
Friday, August 31, 2012

Do security like a start-up or get fired - Own your security

This is part of a blog series. For more details, start with the intro.

Own your security programme



We rarely see start-ups hire consultants to "consult" on IT security (except perhaps if they've had an incident and need to be seen as having done something about it). However, in larger organisations with complex environments this is commonplace. Whether enterprises choose to use external security consultants or outsource certain security functions, the most important thing to remember is this: your external provider must never be responsible for your security.

Unfortunately, in far too many organisations, there is the tendency to fall into the trap of ceding responsibility once they've outsourced something or brought in external consultants. Many forget that outsourcing functions or operations does not imply the outsourcing of responsibility. It is absolutely crucial that the organisations continue to make their own IT security decisions, maintain responsibility and take ownership.

The instant that members of an organisation start thinking that the external provider is responsible for IT security, immediate action needs to be taken to correct the perception (and potentially the processes). A telltale sign of this is best illustrated by a question I once asked the security manager of a large bank:
"Why is this security process done this way?"
The answer floored me:
"That's how the outsourcing vendor does it, but we're not sure why. It doesn't actually make sense to us why it's done this way."
How can improvements ever be made if an organisation does not know the reason behind how things are done? This particular issue is not limited to the IT security area. It is a common trap organisations fall into when they outsource anything. But IT security is one of the most critical areas to keep on top of.

There is also the ever-present threat of "analysis paralysis". This is the condition where the consultant or outsourcing provider produces too many documents and designs, which end up gathering dust. All the budget's been spent on producing documents, but there isn't any money left to move forward. Instead of shelf-ware, organisations end up with shelf-paper (figuratively speaking of course, as it's usually a digital shelf in today's environment).

Next up - Evolve.

Tuesday, September 02, 2008

Another view on outsourcing Identity Management

I wrote about outsourcing Identity Management back in July, which was an extension to another post I made in 2007.

Corbin Links left a well thought out, rather lengthy (in a good way) comment in response and makes a couple of good points.

He submits that businesses do not care about security and best practices:
"I'm sure I may ruffle a few feathers by saying this to some, but business -- by and large -- does not care about security. (Except for providers of security-related products and services...) Or rather, business only cares to the extent that market forces, customers, and regulatory agencies demand it."

...

"businesses invest in security because they have to, not because they want to."

and that best practices
"are the practices all organizations think they should be practicing, but in actuality do not. It’s a term that helps sell frameworks, tools, and conference passes, but that has very little tangible impact in many organizations."

He goes on to say:
"What businesses *do* care about, is processes, methods, and tools that can facilitate making money, improving bottom and top-lines, improving customer satisfaction, improving end-user experience, reducing time to marketing, reducing help desk costs and calls, streamlining processes, etc."


He brings up the point that industries that do not traditionally buy Identity and Access Management solutions would like them, but just don't have the expertise or the budgets. In this respect, they would gladly pay for the service and outsource it all:
"For many, the premise of outsourced management of IAM is very attractive. Because, many organizations realize that they:

1) Do not have the core competencies
2) Will never have the core competencies
3) Will never be in the business themselves of providing IAM-related services
4) Do not have their processes modeled
5) Do not have enough information or expertise, or time to define their current, much less future-state business processes
6) Are not qualified to determine accurately what risks really exist, levels of data protection needed, data classification levels, etc."


I agree with some of what he says throughout his comments, particularly regarding the fact that the "non-traditional Identity Management buying market" (especially SMB) just doesn't do it because they can't justify the costs and effort required. A managed offering would certainly be more attractive in this respect.

I still don't discount the fact that there are data, privacy and security concerns that need to be worked through. Sure, some organisations will not care too much (probably because they don't have the big regulatory stick being waved at them) but it is up to us as professionals to make sure they care, especially if we're the ones providing the service to them. We have an ethical obligation to do so. And if in the process of educating organisations they decide not to buy anything, so be it (I can see all the sales people saying "nooooo why are you saying that?!?!").

As for the statement that business does not care about security and best practices (or only cares as much as it needs to), it depends. A majority behave this way (and I've been in many sales situations where we play on this fact), but I've also met C-level executives (including CEOs) that certainly do care about security. Sure, most of the time it's because they "don't want to be on the front page of the Wall Street Journal". It is rare that someone will care just because of ethical reasons and want their overall security posture to be sound (or dare I say, world class). But they do exist. And the ones that care know that they MUST have security in mind because they "do not know what they do not know." That is, they need to be proactive about security rather than reactive. Unfortunately, most organisations fall into the reactive category and so Corbin is mostly right.

I encourage you to read the comments and submit your own thoughts.

Thursday, December 13, 2007

A little bit more about managed identity services

This isn't going to be a long post. I'm just going to refer to a post I made in July about Managed Identity Services being a hard sell.

If you haven't read it, feel free. If you have, someone made a comment in response to it which I've also responded to which extends the discussion a little.

Incidentally, if you want to keep track of the comments people write, here's the feed. Unfortunately, it's only available for those using RSS readers. Those of you subscribing via email will have to do without it for now. Sorry :(

Wednesday, July 04, 2007

Managed Identity Services are a hard sell

I came across an announcement today where Wipro and Oracle have apparently partnered to offer customers Managed Identity Services and found it a rather curious move to make on Oracle's part. The only question I have for them is...why?!

I can understand Wipro wanting to explore the opportunities in Identity Management (IDM) outsourcing (they're an Indian company and are trying to get into IDM with a vengeance so it seems a logical move on their part), but Oracle doesn't need something like this. Why? Because they'll fail. The market is not ready for outsourced IDM and may never be. Most are still busy trying to work out their internal processes. Even the companies that have IDM software solutions are still working the kinks out of their processes.

The concept of outsourcing IDM has been around for a while. Access360 (now IBM Tivoli Identity Manager) explored the concept by designing their Enrole product to support the potential that someone might want to outsource their IDM. This feature got quietly thrown out not long after IBM acquired Access360. The reason (I'm guessing) is because there wasn't enough market demand for such a feature.

Think about it. If you outsource your IDM, you're outsourcing the keys to your kingdom. It's akin to giving someone the keys to your front door and asking them to decide who to let in and what they can do in your house. Are they really going to understand that the vase you have on the coffee table is an antique from the Ming dynasty and should under no circumstances be touched and that no kid under the age of 13 should go within 2 metres of it? You really have to trust your outsourcing provider not to screw things up because your business operations rely on the IDM infrastructure being there and functioning properly. Imagine if all of a sudden no one could change passwords or the authentication and access control mechanisms weren't working? Business would just stop.

What about the security implications and risks? Taking the house analogy further, outsourcing your IDM is like giving someone your keys and an inventory of all the things in your house and everything about what can be done to those things. This inventory will also contain the details of every inhabitant within your house or that has a right to visit your house. The keys and this inventory with all this private, sensitive information is now sitting in someone else's place. Sure they tell you it's "locked in a safe"...one which you've never actually seen and have no actual control over who can get to this safe. What assurances do you have that they have the right security measures in place to protect this safe? Or that they have the adequate screening processes to ensure that people that can get into this safe are trustworthy and will not compromise your keys and inventory? These security risks should be enough for an organisation to say "thanks but no thanks."

But if for some insane reason these risks are not compelling enough to say no, let's explore the other issues...

Take into account the experiences most people have in outsourced IT environments and it's not a pretty picture. I've been in enough outsourced accounts to know (and not just ones managed by IBM) that customers tend to be bitter about the outsourcing provider and cannot wait until the day the contract re-negotiations are due so they can throw them out of the account. In fact, I know of a few ex-customers of mine back in Australia that have done just that (some are big financial institutions, so the size of the contracts is going to make a dent in someone's ledger). Throw in giving an outsourcing provider the responsibility to manage your IDM processes and infrastructure and it gets a whole lot more complicated.

Outsourcing IT operations is just that. You let someone else worry about where to put those Unix servers and how to connect those cables. You just need to know that there is a server room full of Unix servers that are guaranteed to be up 99.9999999% of the time and they run your business applications which just need to keep running (yes I'm over-simplifying, but you get what I mean). When you outsource a critical function like IDM, you are outsourcing a whole bunch of business processes that are very specific to your organisation and throwing into the mix a whole bunch of IT management issues. Add to that the political and cultural issues prevalent in all IDM projects (most will say this is the hardest part) and you've got a heck of a problem.

Yes people outsource business processes, but they are usually very standard, mature business functions like Payroll or HR. These don't get thrown into the IT management mix. IDM is like taking HR functions, "one-of-a-kind" custom business processes, all your people and all your IT systems and throwing these together into a mixing bowl and hoping you get a nice cake out of it. It usually takes a few attempts before you can even get a simple sponge cake. The first few attempts usually result in some inedible mess of a cake that you give to the dog to eat while you go try again. Problem with IDM is that there is no dog. You have to eat it yourself while trying to figure out why you've got dog food.

All the variables make IDM outsourcing destined to fail (for now). There are too many moving parts. Business processes are too specific to your organisation (e.g. every bank has different processes for the same thing). You're kidding yourself if you think you can make it someone else's problem just by outsourcing it. IDM will never be someone else's problem. It is always your own problem because you're managing YOUR users using YOUR business processes.

Wipro may be on to something because there's definitely a business opportunity for those not put off by the security risks. Who wouldn't want to make their IDM problems someone else's? But until the whole market works on standards and the solutions are commoditised, IDM outsourcing is just too difficult and is destined for failure.

Until IDM can be defined end-to-end as a set of standardised services from IT all the way through to business processes, you can't outsource your IDM with any level of confidence that it'll all hang together. Standardisation is only beginning with things like XACML, SAML, SPML, OpenID etc. But you can't escape the fact that these are technology-focused standards. Real-life use cases are not about technology.

When the day comes where all the underlying standards to support an IDM SOA infrastructure are there (and we're still working out the whole picture here), then we can start to get somewhere. And even then it'll still be difficult to make IDM someone else's problem. Sure, someone can probably host the stuff for you, but the business process issues are still going to be yours and you'll still need the technologists around to facilitate everything. The day when you can comfortably outsource all your IDM functions is the day where you are able to hire a bunch of business analysts to model and maintain your internal identity, access, security, audit and compliance related processes in an industry-ratified and standardised fashion that can be sent straight to the IDM service and enforced with immediate effect. And this is ONLY after you can be assured that the sensitive data you are letting out of your environment is adequately protected.