15.11.2007 by Martin Kuppinger
One of the emerging topics in the broader IAM space integrates GRC and Identity Management: Identity Risk Management, including aspects like Identity Risk Metrics. Identity Risk Metrics are used to measure specific aspects of Identity Management. These metrics can be mapped to risks and thus serve as a means to detect and, in the next step, reduce risks. Such metrics can be defined in many areas.
Maybe the most interesting are Application Risk Metrics, in the context of digital identities. Elements of this category include things like
- Usage of central identity stores (instead of application specific identity stores)
- Sensitive attributes in decentralized identity stores
- Sensitivity of the application and its data
- Supported authentication mechanisms and their strength
- Number of user accounts
- Encrypted storage of passwords
- and many others…
The analysis of these metrics automatically leads to a clear view of the level of centralization of Identity Management and, combined with the risk view, to a clear rating of the risks which exist due to decentralized user management at the application level and the lack of an application security infrastructure.
Measuring these metrics can clearly lead to more management support for building application security infrastructures and changing the way security is implemented in applications. It is not very difficult to do this sort of analysis. It doesn’t need specific Risk Management software; it is just about identifying the applications (which is the hardest part) and counting, plus maybe some analysis in Excel. And it is about mapping the result to defined risks and providing an answer to the question of “how to reduce the risk”. The answer is quite obvious: it is the approach of application security infrastructures.
And that is just one example of what you can do with Identity Risk Metrics.
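The counting-and-mapping analysis described above, as an added example that is not part of the original post: a small inventory of applications is scored against the listed Application Risk Metrics, rated per application and summarized as a centralization ratio. The application names, the metric weights and the risk bands are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class AppIdentityProfile:
    name: str
    uses_central_store: bool      # central identity store vs. app-specific store
    sensitive_attrs_local: int    # sensitive attributes kept in the app's own store
    data_sensitivity: int         # 1 (low) .. 3 (high)
    auth_strength: int            # 1 password, 2 password+OTP, 3 certificate/smartcard
    accounts: int                 # number of user accounts
    passwords_hashed: bool        # passwords stored hashed/encrypted, not in cleartext

def exposure_points(app: AppIdentityProfile) -> int:
    """Turn the raw metrics into exposure points (weights are an assumption)."""
    points = 0
    if not app.uses_central_store:
        points += 3                               # decentralized user management
    points += min(app.sensitive_attrs_local, 3)   # sensitive data sprawl, capped at 3
    if not app.passwords_hashed:
        points += 2                               # cleartext credentials at rest
    points += 3 - app.auth_strength               # 0 for strongest .. 2 for weakest
    if app.accounts > 1000:
        points += 1                               # larger blast radius
    return points

def app_risk(app: AppIdentityProfile) -> int:
    return exposure_points(app) * app.data_sensitivity   # exposure weighted by sensitivity

def risk_band(score: int) -> str:
    return "high" if score >= 20 else "medium" if score >= 5 else "low"

def centralization_ratio(apps) -> float:
    return sum(a.uses_central_store for a in apps) / len(apps)   # share using the central store

def risk_report(apps):
    """Per-application rating, worst first, as (name, risk, band) tuples."""
    rated = [(a.name, app_risk(a), risk_band(app_risk(a))) for a in apps]
    return sorted(rated, key=lambda r: r[1], reverse=True)

# Constructed sample inventory; every value below is made up for illustration.
SAMPLE_APPS = [
    AppIdentityProfile("hr-portal", True, 0, 3, 2, 5000, True),
    AppIdentityProfile("legacy-crm", False, 4, 3, 1, 1200, False),
    AppIdentityProfile("wiki", False, 1, 1, 1, 300, True),
    AppIdentityProfile("vpn", True, 0, 2, 3, 2000, True),
]

if __name__ == "__main__":
    print(f"central store usage: {centralization_ratio(SAMPLE_APPS):.0%}")
    for name, score, band in risk_report(SAMPLE_APPS):
        print(f"{name:12} risk={score:3} ({band})")
```

The decentralized, cleartext-password application ends up on top of the report, which is exactly the case the post's answer (an application security infrastructure with a central identity store) is meant to remove.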
31.10.2007 by Martin Kuppinger
There are plenty of GRC solutions out there: products for one specific regulation, industry-specific solutions, and more and more solutions which claim to address the entire GRC problem. The level ranges from paper-based methodologies to more or less complex Excel sheets and complex frameworks.
I’m mainly interested in the generic solutions which try to address the entire problem. Many solutions address some part of the problem, but you will need dozens of different products to solve your GRC requirements. That leads to a complex, expensive infrastructure. Thus, a strategy for a generic approach for GRC which can cover all regulations is inevitable. That’s about compliance automation or governance automation, a topic on which I have published on our website some time ago.
26.10.2007 by Martin Kuppinger
Our upcoming Identity Management market report 2007/2008 shows some interesting results. Not too surprising, at least most of them, but nevertheless pretty interesting. One important piece of information is where the money will be spent next year. For sure there is Identity Provisioning. And, as expected, Role Management is a very important area. Besides these two areas there is Single Sign-On as the third topic on which a lot of money will be spent within the next 12 months. More than 30% of the survey participants will implement SSO, will enhance their implementations significantly or will replace the technology which they use today. Another roughly 30% will optimize their existing implementations. Less than 30% of the companies won’t spend money on SSO.
The question behind this is why. There are several aspects. SSO helps the users. It eases their lives with fewer user names and passwords. SSO makes the user the admin’s friend. Another aspect is compliance. SSO might help in achieving some of the targets of compliance, at least in (the strongly recommended) combination with strong authentication.
It is easier to audit who is allowed to access which applications, who actively uses accounts in which system and who has accessed which system when. Upcoming trends like the integration with events from physical access systems, thus taking the step towards context-based authentication and authorization, enhance the support for compliance requirements.
From my perspective, these two aspects - user friendliness and compliance support - are the most important driving factors for the success of SSO. Besides, SSO is pretty mature, at least the Enterprise SSO solutions which are most common today. But also token-based approaches like the use of Smartcards with certificates and other credentials stored on the tokens show an increasing maturity, lower costs and a broader availability of devices.
Thus, if you haven’t solved your SSO issues until now, start thinking about it. But when you do, don’t stop at an internal solution like Enterprise SSO but think about the future. SSO for your customers through support of OpenID, CardSpace and other technologies should be part of your SSO strategy (look at some of our downloads…), as should the role identity federation will play in the next years.
10.10.2007 by Martin Kuppinger
Oracle remains true to its strategic approach of growth through acquisitions. The next company to become part of Oracle is LogicalApps. LogicalApps, pretty unknown at least here in Europe, is a vendor in the GRC space - more concretely, of “automated GRC controls management solutions”. GRC is an acronym for Governance, Risk Management and Compliance. The solution supports SoD enforcement, monitoring of business transactions, and evidence (e.g. audit). The vendor is focused on Oracle Applications with - as they claim - hundreds of successful deployments in these environments.
With this acquisition, shortly after announcing the acquisition of Bridgestream, Oracle proves that they are willing to compete with SAP in the GRC field. In fact the combination of Bridgestream and LogicalApps will lead to a solution which can be compared to SAP’s GRC Access Control solution, which has its roots in the former Virsa products. SAP’s advantage is that they are some two years ahead in integrating and enhancing what they had acquired. On the other hand Oracle has proven its ability to integrate products they have acquired. And Oracle has another interesting component in its portfolio with the risk-based authentication/authorization provided through Bharosa, another company they recently acquired.
Both vendors, by the way, face the same challenge: They have to expand the solution scope beyond their own ERP applications. SAP is intensively working on support for Oracle Applications, PeopleSoft and other solutions. Oracle will have to enhance the LogicalApps product to a pre-defined “best practice” support of SAP environments. And both of them will have to enhance the scope of GRC beyond the core ERP solutions to all information (systems) in the enterprise. eMail, for example, is pretty relevant to GRC.
The acquisition strengthens Oracle’s competitive positioning and is, from my point of view, a major milestone towards true competition in the GRC field, because Oracle will now be the challenger number one for SAP in this area. It will be interesting to observe whether other major vendors like IBM or even Microsoft will enter this market - and with which approach they’ll do that.
10.10.2007 by Martin Kuppinger
Today I read a press release from Novell where they claim that most enterprises don’t realize the value of Compliance. For sure, if you think about Compliance, then most of us first think about the pain of being compliant. More reports, more rules, new applications,… And, honestly, Compliance is first of all something reactive, avoiding penalties.
But there are also some clear advantages, as we’ve mentioned several times. This is especially true if you look at it from a general “Governance, Risk Management, Compliance” perspective. There are, especially in the risk management area, clearly visible opportunities for enterprises. Detecting, managing and thus reducing or avoiding risks brings value.
The other important aspect is that the process maturity of corporations increases when they start to implement enterprise-wide GRC approaches (even though today it is mainly the already process-mature corporations that implement these solutions). Defined processes and integrated data about what happens in the enterprise are drivers for optimization. GRC done right and in the context of business process optimization is a key instrument for management.
IT has to provide the technology to implement a consistent, automated GRC approach. “Manual” Compliance is way too expensive. It requires tool support. But with this approach, where IAM plays a central role, IAM will change - it will become part of a bigger thing, integrating GRC (and, in this context, Business Role Management) and what I name “Enterprise Information Management” (look here and here).
I definitely agree with Novell on their point that there is business value in Compliance. But I’d like to add: The real value is only visible from an enterprise perspective. From an IT perspective, Governance/Compliance automation is cheaper than manual work - but first you have to invest in IT. Thus, if IT likes to argue with Compliance to gain budgets for their infrastructure improvement, they have to argue from a management perspective and an IT perspective and must not remain in their IT-only view of the world.