Lean Enterprise Role Management

28.01.2009 by Martin Kuppinger

Role management projects are sometimes described as too complex. Yes, there are projects which failed due to their complexity. But a recent Kuppinger Cole report based on a survey shows that the average number of business roles is relatively small. Likewise, the complexity of role models for specific system environments (even SAP) is manageable. Thus, defining and implementing role models with multiple layers can be done – and it can be lean.

The keys, from my perspective, are the use of multiple clearly defined, separate layers of roles, defined responsibilities for roles within a role lifecycle management approach, and a separation of the overall project into different projects for business roles, IT-functional roles and the role models of the different systems. There are some other best practices as well. Anyhow, it is obvious that managing a few hundred or, at the system level, in some cases even a few thousand roles is much easier than managing all the single entitlements at the system level that we are dealing with today. Role management can be lean. And you can learn more about this in a webinar we will hold tomorrow together with some of the vendors in the role management market.
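To make the layered approach concrete, here is an added example (not from the original post or from any vendor product) of a three-layer role model: business roles resolve to IT-functional roles, which resolve to the role models of individual systems, and a segregation-of-duties rule defined once at the IT-functional layer is enforced on the effective entitlements across systems. All role, system and entitlement names are constructed sample data.

```python
"""Three-layer role model: business roles -> IT-functional roles -> system
role models. Each layer has its own owner (business, IT, system admins) and
can be changed without touching the others. Sample data is constructed."""

# Layer 1: business roles (owned by the business). Each maps to IT-functional roles.
BUSINESS_ROLES = {
    "accounts_payable_clerk": {"invoice_processing", "vendor_lookup"},
    "accounts_payable_manager": {"invoice_approval", "vendor_lookup"},
    "sales_rep": {"crm_standard_user"},
}

# Layer 2: IT-functional roles (owned by IT). System-neutral, mapping to
# (system, system role) pairs.
IT_ROLES = {
    "invoice_processing": {("sap", "AP_CLERK"), ("dms", "invoice_upload")},
    "invoice_approval": {("sap", "AP_APPROVER"), ("dms", "invoice_read")},
    "vendor_lookup": {("sap", "VENDOR_DISPLAY")},
    "crm_standard_user": {("crm", "std_user")},
}

# Layer 3: role models of the systems themselves (owned by each system's admins),
# resolving to the raw entitlements that the post calls "single entitlements".
SYSTEM_ROLES = {
    ("sap", "AP_CLERK"): {"post_invoice"},
    ("sap", "AP_APPROVER"): {"release_payment"},
    ("sap", "VENDOR_DISPLAY"): {"display_vendor"},
    ("dms", "invoice_upload"): {"dms:write"},
    ("dms", "invoice_read"): {"dms:read"},
    ("crm", "std_user"): {"crm:accounts:rw"},
}

# SoD constraints are stated once, at the IT-functional layer, so they hold
# regardless of which systems (on-premise or SaaS) implement the functions.
SOD_CONFLICTS = [("invoice_processing", "invoice_approval")]


def resolve(business_roles):
    """Expand a user's business roles into IT roles and per-system entitlements."""
    it_roles = set()
    for business_role in business_roles:
        it_roles |= BUSINESS_ROLES[business_role]
    entitlements = {}
    for it_role in it_roles:
        for system, system_role in IT_ROLES[it_role]:
            entitlements.setdefault(system, set()).update(SYSTEM_ROLES[(system, system_role)])
    return it_roles, entitlements


def sod_violations(business_roles):
    """Return the SoD pairs a combination of business roles would violate."""
    it_roles, _ = resolve(business_roles)
    return [pair for pair in SOD_CONFLICTS if pair[0] in it_roles and pair[1] in it_roles]


def business_roles_granting(system, entitlement):
    """Reverse lookup for recertification: which business roles grant this entitlement?"""
    return sorted(
        b for b in BUSINESS_ROLES
        if entitlement in resolve([b])[1].get(system, set())
    )
```

Because each layer is small and separately owned, a recertification campaign reviews a handful of business-role assignments per user instead of every raw entitlement in every system.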

By the way: The emerging market of vendors with strong role management capabilities underlines that role management isn’t too complex. There are many vendors out there which have successfully deployed role management implementations, either as part of specific role management products or as part of their GRC or IAM products.

Why IaaS is mandatory for the cloud…

28.01.2009 by Martin Kuppinger

I have blogged several times about IaaS (Identity as a Service), the last time only some two weeks ago. We will observe a strong increase in that field, the stronger the more people understand that IaaS is mandatory for the cloud. In our upcoming Market Report Cloud Computing 2009 (available starting tomorrow at http://www.kuppingercole.com/reports) we provide, for the first time ever, a rigorous and valid structuring of the cloud market with all its different segments.

IaaS is part of this market, but it is also a prerequisite for most other aspects of cloud computing. The more services you use in the cloud, the more you need IaaS and GRCaaS (GRC as a Service, just to create a new horrible acronym). How will you ever become compliant if you can’t manage your identities and their access rights consistently in the cloud? That goes well beyond authentication. We will need approaches for consistent policy management across different cloud services, which in turn will require new standards, going beyond what federation standards like SAML, authorization standards like XACML and other standards like the IGF (Identity Governance Framework) provide today.

The biggest threat in cloud computing is manageability. And within that field, the biggest threat by far is managing the identities, their authentication, the authorization and all the auditing stuff, to meet the business policies and rules defined within more advanced GRC approaches. Thus, within a cloud strategy the IAM strategy is a vital part, and a prerequisite for every successful move to the cloud. That is as true when using only a few cloud services (or even only consuming some external web services in SOA applications) as for approaches where everything, including IAM and GRC, is moved into the cloud.

We strongly recommend evaluating today’s options for IaaS and their relationship to cloud strategies. By the way: the European Identity Conference 2009 will be a great place to learn about and discuss this.

The European IAM and GRC landscape

26.01.2009 by Martin Kuppinger

These days, we’ve been mentioned by Marcus Lasance, an independent IAM consultant who formerly managed MaxWare U.K., in his blog. Dave Kearns commented on this today in his Network World newsletter. Both Marcus’ blog and Dave’s newsletter were about IAM in Europe – and the fact that there are many more vendors and integrators out there than are visible at first glance. And yes, Kuppinger Cole as an analyst company covers them, but isn’t limited to them – for sure we are in touch with the US vendors and companies from other countries (for example Brazil, Australia, …) as well.

My personal opinion is that there are two really important aspects in choosing a vendor: the vendor must be able to deliver to the customer. That might be a limitation – for US vendors in Europe as well as vice versa (and for any other region). And the product must fit the requirements of the customer. That might favor local vendors which support local regulations and local languages, or are simply in sync with the concepts and methodologies used in specific regions. But there are also European vendors acting successfully on a global basis, as well as (more frequently) US vendors being successful in Europe.

Overall, I fully agree with Marcus and Dave that it is important to consider all choices. Big vendors can be the perfect choice – as well as smaller local vendors. But you will only know when you consider all choices. By the way: there are also European vendors which don’t fully convince me – and no one provides a solution that fits every use case, for sure. To support the decision, we’re constantly providing reports on vendors from all over the world. There will be, by the way, several new and updated reports about European vendors within the next three weeks, including companies like Beta Systems, BHOLD, Engiweb, Evidian, G+D, Omada, SAP, and Siemens, to name just a few – complementing the available series of reports which also covers companies like IPG and Völcker.

Again: Identity Data Theft

22.01.2009 by Martin Kuppinger

Yesterday, news spread about the theft of millions of credit card records at the US company Heartland Payment Systems, based in Princeton, New Jersey. Even though that might be one of the largest cases of data theft in the credit card industry, it wouldn’t be interesting enough for me to blog about. The – from my perspective – really interesting point is, from what I’ve read in the news, the way the attack was performed.

The information is encrypted when sent, but has to be decrypted to be processed. The attackers grabbed the information while it was unencrypted. Surprise? Not really. The problem with security is that virtually any approach is incomplete – and thus inherently insecure. Examples?

  • Passwords are frequently encrypted via SSL when sent to an eCommerce website, but are then decrypted and compared – and often they are even stored unencrypted and sent back in case of a lost password. I’ve just seen this again recently, when I received my password in cleartext via eMail.
  • Data is encrypted on a specific type of device using some DLP (Data Loss Prevention) technology. Once delivered, it is decrypted – and might be mailed as an attachment.
  • Access Control Lists are enforced to provide security for data at file servers – but they are sent to the client unencrypted and the user might store an unshielded copy (or mail it or do something else).
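As an added illustration (not part of the original post), here is the password-handling failure from the first bullet beside a hardened form: the weak store keeps what arrived over SSL in cleartext and mails it back on a "lost password" request, while the hardened store keeps only a salted PBKDF2 hash and handles lost passwords with a short-lived, single-use reset token, so the server holds nothing it could send back. User names, passwords and the iteration count are constructed sample values.

```python
"""Cleartext password store (the pattern criticised above) next to a hashed
store with a token-based reset flow. Sample users and values are constructed."""
import hashlib
import hmac
import secrets
import time


class CleartextStore:
    """Weak: the server keeps exactly what it received once SSL was terminated."""

    def __init__(self):
        self.users = {}

    def register(self, user, password):
        self.users[user] = password

    def login(self, user, password):
        return self.users.get(user) == password

    def lost_password_mail(self, user):
        return f"Your password is: {self.users[user]}"  # mails the secret itself


class HashedStore:
    """Hardened: salted PBKDF2-HMAC-SHA256 at rest, constant-time compare,
    and a one-time reset token instead of returning the password."""

    ITERATIONS = 210_000  # constructed value; tune to your hardware budget
    TOKEN_TTL = 900       # reset tokens expire after 15 minutes

    def __init__(self, now=time.time):
        self.users = {}         # user -> (salt, iterations, derived_key)
        self.reset_tokens = {}  # sha256(token) -> (user, expiry); raw token never stored
        self.now = now          # injectable clock so expiry can be tested offline

    @staticmethod
    def _derive(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self.ITERATIONS, self._derive(password, salt, self.ITERATIONS))

    def login(self, user, password):
        if user not in self.users:
            # Do the same work for unknown users so timing does not reveal valid names.
            self._derive(password, b"\x00" * 16, self.ITERATIONS)
            return False
        salt, iterations, stored = self.users[user]
        return hmac.compare_digest(stored, self._derive(password, salt, salt and iterations))

    def lost_password_mail(self, user):
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()
        self.reset_tokens[key] = (user, self.now() + self.TOKEN_TTL)
        return f"Reset token: {token}"  # the mail carries a token, not the password

    def reset_with_token(self, token, new_password):
        key = hashlib.sha256(token.encode()).digest()
        entry = self.reset_tokens.pop(key, None)  # pop makes the token single-use
        if entry is None or entry[1] < self.now():
            return False
        self.register(entry[0], new_password)
        return True
```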

These are just three examples – of hundreds or thousands. Another was discussed in a Kuppinger Cole webinar yesterday, where we talked about “service oriented security”, i.e. application security infrastructures, SOA security, and so on. The question was about the security between the applications and the security systems (and eventually the security of the security systems themselves). That is a good question. Often there are security holes somewhere at the center of the security system. SSL itself isn’t the answer. In that case it is about a consistent security approach. Unfortunately, even many IAM and GRC applications don’t provide a really sophisticated security model.

Another interesting point is that there are always other potential security holes. Trojans which grab keystrokes are one example, the man behind you reading the information on your screen is another one. Some of these problems can be addressed, for example with external keyboards for entering sensitive information in eBanking. Others will always be there.

There is no easy solution to these issues. Information Rights Management will help to address many of these problems – I’ve blogged about the need for IRM some time ago. But IRM won’t solve everything. Information has to be processed, thus the systems which process data are extremely sensitive (as in the case I started with). And a business document in an ERP system is, finally, stored in fragments within a database.

From my perspective, the most important point is to work on an authorization strategy (or access strategy) which covers all aspects. Any investment in DLP is at risk as long as it isn’t part of the bigger picture. Point solutions are perfect for masking the real security problems, but they don’t really solve them. An overall strategy which identifies the security holes and which tries to use a limited number of well-linked technologies is mandatory to minimize security risks. That strategy has to include everything, from the firewall and SSL-secured connections to IRM and the security of backend systems. That is no easy task, especially because there are frequently many different parties involved which all claim that they have found the holy grail for enforcing security. But it can be done – and it will save you a lot of money by avoiding investments in security technology which doesn’t really solve your problems.

For those of you who can read German: please participate in this survey. It fits well with the topic of this blog post.

Identity as a Service

21.01.2009 by Martin Kuppinger

Some days ago, I had a very interesting discussion with John de Santis and some of his colleagues from TriCipher, one of the vendors which provide IaaS (Identity as a Service) solutions, in that case particularly with their MyOneLogin service. That discussion is one in a series of others I have had with several of the other vendors in the IaaS space like Multifactor Authentication, Arcot Systems, or Ping Identity, to mention just a few.

On the other hand, my colleague Jörg Resch (currently very active in organizing the European Identity Conference 2009, where we will have, amongst many other topics around thought leadership and best practice for IAM and GRC, definitely much content about IaaS) some weeks ago asked me for my opinion on approaches like Facebook Connect and related standards (Google Friend Connect, Myspace Data Availability) and, as a result, my overall opinion on IaaS. First of all, the positive thing about all these initiatives is that they address the lock-in issues in today’s social networks, which I discussed more than a year ago in this blog (by the way, a discussion we started at our European Identity Conference 2007).

So where is the link between these two discussions? It is all about the way we can and should deal with identities in the future. In business as well as privately. First of all, identity is core to any of these initiatives like cloud computing and SaaS or Enterprise 2.0 or Web 2.0 – even though many people haven’t understood the impact of identity yet. How will you ever fulfill compliance requirements in an IT infrastructure which consists of multiple SaaS services provided by different companies as well as some still existing internal IT services? Who is allowed to do what in that environment? Just think about SoD controls across multiple SaaS services… How do we control the way our employees act on the Internet, still representing our company? What about consistency and reliability there? How about the integration of Web 2.0 services into the enterprise, for corporate use – what is sometimes called Enterprise 2.0 (I use this term here even though most of the 2.0 terms are just ridiculous)?

It is interesting to observe that there are some initiatives and products trying to address at least some of the problems. Vendors start providing strong authentication as a service, sometimes focused on authenticating to SaaS. Social networks start to open up, even while there is a lack of standards. Information cards might become virtual corporate business cards.

Thus, we have some standards (like OpenID, Information Cards and the underlying federation standards, XACML,…), some IaaS services (mainly for authentication and federation and some provisioning), and some proprietary approaches for exchanging information from social networks. Many areas like policy management and auditing aren’t covered yet. And in the area of social networks, there should be one standard, which might make use of Information Cards instead of some vendor implementations. From my perspective, we are still at the very beginning of the IaaS market. We will need to create more standards and implement more use cases. There is a lot of room for vendors and service providers.

From a corporate perspective, we will observe approaches where companies fully rely on IaaS, putting everything into the cloud. There will be companies which use just some cloud services, like federation or strong authentication. And there will be companies which still mainly rely on their own IAM and GRC infrastructure, with the need to integrate that with cloud services they use.

Today, you can’t fully rely on IaaS, but you can enhance your IAM and GRC infrastructure with some very interesting solutions to become more flexible in your move to cloud computing. But you definitely should analyze which opportunities IaaS provides – and how to do IAM and GRC for cloud computing, Enterprise 2.0, Web 2.0 and all these other initiatives.

Not to forget: I’d like to once again ask for your participation in our current surveys. Thanks!

The effect of the recession on IT security

14.01.2009 by Martin Kuppinger

These days I received a pretty interesting survey compiled by Cyber-Ark, one of the vendors in the market for Privileged Account Management (PAM) or Privileged Identity Management (PIM), as Cyber-Ark calls that market segment. I have seldom read such an interesting survey, providing insight into the dark side of many users. The survey, which was carried out amongst 600 workers, mainly from the financial districts of New York, London, and Amsterdam, included some really tough questions. Participants were asked, for example, whether they would try their hardest to gain access to the redundancy lists if rumors about redundancies were on their way. 46% of all participants – and 57% in the US – answered yes. And 70% of these US employees said that they would use their IT system to snoop around. On the other hand, 71% of the people from the Netherlands answered that they would preemptively download company and competitive information if their job were at risk. Another interesting number: 62% of the US participants and 54% of the ones from the Netherlands said that they find it easy to take sensitive or valuable information out of the company – with eMail and memory sticks being the easiest ways to do that.

Honestly, I’m somewhat surprised about the impressively high numbers of people who would do illegal things – even though I would agree that I’m a cynic sometimes, these numbers were somewhat above my expectations. The really important lesson is that enterprises have to act. They have to act on Identity and Access Management, GRC, Privileged Account Management, Data Leakage Prevention, and Information Rights Management. And they have to act with a combined strategy which focuses on really closing the gaps – not only some of the many doors. PAM is a must these days, given that privileged accounts pose the highest risks and most companies don’t really know who has access to some of these accounts. Information Rights Management has to become reality. And Data Leakage Prevention has to be performed in the context of the identities – approaches on which companies like RSA are working these days. It is time to act – especially in these days, because fear and uncertainty are perfect drivers for computer crime.

I really appreciate the survey compiled by Cyber-Ark. For sure they like to spread their message about the importance of PAM. But even if the numbers were significantly smaller, their message would still be true: it is high time to really protect the company’s valuable intellectual property and sensitive information – with a mix of PAM and the other technologies mentioned above.

Some new Kuppinger Cole surveys on IAM

09.01.2009 by Martin Kuppinger

We’ve compiled some questionnaires on different aspects of the IAM and GRC markets and put them online. We’d greatly appreciate your participation in these surveys. Most of the questionnaires are very lean, consisting of 10 to 12 questions – only the IAM market survey 2009 is quite a bit longer.

Two surveys are about the RoI of IAM, or, more precisely, of different aspects of IAM. The Identity Administration RoI Survey analyzes the cost of administering Identity Management infrastructures. The IAM Tools RoI survey focuses on the cost of the core tools (mainly directories and provisioning) in IAM environments. Once finalized and analyzed, we will provide free webinars on the results of these surveys.

For those of you who can read German, there are two more surveys. The questionnaire of the IAM market survey 2009 is the basis for our annual market report. Whilst this survey focuses mainly on the D-A-CH (Germany, Austria, Switzerland) markets, we will soon release an English version for other markets as well.

Another short survey is about the accepted costs of security (especially hardware tokens). This is in German as well.

Thank you in advance for participating!

From IT to Business

07.01.2009 by Martin Kuppinger

The topic of IT-Business Alignment isn’t really new. It has been discussed for years now. And several software vendors, mainly in the area of “Business Service Management”, claim to solve the problems in that area. But, honestly: I believe that we are, in most cases, far from real IT-Business Alignment. I have blogged several times around this topic (here, here, here, and here).

But let’s start with my definition of what IT-Business Alignment is: IT does what the business requires – not more, not less. That includes aspects like the ability to respond efficiently to new business requests, the ability to report on and enforce business controls (including all the GRC requirements), and the efficiency of IT itself in the sense of a streamlined, lean IT organization.

There are, from my view, two main steps to go:

  1. Reorganize IT
  2. Implement a consistent control layer between Business and IT

From my perspective, the lessons we’ve learned from outsourcing and outtasking are a good basis for IT reorganization. Strategy has to be in-house – that is the core part of the IT department. Other parts might be done in-house as well, but organized in their own “centers” with clearly defined SLAs. An IT organization which consists of a strategy/architecture department for guidelines, a GRC department which focuses on all relevant controls, and some decentralized IT knowledge in the business organizations (to define the requirements for applications and other IT services) might be the lean approach. That requires the competency for guidelines and strategies, including a strong influence on sourcing decisions. But IT itself would be pretty small. The “doing”, i.e. running systems, can be done in-house – there is no need to outsource this. But in that case, these are separate departments which act, as described above, like external entities (or like the internal facility management or corporate security or any of these internal service providers).

The layer between IT and Business is, from my perspective, a GRC layer which goes well beyond Identity and Access Management related GRC approaches and well beyond BSM/ITSM, providing a consistent framework of business controls for IT.

For sure we can’t change an organization immediately. There are several prerequisites:

  1. The CIO role has to change, clearly focusing on that IT-Business Alignment, with the responsibility for GRC as the main task.
  2. You will need architects and strategists for the central department.
  3. You will need persons with a good IT understanding in the business departments.
  4. You will need managers who can really manage the IT “centers” as business managers.
  5. GRC tools have to go beyond just IAM or BSM support, moving towards real platforms.

Thus it is a long way to go. But I strongly believe that we have to go that path, for more efficient organizations and to reach the target of IT-Business alignment.

© 2014 Martin Kuppinger, KuppingerCole