<div><b>Ash's Identity Management Rantings</b> (Identity Management, Access Management), by Ashraf Motiwala</div>
<h1>Should CMOs Fund the Next Generation of Identity Management?</h1>
<div><i>Ashraf Motiwala, 2013-02-07</i></div>
<div style="background-color: white; color: #222222; font-family: Helvetica; font-size: 14px; line-height: 22px;">
<i>(Cross posted at blog.identropy.com)</i></div>
<div style="background-color: white; color: #222222; font-family: Helvetica; font-size: 14px; line-height: 22px;">
<br /></div>
<div style="background-color: white; color: #222222; font-family: Helvetica; font-size: 14px; line-height: 22px;">
What does marketing have to do with cloud Identity Management? Quite a bit, it seems. Last week, HMV (a European retailer) <a href="http://www.forbes.com/sites/susanadams/2013/02/01/dont-fire-an-employee-and-leave-them-in-charge-of-the-corporate-twitter-account/" style="color: #1caaec; outline: none; text-decoration: initial;" target="_self" title="laid off 190 employees">laid off 190 employees</a>. Among those let go was Poppy Rose, the HMV "Community Manager" who happened to be in charge of their Twitter account. The result? See for yourself...</div>
<div style="background-color: white; color: #222222; font-family: Helvetica; font-size: 14px; line-height: 22px;">
<img alt="Screen shot 2013 02 04 at 11.28.54 AM" border="0" class="alignLeft" height="261" id="img-1359999302512" src="http://blog.identropy.com/Portals/40850/images/Screen%20shot%202013-02-04%20at%2011.28.54%20AM.png" style="border: 0px solid rgb(204, 204, 204); margin: 0px 15px 5px 0px; padding: 2px;" width="320" /></div>
<div style="background-color: white; color: #222222; font-family: Helvetica; font-size: 14px; line-height: 22px;">
Over 60,000 followers had a front row seat to the entire process. Poppy, to her credit, did nothing illegal. In fact, she claims to have cooperated throughout the process:<br />
<br /></div>
<div style="background-color: white; color: #222222; font-family: Helvetica; font-size: 14px; line-height: 22px; padding-left: 30px;">
<em>“Just to set something straight, I did not ‘hijack’ the hmv twitter account. I actually assumed sole responsibility of Twitter & Facebook over two years ago, as an intern. When asked (this afternoon), I gladly provided the password to head office. I also set another member of staff up as a manager on Facebook, and removed myself from the admin list. I didn’t resist any requests to cooperate.”</em></div>
<div style="background-color: white; color: #222222; font-family: Helvetica; font-size: 14px; line-height: 22px;">
<br />
To add insult to injury, even after she was fired, she still had access. In fact, she had to direct HMV on how to revoke her access (over Twitter, once again, for the world to see):</div>
<div style="background-color: white; color: #222222; font-family: Helvetica; font-size: 14px; line-height: 22px; padding-left: 30px;">
<em><br /></em>
<em>“<a data-ls-seen="1" href="https://twitter.com/hmvtweets" style="color: #1caaec; outline: none; text-decoration: initial;">@hmvtweets</a> you need to go to ‘settings’ and revoke my account access as an admin. I’m still able to switch between accounts.”</em></div>
<div style="background-color: white; color: #222222; font-family: Helvetica; font-size: 14px; line-height: 22px;">
<br />
So if it isn't already abundantly clear why your CMO should foot the bill for your cloud identity management endeavor, here it is spelled out:</div>
<h2>
Brand Management</h2>
<div style="background-color: white; color: #222222; font-family: Helvetica; font-size: 14px; line-height: 22px;">
One of the CMO's responsibilities is to uphold the firm's brand in the public eye. And few things are more embarrassing than having your social media posts run amok in the hands of an intern. CMOs can avoid that by instituting the proper access controls for their social media apps, as advised by Susan Adams in the <a href="http://www.forbes.com/sites/susanadams/2013/02/01/dont-fire-an-employee-and-leave-them-in-charge-of-the-corporate-twitter-account/" style="color: #1caaec; outline: none; text-decoration: initial;" target="_blank" title="Forbes article">Forbes article</a>:<br />
<br /></div>
<div style="background-color: white; color: #222222; font-family: Helvetica; font-size: 14px; line-height: 22px; padding-left: 30px;">
<em>"The rather obvious lesson for employers in all of this: Take control of your social media accounts, change the passwords, and restrict access before you let go of the employees who run those accounts."</em></div>
<div style="background-color: white; color: #222222; font-family: Helvetica; font-size: 14px; line-height: 22px;">
<br />
As noted by Nishant Kaushik earlier this week while commenting on the <a href="http://blog.identropy.com/IAM-blog/bid/93908/The-Dilemma-of-the-OAuth-Token-Collector" style="color: #1caaec; outline: none; text-decoration: initial;" target="_blank" title="Twitter hack that impacted 250k users">Twitter hack that impacted 250k users</a>, a simple password change may not be sufficient. In today's world of linked application access capabilities (where Twitter grants access to other apps), explicit revocation of access to the appropriate applications within Twitter may also be required to comprehensively terminate a user's access.</div>
<div style="background-color: white; color: #222222; font-family: Helvetica; font-size: 14px; line-height: 22px;">
An Identity Management solution that integrates with Facebook and Twitter could have been used to revoke Poppy's access to those accounts in a timely fashion. Of course (as mentioned above), the integration with the applications has to be deep enough to revoke the access comprehensively, including any linked application access, not just the password. In fact, the CMO should work alongside the CSO to drive access policies that identify the applications with high sensitivity (read 'high damage potential') and automate the suspension of access to those accounts as soon as the specific person is considered for termination.</div>
<div style="background-color: white; color: #222222; font-family: Helvetica; font-size: 14px; line-height: 22px;">
The point is, leaving all of this to manual processes puts your brand at risk.</div>
<h2>
CMOs Will Outspend CIOs on IT...</h2>
<div style="background-color: white; color: #222222; font-family: Helvetica; font-size: 14px; line-height: 22px;">
According to Gartner, by 2017, <a href="http://my.gartner.com/portal/server.pt?open=512&objID=202&mode=2&PageID=5553&ref=webinar-rss&resId=1871515" style="color: #1caaec; outline: none; text-decoration: initial;" target="_blank" title="the CMO will spend more on IT than the CIO">the CMO will spend more on IT than the CIO</a>. Most of the software spend will be on SaaS. That means that the CMO's exposure to the Poppy Roses of the world will only increase over time. </div>
<div style="background-color: white; color: #222222; font-family: Helvetica; font-size: 14px; line-height: 22px;">
An Identity Management product that is pre-integrated with the CMO's most precious SaaS applications can ensure that access is duly revoked before brand damage is inflicted. The appropriate identity management system should have the flexibility to integrate with both the cloud applications and the company's corporate HR application, so that the termination process is automated end to end.</div>
<h2>
Can "Marketing Apps" be the new "SOX App"?</h2>
<div style="background-color: white; color: #222222; font-family: Helvetica; font-size: 14px; line-height: 22px;">
Anyone who has been in the identity space knows that traditionally, regulatory compliance pressures have driven much of the corporate identity management spend. Non-compliance can lead to financial penalties and brand damage in the public eye, especially if that non-compliance was made public. </div>
<div style="background-color: white; color: #222222; font-family: Helvetica; font-size: 14px; line-height: 22px;">
<span style="font-size: 13px;"><strong>The scary reality is that with the changing face of IT, "breaches" like the one described above can actually cause more damage than being non-compliant. They can lead to consumers fleeing your brand, which directly impacts a company's numbers and longevity.</strong> </span></div>
<div style="background-color: white; color: #222222; font-family: Helvetica; font-size: 14px; line-height: 22px;">
<span style="font-size: 13px;">It is for this reason that we believe CMOs and CIOs should </span><a href="http://www.theatlantic.com/sponsored/ibm-power-team/archive/2012/08/the-cmo-and-cio-power-team-fostering-a-culture-of-collaboration/261315/" style="color: #1caaec; outline: none; text-decoration: initial;" target="_blank" title="will naturally begin working more closely together">begin working more closely together</a> to start treating marketing applications with the sensitivity they deserve. Perhaps then, the Identity Management industry can start creating awareness of the value of the corporate brand to drive identity management adoption, instead of relying solely on the stick of the auditor.</div>
Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com0tag:blogger.com,1999:blog-13465455.post-43460252938864683582012-02-02T00:12:00.005-05:002012-02-02T00:22:28.612-05:00Identropy Reviews Cutting Identity Management Operating CostsIdentropy will be hosting a webinar with our friends at IDC entitled "Reducing your IDM Operating Costs Using IDaaS" in a couple of weeks (Tuesday, Feb 14). <a href="http://blog.talkingidentity.com">Nishant</a> from Identropy and <a href="http://www.idc.com/getdoc.jsp?containerId=PRF000168">Sally Hudson</a> from IDC will be presenting. Hope you can join us! You can read the abstract below, and <a href="https://www2.gotomeeting.com/register/720418882">register here</a>...<div><br /></div><div><span style="color: rgb(0, 0, 0); font-family: arial, verdana, helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: rgb(247, 247, 247); display: inline !important; float: none; "></span><blockquote><span style="color: rgb(0, 0, 0); font-family: arial, verdana, helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: rgb(247, 247, 247); display: inline !important; float: none; ">Would you like to reduce your IDM Operations costs by 50%, while still proving that the IDM program is meeting its goal? 
</span><br /><br /><span style="color: rgb(0, 0, 0); font-family: arial, verdana, helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: rgb(247, 247, 247); display: inline !important; float: none; ">Is your IT team overburdened with IDM operational support in response to a constant stream of patches and updates that were never budgeted for? </span><br /><br /><span style="color: rgb(0, 0, 0); font-family: arial, verdana, helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: rgb(247, 247, 247); display: inline !important; float: none; ">Do they lack the bandwidth to get to strategic new tasks in an ever-evolving, increasingly important IDM program? </span><br /><br /><span style="color: rgb(0, 0, 0); font-family: arial, verdana, helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: rgb(247, 247, 247); display: inline !important; float: none; ">Do they lack the time or subject matter expertise to enhance your IDM solution in response to changing organizational needs and business objectives? 
</span><br /><br /><span style="color: rgb(0, 0, 0); font-family: arial, verdana, helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: rgb(247, 247, 247); display: inline !important; float: none; ">If so, this webinar is for you. </span><br /><br /><span style="color: rgb(0, 0, 0); font-family: arial, verdana, helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: rgb(247, 247, 247); display: inline !important; float: none; ">The successful deployment of an Identity Management (IDM) infrastructure is only the first step of a continuous journey. Join Identropy and IDC for a webinar on how Identity Management-as-a-Service can help overcome the challenges of successfully and cost-effectively running an IAM program. During this webinar, guest speaker Sally Hudson, Research Director within IDC's Security Products and Services group, will discuss why many of these projects fail and what operational areas need to be accounted for to help bridge the divide between project-go-live and long-term success. 
Nishant Kaushik, Chief Architect at Identropy, will discuss how their SCUID Operations offering has helped many customers address their operational concerns and yield long-term and increasing value from their IDM investment.</span></blockquote><span style="color: rgb(0, 0, 0); font-family: arial, verdana, helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: rgb(247, 247, 247); display: inline !important; float: none; "></span></div>Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com1tag:blogger.com,1999:blog-13465455.post-51125869460400505832010-08-22T17:32:00.004-04:002010-08-22T17:43:08.383-04:00Regarding a Potential Way Forward for SPML<span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">Some of you might have followed the conversation in the blogosphere regarding SPML a few months back. 
If interested, get up to speed by reading the posts below:</span></span><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div><div><span class="Apple-style-span" style="line-height: 18px; "><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">- Mark Diodati, Burton Group: </span></span><a href="http://identityblog.burtongroup.com/bgidps/2010/02/spml-is-on-life-support-.html" target="_blank"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="color:#000000;"><span class="Apple-style-span" style="font-size: small;">SPML Is On Life Support</span></span></span></a><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;"><br />- Ingrid Melve, Feide: </span></span><a href="http://identitynetworks.wordpress.com/2010/02/11/provisioning-will-spml-emerge/" target="_blank"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="color:#000000;"><span class="Apple-style-span" style="font-size: small;">Provisioning, Will SPML emerge?</span></span></span></a><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;"><br />- Nishant Kaushik: </span></span><a href="http://blog.talkingidentity.com/2010/02/spml-under-the-spotlight-again.html" target="_blank"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="color:#000000;"><span class="Apple-style-span" style="font-size: small;">Oracle: SPML Under The Spotlight Again?</span></span></span></a><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;"><br />- Jeff Bohren, Identity guru: </span></span><a href="http://idlogger.wordpress.com/2010/02/12/whither-spml-or-wither-spml/" 
target="_blank"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="color:#000000;"><span class="Apple-style-span" style="font-size: small;">Whither SPML or Wither SPML?</span></span></span></a></span></div><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">- Jackson Shaw, Quest: </span></span><a href="http://jacksonshaw.blogspot.com/2010/02/spml-not-dead-yet.html"><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="color:#000000;"><span class="Apple-style-span" style="font-size: small;">SPML - Not Dead Yet!</span></span></span></a></div><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;"><br /></span></span></div><div><span class="Apple-style-span" style="font-family:arial;"><span class="Apple-style-span" style="font-size: small;">Last month, I had the opportunity to join a discussion with some really smart folks regarding the future of the SPML standard at the SPML SIG (Special Interest Group) at the Burton Group in San Diego. Anyhow, Mark Diodati led the session and recently published some of the conversation points discussed at the SIG. Take a look </span><a href="http://blogs.gartner.com/mark-diodati/2010/08/20/consensus-on-the-future-of-standards-based-provisioning-and-spml"><span class="Apple-style-span" style="font-size: small;">here</span></a><span class="Apple-style-span" style="font-size: small;">.</span></span></div><div><br /></div>Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com1tag:blogger.com,1999:blog-13465455.post-31720425992804778422010-07-18T22:21:00.003-04:002010-07-18T22:41:53.052-04:00IAM Failures...Product or Services?Jackson Shaw put up a few interesting posts last week regarding IAM Project Failures. 
The <a href="http://jacksonshaw.blogspot.com/2010/07/i-have-nothing-to-show-after-spending.html">first</a> was a company that sank $7M into an IAM Initiative that never took off. The <a href="http://jacksonshaw.blogspot.com/2010/07/iam-exam-results-so-far-9.html">second</a> was an informal survey of 9 IAM projects (6 used Sun, 3 used Novell). Jackson concludes:<br /><br /><blockquote>This was a great illustration to me of how far our little industry segment needs to improve. None of these customers were trying to do anything fancy. They had fancy plans originally but they were failing on basic provisioning or password management and were never able to progress further. It also further reinforced my view that there’s a great opportunity for a solution that doesn’t require a couple of busloads of consultants to get it (and keep it) running. A solution that delivers immediate value. A solution that customers are happy to have. A solution that is my dream</blockquote><br /><br />The question that I'd like to pose is, where does the cause of the failure lie? Is it a lack of IAM product capabilities or IAM services?<br /><br />In my take, IAM products have evolved (and continue to evolve) quite rapidly. Due to my profession, I am present when customers are shown IAM products from vendors and even when they get to test-drive them. Some of the stuff out there now is downright impressive...from visual drag-n-drop workflow capabilities to wizard-like setup of connectors, all in all, the innovation I've seen on the product side is impressive. Furthermore, most IAM project failures that I've seen occur are rarely due to the lack of a product feature.<br /><br />I think the problem lies in the services side of the IAM house. I suppose that statement is a confession of sorts, since that's the industry I've lived in for the past however long. Anyhow, the IAM services game is anything but impressive. 
To pull from one of Brad Feld's quotes, IAM services companies typically win deals because 'they suck less' than the next guy. Definitely nothing to be proud of! The services models are pretty much stagnant with limited innovation over the past decade. Every consulting firm has roughly the same implementation model (discovery, design, implement, test, blah blah blah). Replace those words using a thesaurus and you have the next System Integrator's methodology. That's why I believe there needs to be a <a href="http://www.identropy.com/blog/bid/29428/Approaches-to-IDaaS-for-Enterprise-Identity-Management">shift in the IAM services paradigm</a>.<div><br /></div><div>What's your take? What's the culprit? IAM Product or Services?<br /><br /><br /><br /><br /><br /></div>Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com4tag:blogger.com,1999:blog-13465455.post-82627090942082937792010-04-14T06:45:00.004-04:002010-04-14T06:50:30.581-04:00On Developing a Deprovisioning PolicyAn interesting discussion emerged out of a <a href="http://identropy.com/blog/bid/31993/3-Insights-on-Developing-a-Deprovisioning-Policy">blog entry</a> over at the Identropy blog on developing a Deprovisioning Policy.<br /><br />I've reproduced both the contents of the blog and the comments section (which is probably more interesting than the article) below. Enjoy!<br /><br />----<br /><br /><p>Identity Management technology can be tricky. But in most instances, it's not the technology that trips up an implementation. 
It's the policy development (or lack thereof) that causes the heartache.</p><h4><img src="http://identropy.com/Portals/40850/images/you_re_fired.jpg" mce_src="/Portals/40850/images/you_re_fired.jpg" alt="" title="" align="right" border="0" height="274" hspace="" vspace="" width="262" /></h4> <p>Deprovisioning Policy is typically more complex than a simple policy that states that when HR says a person is terminated, the identity system terminates the user's access to all systems. Here are a few things to consider when developing your Deprovisioning Policy. </p><h4>1. Deprovisioning Policy (Technical View)</h4> <p>The technical view of a deprovisioning policy is concerned with what the identity system should do once we know that the user should be deprovisioned for each target system.</p><ul><li>Should the user's account be hard deleted or just disabled?</li><li>If disabled, how is that done? (Move the AD account to a disabled users OU, place the row into an archive table, etc.)</li><li>How long should disabled users be kept in the system? </li><li>What should happen to the person's shares, mailbox, etc.?<br /></li></ul> <h4>2. Deprovisioning Policy (Business Process View)</h4><p>The business process view of a deprovisioning policy addresses the states that should trigger a deprovisioning action. Here are a few questions to ask your policy team:</p><ul><li>How do we calculate the actual last day a person should have access? Is there an effective date that can be used? Is HR using that field properly?<br /></li><li>How should 'leaves of absence' be handled?</li><li>What should happen if a person wants to use his/her vacation days directly before retirement? What if the person may still provide off-site help during this time period and therefore needs access? </li><li>How should sabbaticals be handled?</li><li>Should a user's current access be terminated in a department transfer? 
What if they still need their old access for some time?<br /></li><li>How should unused sick days be taken into consideration?</li></ul><h4>3. Take Compliance Policy into Consideration</h4><p>Besides the business process view of the policy, sometimes existing regulatory compliance rules may have an adverse impact on an otherwise sensible policy. For example, definitions of 'termination', 'employee job role change' and 'leave of absence' will directly impact the overall policy and should be taken into consideration. </p>By thinking through these issues, an effective Deprovisioning Policy can be put together prior to implementing an IAM solution.<br /><br />----<br /><br /><span style="font-weight: bold;">Comments:</span><br /><br />Hi Ash, my suggestion (as always with IAM related decisions) is to start from the business view and try to stay out from the temptation to start analyzing the event from a technical standpoint. <br /> <br />Using business as starting point can be very helpful for example in fragmented, complex or very dynamic environments where could be very hard to find a common agreement on the right behavior to follow and where, probably, it can give you also a longer-term solution. <br /> <br />What do you think? <br /> <div class="comment-info">Posted @ Tuesday, April 13, 2010 7:10 AM by <a href="http://www.mayeronline.it/www/archives/category/identity-and-access-management/" rel="nofollow">Luca</a> </div> <!-- END div.comment --><div class="comment-body"> <a name="comment57680"></a> Hi Luca, <br /> <br />Interesting point. <br /> <br />From a policy standpoint, both sides (biz process view and tech view) have to be defined. And although the business process view (i.e. defining the states of the user should trigger a decommissioning of the user's access) is critical, the policy would simply be incomplete without the tech view. 
<br /> <br />From a dependency standpoint, I really don't see that one piece of this is dependent on the other...(although I'm still thinking through it). It's almost as if both sides of the policy can be developed independently. <br /> <br />Thoughts? <div class="comment-info">Posted @ Tuesday, April 13, 2010 11:13 AM by Ash Motiwala </div> </div><!-- END div.comment --><div class="comment-body"> <a name="comment57708"></a> Ash, for sure both sides (biz process view and tech view) have to be defined. My suggestion is to avoid developing them independently and where possible to start from the business view and requirements and understand how those requirements can be fulfilled from the technical standpoint. <br /> <br />My idea is based on two main assumptions: <br /> <br />1) Technology should support business and so we should start from it and try to define the best suitable tech solution. So, is it possible to keep them independent? <br /> <br />2) Deriving technical view from business view allows to have more stable policies because in my (very very short) experience I’ve saw more stability on the business requirement than that on the technical one. Technical side of policies could be more fragmented, detailed and sometimes system dependent and for this reason more subject to modifications when changes happen in the technical infrastructure (mergers, new systems, etc.). In my opinion, this approach allows to keep unchanged business view and most of the decisions related to the tech view. <br /> <br />Are, in your opinion, my assumptions valid? 
<br /> <div class="comment-info">Posted @ Wednesday, April 14, 2010 2:47 AM by <a href="http://www.mayeronline.it/www/archives/category/identity-and-access-management/" rel="nofollow">Luca</a> </div> </div><!-- END div.comment --><div class="comment-body"> <a name="comment57713"></a> Hi Luca, <br /> <br />I'd agree in general that business process development should happen before technical analysis, (as I've mentioned in other articles <a href="http://www.identropy.com/blog/bid/9217/Identity-Management-Workshop-Critical-Ingredients">here</a>). <br /> <br />In order to think through this, I posed myself the following: should the following 2 questions (1 business process oriented, the other technically oriented - as defined in the article) be answered in a specific order? <br /> <br />1. Should a leave of absence translate to termination of access? <br />2. What should happen to a person's shared folder contents once terminated? <br /> <br />Thinking through this, the 1st question should be posed to the business process owner - whose answer will provide context to the technical owner to answer his part of the question...since a leave of absence (as a state) will probably have a direct impact on how long to hold on to a person's mailbox or shares. And will probably have a different impact on a person who was terminated for cause. <br /> <br />So yes...I agree. Thanks for the insight, Luca! <div class="comment-info">Posted @ Wednesday, April 14, 2010 5:42 AM by Ash Motiwala </div> </div>Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com0tag:blogger.com,1999:blog-13465455.post-35971136654940256462010-02-26T11:39:00.003-05:002010-02-26T11:46:56.981-05:00Sorry MIIS, It's Not You, It's MeHere's some geek humor. A buddy of mine sent me an old email correspondence I had with him back in 2006 (back when ILM, I mean FIM, was MIIS). 
I was doing my best to get him going on the training path on the product, and this is what he wrote me after doing MIIS dirty:<br /><br /><blockquote>Now if you'll excuse me I have to go speak to MIIS. I think it's mad at me cuz I haven't touched it for so long (it's starting to feel that I think it's ugly). It's my fault actually, I met someone named Tivoli at a party and we really hit it off. You know when you have that connection instantly? Anyway, since then MIIS and I haven't been speaking much outside of the daily niceties a couple stuck in a rut routinely exchange. Both of us know it's a facade, but we maintain it, almost mockingly, for the sake of the little Management Agents we have running around. To make them Disconnectors now, would be devastating to business continuity. </blockquote>As a side note, he still doesn't know MIIS/ILM/FIM. "If-you-don't-know-me-by-now..." :)<br /><span style="color:#888888;"><br /><br /><br /><br /></span>Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com1tag:blogger.com,1999:blog-13465455.post-65259008980076681662010-01-11T14:20:00.003-05:002010-01-11T14:27:30.374-05:00Series on Developing an Identity Management RoadmapI've recently been involved in putting together a <a href="http://www.identropy.com/blog/?Tag=Identity+Management+Roadmap">blog series</a> on developing an Identity Management roadmap. It's a 3 part series over at the <a href="http://www.identropy.com/blog">Identropy blog</a>. 
Part 3 is a bit long for my taste, but has a lot of great content I'm sure you'll benefit from if you are involved in identity management strategy development for an organization.<br /><br /><a href="http://www.identropy.com/blog/bid/28635/On-Developing-an-Identity-Management-Roadmap-Part-I">Part 1</a> is an intro to what an identity management roadmap is, who needs one, who doesn't and why.<br /><a href="http://www.identropy.com/blog/bid/28945/On-Developing-an-Identity-Management-Roadmap-Part-II">Part 2</a> is about the prerequisites to developing a roadmap.<br /><a href="http://www.identropy.com/blog/bid/29576/On-Developing-an-Identity-Management-Roadmap-Part-III">Part 3</a> is the meat & potatoes of how to develop one.<br /><br />We've left some room for input and discussion. Chime in!Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com2tag:blogger.com,1999:blog-13465455.post-56060823861235855382009-11-12T21:15:00.004-05:002009-11-12T22:15:36.163-05:00Man*ged *dentity Serv*ces, Trademarked!<span style="color: rgb(0, 0, 0);">I received the following email today from our friends at <a href="http://www.fischerinternational.com/">Fischer</a>:</span><br /><br /><blockquote style="color: rgb(0, 0, 0);font-family:courier new;"><p class="MsoNormal"><u><span style="font-size:10pt;"><a href="http://identityman.blogspot.com/2009/01/another-entry-into-idm-managed-services.html" target="_blank">http://identityman.blogspot.<wbr>com/2009/01/another-entry-<wbr>into-idm-managed-services.html</a></span></u></p> <p class="MsoNormal"> <span style="font-size:10pt;">Dear </span>Ashraf Motiwala,</p> We note that one of your recent articles used the phrase "Managed Identity Services". This phrase is a trademark owned by our company and is also 
the subject of a U.S. trademark application examined and approved by the U.S. Trademark Office. When you use the phrase in your articles, please place the "R" superscript after the trademark, and please make a reference in your articles that "Managed Identity Service®" is a trademark owned by Fischer International Identity, LLC. In addition, you should use the trademark as an adjective, not as a noun. These steps will help us continue to protect our trademark rights and also allow you to properly refer to it in your various articles.<br /><br />Thank you for your support and proper usage of our trademarks. If you have any questions, please feel free to contact us.</blockquote><span style="color: rgb(71, 75, 78);"><span style="color: rgb(0, 0, 0);"><br />I see. It's all about trademarks (and grammar). For some reason, I thought it was about innovation and making the (identity) world a better place.<br /><br />Anyhow, I wonder if they are going after <a href="http://www.citi.com/transactionservices/home/managed_identity/index.jsp">Citi</a>, <a href="http://www.arcot.com/partners/digital_identity/partner_citi.html">Arcot</a>, <a href="http://www.business-standard.com/india/news/rs-35-crore-lossculprit/25014/on">Wipro</a>, and <a href="http://www-935.ibm.com/services/us/index.wss/offering/iss/a1030826">IBM</a>. Wait, they barked at my <span style="font-style: italic;">blog</span>...so I also wonder if they went after <a href="http://blog.ianyip.com/2008/09/managed-identity-services-survey_19.html">Ian Yip</a>, <a href="http://www.kuppingercole.com/articles/fg_covisint_290908">Felix Gaehtgens</a>, <a href="http://360tek.blogspot.com/2008/10/ians-managed-identity-services-survey.html">Matt Flynn</a>, <a href="http://blog.talkingidentity.com/tag/managed-identity-services">Nishant Kaushik</a> and <a href="http://blogs.forrester.com/srm/2007/08/are-we-ready-fo.html">Jonathan Penn</a>. Anyone else get an email? 
Or should I feel honored that they are singling me out because of the 6 readers who read my blog?<br /><br />C'mon Fischer, you guys should really let the trademark go. The term belongs to the industry. Remember, trademarks don't buy market share.</span></span>Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com4tag:blogger.com,1999:blog-13465455.post-83990782799721445462009-09-02T01:29:00.004-04:002009-09-02T11:21:23.719-04:00Identity Services, SaaS, and Another Matt<a href="http://community.ca.com/members/Matthew-Gardiner.aspx">Matt Gardiner</a> over at the CA blog makes <a href="http://community.ca.com/blogs/iam/archive/2009/08/31/can-identity-services-be-provided-via-saas.aspx">some interesting points</a> regarding identity services and SaaS. (I'm a new reader of Matt's blog, and want to personally thank him for adding yet <a href="http://360tek.blogspot.com/">another Matt</a> to the <a href="http://idm-thoughtplace.blogspot.com/">list</a> of <a href="http://mathamlin.com/speak/">identity bloggers</a> I have to keep up with. What's up with identity bloggers and the name 'Matt' anyhoo?)<br /><br />Matt questions the value/feasibility of providing identity services in a Software-as-a-Service format, since there's a difference between apps and infrastructure. Infrastructure, he argues, must be "appropriately integrated into the enterprise premises and processes". 
He continues to argue that identity services in a SaaS format can't ignore on-premise apps in favor of identities in the cloud, and mentions the traditional concerns around "outsourcing" compliance and security.<br /><br />Ironically, I had an interesting conversation just yesterday with an industry colleague regarding the exact issues mentioned by Matt, where he presented some new emerging paradigms in the 'Identity as a Service' world, including what he dubbed "Enterprise Looking In" and "Enterprise Looking Out" (more on this in future posts). Here are a few questions/direction for the conversation (more questions than direction)...<br /><br /><ul><li>Let's nail down the definition of 'identity services'. If not for the industry at large, at least for this conversation at hand. In my opinion, a lot hinges on that.</li><li>Is the notion of 'Identity Services' in a SaaS format an either-or paradigm for on- and off-premise apps? </li><li>Can <a href="http://www.identropy.com/Products/ic2">technology</a> help blur the internal vs. external line? Does this lead to a new category of infrastructure?</li></ul>Matt does acknowledge that he sees the opportunity for some areas of identity to be outsourced. 
Perhaps this conversation could help clarify which areas, specifically...Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com0tag:blogger.com,1999:blog-13465455.post-90686168340824257232009-06-26T10:24:00.004-04:002009-06-26T10:36:43.221-04:00On SaaS ProvisioningJackson Shaw posted <a href="http://jacksonshaw.blogspot.com/2009/06/enterprise-class-saas-provisioning.html">some of his thoughts</a> today on enterprise-class SaaS provisioning...<br /><blockquote><br />"If you consider an SaaS application as "just another application" you will understand that your end-user identities still must be managed in that SaaS application...We have a standard called "<a href="http://en.wikipedia.org/wiki/SPML">Services Provisioning Markup Language</a>" (SPML) which was specified to help provision identities via a web service. Does your SaaS vendor support that standard? I'll bet they do not! What do you do then? I've met with hundreds of customers over the years and many are still struggling with provisioning inside the enterprise! Throw in SaaS provisioning - via some hairbrained interface because the vendor doesn't support SPML - and it only adds to the organization's identity management complexity."</blockquote><br />I have to agree. The real pain point here is the connectivity into SaaS apps, and the lack of standards there. Ian had talked about this in a <a href="http://identityblog.burtongroup.com/bgidps/2009/01/down-with-federated-provisioning.html">previous post</a>. Recreating a workflow engine, role management, delegation, etc. in the cloud just duplicates those capabilities, especially for organizations that have already dropped a few dollars to deploy an IdM solution on premise. Why would I drop my existing investment here? (Perhaps there is a compelling case, but I just don't see it.) 
I would much rather find a solution that proxies the SPML requests from my existing provisioning solution and handles all the complexities (or "hairbrained interfaces") of the SaaS apps on the backend! More on this soon...Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com0tag:blogger.com,1999:blog-13465455.post-2934025475579742892009-05-30T19:02:00.004-04:002009-05-30T19:06:40.005-04:00DIY: Identity Management Project Scoping Exercise-<br /><br /><a href="http://www.identropy.com/blog/bid/20250/Identity-Management-Project-Scoping-Part-I">Identity Management Project Scoping, Part I</a><br /><br /><a href="http://www.identropy.com/blog/bid/20593/Identity-Management-Project-Scoping-Part-II">Identity Management Project Scoping, Part II</a><br /><br />-Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com0tag:blogger.com,1999:blog-13465455.post-71845601317923047202009-04-28T19:45:00.010-04:002009-04-29T07:26:19.833-04:00FUD Swings Both WaysSalesmen are an interesting bunch. They have to drink the company kool-aid to enable them to sell with conviction. But what happens when a salesperson starts to waver in that conviction? What happens when they start losing their religion? Fear-based selling! Easy peasy!<br /><br />Since I noticed that my last post on <a href="http://identityman.blogspot.com/2009/04/story-about-vendor-selection-and-fud.html">FUD-based selling and Vendor Selection</a> was being used to spread more FUD (with Oracle being the victim this time), I decided to do my part to rid the world of keep-the-client-ignorant tactics and try to put the facts out there. It's interesting how fear always finds a home ("they're too small!" 
vs "they're too big!")...anyhow, here goes:<br /><br /><ul><li>In a <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1354267,00.html?track=sy160#">solid article by TechTarget</a>, Jonathan Penn points out that customers have no need to panic today, and that Oracle will have the resources to support both product lines for a while, noting that it has continued to support the ERP products of both PeopleSoft and JD Edwards following its 2005 acquisition of PeopleSoft.<br /></li><li>Instead of spreading fear, let's spread facts - namely regarding Oracle's track record with acquisitions. Siebel hasn't gone away. Also, Oracle now supports multiple app servers with the BEA acquisition. (Someone else may want to chime in on this since I'm not an expert, but remember: facts over fear!)</li><li>Anecdotal evidence: a casual conversation with a VP at a financial firm uncovered that in recent years, Oracle has acquired the vendors of nearly all of their major systems, effectively turning them into an Oracle shop. The result? Fear and mayhem? Not really. In fact, Oracle offered up a free inventory analysis from Oracle Consulting to guide the client to maximize their existing software investment and determine how they might benefit from updates resulting in tighter integration between systems (although the client stated he would have opted for a deal on maintenance).</li></ul>That's my $.02, and I hope it moves the conversation away from fear and closer to the facts. And although I know I didn't cover all the facts and I welcome folks to chime in with their side, the point should NOT be boutique vs. large vendor, large vs. small, red vs. twitter blue, but simply the product's capabilities to "<a href="http://www.networkworld.com/newsletters/dir/2009/042709id2.html">scratch your itch</a>", as Dave Kearns put it. Remember this, young salesman: Sell your product, not fear, for FUD is the path to the dark side. FUD leads to anger. Anger leads to hate. 
Hate leads to suffering.Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com1tag:blogger.com,1999:blog-13465455.post-6461965539504356812009-04-21T08:39:00.004-04:002009-04-21T08:56:38.900-04:00A Story About Vendor Selection and FUDThe shocking (at least to me) story of <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1354267,00.html?track=sy160">Oracle acquiring Sun</a> yesterday made me think about an experience I had helping a client in the vendor selection process late last year.<br /><br />The client was seeking an identity solution, and with our help, reduced the vendors to Sun, another large vendor and a small boutique vendor. After their demos/POCs, the vendor scoring matrix we helped them put together showed that the boutique vendor actually ended up with the highest score.<br /><br />After some great FUD work from the sales folk, the client decided to add a new metric to the matrix for <span style="font-style: italic;">Company Viability</span>. All of a sudden, Sun came out on top...and the solution was purchased and implemented. The whole reason the boutique vendor lost out was fear: the likelihood of acquisition or failure, etc. <br /><br />A few months later...Sun is on the block, and finally inks a deal. Now I'm hearing that the client is worried about the direction of the Sun product line post-acquisition, because of the heavy overlap between the Sun and Oracle product lines. (And also worried about what Oracle will do to Sun's open source initiatives.)<br /><br />Now the smaller vendors are having their say (and they should). 
Here is an interesting perspective from a <a href="http://www.networkworld.com/news/2009/042009-oracle-sun-identity-management.html?page=2">Network World article</a>:<br /><blockquote><br />"Figuring out what stays, what goes, and integrating the remaining pieces is going to be an enormous task that will undoubtedly create consequences for deployed customers," says Andre Durand, CEO of Ping Identity, which develops identity federation software. "This is yet one more reason companies should consider standards-based, loosely coupled approaches, as it insulates them from the potential for single vendor lock-in, which is occurring irrespective of how they are selecting their vendors."<br />...<br />Blakley says as the deal closes, Oracle management likely won't address identity until the more compelling <a href="http://www.networkworld.com/news/2009/042109-oracle-mysql.html">strategies</a>, such as the database, are worked out. "So there will be a period where not much happens and it is business as usual."<br /></blockquote>Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com3tag:blogger.com,1999:blog-13465455.post-23632291413124444872009-04-14T07:07:00.003-04:002009-04-14T07:21:56.637-04:00Virtual Directory WhitepaperOracle just put out an <a href="http://www.oracle.com/technology/products/id_mgmt/ovds/pdf/ovd-sharepoint-wp-v3.pdf">interesting whitepaper</a> on how to use their virtual directory product with SharePoint. A few interesting scenarios:<br /><ul><li>Allow users to authenticate to SharePoint with Windows credentials but control access based on job codes maintained in an HR database (without having to sync!)</li><li>Allow a SharePoint workspace to be used by two different business units who each maintain their own AD domain</li></ul>On another note...SharePoint has been getting a lot of attention from the identity folks, hasn't it? 
Microsoft was promising a new "Identity Portal" in ILM 2, until they blew their release date by A YEAR(!!). Courion's been marketing <a href="http://www.courion.com/products/compliance-manager-sharepoint.html">their solution</a> for SharePoint as well, which is basically an attestation/segregation of duties play. Bitkoo has their <a href="http://www.bitkoo.com/products-keystone-sp.php">fine-grained authorization management stuff</a> for SharePoint.<br /><br />I wonder why the trend? Hmmm....<br />Well, here's a <a href="http://www.cmswire.com/cms/enterprise-cms/sharepoints-no-slouch-earns-microsoft-1-billion-002263.php">billion</a> reasons.Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com1tag:blogger.com,1999:blog-13465455.post-76661650988936618062009-04-08T10:08:00.008-04:002009-05-30T19:09:12.266-04:00Some Process Re-engineering Principles for Identity Management Projects (part 1)I'm in the early stages of working with <a href="http://cloudfabric.blogspot.com/">a colleague</a> on a whitepaper on guidelines for business process re-engineering for provisioning projects, and thought I'd share some of our thoughts to see if I could get some feedback. (If we use anyone's feedback, we'll make sure we reference you.)<br /><br />1. The first point is to put some parameters around the re-engineering effort. The most common mistake that IDM-focused re-engineering efforts make is to overdo it. Once a current-state process diagram is put together (preferably in <a href="http://www.bpmn.org/">BPMN</a>), many consultants find way too much to optimize, usually because of complaints from the customer. It's important to keep your scope in mind, otherwise the project can quickly turn into a much larger endeavor than you (and the client) had previously anticipated. 
<span style="font-weight: bold;"> It's important to focus primary re-engineering efforts on areas that can positively impact identity data.</span> It may be tempting to re-engineer an inefficient interviewing sub-process of the onboarding process, but doing so will most likely not impact your identity data either way. Furthermore, provisioning platforms were not created to solve that problem (more on this later). On the other hand, re-engineering a self-registration process to prevent duplicate accounts will have a significant impact on your identity data. The lesson: pick your process re-engineering battles wisely.<br /><br />Thoughts?<br /><br />(to be continued...)Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com2tag:blogger.com,1999:blog-13465455.post-28780445829495526292009-04-01T09:20:00.005-04:002009-04-01T09:32:32.607-04:00Pottery Making, Iterations and Identity ManagementI'm a big fan of iterations in identity management implementations. The reason is pretty simple: you can't learn from lessons until you try. (You could learn from consulting firms, but not about <span style="font-style: italic;">your</span> environment.) Which means that you don't get really good at delivering identity management until the 3rd or 4th time. (So take that 9-month project and break it down into smaller 3-month projects!)<br /><br />Anyhow, here is the pottery-making connection. It's a parable a co-worker forwarded to me from <a href="http://www.amazon.com/exec/obidos/ASIN/0961454733/lifeclever-20?tag=lifeclever-20">Art and Fear</a>:<br /><blockquote> The ceramics teacher announced on opening day that he was dividing the class into two groups. 
All those on the left side of the studio, he said, would be graded solely on the quantity of work they produced, all those on the right solely on its quality.<br /><br /> His procedure was simple: on the final day of class he would bring in his bathroom scales and weigh the work of the “quantity” group: fifty pounds of pots rated an “A”, forty pounds a “B”, and so on. Those being graded on “quality”, however, needed to produce only one pot—albeit a perfect one—to get an “A”.<br /><br /> Well, came grading time and a curious fact emerged: the works of highest quality were all produced by the group being graded for quantity. It seems that while the “quantity” group was busily churning out piles of work—and learning from their mistakes—the “quality” group had sat theorizing about perfection, and in the end had little more to show for their efforts than grandiose theories and a pile of dead clay.<br /><br /></blockquote><span style="font-weight: bold;">The lesson</span>: Take on a small, well-defined, low-risk phase 1. Learn lessons. Take on a small, well-defined phase 2. Lather, rinse, repeat.Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com0tag:blogger.com,1999:blog-13465455.post-58771927296135047932009-03-05T10:01:00.003-05:002009-03-05T10:13:55.290-05:00Nation's First CIO Has IdM Background<a href="http://www.govexec.com/story_page.cfm?articleid=42197&dcn=todaysnews">President Obama named Vivek Kundra</a> as the nation's first CIO today. An interesting tidbit caught my eye.<br /><blockquote>Kundra also worked as vice president of marketing for Evincible Software, which provided electronic signatures and <span style="font-style: italic;">identity management</span> for financial services companies and the Defense Department.</blockquote>Evincible was acquired by Exostar back in 2004. On their site...<br /><blockquote><br />In 2004, Exostar acquired Evincible, a leader in PKI and digital signature technologies and best practices. 
The acquisition brought both proprietary technologies and leading subject matter experts into the Exostar organization, enabling us to deliver technology, policy and best practices leadership in the areas of PKI, federated identity management and physical and logical access. </blockquote>It's going to be interesting to see how his background in identity might influence what's happening in the federal IT space, and current initiatives (that seem to be lagging) to federate government agencies. Hopefully, he takes identity farther than <a href="http://hspd12.usda.gov/">HSPD-12</a> did.Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com0tag:blogger.com,1999:blog-13465455.post-87371909971644440722009-02-14T12:24:00.003-05:002009-02-14T12:39:23.296-05:00Where is the Motivation for Deprovisioning?A <a href="http://vquill.com/2009/02/self-service-de-provisioning.html">series</a> <a href="http://eternallyoptimistic.com/2009/02/05/federated-de-provisioning/">of</a> <a href="http://idlogger.wordpress.com/2009/02/07/janus-versus-vulcan-in-federated-provisioning/">blog</a> <a href="http://www.tuesdaynight.org/2009/02/05/will-the-real-federated-provisioning-please-stand-up.html">posts</a> on self-service deprovisioning in the federation world got me thinking about a simpler, albeit very real, problem with the "traditional" deprovisioning process in a company.<br /><br />Most companies that have an IdM system have two ways to deprovision users:<br /><ol><li>Emergency Termination Workflow (where a manager logs on to the deprovisioning workflow, and kicks off the termination process that disables accounts across the board)</li><li>Automated Terminations (where the IdM system keys off of HR or Payroll or some authoritative store that provides the user's status and termination date which in turn automatically disables accounts)</li></ol>The problem I've seen most companies face is with the second workflow, because the termination data is entered late, so the automated disable fires well after the person has actually left. 
So why not put a workflow together for self-service deprovisioning?<br /><br />The only problem with this approach is the lack of motivation for an end-user to run through the workflow. Perhaps completion of the workflow could be tied to something the end user actually wants, to motivate him/her to run through it. Some ideas...<br /><br /><ul><li>Severance Pay</li><li>COBRA Enrollment</li><li>Continued Communications (to enter a personal e-mail address?)</li><li>An iPhone? (seems to work for other things)</li></ul><br />I bet that this approach would solve some of the data-timeliness issues. What do you think?Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com2tag:blogger.com,1999:blog-13465455.post-12763903661934743272009-02-12T21:03:00.003-05:002009-02-12T21:17:10.454-05:00More on VDS and CacheMark Wilcox put up <a href="http://blogs.oracle.com/mwilcox/2009/01/responding_to_virtual_director.html">a post</a> responding to <a href="http://identityman.blogspot.com/2008/12/virtual-directories-and-persistent.html">my previous queries</a> about the virtues of persistent cache and virtual directories. The bottom line of my post was around performance, so Mark gives some figures for <a href="http://www.oracle.com/technology/products/id_mgmt/ovds/index.html">OVD</a>:<br /><br /><blockquote>The overhead is absolutely minimal - it's generally around 2-5 milliseconds. And worst I've ever seen is around 50 milliseconds (remember that's still only 5/100s of a second). This includes doing a join of data.<br /></blockquote>Are Symlabs, Radiant Logic and other vendors seeing the same results? Perhaps a <a href="http://www.coreblox.com/">skilled SI</a> may want to chime in? If so, then why does anyone use a persistent cache? Anyone?<br /><br />Also, Blink Technologies put the following comment on my previous post:<br /><br /><blockquote>I thought the whole point of the cache is to lighten the load against the system as a whole. 
It's a compromise of data freshness for performance. Plus the entire point of a cache is to "cache" frequently used data, of course depending on the algorithm used (LRU, MRU, etc.). I also assume that the cache is adjustable and can have specific timeouts for freshness. I think for a highly trafficked directory this is a great trade-off.</blockquote>Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com6tag:blogger.com,1999:blog-13465455.post-22383311495647096682009-02-10T14:09:00.004-05:002009-02-10T14:17:41.814-05:00Funding Doc Templates From VC = Saving $$$Brad Feld just <a href="http://www.feld.com/wp/archives/2009/02/techstars-model-seed-funding-documents.html">posted</a> a set of 5 docs entitled "Model Seed Funding Documents" that I really wish I'd had a few years ago. (It has a term sheet and subscription agreement!)<br /><br />Anyone who is going through a seed round should/must go read Brad's blog thoroughly <span style="font-style: italic;">before</span> speaking with attorneys. Educating yourself on your time rather than the attorney's could save you a ton of money. I wish all VCs were this helpful.Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com1tag:blogger.com,1999:blog-13465455.post-71121652670690769152009-02-10T06:44:00.003-05:002009-02-10T06:56:27.426-05:00Deprovision. 
We're in a Recession!Hot off the <a href="http://www.theglobeandmail.com/servlet/story/RTGAM.20090209.wrevenue09/BNStory/National/?page=rss&id=RTGAM.20090209.wrevenue09">Canadian Press</a>:<br /><blockquote>The Canada Revenue Agency has issued at least $3-million in paycheques to people who don't work there, says a new audit.<br />"Overpayments generally occur when employees leave the agency and through errors or omissions their pay is not stopped on time," says the internal report.</blockquote>I often hear something like this from identity management workshop participants: "I wonder how much payroll gives away for free because of a broken deprovisioning process."<br /><br />Me too.<br /><br />Here's a quick example I saw last week. The daily inactivation report that gets sent out to all admins from HR contains an "entry date" that is weeks, sometimes months, past the "effective date", which means every one of those accounts stayed open for that whole gap. How's that for an ROI analysis for your next identity project?Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com1tag:blogger.com,1999:blog-13465455.post-32874245975220479802009-01-31T13:47:00.004-05:002009-01-31T14:04:26.918-05:00Another Entry into the IdM Managed Services SpaceI just read an interesting <a href="http://www.solutions-daily.com/dsp_getNewsDetails.cfm?CID=548&ids=148">press release</a> this morning from <a href="http://www.watsonscs.com/index.htm">Watson SCS</a>, an IBM Identity Management SI. They've announced an off-premise managed service offering called Identity Management On Demand, boasting the following:<br /><blockquote>implementation of a simple Identity Management program can be executed in twelve weeks – about half as long as the quickest deployment of a customized solution.</blockquote>I have special interest in this area. 
(Last week, <a href="http://www.identropy.com/">Identropy</a> announced the <a href="http://money.aol.com/news/articles/_a/identropy-expands-their-managed-identity/rfid177099041">expansion of its off-premise managed identity services offering (iMIS)</a> by adding support for Novell Identity Manager.) What's interesting about Watson SCS's play is that they're opting to offer a fully managed service, hosted off-site. A few days ago, I was speaking to a colleague at another integrator who recently pulled the plug on their off-site offering, for <a href="http://identityman.blogspot.com/2008/07/idaas-identity-services-saas-ish.html">reasons I've already discussed</a>.<br /><br />Anyhow, it's great to hear more offerings in this space. It validates what we've been hearing from our clients: <span style="font-style: italic;">Why is this stuff so painful to implement and manage?</span><br /><br />Welcome to the party, Watson SCS...looking forward to seeing you out in the field.Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com5tag:blogger.com,1999:blog-13465455.post-82869624613570141952009-01-06T09:41:00.004-05:002009-01-06T10:01:22.298-05:00On Identity POCs - From a Vendor's PerspectiveI pinged <a href="http://joes-viewpoint.blogspot.com/">Joe (Nobody?)</a> on Twitter last week regarding Identity Management POCs. Joe put up a lengthy <a href="http://joes-viewpoint.blogspot.com/2009/01/iam-thoughts.html">post on his blog</a> regarding some of his thoughts from the perspective of the vendor (so it seems). 
It's always great to get thoughts on the topic from another vantage point...some great points, with my $.02 in-line:<br /><br /><blockquote>"a POC is that they are a dangerous sales activity used against a vendor rather than for it (I used to be a customer and did just that)"</blockquote>I've witnessed that before. So Joe, how do we make sure the POC stays on the right track?<br /><blockquote><br />"But a POC should not be a repeat of a demo in a customer's environment. On the flip side, a POC should not be an installation exercise based on the customer's demands.<br />A POC should be an onsite installation to show at a minimum, key use cases for the defined phase 1 and 2. Self service, HR feeds, provisioning into the key systems and de-provisioning for example. Which means Phase 1 and 2 should be defined prior. How do you know what to show if the customer doesn't know where they are going?"</blockquote><br />Use cases. I like. Tell me more...<br /><br /><blockquote>"Prove the concept. Prove the process. Prove the business improvements and solving of business needs rather than proving when you hit this button this technical thing happens."<br /></blockquote>Completely with you.<br /><br /><blockquote>"Don't prove installation, don't prove configuration, don't prove how many components it takes to do it. "<br /></blockquote>Hmm....not so sure about this one. A POC should prove business use cases <span style="font-style: italic;">as well as</span> allow the technical team to understand how it works in order to judge integration efforts and supportability...no?<br /><blockquote>"Another reason why POCs are often an embarrassing cluster is the customer's environment. I generally require, based on the customer's hardware, that I have sterile servers, patched specifically, nothing else on them and require the pre-req software installed on them before I walk in the door...What GPOs are set that is locking down a service and takes you 2 days to find it. 
Regardless of the cause, any delay is a bad impression of you and the product."<br /></blockquote>Fantastic point. I've seen POCs blow up because of a misconfigured DC, DNS problems, etc. And the vendors end up spending time troubleshooting environment problems rather than working on the actual POC.<br /><br /><blockquote>"If, as a vendor, you drive the use case creation with the customer, you will show your knowledge and leadership. You will have a controlled flow from start to finish that will make you look successful and show the customer their needs. Your time will be shorter and cost less for you. The success rate will be higher. If you miss these things, the customer will push you into a hole of broken knowledge. We are the experts, not them."<br /></blockquote><br />Well said, Joe. Nobody.
Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com0tag:blogger.com,1999:blog-13465455.post-58835151602917576992008-12-30T11:52:00.003-05:002008-12-30T12:03:21.755-05:00Poor Man's Deprovisioning
In this economy, I've been repeatedly pinged by clients on how to get more out of their existing Identity Management software investment. In other words: "I want to do all this stuff, but I don't want to buy more software, and barely want to buy any services."<br /><br />So here is an idea that came from a conversation with one of our engineers. This is for clients that own a Password Management solution only, but want to be able to deprovision users. They could create a workflow that changes the password on all target systems to a random password that no one knows. In effect, the user would be locked out of all accounts. A small program could be written to call the workflow's SPML interface (assuming it has one), driven by a nightly feed from Payroll or HR. 
No new software, barely any services, but an effective deprovisioning of accounts.<br /><br />I'm noodling on whether this would pass an audit, but I doubt it would, since the account is still active. But it would work, it would leverage the client's investment in connectors built for all target systems, and it could be accomplished in no time.<br /><br />I think it's the best thing since sliced bread, but I'm sure I'll find a new favorite tomorrow. Would this work?
Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com11tag:blogger.com,1999:blog-13465455.post-54526114031135785552008-12-25T10:26:00.001-05:002008-12-25T10:27:49.067-05:00Identity, Holidays, and a Little Marketing
<a href="http://www.novell.com/img/flash/play.php?media=http://cdn.novell.com/cached/video/bs_08/flv/north_pole_enterprises.flv">Fun</a>.<br />Enjoy!Ashraf Motiwalahttp://www.blogger.com/profile/06659523320698728171noreply@blogger.com1
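The "Poor Man's Deprovisioning" idea above, worked through as an added example (this is not code from the original post or from any identity product): a nightly pass that joins a Payroll/HR feed against an account inventory, generates a cryptographically random password for every account still held by a terminated worker, and hands each reset to the password-management workflow. The workflow's SPML interface is an assumption from the post and is abstracted behind a `submit` callable, since its real shape depends on the product; the HR feed, account inventory and the `make_recording_submit` stand-in are constructed for the example. It also carries the post's own audit caveat through the code: a rotated account is locked out but still enabled, so every success stays an open item until the account is actually disabled.

```python
"""Added example, not from the original post: nightly lockout-by-rotation
driven by an HR feed. All data is constructed; the SPML call is assumed."""
import csv
import io
import secrets
import string
from dataclasses import dataclass, field

# Constructed HR feed: one row per worker with their employment status.
HR_FEED = """employee_id,status,term_date
1001,ACTIVE,
1002,TERMINATED,2008-12-29
1003,TERMINATED,2008-12-30
"""

# Constructed account inventory: the accounts each worker owns per target system.
ACCOUNT_INVENTORY = """employee_id,system,account
1001,ad,jsmith
1002,ad,mdoe
1002,sap,MDOE
1003,ad,rlee
1003,oracle,RLEE
1003,sap,RLEE
"""


def terminated_ids(hr_csv):
    """Employee ids the HR feed marks as TERMINATED."""
    rows = csv.DictReader(io.StringIO(hr_csv))
    return {row["employee_id"] for row in rows if row["status"] == "TERMINATED"}


def accounts_for(employee_ids, inventory_csv):
    """(system, account) pairs owned by the given employees, in inventory order."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["system"], r["account"]) for r in rows if r["employee_id"] in employee_ids]


def meets_policy(password):
    """A typical target-system complexity rule; a reset that fails it is rejected."""
    return (len(password) >= 16
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def random_password(length=24):
    """Cryptographically random password satisfying meets_policy. It is generated,
    submitted and dropped: nothing in this script stores or logs it."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


@dataclass
class DeprovisionResult:
    rotated: list = field(default_factory=list)  # resets the workflow accepted
    failed: list = field(default_factory=list)   # resets it rejected; manual follow-up
    audit_log: list = field(default_factory=list)

    def open_audit_items(self):
        """The post's caveat: rotated accounts are locked out but still enabled."""
        return list(self.rotated)


def run_nightly(hr_csv, inventory_csv, submit):
    """One nightly pass. `submit(system, account, new_password) -> bool` stands for
    the hypothetical call into the password-management workflow's SPML interface."""
    result = DeprovisionResult()
    for system, account in accounts_for(terminated_ids(hr_csv), inventory_csv):
        if submit(system, account, random_password()):
            result.rotated.append((system, account))
            result.audit_log.append(f"{system}/{account}: password replaced with random "
                                    "value; account still enabled")
        else:
            result.failed.append((system, account))
            result.audit_log.append(f"{system}/{account}: reset REJECTED, manual action required")
    return result


def make_recording_submit(fail_on=frozenset()):
    """Constructed stand-in for the SPML call: records which targets were touched
    (never the secret) and simulates targets in `fail_on` rejecting the reset."""
    calls = []

    def submit(system, account, new_password):
        calls.append((system, account))
        if (system, account) in fail_on:
            return False
        return meets_policy(new_password)  # a real target enforces this as well

    submit.calls = calls
    return submit


if __name__ == "__main__":
    outcome = run_nightly(HR_FEED, ACCOUNT_INVENTORY,
                          make_recording_submit(fail_on={("oracle", "RLEE")}))
    for line in outcome.audit_log:
        print(line)
    print(f"{len(outcome.rotated)} locked out, {len(outcome.failed)} need follow-up, "
          f"{len(outcome.open_audit_items())} still enabled")
```

Two design points worth noting: the random value is never written anywhere, so a compromise of the script host does not yield the new passwords, and the rejected reset (the constructed `oracle/RLEE` case) is reported separately rather than silently skipped, since a single target that still accepts the old password defeats the whole lockout.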
