Friday Nov 06, 2009

At the start of the week I attended the IDM09 Conference in the Docklands in London.  This relatively new one-day event hosted several key security, identity and access control vendors and partners, as well as delegates from the private and public sector.  Most delegates held leadership, architecture or implementation positions related to security or audit.

The attendance was fair considering the time of year and the ongoing economic uncertainty and credit issues facing many finance-related organisations - the very companies that most security solutions are aimed at.  The vendor sponsorship list contained the standard big-name players, including Sun and Oracle, as well as developing vendors such as Aveksa, Courion and the Benelux-based Bhold.  The consultancy partner and SI space was also well represented, with the likes of DNS, Infinitum and Oxford Computer Group sponsoring and presenting.

Because the event ran for only a single day, the agenda was quite compact, built around 15-minute bullet-style presentations, case studies and vendor pitches spread throughout the day.  The case studies were mainly SSO-based, with some touching on the provisioning arena, covering the implementation and project deliverable cycle.  An increasing focus was on the governance and compliance aspect of access control, be it from a provisioning perspective or from an audit and reporting perspective.  Sun's SRM tool is one of the industry's leading compliance, certification and identity cleanup tools, and many of the techniques and methodologies used by Sun are now being adopted by the industry and other vendors as a means to clean up identity data either before or during a provisioning project.

Conversation again turned to Microsoft and their small-scale attempts to enter the full identity lifecycle and provisioning landscape with their ILM tooling.  Many of the features discussed - like a UI for management or workflow design - were new to Microsoft and again tend to focus on non-heterogeneous landscapes.  Many were discussing the use of AD as a central repository for authN across legacy and *nix-based applications.  Whilst this is a great idea in principle - reduction of siloed LDAP repositories, easier provisioning/deprovisioning, centralised identity information and so on - the main question was still around authZ.  Unless an application is being designed from scratch, existing deployments will need considerable remodelling of their internal access control in order to use AD as an authZ store.  The discussions will no doubt continue due to the omnipresent nature of Microsoft in the desktop and directory landscape.

One of the other areas I took note of, was the discussions surrounding the Kantara Initiative.  The relatively new organization is to focus on "Bridging and harmonizing the identity community with actions that will help ensure secure, identity-based, online interactions while preventing misuse of personal information so that networks will become privacy protecting and more natively trustworthy environments".

An interesting presentation by ex-Sun employee Robin Wilton on the focus and benefits of the initiative gave food for thought.  Like most cross-vendor forums, however, the most notable vendors tend to be the ones not involved.

Overall the event was a worthwhile addition to the identity calendar.



Wednesday Oct 28, 2009

I was recently presenting to a customer who is about to embark on an RBAC and Role Management project.  They knew the technical features they wanted to implement but their main concern was focussed more on the underlying business process.

An RBAC project can cover multiple areas of a business, not just the IT Security and Administration teams.  Obviously there are technical aspects, features and metrics that need either automating or consolidating.  These can include:

#    Automatic creation of a role object (including the entitlements a role should have)
#    Automatic association of users to role objects
#    Automatic reporting of role objects, user entitlements, user exceptions
#    Automatic recertification of user entitlements and role entitlements
#    Automatic Audit analysis like Separation of Duty or compliance policies

This list is obviously non-exhaustive, but it gives an idea of the sorts of tasks that a piece of software can automate in place of a manual process.

In addition, there are several business-related aspects that also need considering.  Introducing an RBAC security method into an organisation requires additional support and steps from a non-IT perspective.  These can include:

#    Training for line managers to request a role for access instead of an individual entitlement
#    Providing a non-technical naming standard for role objects so business leaders understand their meaning
#    Identifying who should 'own' the roles themselves, to provide governance for role-to-user memberships
#    Which parts of the organisation should have priority for an initial wave of RBAC deployment
#    Who from the organisations board should sponsor and direct the project
#    If a user requests access to a role who should manage compliance exceptions and the process flow
#    What reports need creating, when they should be stored, for how long and by whom?



Again, this list is only a sample, but it should give a picture of the more process-related issues involved in deploying an RBAC tool.  The tool itself will not fix the process if it's either broken or missing entirely.  To implement a solution of any kind, the underlying actors need to be involved, know their role and be able to follow a prescribed process in order to deal with the general management issues that arise from using roles in an access management platform.

By simply automating a bad process, all we are doing is accelerating the issues the process causes due to its lack of scope, detail and focus.

If you're walking in the wrong direction, starting to run only takes you further from your correct track.  It is better to slow down, stop and understand the underlying issues first, before starting to use a tool to automate and influence the critical access framework you're trying to develop.

Friday Oct 16, 2009

Following on from the success of the SRM5 Catalyst event this week in Austin, run by our colleagues in the US, next week will see a similar, smaller-scale Transfer of Information session for the new Sun Role Manager 5 product.

This will consist of three 2-hour accelerated sessions focusing on standard installation, deployment and feature configuration, covering Certification, Audit and Role Mining.

The sessions will be driven by live WebEx on October 20th, 21st and 22nd between 1330 and 1530 GMT.

For more information and registration go to the internal wiki page for the event at

http://swtech.france.sun.com:8080/wiki/Wiki.jsp?page=SRM5-Sessions-09


Friday Oct 09, 2009

Sun Role Manager 5.0 has been released this week.  The new release sees enhanced features such as a granular certification engine, advanced rule management and a new event listener engine to allow a dynamic response to data changes.

New features include:


    * Data Owner certifications to allow single attributes on a resource to be certified separately
    * Application entitlement sets allow multiple resources to be managed as one entity
    * Advanced Top Down role mining enhancements to allow extensive and scalable HR mining
    * Enhanced integration with Sun Identity Management for Resource imports and meta-data synchronization
    * True Closed-Loop-Remediation for life cycle management of revoked accounts using SIM
    * Enhanced SIEM / CEF integration to allow user activity analysis on target system entitlements

The features should increase SRM's reputation as the industry's most mature and feature rich Identity Compliance and Roles engine.

The official press release is here - http://www.sun.com/aboutsun/pr/2009-10/sunflash.20091008.2.xml


Thursday Oct 01, 2009

Kuppinger Cole recently had a discussion covering the potential boundaries of standard RBAC and whether there are any potential next steps.  The talk focused on why RBAC projects fail and what the main limitations of a static RBAC implementation are.


Most projects tend to fall foul of the main RBAC confusions:  What is the role supposed to represent?  A user? A job function? A set of entitlements?  In some cases the role will represent all of these things, but to different people.

One of the common scenarios we have seen during our deployments tends to be the concept of role explosion: the rapid increase in the number of entitlement-carrying roles as the model attempts to match every possible access scenario within the organization.  In addition, every department, area or even user adds to the concept of role exceptions, where new and unique roles need to be created to match a particularly different set of entitlements or scenarios.

(Rock and) Role Explosion??


A lot of the underlying confusion manifests itself from the idea of access context.  Babak Sadighi from Axiomatics describes this concept as "..not always about who? and what? but also when? where? and why?.." access permissions are required and used.  His argument is to focus on 'privilege giving attributes', or Attribute Based Access Control (ABAC), with each of these attributes covering non-application-specific characteristics such as environmental or resource-based ones.

This allows Fine Grained Authorisation (FGA) to be done based on a user's characteristics, their intent, the time of execution and also against the object's context.  If this scenario were to be managed using static RBAC, it would result in role explosion, as roles covering every possible combination of users, environments and sessions would have to be created.

The role explosion arises from the assumption that a role is simply used for static provisioning.  Once a user is associated with a role, they will receive the entitlements of that role.  If a separation of duty needs to be fulfilled, multiple accounts or roles could be used to cover the multiple combinations associated with the context.

One of the ways to overcome this scenario is to use XACML and the concept of ABAC.  XACML has seen prominence in recent years, with increasing emphasis placed on interoperability and E2E access control and several vendors entering this space, including Cisco with its December 2007 acquisition of Securent.

The main idea with XACML is to allow authZ decisions to be made using the subject, action, resource and environmental characteristics, extending the static RBAC and user model with a real-time Policy Decision Point.

As more and more organisations deploy an RBAC model of some description, be it to aid provisioning or to simplify administration tasks, the need for a more dynamic and extensible access control framework will develop, and the maturity of something like XACML may help this process.
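To make the role-explosion argument concrete, here is an added example (constructed for this post, not code from Sun Role Manager or any XACML product) that writes a toy access policy once as attribute rules behind a deny-overrides Policy Decision Point, then enumerates how many static roles an RBAC model would need to reproduce the same decisions across the who/where/when contexts. The jobs, locations, rules and resulting counts are all assumptions.

```python
"""Static RBAC role explosion versus a small attribute-based (XACML-style) PDP.

Added example, constructed for illustration: this is not Sun Role Manager
code and not a real XACML implementation. Jobs, locations, rules and the
resulting counts are made up.
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Set

# The context dimensions the post lists: who (job), where (location), when (window).
JOB_FUNCTIONS = ("trader", "auditor", "clerk")
LOCATIONS = ("head_office", "branch", "remote")
TIME_WINDOWS = ("business_hours", "out_of_hours")
RESOURCES = ("trade_book", "audit_log")
ACTIONS = ("read", "approve")

# A request carries subject, resource, action and environment attribute bags.
Request = Dict[str, Dict[str, str]]


@dataclass(frozen=True)
class Rule:
    """One XACML-like rule: a target predicate over the request and an effect."""
    name: str
    effect: str  # "Permit" or "Deny"
    target: Callable[[Request], bool]


def req(job: str, location: str, window: str, resource: str, action: str) -> Request:
    """Build an access request from its four attribute categories."""
    return {
        "subject": {"job": job},
        "resource": {"type": resource},
        "action": {"id": action},
        "environment": {"location": location, "time_window": window},
    }


# The business policy, written once as attribute rules (the ABAC side).
POLICY: List[Rule] = [
    Rule("deny-approval-out-of-hours", "Deny",
         lambda r: r["action"]["id"] == "approve"
         and r["environment"]["time_window"] == "out_of_hours"),
    Rule("deny-approval-when-remote", "Deny",
         lambda r: r["action"]["id"] == "approve"
         and r["environment"]["location"] == "remote"),
    Rule("trader-works-trade-book", "Permit",
         lambda r: r["subject"]["job"] == "trader"
         and r["resource"]["type"] == "trade_book"),
    Rule("auditor-reads-anything", "Permit",
         lambda r: r["subject"]["job"] == "auditor"
         and r["action"]["id"] == "read"),
    Rule("clerk-reads-trade-book-on-site", "Permit",
         lambda r: r["subject"]["job"] == "clerk"
         and r["resource"]["type"] == "trade_book"
         and r["action"]["id"] == "read"
         and r["environment"]["location"] != "remote"),
]


def pdp_decide(request: Request, policy: List[Rule] = POLICY) -> str:
    """Deny-overrides combining: an applicable Deny wins, then Permit, else NotApplicable."""
    effects = {rule.effect for rule in policy if rule.target(request)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def entitlements_for_context(job: str, location: str, window: str) -> Set[str]:
    """The resource:action pairs the PDP permits for a subject in this context."""
    return {
        f"{resource}:{action}"
        for resource, action in product(RESOURCES, ACTIONS)
        if pdp_decide(req(job, location, window, resource, action)) == "Permit"
    }


def static_roles_needed() -> Dict[str, Set[str]]:
    """Roles a static RBAC model must pre-create to reproduce the same decisions.

    Location and time window change at runtime, so static provisioning has to
    hold a role per (job, location, window) combination: the role explosion the
    post describes. Combinations that carry no entitlements are skipped.
    """
    roles: Dict[str, Set[str]] = {}
    for job, location, window in product(JOB_FUNCTIONS, LOCATIONS, TIME_WINDOWS):
        ents = entitlements_for_context(job, location, window)
        if ents:
            roles[f"{job}-{location}-{window}"] = ents
    return roles


def distinct_entitlement_sets(roles: Dict[str, Set[str]]) -> int:
    """How many roles survive if identical entitlement sets are merged."""
    return len({frozenset(ents) for ents in roles.values()})
```

Five attribute rules become sixteen context-specific roles; merging identical entitlement sets leaves three, but a user then has to switch between them as their location and time window change, which is exactly what static provisioning cannot do.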

Tuesday Aug 25, 2009

One of the current niches within the Identity Management space is that of RBAC - role-based access control. RBAC is not a new 'niche', or indeed a new framework, but has seen a wave of interest in recent years with numerous small independent vendors (as well as the usual players) entering the market and creating a buzz.


The increased interest has been driven by several factors, including general audit compliance and the drive for simplified account administration.  But the main one, I believe, is the general maturity of Identity Management and the missing link of roles enforcement.


With roles, organizations have the ability to manage detailed account entitlements in an automated and security-controlled manner, implementing least-privilege access as well as providing entitlement ownership, reporting and accountability. Many organizations see this as a key requisite of any automated account provisioning mechanism, but fail to understand the key components of how to successfully approach or deliver such a project.


To many the migration from a user centric access platform to an RBAC framework is often a daunting enterprise wide project similar to attempting to 'Eat an Elephant'.


Role Mining Theory has generally been viewed academically for several years, since papers from the likes of Ferraiolo and Kuhn became popular reading and standards from ANSI became the main starting point for any RBAC project. Role Mining (or Role Engineering) can generally be viewed from a top-down (looking for patterns based on HR or job description data) or bottom-up (application-specific, entitlement-carrying) viewpoint. Many projects should really focus on utilizing both mining methods in order to create a hybrid model, allowing roles to cover a multitude of job functions and entitlements.


Like any large-scale, enterprise-wide project, strong project management is a must, allowing the implementation to be broken down, prioritized and de-risked. Business areas should be selected with strong business stakeholder buy-in, in order to provide guidance on non-IT requirements and role ownership.


The use of RBAC brings several business process changes which require non-IT operations to understand and manage various processes in the RBAC lifecycle.  Without business buy-in, RBAC becomes an IT-centric tool which will fail to deliver enterprise-wide benefit.


Any selection of an RBAC tool is really based on enabling the business to perform greater and more efficient access governance and identity management. In order for this to be successfully accepted, the business first needs to understand the expected benefits of undertaking such a large project. This can generally best be seen if an RBAC framework is attempted manually, without any automated tools. This shows the difficult and time-consuming process of attempting to cluster users and entitlements together. It also gives a point of comparison between manual delivery and an automated methodology for RBAC access governance.


The implementation of an RBAC framework should generally be seen as a long-term strategic direction as opposed to a short-term tactical fix for a single application. A long-term view must include business ownership of the framework as well as the automated IT mechanisms underpinning such a solution, such as provisioning, access enforcement, role development and separation of duty monitoring.


The key to nearly all of the points mentioned so far is business buy-in. This is true of so many enterprise security projects, yet so many overlook this critical point. Many large-scale organizations now have an information security function with a representative at board level, generally seen to be the CISO or Chief Information Security Officer. Whilst they may be the main advocate of an RBAC framework on behalf of the IT function, other board members should be keenly focused too.


The CFO should be interested due to the long-term ROI and lower TCO. Representatives from Audit (for the increased reporting and access governance ownership gained by RBAC) as well as CEO reports should also be part of the decision-making process due to the enterprise-wide impact of RBAC. This would not be limited to non-IT managers becoming part of the access control ownership function, but cultural changes to existing business processes, mainly surrounding access request, access remediation and reporting.


Industry analysts such as Gartner and Forrester now regularly comment on the expectation that RBAC frameworks will become the standard offering to large scale organizations intent on increasing access governance whilst lowering TCO for user administration.


It remains to be seen whether successful RBAC implementations can be made without cross-business understanding and buy-in, as with only IT sponsorship any enterprise-wide project is destined to fail.

Friday Jun 19, 2009

The Sun Identity Demonstration platform SEDemo has reached iteration 2.  This was formally released this week and is available to Sun employees at

http://sedemo.sun.com/

This is a major release of the integrated demo set of Sun Identity Manager 8.1, Sun Role Manager 4.1.4 and OpenSSO Enterprise 8.0 that you can use as a foundation for customer demonstrations and Proof of Concepts. This is a Sun internal tool only, as it represents several years of IP and the most popular customer use-cases collected over time.

Thursday May 21, 2009

Over the last couple years working with customers embarking on RBAC implementations, many ask during the PoC/workshop stage, what is the 'best' RBAC model we should aim for?

Many attempt to compartmentalize the question using tangible benchmarks, normally numerical, so that they can attempt to visualize, model and compare either to other vendors or to a scenario where no role-based access is used at all.

This results in many questions such as: How many roles per user should we have? How many entitlements per role? How many exceptions? How many users without any roles? How many roles in department X if they have 650 people and 10% turnover? Etc etc. It can be very difficult and misleading to suddenly dive straight into a detail-based discussion with absolute facts and figures. I don't personally think this is the way RBAC should be approached or benchmarked. There are several white papers (mainly academic) that discuss the value of RBAC from a quantitative perspective, performing user-to-role modelling based on various functions.

In reality, however, I don't really believe there is a set number for things like user-to-role associations, or business role to IT role relations. A lot depends on the organization. How is access managed today? Centralised/decentralised, branch level, application centric, business driven etc. In addition, what does the organization do?  Are they a blue-collar office company with many large teams of tele-operators? Or a mid-sized mining company with hundreds of locations with small numbers of localized workers?

Each of these factors can all affect the RBAC model and in turn the ratios.

With that said, best practice and the leading experience we have at Sun allow us to start to develop a more qualitative approach to how RBAC should be modelled. In reality, although RBAC and role-based services are not a new concept in operating system security, large-scale enterprise implementations are relatively immature - the oldest probably being less than 8-10 years old at most.

This results in a new opportunity over time to develop a model and approach that not only utilizes our toolset efficiently but also allows businesses to understand and analyze themselves in a non-tangible way. A colleague of mine compared this to the patterns approach used in OOP, and I can see why. The benefits are much greater than a standard numerical or even ROI approach, and will allow RBAC to start becoming a well-versed approach to access modelling rather than a longer-term dream of provisioning.

Thursday Mar 19, 2009

Ex-Vaau colleagues in the US have created a great new internal Wiki that contains substantial documentation and training material for Sun Role Manager.  The Wiki is available on SWAN and, after registering for an account, gives access to great labs, video sessions and tutorials on some of the key features of the Role Manager solution, including role engineering and role management.

Check it out at http://gte3.central.sun.com:8080/wiki/Login.jsp?redirect=Main.


Friday Mar 06, 2009

I was recently engaged with an EMEA customer who was starting to evaluate role mining tools and methodologies to allow them to start developing an RBAC model for user access and provisioning.  The organization already had some concept of application-specific metagroups or universal groups that allow the pairing of users from different areas to access similar entitlement sets.  Their main driver, as with many customers looking to utilize roles, was to migrate what they already had at an application level and attempt to group people together in an easy and time-efficient way using role and data mining techniques.

The main focus from the customer then tends to be at the application level: performing mining or clustering purely at the application level, looking at entitlements, ACEs, groups, profiles and so on, but taking no interest in the business-related characteristics of the users involved.  In my experience this can be quite dangerous.  It can be quite easy to data mine on a group of users within a single application.  You simply select which application attributes you want to analyze and the role generation tool - whether that's Sun Role Manager or not - will simply analyse the data it's presented with and produce a recommended list of roles.

These roles will contain groups of users mapped to values of the attribute you wanted to analyse within the application.  The resulting roles are simply a list of user accounts mapped to potentially several hundred application-specific groups.  As a pure data mining exercise I am sure this is quite exciting: looking at attribute values, performing a simple boolean evaluation against every subject in the user set, and adding the user to the object listing if it matches.  Then move on to the next user...

In business terms though, what can we do with these roles?  Here's an example.  We take an Active Directory domain which contains 10k users and 30k groups.  We perform application-centric role mining, looking just at memberOf, for example, within this AD domain.  We analyze all ten thousand users and come back with - for argument's sake - 500 roles.  Each role contains approximately 20 users and 50 groups.  The roles map well.  No outliers, no users associated where they shouldn't be.  But how do you then name these roles?  This may sound like a simple question, but how do you name the roles?  The role contains so many groups that it would be impossible to associate a logical application function with it.  As we analyzed all users within the domain regardless of their location, job function or position, it is impossible to associate a business function with the role.  The roles then simply become a data classification exercise.

Without being able to name the roles and apply some sort of function, it becomes increasingly difficult to use the roles in a provisioning landscape.  How do you know which new users should be associated with the role in the future?  Who should 'own' the role?  Who needs to be contacted if the role needs to be changed?  The role will simply remain in the ownership of the IT security administration team.

The end goal of any role mining exercise is to give business value:  Reduce the time costs associated with user provisioning.  Increase audit effectiveness.  Create a stronger foundation for reporting and access management.  Improve security by imposing workflow management on entitlements with specific owners and actors.  And so on.


The main deliverable must always be to give value to the business, and the best way to achieve that is to include the non-IT functions of the organization during any role creation and mining processes.  This could be as simple as using HR data during the mining exercise, or consulting team leaders on role membership results.  The main result, though, is to be able to give a level of business understanding to the roles that are created.  This increases the level of ownership the non-IT functions will have over the role framework and increases the effectiveness of any roles created.

From a practical perspective, perform hybrid mining - include HR attributes during application mining.  Or perform business role creation first to group employees together before analyzing entitlement sets.  Engage non-IT teams and functions in access management and role engineering workshops and project initiation.  Just like any software design process, role mining is quite iterative.  It requires customer involvement for feedback and understanding to help bridge the gap between the business and technical streams.  A business analyst role (pun intended) can help with this by bringing the business requirements together with the IT tooling.

Like any technical IT project, no matter how fancy or clever a piece of software is, it MUST give business value.  The best way to do that is to include the business in every step practically possible.
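The AD memberOf example above, together with the top-down / bottom-up / hybrid split described in the Aug 25 post, as an added example (constructed here, not Sun Role Manager's mining algorithm): a plain exact-match clustering over a made-up directory shows a bottom-up cluster that cannot be named, the same clusters labelled once HR attributes are consulted, and a top-down job-function role that surfaces an exception for a role owner to review. All users, groups, departments and thresholds are invented.

```python
"""Bottom-up, top-down and hybrid role mining over a constructed user set.

Added example, not Sun Role Manager's mining algorithm: plain exact-match
clustering written to show why application-only mining yields roles that
cannot be named, and how HR attributes (department, job title) fix that.
Every user, group and department below is made up.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class User:
    dept: str               # HR attribute
    title: str              # HR attribute
    groups: FrozenSet[str]  # AD memberOf values (the application data)


def u(dept: str, title: str, *groups: str) -> User:
    return User(dept, title, frozenset(groups))


# Constructed sample directory: three real job functions, three one-off users
# who happen to share a minimal group set, and one sales user holding a
# finance data-entry group.
USERS: Dict[str, User] = {
    "u01": u("Finance", "AP Clerk", "GL_RO", "AP_Entry", "VPN"),
    "u02": u("Finance", "AP Clerk", "GL_RO", "AP_Entry", "VPN"),
    "u03": u("Finance", "AP Clerk", "GL_RO", "AP_Entry", "VPN"),
    "u04": u("Finance", "Controller", "GL_RW", "AP_Approve", "VPN"),
    "u05": u("Finance", "Controller", "GL_RW", "AP_Approve", "VPN"),
    "u06": u("Finance", "Intern", "GL_RO", "VPN"),
    "u07": u("IT", "Contractor", "GL_RO", "VPN"),
    "u08": u("Sales", "Assistant", "GL_RO", "VPN"),
    "u09": u("Sales", "Account Mgr", "CRM_Users", "VPN"),
    "u10": u("Sales", "Account Mgr", "CRM_Users", "VPN", "AP_Entry"),
}

JobFunction = Tuple[str, str]  # (dept, title)


def job_function(user: User) -> JobFunction:
    return (user.dept, user.title)


def bottom_up_roles(users: Dict[str, User], min_users: int = 2) -> Dict[FrozenSet[str], List[str]]:
    """Application-centric mining: cluster users holding an identical group set.

    This is the 'look only at memberOf' exercise from the post. It knows
    nothing about the business, so each cluster is just accounts -> groups.
    """
    clusters: Dict[FrozenSet[str], List[str]] = defaultdict(list)
    for uid, user in users.items():
        clusters[user.groups].append(uid)
    return {groups: sorted(members) for groups, members in clusters.items()
            if len(members) >= min_users}


def label_role(members: List[str], users: Dict[str, User], purity: float = 0.8) -> str:
    """Name a mined cluster after its dominant HR job function, if one dominates."""
    counts = Counter(job_function(users[uid]) for uid in members)
    (dept, title), top = counts.most_common(1)[0]
    if top / len(members) >= purity:
        return f"{dept} / {title}"
    return "UNNAMED (no dominant business function)"


def hybrid_roles(users: Dict[str, User], min_users: int = 2, purity: float = 0.8) -> List[Dict[str, object]]:
    """Hybrid mining: bottom-up clusters, then HR data to give each a business name."""
    return [{"name": label_role(members, users, purity), "groups": set(groups), "members": members}
            for groups, members in bottom_up_roles(users, min_users).items()]


def top_down_roles(users: Dict[str, User], coverage: float = 0.8) -> Dict[JobFunction, FrozenSet[str]]:
    """HR-first mining: per job function, the groups held by at least `coverage` of its people."""
    by_job: Dict[JobFunction, List[User]] = defaultdict(list)
    for user in users.values():
        by_job[job_function(user)].append(user)
    roles: Dict[JobFunction, FrozenSet[str]] = {}
    for job, people in by_job.items():
        counts = Counter(g for person in people for g in person.groups)
        roles[job] = frozenset(g for g, n in counts.items() if n / len(people) >= coverage)
    return roles


def exceptions(users: Dict[str, User], roles: Dict[JobFunction, FrozenSet[str]]) -> Dict[str, Set[str]]:
    """Groups a user holds beyond their job-function role: what a role owner must review."""
    out: Dict[str, Set[str]] = {}
    for uid, user in users.items():
        extra = set(user.groups) - roles.get(job_function(user), frozenset())
        if extra:
            out[uid] = extra
    return out
```

The {GL_RO, VPN} cluster is a perfectly clean bottom-up role that no one can own or name, while the top-down pass flags the Sales account manager's AP_Entry membership, which application-only mining silently dropped as a single-user set.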

Thursday Feb 12, 2009

This month saw the release of a market overview paper by the research group Forrester focusing on Identity Compliance and Enterprise Role Management.  Sun, with its Role Manager solution, was named as the vendor with the largest market share in 2008 as well as being one of the vendors with the largest number of active production customers.  The paper focused on the main players in the certification and RBAC marketplace as well as the niche vendors who are developing customer-ready solutions with success.

The core reasons for developing a role management solution are generally agreed to be the benefit of increased security, faster user administration and better reporting.  Certification and business understanding of the user access process are also seen as a by-product of the initial role engineering process.

The increased demand for complete identity provisioning, certification and role management solutions has led Forrester to estimate the 2008 market to be worth in the region of $70m with 'high double digit' growth.  In times of economic downturn, large-scale company restructuring and redundancies, the need for short-term identity cleanup and faster user provisioning should see this revenue opportunity grow further.

The Forrester report also listed Sun as having the largest number of users with entitlements managed in a single deployment, with over 1.1m under control.

The Sun Role Manager solution is based on the Vaau RBACx product acquired in 2008.  Vaau had a strong history of consultancy in the certification and role management space and this has allowed Sun to continue to dominate large opportunities especially in the financial services sector.

The technical strengths of the SRM solution are also evident in its ability to work on virtually any J2EE platform, without the need for complex adapter development or large-scale integration time.  Of the vendors analysed, Sun was part of a select group of only three with a fully functioning WSDL web services interface documented and available for third-party integration.

The 12 months since the acquisition of Vaau have seen the Sun solution seize the initiative in the market place, driving strategy and shaping the once buzz topic into a high revenue emerging market.


Friday Nov 28, 2008

Yesterday I was invited by my Dutch colleagues to present a Technology Track session hosted by the Identity Software Sales Practice in Holland.  The event was well attended, and approximately 70 existing and new customers came to view presentations on the new Identity Manager 8.0 feature set, partner-prepared case studies, as well as my short talk on Sun Role Manager and its position and offering within the Sun Identity Portfolio.  I focussed my 45-minute talk on Access Compliance - what it is, how to achieve it and how Sun can provide an integrated solution to allow organisations to become 'compliant' and, more importantly, stay 'compliant'.

Compliance, GRC and Identity Risk Management are all the recent cool 'buzz' words surrounding the need for large-scale companies to become more in control of the access employees receive in order for them to do their jobs.  In my presentation I focussed on the need for a complete and more rounded solution in order to achieve compliance, utilising not only Sun Identity Manager (SIM) as a user CRUD enforcer but also Sun Role Manager (SRM) as the starting point for compliance.

The main starting point is generally the need to clean up existing entitlement data through the certification, attestation and detective audit features of SRM.  This helps create a baseline entitlement framework which SIM can consume, enforcing the remediation tasks that SRM has identified.  The next stage is to then attempt to compartmentalise user entitlements into a roles-based framework.  This is achieved by using the role discovery and entitlement discovery wizards within the role engineering module of SRM.  By selecting a group of users, teams or applications, SRM's data mining algorithms recommend roles with a high degree of flexibility and accuracy.  Those roles are simply a collection of employees with similar entitlements or business characteristics.  The role framework then allows the user provisioning process to become less error-prone, simplified and more able to enforce the concept of least privilege.

The use of SRM as the authority for compliance and roles engineering and mapping allows SIM to consume both the roles and remediation tasks before enforcing the results through SIM's adaptor framework against the online applications.

The remainder of my presentation then focussed on the growing need for role management once a roles framework has been created.  This is used to manage the role life cycle, from role changes to role decommissioning, through to role approval and verification, role SoD management and role consolidation.  One of the newer features of SRM 4.1 is the concept of role 'rollback' (pun intended).  Each role within the SRM repository has a version number assigned and a history catalog showing exactly what changes the role has gone through.  The advanced rollback feature allows a previous version to be selected and, after approval, allows a 'go back in time' or 'entitlement rollback' scenario to be completed.

I ended my presentation with a simple use case from the new Identity Management Sales Engineer demonstration platform, showing the seamless integration between SIM 8.0.1 and SRM 4.0.1.  The use case showed the data flow between SIM and SRM when a user is on-boarded into an organisation through the HR auth source.  The identity was created both in SIM and SRM automatically, whilst role provisioning rules in SRM were simultaneously checked to find a list of roles suitable for my new employee.  Roles were automatically assigned and sent seamlessly back to SIM for provisioning.

The presentation was well received and hopefully gave an insight into how organisations can attempt to focus on longer term compliance goals with an integrated one vendor solution rather than having smaller scale disjointed efforts.


Friday Nov 21, 2008

Over the last few months we have seen the global economic downturn develop from what might have been a small-scale issue affecting sub-prime mortgage lending in the United States into a full-blown global slowdown, with the potential for 18-24 months of stagnated world growth.  All major capitalist economies are impacted, as well as the likes of China and Russia who have invested heavily in 'western' currencies, stocks and assets.  The result?  Well, major financial organisations have been the worst hit, and the numerous mergers, redundancies and downsizing operations now taking place in the US, the UK and EMEA are well documented.

What does this mean?  Well, obviously for those companies involved, a great deal of pain, soul searching and tough decision making in the short term, as well as the distress, anger and worry for the employees impacted by redundancy.  However, the organisations need to continue functioning and providing services to their customer base the same as before.  They also still need to adhere to the stringent identity compliance regulations that were in place before the major issues of the last 12 months.  If anything, the regulations will now start to become even more robust, requiring organisations in the financial trading and lending arena to prove not only that they have the business processes in place that reflect prudent economic management, but also the information security controls that allow those processes to be upheld.

Either way, this can lead to major opportunities for identity compliance and cleanup.  Once an organisation has decided on an employee cull, the user accounts, email addresses and ACLs will need to be deprovisioned and tidied.  Sun's Identity Compliance Manager - http://www.sun.com/software/products/icmgr/index.xml - is the market-leading solution for this, where orphaned and obsolete identity data can easily be identified and cleaned.

So, whilst the economic downturn will impact organisations due to the lack of spending on new technology and services, compliance technology is often seen to be 'recession proof' in its ability to create a niche clean up opportunity to help organisations streamline and build again.


Friday Nov 14, 2008

Yesterday CA announced that it had signed a definitive agreement to purchase role and compliance outfit Eurekify.  http://www.ca.com/us/press/release.aspx?cid=192039.

The Israeli-based outfit has been in the roles market for several years as a niche player, having had partner relationships with IBM and CA.  As per some of the industry commentary over the last 12 months, we're starting to see the acquisition of what were niche players in the roles and compliance landscape.  As identity management matures to a level where provisioning, data and password synchronization become the norm and accepted standard for large-scale organisations, we're now seeing the need for key differentiators in the identity management space.  Roles are that key differentiator.  Sun's acquisition of Vaau back in February 08 (http://www.sun.com/software/products/rolemanager/index.xml) gave us the lead with respect to offering an integrated solution for identity management as well as role definition and identity compliance.  The rest of the marketplace now seems to be catching up, which will prove interesting competition in the months ahead.

This blog copyright 2009 by Simon Moffatt