Mark Dixon's quest to explore the world of Identity Management
test blog
This is a test of ScribeFire and will be deleted soon.
ScribeFire with Flock
 I am experimenting with the use of ScribeFire for blogging. It seems to work well within Flock.
Flock 2
I installed the first public beta of Flock 2 ("Flock 2 with Firefox inside") last night. Other than the fact that I lost my favorites bar links in the process, things went quite smoothly. I was also able to download and install my favorite extensions. Technorati Tags: Flock, Firefox, Blogging
Wordle-izing Identity
Here is a "wordle" of this blog. Thanks to Eve Maler for the tip.
Technorati Tags: Identity, Digital Identity, Identity Management, Wordle
Merry-go-round Electricity Generators
Can you even imagine going to a school that has no electricity and no playground equipment? I learned today that 10,000 public schools in Ghana have no power source.
Please take a few moments and watch this short video about how a simple merry-go-round provides fun for Ghana school children while generating electricity to light their school room. It makes me awfully proud of my alma mater, BYU, where engineering students worked with Empower Playgrounds to design and install a power-generating merry-go-round in Essam, Ghana.
Just think of what opportunities await these kids if this will help them get access not only to electric lights, but computers and the mobile Internet!
Great stuff!
Technorati Tags: Ghana, BYU
Catalyst: Top Ten List
To complement the summaries of Catalyst Conference sessions I posted last night, I offer you my "Top Ten List" of major themes addressed in the conference, presented in David Letterman-esque reverse order, from the more mundane to the more futuristic or controversial:
10. The provisioning market is quite mature, with success predominating in most projects and real business value being captured. The focus is now on using best practices to ensure successful vendor selection and project implementation.
9. Federation technology is ready for prime time, particularly with recent improvements which ease implementation and use. Focus must be given to the business and relationship issues that enable use of federation.
8. Role management is becoming mainstream, with particular focus on enhancing provisioning and compliance auditing. Additional use of business roles to give visibility to business performance may emerge in the future. There is emerging demand for standards to enable exchange of roles between different Identity Systems.
7. Passwords are still the most widely used method of Authentication. Stronger authentication methods using biometrics and smart cards have seen slow adoption. Strong Identity Assurance, including strong registration methods, is increasingly needed.
6. Effective management of privileged accounts, which represent a major risk area for enterprises, is not effectively covered by existing Identity management systems. Additional work is needed to really address this gap.
5. Identity Services are emerging both as an "Identity as a Service" business model and as a way to access functionality in existing Identity products. Identity customers, particularly members of the Identity Services Working Group, are asking for standards to enable interoperability of Identity Services.
4. On some fronts, Attribute Based Access Control is favored over Role Based Access Control, such as in the federal government, where uniform role definitions cannot be reached across multiple agencies. Work will be needed to more clearly define where each method, or a combination of methods, should be used.
3. The chasm between user-driven Identity and enterprise Identity management may ultimately be bridged by leveraging elements of both disciplines.
2. "GRC" is a "four letter word." Because GRC is neither a market nor a distinct solution, using the GRC term tends to confuse the discussion of Governance, Risk Management and Compliance disciplines, which are distinct and valuable enterprise activities, all performed by different people.
And finally ... drum roll please ...
1. The hot new buzzword is Relationships, which give context to Identities. A Relationship Object Model was proposed to be used as a basis for leveraging formally-defined relationships in Identity systems.
Technorati Tags: Identity, Digital Identity, Identity Management, Catalyst Conference, BurtonGroupCatalyst08
Catalyst Conference Recap
Good intentions are not always realistic. I resolved last week when I attended the Burton Group Catalyst Conference that I would provide a detailed outline of each session I attended so my colleagues who were unable to attend would be able to get an in-depth view of the content I learned. I actually started out in fine fashion (Are We There Yet?, A New Era, Iceberg and Relationships), but quickly realized that it was taking me just as long to post details on each session as it was to attend the session in the first place. Alas, my ambitions had outstripped the time available to accomplish my task.
So, in abbreviated form, I have now provided a synopsis of each session I attended, summarizing the content into a few bullet points I thought most relevant:
If you would like to see more, please let me know and I'll send you a copy of my raw notes, or we can set up a time to discuss it on the phone.
Additionally, you may be interested in visiting my Catalyst Conference photo set on Flickr.
Technorati Tags: Identity, Digital Identity, Identity Management, Catalyst Conference, BurtonGroupCatalyst08
Catalyst: Day 3 - June 27
My summary of the salient points addressed in each Burton Group Catalyst Conference session I attended on Friday, June 27, 2008, is included below:
Anne Thomas Manes - The Business Value of Reusable Infrastructure Services
- The Infrastructure Services Model applies SOA principles to infrastructure (security, resource allocation, etc.). This model will yield consistency across traditional boundaries in an enterprise.
- The service model virtualizes infrastructure functions so developers can focus on writing business code, and security functions can be separated externally from business functions within applications.
- This model will allow infrastructure to become as pervasive and easy to use as the network, allowing policies to be defined centrally and propagated outward to multiple application environments.
- A lack of standards and conventions is impeding industry progress.
- Implementing an Infrastructure Services Model is currently technically difficult, but standards may emerge and vendors may eventually deliver solutions that ease the process.
Russ Reopell (The MITRE Corporation) - Security and Information Sharing in a SOA Environment: Using Policy Decisioning to Protect your Data
- Attribute-Based Access Control (ABAC) is being used rather than RBAC because the DoD is an enterprise of enterprises and agreement on role definition can't be reached across organizations.
- ABAC allows access to services based on policy rules which determine whether a subject can access a resource.
- ABAC involves choosing attributes that can be used for authorization and defining rules on how to grant access based on those attributes.
- ABAC accommodates "unanticipated" users, i.e. subjects for whom no user account exists in the target system.
- Current pilot ABAC projects in the DoD address authorization, directory and credential validation services across multiple military service boundaries.
Barney Sene (Corporate VP & CTO, Ingram Micro) - Case Study: Infrastructure Services in an SOA Environment
- The major driver for this program was to enhance business agility to rapidly adjust to changing markets.
- The biggest pain point was how application changes had broad effects because of the use of point-to-point interfaces between applications.
- The most challenging aspect of the program was getting people on board and supportive.
- They began by capturing business requirements and building services around a baseline set of highest priority requirements (e.g. address validation, credit card validation).
- An infrastructure services program is a journey over time. Ingram Micro is in the third year of the program.
Kevin Kampman - Making the Case for Interoperable Identity Services: A Community Perspective
- The Identity Services Working Group (ISWG) includes global organizations which invest in internal and external solutions.
- The objective of the group is to move the industry toward Service Oriented Identity (SOI).
- The Identity Services matrix produced by the working group shows that no one vendor covers all areas.
- Vendors are providing individually focused services, but lack of interoperability puts burden of integration on customers.
- Burton calls for vendors and standards groups to participate in the ISWG dialog.
Identity Services Roundtable: Customer Perspectives from the Identity Services Working Group
Panel participants:
- Gavin Illingworth (Bank of Montreal)
- Susan Staples-Holt (MassMutual Financial Group)
- Andrew Cameron (GM)
- Kevin Kampman (Burton Group)
- Chris Harvison (Scotiabank)
Discussion:
- Identity suites are not the complete answer. Vendors need to get out of a silo mentality. Just having identity services is not sufficient - they need to be the same across multiple vendors. Interoperability standards are needed.
- The real value of Identity Services is process optimization. Optimizing the process through Identity services also gives benefits of compliance.
- Federation is one area where technology has gone ahead of business. Federation is currently less of a technology challenge and more of a business issue.
- A federated hub model with a third party broker introduces complexity because trust is no longer point to point and new trust relationships must be established.
- Banks have a chance to be Identity providers in a larger network. They already have a good face-to-face registration process.
Technorati Tags: Identity, Digital Identity, Identity Management, Catalyst Conference, BurtonGroupCatalyst08
Catalyst: Day 2 - June 26
My summary of the salient points addressed in each Burton Group Catalyst Conference session I attended on Thursday, June 26, 2008, is included below:
Bob Blakley: Governance, Risk and Compliance
- "GRC" is a four letter word. It is not a market or solution.
- Governance, Risk Management and Compliance are distinct activities, performed by different people.
- Governance works best when it acts as round trip management.
- Don't allow your risk management and compliance software to be a substitute for risk management and compliance, though.
- Measure compliance on loss avoidance, not just liability avoidance.
Nick Leeson: Risk Management in the Real World
- Good risk management and good corporate governance don't automatically transfer from the classroom.
- In rapidly-expanding markets, not all controls are in place. Control mechanisms don't develop anywhere near as quickly as trading mechanisms.
- The interface between systems and the human element is the key; humans are needed to interpret results shown by systems.
- The need for success creates a chasm between humans and systems. He was driven by a need for success and fear of failure.
- Each company's internal controls should be beyond reproach.
Jay Leek (Nokia, Inc.): Enterprise Risk Management - Seeing the Forest and the Trees
- Risk management is not just about security. It is a business requirement.
- Without identified owners for risk and assets, nothing is actionable.
- Data from multiple data sources must be collected, correlated and reconciled to better evaluate who owns the risks and what the risk posture is for the organization.
- Enterprises should work toward a unified Risk Management Program by consolidating existing data, turning data into risk information and effectively communicating risk information to multiple stakeholder organizations in their language.
- Risk management is not a destination. It is an ongoing process.
Ken Anderson, Trent Henry: The Tools Landscape for Orchestrating Risk and Compliance
- A unified view of risk and compliance at higher level in organization usually doesn't happen, because operational groups take care of themselves.
- Enterprise risk management is not so much a tool as a way to look at risk.
- Burton proposes a risk and compliance product pyramid with 1) a foundation of Identity Management, resources, people and process, 2) a middle layer of security compliance policy, orchestration controls and monitoring and 3) a top layer of audit automation and risk data collection.
- A key issue is providing information executives need, when they need it.
- Dashboards may not provide the answers a CEO wants or needs. A phone call to a responsible subordinate is usually faster.
Randall Gamby: Creating "Security Embassies" in your Information Landscape
- Organizations are struggling with a myriad of geographic, regulatory and governing rules.
- The number of security policies has exploded to cope with expanded regulatory demands from multiple nations.
- A "Security Embassy" model favors centralized authority (enterprise-defined policy) and distributed execution (local deployment).
Homan Farahmand - Going Global: Notes from the Field in Controlling the Extended Enterprise
- Global enterprises struggle with compliance as they attempt to scale to address global complexity and globally build transparency and consistency.
- Creating a global controls structure must span cultural and language differences, must be implemented across geographical regions and encompass broadly different understanding of risk and policy.
- It is difficult to create a business case for a global control program because budgets are regional.
Kevin Kampman, Ken Anderson: "Return on Organization" - Beyond RBAC
- Discussion of roles and RBAC requires that IT leaders speak in the language of the executive, focusing on the impact of RBAC on the business.
- Discussion of roles should focus on efficiency, compliance, transparency and effectiveness of outcomes.
- Roles can give an executive view of the organization by giving visibility into what the organization is really doing.
- Addressing roles within a "Return on Organization" framework can show how roles can impact organizational effectiveness.
- Role management is a strategic enabler between business and technology. It isn't a project. It is a discipline.
Tim Weil (Booz Allen Hamilton): RBAC Implementation and Interoperability Standard (RIIS)
- The INCITS CS1.1 standard addresses RBAC implementation and interoperability, including the ability to exchange roles between systems.
- Role exchange and interoperability can be helpful for companies who grow through merger and acquisition, and for the integration between components in an Identity Management product suite.
- Role-based access control vs. attribute-based access control is sometimes a religious war. A blended approach may be necessary to meet some requirements.
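As an added example, not from the conference or this blog, the small Python policy decision point below blends the two approaches discussed in the Day 3 ABAC notes and in this bullet: a subject with a local account is judged by its roles and then constrained by attribute rules, while an "unanticipated" federated subject with no local account is judged on attributes alone. The blend semantics, attribute names, clearance ordering and sample data are all constructed assumptions, not the RIIS standard or any DoD policy.

```python
"""Blended RBAC/ABAC policy decision point over constructed sample data."""
from dataclasses import dataclass


@dataclass
class Request:
    subject: dict   # attributes asserted about the requester (id, org, clearance, ...)
    resource: dict  # attributes of the protected object (type, classification, ...)
    action: str


# RBAC side: a constructed local account/role store. Federated partners have no entry.
LOCAL_ROLES = {"alice": {"analyst"}, "bob": {"auditor"}}
ROLE_PERMISSIONS = {
    "analyst": {("report", "read")},
    "auditor": {("report", "read"), ("report", "export")},
}
# ABAC side: ordering of classification labels (constructed, not a real scheme).
CLEARANCE_RANK = {"unclassified": 0, "confidential": 1, "secret": 2}


def rbac_decision(req: Request):
    """Classic RBAC. True/False for a locally known subject; None when the subject
    has no account, so no roles can be looked up (the 'unanticipated user' case)."""
    roles = LOCAL_ROLES.get(req.subject.get("id"))
    if roles is None:
        return None
    needed = (req.resource.get("type"), req.action)
    return any(needed in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def abac_decision(req: Request) -> bool:
    """Attribute rules: clearance must dominate classification, the subject's org
    must be on the resource's sharing list, and export also needs need_to_know."""
    s, r = req.subject, req.resource
    subj_rank = CLEARANCE_RANK.get(s.get("clearance"), -1)      # unknown clearance: lowest
    res_rank = CLEARANCE_RANK.get(r.get("classification"), 99)  # unknown label: deny
    if subj_rank < res_rank:
        return False
    if s.get("org") not in r.get("shared_with", ()):
        return False
    if req.action == "export" and not s.get("need_to_know", False):
        return False
    return req.action in ("read", "export")  # anything else is denied by default


def decide(req: Request) -> bool:
    """Blended PDP (assumed policy): a local subject needs a role grant AND satisfied
    attribute rules; a subject without an account is judged on attributes alone."""
    rbac = rbac_decision(req)
    if rbac is None:
        return abac_decision(req)
    return rbac and abac_decision(req)


REPORT = {"type": "report", "classification": "confidential", "shared_with": {"army", "navy"}}

if __name__ == "__main__":
    local = Request({"id": "alice", "org": "army", "clearance": "secret"}, REPORT, "read")
    federated = Request({"id": "carol@partner.example", "org": "navy", "clearance": "secret"}, REPORT, "read")
    print(decide(local), decide(federated))  # both permitted: True True
```

The federated subject never appears in LOCAL_ROLES, which is exactly the case RBAC alone cannot decide; here it is admitted or refused purely on the clearance, organization and action attributes presented with the request.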
Craig Cooper (IT Manager, Thrivent Financial): Implementing a Role Based Identity Management System
- Benefits they gained are improved controls and increased efficiencies.
- An unexpected benefit was that business was actively engaged with the IT project.
- Active executive sponsorship is the #1 critical success factor.
- They started role discovery and definition activities first, selecting high-risk areas for roles. Then the Identity Management system was implemented in parallel with the Role Management.
- Be aware of dependencies and avoid interdependent IAM and RBAC activities at the same time.
Panel Discussion: Role Management and Provisioning - Co-existence or Convergence.
Panel Participants:
- Jim Ducharme (Aveksa)
- Ron Rymon (Eurekify)
- Lori Rowland (Burton Group)
- Kevin Kampman (Burton Group)
- Nick Crown (Sun Microsystems)
- Darran Rolls (Sailpoint Technologies)
- Jeff Shukis (Oracle)
Discussion:
- Roles are a language that allows us to communicate in business terms about information access
- Roles are presently focused on enabling provisioning and access control, but may provide much broader value for the business
- Role management and provisioning can be successfully implemented in parallel. Initial emphasis on either depends on underlying business drivers and what infrastructure is in place.
- Policy management is not as mature as role management. Policy infrastructure needs to take advantage of role infrastructure.
- There is a convergence between role management and entitlement management.
Homan Farahmand, Lori Rowland: Provisioning - A Recipe for Success
- Key needs for a provisioning project include addressing the needs of many stakeholders, high-level sponsorship, reconciling isolated business policies, an overarching governance framework and aligning different perspectives.
- Identity management resources are still scarce, expensive and have a high turnover rate.
- Plan for the fact that reengineering identity repositories to handle unique IDs takes a long time.
- Understand the relative benefits of virtual identities vs. an identity store. There are advantages and disadvantages in either approach.
- Vendors need skin in the game. Don't allow vendors to abandon you after the sale.
Matthew Costello (Solution Architect, Boeing): Selecting and Implementing a COTS-based IdM Solution at Boeing
- Governance and sponsorship are critical, even at the RFP and vendor selection phase.
- Recognize that the RFP is a project in and of itself, which will require a lot of work for your company and the vendors.
- Leverage the use cases you have defined for your enterprise in a POC.
- Focus on differences, not similarities between products - and implications on the enterprise.
- Vendor selection is only the first step - after procurement, the real work begins.
Technorati Tags: Identity, Digital Identity, Identity Management, Catalyst Conference, BurtonGroupCatalyst08