
IAM Use Cases, why is “retainer” always missing?

I keep getting surprised about the 3 standard use cases everyone talks about: joiner, mover, leaver (JML). Everyone in the IAM sphere seems to have the same idea. Try and do a quick Google search and you will find many, many descriptions around the 3 areas. Just take the below.

It seems that joiner, mover, leaver is the foundation… or is it?

In my world it is a bit more diverse than that, especially if you also look into the time consumption within each use case. What I am trying to tell you is that usually an important and time-consuming use case is missing – the retain use case.

From my point of view the following use cases are needed by everyone looking into an identity & access management solution.

  1. Joiner – How new people joining your organization are granted accesses
  2. Retainer – The illegitimate child, covering especially governance activities
  3. Mover – When people move around inside your organization
  4. Leaver – How to handle people leaving the organization

The retain use case

In my world retainment of employees needs to be a separate use case area in any IAM solution. All other areas cover when something changes for the people in the organization: when they are hired, change position inside the organization or leave. But what happens when nothing changes for the employee?

Nothing, right?

But what if the same person has the same job over a 10-year period? Does nothing actually change for that employee? Just think what you were working on 10 years ago; not the same as today, right? But if no attributes are changed for a person, it is not a given that the IAM solution will capture the employee's development. Hence the retainment use case becomes relevant.

What should be included in the retainment use case?

When talking about the retainment use case, I suggest that you at least evaluate the following use cases.

  • Periodic certification of accesses and SoD violations
  • Periodic certification of job role content
  • Employee development without attribute changes
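A minimal sketch of the periodic checks listed above, as an added example that is not part of the original post. The record layout, entitlement names, SoD rule and 365-day certification interval are all assumptions made for illustration; the point is that none of these findings would be raised by a joiner, mover or leaver event.

```python
from datetime import date, timedelta

# Constructed SoD rule set: entitlements one person should not hold together.
SOD_RULES = [frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"})]

# Constructed identity records. Field names are assumptions for this sketch:
# last_hr_change = last joiner/mover event,
# grants = (entitlement, granted_on, last_certified_on or None).
IDENTITIES = [
    {"id": "alice", "last_hr_change": date(2014, 3, 1), "grants": [
        ("AP_CREATE_VENDOR", date(2014, 3, 1), date(2023, 11, 1)),
        ("AP_APPROVE_PAYMENT", date(2019, 6, 12), None),
        ("HR_REPORTS_READ", date(2021, 2, 3), date(2022, 1, 15)),
    ]},
    {"id": "bob", "last_hr_change": date(2023, 9, 1), "grants": [
        ("CRM_USER", date(2023, 9, 1), date(2024, 1, 10)),
    ]},
]

def retain_review(identities, today, cert_interval_days=365, sod_rules=SOD_RULES):
    """Return {identity: findings} for identities needing a retain-phase review."""
    cutoff = today - timedelta(days=cert_interval_days)
    report = {}
    for ident in identities:
        held = {name for name, _, _ in ident["grants"]}
        findings = {
            # Certification missing or older than the review interval.
            "overdue_certification": sorted(
                n for n, _, cert in ident["grants"] if cert is None or cert < cutoff),
            # Access gained after the last joiner/mover event: no JML trigger saw it.
            "granted_without_jml_event": sorted(
                n for n, granted, _ in ident["grants"]
                if granted > ident["last_hr_change"]),
            # Conflicting entitlements held at the same time.
            "sod_violations": sorted(
                tuple(sorted(rule)) for rule in sod_rules if rule <= held),
        }
        if any(findings.values()):
            report[ident["id"]] = findings
    return report

if __name__ == "__main__":
    for who, findings in retain_review(IDENTITIES, today=date(2024, 6, 1)).items():
        print(who, findings)
```

In the constructed data, the identity whose HR attributes have not changed since 2014 is the only one flagged, while the recent joiner passes cleanly.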

IAM temperature check by Deloitte

Based on 19 current IAM projects around the globe, Deloitte Australia created a temperature check on the IAM market. It’s not a very comprehensive report, but it gives a good indication of how the IAM market and the current projects are dealing with the growing challenges of identity and access management.

I can see three important conclusions from the report.

  1. Even though many organizations are trying to involve the line of business, IAM remains an IT challenge. Especially the CISO has IAM within his domain of responsibility. Just as interesting, IT is also the main area for funding the IAM projects.
  2. IAM is still a matter of getting users on to the system; governance around e.g. SoD is only true for about 50% of the IAM projects.
  3. When looking at the software solutions, we are still looking at a very diverse landscape. No supplier really has a tight hold on the clients. The study shows that the main IAM suppliers all have more or less the same number of projects.

http://www2.deloitte.com/dk/da/pages/risk/articles/Temperaturmaaling-paa-Identity-Access-Management-omraadet.html

Oracle and IAM

Last week I had the pleasure of participating in the Oracle partner forum for Identity Management in Berlin. A number of exciting solutions and roadmaps were presented. It was very impressive to see the full IAM package that Oracle has put together.

Of course some topics were more interesting than others. Especially mobile security and Internet of Things in an IAM perspective were interesting.

On the mobile side, Oracle has, with the acquisition of Bitzer Mobile, gotten a good approach to mobile security, incl. app control. Their approach differs from the normal VPN approach, where the entire phone is locked down; with this solution you build an app tunnel to secure only the corporate apps. So you can now continue using Facebook or LinkedIn without those apps gaining access to your corporate data. It looks and sounds very interesting and I am hoping soon to see it live.

Link to Oracle Mobile security site:
http://www.oracle.com/us/products/middleware/identity-management/mobile-security/overview/index.html

 

The other new thing, and definitely a buzzword that we will hear a lot more of in the coming years, is Internet of Things or IoT.

So what is IoT? Well, the definition I have heard is that a large number of devices (or things) will be coordinating and talking together over the internet, thereby adding new functions and added value for the consumer. For example, when you are driving in your car, the cars ahead of you can warn you of traffic jams etc.

By 2020 it is expected that 50 billion devices will be talking together.

So the question is now, how do we build end-to-end security to ensure that only the relevant people get access to only my information? Well, one thing is to have tight control of your IAM scope; why not leverage IAM to build a secure end-to-end solution? Some of the technology already exists, but I am sure that we have only seen the start of clever access management IoT solutions.

So if IAM can successfully position itself in this new sphere, IAM will stay a central player and further build on its importance for years to come. In any case, it is going to be very interesting – at least for a security nerd – to see solutions on IoT.