In a recent twitter conversation with Andre Koot, he suggested that we needed innovation in both Identity Management and Access Management.  He referred me to his blog, entitled “Let’s Kill the IAM Acroynm.”  Andre suggested:

Identity Management is a process for managing the lifecycle of identities … Access Control is a whole different ballgame …

After reading his blog, it occurred to me that he and I defined those two terms a bit differently.  I promised Andre that I would blog about it.

The diagram below shows how we at Oracle talk about the broad area of Identity and Access Management – encompassing three general areas:

1. Identity Governance is about making sure the right people are granted the right access rights and making sure the wrong ones aren’t
2. Access Management is about enforcing those access rights, within specified policy, when users attempt to access a desire application or system
3. Directory Services provides ways to control where identity information about users and accessed rights are stored.

Does this provide the right demarcation between the various functional areas?  It seems to resonate well with our customers, and provides a valuable model to aid communications.  I’d be happy to hear any feedback you have.

By the way, this diagram is more effective as a PowerPoint build slide.  Let me know and I’d be happy to send you a copy.

I enjoyed reading Martin Kuppinger’s response to Ian Glazer’s challenge, “Killing Identity Management in Order to Save it.” I tend to align with Martin’s conclusion as a pragmatic approach:

I do not believe in disruptiveness. I believe in approaches that build on existing investments. IAM has to change, no doubt about that. But there will still be a lot of “old school” IAM together with the “new school” parts. Time and time again it has been proven that change without a migration path is an invitation to disaster. Embrace and extend is the classical migration methodology for classical technical transformative strategies.

There is no question that we need continued innovation in Identity and Access Management.  There are new business problems to conquer, new size requirements to scale, new user expectations to master.  But let’s recognize that current systems have also conquered many problems and achieved beneficial levels of effectiveness. Let’s not throw the baby out with the bathwater.

This week’s Oracle Information InDepth Security newsletter, “Inside Out Edition,” featured comments from Vadim Lander, Oracle’s chief identity architect on key trends that will shape identity management in 2013 and beyond. The trends he described are:

1. Mobility Is Gaining Momentum
2. Identity Management as a Service Is Emerging
3. A Trend Towards Portable Identity
4. Authentication Services Are Evolving
5. Organizations Continue to Move from Silos to Centralized Systems

I was particularly intrigued by his comments on portable identity:

I expect Oracle customers using Oracle applications via SaaS will increasingly use their Oracle Cloud identity as the identity for a chunk of their user populations, rather than trying to maintain multiple identities in their on-premises system.  Since Oracle is already maintaining a cloud identity for every Oracle Cloud user, that identity is portable as far as the user is concerned. Even if users leave the organization, their Oracle identity can still belong to them as they change jobs. Just as your Google or Facebook identity can provide portability, your Oracle identity may be able to provide the equivalent in a business context.

Oracle as businss IdP?  Intriguing thought.

Arbiter:

• a person empowered to decide matters at issue; judge; umpire
• a person who has the sole or absolute power of judging or determining.

When I read the recent Computerworld article, “Facebook: The new arbiter of enterprise identity” this morning. I didn’t quite know what Arbiter meant, so I looked it up.

Robert Mitchell commenced his article by stating:

Today Facebook knows your identity. Tomorrow Facebook may very well be your identity. Before long, enterprise identity and access management may key off of social media identities rather than remaining an island unto itself. Are you prepared? That’s the message that Gartner analyst Earl Perkins passed on to attendees at the Gartner Symposium/ITxpo conference last month.

I know I’m not ready, and highly doubt my employer is ready to cede “absolute power of judging or determining” to Facebook or any other independent entity.  We have a long way to go before any corporation in its right mind would trust Facebook or any other popular social media site to authoritatively vouch for the identities of their employees.

I agree with Jackson Shaw’s observation in his comment to the article:

… until there is some sort of formalized identity verification done around Facebook it will be difficult for an enterprise to simply accept a Facebook credential. Is that Facebook user really me? Also, what about stronger password policies (length of password, change period, complexity, use of strong two-factor authentication) and better security generally for Facebook? There needs to be more enterprise security built into Facebook before it can ever be used by an enterprise.

So, let’s wait and see.  I think it will be a long time before Facebook or any other identity provider supplants the core identity management infrastructure of major enterprises.  Complement, certainly.  Replace?  It will take a while.

This afternoon, I received word that Veriphyr, a provider of SaaS Identity and Access Intelligence services, announced the results of new survey on Protected Health Information (PHI) privacy breaches. According to the report,

More than 70 percent of the organizations in the study have suffered one or more breaches of PHI within the last 12 months. …

Insiders were responsible for the majority of breaches, with 35 percent snooping into medical records of fellow employees and 27 percent accessing records of friends and relatives.

Some interesting statistics:

Top breaches in the past 12 months by type:

• Snooping into medical records of fellow employees (35%)
• Snooping into records of friends and relatives (27%)
• Loss /theft of physical records (25%)
• Loss/theft of equipment holding PHI (20%)

When a breach occurred, it was detected in:

• One to three days (30%)
• One week (12%)
• Two to four weeks (17%)

Once a breach was detected, it was resolved in:

• One to three days (16%)
• One week (18%)
• Two to Four weeks (25%)

79% of respondents were “somewhat concerned” or “very concerned” that their existing controls do not enable timely detection of breaches of PHI

52% stated they did not have adequate tools for monitoring inappropriate access to PHI

The report’s conclusion was not surprising:

Respondents who indicated strong satisfaction with their monitoring tools also tended to report fewer breaches of PHI and faster resolution times. The reverse is also true: respondents who indicated dissatisfaction with their monitoring tools tended to report more breaches and longer resolution times.

In an Oracle webcast on September 20th, Scott Bonnell, Sr. Director of Product Management, Oracle, and Naresh Persaud, Director of Product Marketing, Oracle, will explore how the Oracle identity platform can mobilize stalled deployments, allowing customers to accelerate identity projects.

This complimentary Webcast will show how the Oracle identity platform can:

1. Mobilize and complete your identity management project
2. Coexist with or replace your existing identity management point solution
3. Reduce security risk and improve regulatory compliance

On September 22nd, I will give two presentations at the Oracle Security Solutions Forum held at the W Hotel in Scottsdale, Arizona:

• Identity Management 11g: A Giant Leap in Identity Management
• Addressing Access Governance with Oracle Identity Analytics 11g

If you plan to be in Arizona on the 22nd, please drop by and join us!

Do you lapse into the “Audit Eye” trance when facing a tough audit?

Oracle Identity Analytics can help … really!

During the past three weeks, I have interacted with three major customers, in industries as diverse as transportation, apparel and entertainment, that had one thing clearly in common – each saw Identity and Access Management as a fundamental, critical enabler for new business models each company is pursuing.  It is all about knowing who your customers are individually, and interacting with them in a highly personalized, tailored way, in the context of their choosing.

Today I sat through a presentation that depicted IAM in the traditional context, as something that would improve compliance, increase operational efficiency and enhance security.  While these drivers are still valid, I couldn’t help but contrast those two views.

On one hand, IAM is considered to be very defensive in nature, necessary but burdensome.  On the other hand is an innovative vision that IAM is first and foremost a proactive, offensive weapon and business enabler, secondarily a protective shield.

Can you tell where I’d rather play?

I always enjoy learning about a new Identity Management blog. Today, please joining me in welcoming Chad Russell, an Oracle colleague and good friend who hails from the great state of Arkansas, into the blogsphere.  He recently launched a new Identity Management blog, “Brave New Identity – Identity Happenings from the Field.”  His last four posts are both relevant and interesting:

• 3 Hot Trends in IDM (Part 1 of 3)
• Why Provisioning Is Really An Authorization Problem
• Auditing the Cloud
• Amazon boosts IdM offering for cloud

I’m particularly looking forward to learning what Hot Trends 2 and 3 are.

You can also follow Chad on Twitter at @chadrussell_idm.

By the way, the young man up in the corner is Chad’s son, proclaiming, “Love the site, Pops!“