Wednesday Oct 22, 2008

I am very proud to announce the release of Sun Identity Compliance Manager.  

Sun Identity Compliance Manager is an offering targeted directly at buyers and markets where compliance and risk reduction related to access control is a key driver.  ICM is a subset of Sun Role Manager and includes the Access Certification and enterprise-wide Separation of Duties scanning and enforcement capabilities. 

ICM is a simple and efficient solution that can provide a return in as little as 90 days, helping your organization prove that the required identity-based access controls are present.  It can automate the processes needed to answer these questions:

Who has access to what across the enterprise? 

Is this access correct? (determined through Access Certification and SoD)

Does any current access represent a risk to my organization?

For more information on the benefits of Access Certification, check out my short blog series on the topic (1, 2, 3)

For more information, please check out the official product page, which includes the data sheet, podcast, video podcast, etc...

Read what the press is saying:

**********************
HEADLINES:

*Novell, Sun, Oracle crank out identity and access wares – Network World, 10/21

*Sun launches slimmed-down identity and access management product – Ovum (Analyst Report), 10/21

*Security surge – Government Computer News, 10/21

*Sun, Oracle and Novell Take Aim at Identity and Access Management – eWEEK, 10/20

*New Sun product illustrates identity management trend – Information Security Magazine, 10/20

*Sun Pounces on Access Management – InternetNews.com, 10/20

*Making ID Access Management More Accessible – Dark Reading, 10/20

*Sun Microsystems launches Identity Compliance Manager – eChannelLine, 10/20
**********************

Keep up with future news and blogs:

Google news search

Google blog search

Finally, I'd like to give a special shout out to KH, who did a great job driving this launch. Thank you!

Monday Oct 20, 2008

How can managers, when presented with their employees' access across all enterprise applications, make a determination of accuracy?  They can't, or won't, if they don't understand what they are attesting to. 

So, we have to make it easy for them.

Here are a few ways to make it easier:

Glossary

For business users to understand a list of fine grained access rights currently held by their employee, the information must be easy to understand.  There needs to be a translation between the IT representation of access and what it actually means if you were explaining it to someone face to face.  For example, if I were to ask a manager, Joe, if his employee, Suzy, should have SAP TCode 'BGM1', Joe would have no idea... let alone sign his life away on a decision.  We must translate it to, "Is it ok if Suzy has rights to create master warranties?"  Ideally, your company would establish a cross-departmental governance board to translate these items, and manage and maintain them over time.

ID Card / Contact Information

During the attestation process, if a manager is provided translated access information, but still doesn't know if the access is correct or not, who can help?  The owner of the access.  During automated access certification, the contact information of the owner of the access could/should be presented to the person making the decision about appropriateness, so they can contact them directly and talk about it.

Delegate the decision

What if a manager is reviewing access for an employee, and finds entitlements that they believe are tied to a temporary project, or cross-functional task?  They really are not the appropriate attestor of this access....  So, a manager should be able to delegate the decision about access to the appropriate business owner.

Present the right information to the right people

From the outset of your access certification process, you should be thinking about who should be determining appropriateness of access to what applications and data.  Building on the example above... the project manager should be presented a list of access relating to the project for individuals on the project.  Ensuring your automated solution provides this flexibility of certification populations is important.

Present information about the access data

Enable your attestors/certifiers to make an informed decision.  Indicate to them during the certification process if certain access is deemed high risk, or is part of an existing SoD violation, or is of a certain classification (like Finance), or is access that has been previously revoked.  All of this metadata about the access information will increase the effectiveness of your access certification process.

Simple Answer: Sit with your certifiers and understand why and where they are having difficulty completing their certifications, and apply some of the items above to make it easier for them.
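The items above (glossary translation, owner contact, delegation, and access metadata) put together as one certification item builder. This is an added illustration, not Sun Role Manager or ICM code; the glossary entries, owner addresses, project names and the second SAP transaction code are constructed values.

```python
"""Build reviewer-friendly access certification items (added example, not
product code). Every identifier, address and metadata value is constructed."""

# Constructed glossary: (application, entitlement) -> what it means in plain language.
GLOSSARY = {("SAP", "BGM1"): "create master warranties",
            ("SAP", "FB60"): "enter vendor invoices"}

# Constructed entitlement metadata, the kind a governance board would maintain.
ENT_META = {
    ("SAP", "BGM1"): {"owner": "warranty.lead@example.com", "classification": "Operations",
                      "high_risk": False, "project": None},
    ("SAP", "FB60"): {"owner": "ap.owner@example.com", "classification": "Finance",
                      "high_risk": True, "project": "apollo"},
}
# Constructed project owners: access tied to a project is delegated to them.
PROJECT_OWNERS = {"apollo": "pm.apollo@example.com"}

def certification_item(user, app, ent, manager, sod_violations, revoked_before, meta=ENT_META):
    """Return one review item: the translated question, who to contact,
    who should actually decide, and the risk flags shown alongside it."""
    m = meta.get((app, ent), {})
    meaning = GLOSSARY.get((app, ent))
    if meaning:
        question = f"Is it ok if {user} has rights to {meaning}?"
    else:  # no translation yet: surface that gap instead of a raw technical string
        question = f"Is it ok if {user} has {app} entitlement '{ent}'? (no glossary entry)"
    # Delegation: project-related access routes to the project owner, not the line manager.
    reviewer = PROJECT_OWNERS.get(m.get("project"), manager)
    flags = []
    if m.get("high_risk"):
        flags.append("high risk")
    if (user, app, ent) in sod_violations:
        flags.append("SoD violation")
    if (user, app, ent) in revoked_before:
        flags.append("previously revoked")
    if m.get("classification"):
        flags.append(m["classification"])
    return {"question": question, "contact": m.get("owner"), "reviewer": reviewer,
            "flags": flags, "needs_glossary": meaning is None}

def items_for_manager(user, entitlements, manager, sod_violations=frozenset(), revoked_before=frozenset()):
    """Build the full list a manager (or their delegates) would see for one employee."""
    return [certification_item(user, app, ent, manager, sod_violations, revoked_before)
            for app, ent in entitlements]
```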

Tuesday Oct 07, 2008

Correct...

What is correct?

  • Is the data in the warehouse up to date?
  • Are the accounts correlated correctly to their owners?
    • How do you know?
  • What about the accounts that can't be correlated to an actual person?
    • Are they system accounts (used by applications)?
    • Are they privileged accounts, used by IT administrators (bad!.. no shared passwords)?
    • Are they accounts that were once owned by employees, contractors or partners who no longer have a relationship with the business?
  • Is each person's access correct based on least privilege? (only access needed to perform their job)
    • What is least privilege for Suzy? Bob?
  • Does any of the current access represent a risk?
    • Does anyone have the ability to perform an unwanted transaction (or set of transactions)?
    • Who has privileged access to applications and data?

To properly answer these questions, you have to ask the people who would know...  The Business. If you ask the IT department, they might be able to tell you when the access was granted, and maybe even how... but it is unlikely that they can tell you why... and even more unlikely that they know if it is still needed.

The business also knows if the current, static access of each person is correct.  If there is anyone in the company that knows what access Bob or Suzy actually needs, it's their manager or possibly the owners of the applications on which they have accounts.  The business owners need to review each individual's exact access, down to the entitlement level, and make a determination of appropriateness.  This is the process of access certification.

Additionally, the business should be engaged to decide what entitlements, when granted to the same individual, constitute a Separation of Duties violation.  These SoD policies can typically span the entire enterprise, and all applications should be considered during the evaluation cycle.  For example, your vendor management (for creating vendor records) could be in an operational application, like a fulfillment or inventory solution, while your vendor payment process may rely on the records in your accounting application.  In this scenario, if someone had the ability to create a vendor in the inventory solution, and then pay the vendor in the accounting solution, this would constitute a SoD violation, or a "Toxic Combination" of access.  This is why the ability to define and enforce SoD policies across enterprise applications is critical.
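The vendor-create/vendor-pay scenario above, worked through in code: accounts from two applications are first correlated to people (the warehouse step, including the uncorrelated accounts from the list of questions), and then an SoD policy that spans both applications is evaluated against each person's combined access. This is an added example, not Sun Role Manager or ICM code; the logins, entitlement names and the HR correlation table are constructed.

```python
"""Cross-application SoD evaluation over a small identity warehouse
(added example, not product code; all data below is constructed)."""
from collections import defaultdict

# Constructed raw account extracts, one tuple per account in each application:
# (application, login as the application knows it, fine-grained entitlements).
RAW_ACCOUNTS = [
    ("inventory",  "smith_s",   {"VENDOR_CREATE", "PO_VIEW"}),
    ("accounting", "SSMITH",    {"AP_PAY_VENDOR"}),
    ("inventory",  "bjones",    {"VENDOR_CREATE"}),
    ("accounting", "BJONES",    {"AP_VIEW"}),
    ("accounting", "batch_svc", {"AP_PAY_VENDOR"}),   # no owner in the HR feed
]

# Constructed correlation rules derived from HR: (application, login) -> person id.
HR_CORRELATION = {
    ("inventory", "smith_s"): "suzy", ("accounting", "ssmith"): "suzy",
    ("inventory", "bjones"):  "bob",  ("accounting", "bjones"):  "bob",
}

# SoD policies are enterprise-wide: a "toxic combination" is a set of
# (application, entitlement) pairs that no single person may hold together.
SOD_POLICIES = {
    "create-and-pay-vendor": {("inventory", "VENDOR_CREATE"),
                              ("accounting", "AP_PAY_VENDOR")},
}

def build_warehouse(raw, correlation):
    """Correlate accounts to people (logins compared case-insensitively).
    Returns (per-person combined access, orphan accounts that need a human
    decision: system account, privileged account, or a departed user)."""
    access, orphans = defaultdict(set), []
    for app, login, ents in raw:
        person = correlation.get((app, login.lower()))
        if person is None:
            orphans.append((app, login))
            continue
        access[person].update((app, e) for e in ents)
    return dict(access), orphans

def evaluate_sod(access, policies):
    """Return {person: [violated policy names]}; a policy is violated only
    when the person holds every pair in the combination, across applications."""
    violations = defaultdict(list)
    for person, held in access.items():
        for name, combo in policies.items():
            if combo <= held:
                violations[person].append(name)
    return dict(violations)
```

Accounts that cannot be correlated are reported rather than silently dropped, since an orphaned account holding AP_PAY_VENDOR is itself a finding even though no SoD policy fires on it.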

Simple Answer: Once you've built an identity warehouse, execute an SoD evaluation and complete an access certification.  Once they are complete, you truly have "Identity Gold"... all nice and shiny.  

....next question: How the heck are managers supposed to know if access is correct?



Wednesday Sep 03, 2008

Who has access to what?.. a simple question, but one that is not so easy to answer for a lot of companies... companies compelled to answer this question and meet their regulatory obligations.

Siloed IT departments, mergers and acquisitions, employee transfers, contractors hired into full-time positions, and terminations can all lead to proliferation of invalid access.  Getting a handle on who has access to what is often a difficult task that requires cross-departmental cooperation and process development just to gather the data.  Once gathered, correlation of accounts to an actual person or "subject" needs to occur, and that is also not an easy task.

We often overlook the value of gathering Identity data.  In a recent face-to-face meeting with Ian Glazer of the Burton Group, he referred to this as "Identity Gold", and I completely agree.

This step is the foundation for Access Certification, Role Mining, Entitlements Management, Policy Evaluation, Identity Auditing, Provisioning, Password Management (thanks Ian) and numerous other custom services developed by our customers.

Simple Answer: Build an Identity Warehouse... next question: Is this access correct?

This blog copyright 2009 by mhamlin