IdM Journal

HOME EVENTS RESOURCES NEWSLETTERS IDENTORATI ABOUT

A Journal of
Identity Management

Departments

Home
Events
Resources
Identorati
Newsletters

Dave Kearns'
IdM Newsletter
from Network World

User provisioning: right access to the right people

Provisioning's efficacy is not limited to employees; it can be used to manage access to business systems for contractors, partners and customers

Last issue we touched on a new definition for identity. Today I'd like to present the definitive view of the first, both historically as well as in the context of adding identity and access management (IAM) to your organization. User provisioning has been called the "killer app" for identity management. It started us down the road to IdM over a dozen years ago. In fact, we almost take it for granted today. But what does it involve, what does it imply, and why does it matter?

Ian Glazer and Kevin Kampman of the Burton Group (now part of Gartner) issued a paper just before Christmas called "Roles and User Provisioning", which unfortunately is behind a paywall. But if you're a Burton (or, presumably a Gartner) client you should have access to it. I don't want to get into roles just now (we'll eventually get back to that subject, though, as we continue to review the fundamentals). But Glazer and Kampman present provisioning in a succinct, yet complete, definition that goes like this:

"Ensuring that the right people get access to the right business resources at the right time, provisioning is the enterprise plumbing that promotes productivity and reduces enterprise risk.

Provisioning primarily occurs at three critical points in an employee's relationship with the enterprise: when the employee joins, changes jobs within, and leaves the enterprise. In the first of these, known as onboarding, provisioning sets up employees with access to business systems that have capabilities appropriate to each employee's job function. It is imperative that an employee starts on Day One with all of the business resources needed to be productive. Delays in receiving access means lost productivity. When an employee transfers from one role to another within the enterprise, provisioning removes access to business systems that is no longer needed -- thus reducing the risk that the employee will be able to use that access inappropriately -- while doling out new access the employee needs to be productive. Finally, when an employee leaves the enterprise, provisioning removes all access, thus reducing the risk that the employee can access business systems after separating from the enterprise.

Provisioning's efficacy is not limited to just employees; it can be used to provide and manage access to business systems for contractors, partners and even customers. A well-run provisioning process takes the manual effort and guesswork out of granting the right access to the right people."

And, really, that's it in a nutshell: granting the right access to the right people. Make sure your processes have all three parts: on-boarding, transforming (or moving) and de-provisioning. From a security standpoint, the latter two are more important than the first.

Join me when I talk about provisioning in a Webinar next Tuesday.

Subscribe to this and other newsletters.

The 'game' of identity

A look back at an early identity-based application

Back in the day when personal computers where starting to become commonplace, the various machines (Commodore VIC-20, Atari, TRS-80, Apple I and others) each had its own operating system. Software could only run on one machine, which meant there were few choices and high prices. But what they all had was built-in BASIC, the programming language. Most had a BASIC interpreter, but the IBM PC came with a BASIC compiler (showing, I guess, that it was intended for bigger and better things).

It struck me the other day that it was back then, on my old VIC-20, that I first encountered an identity-based application. It was a game, written in BASIC that had to be typed in to the computer called "Animal." The game (and you can see the code here) purported to be a "guessing" game where the computer guessed the name of an animal you were thinking of. It did this by asking a series of yes/no questions and following a decision tree to an endpoint. Then it would ask, for example: "Are you thinking of an elephant?" If you answered "No" it would ask what animal you were thinking of (say, a camel) and what question would differentiate it from an elephant ("It lives in the dessert"). It thus built up a series of attributes which -- taken together -- identified a particular animal.

That's not so very different from how we identify people.

It's been a while, so it might be a good time to try -- once again -- to define "identity". What follows is my thinking, but as always, I'd like to hear what you have to say.

An "identity" is a description of a thing. That is, a list of descriptors, or "attributes," one or more of which (when grouped together) constitute a unique identifier for that entity within a given domain. The descriptors may be subjective (name, favorite music, religion and so on) or objective (sex, race, ability to dance, fingerprint and so on). Objective identifiers can be tested for, subjective ones cannot. A disinterested third party, for example, could pick out "everyone with black hair" from a lineup, but could not pick out "everyone who preferred cats to dogs."

Subjective identifiers (which includes account numbers, usernames, passwords and so on) can be vouched for by third-party identity providers, the basis for so-called user-centric identity schemes. Objective identifiers might be used by those identity providers as a way to validate an entity's identity.

That doesn't seem particularly deep, overly simple or lacking in any major way. But, if I'm headed down the wrong path, please enlighten me!

PRESS RELEASES
NEWS OPINION

Latest Headlines
Monday, Feb 8

Another Way to Support Access Compliance
Bob Craig, Courion
Dave is absolutely right regarding these benefits, but there are a few other benefits he didn't discuss that are worth pointing out in more detail. more

How much security do we need?
Martin Kuppinger
My colleague Jörg Resch blogged today about the ignorance regarding layered security approaches. Yes, there is no absolute security. Security is something which is tightly related to risk. Given that we can’t have the perfect security, especially not with people using systems, it’s always about the balance between the security-imposed risk and the cost of risk mitigation. more

IAM can be used in many ways, claims expert
Steven Gaskill, ihotdesk
The group suggested that a firm's web proxy can also act as a security awareness tool, by redirecting users to an internal page which explains why a certain website is blocked, rather than just denying their access. more

Lieberman Software and Heritage Global Solutions Partner to Deliver Privileged Identity Management Solutions
EON
Privileged identities are accounts such as administrator and root accounts that hold elevated permission to access files, install programs, and change configuration settings. These accounts exist on nearly every server and desktop operating system, business application, database, Web service, and network appliance in an enterprise. more

Gemalto buys mobile authentication firm Valimo
Reuters
French smart card maker Gemalto (GTO.PA) has acquired Finnish mobile authentication startup Valimo Wireless, tapping into the surging market for mobile financial services. more

Some still don’t get it!
Bavo Deridder
Then they kind of messed up. For my convenience and to make sure I would be able to use their shiny new site to buy lots of international train tickets they included my password. Yes, you read that right, they mailed me my password. Without me asking for it. more

If you have the same problem for a long time, maybe it is a fact not a problem…
Shlomi Dinoor
A quick recap: Problem – weak passwords = hacking made easy Root cause – us, the (lazy) users Solution – replace us, the (lazy) users Problem solved, moving on! more

Identification through “Social Pattern Recognition”
Joerg Resch
The combination of memberships to different groups seems to be nearly as unique as a fingerprint. According to a paper they published (their server is overloaded at the moment, you may need to try again later), this kind of identification through pattern recognition works with most large social networks, like Xing, Linkedin, Facebook etc. more

AuthenTec Inc. dismisses rival's merger bid; alleges patent infringement
Richard Burnett, Orlando Sentinel
AuthenTec, which makes fingerprint-recognition systems for consumer electronics, called the overture by UPEK Inc. "a highly dilutive and speculative transaction" that is not in the best interests of its shareholders. more

All NHIN identity management is local
# Lorraine Fernandes
But while the NPI supports Medicare and Medicaid payments, it does not address broader provider identity management challenges that will become more critical as health information exchange (HIE) evolves and the nationwide health information network (NHIN) begins to spreads its roots. more

SPML Is On Life Support ….
Mark Diodati
The primary goal of SPML is provisioning without the use of proprietary connectors. The reality is that SPML is not currently viable for building useful, standards-based provisioning services because it is too complex and places too much of a performance burden on the connector. more

A Project Manager’s Take on Initiating an Identity Management Program
Clint Finch, Identropy
Ideally, my life as a PM of an IAM project starts where the IAM workshop leaves off. I am handed the organized findings of the workshop that include business drivers, use cases/general requirements, a high level architecture and Identity Management roadmap. My first order of business is always challenging: to orchestrate interview sessions with client stakeholders in order to create an RTM, or Requirements Traceability Matrix. more

Federated identity graphic (SAML, OpenID, WS-*, more…)
Jonathan Sander
Every major identity project I’ve come upon in the last 6 months has had a “federation” component. Some are looking to ease bringing in new users via M&A. Some are thinking about people visiting their public websites. The only thing they all seem to have in common is they are all very confused about their options. more

Expanding on the Oracle-Sun IdM Strategy
Nishant Kaushik.
Throughout this acquisition, Oracle’s focus is on the customer. We want to make sure that customers continue to remain successful in their projects, and get value from the investments they have made. more

Internet Banking-Related Security Suit – A Case of Man Bites Dog
Matthew Gardiner
While I certainly can't pretend to sit in judgment on this particular case, since likely only some facts are on the table, the case provides a good framework to discuss the key issue of what is a commercially reasonable level of security and who is primarily responsible for online security. more

The risk of costs
Martin Kuppinger
That is why Risk Management should be a standard and central element in management, as well for business as IT. more

Sun IDM is dead
Jackson Shaw
We (Oracle) won. We (Oracle) are the strategic choice. In order not to cause panic we’re going to say that we’re going to continue to invest in the Sun product line. If you were an employee your new title would be “Director, Special Projects”. more

How to Keep Mobile Cloud Data Safe
Brian T. Horowitz, Enterprise IT Planet
To combat loss or theft, you need multifactor authentication on the mobile device. Two- or three-factor authentication is important, agreed Barber. In addition to a username and password, a third piece of information — often a challenge question — is required for a particular device. This is a one-time process per device, he said. This extra step in the authentication process helps guard against phishing attacks. more

Jericho Systems Selected to Provide Attribute-Based Access Control (ABAC) Solution for U.S. Army
Business Wire
Jericho Systems Corporation...today announced that it has been selected by the Army’s Service-Oriented Architecture Foundation (SOAF) to provide a long-term ABAC solution for production services across Army operational units. more

Considerations for an Identity Management Initiative in 2010
Frank Villavicencio, identropy
It is clear that identity and access management systems are, more than ever, critical parts of any IT infrastructure. Organizations will always need to grant application and system access to those who need it and eventually remove that access once it is no longer needed. This is a recession-proved observation. more

CertiPath Launches Trusted PACS Service
PRNewswire
Government agencies, transportation portals and many private sector companies are between a rock and hard place: required to meet stringent security mandates -- such as HSPD-12 -- but constrained by expertise, resources and time. more

idOnDemand, ChosenSecurity partner
SecureIDNews
The two companies have developed the SmartID. The combination allows for a complete solution for enterprises. more

Oracle and Sun– the Acquisition is Done. What’s Next for IAM?
Earl Perkins
Let’s review again just what this may mean for the IAM industry, as time has passed since the first announcements in April 2009 and the market continues to evolve. Now that this acquisition is all but a certainty, what does this mean for IAM choices? more

Access Management: How To Authenticate Users
David Ting, Business Computing World
Securing the firewall was previously top of the CISO agenda, but today, securing internal access to applications by employees is equally important. Internal and external regulations exist to protect personal data and restrict employee access to information. As a result, staff are often required to input multiple passwords a number of times each day. more

Microsoft, Novell collaborate on LDAP access to SharePoint
David Worthington, SD Times
The solution, which will ship in March, adds a service component to Novell's Access Manager identity management system to federate identities to SharePoint, said Joshua Dorfman, Novell's senior director of global partner marketing. more