
June 2006 Archives

June 2, 2006

Reading the Information Security Breaches Survey

PwC recently published the "Information Security Breaches Survey 2006" report, sponsored by the Department of Trade and Industry (DTI) in the UK. The 8th such survey is aimed at raising awareness among UK businesses of the risks they face in the internet age. Below are some highlights from my quick read through it, and some thoughts.

Identity Management:

  • Staff misuse of information systems is the single largest source of incidents for large businesses. Overall, though, the conventional picture that most security breaches are internal does not hold true. Internal breaches do, as expected, prove to be far more costly.
  • Especially interesting to me was the report's assessment that only 1% of UK companies have a comprehensive approach to Identity Management, with an overwhelming majority saying that there is no need to improve it. In an environment that is increasingly connected, mobile and open, and where practices like outsourcing and offshoring are becoming more commonplace, that is a serious problem of perspective. It indicates that we need to do a better job of making businesses aware of the risks they face and the options they have.
  • Surprisingly, most businesses still don't see the need for strong authentication. Businesses that have deployed strong authentication have done so only for specific applications, instead of deploying it enterprise-wide.
  • User ID and password proliferation is rampant in large businesses. As a result, the security models are weaker, and the business is more exposed. Only 1 in 4 businesses has deployed SSO.
  • The use of physical security measures is still weak, and usually limited to securing the premises. Rarely is the physical security system tied in to any kind of identity management system.
  • Regular auditing of processes and access is increasing, especially in companies following an offshore model, and even more so in businesses subject to Sarbanes-Oxley compliance.
  • Businesses that accept electronic access requests without automated user provisioning behind them are more likely to experience unauthorised access.
  • There is a growing awareness that I&AM is not just about technology, but also about how security is woven into the way we do business.
Other tidbits:
  • The report states that the increased investment in security has dampened the growth in the number of security incidents. However, the total cost of security incidents has gone up, with smaller businesses especially hard hit. Smaller businesses are reporting more incidents, while larger ones are reporting fewer.
  • Many businesses have not achieved a security-aware culture, with security projects not prioritized highly enough or not focused on key risk areas.
  • The report states that "there is a correlation between security expenditure and those firms that perform risk assessments." Firms that do a risk assessment end up spending a bigger chunk of their IT budget on security than those who don't. The implication is that firms which skip the assessment are underestimating their security needs and the types of threats they are vulnerable to.

The survey makes for an interesting read, and provides good statistical numbers to back up its assessments. It is available on the web at: DTI Information Security Breaches Survey 2006. As always, feel free to share your thoughts with me.

June 7, 2006

Defining Role Management - Part 2

In part 1 of this series, I laid out what I believe are the various disciplines that make up a complete role management solution. In this post, I will tackle the more contentious discipline: that of role definition.

Fundamentally, two camps have evolved around different approaches to the problem of defining roles. There are those that believe in the bottom-up approach of identifying roles based on forensic mining of data, while there are others that swear by the top-down approach of engineering roles based on well-defined rules and criteria. Neither approach is incorrect, and the truth is that for a lot of enterprises, using a balanced combination of both probably offers the quickest path to defining a good set of roles. The key to picking the right balance is in knowing your enterprise.

Knowing your enterprise means having a good understanding of the documented business rules that exist in your enterprise, and having a handle on the cleanliness of the data that will be fed into any mining effort. Sounds simple, right? But too often role engineering projects fail because people assume they already know these rules, whereas the reality often is that their knowledge of the rules has not stayed in lock step with the evolving enterprise, resulting in outdated roles at the end of the exercise. The same goes for data cleanliness. If the mining is going to be done based on analysis of access privileges, then any bad data (rogue accounts, orphan accounts, inappropriate privileges) will distort the roles identified, often resulting in roles that carry bad privileges. As the old saying goes, "garbage in, garbage out". A lot of our customers who are looking to embark on role mining projects have spent quite a bit of time (using provisioning, reconciliation and attestation mechanisms) cleaning up their access data in preparation for this effort. A useful exercise to undertake before starting is measuring your readiness against these two factors.

Role mining is often viewed as a good analyst tool to give the role engineering project a kick start by identifying an initial set of easy roles. There is value, however, in using it in an ongoing manner, as the iterative run-throughs can help in identifying outlier roles, special combination conditions, and further optimizations to the role definition. It can also become part of ongoing exception detection that is rolled into monitoring procedures. Mining can also help identify the patterns that will be translated into subscription rules for the various roles.

The role engineering process can take these rules and privilege patterns, and create roles based on them. It can also allow customers to deterministically define roles that are more tightly aligned with business procedures than IT ones (which is what the mining process is more likely to reveal). Business rules are easily translated into subscription rules, and can be tied to privilege policies that are desired (as opposed to detected). A newer area of role management is the area of relationship/context based roles. These role decisions are not as deterministic and static in nature, and are less likely to be divined using a mining tool. However, they are much more likely to represent business roles that correctly reflect the state of your enterprise, and the context sensitive needs of your applications.

These roles, once engineered, can be fed back into the mining process to refine the pattern recognition, starting the whole process again, until a suitable equilibrium is reached. This is reflected in the flow below.
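To make the two halves of this loop concrete, here is an added example (my own illustration, not code from any Oracle product) of the mechanics on a constructed data set. The HR feed, the reconciled account/privilege view, the privilege names and the people in it are all made up. The bottom-up half clusters accounts that hold identical privilege sets into candidate roles and suggests the HR attributes those members share as the seed of a subscription rule; the top-down half declares a role as a rule plus the privileges it is desired to grant, and diffs that against actual access to surface outliers. It also shows why the data-cleanliness gate matters: an orphan account (no HR owner) left in the input inflates a mined role's membership, and a peer holding an extra approval right gets that right baked into the mined role.

```python
"""Toy role-definition loop on constructed data (added example, not Oracle's code).

Bottom-up: cluster accounts with identical privilege sets into candidate roles
and suggest the HR attributes that could become a subscription rule.
Top-down: declare a role as a subscription rule plus the privileges it should
grant, then diff against actual access to surface outliers.
"""
from collections import defaultdict

# Constructed HR feed: the authoritative list of people and their attributes.
HR = {
    "alice": {"dept": "finance", "title": "analyst"},
    "bob":   {"dept": "finance", "title": "analyst"},
    "carol": {"dept": "finance", "title": "manager"},
    "dave":  {"dept": "eng",     "title": "developer"},
    "erin":  {"dept": "eng",     "title": "developer"},
}

# Constructed reconciled view of accounts and their privileges across targets.
# "svc_legacy" has no HR owner (an orphan) and "bob" holds an approval right
# his peer alice does not; both are the kind of bad data the post warns about.
ACCOUNTS = {
    "alice":      {"gl:read", "ap:submit"},
    "bob":        {"gl:read", "ap:submit", "ap:approve"},
    "carol":      {"gl:read", "ap:submit", "ap:approve"},
    "dave":       {"repo:push", "ci:run"},
    "erin":       {"repo:push", "ci:run"},
    "svc_legacy": {"gl:read", "ap:submit", "ap:approve"},
}


def orphan_accounts(accounts, hr):
    """Accounts with no owner in the authoritative source; clean these up first."""
    return {acct for acct in accounts if acct not in hr}


def mine_roles(accounts, hr, min_members=2, exclude_orphans=True):
    """Bottom-up: a candidate role is a privilege set shared by >= min_members accounts.

    Returns {frozenset(privileges): {accounts}}. Leaving orphans in (the dirty
    case) lets unowned accounts inflate role membership.
    """
    by_privs = defaultdict(set)
    for acct, privs in accounts.items():
        if exclude_orphans and acct not in hr:
            continue
        by_privs[frozenset(privs)].add(acct)
    return {p: m for p, m in by_privs.items() if len(m) >= min_members}


def suggest_rule(role_members, hr):
    """HR attributes common to every member: the seed of a subscription rule."""
    attrs = [hr[m] for m in role_members if m in hr]
    if not attrs:
        return {}
    common = dict(attrs[0])
    for a in attrs[1:]:
        common = {k: v for k, v in common.items() if a.get(k) == v}
    return common


def engineer_role(name, rule, privileges):
    """Top-down: a role is a subscription rule (predicate over HR attributes)
    plus the privileges it is desired to grant, as opposed to detected."""
    return {"name": name, "rule": rule, "privileges": frozenset(privileges)}


def members(role, hr):
    """People the subscription rule selects."""
    return {p for p, attrs in hr.items() if role["rule"](attrs)}


def outliers(role, accounts, hr):
    """Members whose actual privileges exceed what the engineered role grants."""
    extra = {}
    for p in members(role, hr):
        excess = accounts.get(p, set()) - role["privileges"]
        if excess:
            extra[p] = excess
    return extra


if __name__ == "__main__":
    print("orphans:", orphan_accounts(ACCOUNTS, HR))
    for privs, who in mine_roles(ACCOUNTS, HR).items():
        print("mined role", sorted(privs), "members", sorted(who),
              "suggested rule", suggest_rule(who, HR))
    analyst = engineer_role(
        "finance_analyst",
        lambda a: a["dept"] == "finance" and a["title"] == "analyst",
        {"gl:read", "ap:submit"},
    )
    print("outliers for", analyst["name"], outliers(analyst, ACCOUNTS, HR))
```

Two things are worth noticing when you run it. Mining pairs bob with carol (identical privilege sets) and suggests the rule `dept == finance`, so adopting that mined role as-is would hand `ap:approve` to every finance employee, alice included: the mined role has inherited bob's bad privilege. The engineered finance_analyst role, built from the desired privileges, instead flags bob as an outlier, which is the feedback the engineering phase sends back into the next mining pass. Running `mine_roles` with `exclude_orphans=False` shows the other distortion: the unowned `svc_legacy` account joins the approver role's membership.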

[Figure: the role definition process flow]

Often, the needs of the enterprise will dictate which phase of the role definition flow you start with and put the emphasis on. Role engineering definitely gets the call if the priority is to clean house. Conversely, role mining gets the call if the enterprise feels reasonably assured of the stability and correctness of its existing access data, and simply wants to introduce automation and better manageability. How many times you iterate through the flow will end up being dictated by your readiness factor (as described above). But, as stated before, adopting the flow is an invaluable tool in ensuring your enterprise IdM stays up-to-date with the evolution of your business.

June 13, 2006

Phil Becker identifies the top 5 Identity Fallacies

Phil Becker has written an interesting series of articles about the top 5 fallacies which appear and reappear in identity discussions, technologies and deployments. It makes for pretty interesting reading, so check it out at the Digital ID World Blogs. I wanted to comment on fallacy #3: Centralized Management Means Centralized Data.

In his article, Phil argues that current identity management projects preach centralization of identity data in an effort to gain centralized management and control. The fluid nature of identity, and the way in which its daily management is distributed (delegated) among different entities in an enterprise, means that centralization efforts are doomed to ineffectiveness and failure, since they are in essence at odds with the realities of the business.

I agree with Phil on this point when one considers centralization of identity data for operational purposes. However, I will draw a distinction between centralization and aggregation of identity data. Centralization tries to promote a reference model, fundamentally changing the operation of a distributed enterprise. Aggregation is not as invasive, and is more of an ETL operation aimed at creating a centralized view of the enterprise.

Aggregation of data is necessary for specific types of management applications that need a centralized infrastructure. Two big use cases that are very popular right now are driven by compliance needs: attestation (aka recertification), which I have touched upon in previous posts, and enterprise-wide SoD (separation of duties) enforcement.

A complex application like attestation cannot succeed in a virtualized environment. There are technical reasons for this: pulling the distributed data together on demand, in a form a reviewer can actually use, is not practical, no matter how advanced virtualization gets. There are also business reasons: attestation requires temporal integrity of the data (every reviewer must be certifying the same consistent, point-in-time snapshot), which cannot be guaranteed in a distributed environment. So data aggregation will occur. Enterprise-wide SoD, which crosses a lot of the boundaries that the distributed environment has, also requires some measure of aggregation in order to be practically achievable.
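An added example of what that aggregation step looks like in practice (my own illustration, not code from any Oracle product). The three per-system extracts, the account-to-person correlation table and the SoD rules are all constructed for the example. The point it demonstrates is twofold: the SoD violation here (creating a vendor in the ERP system and releasing payments in the banking system) is invisible when either system is checked on its own, and only appears once both extracts have been folded into a single per-person view; and the attestation package refuses to build if the extracts were taken too far apart in time, since reviewers would otherwise be certifying a state of the enterprise that never actually existed. Accounts that cannot be correlated to a person come out as exceptions for the reviewer rather than being silently dropped.

```python
"""Aggregating per-system access extracts into one view for attestation and
enterprise-wide SoD (added example, not Oracle's code; all data constructed).
"""
from datetime import datetime, timedelta

# Constructed per-system extracts as a reconciliation job might land them:
# (system, time the extract was taken, {account: {entitlements}}).
EXTRACTS = [
    ("erp",  datetime(2006, 6, 13, 1, 0),
     {"jsmith": {"vendor:create"}, "mlee": {"vendor:create", "po:approve"}}),
    ("bank", datetime(2006, 6, 13, 1, 5),
     {"john.smith": {"payment:release"}, "svc_pay": {"payment:release"}}),
    ("ad",   datetime(2006, 6, 13, 1, 2),
     {"jsmith": {"grp:finance"}, "mlee": {"grp:finance"}}),
]

# Constructed correlation table: (system, account) -> person id from HR.
# "svc_pay" in the bank system is deliberately left unmapped.
OWNERS = {
    ("erp", "jsmith"): "p100", ("bank", "john.smith"): "p100", ("ad", "jsmith"): "p100",
    ("erp", "mlee"): "p200", ("ad", "mlee"): "p200",
}

# Constructed SoD rules: a person must not hold every entitlement in one combo.
SOD_RULES = {
    "create-vendor-and-release-payment": {("erp", "vendor:create"), ("bank", "payment:release")},
    "raise-and-approve-po": {("erp", "po:create"), ("erp", "po:approve")},
}


def snapshot_is_consistent(extracts, max_skew=timedelta(minutes=10)):
    """Temporal integrity check: all extracts must come from (nearly) the same
    moment, otherwise reviewers would certify a view that never existed."""
    times = [taken for _, taken, _ in extracts]
    return max(times) - min(times) <= max_skew


def aggregate(extracts, owners):
    """ETL step: fold per-system accounts into per-person entitlement sets.
    Accounts that cannot be correlated to a person are returned as exceptions."""
    per_person, unowned = {}, []
    for system, _, accounts in extracts:
        for acct, ents in accounts.items():
            person = owners.get((system, acct))
            if person is None:
                unowned.append((system, acct))
                continue
            per_person.setdefault(person, set()).update((system, e) for e in ents)
    return per_person, unowned


def sod_violations(per_person, rules):
    """Which person breaks which rule; cross-system combos are only visible here."""
    return {(person, name)
            for person, ents in per_person.items()
            for name, combo in rules.items()
            if combo <= ents}


def attestation_package(extracts, owners, rules):
    """Build what a reviewer would certify, refusing inconsistent snapshots."""
    if not snapshot_is_consistent(extracts):
        raise ValueError("extracts too far apart in time; recollect before attesting")
    per_person, unowned = aggregate(extracts, owners)
    return {"entitlements": per_person,
            "uncorrelated": unowned,
            "sod": sod_violations(per_person, rules)}


if __name__ == "__main__":
    pkg = attestation_package(EXTRACTS, OWNERS, SOD_RULES)
    for person, ents in pkg["entitlements"].items():
        print(person, sorted(ents))
    print("uncorrelated accounts:", pkg["uncorrelated"])
    print("SoD violations:", pkg["sod"])
```

The 10-minute skew window is an assumption for the example; in a real deployment it would be set by how fast the target systems can be extracted and how much drift the auditors will accept. Note that p200 holds `po:approve` but not `po:create`, so the second rule correctly stays quiet.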

Phil says "The shift from a directory-centric view of identity management to a provisioning-centric view of identity management is the first step down this road". Provisioning systems provide a single, standardized mechanism by which the flow of identity data into the enterprise starts.

Catalyst is the place to be if you care about Identity

Burton Group's Catalyst Conference is one of the biggest technology events in North America, and is being held in San Francisco this week. If you care about Identity, it is one of the premier conferences to attend, because the conference usually fosters some really in-depth discussions into topics that are at the forefront of the Identity arena. This year, topics in the Identity and Privacy Strategies track will include talks around role management and user-centric identity, two topics that I am deeply interested in.

Having established itself as one of the leading IdM vendors, Oracle is planning on having a substantial presence at Catalyst. The message for this year is "Secured with Oracle", describing Oracle's commitment to providing a comprehensive set of enterprise security offerings to meet the security and compliance needs of global organizations in various fields, whether it be IdM, SOA or Data Management. There will be some talks that highlight Oracle's leadership position. Jim McDonald, Manager of IT at Ingersoll Rand, will be giving a talk on "identity enabling a dealer portal" on Friday. Vipin Samar, VP of Database Security, is giving a talk entitled "Vendors, products and technologies in the control layer; making them fit" on Thursday.

On the evening of June 14th from 6 pm to 9:30 pm, Oracle will be hosting a large hospitality suite. The suite will hold 12 dedicated Oracle demo stations, 6 of those showcasing Identity Management solutions, 3 with SOA offerings and another 3 for our database security offerings. In addition, the suite will also have an Oracle Partner Pavilion showcasing some of the joint offerings that Oracle has developed with key partners. Hopefully we will be able to showcase the fact that Oracle's offerings, along with those of our ecosystem of partners, offer the most comprehensive set of security solutions.

I will of course be at the event, participating in the evolving discourse around Identity. If you are going to be there, look me up either at the sessions or at our hospitality suite, and we can chat about the identity market and where it (and we at Oracle) are headed.

June 14, 2006

Where does User-Centric Identity fit into the Enterprise?

One area that I have been paying a lot of attention to recently is the scaldingly hot area of user-centric identity. No other area in identity management is generating as much interest in the community. While this is extremely gratifying (because the ultimate goal is to make our lives better and more secure, and who doesn't want that?), I have been concerned about the lack of clarity regarding the impact that this emerging discipline will have on my particular problem domain - enterprise identity management.

In my experience trying to talk about this, I have mainly drawn a lot of academic responses that I have had trouble translating into applied solutions in the reality I deal with daily at my job. Recently, however, a lot of good discussion has started to happen, which makes me feel that the time is right to initiate a dialogue on the subject.

Let me say at the very outset that it is my belief that user-centric identity will play an important part not just in enterprise identity management, but in the evolution of enterprise architecture itself. However, getting there will require a fundamental change to how enterprises not only manage identities, but also how they deploy and manage applications, security and infrastructure. It is this belief that I hope to validate by initiating this dialogue.

The Missing Link?
User-centric identity has primarily (and rightfully) evolved to address the problems of identity in B2C scenarios. However, the unprecedented speed with which it has evolved means that some things may have been missed. One aspect that is missing is the B2E (Business-to-Employee) equation. Assuming that B2E is simply an extension of the B2C problem is a simplification that can take the discussion in the wrong direction.

In a recent post titled "Enterprise and Individual Identity", Kim Cameron wrote:

...the future of the corporation will unfold largely in the virtual world. What will then be more important to a corporation than its relationships with its "consumers"? The lack of a reliable grid for dealing with the individual in the digital world is, in the big picture, the most urgent corporate identity issue of our time. That's one of the reasons I was led into the problem area.

The most important thing about the identity metasystem is the way it creates a unified infrastructure reaching between the corporation (or organization) and the individual (aka consumer).

What are we going to have? One set of precepts that faces towards the inside of the corporation, and another completely different set that faces the outside? That doesn't compute, and my work on this blog applies to both sides of this boundary.

The whole evolution of business is towards a more open mesh of interconnecting organizations in which individual relationships are key. So empowering the individual within the organization will increasingly become the most important aspect of empowering the corporation. The dichotomy you propose is a false one...

Kim's post brings out some of the main challenges we face in trying to apply user-centric concepts to enterprise identity management. Those of us who have lived and breathed enterprise identity management for the last few years know that enterprise identity is a completely different beast from personal (or internet) identity. And while Kim's statement that the future of corporations will unfold in an increasingly connected virtual world is true, it is also true that most corporations are a world unto themselves within that virtual world. Within the enterprise, the different nature of enterprise identity challenges some of the solutions of scale that user-centric identity brings to the table.

The many layers of context that enterprise applications add to the identity of a user fundamentally change the rules of the game. The precepts for the world inside the enterprise boundary will differ from those used for the world outside, in that they will be extensions of the latter that cover far more advanced and far more complex situations.

This is the fundamental problem that I hope to work out over the coming weeks and months. Hopefully the conversations I have this week at Catalyst will help crystallize the solution. My feeling is that when we have the answer, we will have helped define "Enterprise Identity 2.0", which, following the arguments outlined above, will be a highly developed extension of "Identity 2.0". I will be posting a lot more about this topic, and hope to hear back from all of you on it.

Kim is right when he says:
Reliable identity-based collaboration between individual users which also integrates with organizational identity will empower both the users and the organizations. Making progress on this front is the most important single thing we can do right now to help the corporations we work for benefit from technology. That is the big picture.

About

Nishant Kaushik

An exploration of the world of Identity Management with me, Nishant Kaushik, architect for IdM products at Oracle. More...


About June 2006

This page contains all entries posted to Talking Identity in June 2006. They are listed from oldest to newest.
