“What’s Hot” for 2008

January 18th, 2008

Without doubt a very subjective question. Firstly, looking at the Access and Identity Management space, it’s hard to see any major gaps where new innovations will easily bolt in. My thoughts are that there will be a great deal of consolidation and tidying up to do, ensuring products are more cohesively bolted together and that they become easier to deploy and manage.

The one gap I do see, and one that customers are starting to ask for, is Dynamic Segregation of Duties (DSD). In principle this should be pretty easy to achieve, but the reality is far more complex. As a starting point any product that offers DSD must be state aware, that is to say it must know where a user is and where a user has been in respect to their IT journey across the enterprise. This is not difficult to achieve in web-based access control technologies but will be a bigger challenge across non-web-based apps. It’s a fascinating area and we may see some of the SSO products such as Imprivata and Passlogix, as well as those relying on Kerberos, take a lead in this area.
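To make the “state aware” point concrete, here is an added example (not code from the original post or from any product) of a minimal dynamic SoD check: it tracks where a user is (roles active in the current session) and where they have been (the trail of actions already taken on business objects). The role names, action names and conflict pairs are constructed for illustration.

```python
from collections import defaultdict

# Constructed policy: role pairs that must never be active together in one session,
# and (earlier action, later action) pairs one person must not perform on the same object.
ROLE_CONFLICTS = {frozenset({"payment_preparer", "payment_approver"})}
ACTION_CONFLICTS = {("prepare_payment", "approve_payment")}
# Constructed mapping of each action to the role that must be active to perform it.
ACTION_REQUIRES = {"prepare_payment": "payment_preparer", "approve_payment": "payment_approver"}


class DynamicSoD:
    """State-aware DSD: combines session state (active roles) with per-user history."""

    def __init__(self, role_conflicts=ROLE_CONFLICTS, action_conflicts=ACTION_CONFLICTS):
        self.role_conflicts = role_conflicts
        self.action_conflicts = action_conflicts
        self.active = defaultdict(set)    # user -> roles active in the current session
        self.trail = defaultdict(list)    # user -> [(action, object_id), ...] across sessions

    def activate(self, user, role):
        """Allow activation only if the role does not conflict with one already active."""
        for held in self.active[user]:
            if frozenset({held, role}) in self.role_conflicts:
                return False
        self.active[user].add(role)
        return True

    def deactivate(self, user, role):
        self.active[user].discard(role)

    def perform(self, user, action, object_id):
        """Allow an action only if the required role is active AND this user has not
        already performed a conflicting action on the same object, even in an earlier session."""
        if ACTION_REQUIRES.get(action) not in self.active[user]:
            return False
        for earlier_action, earlier_obj in self.trail[user]:
            if earlier_obj == object_id and (earlier_action, action) in self.action_conflicts:
                return False
        self.trail[user].append((action, object_id))
        return True


if __name__ == "__main__":
    dsd = DynamicSoD()
    dsd.activate("alice", "payment_preparer")
    dsd.perform("alice", "prepare_payment", "PAY-42")
    dsd.deactivate("alice", "payment_preparer")          # new session, different hat
    dsd.activate("alice", "payment_approver")             # allowed: preparer no longer active
    print(dsd.perform("alice", "approve_payment", "PAY-42"))  # denied: history remembers PAY-42
```

The last call is the case a purely session-scoped check misses: swapping roles between sessions clears the active state, but not the journey.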

Compliance is the next area. I know this is pretty old hat; it’s not the technologies that will change here but the customers, particularly across EMEA. The transparency directive becomes effective in June this year. This basically means that any European organisation that may be of public interest must show transparency in its procedures, and the easiest way to measure this is via a compliance framework. The big organisations already (for the most part) have a compliance strategy in place. SMEs will start to take a bigger interest in this area but will not have the means or appetite for a full-on IAM suite. IMHO SMEs will look to the smaller, specialist independent vendors to meet their compliance needs.

The last thing for 2008 is the whole social networking scene. Personally I use LinkedIn and think it’s very useful. For some folk one social network is not enough; it seems on a daily basis I am getting requests from all kinds of social networks such as Facebook, Plaxo, Konnects, etc., etc. I am sure these are good things, but can they all survive in a highly competitive space?

2007 was a fast and furious year; I am sure 2008 will be bigger and better.

Role-Based Access Control

December 10th, 2007

A bit of a book review: I have had the above book, written by David F. Ferraiolo, D. Richard Kuhn and Ramaswamy Chandramouli (all names that trip readily off the tongue), sitting on my bookshelf for the last 16 months or so. Due to time constraints and other priorities I have never had the time to sit down and read it properly, so instead I have been dipping in and out of it. The book can be used as a reference guide, but this approach does not do it any justice. After reading it cover to cover I have massively changed my opinion on the book; it’s not as pie-in-the-sky or academic as I initially thought.

The book is devoted purely to RBAC and its many concepts. Incorporated within this is a mass of information with reference to the security aspects and potential stumbling blocks associated with RBAC. At the start of the book these may be a bit basic for the seasoned security pros, but stay with the book as it covers far more than just security.

The SoD chapters of the book are really interesting, particularly the authors’ perceptions of “dynamic SoDs”, something I intend to pick up on over the next few weeks. The book also moves on to cover NIST’s proposed RBACx standard.

The book is not jammed with technical jargon, so it makes easy reading for the more business-focused folks. All in all it’s a very informative and well written book; it’s a must read for anyone looking to embark on any kind of roles project, with the added bonus of it being totally vendor agnostic.

Who’s Next???

November 29th, 2007

Old news, but Sun has indicated its intent to acquire Vaau; all being well the acquisition will close in early 2008. This is the first time I have been at an organisation that has been involved in the whole acquisition and merger process. I guess with all companies that are being acquired there is a degree of mixed emotions from the staff: on the down side, the loss of the small, expert “niche player” status and the perceived loss of feeling part of a close-knit team; on the other side, the excitement of new challenges and experiences as well as some of the opportunities that exist within a large multinational organisation.

Sun and Vaau are a great fit, from both a technology and a people point of view. From my perspective, looking solely at the Identity and Access market space, I like that Sun are at the top of the Gartner magic quadrant and look ready and willing to invest and innovate to ensure they stay there.

In my opinion everyone wins with this acquisition. Sun have a fantastic reputation for acquiring and strengthening products, as they have done with the iPlanet and Waveset technologies; this in turn benefits customers and drives the whole identity management space forward.

Kevin Kampman wrote about 12 months ago that ERM vendors were like dominoes, his analogy being that once one vendor went then the others would quickly follow, from an acquisition point of view. He appears to have been pretty close to the money, with Oracle acquiring Bridgestream and Sun set to acquire Vaau. It would appear that Novell have developed their own role management offering. So out of the large IdM players this still leaves IBM, CA, Microsoft and BMC with a roles/role management gap to plug. On the ERM side Eurekify is possibly the most mature, but there are others such as Aveksa, SailPoint, BHOLD and Omada.

Place your bets… who’s next to be acquired, and by whom??? Role management is a red hot subject and I am sure there will be further announcements soon.

CISSP

November 28th, 2007

After a horrendous wait I finally got my CISSP results from (ISC)2 and have fortunately passed the CISSP exam. It is by far the strangest exam I think I have ever taken: 6 hours to complete 250 very fluffy multiple-choice questions. There is a lot to the exam, at a conceptual level at least. As folks say, it is a mile long and an inch thick. A success story for me, but the annoying thing was the delay in receiving my results. The delay was due to systems upgrades at (ISC)2; this upgrade appeared to disrupt all normal operations and created huge delays. These things happen, but we are not talking hours or days, we are talking weeks. The funny side of this (in a perverse way) is that (ISC)2 are very big on Business Continuity Planning (BCP) and Disaster Recovery (DR), ensuring things run to plan and enabling an organisation to get back up and running as quickly as possible in order to sustain itself. The theory is great but I am not sure how well (ISC)2 heed their own teachings in practice.

It was a good exercise in patience and in my opinion worth the wait. The plan is now to move on and try for CISM; it keeps the old grey matter ticking over if nothing else!!!

Entitlement Management

September 18th, 2007

Shekhar Jha has written an interesting blog, “Roles - what ’bout it”. By his own admission he is not a roles expert but sits more in the fine-grained entitlement/access management camp. Jha argues that he sees roles more as an abstraction between policy modelling and policy management. He does go on to say that increasingly people are seeing roles as something more important.

I, for one, as well as an increasing number of clients, see role management as a vital element of Enterprise Identity Management; this is not at the cost of fine-grained entitlement management but more as an overall integral part of it. Jha’s closing comment is that we must understand the problems/goals we are trying to resolve. I totally agree, but there can be no end of drivers behind wanting role management: compliance, ease of use, return on investment, etc., etc. One of the primary reasons is to offer the user community non-discretionary access control, where entitlements are clustered and controlled centrally by IT folks but allocated or revoked at a local level by business users. This has huge benefits for all organisations; I am not sure if entitlement management alone can provide such functionality.

As an extension to the same subject, Radovan Semancik posted a comment on Dave Kearns’ blog “The rules about roles” saying “Role mining does not work either. It is just a legalisation of chaos. This will make things look better, but will not really solve the problem”. I guess if I was to walk on to a customer site and pull out a bag of tricks and start role mining, the roles produced would not be fit for purpose; it’s not an approach to be supported. This is where we flip back to Entitlement Management: as a precursor to role mining we need to ensure that the entitlements that users have are exactly what they need to carry out the job function. Once we have clean entitlements we can then carry out role mining and produce outstanding, meaningful results.

This is only part of the story and really only addresses a bottom-up approach; we need to also consider the top-down elements such as location, job code, job function, etc. Then there is context and some element of rule management. When all of these elements come together we have true, effective, enterprise roles.

Oracle Acquires Bridgestream

August 22nd, 2007

Although I cannot find an official announcement, it would appear that Oracle are about to acquire Bridgestream, according to this article from PEHUB. It’s not really surprising or new, as there have been rumours and speculation around for a number of months now.

What I do find surprising are some of the figures mentioned. According to PEHUB Oracle will be paying between $33 million and $36 million; the article reports that Bridgestream’s revenue figures are $500k pa. As part of an MBA module I was taught that an acquisition figure around 12 times revenue is the norm; using this as a rough guide Bridgestream could be valued at around $6 million. Hats off to the Bridgestream guys for securing up to $36 million.

The announcement will have very little impact on the roles market place; although Bridgestream as an entity will disappear, there are a number of new entrants that will help keep things fresh and competitive.

The EMEA Office

August 22nd, 2007

After a few months of the EMEA office being in full swing, the marketing machine has come into force and announced our presence. This article seems to be pretty much everywhere, but for those that may have missed it, you can read it here. The opening of the office is a significant step forward and demonstrates Vaau’s commitment to the ever growing EMEA market by being the first Enterprise Roles Management organisation to open a base office in the UK from which to service European customers.

IdM Newsletter

August 20th, 2007

Slightly late, this blog, due to other commitments, but Dave Kearns has written a great article titled “Is Vaau a Wow”. The easy answer is yes, but I guess I am biased. Dave’s article mentions a short mail I sent him, which seems to have appealed to his sense of humour. On the flip side it did not go unnoticed by other members of the IAM fraternity!!! And no, I do not run a fan club… The article is well worth a read.

The Roles Animal

July 15th, 2007

At 3 separate meetings this week I have been posed the same question: “who looks after this roles stuff when it’s deployed and you guys leave site?” It’s a really good question; after all it’s not just role management (normally part of the IAM team) we are talking about, but also identity compliance (normally part of the audit team).

It’s possibly best to work out where this technology and the responsibilities best sit. In my opinion it should be firmly within the Identity Management Team/Practice. Most of the larger organisations now have fully established teams that are dealing with the challenges of IAM; roles are a logical extension to their remit. Additionally the IAM teams are already interfacing with the whole business, not just the IT folks, and that’s particularly relevant with roles and identity compliance.

So, great, we can firmly place the person within the IAM team reporting to the head of practice, but what about a person profile? The person will be a strange and unique mix of skills: they must understand IAM, not necessarily on a technical level but all the concepts and challenges; they must be fully aware of security concepts, someone with a CISSP or of that ilk. The individual must have a sound business mind and be capable of interfacing with the business on all levels. They must have a very good understanding around compliance: in finance be SOX aware, in health be HIPAA aware, etc., etc. Technical ability of the person is very subjective; a grounding and high-level appreciation would be sufficient, as my perception is this person would direct the technicalities of things and employ a hands-on technical resource to facilitate the data crunching side.

The right calibre of person is out there, they might not have all the skills as the technology is relatively new, but an individual with the right aptitude and attitude will easily adapt to the challenges of the roles animal.

Rigid Roles

July 1st, 2007

Dr. Horst Walther has written about the rigidity of roles in “Roles are the Organisation”. It’s an interesting piece and one that I do not totally agree with. He writes:

“If you run a company merely ad hoc and a role model is considered as an unnecessarily rigid structure imposed on top of a fluid ecosystem that reinvents itself at every very moment - O.K., in this case forget about role models”.

In my opinion all organisations have their own ecosystems; they appear to be, and indeed are, organic, dynamic entities, and in today’s highly competitive commercial environments they have to be. So, as Dr. Walther writes, if we apply a rigid role structure to an organisation it can start to become restrictive and could be potentially damaging to the organisation.

At Vaau we have taken a much more flexible, pragmatic approach that enables an organisation to continue to be fluid whilst at the same time offering the ability to adopt a hybrid ad-hoc approach to role management with a role model that works and is manageable. Using Pareto’s law (80/20) and proven experience, you bank on 80% of roles within an organisation being pretty much static; they may only need revisiting as and when applications are introduced or retired, or post some kind of re-org. That is to say the entitlements, permissions, resource allocation (terminology) for that role will not change.

The issue becomes more profound for the 20% of roles that will be constantly moving targets. Vaau offer the ability for dynamic roles and, further to that, the ability to add context constraints to a role, based on a certain time period for example. This approach enables entitlements to be granted to or removed from a user on an ad-hoc basis without massive time lags and, more importantly, without breaking anything.

The natural assumption is that dynamic roles disrupt the entire automation process and as such would create huge compliance issues for most constraints for global competition. To negate this very issue Vaau have developed a process called summarisation. It sounds complex but it is very logical and extremely well thought out.

As and when users are given additional entitlements or have entitlements revoked, this information is captured in the RBACx Identity Warehouse. When the time comes for attestation, the information in the Identity Warehouse is compared against that within the role management module. Attesters are then presented with the role that the user has sufficient entitlements to qualify for; where the user does not qualify for a role, the attester is presented with a breakdown of entitlements, without role association.

This approach allows for dynamic ecosystems within organisations and also ensures full compliance via summarisation by certifying “who has access to what” and capturing “who says they can have access”.
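The comparison step described above, as an added example that is not Vaau’s code or any part of RBACx: a constructed in-memory stand-in for the identity warehouse records grant/revoke events, and `summarise()` compares a user’s current entitlements against a role model, returning the roles the user fully qualifies for plus the residual entitlements that no qualified role explains (the “without role association” breakdown an attester would see). Role names, entitlement names and users are constructed for illustration.

```python
from collections import defaultdict

# Constructed role model: role -> the full set of entitlements that role grants.
ROLE_MODEL = {
    "ap_clerk": {"erp:ap.read", "erp:ap.enter"},
    "ap_supervisor": {"erp:ap.read", "erp:ap.approve"},
}


class IdentityWarehouse:
    """Constructed stand-in for an identity warehouse: replays grant/revoke events
    into each user's current entitlement set."""

    def __init__(self):
        self.entitlements = defaultdict(set)

    def record(self, user, event, entitlement):
        if event == "grant":
            self.entitlements[user].add(entitlement)
        elif event == "revoke":
            self.entitlements[user].discard(entitlement)
        else:
            raise ValueError(f"unknown warehouse event: {event!r}")

    def current(self, user):
        return set(self.entitlements[user])


def summarise(user_entitlements, role_model=ROLE_MODEL):
    """Attestation view: roles the user holds every entitlement for, and the leftover
    entitlements (ad-hoc grants, or remnants of a partially revoked role) listed individually."""
    qualified = sorted(
        role for role, required in role_model.items() if required and required <= user_entitlements
    )
    covered = set().union(*(role_model[r] for r in qualified)) if qualified else set()
    return {"roles": qualified, "unassociated": sorted(user_entitlements - covered)}


if __name__ == "__main__":
    wh = IdentityWarehouse()
    for ent in ("erp:ap.read", "erp:ap.enter"):
        wh.record("bob", "grant", ent)
    wh.record("bob", "grant", "fileshare:finance.write")   # ad-hoc grant outside any role
    print(summarise(wh.current("bob")))
    wh.record("bob", "revoke", "erp:ap.enter")              # role no longer fully held
    print(summarise(wh.current("bob")))
```

The second print shows the failure mode the text describes: once one entitlement of ap_clerk is revoked, the attester no longer certifies “ap_clerk” but the remaining entitlements one by one.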

Regardless of the dynamics of an organisation, a good solid role management tool should be considered a business enabler rather than a restrictive disabler.