19.12.2008 by Sebastian Rohr
Yesterday I had the pleasure to attend this year's last CAST workshop in Darmstadt, Germany. CAST, the Competence Center for Applied Security Technology, is a non-profit organization that provides security information for its members as well as the broader public. CAST is led by representatives of academia (Technical University of Darmstadt) and applied research (Fraunhofer SIT and IGD) as well as corporate and SME members. Yesterday's event had "cybercrime and forensics" as its headline, and the keynote was delivered by the famous president of the Federal Police of Germany, Joerg Zierke (who obviously attracted quite a number of additional participants).
Zierke talked a lot about why Germany is very special with regard to cybercrime: on the one hand, internet safety and security is quite mature here compared with the UK, US or other leading countries. On the other hand, criminal activity is also very elaborate, and specialized individuals co-operate in ever-changing teams – cross-border and cross-competence. The president brought lots of evidence for his claims, especially regarding trojans "hand-crafted" to target German banks, browser data manipulation and online fraud in general. While he created giggles and smirks when claiming DDoS attacks were executed with emails (aka using SMTP), he showed substantial knowledge of the threats and attacks currently seen. Zierke went on to showcase cases of child pornography and "real" terrorist activity and explained the communication schemes of these cells. Impressive, scary and at the same time disturbingly "close"… Anyway, he lost my support (and I guess that of most of the others as well) when he drew the conclusion that all this could only be tackled, handled and investigated if the much-discussed BKA law (comparable to the Patriot Act in the US) were put into place.
From this rather general talk, the topics went into more and more detail, ranging from judicial analysis of new cyber-laws and a presentation about their use in jurisdiction across business-related fraud detection (impressive presentation by PwC!) up to forensic analysis of digital photography. All in all, the event covered a breadth of topics I rarely see anywhere else.
All that I missed was the INTERnational perspective, hence the topic of my post.
I can only urge lawyers, forensic specialists, cryptanalysts and politicians/judges/law enforcement (LE) to work closer together. Especially the expert advice of all of the former groups to the latter three is needed. LE is usually drowning in open cases, judges have no clue what goes on "in the internets", and politicians are seldom aware of what evil might lurk behind that link (or what good can be created through others).
Experts of all cyber-related technologies are needed as advisors and subject matter experts!
Do not ask what this community can do for you (e.g. tax cuts) – ask your judges, police officers and politicians what you can do for them!
WARNING: you might end up explaining to your "senator of choice" how to send email… let's not talk about using S/MIME or PGP here.
10.12.2008 by Sebastian Rohr
Well, I thought nothing could puzzle me regarding the IAM market these days - acquisitions, mergers, emerging start-ups.
This ONE "acquisition" really hit me: Dick Hardt joins Microsoft! I almost dropped my morning espresso shot when I received his (mass) email… Once I read through his blog posts here and here, though, I fully understand and congratulate both Dick and my former co-workers at Microsoft! It almost makes me wish I was still there – now with even more big AND versatile brains in Redmond, it must feel like "in the old days"… Nevertheless, I think the (not so evil) empire really was able to "strike back". Hiring Dick shows that Microsoft really wants this IAM thing to work – not only product-wise for the enterprise market, but also for the general population of "BORGrosoft drones", which most of us still tend to be…
It really makes me want to book a flight to Seattle next spring to have some good Mac & Jack's Amber, deep-fried turkey (see Dick's blog) and, most of all, some great discussion on Identity 2.1, as I would call it from now on!
Dick & Jennifer: I wish you all the best in and around Redmond, it IS a great place to stay in the US!
Ray & Kim: nice catch
09.12.2008 by Sebastian Rohr
Looks like IAM and GRC are all about roles, doesn't it? Well, for the sake of simplicity it does. Simplicity, you ask, having had trouble defining these in a year-long struggle and ending up with worthless collections of access rights and user profiles due to the latest merger and the finance-crisis consolidation?
You have pretty good company, as many organizations face these problems. A few years back, when I worked for CA, a good portion of the IAM projects also included considerable amounts of work to be done on roles. VAAU, at that time the preferred role-mining specialist in the market, helped a lot in getting this work done, especially in the early phases of the projects. As companies are comparable to living organisms, they tend to change over time (sometimes rapidly), thus affecting the roles and profiles users might be mapped to.
Early role-mining only provided insight into the situation at the moment the snapshot or analysis was made, leading to frustration and incorrect roles once the IAM system was about to be deployed. Vendors like the former VAAU (now with SUN) and the recently acquired Eurekify (now with CA) learned their lessons, providing consistency checking and automated role-monitoring as new key features. This evolved the early role-mining tools from providing fuzzy "best-before" role data into helpful GRC-supporting tools that constantly check whether the former analysis is still valid. One example: if members of a certain group of users sharing the same role get the same exception or add-on to their access rights, Eurekify would suggest making this exception a part of the role. This helps to manage exceptions before they become a labyrinth, while making the life of admins and auditors easier.
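To make that consistency check concrete, here is an added example of how such a role-review pass could work over a snapshot of role definitions and collected entitlements; it is illustrative code, not Eurekify's or CA's, and the roles, users, entitlement names and the 75% threshold are constructed for the example:

```python
"""Role-consistency review: find exceptions shared by most members of a role
(promotion candidates), rare exceptions (to re-certify) and members who lack
entitlements their role should grant. Added illustration, not vendor code."""
from collections import Counter

# Constructed sample data: what each role is supposed to grant, who holds
# which role, and what each user actually has in the target systems.
ROLES = {
    "accounts_payable": {"sap:fb60", "sap:f-53", "sharepoint:ap_read"},
    "auditor": {"sap:read_only", "sharepoint:audit_read"},
}
ASSIGNMENTS = {
    "alice": {"accounts_payable"}, "bob": {"accounts_payable"},
    "carol": {"accounts_payable"}, "dave": {"accounts_payable"},
    "erin": {"auditor"}, "frank": {"auditor"},
}
ENTITLEMENTS = {
    "alice": {"sap:fb60", "sap:f-53", "sharepoint:ap_read", "sap:f-58"},
    "bob":   {"sap:fb60", "sap:f-53", "sharepoint:ap_read", "sap:f-58"},
    "carol": {"sap:fb60", "sap:f-53", "sharepoint:ap_read", "sap:f-58", "sap:su01"},
    "dave":  {"sap:fb60", "sharepoint:ap_read"},  # never got sap:f-53
    "erin":  {"sap:read_only", "sharepoint:audit_read"},
    "frank": {"sap:read_only", "sharepoint:audit_read"},
}


def expected(user):
    """Entitlements implied by all of the user's role assignments."""
    return set().union(*(ROLES[r] for r in ASSIGNMENTS[user]))


def review_roles(threshold=0.75):
    """Return (suggestions, outliers, missing).
    suggestions[role][ent] = share of members holding ent outside any role
    outliers[role][ent]    = same, but below the threshold (re-certify)
    missing[(user, role)]  = role entitlements the member actually lacks"""
    suggestions, outliers, missing = {}, {}, {}
    for role, defined in ROLES.items():
        members = [u for u, rs in ASSIGNMENTS.items() if role in rs]
        extra = Counter()  # exception entitlement -> number of members holding it
        for u in members:
            extra.update(ENTITLEMENTS[u] - expected(u))
            lacking = defined - ENTITLEMENTS[u]
            if lacking:
                missing[(u, role)] = lacking
        for ent, count in extra.items():
            share = count / len(members)
            target = suggestions if share >= threshold else outliers
            target.setdefault(role, {})[ent] = share
    return suggestions, outliers, missing
```

With the sample data, `sap:f-58` is held by three of four accounts-payable members and is proposed for the role, `sap:su01` stays an individual exception, and dave's missing `sap:f-53` is reported as drift in the other direction.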
Speaking of "easier"… during my recent briefing with a former Eurekify EMEA VP and now CA employee, the question came up of how CA will leverage the power of Eurekify's tools in their customer base. I was told that existing IAM customers – regardless of which vendor they chose – will remain the primary focus of the team, as the above-mentioned role-management and role-auditing capabilities are available for all major IAM products in the market. I was pleased to hear that CA will continue to sell Eurekify technology without limitations – and was even more happy to hear that integration will extend the available web service interfaces.
Keeping this open mind and easy way to discover, integrate and manage will definitely be advantageous to the CA partner community, which provides audit, role-mining and compliance services with the former Eurekify tools.
I am looking forward to what happens next regarding the role-management tools and offerings – and also to what and when CA merges the Eurekify capabilities into their GRC and IAM tools!