CA’s Acquisition of IDFocus

Yesterday CA announced its acquisition of IDFocus,  a small Israeli company.  Among other abilities, IDFocus provides a finer-grained segregation of duty (SoD) analysis engine.  CA has previously integrated this engine into Identity Manager, their user provisioning tool.

This is an interesting wrinkle in an ever-changing market.  CA now possesses a preventive-controls engine with the ability to look further into the security stack of an application.  This engine allows customers to make SoD decisions below the role or group level, at the lower ACL/security object levels.  Provisioning vendors have until now done this by calling external services provided by Enterprise Application Controls Management (EACM) vendors.

On one hand, CA has partially obviated the need to integrate with an SAP, Oracle, or Approva by integrating the IDFocus capabilities into CA Identity Manager.  On the other hand, CA’s move may have made things more confusing for customers.  By increasing the number of controls repositories that a customer has to maintain, integration of IDFocus makes compliant provisioning deployments more challenging.  What would be really slick is if CA could find a way to work with the EACM vendors to synchronize SOD tests so that a customer could use the same test for both detective and preventive applications.

I was speaking on this very topic in Europe last week.  I commented on the various architectures for integrating EACM into user provisioning to provide compliant provisioning services.  (For more on this subject, check out Lori’s report on the matter.)  CA has now introduced a fourth deployment model in which the provisioning engine owns the entire compliant provisioning event from the request through the SoD test to the provisioning event itself. An interesting alternative. I’ll be curious to see where CA takes this.

(Originally post on Burton Groups’ IdPS blog.)

What happens in Dapoli stays in Dapoli: A Trip Report

[Some friends from Approva were in town from Pune, India.  They had read my trip report on our company trip to the beach in Dapoli and found it hilarious.  They implored me to post it up on tuesday night.]

Day 1 – A Good Start

Hare Krishna bus: hare, hare, krishna, krishna
Hare Krishna bus: hare, hare, krishna, krishna

After Shamshu (or Uncle as he is known in the office) picked me up at oh-dark-thirty, we headed to the office. There in watching everyone try and get organized, I introduced him to the expression “herding cats.” I knew I was in for a good time when I noticed dried vomit festooned on the side of the bus. Shortly after, Shamshu asked, with a slight malevolent grin, “Do you get the motion sickness?” I do, Shamshu, I do indeed, but I had prepared for such a situation by doping up appropriately.

So off we went, about 2 hours later than we were supposed to. And by off we went I mean to say, we started fighting through traffic in Pune. Both buses stopped a while later to pick up more people. (There were two buses. Hare Krishna, seen above, and The Short Bus, which will be taking a prominent role in a moment.) In the crew that we picked up at the second included Shishir, Kaustubh, and Aniruddha. After much back and forth, it was decided that the drinkers and smokers would take The Short Bus and everyone else would ride with Krishna. So off we went… again.

Breaks to pee: A common trip activity
Breaks to pee: A common trip activity

Queue Bollywood sound track at earsplitting decibels. After an hour of that I did make out the distinct sound of a beer being opened. Okay, I’m thinking, this is a good old fashion road trip. Kingfisher in hand I sat back and enjoyed the drive out of Pune and into the hills. Stopping at a Tata Power Generation control reservoir I got a good sense of the landscape reminded me of Southern California.

Good luck
Good luck

On the way back to the bus I saw something hanging from the open engine compartment. Shamshu called it lemon chili and it was, supposedly, for good luck. Keep that good luck charm in mind.

Continue reading What happens in Dapoli stays in Dapoli: A Trip Report

Off I go

I’m headed to India in a few hours, off to meet up with everyone in our Pune office.  I have to say, I am really looking forward to this trip.  I’ve never been to India before and there’s nothing like a two week trip to serve as a very limited crash course.  One added bonus on this trip, I’m lucky enough to tag along on our company retreat.  Two days on the beach in Dapoli… sounds like fun.  Pictures at 11.

Why Compliance Cannot be Delivered as a Service

My friend Mark MacAuley can always be counted on to stir things up. He’s seen plenty of enterprise deployments and architectures and comes at problems with a combination of Yankee ingenuity and healthy cynicism. Over on Identitystuff, Mark writes about offering Compliance as a service:

The new frontier is CaaS – Compliance as a Service. Fixed cost, consistent automated reporting, a defensible model for implementing and showing transparency.

Although the intent of Compliance is good, in Mark’s estimation Compliance is 100% cost with no positive yield to the bottom line.

The trouble is that Mark refers to Compliance as if it is an IT service that can be delivered like outsourced help desk or security management. Compliance, the Big “C,” cannot be delivered as a service. The Big “C” is the interplay between people, processes, and IT systems to achieve the mission of the business in the context of regulatory and market pressures. It isn’t binary; it isn’t something you have one day and not the next. This dynamic interplay requires continuous measurement and feedback loops to ensure that deviations are corrected and, ideally, prevented.

Compliance is a matter of controls – instituting a variety of controls and then charting the business’ distance in relation to those controls at all times. Let’s take a simple common non-business example. When a cop pulls you over for speeding, you often get asked two questions:

  1. Did you see that speed limit sign?
  2. Do you know how fast you were going?

This is a simple example of controls in daily life. To track towards Compliance, first, you have to know about the control – awareness of the speed limit. Second, you have to be aware of your relationship to the control – how fast you are going. Finally, you, as a safe driver and responsible citizen, have to continually measure your relation to the control – keep your eye on the speedometer, unless you want a visit from auditors or enforcement agencies.

Expressing, understanding, monitoring, and enforcing controls CAN be delivered as a service. These services, including controls documentation and controls management, address automated and manual controls for IT and non-IT systems and processes. And it is the delivery of these capabilities as a service that can reduce the cost of compliance.

Matt Flynn get’s in on the action and provides a crucial point, if indirectly:

I think there are definitely organizations out there that would love to have a third party who is willing to be an expert and own compliance for them.

It’s people! Compliance is People! This is the other piece of the puzzle and as Matt says, it can be delivered by a third party. Service providers, with deep domain expertise, armed with controls documentation and management tools, can provide holistic compliance services, and with a little creative thinking, a bit of indemnity insurance, they can truly own compliance for an enterprise.

The Big “C” Compliance cannot be delivered as a service, nor by Santa Claus, not for all the tea in China. But that being said, compliance experts and expertise bolstered by controls management and documentation services can help organizations track towards Compliance and be able to adapt as any of the variables in the Compliance equation shift.

(Originally posted over on Audit Trail.)