
Exploring the science and magic of Identity and Access Management

Aberdeen Research Brief: Identity and Access Management – Platform vs. Point Solution

Identity
Author: Mark Dixon
Wednesday, August 17, 2011
9:22 pm

One of the big questions in modern Identity and Access Management continues to be: “Is it better to choose individual point solutions and integrate them in my enterprise, or should I choose a complete IAM platform?”

I recently learned of an intriguing Research Brief published by the Aberdeen Group, entitled, “IAM Integrated: Analyzing the ‘Platform’ versus ‘Point Solution’ Approach.” Aberdeen’s conclusion:

Based on more than 160 respondents from its Managing Identities and Access study (February 2011), Aberdeen’s analysis of 32 enterprises which have adopted the vendor-integrated (Platform) approach to identity and access management, and 39 organizations which have adopted the enterprise-integrated (Point Solution) approach, showed that the vendor-integrated approach correlates with the realization of significant advantages.

 

The most significant advantages realized by organizations adopting the Platform approach to Identity and Access Management, as compared to those adopting the Point Solution approach, include:

  • Increased end-user productivity
  • Reduced risk
  • Increased agility
  • Enhanced security and compliance
  • Reduced total cost

Aberdeen’s research also confirmed the merits of a pragmatic “Crawl, Walk, Run” approach as the basic template for successful enterprise-wide initiatives involving Identity and Access Management, similar to what I have been recommending for years.

  • Adopt a primary strategic focus.
  • Put someone in charge.
  • Prioritize security control objectives as a function of requirements for risk, audit and compliance.
  • Establish consistent policies for end-user identities and end-user access to enterprise resources.
  • Standardize the workflow for the IAM lifecycle, including workflow-based approval for exceptions.
  • Standardize audit, analysis and reporting for IAM projects.
  • Evaluate and select IAM solutions.
Each element of this recommended approach is described more fully in the report.
I highly recommend that you download a copy of the report and review both the further detail and the methods Aberdeen used to arrive at its conclusion.
 

Source Doc: PCI DSS Virtualization Guidelines

Identity, Information Security, Source Doc
Author: Mark Dixon
Wednesday, June 15, 2011
1:41 pm

On June 14th, the PCI Security Standards Council announced publication of the PCI DSS Virtualization Guidelines Information Supplement, which “provides guidance to those in the payment chain on the use of virtualization technology in cardholder data environments in accordance with PCI DSS.”

The introductory section in this document outlines four principles associated with the use of virtualization in cardholder data environments:

  1. If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.
  2. Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments.
  3. Implementations of virtual technologies can vary greatly, and entities will need to perform a thorough discovery to identify and document the unique characteristics of their particular virtualized implementation, including all interactions with payment transaction processes and payment card data.
  4. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented.

After giving an overview of virtualization, the report sets forth a detailed review of risks inherent in a virtualized environment and specific recommendations about how to deal with those risks.

The document’s appendix walks through each of the 12 high-level PCI DSS requirements and describes how it should be applied in a virtual setting.

I have long thought the PCI DSS specification to be a good example of how an industry regulates itself. The Virtualization Guidelines document shows once again how the payments industry is in step with recent trends in Information Technology.

 

National Strategy For Trusted Identities In Cyberspace – My Take

Identity, Information Security, Privacy
Author: Mark Dixon
Friday, April 29, 2011
5:54 pm
 
When I hear a message that begins, “We’re from the government, and we’re here to help,” I am naturally suspicious.  My political philosophy, based on personal freedom, individual responsibility and natural consequences, is all too often infringed upon by over-reaching, even if well-intentioned, government mandates.  So, when I first learned of the “National Strategy For Trusted Identities In Cyberspace,” I quite naturally envisioned the typical government movement towards stronger control, greater regulation and reduced freedom.
 
However, rather than leave interpretation to others, I actually read the 45-page National Strategy For Trusted Identities In Cyberspace document that was officially released on April 15th.  Based on what I read, this initiative seems more like guidance for a national Interstate Highway system than a mandate for socialized health care.
 
On page 29 of the document, speaking of the goals for this initiative, we read:
These goals will require the active collaboration of all levels of government and the private sector. The private sector will be the primary developer, implementer, owner, and operator of the Identity Ecosystem, which will succeed only if it serves as a platform for innovation in the market. The Federal Government will enable the private sector and will lead by example through the early adoption and provision of Identity Ecosystem services. It will partner with the private sector to develop the Identity Ecosystem, and it will ensure that baseline levels of security, privacy, and interoperability are built into the Identity Ecosystem Framework.
If indeed the Federal Government can act as a catalyst, in cooperation with the private sector, to accelerate progress toward a secure, convenient, easy to use, interoperable and innovative framework for trusted identities, without exercising control and exploitation over participants, I can strongly support the initiative.
 
However, it is the nature of most people in areas of concentrated power to abuse the power with which they have been entrusted. This natural tendency, both in the public and private sector, may lead to unintended bad consequences as a result of this initiative. As the Trusted Identities initiative moves forward, we must be vigilant to make sure public or private power is not abused.

That said, I include here some key points from the document.  A user-centric “Identity Ecosystem” is proposed – an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities—and the digital identities of devices. 

The Identity Ecosystem, as envisioned here, will increase the following:
  • Privacy protections for individuals, who will be able to trust that their personal data is handled fairly and transparently;
  • Convenience for individuals, who may choose to manage fewer passwords or accounts than they do today;
  • Efficiency for organizations, which will benefit from a reduction in paper-based and account management processes;
  • Ease-of-use, by automating identity solutions whenever possible and basing them on technology that is simple to operate;
  • Security, by making it more difficult for criminals to compromise online transactions;
  • Confidence that digital identities are adequately protected, thereby promoting the use of online services;
  • Innovation, by lowering the risk associated with sensitive services and by enabling service providers to develop or expand their online presence;
  • Choice, as service providers offer individuals different—yet interoperable—identity credentials and media.
The Trusted Identity Strategy specifies four Guiding Principles to which the Identity Ecosystem must adhere:
  • Identity solutions will be privacy-enhancing and voluntary 
  • Identity solutions will be secure and resilient
  • Identity solutions will be interoperable
  • Identity solutions will be cost-effective and easy to use
The document spends over 40 pages explaining and exploring these goals and guiding principles.  Many more pages in many more documents will be produced before these objectives are achieved.
 
I look forward to following the progress of this initiative.  If this helps focus attention and resources on resolution of some difficult identity issues we face, it will be a good thing. Let’s work together to make that happen.
 
 

Gartner names Veriphyr “Cool Vendor in Identity and Access Management”

Identity
Author: Mark Dixon
Friday, April 29, 2011
11:18 am

Congratulations to my good friend Alan Norquist, whose company Veriphyr was named a “Cool Vendor in Identity and Access Management” in a recent Gartner report. Veriphyr offers an on-demand SaaS service that “analyzes identities, privileges, and user activity to detect violation of access control down to the record level to deter snooping into sensitive data.”

I received Alan’s email informing me of this recognition earlier today – ironically just two days after I posted an article about the business benefits of Identity and Access Intelligence.  Here is Veriphyr’s definition of Identity and Access Intelligence:

Identity and access intelligence (IAI) is a new category of SaaS application that uses advanced data analytics to mine identity, rights, and activity data for intelligence that is useful not only for IT operations, but also for broader business operations. What is new about IAI is its focus on the needs of the business manager, who typically has the best knowledge of what resources their direct reports should or should not be accessing, when they should be accessing it, and how much resource utilization is appropriate. IAI informs the identity and access management process (IAM) in a way that provides rapid value to business managers and generates the buy-in from business stakeholders that is needed for a successful project implementation.

I predict that this segment of the Identity and Access Management market will grow rapidly, as enterprises seek to gain actionable intelligence from their growing mountains of available Identity and Access data.
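To make the idea of Identity and Access Intelligence concrete, here is a small illustrative analysis written for this post. It is not Veriphyr’s code or any Oracle product; the users, roles, entitlements and activity records are all invented. It joins the three data sets the definition above names (identities, rights, and activity) and surfaces the two things a business manager would want to see: record-level accesses that no entitlement explains, and users whose access volume is far out of line with peers in the same role.

```python
"""Added example: a minimal identity-and-access-intelligence (IAI) pass.

Illustrative code written for this blog post, not Veriphyr's product or any
Oracle software. It joins three constructed data sets (identities,
entitlements, activity) and reports unentitled record accesses and
peer-group volume outliers, grouped by the manager who owns the users.
Every name and record below is invented.
"""
from collections import defaultdict
from statistics import median

# Constructed sample identities: user -> role and owning manager.
IDENTITIES = {
    "alice": {"role": "billing", "manager": "dana"},
    "bob":   {"role": "billing", "manager": "dana"},
    "carol": {"role": "billing", "manager": "dana"},
    "eve":   {"role": "support", "manager": "frank"},
}

# Constructed entitlements: role -> set of record classes the role may read.
ENTITLEMENTS = {
    "billing": {"invoice"},
    "support": {"ticket"},
}

# Constructed activity log: (user, record_class, record_id).
ACTIVITY = [
    ("alice", "invoice", "inv-1"), ("alice", "invoice", "inv-2"),
    ("bob",   "invoice", "inv-3"), ("bob",   "invoice", "inv-4"),
    ("carol", "invoice", "inv-5"), ("carol", "invoice", "inv-6"),
    ("carol", "invoice", "inv-7"), ("carol", "invoice", "inv-8"),
    ("carol", "invoice", "inv-9"), ("carol", "invoice", "inv-10"),
    ("carol", "invoice", "inv-11"), ("carol", "invoice", "inv-12"),
    ("eve",   "ticket",  "tkt-1"),
    ("eve",   "invoice", "inv-1"),   # support reading a billing record
    ("eve",   "hr_file", "hr-42"),   # record class no role is entitled to
]


def unentitled_accesses(identities, entitlements, activity):
    """Record-level check: each access whose record class is not covered by
    the user's role entitlement. Unknown users are reported too, because an
    orphaned account reading data is itself a finding."""
    findings = []
    for user, rclass, rid in activity:
        role = identities.get(user, {}).get("role")
        allowed = entitlements.get(role, set())
        if rclass not in allowed:
            findings.append((user, role, rclass, rid))
    return findings


def volume_outliers(identities, activity, factor=3.0):
    """Peer-group check: users whose access count exceeds `factor` times the
    median count of the other members of their role. A role with fewer than
    two other members has no meaningful peer group and is skipped."""
    counts = defaultdict(int)
    for user, _, _ in activity:
        counts[user] += 1
    by_role = defaultdict(list)
    for user, attrs in identities.items():
        by_role[attrs["role"]].append(user)
    outliers = []
    for role, members in by_role.items():
        for user in members:
            peers = [counts[m] for m in members if m != user]
            if len(peers) < 2:
                continue
            baseline = median(peers)
            if baseline > 0 and counts[user] > factor * baseline:
                outliers.append((user, role, counts[user], baseline))
    return outliers


def report_for_manager(identities, entitlements, activity, manager):
    """Restrict both checks to the users a given manager is responsible for,
    which is the view the IAI definition says business managers need."""
    mine = {u for u, a in identities.items() if a["manager"] == manager}
    unentitled = [f for f in unentitled_accesses(identities, entitlements, activity)
                  if f[0] in mine]
    outliers = [o for o in volume_outliers(identities, activity) if o[0] in mine]
    return {"unentitled": unentitled, "outliers": outliers}


if __name__ == "__main__":
    for mgr in ("dana", "frank"):
        print(mgr, report_for_manager(IDENTITIES, ENTITLEMENTS, ACTIVITY, mgr))
```

With the sample data, dana’s report contains no unentitled access but flags carol, whose 8 reads are four times the median of her billing peers; frank’s report flags eve’s two reads outside the support entitlement and no volume outlier, because a one-person role has no peer group to compare against. The peer-group threshold is a tunable: a fixed multiple of the median is easy to explain to a manager, which matters more here than statistical sophistication.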

 

When Can I Pay for Stuff with my iPhone?

Identity, Information Security, Privacy, Technology, Telecom
Author: Mark Dixon
Friday, April 15, 2011
10:47 am

 

I am anxious for the time when I can buy groceries or pay for a meal with my iPhone. According to Juniper Research, that time may be closer than you would think.

As reported by GigaOM, Juniper Research predicts that 1 in 5 Smartphones Will Have NFC by 2014. NFC, or “Near Field Communication,” is a short-range radio technology that lets a device such as a mobile phone exchange data with an NFC-capable point of sale terminal when the two are held within a few centimeters of each other, which is what makes a tap-to-pay transaction possible.

I think it would be great to use a mobile wallet on my iPhone, working in concert with an NFC chip embedded within my iPhone, to make a payment.

The GigaOM article states:

Juniper said the increasing momentum behind NFC, with a stream of vendor and carriers announcements in recent months, is helping boost the prospects of NFC. North America will lead the way, according to Juniper, with half of all NFC smartphones by 2014. France, in particular, is off to a quick start, with 1 million NFC devices expected this year.

Of course, there is more to this than just putting mobile wallet apps and NFC chips on smartphones.

But the NFC ramp-up will still face challenges. With so many players involved, from merchants, operators, manufacturers and web giants like Google, service complexity will be an issue. The industry also needs to work out business models around NFC while ensuring strong security for consumers unfamiliar with the concept of a mobile wallet, said Howard Wilcox, the author of the report.

Which smart phone vendor will be first to the races with a mainstream NFC-equipped device? Will the next iPhone be NFC-equipped?  I hope so, but I had also hoped for that in the iPhone 4.  Time will tell.  I’m just hoping for sooner, rather than later.

And, by the way, Identity Management and Information Security are crucial to an overall solution. Knowing who the user is and what that user wants to do, and making sure their information is absolutely safe, are critical components of the mobile payments infrastructure that must be built. In that vein, it’s great to be in the industry that is making this all happen.

 

 

Oracle White Paper: Information Security – A Conceptual Architecture Approach

Identity
Author: Mark Dixon
Thursday, April 14, 2011
8:31 pm
 
I just learned today about a new Oracle whitepaper entitled, “Information Security: A Conceptual Architecture Approach,” written by Paul Toal.  The paper’s basic premise is:
Information Security is a strategic approach that should be based on a solid, holistic framework encompassing all of an organization’s Information Security requirements, not just those of individual projects. The framework should be based on a reference architecture that takes into account key security principles such as ‘Defence in Depth’ and ‘Least Privileges’. By taking this approach to Information Security, organizations can ensure that the components of their Information security architecture address all business critical Information and are driven by the requirements of the business. 
The goal of the paper is stated as:
Our aim is to discuss the importance of providing an end-to-end, defence in depth enterprise-wide Information Security architecture with practical proof points, to meet both business and IT requirements for control as well as enabling the organisation to meet their desired goals.
The three major sections of the paper are:
  • Information Security Architecture Requirements
  • Information Security Conceptual Architecture
  • Validation of the Architecture

The paper addresses issues from business policy to technology enablers, effectively showing how information security can support enterprise business objectives and processes.  Thank you, Paul, for providing this excellent white paper.

 

 

We do eat our own dog food (aka Oracle Access Manager 11g)!

Identity
Author: Mark Dixon
Wednesday, April 13, 2011
10:11 pm

I was pleased to receive the following notice from Oracle product management in my email box this week:

Hi All,

As you might know, the transition of Corporate Single Sign-On (Intranet and Extranet) to Oracle Access Manager-11g is complete and the first production deployment of OAM 11g with a multi-million user population is now live. Starting Fri, Apr 1st, 2011, OAM-11g is now taking 100% of authentication load from extranet web properties of Oracle without any incident. All customers that access any Oracle service over the extranet like www.oracle.com, OTN, MOS, ARU etc. are now authenticated with Oracle Access Manager 11g.

It makes me feel good to know that we actually use our own products – even the latest version!

The key statistics for the Extranet deployment are actually quite impressive:

  • Total user population: 12 M
  • Avg daily authentication load so far: 350K users
  • Expected peak daily authentication load: 800K users (around special events like Open World)
  • Avg authentication latency: 120 milliseconds
  • Avg CPU usage: under 5%

Other Highlights:

  • This is the first production deployment of OAM-11 with a multi-million user population.
  • Like the intranet roll-out, this transition to OAM-11 was done with zero downtime. 
  • The gradual/phased ramp-up to 100% load allowed PDIT and dev team to triage problems and fix them before they impacted wider populations.

By the way, I’m not disclosing any secrets.  We were told we could spread this information around!  So have a piece of “virtual” chocolate cake with Fido and me.

 

     

Webcast: Automating User Provisioning – A User’s Perspective

Identity
Author: Mark Dixon
Monday, April 11, 2011
8:30 pm

Tomorrow, Tuesday, April 12th, at 11am PST, Oracle is presenting a live webcast, Automating User Provisioning – A User’s Perspective, featuring Jim Moran, CISO of Educational Testing Service (ETS), in which he discusses ETS’s implementation of Oracle Identity Manager and their cloud deployment plans.

     

     

I always enjoy hearing people talk about their experiences in implementing software. We can learn much from real experiences.

     

     
Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.