Role Up-Role Up

A bit of a book review: I have had the above book written by David F.Ferraiolo, D.Richard Kuhn and Ramaswamy Chandramouli, (all names that trip readily of the tongue) sat on my bookshelf for the last 16 months or so. Due to time constraints and other priorities I have never had the time to sit down and read it properly, so instead I have been dipping in and out of it. The book can be used as a reference guide, but this approach does not do it any justice. After reading it cover to cover I have massively changed my opinion on the book, its not as pie in the sky or academic as I initially thought.

The book, is devoted purely to RBAC and its many concepts, incorporated within this is a mass of information with reference to the security aspects and potential stumbling blocks associated with RBAC, at the start of the book these may be a bit basic for the seasoned security pro’s but stay with the book as it covers far more than just security

The SoD chapters of the book is really interesting, particularly the authors perceptions of “dynamic SoD’s” something I intend on picking up on over the next few weeks. The book also moves on to cover NIST’s proposed RBACx standard.

The book is not jammed with technical jargon so it makes easy reading for the more business focused folks. All in all its a very informative and well written book, it’s a must read for anyone looking to embark on any kind of roles project, with an added bonus of it being totally vendor agnostic.  

Old news but Sun has indicated its intent to acquire Vaau, all being well the acquisition will close in early 2008. This is the first time I have been at an organisation that has been involved in the whole acquisition and merger process. I guess with all companies that are being acquired there is a degree of mixed emotions from the staff, on the down side the lose of the small, expert “niche player” status and the perceived lose of feeling part of a close knit team. On the other side, the excitement of new challenges and experiences as well as some of the opportunities that exist within a large multinational organisation.

Sun and Vaau are a great fit, from both a technology and people point of view. From my prospective, looking solely at the Identity and Access market space, I like that Sun are at the top of the Gartner magic quadrant and look ready and willing to invest and innovate to ensure they stay there.

In my opinion everyone wins with this acquisition, Sun have a fantastic reputation in acquiring and strengthening products as they have done with the iPlanet and Waveset technologies, this in turn benefits customers and drives the whole identity management space forward. 

Kevin Kampman, about 12 months ago wrote that ERM vendors were like domino’s, his analogy being that once one vendor went then the others would quickly follow, from an acquisition point of view. He appears to have been pretty close to the money, with Oracle acquiring Bridgestrean and Sun set to acquire Vaau. It would appear that Novell have developed their own role management offering. So out of the large IdM players this still leaves IBM, CA, Microsoft and BMC with a roles/role management gap to plug. On the ERM side Eurekify is possibly the most mature, but there are others such as Aveska, Sailpoint, Bhold and Omada.

Place you bets…..who’s next to be acquired and by who??? Role management is a red hot subject and I am sure there will be further announcements soon.

Shekhar Jha has written an interesting blog “Roles-what ’bout it” by his own admission he is not a roles expert but sits more in the fine grained entitlement/access management camp. Jha argues that he see roles more as an abstraction between policy modelling and policy management. He does go on to say that increasingly people are seeing roles as something more important.

I for one as well and increasing number of clients see role management as a vital element of Enterprise Identity Management, this is not at the cost of fine grained entitlement management but more as an overall integral part of it. Jha’s closing comment are that we must understand the problems/goals we are trying to resolve, I totally agree but there can be no end of drivers behind wanting role management, compliance, ease of use, return on investment etc, etc. One of the primary reasons is to offer the user community non-discretionary access control, where entitlements are clustered and controlled centrally by IT folks but allocated or revoked at a local level by business users. This has huge benefits for all organisations, I am not sure if entitlement management alone can provide such functionality.

As an extension to the same subject Radovan Semancik posted comment on Dave Kearns blog “The rules about roles” saying “Role mining does not work either. It is just a legalisation of chaos. This will make things look better, but will not really solve the problem”  I guess if I was to walk on to a customer site and pull out a bag of tricks and start role mining, the roles produced would not be fit for purpose, its not an approach to be supported. This is where we flip back to Entitlement Management, as a pre-cursor to role mining we need to ensure that the entitlements that users have are exactly what they need to carry out the job function. Once we have clean entitlements we can then carry out role mining and produce outstanding meaningful results.

This is only part of the story and really only address’s a bottom up approach, we need to also consider the top down elements such as location, job, code, job function etc. Then there is context and some element of rule management. When all of these elements come together we have true, effective, enterprise roles. 

Slightly late this blog due to other commitments, but Dave Kearns has written a great article titled  “Is Vaau a Wow“. The easy answer is yes, but I guess I am biased. Dave’s article mentions a short mail I sent him, which seems to have appealed to his sense of humour. On the flip side it did not go unnoticed by other members of the IAM fraturnity!!! And no I do not run a fan club… The article is well worth a read.

At 3 separate meetings this week I have been posed the same questions, “who looks after this roles stuff when its deployed and you guys leave site?” Its a really good question, after all its not just role management (normally part of the IAM team) we are talking about, but also identity compliance (normally part of the audit team).

Its possibly best to work out where this technology and the responsibilities best sit. In my opinion it should be firmly within the Identity Management Team/Practice. Most of the larger organisations now have fully esatblished teams that are dealing with the challenges of IAM, roles are a logical extension to their remit. Additionally the IAM teams are already interfacing with the whole business not just the IT folks and that’s particularly relevant with roles and identity compliance.

So great we can firmly place the person within the IAM team reporting to head of practise, but what about a person profile? The person will be a strange and unique mix of skills, they must understand IAM, not necessarily on a technical level but all the concepts and challenges, they must be fully aware of security concepts, someone CISSP or of that ilk. The individual must have a sound business mind and be capable of interfacing with the business on all levels. They must have a very good understanding around compliance, in finance be SOX aware, in health be HIPPA aware, etc, etc. Technical ability of the person is very subjective, a grounding and high level appreciation would be sufficient as my perception is this person would direct the technicalities of things and employ a hands on technical resource to facilitate the data crunching side.

The right calibre of person is out there, they might not have all the skills as the technology is relatively new, but an individual with the right aptitude and attitude will easily adapt to the challenges of the roles animal.

Dr. Horst Walther has written about the rigidity of roles “Roles are the Organisation“. It’s an interesting piece and one that I do not totally agree on, He writes:

“If you run a company merely ad hoc and a role model is considered as an unnecessarily rigid structure imposed on top of a fluid ecosystem that reinvents itself at every very moment-O.K, in this case forget about role models”.

In my opinion all organisations have their own ecosystems, they appear to be and indeed are organic dynamic entities, in today’s highly competitive commercial environments they have to be. So as Dr. Walther writes, if we apply a rigid role structure to an organisation it can start to become restrictive and could be potentially damaging to the organisation.

At Vaau we have taken a much more flexible pragmatic approach that enables an organisation to continue to be fluid whilst at the same time offers the ability to adopt a hybrid ad-hoc approach to role management with a role model that works and is manageable. Using Pareto law(80/20) and proven experience you bank on 80% of roles within an organisation to be pretty much static and may only need re-visiting as and when applications are introduced or retired or post some kind of re-org, that is to say entitlements, permissions, resource allocation(terminology) for that role will not change.

The issue becomes more profound for that 20% of roles that will be constantly moving targets, Vaau offer the ability for dynamic roles and further to that have the ability to add context restraints to a role based on a certain time period for example. This approach enables entitlements to be granted or removed from a user on an ad-hoc basis without massive time lags and more importantly without breaking anything.

The natural assumption is that dynamic roles disrupt the entire automation process and as such would create huge compliance issues for most constraints for global competition. To negate this very issue Vaau have developed a process called summarisation. It sounds complex but it is very logical and extremely well thought out.

As and when users are given additional entitlements or have entitlements revoked, this information is captured in the RBACx Identity Warehouse, when the time comes for attestation the information in the Identity Warehouse is compared against that within the role management module, attesters are then presented with the role that the user has sufficient entitlements to qualify for a role the attester is presented with a breakdown of entitlements, without role association.

This approach allows for dynamic ecosystems within organisations and also ensures full compliance via summarisation by certifying “who has access to what” and capturing “who says they can have access”.

Regardless of the dynamics of an organisation, a good solid role management tool should be considered a business enabler rather than a restrictive disabler.

Burton Group have published a great report titled “Understanding Role Management Applications: No Pain, No Gain”. The report is very comprehensive and looks at the main vendors in the roles arena. Due to copyright I am unable to offer the report via my blog, but if you can hold of a copy its well worth a read.

There are lots of positives in the report from my prospective; the following couple of lines are particularly pleasing to read:

• “Vaau is at the forefront of the role management market.
• “The company’s focus on compliance helps to address immediate customer challenges, providing an extensible solution to address regulatory requirements”  

It really is rewarding when highly respected independent Analyst’s like The Burton Group are writing comments like these.

Prior to starting at Vaau I had a pre-conceived idea about a role. I thought a single role would be all encompassing and would be used for role based access control (RBAC) or by a provisioning engine to simplify the leaver, mover process.

Well thats part of the story, and a single role is achievable. Most organisations embarking on role management projects have a strategic vision and aim for a single set of enterprice level roles. This may be more of a panacea, a vision to aim for. At the coal face things are slightly more complex.

Fortunatly the Vaau product set is very flexible and offers configuration options to accomodate various types of roles and combination of roles. Further to this, organisations can facilitate a program of certification against these roles, ensuring the right users have the right role allocation, helping to increase security and drive compliance standards.

As they say a picture paints a thousand words, my colleague Hemen Vimadalal built this schematic frame work to help illustrate things. The diffrent role types are clearly visable in light yellow, and a rough guide to the information that may be contained within these role types in blue. (NB it’s not exhaustive)

Worth a look :- roles.pdf

The good thing being that all roads lead to Rome, in the roles case, Rome is enterprise level roles. Regardless of the start point a true role management tool, should be able to integrate in to an organisations IT estate and rapidly deliver business benefits, without the need for an exhaustive change management program.

I read with a great deal of interest an article by Erin Norlin headed up Roles: driving network access control, full article can be found at http://blogs.zdnet.com/digitalID/?p=55. To sum up the article talks about sharing role information gathered at the application layer and utilising this information to control access at the network layer, in effect simplifying administration and enhancing policy enforcement, as well as adding to the security mechanisms. 

 I am sure that anyone who has daily dealing’s with products like CA’s Access Control or looks after ACL’s on Cisco routers or firewalls will see massive benefits in this approach, the article does identify the challenges of vendors in “The defining of, management of and refining of” roles. 

This is another (hidden) area where huge business benefits will be gained by the adoption of a provisioning solution and incorporating it with roles based access control. Once this information has been gathered, the steps to extend it beyond traditional applications to the network layer should be relatively painless.