by Kevin Kampman | March 29, 2013 | Comments Off
This week, I encountered a rare situation. As I was leaving a local restaurant, I passed by a bank. In the driveway, an older lady was sitting in her late model high-dollar land yacht. She motioned me to the driver’s window. “Is there a depository in front of the bank?” she asked. I walked over to the bank and determined that there was an operational drop box there. I then asked her if she’d like me to put something in it. She said yes, handed me a thick envelope, thanked me and drove away. As I walked over to drop it in the depository, it occurred to me that she must have come from another place and time, or that I just looked honest. I was especially concerned as this is an area where lots of panhandlers shadow nearby ATM machines. She didn’t even look back.
Also this week, the Ohio Attorney General, Mike DeWine, was featured in a newspaper article about income tax fraud and how to prevent it. The article talked a lot about incident statistics and the means employed by criminals to access accounts. Mostly, it’s the use of Social Security numbers to identify filers. However, there were no recommendations on how one might avoid having your account compromised. While it seems that the government is onto these fraudulent activities, it leaves the taxpayer in a bit of a quandary. Like my encounter in front of the bank, it appears that the government is just too trusting. However, if the government issues a refund to the wrong person, it’s the proper person’s responsibility to identify the problem and make the situation right.
We live in a world where criminals exploit what’s normal. We operate in the mode where no one would file for a refund if they weren’t entitled to it, and of course the nice stranger will make your deposit for you. Changing expectations is an important element of security, but knowing who you are dealing with is also an imperative. Imagine if you were able to walk into a bank and make a withdrawal without proving that you owned an account, or use a credit card without providing some validating information. As our technology makes access simpler and more efficient, so must our ability to manage the entire consumer context. This is a matter of balancing identity to assets, reevaluating and replacing the identification concepts designed for another era. Otherwise, institutions behind the curve are inadvertently colluding with criminals. These situations are not the fault of the consumer; they shouldn’t bear the brunt of inattention, indifference or incompetence.
by Kevin Kampman | October 16, 2012 | Comments Off
In September of this year, I changed hats from an analyst and returned to my prior role as a consultant. Gartner consulting offers a much deeper set of capabilities and resources than our small team at Burton Group, and it became very attractive to me to join this competent and effective team of people. I’ll be helping to manage the security and risk team operations as well as performing in a delivery role.
One of the biggest changes from my prior consulting life is represented by the types of engagements Gartner is performing. In the past, most everything revolved around identity. Now, however, we are seeing a broadened interest in three areas:
Security – Commercial and government organizations are aggressively confronting security and privacy challenges by conducting comparative analyses of their enterprise with respect to industry and peers. These engagements are conducted on enterprise, state, and even larger scales. Interest and attention is being directed at protection of control and manufacturing systems, as well as top to bottom assessments of the network and application infrastructure.
Identity Management – Identity still reigns supreme given Gartner’s heritage; its scope has expanded to address cloud and external identity. Community federation scenarios, social and user managed identity, and consumer-oriented solutions are prompting organizations to reconsider the effectiveness of their existing identity infrastructure.
Mobility – Along with the socialization of identity, the need for mobility strategies is becoming important as new apps and capabilities that are tightly integrated with customers and associates are adopted by the business. This is a key area for mutual cooperation and oversight as adoption and integration of multiple computing platforms increases.
The good news is that Gartner has kept pace with growth. Our methodologies leverage our reference architecture framework which provides the best of our analyst and consulting capabilities. The opportunity to work closely with, and benefit Gartner’s clients, is one I welcome.
by Kevin Kampman | May 4, 2012 | Comments Off
To prepare for my Catalyst roles and entitlement workshop, I thought it might be worthwhile to see how far the idea of something-based access controls (*-BAC) had progressed. It has been a while since I have looked at role initiatives, although my inquiries tell me that interest in roles is still healthy. Roles have become an element of an identity and access governance initiative, and today are hardly spoken of in the abstract.
Roles are also high on the list of search terms, but there are some noteworthy contenders. Attributes are getting traction, policy is an up and comer, and even temporal-based access controls are getting attention. An intriguing approach to dynamically rewrite policy statements based on parameters is also emerging.
All of the continuing examination of methods to manage access is revealing. Clearly, we haven’t nailed down the right way to do this, and we may have to come to grips with the fact that there will be lots of ways. Maybe we should elevate the discussion to something called context or relationship based access control.
For any object, a set of conditions should be met before access is granted, such as time, attribute, role, etc. It seems we need a more flexible way to characterize all of the conditions that need to be met for access to be granted: not attributes about the object itself, but what you need to bring to the party to play.
One of the goals of entitlement management is to understand the conditions under which access should be granted. A lot of the focus in the *-BAC world is on what attributes IT can provide to represent these conditions. It might make more sense to describe the conditions needed to characterize access. This will provide guidance on what techniques an organization needs to develop to answer the question of what type of *-BAC is needed, instead of going off on tangents to explore what kinds of *-BACs can be developed.
One of access control’s biggest challenges is that it has often been an academic exercise. Maybe we can move the discussion forward by thinking about what is needed, not just what is possible.
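To make the idea concrete, here is an added example (not code from the original post, and not any vendor's product) of the "describe the conditions first" approach: each protected object carries a list of named conditions over the request context (a role, an attribute value, a time window), the decision is allow only when every condition holds, and a denial reports which conditions were unmet. The object name, the condition set, and the request contexts are constructed for illustration.

```python
"""Context-based access control as a conjunction of conditions.

Added illustration, not from the original post. The policy, object name
and sample request contexts below are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Any, Callable, Dict, List, Tuple

# A request context: everything the requester "brings to the party".
Context = Dict[str, Any]
# A condition is a human-readable name plus a predicate over the context.
Condition = Tuple[str, Callable[[Context], bool]]


def has_role(role: str) -> Condition:
    """Role-based condition: the requester holds the named role."""
    return (f"role:{role}", lambda ctx: role in ctx.get("roles", ()))


def attribute_equals(name: str, value: Any) -> Condition:
    """Attribute-based condition: a requester attribute has a given value."""
    return (f"attr:{name}={value}",
            lambda ctx: ctx.get("attributes", {}).get(name) == value)


def within_hours(start: time, end: time) -> Condition:
    """Time-based condition: request wall-clock time falls in [start, end)."""
    def check(ctx: Context) -> bool:
        now = ctx.get("time")
        return now is not None and start <= now.time() < end
    return (f"time:{start:%H:%M}-{end:%H:%M}", check)


@dataclass
class Policy:
    """All conditions attached to one object must hold; deny by default."""
    obj: str
    conditions: List[Condition] = field(default_factory=list)

    def evaluate(self, ctx: Context) -> Tuple[bool, List[str]]:
        # Collect every unmet condition so a denial is explainable.
        failed = [name for name, pred in self.conditions if not pred(ctx)]
        return (len(failed) == 0, failed)


def decide(policies: Dict[str, Policy], obj: str, ctx: Context) -> Tuple[bool, List[str]]:
    """Return (allowed, unmet condition names). Objects without a policy are denied."""
    policy = policies.get(obj)
    if policy is None:
        return (False, ["no-policy"])
    return policy.evaluate(ctx)


# Constructed sample policy: exporting payroll data requires the payroll-clerk
# role, membership in the finance department, and a business-hours window.
POLICIES = {
    "payroll-export": Policy("payroll-export", [
        has_role("payroll-clerk"),
        attribute_equals("department", "finance"),
        within_hours(time(8, 0), time(18, 0)),
    ]),
}

# Constructed request contexts.
CLERK_DAYTIME = {"roles": ["payroll-clerk"],
                 "attributes": {"department": "finance"},
                 "time": datetime(2012, 5, 4, 10, 30)}
CLERK_NIGHT = {**CLERK_DAYTIME, "time": datetime(2012, 5, 4, 23, 15)}
CONTRACTOR = {"roles": ["contractor"],
              "attributes": {"department": "finance"},
              "time": datetime(2012, 5, 4, 10, 30)}

if __name__ == "__main__":
    for label, ctx in [("clerk, daytime", CLERK_DAYTIME),
                       ("clerk, night", CLERK_NIGHT),
                       ("contractor", CONTRACTOR)]:
        allowed, unmet = decide(POLICIES, "payroll-export", ctx)
        print(f"{label}: {'allow' if allowed else 'deny'} unmet={unmet}")
```

The point of the structure is that the policy for an object is written as the list of conditions that must be satisfied, and which *-BAC technique supplies each condition (a role store, an HR attribute feed, a clock) is an implementation detail behind the predicate.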
by Kevin Kampman | April 19, 2012 | Comments Off
Last week I had the opportunity to conduct an identity management workshop with a large educational institution. Twenty people attended, evenly distributed between IT and business operations, with some large constituencies notably absent. Let’s call them employees and customers. For as long as I’ve been doing identity management, this distribution has been fairly typical. Identity management is seen as a technical endeavor, after all (not!).
The vendor and the future role of the enterprise directory provided the impetus for the workshop. The directory is the core repository for authentication and identity information, and is the coordination point for provisioning events. This is a common scenario in many organizations, and is particularly challenging where the information integration tools and processes have been developed in-house. Years of policies and procedures are embedded in the directory and its surrounding applications.
The embedded nature of identity management doesn’t stop with the directory, however. One of the goals of the workshop was to identify where the institution could make improvements to its current provisioning situation. Many of the participants had never been in the same room together, let alone examined the barriers and roadblocks in their provisioning processes. The participants are so used to living with their identity problems that they have become blind to possibilities. The workshop changed all that.
It was revealing to hear about interdependencies between different systems, and how the lack of a common attribute could initiate a “deadly embrace” in the provisioning process. Days and perhaps weeks could be cut out of the provisioning timeline by rethinking these inter- and intra-system processes and dependencies, without spending anything on new technology. In some cases, the problem is right before our eyes.
What often holds organizations back is a lack of communication, coordination, recognition and empowerment. The key to exposing opportunities is the encouragement of healthy skepticism, personal interactions and the desire to make things better. It’s not enough to say that identity governance or a new and improved directory is the answer. By themselves, they may just color in the grey areas. What is most important, and beneficial, is the organizational imperative to expose challenges for what they are, and to remove embedded and obvious barriers to efficiency and effectiveness. The lower price tag and immediate improvements indicate the benefits an ongoing identity management program can accomplish. Under the right circumstances, the grey actually looks good.
by Kevin Kampman | July 1, 2011 | Comments Off
Likewise Software has sold its Active Directory (AD) Bridge assets, Likewise Open and Likewise Enterprise, to BeyondTrust, in order to focus its attention on the identity and storage software markets. The move by Likewise leaves the market with four main competitors: BeyondTrust, CA, Centrify, and Quest Software. The Likewise AD Bridge portfolio is competitive and has reached a level of maturity that offers BeyondTrust the opportunity to build out the features of its own offerings. The surprise move by Likewise raises two questions:
Is the AD Bridge market reaching customer saturation?
Not yet. The Likewise AD Bridge portfolio was full-featured and competitive. The introductory growth channel, open software offerings followed by enterprise support and licensing, has been adopted by Centrify and Quest, while BeyondTrust and CA have each leveraged their security strengths. Additional development and growth is coming in the OEM and embedded markets, and in the privileged account management space (note CA’s entry to the market, as well as BeyondTrust’s historical strength). However, Likewise saw a larger opportunity in the storage market and used the sale of the AD Bridge assets to accelerate future development there. Likewise’s identity management heritage will serve its interests well from a resource management perspective.
Will AD Bridge offerings remain a niche, or become a springboard for newer capabilities?
AD Bridge extends the reach of directory services to simplify and normalize authentication and authorization into the Unix arena. AD Bridge also influences Privileged Account Management capabilities, and puts BeyondTrust in a very good position to leverage the strengths of its current offerings and expand them with the broader portfolio. This may influence vendors like Centrify to expand and enhance their management capabilities. Another opportunity is to extend authentication, authorization, and management to cloud-based resources. This is something that Likewise is poised to exploit, with or without its AD-related offerings.
Don’t expect a tsunami of change to disrupt the AD Bridge market; do expect the remaining vendors to bolster their offerings. BeyondTrust’s presence and strengths in security and virtualization management will be augmented with the addition of its newly acquired PowerBroker Identity Services to its portfolio. And, the competitive motions are emerging, with Centrify’s announcement of a trade in/up plan for Likewise customers.
Join our IT Professionals analysts at the Gartner Catalyst Conference to learn about how this and other trends in directory services capabilities are influencing identity integration and resource management.
by Kevin Kampman | August 23, 2010 | Comments Off
Those of you who attended Catalyst in San Diego in 2009 may remember the lively panel on Role Management’s Evolution. The participants included Edward Coyne of SAIC, representing InterNational Committee for Information Technology Standards (INCITS), David Laurance of JPMC, Alan O’Connor of RTI, Robert Amos of NuStar Energy LP, and Paul Rarey of Safeway. The panel provided a candid perspective on the adoption of role management in organizations; details of the panel discussion were published in the blog “Role” World Challenges.
In the course of the conversation, Alan O’Connor identified that the National Institute of Standards and Technology (NIST), the government sponsor for the role-based access control (RBAC) standard (ANSI INCITS 359-2004), will be soliciting real-world investment information on the implementation and benefits of role management. The purpose of this effort, ultimately, is to justify new government funding for the refinement of the RBAC standard, and also to provide organizations with information that can be used to demonstrate value in their own situations.
The survey was finally launched in August 2010. Sponsored by NIST, this solicitation, entitled “The Economics of Access Control,” covers access control strategies and lifecycles, user provisioning, and compliance activities. The survey is located at http://accesscontrolsurvey.rti.org. The results will be published by the end of 2010 and contributors will receive a copy of the report. This is a perfect opportunity to provide your input and perceptions about RBAC and related activities and to shape the standards activities in the future.
Tags: RBAC, Roles
by Kevin Kampman | July 12, 2010 | Comments Off
Anyone who’s heard Johnny Cash’s hit single One Piece at a Time smiles at the story of how a Detroit line worker built his Cadillac by smuggling parts out of the plant, one by one, until he had enough components to assemble a complete car. It’s an OK approach, if you aren’t too concerned about how things look in the end. The message of this ballad is well known to those of us in identity management, and to software vendors in general. No matter how thorough the suite, it’s generally a set of piece parts.
When it comes to that part about how things look in the end, you realize that no matter how many pieces and parts you acquire and put together, what you come up with really isn’t finished, and may never be. Quest Software, like many firms, has a history of related acquisitions, but has been challenged to put a polished appearance and integrated identity management functionality in place, in comparison to its larger competitors. The acquisition of Völcker changes all that.
Berlin-based Völcker has a solid, tightly coupled identity management solution called ActiveEntry. ActiveEntry has its foundation in Microsoft technology, but provides integration and provisioning functionality across the breadth of enterprise platforms. It addresses the needs of business users, administration, and compliance purposes, and its “Time Machine” functionality provides what-if analytics to assess the impact of change and to review historical information.
ActiveEntry, in conjunction with Quest’s identity management offerings, will provide a more complete portfolio of capabilities, in particular for role management, policy, and compliance; in effect, a balanced solution that meets the needs of both business and administrative communities. Viewed alongside Microsoft’s recent release of Forefront Identity Manager 2010, Quest has made a strategic acquisition that places it squarely in front of the challenges that FIM adopters need to address. The breadth of Quest’s Microsoft integration and management portfolio, combined with the functionality of ActiveEntry, will provide clients with a framework of components to address their IdM needs. The immediate challenge for Quest will be to organize the pieces so that they all move in the same direction.
by Kevin Kampman | June 29, 2010 | Comments Off
Last summer, the Clear / TSA Registered Traveler (RT) program was terminated. The premise of the Clear program was that frequent travelers willing to go through a government background check would pay for that service, in return for the convenience of a shorter trip through airport security. Apparently, about 200,000 people fit this profile and subscribed to the service. However, this was not a sufficient population to make Clear profitable, in spite of attempts to address the needs of frequent travelers such as office space for mobile workers and Father’s Day neckties. Abruptly, Clear ceased operations.
As part of its program, Clear issued a TSA-vetted smartcard that contained biometric information and a photograph of the registered traveler. Clear’s owner, Verified Identity Pass, Inc., also maintained a database of this information that was the subject of some intensive legal scrutiny and privacy concerns as to its disposition. As it turns out, that data has been preserved and will be transferred on an opt-out basis to a new company: Alclear, LLC.
In a message last week to its Clear members, Verified Identity Pass indicated that members who choose to opt-out by completing a form to that effect will have their existing records destroyed. For those willing to have their memberships revived, Alclear will restart the service and credit the time remaining on their subscription. This turns out to be a reasonable resolution, one that provides closure about the handling of sensitive personal and biometric data.
Whether or not the registered traveler business is viable or adds value and convenience remains to be seen. Clear is an example of a domestic public/private travel initiative. Another is the U.S. Customs and Border Protection (CBP) Global Online Enrollment System (GOES) for international travelers. CBP-GOES supports several trusted traveler programs including Global Entry, FAST, NEXUS, and SENTRI. As yet, TSA and CBP programs aren’t interoperable. The data for one doesn’t transfer to the other.
Imagine an international trip where you carry your passport for international destinations, your GOES credential for US customs, and your Clear card to reenter the airport for your domestic flight home. What starts to add up is the thickness of your wallet, the potential for exposure of sensitive information, and the hundreds of dollars paid for the privilege. Not to mention that these programs don’t eliminate the need for physical screenings.
One has to question whether the least common denominator for travel security isn’t sufficient for everyone, or if advance screening provides an advantage. Some airports offer expedited screening for frequent travelers, which reduces the benefit of TSA-cleared credentials. It will take time just to retrain screeners to recognize them as legitimate IDs. Alclear certainly faces an uphill battle to make its Clear program viable, but at least we now have control over the disposition of our data.
Tags: Clear, Frequent Traveler Programs, Privacy