This is an interesting wrinkle in an ever-changing market.  CA now possesses a preventive-controls engine with the ability [...]]]> Yesterday CA announced its acquisition of IDFocus,  a small Israeli company.  Among other abilities, IDFocus provides a finer-grained segregation of duty (SoD) analysis engine.  CA has previously integrated this engine into Identity Manager, their user provisioning tool.

This is an interesting wrinkle in an ever-changing market.  CA now possesses a preventive-controls engine with the ability to look further into the security stack of an application.  This engine allows customers to make SoD decisions below the role or group level, at the lower ACL/security object levels.  Provisioning vendors have until now done this by calling external services provided by Enterprise Application Controls Management (EACM) vendors.

On one hand, CA has partially obviated the need to integrate with an SAP, Oracle, or Approva by integrating the IDFocus capabilities into CA Identity Manager.  On the other hand, CA’s move may have made things more confusing for customers.  By increasing the number of controls repositories that a customer has to maintain, integration of IDFocus makes compliant provisioning deployments more challenging.  What would be really slick is if CA could find a way to work with the EACM vendors to synchronize SOD tests so that a customer could use the same test for both detective and preventive applications.

I was speaking on this very topic in Europe last week.  I commented on the various architectures for integrating EACM into user provisioning to provide compliant provisioning services.  (For more on this subject, check out Lori’s report on the matter.)  CA has now introduced a fourth deployment model in which the provisioning engine owns the entire compliant provisioning event from the request through the SoD test to the provisioning event itself. An interesting alternative. I’ll be curious to see where CA takes this.

(Originally post on Burton Groups’ IdPS blog.)

For those of you headed to Digital ID World, let me know and we can catch up. (I’m looking at you members of the Mark MacAuley supper club.)

I was at a customer, watching our integration with their provisioning system get [...]]]> I have spent a fair amount of time recently, ruminating on compliant provisioning and what comes after it. It is a fascinating mental exercise and if it remained as such, it would be useless. Yesterday, I got to see it in action.

I was at a customer, watching our integration with their provisioning system get installed and configured. It was, as all good software installs should be, quite boring. But what did captivate me was the business case and drivers for compliant provisioning. Though our customer has a mature provisioning system in production, they have yet to achieve fully automated provisioning. Why? Certainly not for lack of trying. Because their SAP environment is large, complex, and ever-changing, they cannot implement a comprehensive set of automated provisioning rules for fear of SoD creeping in.

They already rely of Approva BizRights to do “What If” analysis. It verifies on an ongoing basis that role definitions do not generate separation of duty problem as well as make sure accounts don’t contain any SoD problems as well. Currently, their outsourced help desk fields access requests. They gather up the roles being requests and use BizRights to perform What If analysis on the proposed account changes and then route the request on for provisioning.

Instead of an access request flowing to the help desk then into BizRights for analysis, they plan on automating the access request via their provisioning system. By using our “What If” analysis within the provisioning system they can cut out the help desk all together, eliminating that manual step. A handful of their SAP systems generate the vast majority of their ticket call volume. By implementing compliant provisioning, integrating BizRights with their provisioning tool, they are looking to cut that call volume down to 0 and save a bundle in the process.

A couple more of these kinds of deployments and compliant provisioning will be the norm in the provisioning market… and then I’ll be talking to you about what comes next.

Compliance Week is researching a story about compliance with identity management and user access policies. We’d like to hear about what policies you have in place for those needs, and what problems you’ve encountered (and solved) along the way. Send us your thoughts, and expect [...]]]> Matt Kelly at Compliance Week threw out a line recently:

Compliance Week is researching a story about compliance with identity management and user access policies. We’d like to hear about what policies you have in place for those needs, and what problems you’ve encountered (and solved) along the way. Send us your thoughts, and expect an article on the topic in upcoming weeks.

Needless to say, I am very curious what people will share on this subject. I’m always fascinated to hear how people apply user provisioning tools.

Back in the day there were two major selling points for user provisioning: compliance and reduced help desk call volume. Customers were quick(er) to recognize the reduced help desk call volume but the compliance aspect lagged, mostly dueto the fact that no one knew what compliance meant. (These were the pre-SOX days mind you.)

Times have certainly changed as has the messaging. Recently provisioning for compliance has morphed into compliant provisioning. User provisioning systems have matured to a point that organizations can use them as service platforms. Organizations are realizing that their provisioning infrastructures are great vehicles for other services: password management, role lifecycle management, and so on. Compliant provisioning is one of the best examples of this.

If our recent webinar with KPMG and IBM was any indication, then the market is desperate for compliant provisioning solutions. We had hundreds of attendees asking some very tough questions about implementation, architecture, and resources needed. I can’t wait to see if Matt’s research reaffirms what we are seeing in the ever maturing provisioning market.