

Showing posts from 2009

What's In a Name?

IT access and governance projects in recent years have tended to be technical in their nature.  This is not a particularly surprising, or indeed negative, comment.  Many access-related initiatives have been driven around provisioning (automating the C(reate) R(ead) U(pdate) D(elete) process for joiners and leavers) or focussing on S(ingle) S(ign) O(n) initiatives to help reduce password mis-management.

The procurement of such solutions normally involves a product component and the obligatory services component.  The product selection has generally been done using scoring matrices, technical comparisons, benchmarking and functionality matching.  The services part is generally done on an agreed set of deliverables, man days, costings and project frameworks.  All fine and dandy.  In a technical land, a spade is a spade, as the saying goes.  Can your product talk over LDAP?  Does it have an SPML API?  Can I connect to a database using JDBC?  Can it be load balanced?  Are passwords encrypte…

Beyond RBAC?

Kuppinger Cole recently had a discussion covering the potential boundaries of standard RBAC and whether there are any potential next steps.  The talk focused on why RBAC projects fail and what the main limitations of a static RBAC implementation are.

Most projects tend to fall foul of the main RBAC confusions:  What is the role supposed to represent?  A user? A job function? A set of entitlements?  In some cases the role will represent all of these things, but to different people.

One of the common scenarios we have seen during our deployments is role explosion: the rapid increase in the number of entitlement-carrying roles as an implementation attempts to match every possible access scenario within the organization.  In addition, every department, area or even user adds to the problem through role exceptions, where new and unique roles need to be created to match a particularly different set of entitlements or scenarios.

(Rock and) Role Explosion??

A lot of the underlying confusion m…

Automating Bad Process Doesn't Make It Effective

I was recently presenting to a customer who is about to embark on an RBAC and Role Management project.  They knew the technical features they wanted to implement but their main concern was focussed more on the underlying business process.

An RBAC project can cover multiple areas of a business, not just the IT Security and Administration teams.  Obviously there are technical aspects, features and metrics that need either automating or consolidating.  These can include:

# Automatic creation of a role object (including the entitlements a role should have)
# Automatic association of users to role objects
# Automatic reporting of role objects, user entitlements, user exceptions
# Automatic recertification of user entitlements and role entitlements
# Automatic audit analysis, such as Separation of Duty or compliance policies

This list is obviously non-exhaustive, but it gives an idea of the sorts of tasks that a piece of software can be used to automate instead of leaving them to a manual process.

In additio…

IDM09 Conference London

At the start of the week I attended the IDM09 Conference in the Docklands in London. This relatively new one day event was host to several key security, identity and access control vendors and partners as well as delegates from the private and public sector. Most delegates held positions in leadership, architecture or implementation positions related to security or audit.

The attendance was fair considering the time of year and the ongoing economic uncertainty and credit issues facing many finance related organisations - the very companies that most security solutions are aimed at. The vendor sponsorship list contained the standard big name players including Sun and Oracle as well as developing vendors such as Aveksa, Courion and the Benelux based Bhold. The consultancy partner and SI space was also well attended with the likes of DNS, Infinitum and Oxford Computer Group sponsoring and presenting.

Due to the event being only the single day the agenda was quite compact with the idea …