
Exploring the science and magic of Identity and Access Management
Saturday, September 7, 2024

Identity Trend 7: Regulation and Compliance

Identity
Author: Mark Dixon
Tuesday, October 27, 2009
9:40 am

This post is the seventh in a series of eleven posts I am writing about key trends in the Identity Management industry.

Government regulations have been enacted to address problems with fraud, governance, security and privacy arising in various industries. For example, the Sarbanes-Oxley Act of 2002 (Sarbox) was intended to make corporate governance practices more transparent and to improve investor confidence. It addressed financial control and financial reporting issues raised by the corporate financial scandals, focusing primarily on two major areas: corporate governance and financial disclosure.

Government regulations tend to become more complex and far-reaching over time.  For example, to address the challenges of security and privacy, the Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996 to establish national standards for use of health care records. HIPAA provided a foundation upon which multiple regulations have been based to address issues with the administration and protection of sensitive medical records information.

Title XIII of the American Recovery and Reinvestment Act of 2009 (ARRA), also known as the Health Information Technology for Economic and Clinical Health Act (HITECH), includes a section that expands the reach of HIPAA by introducing the first federally mandated data breach notification requirement and extending HIPAA privacy and security liability to business associates of "covered entities" (generally, health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions on behalf of individuals).

The current trend to more extensive government regulation of industry will likely continue or escalate, placing additional burden on enterprises to comply with increasingly complex compliance mandates.

A second source of industry regulation is industry itself. For example, the Payment Card Industry (PCI) Data Security Standard (DSS) is a global security standard for safeguarding sensitive credit card data. This standard was established by the PCI Security Standards Council, an organization founded by industry-leading enterprises: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise.

Identity and Access Management (IAM) is a critical enabler for compliance with government and industry regulations.  For example, Sarbox requirements for fraud reduction, policy enforcement, risk assessment and compliance auditing are supported directly by IAM technology and methods. By streamlining the management of user identities and access rights, automating enforcement of segregation of duties policies, and automating time-consuming audits and reports, IAM solutions can help support strong security policies across the enterprise while reducing the overall cost of compliance.

Similarly, IAM technology and processes, which control user access to data, applications, networks and other resources, can directly support HIPAA/HITECH requirements for privacy, security, auditing and notification.

Recommendations:

Practical experience gained in the field as many enterprises have implemented IAM systems to support compliance efforts has yielded several recommended best practices for implementing IAM systems to enable HIPAA/HITECH compliance. The following list of best practices will be explored in more detail in a subsequent blog post:

  1. Understand regulatory requirements that apply to your enterprise.
  2. Recognize IT’s critical role in the compliance process.
  3. Understand the role of IAM in supporting compliance.
  4. Think of compliance as a long-term program, not a single project.
  5. Establish compliance principles. Principles should be documented as a foundation upon which to build policies, practices and strategies.
  6. Develop a business-driven, risk-based, and technology-enabled compliance strategy.
  7. Collaborate with your business partners and associates.
  8. Establish a governance process.
  9. Implement your strategy in phases.
  10. Follow established standards.
  11. Give real-time visibility into compliance status, progress and risks.
  12. Unify disparate compliance efforts.
  13. Assess progress and adjust as necessary.


Happy Birthday iPod!

General
Author: Mark Dixon
Friday, October 23, 2009
6:52 pm

Can you believe it?  The original iPod was unveiled eight years ago today!  Little did we realize what a dynamic industry upheaval was launched that day.

Our oldest grandson also turned eight years old a few days ago.  He should always be able to remember when the iPod was launched.  When he is an old guy like me, he’ll be able to authoritatively tell his grandkids, “I grew up with the iPod!”

By the way, the photo is a stark reminder that age has affected Steve Jobs much differently than the music distribution revolution he helped lead.


Identity Trend 6: Identity Federation

Identity
Author: Mark Dixon
Friday, October 23, 2009
11:37 am

This post is the sixth in a series of eleven posts I am writing about important trends in the Identity Management industry.

Identity Federation refers to the “technologies, standards and use-cases which serve to enable the portability of identity information across otherwise autonomous security domains. The ultimate goal of identity federation is to enable users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration.” (Wikipedia – Federated Identity)

At the present time, Identity Federation technology has been well proven and is in production in many enterprises and government agencies. As the most broadly deployed standard for enabling cross-domain federation, SAML is well supported by a wide array of software vendors. Several successful business models have emerged to support federation technology, and implementation of this technology is becoming less complex. This growth in adoption will most likely continue, both within and beyond enterprise boundaries.

For several vertical markets, such as health care, the need for broad, integrated networks comprised of many interrelated enterprises (e.g. National Health Information Network) is accelerating the demand for federation deployment.

However, business challenges associated with federation are often more difficult to address than technology challenges and continue to be the primary impediment to broader adoption of this technology.  Unless understandable and enforceable trust relationships exist between business entities, the technology to support such trust relationships is meaningless.  Just like technology standards have emerged to enable the technical side of federation, I expect that more standardized legal agreements will be developed to simplify the establishment of legal trust relationships.

As cloud computing gains momentum as an alternative or complementary means to deploy systems and applications, federation can be a key technology to enable integration between various cloud systems or components. Discussion of how to employ federation in cloud systems has led to interesting statements such as the one proposed by Symplified, Inc., at the recent Digital ID World Conference: “Federation is Dead. Long Live the Federation Fabric.”

The essence of Symplified’s argument is that using Identity Federation for point-to-point system integration is too complex and expensive. Therefore, a web or fabric of federation is needed to simplify and extend current federation models. I expect “Federated Service Bus” technology to emerge to address this need, much as Enterprise Service Bus technology is currently employed to simplify complex integration challenges within enterprise systems.

Recommendations:

To determine how you should address Identity Federation, consider questions such as these:

  • Where have you already employed Federation?
  • Where can federation simplify integration within your enterprise?
  • Where would Federation enable more business value for your customers and your partners?
  • Which of these relationships is highest priority for you?
  • What trust relationships have you already established with other enterprises? 
  • What must you do to establish new trust relationships?

Glad I Passed This Course!

Humor
Author: Mark Dixon
Thursday, October 8, 2009
9:05 am

Granted, it was a lower-division course …

Thanks to F-Minus for today’s humor!


Identity Management Is a Lifestyle

Identity
Author: Mark Dixon
Wednesday, October 7, 2009
6:45 pm

It is always enjoyable to read advice from those in the trenches of Identity management implementation. As a recent guest blogger on the Identigral blog, Tom Ebner outlined and explained ten best practice rules he learned while living the “Identity Management Lifestyle:”

  • Rule #1. Understand the problem and the opportunity
  • Rule #2. Assess the quality of the identity data
  • Rule #3. Create a strategic technical vision
  • Rule #4. Get (and keep) an executive sponsor
  • Rule #5. Build a great team
  • Rule #6. Add great partners to your team
  • Rule #7. Create a strategic technical architecture
  • Rule #8. Deliver something valuable to the business
  • Rule #9. Manage your risk
  • Rule #10. Understand and communicate “What does success look like?”

Thanks, Tom, for excellent advice.  May your continued work in this lifestyle earn you the yacht and Rolls Royce your colleague talked about!

(You’ll have to read Tom’s article to catch the significance of that last statement.)


Identity Trend 5: Roles and Attributes

Identity
Author: Mark Dixon
Wednesday, October 7, 2009
5:23 pm

This post is the fifth in a series of eleven posts I am writing about trends in the Identity Management industry.

The use of roles for identity provisioning and audit compliance has seen growing acceptance in production systems. Enterprises are getting more value in both operational efficiency and streamlining compliance efforts by leveraging business roles. Role management can support compliance efforts even if full automated provisioning is not in place.

Experience has shown that using a fairly modest number of roles relative to the size of the user population is most effective, rather than engineering and trying to maintain a large number of roles to take care of all circumstances.  A blend of role- and rule-based provisioning appears to strike the right balance.

As roles are implemented, good governance methods are essential to oversee the entire role management life cycle, just as governance over the complete Identity management life cycle is needed. The governance structure over both life cycles should be closely integrated.

Some companies are finding a broader use for roles than they realized at first. Roles may have been first engineered to drive role-based access control and compliance enforcement, but they can also be used for such things as evaluating organization and infrastructure effectiveness.

Attribute-based access control (ABAC) is emerging as a possible alternative to role-based access control (RBAC), particularly for large, complex organizations such as government entities.  This has led some people to predict that ABAC will replace RBAC.  However, if we consider that roles are really a form of attributes attached to Identities, we could predict that the two methods will converge – with the best approach being a balance that leverages roles where appropriate, and attribute-driven rules where that approach makes sense.

Recommendations:

Consider questions such as the following:

  1. Where can roles be leveraged to improve the effectiveness of your Identity provisioning and compliance system?
  2. What is the right balance for your organization in the number of roles and the rules that complement the roles?
  3. How can you effectively govern both the Identity life cycle and role life cycle in your organization?
  4. Are there ways you can leverage the role infrastructure you have adopted in other ways besides RBAC and compliance?
  5. Can emerging methods such as ABAC bring further efficiencies to your operation?
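To make the role-plus-rule balance discussed above concrete, here is an added example (my own code, not from the post or any product) that derives a user's expected entitlements from a small set of business roles complemented by attribute-driven rules, then reconciles the result against what a target system actually grants, which is the kind of audit that supports compliance even where provisioning is not fully automated. The roles, rules and user records are constructed for illustration.

```python
"""Role- plus rule-based provisioning with reconciliation (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Set, Tuple

# Business roles and the entitlements each grants (constructed sample data).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "employee":   {"email", "intranet"},
    "ap_clerk":   {"ap:create_invoice"},
    "ap_manager": {"ap:approve_invoice", "ap:reports"},
}

# Attribute-driven rules complement the deliberately small role model:
# (predicate over the identity's attributes, entitlements it adds).
ATTRIBUTE_RULES: List[Tuple[Callable[[dict], bool], Set[str]]] = [
    (lambda a: a.get("location") == "EU",                {"gdpr_training"}),
    (lambda a: a.get("employment_type") == "contractor", {"vpn:restricted"}),
    (lambda a: a.get("employment_type") == "employee",   {"vpn:full"}),
]

@dataclass(frozen=True)
class Identity:
    user_id: str
    roles: FrozenSet[str]
    attributes: dict  # e.g. department, location, employment_type

def expected_entitlements(identity: Identity) -> Set[str]:
    """Entitlements the identity should hold under the role + rule model."""
    granted: Set[str] = set()
    for role in identity.roles:
        granted |= ROLE_ENTITLEMENTS.get(role, set())
    for predicate, ents in ATTRIBUTE_RULES:
        if predicate(identity.attributes):
            granted |= ents
    return granted

def reconcile(identity: Identity, actual: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Compare a target system's actual grants with the model.
    Returns (missing, excess): missing should be provisioned; excess is
    access outside the model that an auditor should review or revoke."""
    expected = expected_entitlements(identity)
    actual_set = set(actual)
    return expected - actual_set, actual_set - expected

def audit(snapshot: Iterable[Tuple[Identity, Iterable[str]]]) -> Dict[str, Dict[str, Set[str]]]:
    """Reconcile every (identity, actual grants) pair and report only users with drift."""
    findings: Dict[str, Dict[str, Set[str]]] = {}
    for identity, actual in snapshot:
        missing, excess = reconcile(identity, actual)
        if missing or excess:
            findings[identity.user_id] = {"missing": missing, "excess": excess}
    return findings

# Constructed snapshot: alice has picked up an approval right outside her role
# and lacks a rule-driven entitlement; bob is fully in line with the model.
ALICE = Identity("alice", frozenset({"employee", "ap_clerk"}),
                 {"employment_type": "employee", "location": "EU"})
ALICE_ACTUAL = {"email", "intranet", "ap:create_invoice", "ap:approve_invoice", "vpn:full"}
BOB = Identity("bob", frozenset({"employee", "ap_manager"}),
               {"employment_type": "employee", "location": "US"})
BOB_ACTUAL = {"email", "intranet", "ap:approve_invoice", "ap:reports", "vpn:full"}
SNAPSHOT = [(ALICE, ALICE_ACTUAL), (BOB, BOB_ACTUAL)]

if __name__ == "__main__":
    for user, drift in audit(SNAPSHOT).items():
        print(user, "missing:", sorted(drift["missing"]), "excess:", sorted(drift["excess"]))
```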

By the way, the stack of hats shown above served to represent the different roles or personae a person may possess in a tongue-in-cheek blog post I published earlier this year: Have a Token: ID Hats and Personae. I liked Dave Kearns’ perceptive comment on that post: “Good analogy Mark, but I’m afraid that those of us who understand the phrase ‘to wear different hats’ are getting grayer, plumper and more forgetful every day! People just don’t wear a good homburg, Stetson or Panama any more….”


Identity Trend 4: Identity Assurance

Identity
Author: Mark Dixon
Tuesday, October 6, 2009
6:10 pm

This post is the fourth in a series of eleven posts I am writing about important trends in the Identity Management industry.

When you present identity credentials to log into an enterprise system or online Internet site, are you really whom you claim to be?  Do your credentials represent the “real you?”

I published one of my favorite blog posts, entitled “OpenID Credibility: Harry and Bess Truman,” back in June, 2007.  A brief excerpt:

I visited MyOpenID.com and was issued an identifier for Harry Truman: http://harrytruman.openid.com. No validation, no verification of Harry’s real Identity. I just plugged in President Harry Truman’s birthday and home town. I did use my own personal email address, but it wasn’t even validated at the time.

Armed with my new bogus identifier, I marched over to Jyte.com and made a couple of claims: The Buck Stops Here and I Love Bess.

Interestingly enough, the Jyte.com links still work!

This little exercise, where I wasn’t really THE Harry Truman, illustrates the need for Identity Assurance to validate whether my identity credentials really represent who I am. Identity Assurance can be described as “a means to allow Identity Providers (IdPs), Relying Parties (RPs) and subscribers to determine the degree of certainty that the identity of an entity presenting an electronic identity credential is truly represented by the presented credential.”

With the continual expansion of online fraud and other threats to online security and privacy, the need for Identity Assurance methods is rising. Being able to certify that the correct Identity credentials are issued to the correct user before access is attempted is an increasingly critical issue.

The Liberty Alliance Identity Assurance Framework defines four progressive levels of assurance, depending on confidence in the asserted identity’s validity, as shown in the following table from the Liberty Identity Assurance Framework document.

[Table from the Liberty Identity Assurance Framework document: the four assurance levels; image not reproduced here]

By comparing the assurance level against the potential impact of authentication errors, we get a clear picture of how the wide spectrum of online access transactions require substantially different levels of Identity assurance.

[Figure: assurance level compared against the potential impact of authentication errors; image not reproduced here]

My impersonating the late Harry Truman requires minimal assurance because the potential impact for the transactions I conducted is minor.  However, at the other end of the spectrum, identity credentials used to conduct high value financial transactions protected by civil or criminal statute are probably worthy of far more stringent Identity Assurance screening.

So, who is responsible for issuing high-level credentials? Should it be the government, which is responsible for issuing validated credentials such as birth certificates, passports and driver’s licenses? Should it be private enterprise? It depends on the two factors illustrated above: Assurance Level and Potential Impact.

Recommendations:

Consider these questions for your specific cases:

  1. What level of assurance do you require to match the risk (potential impact) to the cost and complexity of issuing identity credentials?
  2. What different levels may be appropriate for different applications or systems for which you are responsible?
  3. What sources of validation are appropriate to assure that the identity credentials you issue are valid?
  4. What role should government or private enterprise have in Identity assurance?

By the way, I still think Harry and Bess look good together.  What do you think?

 

CIO Roundtables: Identity Management – Pathway To Enterprise Agility

General
Author: Mark Dixon
Monday, October 5, 2009
2:10 pm

During the second and third weeks of November, I will have the distinct pleasure of accompanying Michelle Dennedy, Chief Governance Officer of Cloud Computing for Sun Microsystems, in a series of three CIO Roundtables in New York, San Francisco and Washington, DC, and two CIO breakfast seminars in Toronto and Vancouver, Canada.

Sponsored by Sun and moderated by CIO Magazine executives, these events will address the topic, “Identity Management – Pathway To Enterprise Agility”,  providing excellent forums to discuss such pertinent questions as:

  1. How does strategic Identity Management contribute to business growth and not merely fulfill technology “need to do” requirements?
  2. What Identity Management steps should you take to enhance business effectiveness?
  3. How can good security governance be good business?
  4. Is your Identity Management system tuned for emerging marketplace requirements?
  5. How does Identity Management address cloud computing?
  6. How is Identity Management enabling enterprises to capitalize on – and not merely cope with – these realities?

For more information about specific locations, including registration details, you can download a .pdf flier for each event:

  1. Washington, DC – November 10th
  2. New York, NY – November 11th
  3. San Francisco, CA – November 12th
  4. Vancouver, BC – November 13th
  5. Toronto, ON – November 17th

Thanks! Hope to see you there.


Identity Trend 3: Authorization

Identity
Author: Mark Dixon
Monday, October 5, 2009
12:37 pm

This post is the third in a series of eleven posts I am writing about trends in the Identity Management industry.

One might say that simple authorization is like permitting entry through the front gate of an amusement park, while fine-grained authorization is like granting access to each individual attraction within the amusement park separately, based on some sort of policy. Following this analogy, the most common method of Identity Management Authorization is like a full-day pass to Disneyland granting access to the front gate as well as every ride in the park. Similarly, simple Identity Management authorization allows access to all functions within an application.

However, a trend is growing towards using standards-based, fine-grained authorization methods to selectively grant access to individual functions within applications, depending on user roles or responsibilities. For example, one user could be granted only simple data browsing privileges, while another user could be granted data creation or edit privileges, as determined by a policy stored in XACML format. The definition and enforcement of this fine-grained authorization would be externalized from the application itself.

At the present time, fine-grained authorization is desirable but difficult to implement. It appears to be easier to define and control policies in an Identity system than to change each application to rely on an external system for authorization policy.

Much is being discussed about policy management standards (e.g. XACML).  Several vendors are effectively demonstrating interoperability based on XACML, but such systems are not yet in broad production.

Recommendations:

As progress is being made in both management of standards-based policies and the enforcement of such policies within applications, the following questions could be considered:

  1. Which of your applications could benefit most from fine-grained authorization?
  2. How would externalizing policy management and enforcement streamline your applications?
  3. How could standards such as XACML improve the management of security and access control policies in your organization?
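As an added illustration of the browse-versus-edit example in this post (my own code, not an XACML engine or any vendor's product), here is a miniature policy decision point that evaluates XACML-style rules with targets, conditions and deny-overrides combining, with the policy enforcement point failing closed on anything other than Permit. The roles, attribute names and policy are constructed for the example.

```python
"""Miniature XACML-style policy decision point (constructed example, not a real XACML engine)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Rule:
    rule_id: str
    effect: str                                  # "Permit" or "Deny", like <Rule Effect="...">
    target: Dict[str, Set[str]]                  # attribute -> accepted values; {} matches everything
    condition: Optional[Callable[[dict], bool]] = None

    def evaluate(self, request: dict) -> str:
        # Target: every listed attribute must carry one of the accepted values.
        for attr, allowed in self.target.items():
            if request.get(attr) not in allowed:
                return NOT_APPLICABLE
        # Condition: an optional predicate over the whole request context.
        if self.condition is not None and not self.condition(request):
            return NOT_APPLICABLE
        return self.effect

def deny_overrides(decisions: List[str]) -> str:
    """XACML deny-overrides combining: any Deny wins, then any Permit, else NotApplicable."""
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE

@dataclass
class Policy:
    rules: List[Rule]

    def decide(self, request: dict) -> str:
        return deny_overrides([rule.evaluate(request) for rule in self.rules])

# Constructed policy for the post's example: browsers may only read, editors may
# create or edit, and no one may touch another department's records.
POLICY = Policy(rules=[
    Rule("browse-read", PERMIT,
         {"subject.role": {"browser", "editor"}, "action": {"read"}}),
    Rule("editor-write", PERMIT,
         {"subject.role": {"editor"}, "action": {"create", "edit"}}),
    Rule("cross-department-deny", DENY, {},
         condition=lambda r: r.get("subject.department") != r.get("resource.department")),
])

def decide(role: str, department: str, action: str, resource_department: str) -> str:
    """Assemble a flat XACML-like request context (subject, action, resource) and ask the PDP."""
    request = {"subject.role": role, "subject.department": department,
               "action": action, "resource.department": resource_department}
    return POLICY.decide(request)

def is_allowed(role: str, department: str, action: str, resource_department: str) -> bool:
    """Policy enforcement point: fail closed, so NotApplicable is treated as a refusal."""
    return decide(role, department, action, resource_department) == PERMIT

if __name__ == "__main__":
    for args in [("browser", "finance", "read", "finance"),
                 ("browser", "finance", "edit", "finance"),
                 ("editor", "finance", "edit", "finance"),
                 ("editor", "finance", "edit", "hr")]:
        print(args, "->", decide(*args), "| allowed:", is_allowed(*args))
```

Note that a request matching no rule yields NotApplicable rather than Deny; the enforcement point, not the policy, is what turns that into a refusal.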

Location Monitoring with Twitter

General
Author: Mark Dixon
Sunday, October 4, 2009
9:58 pm

Dare we think that Twitter might actually improve our quality of life?  Just ask Dilbert.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.