May 24th, 2007
Burton Group have published a great report titled “Understanding Role Management Applications: No Pain, No Gain”. The report is very comprehensive and looks at the main vendors in the roles arena. Due to copyright I am unable to offer the report via my blog, but if you can get hold of a copy it's well worth a read.
There are lots of positives in the report from my perspective; the following couple of lines are particularly pleasing to read:
- “Vaau is at the forefront of the role management market.”
- “The company's focus on compliance helps to address immediate customer challenges, providing an extensible solution to address regulatory requirements”
It really is rewarding when highly respected independent analysts like the Burton Group write comments like these.
Posted in Roles | No Comments »
May 15th, 2007
I recently attended a presentation by Klaus Thelemann from the Partner Advisory Services at E&Y. Klaus gave an extremely well informed talk on the upcoming changes to the EU compliance legislation. The crux revolves around the changes that are being made to the 4th, 7th, 8th and the transparency directives. Some of the more interesting points are within the 8th directive; this basically states that all companies of public interest are required to conform. Previously, EU companies have been able to de-list from the US stock market to avoid SOX compliance. Moving forward, the de-list tactic will not allow the majority of EU organisations to escape their compliance commitments.
So, compliance is going to hit Europe in the same way that it has hit the US. It will not be an overnight process as there are still many points to get ratified centrally within Europe; it is envisaged that this process will be completed and passed as European law by the end of June 2008. After that date, member states will have to pass the EU legislation as law in their own countries. If the law follows a similar process to SOX, I guess companies will have a few years to show they are fully compliant before anyone gets prosecuted.
It sounds like a long time, but in reality most organisations are already looking at compliance at various levels. Within the EU, I do not think we will see the rush to achieve compliance that the US has witnessed. A high percentage of large companies, especially within the UK, have already adopted or are adopting a strategy that involves Corporate Governance.
The “GOTCHA” in this is the companies of public interest; these may not, and in many cases will not, be the large corporates. Even the smallest of companies could fall into this category, as will public sector organisations. Compliance does not come cheap. Multi-nationals will be able to absorb these costs with very little impact on Joe Public, but SMEs will have no choice but to pass these costs on…to us.
Bit of a personal dilemma: I welcome the extra business that compliance should drive but am not looking forward to paying for it.
Posted in Compliance | No Comments »
May 10th, 2007
At the start of this week I attended the first European Identity Conference in Munich, Germany. A specialist event such as this has been a long time coming. The event was really well organised by Kuppinger Cole Ltd. and was aptly titled “Thought Leadership & Best Practices in Identity Management”. As you would expect, the entire spectrum of IM was included, from Single Sign On, Federation and User Life Cycle Management to Virtual Directories, Roles and Compliance.
Without exception all of the keynote speakers offered great insight into their field of expertise. The balance of speakers was right as well: a number of vendors, a few from academia and a good percentage of end users who gave some really candid presentations on their own experiences of deploying some of these technologies.
Outside of the normal networking I spent my time in the compliance and roles tracks. Some of the break-out sessions were insightful and thought provoking; others were puzzling as to some of the project approaches adopted, but equally thought provoking.
I have loads of comments and thoughts that I will blog over the next week or so. (time permitting)
Posted in Events | No Comments »
May 1st, 2007
I have attended the InfoSec event in the UK for at least the past 5 years as both an exhibitor and a delegate. The event seems to be on a downward spiral. After speaking to a number of people this year it would appear that the much sought after warm leads are just not materialising; this was very much my own experience. It would appear that it is starting to be the “norm”. I guess the big players must be experiencing the same issues: last year CA took the brave decision and failed to exhibit, and this year neither CA nor Oracle exhibited.
When the big software security houses do not see any value in the event you have to question the event's viability…
So what is wrong with it? IMHO there are a number of things. The event is too broad; well, security is a massive subject, I hear you say! It is, but I do not think anyone with any buying power goes to InfoSec to resolve all their issues. Buyers are a lot savvier and a lot more focussed; as and when a business need is identified they look to find a solution to resolve that issue rather than adopting a shopping cart approach.
Secondly, InfoSec has become a magnet for pen and mouse mat collectors, an open house event with no real vetting of the attendees; hence on the Wednesday it was packed with students stocking up on stationery.
Thirdly, USPs seem to have vanished. This year, at a guess, I would say 80% of vendors were claiming they had a product to assist in achieving some form of compliance; some of these may be very tenuous. Last year everyone's USP seemed to be around Access and Identity Management…what's next year's USP?
On the positive side it is a good opportunity to meet up with old colleagues and friends and carry out some networking.
The conference market is extremely competitive; I firmly believe InfoSec UK will need to change over the coming years to make it a viable option for vendors to exhibit at.
Posted in Events | No Comments »
March 22nd, 2007
Last week I attended the SunLive event in London; my main role was to support our colleagues in Wipro. Wipro had built a really powerful demonstrator showing the integration between RBACx and Sun's Identity Manager. Unfortunately I found the event pretty slow; the audience seemed to be more concerned about virtualisation, Java and Sun's hardware, all interesting subjects in their own right, just not my thing.
The one thing that caught my interest was a presentation by Drew Wagar from KPMG on the “Perils and Pitfalls of Identity Management”. The presentation was well informed, honest and open, and there was very little on the normal best practices around deployment. Drew adopted a refreshing approach and concentrated on the selection process: how in many cases projects are set to fail due to poor vendor selection, or lack of knowledge and lack of clearly defined requirements on the customer side.
The most salient point that Drew made (IMHO) was regarding the ITT process. He concluded that the process is fundamentally flawed, as all vendors will state that their products meet all the requirements of any questions posed in an ITT. On occasion, Drew suggested, vendors may bend the truth to receive ticks in the boxes on a scoring matrix; his comments naturally raised a few smiles. The net effect is that on paper all offerings are the same.
Drew laid out a sensible framework for vendor selection; his presentation that outlines the approach can be found here. One of the best bits of advice offered to organisations looking for an IAM solution was to try to cut down on the ITT process. The suggestion here was to carry out mini PoCs with the same success criteria for each vendor; this approach would self-select vendors, as those bending the truth would quickly be exposed.
From my own point of view, it was reassuring to hear one of KPMG's advisors talking about law and regulatory compliance as a strong driver for procuring and deploying IAM, and also the fact that roles, role modelling and role mining need to be considered factors in the selection criteria. Fortunately Vaau have these 2 areas expertly covered within the “Identity Compliance Manager” and “Roles Manager” modules.
In all it was a great presentation, with a bucket load of free advice from a KPMG advisor.
Posted in Events | No Comments »
March 6th, 2007
Prior to starting at Vaau I had a preconceived idea about a role. I thought a single role would be all encompassing and would be used for role based access control (RBAC) or by a provisioning engine to simplify the leaver and mover process.
Well, that's part of the story, and a single role is achievable. Most organisations embarking on role management projects have a strategic vision and aim for a single set of enterprise level roles. This may be more of a panacea, a vision to aim for. At the coal face things are slightly more complex.
Fortunately the Vaau product set is very flexible and offers configuration options to accommodate various types of roles and combinations of roles. Further to this, organisations can facilitate a program of certification against these roles, ensuring the right users have the right role allocation, helping to increase security and drive compliance standards.
As they say, a picture paints a thousand words, so my colleague Hemen Vimadalal built this schematic framework to help illustrate things. The different role types are clearly visible in light yellow, and a rough guide to the information that may be contained within these role types is in blue. (NB it's not exhaustive)
Worth a look :- roles.pdf
The good thing being that all roads lead to Rome; in the roles case, Rome is enterprise level roles. Regardless of the start point, a true role management tool should be able to integrate into an organisation's IT estate and rapidly deliver business benefits, without the need for an exhaustive change management program.
Posted in Roles | No Comments »
February 10th, 2007
Slightly off topic, but something that has been an issue this week. Being relatively new to the whole flying around Europe scene, I have been bitten twice in 5 days. The first was on a flight into Frankfurt; I booked the flight from Stansted to Frankfurt and, to be fair, it was cheap. I now fully understand why it was so cheap: Frankfurt Hahn airport is a mere 1 and a half hours outside Frankfurt. The second was on a flight from Stansted to Dusseldorf Weeze; this is slightly better but it is still an hour and 15 outside of Dusseldorf. It begs the question: are all Ryanair flights really value for money? Not in all cases, when a taxi to get to where you want to go costs over €100. Note to self, look at a map before booking a flight.
Posted in Uncategorized | No Comments »
January 19th, 2007
It seems like ages since I last posted; it's been a manic few weeks, with University assignments to get completed, the family Christmas thing and just the general madness of the New Year. As well as all this, I have taken up a new post at Vaau. I would like to reach out and say a big thanks to all those well wishers, particularly Paul Toal for the “big up” on his congratulations post.
I am sure you will start seeing a lot more posts as I slowly but surely get my head around the Enterprise Roles Management (ERM) arena. ERM seems like a really bad choice of category to pigeon hole the Vaau technology into; that title barely scratches the surface of the capabilities of the software.
Anyway, that's for future posts. This year's resolution is to post at least twice a week. With my new found knowledge that should be pretty painless, so this is one for this week!
Posted in Uncategorized | 1 Comment »
November 30th, 2006
Today I attended a CIPCOG event. These events are not normally my bag, but this one carried the strap line “Identity Management”. Overall the event was very informative, particularly for the target audience whose main interest seemed to be in and around the information assurance arena. There was one presentation that I found highly thought provoking; the presentation was delivered by Tony Collings, who leads the information assurance team within the National ID card program. Collings is a seasoned presenter, whose approach was refreshingly frank, honest and open. The guts of his presentation centred around how we, the citizens in the UK, prove our identity.
It is widely accepted that a birth certificate, in most instances, will be accepted. For a passport a birth certificate will be needed and a photo signed by a responsible person; likewise for a driving licence, an application form and a birth certificate will suffice. Collings challenged the concept that a birth certificate is suitable documentation to use for authorisation purposes. He went on to provide an example of when he registered his child's birth: he went into an office, informed them he now had a child, and they hand-wrote him a birth certificate. Easy as that. From my own experience things have not changed much; I think that I was given a letter from the hospital and my wife and I had to produce our passports. Job done.
The point being made challenges the rights/wrongs of UK residents being issued with a National ID card on the basis that they have a birth certificate, when we know for a fact that the system of issuing them is flawed and susceptible to fraud, without a great deal of sophistication. I am sure we would all say no, that's “terrible”. But what is the answer? What mechanisms and checks and balances should be used? Lots of challenges; one of Collings' analogies is “juggling chain saws” and in this instance I think he could be right. This presentation is yet to be published but an earlier one of a similar ilk can be found here.
As a pure coincidence, tonight one of my 16 year old relatives came to me bragging about their ability to go out boozing; when I challenged this fact, they openly admitted to acquiring, shall we say, less than genuine ID. I have no intention of doing an advertising job here, but to appreciate the extent of the potential problem have a look at this site http://www.photo-id.co.uk/. This loosely links with one of my earlier blogs around roles. There is one thing for sure: with the ease with which fake identification is readily available, Tony Collings' dilemma seems to grow and grow.
Posted in Identity | No Comments »