20.02.2009 by Martin Kuppinger
Novell has announced that it has acquired the technology for privileged account management (PAM) from Fortefi Ltd. PAM addresses the need to better manage privileged accounts. It is a broad field, starting with root account management in Unix and Linux environments and reaching out to technical user accounts, system users, local as well as domain administrators in Windows environments, and database and other system administrators. There are many privileged accounts out there. And these accounts frequently aren’t well managed, despite the fact that they have either full access or at least a lot of access rights. Sometimes they are shared by several persons, their passwords becoming (sort of) public. Frequently, no responsibility for these accounts is assigned to a user. Consistent lifecycle management is often missing.
Thus it is no surprise that auditors are analyzing the state of PAM more often than in former days. Missing PAM is a risk, opening the door for insider attacks – and sometimes making outsider attacks easier and more hazardous. Companies have to act on this.
Over the years, a pretty segmented PAM market has evolved. Some companies only address Unix/Linux root account management, others focus on Windows accounts. Most of these solutions are point solutions, even though the management of privileged accounts should be a part of the overall identity/account lifecycle management. Thus it is no surprise that Novell, as an established vendor in that market, has acquired a PAM vendor. We have predicted this before, for example in our “Trend Report IAM and GRC 2009-2019“. And we expect other established IAM vendors to enhance their portfolios as well. Thus, the Novell deal with Fortefi might be the first one in a wave of acquisitions.
There are two important things to note:
- Novell has taken a step into this market, but the solution, which focuses on Linux/Unix root accounts, doesn’t fully cover the requirements. There are many other privileged accounts out there which have to be managed. Novell will have to go beyond the Fortefi solution.
- When an IAM vendor acquires PAM technology, the logical next step is to integrate the technology with its Identity Lifecycle Management offerings, going beyond the standalone approaches which are most frequently found in the PAM market today.
Overall, the Novell acquisition will have a significant impact on the PAM market, which today is (as mentioned) segmented and where most (but not all) of the vendors are relatively small and pretty specialized.
18.02.2009 by Martin Kuppinger
Some time ago I blogged about the “rise and fall of social networks“. My main point was that today’s social networks lock in the information of their customers – if I participate in Xing, LinkedIn, Facebook or other platforms, I enter my data there. With some networks, it’s virtually impossible to export my own network. And if I want to use more than one of these networks, there is no way to just move my existing network to the new platform. The interfaces (in most cases) as well as the standards (in any case) are missing.
Yesterday, the discussion gained further momentum because Facebook has changed its policies. Facebook now claims an unlimited right to use the information which someone has entered – even when the user cancels his Facebook account. Interestingly, the general terms and conditions aren’t (or at least haven’t been) fully translated into German. Some German lawyers claim that they are thus invalid, because German law requires them to be in German.
Overall, the recent discussion and the overall situation are pretty interesting from two perspectives:
- Legal: Which of the general terms and conditions of providers are valid? Given that Facebook doesn’t act in Germany (and most other countries), but from the US, the contract is between a US company and a German (or other) user, and that is a very interesting question. It is, by the way, a general issue in the Internet. Most companies will face the same problem once they start using the cloud (and some have experienced these issues in outsourcing). Another question is about copyright and intellectual property rights – are rules like the ones of Facebook or Xing really valid? I have to grant them unlimited rights without any restrictions. I can’t cancel the contract. Once I have agreed, I’ve lost my rights. Besides this, it is as well an interesting question whether the change of general terms and conditions affects information which has been in the network before that change and whether or not someone has to agree explicitly to that change. I’m no lawyer but I think that these are interesting questions.
- Data ownership: Again, it is my network. I really don’t like to have this lock-in.
In another area, customer relationships, we have a somewhat comparable situation. Vendors have a lot of information about me – and I don’t really know what they know about me. Under German law, I can request that they provide me with the information they have stored about me (which might create a reasonable workload if many customers ask for that information). But there are other approaches. The concept of VRM (Vendor Relationship Management), which was intensively discussed at last year’s European Identity Conference, tries to change the game. The customer manages his vendor relations and controls which information he provides to whom. As I stated in my older post on social networks, these concepts might be applied to a new type of social network. I’m not quite sure about the business model. But as long as I have to deal with vendors whose business models – as they claim – only work if I give away all control and rights over my information, I think a switch in that area is really worth considering.
I think that companies like Facebook and Xing with their general terms and conditions are digging their own grave. That won’t happen very fast, but once the users have an option which provides them more rights and more privacy, that might happen.
10.02.2009 by Martin Kuppinger
I think that is an interesting question. Compliance is a key topic for every organization, with many facets. Currently we have an intense debate about Deutsche Bahn (the railway) and other organizations which have, for example, compared the bank accounts of their employees with those of suppliers. The goal is to avoid corruption. From a Corporate Governance perspective and from a compliance perspective (mitigating compliance risks and so on) that is a valid approach. From the data protection law perspective, it isn’t that easy. There are obvious conflicts between different regulations.
What has this to do with the costs of compliance?
There is a solution to the conflict above which also addresses the increasing costs of compliance (or, correctly, Governance, Risk Management, and Compliance). What has happened over the course of the years? Companies introduced platforms which help to address GRC requirements not only for a specific regulation but in a more standardized way. Even today, most of these GRC platforms aren’t complete. Some focus only on Risk Management (and within that, only on IT Risk Management or Enterprise Risk Management). Others support only specific system platforms, like ERP systems. Some support mainly attestation, but don’t focus on the counterpart, i.e. authorization management. But, anyhow, all these approaches try to consolidate GRC efforts.
The key value propositions of these platforms are reduced implementation costs, lower costs for fulfilling compliance regulations, and a consistent view on different regulations and their fulfilment. Reducing the costs of compliance is one of the main reasons for the success of these tools. On the other hand, the view on different regulations is what we need for the problem I’ve talked about at the beginning. If there are conflicts between regulations, they have to become visible. Then organizations can decide about the conflict. GRC platform approaches – at least the ones which really allow describing regulations and the resulting tasks and business rules – thus can help not only to reduce the costs of compliance but also to deal in a structured way with conflicts between different regulations.
Currently, most of the GRC tools lack good support for describing regulations and the associated policies and breaking them down to business rules and IT rules. But I’m convinced that we will see both an increasing number of standards for such policies and improved tool support within the next two or three years. That helps to deal with all the different regulations and at least to keep compliance costs under control despite a growing number of regulations.
We will have two Kuppinger Cole webinars this week which are related to the question above. One is on Thursday, 5pm CET, and has the title “Reducing Compliance Costs through Risk-Based Segregation of Duties Management“. The other is on Friday at 3pm CET, in German, and has the title “Zehn Gründe, warum Sie gerade jetzt in IAM und GRC investieren sollten.” (Ten reasons to invest in IAM and GRC especially in these days). Both deliver some answers to the question I’ve started this blog entry with. More discussions around this topic will take place at European Identity Conference 2009.
09.02.2009 by Martin Kuppinger
Last week I talked with Andrew Ferguson and Steven Legg of eB2Bcom. You’ve probably never heard of them, unless you are from the APAC region or work in the government and defense business, where they have most of their customers outside the APAC region. eB2Bcom is, first of all, a system integrator and distributor of IAM and GRC products.
But eB2Bcom is also the company which develops the View500 directory service. You haven’t heard of this product? It is at least worth a look. Basically, it is a directory service which goes beyond typical directory service offerings, which mainly focus on being the best LDAP server. They have, for example, integrated XML support for SAML, XACML, or ebXML. Thus, they go well beyond the DSML support some directory services are offering – DSML being in fact sort of a web service incarnation of LDAP. The difference is that the semantics of XML documents are supported. Other features include the matching of synonyms or typing correction for improved search and indexing.
eB2Bcom is adding additional features. The support for SAML and XACML is particularly interesting. By adding these capabilities to the directory service, that system can, for example, act as an integrated identity provider for federation. Instead of having a federation system and a directory server, it is one system with obviously less communication overhead. The same is true with XACML support and the directory acting as PEP (Policy Enforcement Point). One system instead of two or three in typical implementations.
Interestingly, what Microsoft is doing around Active Directory with ADFS (Active Directory Federation Services) or the server components of “Geneva” isn’t that different. It is sort of “pimp my directory server” by directly adding additional features instead of delivering separate products. The closer to the directory these features are implemented, the more efficient they are. On the other hand, we might end up with well integrated solutions which lack important features. Thus this approach isn’t a no-brainer, for sure. But I think it is really worth considering whether there are features which are best integrated with directory services, because the directory service is, anyhow, asked all the time. Thus, instead of having the directory service provide just a part of the answer and another system add to that answer (with repeated requests to the directory server, complex caching,…), it might be a good idea to do all these things in one place.
That won’t solve everything – but it is an interesting option. By the way, it might also be a good choice to add some virtual directory service capabilities to a directory server, as Sun has done with its Sun Directory Server, instead of fully relying on an external virtual directory service. It might also provide better performance, especially in situations in which most of the requested data is in that directory.
Another interesting point is that XML-enabled directory services will become an interesting option for centralized policy management. They can store these policies and provide them or answer requests about these policies. This is another emerging field where that approach might become popular over the next few years.
I will keep an eye on the evolution of the directory services market. And, from a vendor perspective, it is worth considering these options because it would move directory services back from a commodity to a market segment where companies can earn a lot of money because they have a strong unique selling proposition due to the services they’ve added to their directory service.
05.02.2009 by Martin Kuppinger
There is no doubt: We are in economic turmoil. And no one really knows when things will get better again. It is definitely interesting to observe what is happening from a risk management perspective (Why didn’t governments have pre-defined actions prepared? Why didn’t financial institutions understand the risks or, if they understood them, why were they willing to take them? What happened to all the positive cash flow of many organizations which are now in trouble – too many dividends?). But that isn’t my topic here. The topic is why organizations should invest in IAM and GRC – especially in these days. From my perspective, there are good reasons. And, from what I hear from vendors, the GRC market in particular is still very strong, as are at least many segments of the IAM market.
From an enterprise perspective, investments in these days should be even more focused on business value than in good days – maybe a little bit more on short-term value than before. Regarding IAM and GRC, there are – for sure – the negative inhibitors. Auditors might mandate some investments, especially for SoD management, PAM (Privileged Account Management), and defined, auditable Identity/Access/Role Lifecycle Management.
But there are as well positive aspects. To name just a few:
- Using clearly defined role concepts reduces the amount of single entitlements which have to be managed, thus reducing the overall administrative workload.
- Management by risk is sort of “management by exceptions”, focusing on the aspects which are really at risk. That’s more efficient, for sure.
- Any initiative in the area of IT risks supports Operational Risk Management. Any IT risk is, in fact, tied to an operational risk. On the other hand, virtually any operational risk is related to IT risks because IT systems are used to run the business. Put simply: Why do we talk about SoDs? Because of IT? No – because of business.
- IAM and GRC are key to the flexibility of IT and to supporting changing business requirements, especially in industries which have to react fast to changing customer demands (and who doesn’t)? Changing business processes require flexible security and identity infrastructures as well as flexible controls – that’s what IAM and GRC provide. BPM and non-IAM-aware SOA approaches alone aren’t sufficient.
I’ve also blogged several times about the CIO agenda. It is obvious that many of the things at the top of the CIO agenda are tightly related to IAM and GRC. Any initiative towards cloud computing requires strong IAM and GRC backing, because IAM and GRC will become much more complex when using both internal services and cloud services.
These are just some few reasons. IAM and GRC are an important foundation for any enterprise IT. And you shouldn’t build your IT on sand.
We will have some webinars around these topics. The first one will be in German, naming 10 good reasons to invest in IAM and GRC. You can register now. We will do the same webinar in English some weeks later, and additional webinars on how to do lean, focused IAM and GRC projects as well. Another interesting place to learn about these topics is, for sure, the 3rd European Identity Conference held in Munich May 5th to 8th. The place to be!
03.02.2009 by Martin Kuppinger
There is no doubt that the attestation capabilities which can be found in many of today’s IAM-GRC platforms (i.e. GRC platforms with a focus on Identity and especially Access Management aspects) are important and helpful. Attestation provides a capability to go through existing entitlements and, in some cases, changes, and to confirm or revoke them. But: Attestation is mainly sort of a detective approach. There are two other aspects which have to be addressed as well:
- Preemptive controls which avoid that there is any access right granted which later on has to be revoked
- Controls in the sense of really managing and not just auditing
That is where active Authorization Management comes into play. In my definition, Authorization Management covers the approaches to centrally manage authorizations in underlying systems. In the best case it ends up with the management of specific entitlements (that would really be “Entitlement Management”); in most cases it is only the capability to map users (using roles and so on) to system-level roles, groups, or profiles. Better than nothing… In fact, most GRC solutions are limited because the provisioning solutions they use are limited as well. There are only a few products which can granularly manage entitlements, at least for a few target systems.
But at least using higher-level policies (and thus rules) and business roles to manage authorizations, i.e. in most cases controlling provisioning systems, is a huge step forward – even more so if the GRC system can use the reconciliation capabilities of provisioning solutions to detect issues on the fly and not some weeks or months later, the next time one goes through the attestation process (that might be too late – the money might be on some strange Caribbean island by then).
Anyhow, the big gap of provisioning still remains. Provisioning (or GRC) is in control down to the assignment of users to groups/roles/profiles in the target systems. But what these groups, roles, or profiles are allowed to do is managed by someone else – the operator/administrator of these target systems. You should always keep that in mind, because it is the reason why we will need not only one level of attestation but multi-layered attestation, starting with the sysadmin who confirms that groups, roles, or profiles still have the correct access rights at that level.
There is another interesting aspect of Authorization Management: Dynamic Authorization Management. Most of today’s approaches are static, i.e. they use provisioning tools or their own interfaces to statically change mappings of users to groups, profiles, or roles in target systems. But there are many business rules which can’t be enforced statically. Someone might be allowed to do things up to a defined limit. Some data – for example some financial reports – have access restrictions during a quiet period. And so on. That requires authorization engines, used as part of an externalization strategy (externalizing authentication, authorization, auditing and so on from applications), which deliver the result of a dynamic authorization decision on the fly, according to defined rules.
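The two points above, the two entitlement layers that multi-layered attestation has to cover and the dynamic rules (approval limits, quiet periods) that static group mappings cannot express, as an added example in Python; this is illustrative code, not from the post or any product, and all users, roles, limits and dates are constructed:

```python
from datetime import date

# Layer 1, controlled by provisioning / the GRC platform: user -> roles (constructed)
USER_ROLES = {"alice": {"ap_clerk"}, "bob": {"ap_manager"}, "carol": {"analyst"}}

# Layer 2, controlled by the target-system administrator: role -> (action, resource)
ROLE_ENTITLEMENTS = {
    "ap_clerk": {("approve", "invoice")},
    "ap_manager": {("approve", "invoice"), ("read", "quarterly_report")},
    "analyst": {("read", "quarterly_report")},
}

# Dynamic rules that no static mapping can express (constructed values)
APPROVAL_LIMIT = {"ap_clerk": 5000, "ap_manager": 50000}
QUIET_PERIODS = {"quarterly_report": (date(2009, 3, 25), date(2009, 4, 15))}


def effective_entitlements(user, user_roles=USER_ROLES, role_entitlements=ROLE_ENTITLEMENTS):
    """Flatten both layers into the set of (action, resource) pairs a user can exercise."""
    return {e for r in user_roles.get(user, ()) for e in role_entitlements.get(r, ())}


def attest_layers(user, baseline_roles, baseline_entitlements):
    """Compare the current state with the state attested last time on BOTH layers.

    Returns the entitlements the user gained since the baseline, and whether the
    user's role assignment (the only layer a single-layer review looks at) changed.
    A change made by the sysadmin on layer 2 shows up as gained entitlements while
    roles_changed stays False: exactly what single-layer attestation misses."""
    gained = effective_entitlements(user) - effective_entitlements(
        user, baseline_roles, baseline_entitlements)
    roles_changed = USER_ROLES.get(user, set()) != baseline_roles.get(user, set())
    return gained, roles_changed


def authorize(user, action, resource, amount=0, on=None):
    """Externalized decision: static entitlement check first, then runtime rules."""
    if (action, resource) not in effective_entitlements(user):
        return "deny: no static entitlement"
    if action == "approve":
        limit = max(APPROVAL_LIMIT.get(r, 0) for r in USER_ROLES[user])
        if amount > limit:
            return f"deny: amount {amount} exceeds limit {limit}"
    if on is not None and resource in QUIET_PERIODS:
        start, end = QUIET_PERIODS[resource]
        if start <= on <= end:
            return "deny: quiet period"
    return "permit"


if __name__ == "__main__":
    # Baseline from the last review: the sysadmin had not yet given ap_manager report access
    old_entitlements = {**ROLE_ENTITLEMENTS, "ap_manager": {("approve", "invoice")}}
    print(attest_layers("bob", USER_ROLES, old_entitlements))
    print(authorize("alice", "approve", "invoice", amount=6000))
    print(authorize("carol", "read", "quarterly_report", on=date(2009, 4, 1)))
```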
Today, in most cases companies rely on single-layer attestation – which isn’t sufficient. They have to move to multi-layered attestation, to static authorization management and to dynamic authorization management. And vendors will have to enhance their products significantly to support every aspect. There is still a long way to go for IAM-GRC vendors, not even talking about extending GRC platforms to SIEM, BSM, and other aspects.