Identity Capacitance

Continuing on Andre’s thoughts that there are more identities coming from the Internet than from internal networks… The challenge for the enterprise is managing this vastly larger population without overrunning the systems and services currently in place. The problem is one of identity capacitance; how many identities can the company manage and how many identity services can it offer?

A company, can manage its 10,000 employees and their identity-related needs, and it can do this within budget and operational constraints. The systems that it employs to do so gives the company an identity capacitance of X. Using federation tools, the company can raise its identity capacitance to 100X. But the total numbers of identities out there is far far greater than that. To address this, the company has to increase its identity capacitance, but it can’t and still stay within budget and operational constraints. Enter Identity Service Providers. With theoretically infinite identity capacitance, the provider can let the company sanely managed the oceans of identities out their while providing all the qualities of services that customers expect.

Questions I don’t have answers to: Is an identity service provider different than an identity provider? Do they compete with each other? Are they opposite sides of the same coin?

Two populations, two approaches

Andre over at Ping Identity has clearly been doing some heavy thinking. First, he connects internet-scale security and the continuing death of the firewall. Then, he raises the point that there are more identities outside the enterprise than within. The implication is that those external (Internet-based) identities are of real value to the enterprise; they are partners and customers. These external identities need to be “secured and tracked.” Two questions come to mind. First, do both populations require the same kind of identity management and services? At issue here is context. The context of a customer or partner is different from an employee. Yes, they may need similar identity services, but the manner in which they consume those services is context driven. This may lead to different sets of identity services, which must be centrally orchestrated and audited. Second, is the application tier really the best place to tackle these problems? I think the two different populations require different approaches. Companies needs to tackle inside identities from the network layer up. Why? Because people on the inside have greater access to the soft fleshy underbelly of the business. Even the most well intended employee can inadvertently cause damage once he’s on the enterprise network. Meanwhile, outside identities should be dealt with at the application tier as that is their access path to corporate systems.

Are we there yet?

This week, I spoke at the International Information Integrity Institute’s Forum in Dallas. The I4 is an interesting bunch. This member’s only event brings infosec practitioners from around the world to swap war stories and hear about new trends. I was blown away by the attendees and the raw frank nature that they discussed their issues.

“Sox sucks.” That was the gist of what one attendee said to me. She outlined the myriad of hoops she has had to go through dealing with SOX. Behind her frustrations was an implied question shared by many attendees – “When will we be done?”

When it comes to regulatory pressure, sadly, there is an inverse relationship between how tightly written the regulation is and how long it will take to be compliant. The tighter the reg, the less time it will take, and vice versa. PCI is fairly tight, whereas SOX (and its interpretations) are pretty loose when it comes to IT.

When it comes to major IdM projects, they often get presented to the enterprise like a decree from the Kremlin: “Good news, Comrades! We have a five year plan for achieving compliance through user provisioning. We shall be victorious.” The reality is that it really may take five years, but there’s no way you’ll sell upper management going that route. Successful projects use guerrilla tactics; find a small target, plan thoroughly, achieve the goal, move on to the next one. You can make the big five year plan work by stringing small victories together to achieve the end goal.

Unfortunately, in this litigious world, getting to “done-ness” is getting and harder. The good news is – every small victory and all the steps we take along the way make the business better.