
Exploring the science and magic of Identity and Access Management

Catalyst Conference, Day 2 (Thursday, July 30)

Identity
Author: Mark Dixon
Friday, July 31, 2009
5:56 am

Day two of the Catalyst Conference was also packed with good information. Key points from sessions I attended are included below.

Please let me know if you would like to discuss any of these topics.

Maximum Value for Minimum Investment: Getting the Most from Your IdM Infrastructure

Mark Diodati (Burton Group)

  1. Mid tier vendors growing organically with integrated administration.
  2. Just because one product in a suite fits your needs doesn’t guarantee that the other products in the suite fit your needs.
  3. Microsoft is typically not considered a full IdM vendor, but because Microsoft owns the desktop and the de facto workflow engine (Exchange), they have strong potential.
  4. Identity services may enable integration of multiple Identity silos – entitlement management, WAM, Provisioning, eSSO …
  5. LDAP has emerged as the default protocol of Identity services – the center of the IdM universe.
  6. Coexistence of AD, Sun DS, OID, etc., will be with us for a long time.
  7. What next? Assess where you are. Play to your strengths. Invest in initiatives that deliver value quickly.
  8. Align ERP and IdM strategies.


Identity Management: Making It Pay Off at Allstate Insurance

Eric Leighninger (Allstate Insurance)

  1. Key goal: manage identities for people, applications and platforms, with digital personae for each.
  2. Establish service catalog from which people can request services.
  3. Make enterprise directory single source of record – although subordinate directories are used.
  4. Built integrated Identity system that addresses internal and customer-facing needs.
  5. Started within the enterprise – then worked outward to customers.
  6. Identity-based encryption key management services will allow them to manage keys as efficiently as users.
  7. Will need to consider virtual directory because identity repository environment is getting more complex.

Small Identity Management Project, Big Returns: One Bank’s ESSO Experience

Steven Craige (Bank of the West)

  1. Justification for ESSO: reduce time and expense on password change.
  2. Goal: single ID with single password.
  3. At two year mark, password changes down 33% – all savings may not be attributable to ESSO.
  4. ROI target: 48 months.
  5. Difficult to get business groups to move apps to ESSO.
  6. Getting senior management’s support is essential.
  7. Decide what you want to achieve and what you can afford.
  8. Chose ESSO as first step – other IdM projects may follow.

Leveraging Active Directory to Improve UNIX Identity Management

Mark Diodati (Burton Group)

  1. Companies want centralized policy management of Unix and Windows systems via Windows group policy.
  2. The market is converging for privileged account management, AD Bridge and Unix security products.
  3. Explosive growth in this market is driven by heightened focus by auditors and demand for improving Unix security.
  4. Efficiency is a major driver: cost reduction, enhanced productivity, sign-on reduction.
  5. Can a robust IdM system be effectively deployed without securing the operating system first?

Case Study: Bridging the Gap between Active Directory and Non-Windows Systems and Servers

John Matthew (NBC Universal)

  1. After failing SOX audits for Unix account management, they found that password policy was not enforced, along with poor account management, poor change management and widespread use of resource accounts.
  2. Considered off the shelf, open source or "roll your own" options.
  3. They chose open source technology (Likewise) because the software was free, but they could buy support.
  4. The Likewise product was augmented with a database to keep track of relevant data, scripting to automate repetitive processes and a wiki to report status.
  5. Integrated with IdM system. Workflow manages AD to handle group membership for SOX compliance.
  6. Small team (2 guys) did most of the implementation.

Using Identity Virtualization to Mitigate Risk at Sony Pictures Entertainment

Kunal Mittal (Sony Pictures)

  1. Business drivers for Virtual Directory: single place to manage and report on Identities, improve data quality, reduce cost of providing Identity services and simplify integration with multiple systems.
  2. Technical drivers: provide common view of identity data across different systems, support transition to SOA, offer Identity services to extend to enterprise and SaaS applications.
  3. Privacy policy can be enforced at VDS level.
  4. The system was implemented by a small team in less than four months.

See no Evil, Hear no Evil, Speak no Evil – Identity Governance

Chris Howard (Burton Group)

  1. Tough year – economically, psychologically.
  2. Companies are re-imagining their business models.
  3. The corporate institution is profoundly dysfunctional in many ways, especially for society’s purposes, but also for capitalism.
  4. The corporate institution is ripe for reinvention.
  5. Simplification is a myth: large organizations are complex, IT systems are complex and transparency requires simplicity.
  6. Simplicity is managed complexity.
  7. Obfuscation is born of complexity. Some obfuscation is intentional, but most is unintentional. Obfuscation in IT is not a surprise.
  8. Forces impacting enterprise IT: Externalization (e.g. cloud, outsourcing), Democratization (how I choose to work) and Consumerization (multiple devices and freedom of choice).
  9. Remediating the existing IT environment doesn’t automatically reinvent the corporation.

The “3 Rs of IdM”: Roles, Risk and Regulatory Compliance

David Griffeth, VP Enterprise Identity Management – RBS Citizens Bank

  1. Automated provisioning doesn’t equal Identity management.
  2. Main goals – definition and maintenance of roles and certification of access.
  3. Involve both system owners and department managers in role definition.
  4. Value of roles: access certifications are simpler, compliance is easier, drastic reduction in risk, entire account lifecycle is properly controlled.
  5. Document roles to enable easy understanding.

Making IdM Infrastructure More Transparent

Gerry Gebel (Burton Group)
Mike Rollings (Burton Group)

  1. Governance is not possible without transparency.
  2. An access and identity governance layer is emerging as distinct from the run time IdM infrastructure services layer.
  3. Governance enables a closed loop, including: configure policy, assign privileges, monitor activity, certify environment, determine access.
  4. Complexity is the enemy of transparency and friend of the status quo.
  5. Several customers are still building their own provisioning systems, based on workflow systems already in place, to work the way their business works.
  6. Use business intelligence tools to provide functionality and interface more in line with business person’s perspective.

Security and Governance as Competitive Advantage for SaaS

Tim Madewell (Innotas)

  1. Governance is Visibility, Control, Reliability and Predictability.
  2. Governance for operations is part of the service in the SaaS model.

Vendor Lightning Round – 2

Tom Smith, CEO – Conformity

  1. SaaS management solution
  2. centralized administration, usage analytics and reporting, workflow and process integration

Venkat Raghavan, Director Product Management, Security, Risk and Compliance – IBM

  1. IBM Tivoli Security: delivering on IBM Security Strategy
  2. identity and access assurance, data and application security, security management for System z

Andy Han, VP & GM, Products – NextLabs

  1. NextLabs product suite 4.5
  2. data security in collaborative environments – protecting data on the move

Ulrich Lang, CEO – ObjectSecurity

  1. application security policy automation
  2. development tool suite add-on

Rohit Gupta, Sr. Director, Product Management – Oracle

  1. Service-Oriented Security for Application developers
  2. Oracle/Sun will be best IdM system in the world

Jackson Shaw, Quest

  1. OneIdentitySolution
  2. simplify identity infrastructure around AD

Dieter Shuler, Radiant Logic

  1. VDS context edition
  2. VDS is an abstraction layer between inflexible data stores and applications that want to consume that data


Catalyst Conference, Day 1 (Wednesday, July 29)

Identity
Author: Mark Dixon
Friday, July 31, 2009
5:25 am

I have thoroughly enjoyed this week at the Burton Group Catalyst Conference in San Diego, California. It has been good to take the pulse of the Identity Industry, re-connect with old friends and meet new people. I would have enjoyed attending the Cloud Computing or Mobility tracks this year, but stayed with my old standby, the Identity track. Key points I gleaned from the sessions I attended are included below. If you would like to review my complete notes on any session or discuss any of these topics, please send me a comment.

Thanks for stopping by.

2009: Upheaval In The Identity Market

Bob Blakley (Burton Group)

  1. The expanding identity universe is changing in three dimensions:
    1. scale – moving both to small (SaaS, SMB) and massive (consumers, social networks)
    2. control – moving from centralized to distributed (de-perimeterization, outsourcing)
    3. focus – moving from business to individual
  2. An infrastructure is evolving that will allow us to transform from being just an "account" in a system to being a "person" in a world where physical and virtual worlds are no longer distinct.

Identity Management: No Time Like the Present

Lori Rowland (Burton Group)
Bob Blakley (Burton Group)
Mark Diodati (Burton Group)
Gerry Gebel (Burton Group)
Ian Glazer (Burton Group)
Kevin Kampman (Burton Group)

  1. Much more focus on efficiency, short ROI and accelerated time to value.
  2. Strong market for IdM during tough economic times; pent up demand will probably fuel growth when economy recovers because organizations have discovered new requirements as they use IdM systems.
  3. Oracle acquisition of Sun is strongly impacting the industry.
  4. Oracle will probably not abandon the Sun user base.
  5. Need to re-define or clarify IdM terms, such as provisioning, roles, entitlement management and privileged user/account management. These terms have grown to mean too many things or are ill-defined in the industry.
  6. SPML is re-emerging as a potentially important standard.
  7. Identity and access governance may emerge as an architectural layer distinct from provisioning and role management.
  8. The uptake on role management is tremendous.
  9. Federation will be default protocol for cloud computing.
  10. Interoperability and integration continue to be large challenges.

Two Billionths of a Second after the Big Bang – Where Is Consumer Identity?

Michael Barrett (PayPal)

  1. Many consumers have too many online identities to effectively manage.
  2. Consumer Internet interactions are repetitive, frustrating and littered with outdated info.
  3. Super scale: billions of Internet users; millions of relying parties.
  4. Effective consumer-managed Internet Identity infrastructure is needed.
  5. We don’t have a "network effect in action" for consumer Identity, and we need one.
  6. The problem is not fundamentally about technology; consumer-managed Internet identity will depend on financial benefit for participants.
  7. A fourth role in the Internet Identity process may be the "assertion provider" or "attribute broker" (e.g. credit bureaus).
  8. PayPal may be interested in being an IdP; other candidates include eBay, Google, Facebook, Microsoft.

The Identity Services Market

Bob Blakley (Burton Group)

  1. The value proposition for cloud computing is not lower cost, but time to value.
  2. Independent service vendors can provide slices of Identity functionality – customers design how they are packaged together.
  3. The market is building with small firms offering discrete billable units in areas such as vetting, provisioning, logon, risk scoring and user experience augmentation.
  4. Azigo and Kynetics are examples of enabling users to be "recognized", rather than "interrogated".
  5. The "pay as you go" aspect of services will force people to explictly focus on business value, not just technology.

Externalizing Authorization in a large scale Software-as-a-Service Environment

Steve Merritt (Hoover’s, Inc.)

  1. Hoover’s need was driven by complex needs for delivering business information to users, based on subscriptions.
  2. Requirements included
    1. fine grained control
    2. flexible – different types of objects, apps
    3. complex entitlements
    4. dynamic groups
    5. centralized administration
    6. easy application integration – easy to use API or standard protocol
    7. scalable
    8. multitenant
    9. integration with enterprise IdM solutions
  3. Evaluated build vs. buy.
  4. Selected Cisco Enterprise Policy Manager (formerly Securent).
  5. Critical element in implementing entitlement management is adapting applications to fine grained policy infrastructure.

The Age of Identity Oracles

Mary Ruddy (Meristic, Inc.)
Ron Carpinella (Equifax)
Tom Oscherwitz (ID Analytics)
Rick Rubin (OneHealthPort)
Denise Tayloe (CEO, Privo)

  1. "Identity Oracles" deliver value individual companies can’t provide for themselves.
  2. Achieving critical mass and establishing de facto community standards are essential to adoption.
  3. To build critical mass, it can be helpful to bring a large group up to a low level of security, rather than a few people to a high level of security.
  4. These markets will see more government regulation unless the industry can demonstrate it can self-regulate.
  5. Many solutions failed because they didn’t walk the line between assurance and usability.

Roles: The Real, the Imaginary, and the Broken

Kevin Kampman (Burton Group)

  1. Speaking as voice from the customer, based on feedback from customers.
  2. Vendor products tend to be focused on a particular aspect, but not the whole space.
  3. Tools tend to be oriented toward technologists, not the business community.
  4. Efficiency and compliance are still major drivers.
  5. Governance of role management initiatives is essential – usually in concert with overall Identity Management governance.
  6. Execution is a classic project management challenge: identify scope, manage priorities, establish metrics, recognize challenges.
  7. Many people, from business and technology viewpoints, must work together effectively to achieve success.
  8. Roles bring value to downstream processes like provisioning and entitlement management.
  9. To start, pick well-understood domains, with fairly stable populations, where there is a real problem to be solved.
  10. Quality data is critical – you must be able to rely on it.

Empower the Business with Identity Management

Robert Amos (NuStar Energy)

  1. Funded project based on efficiency for HR department.
  2. Managers and role owners must agree to new process.
  3. Work with simple role structure first.


Role Management – Leveraging the Investment

Paul Rarey (Safeway, Inc)

  1. Focus on highest value: using 25 roles addressed 60% of the problem.
  2. Choose roles by focusing on high volume of people change and malleability of business process.
  3. The identity warehouse, which holds trusted and aligned Identity data from multiple sources, provides the foundation.
  4. Roles support more than RBAC; they support good decision making: is right person in the right place doing the right thing?

The Intersection of Roles and Entitlement Management

Kevin Kampman (Burton Group)
Alice Wang (Burton Group)

  1. Assigning entitlements directly to users doesn’t scale, lacks flexibility, is not agile and increases compliance risk.
  2. Policy: glue that binds roles to, or divorces roles from, entitlements.
  3. XACML is a reference model for separating authorization processing out of application, but is not the only one.
  4. Bottom line goal for entitlement management: control access efficiently, with clarity, in compliance with regulations.
  5. Roles facilitate meaningful conversations between different constituencies.
  6. Roles are off to the races … entitlement management is learning to walk.
  7. How many roles are effective? It comes back to how many to manage effectively.
  8. A role/rule based system is a good way to balance the problem of too many roles.

Role Management Evolution

Ed Coyne (SAIC, Veterans Health Administration)
Alan O’Connor (RTI International)
Paul Rarey (Safeway, Inc)
Robert Amos (NuStar Energy)
David Laurance (JPM Chase)
Kevin Kampman (Burton Group)

  1. NIST is preparing to update a 2002 study on economic returns to IT and business from using role based access technologies and methods to look at where wins have occurred and economic benefit can be improved.
  2. Roles can be used as organizing principle for defining, provisioning and interpreting user access and related information.
  3. To effectively define roles, we must talk in the context of business process and workflow.
  4. The term "role" has come to have several different meanings in different contexts.
  5. Standards may be helpful for RBAC systems to interoperate.


links for 2009-07-30

General
Author: Mark Dixon
Thursday, July 30, 2009
2:01 am

Happy Anniversary Sarbanes-Oxley

Identity
Author: Mark Dixon
Wednesday, July 29, 2009
6:05 pm

Tomorrow, July 30th, is the seventh anniversary of the day the Sarbanes-Oxley act took effect in the United States.

I recently undertook a project to create a white paper entitled, "Identity and Access Management: Enabling Sarbanes-Oxley Compliance", drawing heavily from earlier Sun white papers, plus adding additional material about best practices for Sarbox compliance. The paper provides an up-to-date and more comprehensive treatment of the subject than we had available in existing Sun collateral.

So, in celebration of the Sarbox anniversary, and coinciding with the Burton Group Catalyst Conference I am attending this week, I present this white paper for your review. It hasn’t yet found its way to the "official" Sun website, where it will be shortly, but you can download a complete .pdf copy from this site.

It was heartening to note that I heard nothing at the Catalyst Conference that would challenge my selection of the most important best practices for using Identity and Access Management principles in securing Sarbox compliance. Here is my recommended list of best practices:

  1. Understand requirements.
  2. Recognize IT’s critical role.
  3. Understand the role of IAM.
  4. Think program, not project.
  5. Develop a strategy.
  6. Establish a governance process.
  7. Implement your strategy in phases.
  8. Give real-time visibility.
  9. Unify disparate compliance efforts.
  10. Assess progress and adjust as necessary.

After you have a chance to read the paper, please let me know what you think. I’d be happy to answer any questions or feedback you have.


links for 2009-07-29

General
Author: Mark Dixon
Wednesday, July 29, 2009
2:02 am

links for 2009-07-25

General
Author: Mark Dixon
Saturday, July 25, 2009
2:00 am

Dagwood Meets Twitter

Social Media
Author: Mark Dixon
Friday, July 24, 2009
4:39 pm

Finally, in the 75th year of the Blondie comic strip, Dagwood is introduced to Twitter! How’s that for staying current with the times?


links for 2009-07-24

General
Author: Mark Dixon
Friday, July 24, 2009
2:01 am

links for 2009-07-23

General
Author: Mark Dixon
Thursday, July 23, 2009
2:01 am

links for 2009-07-21

General
Author: Mark Dixon
Tuesday, July 21, 2009
2:02 am
Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.