Zen Mind, Newb Mind

Being the new-ish addition to the IdPS team is, well, an interesting place to be.  Besides the requisite induction activities (ask me at Catalyst how you pick up the dry cleaning for a team who lives all across the country), I’ve been working with my peers on vastly different pieces of research.  And being curious by nature, I’m loving the chance to not only dig into different topics, but also observe how different people go about the actual process of analyzing a topic or a market.  One technique that Burton Group uses is Contextual Research (CR).  Essentially, the CR process is meant to challenge an analyst’s knowledge of a subject and their associated preconceived notions as to what problems enterprises face and how they are facing them.  It turns seasoned veterans, experts in the field, into beginners again.  This is what practitioners of Zen Buddhism call “beginner’s mind.”

Here’s how it works in a nutshell.  Kevin (seasoned vet) and Ian (newbie) identify a bunch of organizations to talk to.  So far nothing out of the ordinary as compared to our other approaches to research.  That being said, the conversations we have with these organizations are very different from typical research techniques.  Instead of coming to the conversation with a fixed hypothesis that we want to prove out, we come to the conversation with nothing.  No leading questions.  No surveys.  No preconceptions.

Will the “real” federated provisioning please stand up?

Nishant has commented on my post about federated provisioning.  He has provided two different examples of federated provisioning.  One of these, the advanced provisioning example, involves a company that manages its employees’ access to a service provider’s service via provisioning.  In this case, Nishant agrees with me that provisioning of this sort is no different from provisioning the UNIX box down the hall.


But it is Nishant’s second example, the just-in-time provisioning example, which is a bit tougher.  In this case, the enterprise and its service provider have a federation in place.  Using SAML-based authentication, a new user attempts to access the service provider’s service.  The idea (hope?) is that the service provider recognizes the new user request, provisions the user, and authenticates the user in the same conversation.  Nishant does add a degree of difficulty to this scenario by tying the federation service to a provisioning service.  Grabbing attributes from the SAML token, creating an SPML message, and handing that to a provisioning service is possible, but as a commenter points out, this sort of interop isn’t specced out, so the heavy lifting is left to the service provider.  And even if the service provider doesn’t want to directly link its federation and provisioning services, it still needs to grab the assertion’s attributes and create the account in the backend system.


Down with federated provisioning

There’s been a bit of recent blogging activity about federated provisioning and SPML.  Having worked on both federated provisioning and SPML in a past life, it warms my heart to see this discussion.  Jackson, quoting the CIO of Education Testing Services, Daniel Wakeman, restates the observation that SaaS providers have a “major shortcoming” when it comes to federated identity management.  That shortcoming leaves service subscribers to fend for themselves in managing user lifecycle events like on-boarding and off-boarding.  Not acceptable.

That got me thinking – there really ought not to be a concept of federated provisioning.  Provisioning an application in the data center must be the same as provisioning an application in the cloud.  However, in the course of the conversation between James, Jackson, and Mark, it seemed that SaaS applications and in-house applications were different from a provisioning perspective.

SaaS applications may be harder to provision and de-provision than non-SaaS applications, but that doesn’t make them fundamentally different animals.  The point was made that SaaS apps lack a standards-based provisioning interface, an SPML interface.  The fact is the vast majority of applications, SaaS or not, lack a standards-based provisioning interface, and this makes dealing with them very much the same.

Now there are two reasons that we don’t hear the same sort of clamor about provisioning non-SaaS applications as we do with SaaS applications:

  • We’ve dealt with it so long that pain isn’t as acute

CA’s Acquisition of IDFocus

Yesterday CA announced its acquisition of IDFocus, a small Israeli company.  Among other abilities, IDFocus provides a finer-grained segregation of duty (SoD) analysis engine.  CA has previously integrated this engine into Identity Manager, their user provisioning tool.

This is an interesting wrinkle in an ever-changing market.  CA now possesses a preventive-controls engine with the ability to look further into the security stack of an application.  This engine allows customers to make SoD decisions below the role or group level, at the lower ACL/security object levels.  Provisioning vendors have until now done this by calling external services provided by Enterprise Application Controls Management (EACM) vendors.
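To show why “below the role level” matters, here is an added example of a preventive SoD check done two ways; it is my illustration, not CA’s or IDFocus’s engine, and the accounts-payable roles, ACL entries and rules are all constructed.  A role-level engine can only flag role pairs somebody thought to list, so it waves through an overbroad reporting role and a single “toxic” role; expanding each role to the security objects the application enforces catches both.

```python
# Added illustration (see lead-in): SoD checks at role level versus at the ACL level.

# Roles as a provisioning engine sees them, expanded to the security objects the
# application enforces (constructed for a hypothetical accounts-payable module).
ROLE_ENTITLEMENTS = {
    "AP_CLERK": {"ap.invoice.create", "ap.invoice.view"},
    "AP_SUPERVISOR": {"ap.invoice.view", "ap.invoice.approve", "ap.vendor.view"},
    "VENDOR_ADMIN": {"ap.vendor.view", "ap.vendor.create", "ap.vendor.edit"},
    "PROCUREMENT_RPT": {"ap.invoice.view", "ap.vendor.view", "po.view", "ap.vendor.edit"},  # overbroad "reporting" role
    "AP_ALL": {"ap.invoice.create", "ap.invoice.approve", "ap.invoice.view"},  # toxic on its own
}

# Role-level rules: all that a provisioning engine which never looks inside the
# application can express.
ROLE_RULES = [
    ("AP_CLERK", "AP_SUPERVISOR", "create and approve the same invoice"),
    ("AP_CLERK", "VENDOR_ADMIN", "create a vendor and an invoice against it"),
]

# Entitlement-level rules: what an EACM-style engine evaluates.
ENTITLEMENT_RULES = [
    ("ap.invoice.create", "ap.invoice.approve", "create and approve the same invoice"),
    ("ap.invoice.create", "ap.vendor.edit", "create a vendor and an invoice against it"),
]


def role_level_conflicts(roles):
    """Coarse check: only explicitly listed role pairs can be flagged."""
    roles = set(roles)
    return sorted(why for a, b, why in ROLE_RULES if a in roles and b in roles)


def effective_entitlements(roles):
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in roles))


def entitlement_level_conflicts(roles):
    """Fine-grained check: expand roles to ACL entries, then test the pairs."""
    ents = effective_entitlements(roles)
    return sorted(why for a, b, why in ENTITLEMENT_RULES if a in ents and b in ents)


def check_request(current_roles, requested_role, engine):
    """Preventive control: decide before the account is touched."""
    conflicts = engine(set(current_roles) | {requested_role})
    return ("deny" if conflicts else "allow"), conflicts


def explain(roles, entitlement_a, entitlement_b):
    """Which roles bring each side of a conflict, so the requester sees what to drop."""
    return {e: sorted(r for r in roles if e in ROLE_ENTITLEMENTS[r])
            for e in (entitlement_a, entitlement_b)}
```

The price of the finer check is what the next paragraph worries about: the entitlement rules have to be kept in step with the application’s real security objects, which is a second controls repository to maintain.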

On one hand, CA has partially obviated the need to integrate with an SAP, Oracle, or Approva by integrating the IDFocus capabilities into CA Identity Manager.  On the other hand, CA’s move may have made things more confusing for customers.  By increasing the number of controls repositories that a customer has to maintain, integration of IDFocus makes compliant provisioning deployments more challenging.  What would be really slick is if CA could find a way to work with the EACM vendors to synchronize SoD tests so that a customer could use the same test for both detective and preventive applications.

I was speaking on this very topic in Europe last week.  I commented on the various architectures for integrating EACM into user provisioning to provide compliant provisioning services.  (For more on this subject, check out Lori’s report on the matter.)  CA has now introduced a fourth deployment model in which the provisioning engine owns the entire compliant provisioning event from the request through the SoD test to the provisioning event itself. An interesting alternative. I’ll be curious to see where CA takes this.

Thinking about Matt’s Simple Question: Correlating accounts and people

Matt Hamlin, over at Sun, mentioned a conversation we had last week about a topic in identity management which doesn’t usually get a lot of airtime: the correlation of accounts to people.  The exercise is the first step in answering Matt’s simple question of “Who has access to what?”  Matt writes:

This step is the foundation for Access Certification, Role Mining, Entitlements Management, Policy Evaluation, Identity Auditing, and numerous other custom services developed by our customers.

There were two major omissions in his list: password management and user provisioning.  The reality is that correlating accounts to people is a requirement for every identity management exercise.  This correlation isn’t glamorous work and isn’t a one-time affair.  Nonetheless, it is crucial “Identity Gold,” not only for identity management projects but also as the foundation for risk mitigation exercises.
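Here is an added example of what that unglamorous correlation actually looks like; it is my illustration, not Sun’s or any vendor’s correlation logic, and the HR records, target-system accounts and matching rules are constructed.  Rules run in descending confidence (exact e-mail, an employee ID buried in a description field, the login naming convention), and the interesting output is not the clean matches but the leftovers: accounts nobody owns, accounts whose owner has left, and accounts where two people fit and a human has to decide.

```python
# Added illustration (see lead-in): rule-based correlation of accounts to people.
import re
from collections import defaultdict

# Authoritative people source, e.g. an HR feed (constructed sample).
PEOPLE = [
    {"emp_id": "10042", "email": "alice.example@corp.example", "first": "Alice", "last": "Example", "status": "active"},
    {"emp_id": "10077", "email": "bob.sample@corp.example", "first": "Bob", "last": "Sample", "status": "terminated"},
    {"emp_id": "10101", "email": "chris.lee@corp.example", "first": "Chris", "last": "Lee", "status": "active"},
    {"emp_id": "10102", "email": "christine.lee@corp.example", "first": "Christine", "last": "Lee", "status": "active"},
]

# Accounts pulled from three target systems, each with its own naming habits (constructed).
ACCOUNTS = [
    {"system": "AD", "login": "aexample", "email": "Alice.Example@corp.example", "description": ""},
    {"system": "UNIX", "login": "alice", "email": "", "description": "emp 10042"},
    {"system": "SAP", "login": "BSAMPLE", "email": "", "description": "Bob Sample"},
    {"system": "UNIX", "login": "clee", "email": "", "description": "C. Lee"},
    {"system": "SAP", "login": "SVC_BATCH", "email": "", "description": "nightly batch job"},
]


def index_people(people):
    """Build the lookup tables each rule needs; a handle is first initial + last name."""
    by_email = {p["email"].lower(): p for p in people}
    by_emp = {p["emp_id"]: p for p in people}
    by_handle = defaultdict(list)
    for p in people:
        by_handle[(p["first"][0] + p["last"]).lower()].append(p)
    return by_email, by_emp, by_handle


def correlate(accounts, people):
    """Apply rules in descending confidence; return one tuple per account:
    (system, login, verdict, emp_id or candidate emp_ids, rule)."""
    by_email, by_emp, by_handle = index_people(people)
    results = []
    for acct in accounts:
        email = acct["email"].lower()
        m = re.search(r"\b(\d{5})\b", acct["description"])
        cands = by_handle.get(acct["login"].lower(), [])
        if email and email in by_email:                 # rule 1: exact e-mail
            hit = ("matched", by_email[email]["emp_id"], "email")
        elif m and m.group(1) in by_emp:                # rule 2: employee ID in free text
            hit = ("matched", m.group(1), "emp_id_in_description")
        elif len(cands) == 1:                           # rule 3: login naming convention
            hit = ("matched", cands[0]["emp_id"], "login_pattern")
        elif cands:                                     # same rule, several people fit
            hit = ("ambiguous", [c["emp_id"] for c in cands], "login_pattern")
        else:
            hit = ("unmatched", None, None)
        results.append((acct["system"], acct["login"]) + hit)
    return results


def report(results, people):
    """Turn correlation results into the worklists an identity program acts on."""
    status = {p["emp_id"]: p["status"] for p in people}
    out = {"matched": [], "orphans": [], "terminated_owner": [], "needs_review": []}
    for system, login, verdict, who, _rule in results:
        key = "%s/%s" % (system, login)
        if verdict == "unmatched":
            out["orphans"].append(key)            # nobody owns it: de-provisioning candidate
        elif verdict == "ambiguous":
            out["needs_review"].append(key)       # a human must pick the owner
        elif status[who] != "active":
            out["terminated_owner"].append(key)   # owner left, account still live
        else:
            out["matched"].append(key)
    return out
```

Because people join, leave and change names while accounts get created outside the provisioning system, this report goes stale the day after it is run, which is the practical reason the post insists it be an ongoing process rather than a project task.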

Here’s a tip to enterprises out there – ask your software vendors and deployment teams what capabilities they have to help facilitate this correlation.  Ask early and before you start down the path of an identity project.  Make it an on-going process governed by your overall identity management program.

I’ll be touching on this a bit in an upcoming Telebriefing I am doing.  On October 1st and 2nd, I’ll be giving a sneak peek of my research on access certification and will cover this and other topics.  If you are a Burton Group subscriber, you should check it out.  If you aren’t a BG customer, you should become one.  ;-)