big advertisement for the Facebook platform. He simply used the relevant data he had access to given his position at the company.

Then again, the fact I'm being positive about this book could be because we generally don't want to appear to be negative in public, especially when doing so in a non-anonymous manner. Perhaps I've been Jedi Mind Tricked into this way of thinking by Mr Adams.

03 Feb 2012 11:26am GMT

Blogging 'bout WAYF: Why is the configuration called metadata?

Metadata is the 'configuration' of the identity federation. In a point-to-point federation, where all entities must know each other, the configuration needs to be updated at all entities at regular intervals. Thus the name 'metadata'. In a hub-and-spoke model, like WAYF, each IdP and SP only needs to know the configuration of one other entity, namely [...]

03 Feb 2012 7:31am GMT

02 Feb 2012


Kuppinger Cole: Back to the ROOTs

In Kuppinger Cole Podcasts

In this webinar, Martin Kuppinger first explains the current trends in the market for PxM (Privileged Access, Account, Identity, User Management) and the question of where and how PxM solutions should be connected with the rest of one's Identity and Access Management infrastructure. Following that, Jochen Koehler of Cyber-Ark presents practical approaches to managing privileged identities.



Watch online

02 Feb 2012 8:52pm GMT

Courion: And the Answer is…Access Intelligence

Access Risk Management Blog | Courion

Protecting against loss of intellectual property and vital data is mission critical, and a big part of what keeps IT managers up at night.

But a recent survey conducted by Courion of IT managers revealed there's a disconnect between the top concerns of IT managers and what they're doing to protect vital corporate information.

While potential loss of sensitive data, corporate reputation, intellectual property or revenue topped the list of risks to the organization, IT managers also struggle with actually identifying their biggest access risks and the need to put processes in place to manage them.

But surprisingly, only 12 percent of those responding conduct reviews more than monthly to certify that user access risk poses no threat to their critical assets. Over 60 percent of IT managers review user access privileges only four times per year or less, and those reviews only ensure companies are observing security and best audit practices - they're not focused on identifying new or growing areas of access risk - such as internal users abusing privileges.

That said, more than half of the survey respondents know they need to start doing things differently. They'd like to use near-real-time graphical profiles of Identity and Access Management (IAM) activities to help them manage the most critical risks to corporate information, but said they currently lack visibility into the access risk management data they need to create the profiles.

Lack of data also prevents IT managers from identifying user access associations and patterns that violate company policies or could enable users to circumvent internal controls. Nearly 60 percent of those polled said they can't compile the data for that kind of analysis from their existing IAM systems, and many who use IAM data to manage risk are doing it manually - it's not only time consuming; it doesn't provide a business context for evaluating access risk.

While survey results show obvious gaps in access risk management programs, they also show that IT managers are very aware about what's needed to address these gaps. The key is having more access intelligence about their access risk - insight into which users have access to what vital information and knowing if they're doing the right things with that access.

To learn more, click here.

blog.courion.com

02 Feb 2012 6:45pm GMT

Ashraf Motiwala - Identropy: Identropy Reviews Cutting Identity Management Operating Costs

Identropy will be hosting a webinar with our friends at IDC entitled "Reducing your IDM Operating Costs Using IDaaS" in a couple of weeks (Tuesday, Feb 14). Nishant from Identropy and Sally Hudson from IDC will be presenting. Hope you can join us! You can read the abstract below, and register here...


Would you like to reduce your IDM Operations costs by 50%, while still proving that the IDM program is meeting its goal?

Is your IT team overburdened with IDM operational support in response to a constant stream of patches and updates that were never budgeted for?

Do they lack the bandwidth to get to strategic new tasks in an ever-evolving, increasingly important IDM program?

Do they lack the time or subject matter expertise to enhance your IDM solution in response to changing organizational needs and business objectives?

If so, this webinar is for you.

The successful deployment of an Identity Management (IDM) infrastructure is only the first step of a continuous journey. Join Identropy and IDC for a webinar on how Identity Management-as-a-Service can help overcome the challenges of successfully and cost-effectively running an IAM program. During this webinar, guest speaker Sally Hudson, Research Director within IDC's Security Products and Services group, will discuss why many of these projects fail and what operational areas need to be accounted for to help bridge the divide between project-go-live and long-term success. Nishant Kaushik, Chief Architect at Identropy, will discuss how their SCUID Operations offering has helped many customers address their operational concerns and yield long-term and increasing value from their IDM investment.

02 Feb 2012 5:12am GMT

Nat Sakimura: Using plain OAuth 2.0 for authentication opens a security hole big enough to drive a car through

A good article by John Bradley [1] explaining that using the OAuth 2.0 implicit grant flow for authentication opens a security hole big enough to drive a car through. The comments are also worth reading. Just a quick che...

02 Feb 2012 3:20am GMT
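A constructed illustration of the hole the post above points at, added here as an example; it is not code from Bradley's article or from Sakimura's post. A relying party that accepts an implicit-grant access token as proof of the user's identity cannot tell whether that token was issued to it or to some other client. A malicious app that legitimately receives a user's token from the same authorization server can replay it at the relying party and be logged in as that user. The authorization server class, the client ids 'good-rp' and 'evil-app', the user 'alice' and the introspect() endpoint are all assumptions of the simulation, not anything the page or the article specifies.

```python
"""
Simulation of OAuth 2.0 token substitution against a relying party that
treats an implicit-grant access token as an authentication assertion.
Constructed example: every name here is hypothetical, and the introspect()
endpoint is assumed to exist on the authorization server.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    value: str
    subject: str      # the user the token was issued for
    client_id: str    # the client (audience) the token was issued to


class AuthorizationServer:
    """Toy authorization server: issues bearer tokens, answers profile lookups."""

    def __init__(self):
        self._tokens = {}

    def issue(self, subject, client_id):
        tok = Token(secrets.token_urlsafe(16), subject, client_id)
        self._tokens[tok.value] = tok
        return tok.value

    def userinfo(self, token_value):
        # A profile endpoint answers for ANY valid token and does not care
        # which client the token was issued to. That is the root of the hole.
        tok = self._tokens.get(token_value)
        if tok is None:
            raise PermissionError("unknown token")
        return {"sub": tok.subject}

    def introspect(self, token_value):
        # Assumed endpoint (in the style of a token-info / introspection call)
        # that reports the token's audience so an RP can check it is the one.
        tok = self._tokens.get(token_value)
        if tok is None:
            return {"active": False}
        return {"active": True, "sub": tok.subject, "client_id": tok.client_id}


class NaiveRelyingParty:
    """Vulnerable: whoever presents a working access token 'is' that user."""
    client_id = "good-rp"

    def login(self, auth_server, access_token):
        return auth_server.userinfo(access_token)["sub"]


class HardenedRelyingParty:
    """Checks the token was issued to THIS client before trusting its subject."""
    client_id = "good-rp"

    def login(self, auth_server, access_token):
        info = auth_server.introspect(access_token)
        if not info.get("active") or info.get("client_id") != self.client_id:
            raise PermissionError("token was not issued to this client")
        return info["sub"]


def legitimate_login(rp_cls):
    """Alice signs in to the RP directly; the token's audience is the RP itself."""
    auth_server = AuthorizationServer()
    token = auth_server.issue("alice", rp_cls.client_id)
    return rp_cls().login(auth_server, token)


def token_substitution_attack(rp_cls):
    """Alice signed in to the attacker's app 'evil-app'; the attacker replays her
    token to the RP's implicit-grant callback. Returns the identity the RP now
    believes it is talking to, or None if the RP rejects the token."""
    auth_server = AuthorizationServer()
    stolen = auth_server.issue("alice", "evil-app")
    try:
        return rp_cls().login(auth_server, stolen)
    except PermissionError:
        return None


if __name__ == "__main__":
    print("naive RP logs the attacker in as:", token_substitution_attack(NaiveRelyingParty))
    print("hardened RP logs the attacker in as:", token_substitution_attack(HardenedRelyingParty))
```

The hardened party refuses the replayed token because its audience is 'evil-app' rather than 'good-rp', while a genuine sign-in still succeeds for both. The point generalizes: an access token says what the bearer may do at a resource, not who is present at the relying party; an identity assertion needs an audience the relying party can verify, which is what an OpenID Connect ID token's aud claim supplies.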

Identity Commons: NSTIC Moving Forward with Pilots and Steering Group

The following announcement was just sent from NIST's Jeremy Grant, with important updates on the coming NSTIC funded pilots and plans for constituting a Steering Group, among other updates. We'll be providing information on these items and more over the next several days. Looks like 2012 will be the year NSTIC begins true implementation. Dear NSTIC [...]

02 Feb 2012 12:28am GMT

01 Feb 2012


Ping Talk - Ping Identity: This Week in Identity - Take 2 at G+ for names and nyms

As Google+ continues to grow, reason prevailed over insanity: they relented on their silly pseudonym policy. Sort of. Read the official announcement and rationale from Google's Bradley Horowitz, then read Identity Woman's reaction. There were several other items of interest to the identity community (click more for the list and links).

01 Feb 2012 10:04pm GMT

Identity Commons: ID Collaboration Day Will Happen in San Francisco the Monday before RSA !

This is an important opportunity to collaborate for all members of the Identity Community so please update your schedule and try to attend. For More Information Click Here

01 Feb 2012 5:56pm GMT