Wrapping up 2008

Like 2007, 2008 has been an interesting one for me:

• I spent my first full year living in London.
• I saw quite a lot of Europe, but this time it was more often for play than business.
• I got back into the "Identity world" full time (2007 was very data security centric for me).
  

From a blogging standpoint, it's been great too:

• I had many more conversations with other bloggers than in 2007.
• I've met and spoken to many interesting, influential people in the industry. Some I've blogged about, others I've kept to myself.
  
• I've been able to spend more time blogging than in 2007.

Thanks to everyone who reads anything I write on here, even if it's just the headings. Whether you're a regular subscriber/visitor or have accidentally stumbled across my blog I humbly thank you for taking time out of your busy schedules.

Hope everyone had a great 2008 (except for that little financial crisis thing of course) and here's to a much better and more positive 2009.

My top 8 posts for 2008

I've been reflecting on the year that was 2008 and my thoughts moved to the blog. I was wondering whether I'd done it justice so I took a look through my posts and some of the stats. I started to wonder which ones were mildly useful (as opposed to a complete waste of time if some poor person had to read them). I came to the conclusion that a decent way to measure this was to figure out which ones were linked to most and/or generated the most reactions.

As a result, I came up with my top 8 (because it's 2008) posts of the year. I should probably note that this is more for my own benefit than anything else (e.g. I may want to look back at this in a few years).

Anyway, here they are (in reverse order):
8. CA positioning itself to be a GRC vendor that matters
7. Identity Management Top 10 List
6. Roundtable with Oracle President Charles Phillips
5. Part 2 of my conversation with Amit Jasuja from Oracle
4. Can Identity Management really be outsourced?
3. IBM acquires Encentuate - did they just dump Passlogix?
2. Managed Identity Services Survey Results

and the winner is...

1. Metaphysical Directory Virtual Storm and Directory Trek Wars - Act II

Ok, so I cheated a little bit because number 1 combines two separate posts. But they are related and I couldn't separate them, so one could argue they are two halves of the same post :-)

Download the Managed Identity Service Survey Results

When I released the results for the Managed Identity Services Survey, I said I would make it available as a PDF that could be downloaded. It took me a little longer than anticipated but I finally got around to it.

I actually turned it into an online presentation using Google Docs, which meant it could be embedded (see below) and also linked to directly. If you follow the direct link, you should be able to download the presentation as a PDF by clicking "Print Slides" and then "Save as PDF" (or you could actually print it).

And the iPod touch goes to

Remember my Managed Identity Services Survey and how the good folks at Identropy offered an iPod touch as an incentive to participate? It's taken some time thanks to various emails falling into spam folders and/or not getting through email filters but we finally got it sorted.

The recipient of the iPod touch has been announced over on Ash Motiwala's blog. Congratulations Niall!

Special thanks to Ash and Identropy for the prize. Also, thanks to Matt Flynn for helping us out with the logistics around selecting the winner and ensuring it was completely random (if anyone feels like they need to know the boring details around how it was done, contact me using the form on my blog).

Signs your Identity Management project is in trouble

While I'm at it, here's another Top 10 list (Letterman style). I should point out that I'm not being serious this time...well, not really.

Of course, like Letterman's top 10 lists, it's a bit of a hit and miss affair. That is, sometimes the lists aren't funny at all (cringe-worthy even). Anyway, here goes...

Top 10 signs your Identity Management project is in trouble:

10. Each time you ask which systems need to be part of the Federation project, the person in charge says that the Borgs from Microsoft land and the Romulans from (insert random vendor here) are going to take some convincing.

9. The executive sponsor for your project actually carries a toy light saber to your meetings in case they need to "unleash the force" on the team (see my previous post for this reference to make sense).

8. The answer to every problem seems to be "why don't we use that darned Meta-Directory synchronisation thingamajiggy"?

7. The company implementing your project replaces their whole team and you don't notice for a week (note: this might actually happen if you go with a large multinational consulting company).

6. You ring the sales guy who sold you the software and his voice mail says he's on indefinite leave in the Bahamas.

5. You try the vendor's support number and it says they're in the Bahamas with the sales guy.

4. The help desk asks if you would like your head to be provisioned up where the sun don't shine when you call to say you can't reset your password.

3. When you click on the "I forgot my password" link, you're presented with a screen that says "Go look in the configuration file for the master password and reset your own damn password".

2. Your vendor says there will be a delay on the media (DVDs/CDs) because the police raided the warehouse yesterday and it'll take them time to burn you a new set in the "back shed".

And the number 1 sign that your Identity Management project is in trouble is...

You actually believed that everything you saw in the product demonstration would work in your environment without customisation.

*Bada Boom*

Identity Management Top 10 List

Ash Motiwala threw out some one-liners that relate to Identity Management projects in general. Jeff Bohren added a few of his own as did Mike Conklin. Ash decided it would be fun to "tag" a few others (yours truly included) and ask us to contribute a few of our own.

Here's a few from me in Letterman top 10 list style (note: I realise some of these are longer than "snappy one-liners" if you include the explanations but I figured it was better being clear than leaving everyone scratching their heads):

10. Exec can haz light saber
If you don't get business buy-in and an executive sponsor (with a big light saber they can pull out when required), the chances that your Identity Management project will succeed are significantly reduced (note: this one's true of most IT projects, but it's especially important in this context because Identity Management projects typically touch every single department).

9. An internal a** needs to be on the line
An internal person needs to own the project and be accountable. Don't pretend everything will be fine by assuming the vendor and service provider know how your business processes work.

8. Big bang will blow up
Take a phased approach to Identity Management, not a "big bang" one.

7. Go for the quick visible win first
Solutions that visibly improve the end user experience will go a long way towards the project being viewed as a success (note: this is actually the way the single sign-on products are typically sold, but it can apply to other types of Identity Management solutions as well).

6. The vendor should catch any S*** splattered from the fan
The core Identity Management technologies are largely commoditised. Pick a vendor that will stick around when the S*** hits the fan, not the one with the shiniest new toy.

5. "The grad got hit by a bus? No problem, here's another one we hired last week" is not the right answer
Pick an implementation partner with real expertise, not one that knows how to hire a shed-load of University graduates and send them on product training before promptly rolling them onto your project and charging them out at a rate that is 10 times the amount they actually get paid (I'm looking at you Accenture, Deloitte, IBM GBS et al).

4. Entitlement Management is not a new concept
It's just a fancy-schmancy name for fine-grained access management, which has been around for years. People are just getting around to worrying about fine-grained stuff because they've already implemented some sort of web access management product.

3. You probably don't need the whole suite of products
If the sales person tells you that you do and can't explain why, boot their a** out the door. Of course, quite often they'll give you a larger discount for buying the whole lot up front so you'll need to decide if it's worth the money potentially ending up with a bunch of shelf-ware.

2. RFPs are a waste of time that won't die
They are a necessary evil that some large organisations need to go through, but vendors fill them in by doing copious amount of copying and pasting and the evaluation teams select a shortlist by counting the number of "comply" responses. Why? Because Identity Management projects that need RFPs are too complex to evaluate using a tender process.

1. If you think the software's expensive, wait until you get the bill for the services!
This isn't always true, but unfortunately it's all too common. In short, pick your implementation provider carefully and keep a tight leash on the scope and milestones.

CA sprints towards 2009

Oracle acquired Bridgestream (I wrote about this here). Then Sun acquired VAAU. Now CA's acquired the last remaining high profile role management player, Eurekify.

First of all, congratulations to founder Ron Rymon (he's the only person from Eurekify I've actually met) and the team. As I said to Ron earlier this week, it makes a lot of sense and I think it's a good fit.

I've written about CA's moves in the past and also mentioned the CA-Eurekify partnership in passing. It looks like they're keeping the momentum up and making a lot of headway towards competing with the other leaders in the Identity and Access Management marketplace.

I don't think the Eurekify acquisition is going to change the landscape too much mainly because of the existing partnership. The initial benefit is going to be that their sales reps probably get paid more commission for selling "CA Role Manager" or whatever they call the Eurekify product. In the longer term however, they're obviously going to have to integrate Eurekify's products into the CA stack so there's eventually going to be the "out of the box" integration benefits. Of course, the main benefit to CA as a company is in being able to market the fact they are now a serious role management player (along with Oracle and Sun).

The Eurekify acquisition also plays very nicely into CA's move towards being a strong GRC player. Eurekify's product set does include some GRC components geared towards identity compliance with an obvious focus on roles. CA's existing GRC Manager lacks some of the features around the identity-centric compliance niche that SailPoint and Aveksa play in but I'd be very surprised if CA doesn't fill the gaps using Eurikify's technology given that Sun just released their Identity Compliance Manager (which I believe was based on VAAU technology - all you Sun bloggers can correct me if I'm wrong about this) product and the fact that Oracle has something along these lines on the roadmap (according to Amit Jasuja when I spoke to him).

CA compounded their GRC march this weekend at CA World by announcing a Software as a Service (SaaS) version of their GRC Manager product, dubbed GRC Manager On Demand. This makes them the first large Identity and Access Management software vendor (the others being IBM, Sun, Oracle and Novell) to release a SaaS offering. I'm unsure how well it's going to sell given the results of my Managed Identity Services survey but what it does show is intent on CA's part to get serious about competing and getting ahead.

Oracle, Sun and CA have been very active of late. IBM and Novell have not. In fact, they have been VERY quiet. IBM will actually be releasing a new Entitlement Management product later this year but that's a little ho hum as I've already said. I have a feeling something is brewing because IBM and Novell cannot afford to sit around and watch everyone else get waaaay ahead. Novell's Access Governance Suite is an OEM of Aveksa's software. In other words, if Novell acquires someone in the role management/identity compliance area, my money's on Aveksa. This leaves IBM and SailPoint as the remaining pair. Watch this space.

Is Centrify DirectAuthorize one of a kind?

I'm sure many of you read Dave Kearn's NetworkWorld Identity Management Newsletter. I certainly do and noticed something buried near the end of his most recent edition regarding Centrify's DirectAuthorize product:

"The new product centrally manages and enforces role-based entitlements for fine grained control of user access and privileges on Unix and Linux systems. If your organization has a mix of operating systems you need a product like this. And the “jungle drums” (Tom – Tom, get it? OK, you can groan now) assure me that this is the only product “like this”."

The "only product like this" comment jumped out at me because I'm wondering what Centrify actually means. If they are implying that it is the only product on the market that does fine-grained access management for Unix and Linux systems and is hooked into some sort of centralised Identity Management infrastructure, they need to do a bit more research because I can point to at least 2 products that can do the same thing:

• IBM Tivoli Access Manager for Operating Systems
• CA Access Control
  

If on the other hand, they simply mean that they have a nicer interface that is easier to use and tighter coupling with Active Directory then they have a very good point.

A blog post where I mention IBM and don't take some sort of "pot shot" at them would be incomplete. So I'll say this: If IBM ever decides to design user interfaces where the user doesn't scream "owwww my eyes" when they look at it, they might actually sell more software.

Update: Dave's left a comment in response to this post that clarifies things slightly. I'm still not 100% sure what "like this" means. However, I'm sure someone from Centrify could explain it in detail and sing about the benefits around how DirectAuthorize does whatever "like this" means.

Referencing the Managed Identity Services Survey Results

I've had a few requests from various people asking if they can refer to or quote the Managed Identity Services Survey results. My answer each time has been that I have no issues as long as they don't re-sell the results in any way and to make sure they attribute it to my blog.

So, I've taken the liberty of licensing the survey results under Creative Commons as follows:


The Managed Identity Services Survey and Results by Ian Yip is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Unported License.

In fact, if you cast your eyes over the right column of the blog, you'll notice I've now licensed everything I write/produce on here the same way. Of course if you're planning to refer to the survey results, it would be great if you could tell me just so I know. You don't have to, but it would be nice :-)

Results for Question 14 of the Survey

If you were paying attention when I released the Managed Identity Services Survey results yesterday, you may have noticed it was missing the results for question 14.

As I explained at the time, the graphs didn't reflect the actual numbers so I had to take a closer look before publishing them. They've now been corrected and the results updated accordingly.

Now comes the task of working with Identropy and our unbiased third party helper to determine the recipient of the iPod touch. Stay tuned.

Managed Identity Services Survey Results

The Managed Identity Services Survey was closed 2 weeks ago. I said at the time that I had to consolidate the data to produce useful results. It took a little longer than I expected but it's done. A very special thanks to my better half for helping to produce the charts below. And if you thought question 14 was a pain to answer, it was nothing compared to trying to graph the results for it. (Update: I had to remove the results for Q14 because the numbers were a little wonky. Something was lost in the translation between the raw results and the visuals. I'll update accordingly when they are corrected. Update 2: Q14 results have been corrected and uploaded. They are now available at the end of this post.)

If you don't see your exact answer (for those that bothered to type into the "Other" box for your response) in the results it was because I consolidated it into one of the other answers.

Unfortunately, I can't seem to figure out how to make this blogging engine display images at full size within the page. It seems to only allow for a much smaller version to be inserted and forces the reader to click on each for a full size image. In light of this, I'll take some time within the next week to produce a PDF version of these results for those that prefer an actual document and don't feel like clicking through each image. I'm also planning to write a whitepaper that aims to summarise the survey and give some additional insight based on viewing the data in different ways (this one will take some time so please be patient).

If you are up to it, please feel free to write up your own analysis of the results. Be sure to let me know and I'll link to it.

Without further ado, I present *drum roll*...the results along with the corresponding questions (as I said, you'll need to click on each image for a larger version...unless you have a magnifying glass).

Question 1 - Which country do you live in? (optional)

Comment: Although this was optional, almost everyone completed this question.



Question 2 - Which organisation do you work for? (optional)

Comment: I won't publish the breakdown of all responses here because only roughly half the respondents filled this in. Here is a sample of some of the companies represented: IBM, Oracle, Accenture, Duke University Medical Center, Lehman Brothers, Apple, Tiffany & Co.

Question 3 - How large is your organisation?



Question 4 - Which industry vertical does your organisation best fit into?



Question 5 - What is your role within the organisation?



Question 6 - What do you consider to be your primary area of focus?



Question 7 - Where do you fit into the decision making process?



Question 8 - What services (if any) do you currently outsource?



Question 9 - What stage of your identity management journey are you currently at?



Question 10 - Which of the following solutions have you implemented and how?














Question 11 - If you decided to outsource your identity management infrastructure, which model would your preferred approach be?



Question 12 - What do you see as the biggest barrier to outsourcing identity management?

Comment: I included some of the raw answers left by various people here because while I could probably have consolidated them, I felt it was useful to leave them alone for all to see.



Question 13 - What do you see as the biggest benefit that outsourcing identity management provides?

Comment: I included some of the raw answers left by various people here because while I could probably have consolidated them, I felt it was useful to leave them alone for all to see.



Question 14 - When do you believe your organisation (or other organisations) will be ready for each of the following outsourcing options?

Part 2 of my conversation with Amit Jasuja from Oracle

I mentioned yesterday that I spoke with Amit Jasuja, Oracle's Vice President of Development for their Identity Management Product Suite. This is the follow up post to part 1, which focused on Oracle Adaptive Access Manager (OAAM). In this post, I'll cover some of the other things we discussed.

It's probably a good idea to point out that we discussed some roadmap items and even though Amit didn't remind me that items on a roadmap are not guarantees that functionality will make it into the planned release, I'll do Oracle the favour of mentioning it on their behalf. I used to have to do this all the time so I'm aware of the drill :-)

Apart from discussing OAAM, I revisited some of the questions I asked Oracle President Charles Phillips when I met him earlier this year (because Charles didn't really answer them completely) and Amit obliged.

Essentially, part of the strategy for Oracle's overall software stack (particularly Fusion Middleware) is to have everything be "hot pluggable" with their Identity Management suite. But let me take a step back for a moment. Like many other large vendors out there, Oracle's been pushing an open strategy around Service-Oriented Architectures (SOA) and the fact that all their products will eventually support the ability to leverage (and underpin) an enterprise service bus (or whatever buzzword you feel like using). One of the main benefits in doing so is to allow for a vendor agnostic architecture where organisations aren't "locked in" to specific products (note that the industry is a long way from this being a reality despite all the hype). There are other benefits but that's a topic for another day.

The organisations arguably making the most noise around SOA are IBM and Oracle. But Oracle is making more noise (and it seems progress) around the notion of Enterprise Identity Services (Nishant Kaushik in particular seems to be spending lots of time on this) and Amit was quick to point out that the Identity Management group will be keeping with the strategy of openness while being mindful of having to show the value Oracle's products can provide over their competitors. In short, most of Oracle's software will eventually be built to support the use of SOA-like interfaces thus allowing for interoperability with competitive solutions (assuming the likes of IBM, CA, Sun and Novell build products that support the relevant standards for the relevant use cases). It will then be up to Oracle to convince organisations that even though they could use a competitor's product, Oracle's Identity and Access Management suite is the best option because of additional benefits. Amit mentioned some examples like certified support for the Identity Governance Framework (which I should point out was originally an Oracle initiative but has since been submitted to the Liberty Alliance to carry forward) and perhaps things like "quick start" initiatives with pre-built policies for use with Oracle software.

It's great to see Oracle's strategy is to make all their software "play nice together" while being open at the same time. In reality however, the sales teams will sell whatever combination of products that will fit into a customer's budget. If they have to drop products out of the solution proposal to bring it under budget, they will. It's just how the sales teams work, especially if their numbers aren't 100% tied in to Oracle Identity and Access Management software sales :-)

We also briefly touched on various pieces of the Identity and Access Management suite being "pre-baked" into other Oracle software products (e.g. there's a lot of work being done to embed Oracle Virtual Directory within other products) before moving on to exploring Oracle's relatively new Entitlements Server (OES), itself a prime candidate for being embedded within other products. I didn't want to focus on functionality because I already knew about it at a high level. I was more interested in where Oracle's headed with the product from a strategic standpoint.

The obvious direction is to have OES be the fine-grained authorisation engine for just about everything, but Oracle's software stack is HUGE. In other words, it's not an easy task (even if they go with the SOA approach) and I don't think it's going to happen very quickly. Knowing this, I shifted the focus purely to the Identity and Access Management products and their use of OES to externalise authorisation. The answer: yes, but not yet. I used Oracle Identity Manager (OIM) as an example and Amit told me that the plan is to allow for the externalisation of OIM authorisation policies to OES in the next release (e.g. delegated administration settings). He did note that OIM can already provision to OES out of the box (I would have been VERY surprised if that wasn't the case).

Finally, we moved on to speaking briefly about Governance, Risk and Compliance (GRC) that controversial "catch all" three letter acronym. I wanted to know Oracle's plans around identity-centric GRC. If you aren't familiar with the whole GRC thing, I've written about it in the past so have a quick read and then come back.

As it stands today, Oracle's GRC product is much more focused on the financial and enterprise governance (and compliance) aspects and is hooked into their Finance, ERP and CRM applications. In terms of Identity Management and compliance however, we tend to hear a lot more about identity and user account focused access controls, attestation and segregation of duties (SoD). The products in this area receiving the most press of late are SailPoint's IdentityIQ and Aveksa's Compliance Manager.

Oracle's GRC product doesn't actually compete in the identity-centric GRC area (at least not directly). But in light of Sun's very recent launch of its Identity Compliance Manager and Novell's entry into this space through their Access Governance Suite (which is actually Aveksa re-branded via an OEM agreement), I wanted to know if Oracle had any plans to expand their GRC offering to address identity-centric compliance.

Amit's answer was that Oracle does in fact have plans to do this and they are looking at expanding the capabilities of the existing GRC product instead of building a brand new one. This essentially means that the GRC product will get additional features and hooks into the Identity and Access Management suite and vice versa. This includes things like building on the existing attestation capabilities of OIM and supporting the ability to deal with SoD policies through mining existing user entitlements and also using preventative measures (like CA will have once they finish integrating the features of the recently acquired IDFocus product).

Despite Amit almost calling me a journalist on the call, I'm far from one. What I'm trying to say is that I didn't really take any notes. I just spoke to him about a topic I find very interesting and now I'm writing about it. Hence if any of you in the Oracle community (Nishant? Clayton? Mark? Anyone else?) want to confirm, deny, correct or add to any of this (or part 1) feel free to do so via the comments. If not, we'll all just take everything I've said as fact and hold product management to my claims :-)

Ultimately, talking about plans which make a lot of sense means very little other than to communicate intentions. They key will be how Oracle executes and how quickly they do it. Otherwise, they might as well be telling us they want to put a guy on Jupiter.

Part 1 of my conversation with Amit Jasuja from Oracle

For those that are unaware, Amit is Oracle's Vice President of Development for their Identity Management Product Suite.

I tried to catch him during his last visit to London but our schedules didn't allow for it. This time, it hasn't quite gone 100% to plan either as I'm not available on the day he's in London this week. So we had to make do with a chat on the phone today while he's in Prague for the Burton Group Catalyst Conference. And before anyone asks, yes Oracle PR set up the call. I'm not one to turn down interesting conversations about Identity Management.

Naturally the topic of conversation was related to all things Oracle, particularly their Identity Management products. Top of the list of topics was Oracle's release of the new version of their Adaptive Access Manager (OAAM) product. To his credit, Amit let me take the conversation wherever I wanted.

I did actually start by asking about OAAM, given how little I knew about it (never having seen it in action). This blog post details the part of our conversation that was focused on OAAM. We spoke about other things as well, which I will write about in a follow up post.

I'd only read about OAAM through articles, data sheets and whitepapers. Oracle's whitepapers are actually pretty good compared to the other large vendors as they give away quite a lot of information. Others tend to release short, crappy whitepapers that don't say a lot so you're forced to speak to their sales reps in person if you want to learn anything.

I didn't want to focus on the press release because to a person who doesn't know a great deal about a product (i.e. me), being told about new features is pretty useless. My aim was to understand OAAM a little better. So I started by asking how Oracle positions OAAM against Access Manager (OAM), and Entitlements Server (OES) (which they got via the BEA acquisition earlier this year).

Oracle sells their products much like other large vendors. They go with a solution approach and then figure out which products fit the specific customer requirements. Oracle does this by using an "Access Management Suite" umbrella, under which they slot OAM, OES, Oracle Identity Federation and to a certain extent their Enterprise Single Sign-On (ESSO) offering (which is actually Passlogix re-branded via the OEM agreement).

The other bits and pieces I just mentioned are as you would expect: OAM does web access management and course-grained access control (just like the other large vendors), OES does fine-grained access management and is very much focused on programmatic controls and SOA (with a big dose of XACML), Identity Federation does all the Federated Identity stuff (SAML, Liberty, WS-* etc.) and ESSO does desktop single sign-on.

OAAM on the other hand, is another animal altogether. None of the other large vendors have a product like it (I wrote about the Bharosa acquisition last year) and it does do a lot of useful things (assuming it works as prescribed). Amit mentioned that OAAM is typically implemented by organisations that are looking to address fraud or simply want more than prescriptive, static, course-grained access controls that the standard web access management products provide.

OAAM does this via behavioural analysis based on risk scoring. I don't know how sophisticated the policies can get but the key is that it does this in real time based on a multitude of factors including the meta-data around the user's persona, session details, contextual information and historical aspects of the user's known actions. For example, if a person typically puts through a trade once a week of a value around $1000 and they suddenly do multiple trades on a single day, each of a value greater than $5000 then this could raise a flag or even prevent the actions. There are obviously thresholds and a bunch of policies that need to be implemented to make this happen and I'm under no illusions that it's the easiest thing in the world to do.

Amit was also correct in pointing out that people have to be careful when implementing these policies because you can potentially get lots of false positives and will have to spend time tuning them. This is something I'm quite familiar with from my time spent in data security. Whenever there are a bunch of contextual factors in play, you will no doubt get false positives. If you don't manage it properly, you will get LOTS of false positives effectively rendering your solution useless.

The thing that surprised me was that it also takes into account the information you're dealing with, not just identity and session information. I'm talking about the business data, which allows for more data-centric policies (something that is sorely lacking in many access control environments). Of course, I'm a bit biased in this respect because thanks to my time in data security, I now think everything should be related back to data in some way instead of being based on static, reactive access controls. In other words, I think real-time security controls need to take identities, context and data into account. Again, Amit did warn against balancing the data-centric stuff against performance. The more in-line data you watch for, the slower OAAM is going to get.

OAAM does have more features than I've mentioned (including additional authentication mechanisms you won't find in stock standard web access management products) but I don't work for Oracle so I won't go through all of them. If you're really interested, go read the supporting materials.

I still think there's more that could be done to improve the product. They've only scratched the surface of sophistication that one could have in performing data-centric, identity and context aware controls based on real-time behavioural analysis. But it's a decent start towards making access control more pro-active instead of the traditional reactive measures we've had to implement in the past. Most importantly, it's something the other large vendors don't have (but would love to be able to whip out in a sales situation). So for now, Oracle can wave it around in the faces of the competition.

I should stress once again that I have yet to see it in action so I can't speak for its reliability, ease of implementation or that it does everything Oracle says it can do. But as the saying goes: "in the kingdom of the blind, the one-eyed-man is king" :-)

I'll write about the other things we spoke about in a follow up post.

Managed Identity Services Survey now closed

The survey's officially closed. Thank you very much to the 70 respondents who took the time and effort. I know question 14 was a real pain :-)

I'll be releasing the basic results soon (and follow up with a more detailed analysis later), but here's a teaser:

• Over half work for organisations with more than 1000 employees.
• Many work for organisations in the technology industry, but financial services and healthcare are well represented too.
• In the decision making process within their organisations, roughly 43% consider themselves decision makers while around 36% consider themselves influencers.
• The most commonly outsourced service is...you guessed it, software development.
• When asked what stage of their Identity Management journey their organisation was at, one response gets rather specific: "Sunsetting an old provisioning tool (CA's) (in production 3 years) and replacing it with a new one (Sun's)".
• Lots of people have implemented Active Directory and LDAP (not surprising), but Federated Identity Management is the least prevalent solution (I'm actually not surprised, but some might be given all the vendor hype around Federation).
  

The full results are very interesting. I'll post them up as soon as I consolidate the data (e.g. USA, US, United States, United States of America all mean the same thing so I have to standardise the result set accordingly).

I'll also organise the logistics of determining the lucky iPod touch recipient with Identropy. The process will be as transparent as we can possibly make it.

October is the month to be aware

I must have missed the "World Security Awareness Month" memo.

I've already pointed out the awareness initiatives in Australia and the UK this month. Apparently the whole of October is National Cyber Security Awareness Month in the US. This one's a US Department of Homeland Security initiative though, not one conjured by an office equipment supplier as a marketing exercise. Here's an article that summarises some of the things going on. For some comic relief, here's what Microsoft suggests that people do.

Without further ado, I officially declare October to be:

Worldwide Don't Let The Bad Guys Steal Your Financial Details To Commit Fraud But Then Again It Doesn't Matter Because There's No Money To Be Stealing Anyway Thanks To Greedy Bankers Awareness Month.

That should cover any other "awareness initiatives" that pop up this month.

It's National Identity Fraud week in the UK as well?

I mentioned the fact that next week is National Identity Fraud Awareness Week in Australia. What I failed to realise is that this week is National Identity Fraud Prevention Week here in the UK. I've either been REALLY tuned out of the mainstream media or their marketing needs some work.

The same company is behind both initiatives. I gave them a bit of a backhanded compliment remarking that I thought it was a good marketing campaign to sell their paper shredders. But the execution needs a little work and they need to pay attention to the finer details starting with:

1. The URLs - the Australian site's URL is http://www.stopidtheft.com.au while the UK site is http://www.stop-idfraud.co.uk. No wonder I couldn't find the UK site when I first heard about the Australian one. Also, both campaigns officially use the term "Fraud". Why the heck does the Australian URL have "theft" in it? Fellowes need to hire some "consistency police". To that effect, I rescind my kudos to them for being educated enough to use the term "fraud" instead of "theft".
   
2. Why does the UK get a "Prevention Week" while Australia gets an "Awareness Week"? Are they implying the UK have gone beyond awareness and need to think about prevention while Australia are behind the times?
   

On the other hand, I'm probably just being really picky.

We've hit the target of 50 responses

I extended the deadline for the Managed Identity Services Survey yesterday, but the number of responses crept over 50 overnight. This is great news of course because it means that I'll be able to release the results and a lucky person will be the recipient of the iPod touch.

As a result, the survey will definitely be closed at 11:59pm GMT (London time) on Sunday 12th October 2008 and won't be extended.

Survey deadline extended

We've just gone past the deadline for the Managed Identity Services Survey. Unfortunately, the number of survey responses hasn't quite hit 50, although it was very, very, very close.

If you read the full set of rules, you would have noticed the following:

"The survey will be closed at 11:59pm GMT (London time) on Sunday 5th October 2008 unless the target number of 50 responses has not been reached."

As the rule states, I have to extend the deadline. The new deadline is now 11:59pm GMT (London time) on Sunday 12th October 2008, which is an extension of a week (the survey rules have been updated to reflect this extension with a link back to this blog post for details). The number of responses should hit 50 well before the week is up, but there's no harm in collecting more.

Here's the direct link to the survey. Once again, thanks to all participants to date. I know it takes some effort to fill in, but we're in for some very interesting results (not to mention the iPod touch).

Survey closes in a few days

Here's a friendly reminder that the Managed Identity Services Survey closes on Sunday night (October 5th). That's in 2 days so if you've been meaning to get around to it, now's the time if you want a chance at the iPod touch courtesy of Identropy.

I know some find it difficult, which might be why we haven't hit the 50 response mark yet. We're over 50% of the way there though so let's make an effort to get to the target. Feel free to forward it on to other informed individuals. Remember, unless there's 50+ responses I'm not publishing the results. It also means no one gets the iPod touch :-(

By the way, if all the "bail-outs" actually bothered to complete what they started we'd be well and truly past the finish line with time to spare.

I'm not a baseball fan, but I can't think of another corny cliche at the moment: "Bottom of the 9th and we need a home run. Batter up!"

IBM tries to rain on Novell and HP's parade

The cynic in me is crying out for this blog post, so here I go.

It's not that I enjoy pointing out my ex-employer's boneheaded moves, but...ok so I do just a little bit.

IBM issued a press release today harping on about:

"migration services and competitive migration pricing for abandoned HP Identity Center security software customers aimed at helping them benefit from IBM's broad capabilities for securing and efficiently running IT for their business."

For those that don't remember, HP got out of the Identity Management software business earlier this year and left their existing customers with a bit of a problem. Then along came Novell on their horse offering to ease the pain in partnership with HP.

From what I can gather by reading the Novell and HP partnership press release, existing customers get equivalent Novell Identity Management software for free (until the middle of 2009) and some migration tools jointly developed by HP and Novell. There is no mention of free services however, so I assume there's some cost there.

I didn't see the word "free" anywhere within IBM's announcement. So my question is, are they going to guarantee that the combined software and services costs are going to be less than Novell's? If not then what the heck is the point of offering to "Bail Out HP Security Software Customers" (part of the press release's headline)?

Oh, it gets better:

"In response to HP's discontinued identity management products, IBM offers competitive migration pricing for software and migration services through IBM Internet Security Systems (ISS)..."

Notice the problem? IBM ISS specialise in network security! Talk about picking the wrong business unit to offer up as the service provider. It would have made a bit more sense if they had said IBM Security and Privacy Services (which was the division I worked for before doing my IBM Tivoli thing) or IBM Software Group Services (who used to try to bill me out to customers because I knew stuff, even though I worked for the IBM Tivoli technical sales team - management usually said no by the way, except for a few times I had to run customer training sessions because they supposedly "asked for me by name"). Both these business units have had years more experience deploying the Tivoli Security suite of products. They also have a heck of a lot more people that have the necessary skills to do the work.

Here's a few speculative reasons why they might have made this announcement:

1. To piss Novell off a little bit and also hopefully catch all the existing HP customers that don't like Novell for some reason. Of course, there's nothing stopping customers from going to Oracle, CA or Sun. I dare say they'd willingly give existing HP customers "competitive pricing", which by the way means nothing becase it's not quantifiable.
   
2. A boneheaded IBM ISS executive was trying to figure out how to increase ISS revenue and decided on this particular tactic.
3. A boneheaded IBM executive was trying to figure out how to increase IBM revenue and decided on this particular tactic. The executive then thought that since it was security related, they would use the ISS business unit to deliver the solution because "hey, we acquired them 2 years ago as one of the world leaders in providing security solutions right?"

I wonder if the other consulting and services business units within IBM knew about this before the press release. My guess is not, but all you IBMers out there can correct me if I'm wrong. And if I'm right, there's going to be a few IBMers walking around today asking the same question and wondering why IBM has once again decided to compete with themselves.

This ISS rant assumes one thing of course, and that is that they actually find customers who want to switch from HP's Identity products to IBM Tivoli at a potentially higher monetary cost. I've already said I don't really see the financial value (I won't argue all the other bits because I'm trained to argue IBM Tivoli business value in my sleep).

In short, all of you working for ISS can just go about your business as if none of this ever happened. Well, all except the sales people who I'm sure will be told that they now have a new "innovative offering" to be peddling.

In other news buried within the same press release (I don't know why IBM keeps mashing multiple bits of news into the same press release), they announced:

"IBM Tivoli Security Policy Manager -- Brand new IBM software that provides customers the ability to develop centralized security policy management for managing application entitlements driven by compliance, data security and intellectual property protection. The adoption of SOA and Web 2.0 technologies poses unique security policy management challenges for managing user entitlements -- the loose coupling of services and mash-up applications across a business creates multiple policy management points, each of which may require its own administration. The IT reality to manage these policies and entitlements in an environment full of different vendors' technology is manual, error-prone and creates costly islands of security administration. Tivoli Security Policy Manager, available by end of 2008, provides standards-based, centralized application entitlement and SOA security policy management capabilities to help users strengthen access to new applications and services and improve policy compliance and operational governance."

Are you back from your eyes glazing over yet? Let me cut to the chase for you: the long marketing blurb basically means IBM Tivoli are releasing their Entitlement Management product later this year. I've seen it in action but am not at liberty to say anything at this stage thanks to the NDA. That said, it's probably not fair for me to be commenting anyway because I've only seen the Beta version, not the fully-fledged "we've tested the crap out of it and made it all nice and pretty" version. Well, maybe not the "nice and pretty" bit. If you've seen IBM software interfaces, they are rarely "nice and pretty". But I'm biased because I use a Macbook Pro as my personal computer :-)

If you work for IBM ISS, feel free to send any hate mail my way...

Is the PCI guy serious?

Version 1.2 of the PCI Data Security Standard was released yesterday. If you're really interested, you can find some analysis on what's new here, here and here (or via your favourite search engine of course).

I'm not sure how much more useful PCI DSS version 1.2 will be compared to the "worthless v1.1 incarnation" in a practical sense, but if comments by Bob Russo, General Manager of the Payment Card Industry Security Standards Council are anything to go by I'm not holding my breath.

On page 2 of an article today, he's quoted as saying:

"Today we say if you're going outside the network, you need to be encrypted, but it doesn't need to be encrypted internally. But as an example, if you add end-to-end encryption, it might negate some requirements we have today, such as protecting data with monitoring and logging. Maybe you wouldn't have to do that. So we'll be looking at that next year.

Is he serious? Or was he misquoted? Or maybe the comment was taken out of context? Or maybe my eyes are deceiving me?

Just because you have end-to-end encryption doesn't mean data is any more secure. Sure, if you have any of your disks stolen, then you're probably ok. But what about protecting consumers against your employees that have legitimate access to the data? If there's no monitoring and logging then there's no psychological deterrent and audit trail if something does happen!

I'm shaking my head in disbelief right now...

National Identity Fraud Awareness Week Australia

Here's a first, at least for Australia. A company has taken the initiative to raise awareness of Identity Fraud.

National Identity Fraud Awareness Week Australia is being run in partnership with Crime Stoppers Australia, the Australian Taxation Office and Veda Advantage (who do credit scoring of some sort). Apparently they've also run it in the UK, Canada and Japan.

The most interesting part of this is that the company responsible for the initiative is Fellowes. And what do they do? They sell office equipment! Strange you say? That's what I thought too, until I realised that one of the things they suggest people do to help prevent Identity Fraud is to shred all documents. The shredders they suggest? Fellowes shredders of course!

So here we have an office equipment company running a marketing campaign to sell shredders by promoting Identity Fraud awareness. I might sound a little cynical here, but I actually think it's a really good "think outside the box" marketing campaign. I'd never heard of Fellowes before, but now I have. They also picked up on something people are REALLY concerned about and will naturally take notice of.

Extra points to them for using the term "Identity Fraud" and NOT "Identity Theft". Kudos also for getting the ATO and Crime Stoppers involved.

I wonder if my bank just lost a whole bunch of credit card numbers

I'm talking about one of my banks in Australia, specifically the one that issues my credit card.

I'm wondering because they left a message for me to call them back URGENTLY. When I called, they basically said they had to cancel my card and issue me a new one because it had "potentially been compromised". When I asked if there had been any fraudulent activity, they answer was no.

So here I am, scratching my head wondering why my credit card had to be cancelled when there wasn't any suspicious activity (actually there wasn't any activity whatsoever on my card because I tend to use my UK credit card nowadays). The customer service person simply said "oh, the security department has determined that your card might have been compromised. It could have happened when someone swiped your card using a card reader capable of capturing the information required to produce a duplicate card."

I'm no genius, but if someone had indeed done that, how the heck would the bank know unless the card is actually used (and even then it would be speculation because they don't actually need to copy the card to commit fraud)? It's not like there's a big alarm that goes off and gets sent back to my bank when a card is copied. If that's what happens, then it would have had to be a criminal smart enough to hook their system up to the bank and send them the information successfully (kinda like the virus Jeff Goldblum uploads to the alien spaceship in Independence Day) yet be stupid enough to actually do it.

I suspect that they just lost a bunch of credit card numbers. I may never know for sure because it's not mandatory in Australia for companies to disclose any data loss incidents (this should change in my opinion - every institution in the world that stores personal or financial details should be made to disclose incidents just like US companies).

Which bank? No not that one (you'll only get this reference if you're familiar with the banks in Australia and have seen some of their marketing campaigns).

The Managed Identity Services brick wall

I've been wondering if each data loss incident is a brick in this wall I'm referring to, so I thought I should take a closer look.

I read about a survey today (I'm all for surveys at the moment) that found at least 80% of the British public don't trust companies to hold their personal details securely. Apparently, 89% also think that repeated incidents should be a criminal offence.

Here are a few tidbits:

• Most think there should be no second chances for data loss offenders.
• Most don't think they'll want to give up any information to a company that has had a data loss incident.
• Half think the single worst offender is the UK Government.
• Most people don't do a thing to protect their information with some not even knowing how to ensure the security of their online transactions.
  

I didn't list all the findings, but basically people don't see it as being their problem. They believe it should be up to companies to ensure security.

This survey is UK centric, so I dare say the same numbers don't apply across the rest of the world (thanks to the UK Government's well publicised, regular data loss incidents in recent times). But I don't think the perceptions will be too different elsewhere, although the figures may be a little be less drastic.

I'm not trying to focus on consumer perception as such. What I'm trying to link up is the fact that decision makers within organisations are also consumers, which means these perceptions matter in the enterprise solution marketplace.

This is one of the things I'm trying to get a better handle on through the Managed Identity Services Survey. What's the big stumbling block stopping people from outsourcing anything where it involves enterprise identity details? Do people automatically equate "identity" with "personal data"? It's a rhetorical question because I think we do. As I've said before in the past, it's mostly psychological but that means everything and makes outsourcing Identity Management a "hard sell".

I should probably cover my bases and mention that there's typically also the concern that external people are able to have access to your enterprise identity information if you outsource any identity-related services, but this is really a moot point. Who's to say your insiders are any more trustworthy than the employees of the service provider (yes I know we could argue this point back and forth and get nowhere - the point is that internal people should not be trusted either, because that's usually how data leaks)? Matt Flynn's also pointed out in the past that whenever you have external consultants working on your internal systems, they too have access to all your precious identity information. In other words, this is a stupid point to be debating. Internal or external, someone is going to look at it and you should assume they are a security risk (even if they don't mean to be)...which is where data security measures come in, but that's a topic for another day.

Now that we've conveniently parked that debate, we can address the other typical concern: the storing of identity information on infrastructure that is not controlled and/or owned by the organisation. Is there actually a good reason to be so concerned about letting enterprise identity details be stored outside of the organisation? Consider the following...

I'm going to pick on the poster-child for Software as a Service (SaaS), SalesForce. I do this because they are the extreme case in that everything is completely hosted and managed by SalesForce. An organisation that uses SalesForce does not own any of the infrastructure. In fact, it's completely exposed to the Internet. How much more of an exposed example can you get? Organisations simply log in and use the software. Also, more often than not when you speak to someone about using SalesForce, the concern over sensitive company details being held in an environment not owned by the organisation and being potentially accessed by external people doesn't come into play. If you ask them, they typically say something along the lines of: "oh but that's all just CRM information".

Think about that statement for a moment. Now, can anyone seriously tell me there's not a S*&%-load of personal data in there? SalesForce is primarily used as a CRM platform, which means that it's full of contact details! Things like: name, job title, employer, business address, phone numbers and email addresses at a minimum. I'm not even including all the other bits and pieces companies might store against each record. For example, the notes may include things like "this guy is an idiot but he signs the contract so be extra nice".

Let's move on to the type of information companies REALLY NEED to be holding in their enterprise identity stores: Unique identifier (usually an email address or employee number), authentication credentials (e.g. encrypted or hashed passwords - if you have passwords in clear text someone should be fired), group (or role) memberships, applications that employees have access to and the corresponding privileges (or entitlements) for each application. You don't even REALLY need someone's name, although most of the time it's stored for display purposes. We could extend this set to include things like manager, department, applicable workflows and so on. A lot of this is dependent on the identity service in question and the business logic involved, which is why on occasion you might see things like salary floating around (although this is not exactly a good thing - you really should be using a third party service that spits out an assertion that "their salary is above $40,000" instead of "salary=$49,890").

I may be over-simplifying here, but this post is long enough as it is so I don't want to put you all right to sleep (or maybe you already are). My point is that at the very basic level, identity stores don't need to contain personal information. They only need to contain information relevant for determining the correct authorisation levels an individual needs to do their job (to be governed by compliance policies which on their own do not store personal details either - at least none that can be tied to an individual). And as far as authentication is concerned, if you're not comfortable having things like credentials stored externally, you could always use Federation (and I don't mean the Star Trek kind).

In short, if you model your identity and access control models correctly, you can do it without personal details. And even if some personal details do creep into the identity stores for legitimate business reasons, it's unlikely to hold more information than one would find in a CRM contact record. What does this boil down to? Your identity stores shouldn't contain more personal data than SalesForce!

Here's where I think the core of the perception problem is:

1. The Media - They link EVERYTHING about personal data to the word "identity", usually throwing the word "identity theft" around as a catch all because they don't understand enough about the subject matter. Those of us in the field know it's a stupid term because you can't steal a person's identity. You just commit fraud by stealing personal data. Of course, even those who know better can't help but be sucked into the whole thing when all we hear about (other than the credit crisis) is data loss and identity theft. When will they understand identity DOES NOT equal personal data?
   
2. Lazy consultants - They look at the HR system and just suck EVERYTHING out of there because it's easier. They make the false assumption that data is safe within an organisation's walls and that some of the information might be required later on so they're saving everyone lots of work by making it available up front. Well, they're not because there's now an additional egress point for data to leak from, which means more work (and cost) is required to secure that information. Because of lazy consultants, you've now got systems all over the place that HAVE personal data. So anytime a person looks at an "identity system", they see personal details all over the place and automatically assume that's the way it has to be.
3. People are self centred, even when they don't mean to be - Employee details aren't typically stored within CRM systems. In other words, the decision maker doesn't care because their own details aren't sitting on SalesForce's infrastructure. When it comes to an identity store however, they immediately think: "hang on a minute, that's my identity information sitting there! There's not a chance in hell I'm letting my details sit within a service provider's environment or let an employee of an outsourcing provider look at them!"
   

To summarise:

• Consumer perception and fear of data loss directly contribute to organisational fears about outsourcing identity management.
• Identity stores do not need to contain personal data (unless authorisation rules dictate - even so, there are other ways like leveraging assertion services).
  
• Identity != Personal Data

Of course, if you aren't even allowed to use outsourced services or software because corporate policies forbid the storage of data on infrastructure not directly owned and under the control of the organisation, then you have a whole other problem. You should probably take the time to question the underlying reasons for this policy however. For example, was it written over 5 years ago and based on fear? Was this fear valid or based on paranoia? Should it be changed? If so, can it be changed or does your organisation submit to the "if it ain't broke don't fix it" mantra?

Are there other factors are play here? Are there "different coloured bricks" in this wall that you're concerned about?

Let me know by completing the survey! Or if that's too difficult, then just leave a comment.

A good primer on Authoritative Identity Stores

Just a quick one. Many of us spend too much time thinking about and dealing with all these new, shiny Information Security "toys" (a lot of which is just hype and marketing). The problem is that we sometimes lose sight of the core pieces.

One of the basic, important steps in implementing an Identity Management infrastructure is the planning around where your new, shiny provisioning engine is going to get all the identity information it needs. Sometimes the answer is very straightforward (e.g. "oh, we just suck all the information out of the HR system"). Unfortunately, life is not always this simple. Quite often, you need to think about where your disparate, authoritative sources of identity information are. Once you figure that out, you then need to determine how to get that information easily (in a manageable and maintainable way) on a regular basis, preferably in an automated fashion.

Your friendly sales rep at whatever software vendor you deal with will immediately throw a tool at you. This said tool will probably be one of the following:

• An LDAP directory which includes synchronisation capabilities with other data stores.
• A Relational Database (RDBMS) which includes synchronisation capabilities with other data stores.
• A plain old synchronisation tool that transports data between various sources.
  
• A Meta-Directory (which could leverage an LDAP or RDBMS depending on the architecture).
• A Virtual Directory (which could leverage an LDAP or RDBMS depending on the architecture).
  

Before you bring your favourite software sales rep in to beat you over the head with their tool, take a step back and think about how you actually want to solve the whole Authoritative Store issue. If you're not sure where to start, Matt Pollicove's written a whitepaper outlining how one might go about doing it (actually released over a month ago, but it's been on my "to-read" list until today when I finally got around to it). It's a pretty good read for those that want to get an informed start on the things you need to be considering and how you might go about putting a solution together. Matt also does a good job of talking more about abstract concepts instead of telling the reader which tool to use in each situation (because there's no right answer - it depends on what your requirements are).

I'll stop now because I don't particularly want to start the "Directory Trek Wars" again despite the fodder it would provide me to do part III :-)

Is the Managed Identity Services Survey too difficult?

I relaunched the Managed Identity Services Survey a week ago with an added incentive to participate courtesy of Identropy. There's been a decent number of responses to date, although we have yet to hit the target of 50 responses (remember, the rules stipulate that unless I get 50+ responses, the results will not be published - which also means Identropy don't have to hand over the brand new iPod touch to a lucky survey participant).

At this point, I thought it may be of interest to provide an update of sorts in the interest of openness and transparency...

While I didn't set out to create a particularly difficult survey, it seems to have turned out to be less than trivial. I've re-read the survey questions over and over again to determine exactly how difficult they are and this is what I've concluded: the questions aren't that difficult but do require some thought...and that's a good thing.

In going through the responses so far, I've been analysing the "bail-out" responses with particular interest. I'm referring to the half-filled surveys where the participant got to a certain point and decided not to continue. Here's what I've found: most people "bail-out" at either question 9 or question 10. Question 9 is the first Identity Management related question. Answering this requires that you know something about what your organisation is doing in this area. Question 10 is one of two questions within the survey that require some level of effort because it's a matrix of options that need to be selected.

My guess is that people who are in it only for the iPod touch but know nothing about Identity Management are typically the ones that stop on questions 9 and 10. Some are honest in that they get to question 9, realise they know nothing about the subject area and just bow out gracefully. The ones that are unfazed simply click a random option to "answer" question 9 and continue. They then hit question 10 and stop because it's just too hard for them. I guess you can call questions 9 and 10 the "filter" questions.

Question 14 is the other question formatted as a matrix. This happens to be the last question in the survey before the participant is allowed to provide their details for the giveaway. Your reward for answering it is the chance to enter the giveaway (should you choose to provide your details and agree to the terms and conditions).

Sure, there are persistent types who will complete the whole survey without knowing a single thing about Identity Management. But "frivolous", completed surveys have been rare so far (there's 1 or 2 at this stage). I'm a little disappointed that the person claiming to be from "Horse and Hound" magazine didn't keep going though. I wonder if it was Hugh Grant? If you're reading this with a puzzled look, you haven't seen Notting Hill so ignore what I just said.

If you have another reason for not completing the survey, please let me know via the comments or by sending me a message (you can use the "Email Me" form on my blog).

Now we just need to get to 50. There's an iPod touch at stake and just over a week left before the survey closes. Most importantly, we want to see the results so what are you waiting for?

Note: I should point out that I didn't place questions 9, 10 and 14 in their respective positions to act as filters. I just wanted to know the answers and thought they belonged in those positions. The fact they turned out to be good filters is a happy coincidence.