
IAM Assets Often Overlooked in the Enterprise

After reading very interesting posts by Earl Perkins at Gartner, an article from Deloitte on financial institutions making Identity and Access Management (IAM) their #1 priority, and my friend Nishant Kaushik's recent series on Federated Provisioning and the Cloud, which is brilliant and thought provoking (nicely done, Nishant), I felt compelled to chime in.

Having drunk the identity assurance Kool-Aid for way too long, I can't help but think about IAM in terms of risk and assurance levels, the yin-yang balance, so to speak. So, before thinking about automating and deploying technology, I wonder what kind of risk is being mitigated and what kind of investment is warranted to provide the right level of assurance. In reaching equilibrium, one will inevitably follow the path of maximum value at the lowest possible cost.

So, with that thought in mind, I have been considering "lazy" assets that often exist in the Enterprise. They have significant potential to help organizations derive higher levels of assurance without significantly increasing cost, and they can also add greater value to IAM initiatives.

Notwithstanding the great thoughts of Earl and Nishant, here are three examples of such assets, and my attempt to illustrate their use in real life.

User Activity Logs

I referred to this in prior blogs dealing with the topic of identity activity monitoring. The point here is to think about how one could utilize information collected from system or application logs, particularly if they contain traces of identity that can be used to link activity to a human being.

With the maturity and pervasiveness that SIEM technologies have nowadays in the Enterprise, deriving value from correlating and reporting on this data (whether near real-time or historically) is relatively simple and inexpensive. This information can prove crucial in increasing visibility into day-to-day risks such as insider threats, segregation-of-duty violations, activity from terminated accounts, and other undesirable scenarios that would normally fly under the radar of traditional IAM infrastructures.
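As an added example (not part of the original post), the script below shows the kind of correlation described above over a few constructed log lines: it joins the identity found in each log record to an HR roster to flag activity by terminated accounts, and it checks the entitlements each identity actually used against a segregation-of-duties rule. The log format, the roster, and the SoD rule are assumptions made for illustration.

```python
"""Identity activity monitoring over application logs (added example, not from
the original post). Constructed data: an HR roster with termination dates, one
segregation-of-duties (SoD) rule and a few log lines; format and names are assumed."""
from datetime import datetime, timezone
import re

# Constructed HR roster: identity -> termination date (None = still active).
HR_ROSTER = {
    "jsmith": None,
    "mlee": datetime(2010, 3, 31, tzinfo=timezone.utc),
    "rpatel": None,
}

# Constructed SoD rule: the same person must not both create and approve payments.
SOD_CONFLICTS = {("payments.create", "payments.approve")}

# Assumed log format: "<ISO8601> <app> user=<id> action=<verb> [perm=<entitlement>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<app>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: perm=(?P<perm>\S+))?$"
)

SAMPLE_LOGS = [  # constructed sample lines
    "2010-04-02T09:15:00+00:00 erp user=mlee action=login",
    "2010-04-02T09:16:10+00:00 erp user=jsmith action=use perm=payments.create",
    "2010-04-02T09:40:00+00:00 erp user=jsmith action=use perm=payments.approve",
    "2010-04-02T10:01:00+00:00 erp user=rpatel action=use perm=payments.create",
]

def parse(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def find_violations(lines, roster=HR_ROSTER, sod=SOD_CONFLICTS):
    """Return (activity by terminated identities, SoD violations) seen in lines."""
    terminated, perms_used = [], {}
    for rec in filter(None, map(parse, lines)):
        term_date = roster.get(rec["user"])
        if term_date is not None and rec["ts"] > term_date:
            terminated.append((rec["user"], rec["ts"].isoformat()))
        if rec["perm"]:
            perms_used.setdefault(rec["user"], set()).add(rec["perm"])
    sod_hits = [(u, a, b) for u, ps in perms_used.items()
                for a, b in sod if a in ps and b in ps]
    return terminated, sod_hits
```

In a real deployment the roster would come from the HR feed and the lines from the SIEM; the same join also surfaces accounts with no HR record at all, which is worth treating as a third finding.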

We see this as a clear trend that is here to stay. More and more customers in different industry verticals (from energy to financial services) are gravitating toward identity activity monitoring as an important part of their IAM initiative. And based on our insight, the benefits make for a great business case.

Employee Identity Proofing (à la US Form I-9)

I touched on this point within the context of a two-part blog posting regarding identity assurance in everyday life. In the US, the Employment Eligibility Verification Form I-9 constitutes a great identity proofing mechanism, yielding (for the most part) an Assurance Level 4 (AL4) compliant verified identity in accordance with the Kantara Initiative Identity Assurance Framework (as well as NIST SP 800-63).

I realize that this statement is a controversial one since many would argue that the form I-9 verification process is inconsistently followed and audited. This inconsistency was a precursor to the work being led by NASPO, specifically by Graham Whitehead. However, many organizations enrich their employment verification process with "know-your-employee" checks that help them meet high-risk mitigation and compliance requirements. This is particularly true in regulated industries such as financial services, healthcare, pharmaceutical, and aerospace and defense. Hence, I argue that this high-quality identity proofing constitutes a valuable asset to the organization.

For instance, this proofed identity could be leveraged in some instances to issue AL4 credentials. Examples include credentials issued within federations such as CertiPath in the aerospace and defense industry, SAFE-BioPharma in the bio-pharmaceutical industry, or by other credential issuing authorities cross-certified with the Federal Public Key Infrastructure (FPKI) Policy Authority.

There are multiple benefits that an organization can derive from using these credentials, whether within its firewall or outside it. For example, in the biopharmaceutical industry, paperless R&D is achievable by leveraging legally accepted digital signatures that comply with the SAFE-BioPharma standard. These signatures are accepted by the FDA for eSubmissions, by the US Patent Office, and within the EU as legally accepted in conformance with the Electronic Signature Directive (1999/93/EC). Therefore, significant value can be derived from the use of these credentials, which can be issued by leveraging the high-quality-identity-proofing asset the organization had to perform anyway.

Similar examples can be found in other industry verticals, such as the KYC (Know-Your-Customer) standard in banking, which conforms to US PATRIOT Act requirements. Hence, if one can verify that an individual is the holder of a DDA (demand deposit account), this could be evidence of an antecedent high-quality identity proofing, which can be leveraged to issue a high-assurance credential. This could be an effective and scalable approach to proofing the identity of non-employees (i.e., contractors, vendors, suppliers). In this case, the organization could leverage the fact that an individual has a DDA account as a lazy asset (created by banks) to streamline and increase the assurance of the identities of non-employees with whom it interacts.

Employee and Non-Employee Data

Another approach to minimizing risks and increasing identity assurance in the Enterprise is leveraging existing data about active or departed individuals, whether employees or non-employees. The idea here is to leverage information that has already been captured and used about individuals to mitigate risks at the point of entry (i.e., on-boarding, registration).

I was introduced to this concept in 2007, through what is known as NORA (Non-Obvious Relationship Awareness). This technology mines data sources to determine relationships between people. As Tim O'Reilly explained, it has applicability in various real-life scenarios. I later had the chance to meet Jeff Jonas at a presentation on the topic of identity resolution. I was really amazed by the power and applicability of this approach. It leverages existing data assets that organizations may already have (but may not be leveraging in this way) to detect potentially risky individuals based on known data traces that indicate high risk.

Rumor has it that NORA was the technology used to catch the MIT Blackjack Team. For those who don't know them, they're a group of students and alumni from the Massachusetts Institute of Technology, Harvard Business School, Harvard University and other leading colleges who used card-counting techniques and more sophisticated strategies to beat casinos at blackjack worldwide. This was the inspiration for the movie "21". Some believe this approach is being leveraged by intelligence agencies worldwide in fighting terrorism and organized crime.

NORA or NORA-like technology has matured and is available today, allowing organizations to easily determine whom to let in and whom to be wary of. Scenarios that immediately come to mind include re-hires, employee-to-contractor moves and vice versa. Organizations can look back in history to determine if the same individual (or someone closely related) committed fraud, was fired for cause, or had some sort of "unpleasant" departure. At a minimum, having the ability to detect and handle these cases as exceptions could significantly help the organization mitigate possible risks by leveraging information assets it already has.

These are just three, poorly digested examples of how "lazy" assets that most organizations already possess can be leveraged to derive more value in IAM today, at a nominal cost. This approach can prove beneficial given the budget-constrained, fraud-riddled times we live in.

I am most interested in your comments.

Advantages of a Hybrid Co-Sourced IDaaS Model

Earlier this year, I published a blog article entitled Approaches to Identity-as-a-Service (IDaaS) for Enterprise Identity Management. In this article, I will focus on the advantages of one of the approaches discussed there: co-sourced IDaaS (a.k.a. identity management co-sourcing), and, more specifically, the third model, "Hybrid: on-premise and in the cloud".

Motivation

So, why focus on this hybrid co-sourced IDaaS model? I predict this model will become the de facto approach to Identity and Access Management (IAM) in the future (in two years or so). Here's why:

  1. It provides an approach that is more palatable to the organization. It neither moves everything to the cloud nor turns everything over to a Managed Identity Service Provider (MISP). Rather, the organization will have options for how many, and which, services can be migrated to the cloud. This will resonate better with risk, security and compliance officers, who may have some reservations about the migration. It gives them time to get more comfortable with the MISP.
  2. The model allows for more flexible integrations with internal identity assets, such as Active Directory or HR databases, which might not even be exposed to the cloud due to risk concerns. Having an on-premise footprint alleviates these concerns, and provides for an enforcement point in which data can be filtered, secured and transmitted with the appropriate level of risk mitigation. Likewise, this approach avoids the undesirable side effect of exchanging data files (typically via batch), which then increases the risk of data being leaked. The on-premise footprint (or appliance) can implement a message-driven data exchange model with the internal Identity repository and with the cloud-based Identity service.
  3. From a connectivity standpoint, the on-premise footprint (i.e., the appliance) provides secure communication with the Identity service through the public or private cloud. It may provide caching and queuing to increase the reliability and responsiveness of the service and build high-availability and load-balancing logic, making it easy to determine with which Identity service to connect (provided the Identity service is deployed in a highly-available and hot-swap disaster recovery architecture).
  4. Architected properly, it allows the MISP to scale its managed service model by funneling existing and new services to the same client through the existing architecture. In other words, adding a role management service onto an existing user provisioning service would not require deploying another appliance or opening new ports in the organization's network. The on-premise appliance would be able to syndicate these services transparently. This translates to less overhead for the organization (no additional burden on IT or the auditors) and for the MISP (no additional appliances and no re-architecting needed).
  5. It still achieves the goal of simplifying and reducing the IT footprint that the organization would need to deploy and maintain.

The Business Side

From the organization's standpoint, the co-sourced IDaaS model, in general, can alleviate the need for:

  • selecting, purchasing, and depreciating IAM technology
  • building, maintaining, and operating the IAM infrastructure
  • customizing and integrating various products
  • staffing, training, and retaining personnel to manage the IAM environment.

All this immediately translates to cost savings.

The MISP is responsible for building, integrating, deploying, and operating the Identity service that suits the organization's requirements. This approach reduces upfront costs (no need to procure hardware and software, or to pay their respective maintenance annuities), which are now blended into the managed service "lease." Likewise, by not having to recruit, train, and retain specialized staff to operate the environment, the model expedites deployment timelines and reduces operational costs and risks to the organization.

In this approach, the MISP is involved in the delivery of the IAM solution, which is then governed by established parameters and service standards (i.e., SLAs). Whether it's hosted on premises or outsourced (in the "cloud"), in the end the organization sees immediate and measurable value for the services it purchases, in a predictable and simpler manner.

For the MISP, the need to reduce the implementation timeline and create a repeatable model forces it to streamline the deployment process and ensure that it is done with such quality that its operation after deployment requires minimal involvement. In the end, these elements accelerate time-to-value. In a past blog post, I discussed time-to-value as one of the key points to consider in any IAM initiative. It is a metric that is often overlooked; all else being equal, you should look to shorten time-to-value for the organization.

The MISP will be motivated to shorten and streamline implementation so clients can consume its Identity service(s) much more quickly. Clients will also be able to scale operation and profit from the MISP's efficiency. This distinct synergy in the co-sourced IDaaS model is worth noting: both parties, the organization and the MISP, are motivated to reduce the time it takes to be up and running. This is why we believe that this deployment model will succeed, as it aligns more closely with the interests of the parties involved.

[Charts: Comparing Co-Sourced IDaaS vs. Traditional IAM]

The charts compare, at a very high level, the typical flow of value and cost over time in the two models, and illustrate why the co-sourced IDaaS model will exhibit a shorter time-to-value.

Furthermore, for current IAM initiatives, there is no longer room for soft ROI; hard dollars are king. Organizations need to think about how to measure value and ROI from IAM. We see that in a co-sourced IDaaS model these metrics can be easily tracked and gauged at any given point in time.

Organizations can also benefit from implementing chargebacks from IT to other internal organizations to effectively determine TCO, and possibly ROI, and from shifting their expenditure from capital to operating expense.

In the end, from a business standpoint, the MISP and the organization engage in a long-term contractual relationship, jointly committed to successfully operating an environment with tight controls on scope and complexity.  The net result is that the client measures value immediately and continues to see value on an ongoing basis, through relatively simpler and more transparent metrics.

I hope these points are thought provoking. Your comments are most welcome.

Identity Management Cost Savings Quantified

IT managers and executives alike are seeking ways not only to cut costs but also to improve their business processes. Replacing manual steps with automation can reduce time lost by administrators and employees alike.

Just think about the amount of time tech support spends on changing passwords, or the amount of time it takes an administrator to provision (create new accounts for) newly hired employees across multiple target systems. How about determining what accounts and permissions a new hire should get? That's right, all of these things can be automated based on business rules. Not only is this really efficient, but it's a serious money saver.

The following is a typical cost savings example for an organization with 10,000 users:


Total number of users: 10,000

Item                                                     Current cost   Reduced cost   Notes
Productivity lost by new users waiting for access        $1,200,000     $240,000       10% turnover; 5 days (manual) vs. 1 day (automated) user creation; $60k/yr value of productivity
Productivity lost by current users waiting for changes   $1,200,000     $300,000       1 change/user/year; 4-hour wait time reduced to 1 hour
Direct cost of security administration                   $480,000       $240,000       8 administrator FTEs reduced to 4
Total                                                    $2,880,000     $780,000
Total savings per year                                                  $2,100,000


How Deprovisioning Could Save you Millions

Hot off the Canadian Press:

The Canada Revenue Agency has issued at least $3-million in paycheques to people who don't work there, says a new audit.  "Overpayments generally occur when employees leave the agency and through errors or omissions their pay is not stopped on time," says the internal report.

If the Canada Revenue Agency had an automated deprovisioning process in place that would automatically and appropriately remove/disable access to all systems and applications, these losses could have been avoided. 

How much is your organization losing every year due to a broken deprovisioning process?

