Managing IdM In Uncertain Times - 2013 Edition

Uploaded by: steve-tout
Posted on: 14-Jun-2015

DESCRIPTION

In this paper I address the top five concerns that IT leaders, architects and managers of Identity & Access Management face when managing and driving an enterprise IAM program. Many thanks to Rohit Gupta and Deepak Taneja for their reviews and comments, which helped me create a much more interesting and valuable paper.

TRANSCRIPT

Page 1: Managing IdM In Uncertain Times - 2013 Edition

A 5-step approach to managing Identity & Access Management
Steve Tout
July 2013
V002

Is now the time to hire a Director of IAM for your organization?

Page 2

“The pace of enterprise change is affecting how security and risk pros engage with the developers, users, and business stakeholders they serve. You can’t slow the pace, so you need an IAM approach that withstands extreme heterogeneity in your business infrastructure so that you can support increased competitiveness with superior security.”

Eve Maler - Principal Analyst serving Security & Risk Professionals, Forrester
Report: Navigate The Future Of Identity And Access Management

Page 3

I coined the phrase “Managing IdM In Uncertain Times” for an assessment of Identity & Access Management I wrote for VMware in 2009. To me, it means running lean while minimizing risk to the business by ensuring higher levels of customer privacy and information assurance, and operating efficiently while seeking ways to improve ROI and reduce costs through a holistic view of the IAM (Identity & Access Management) program.

This paper identifies five key challenges we face today in IAM and the mindset required to achieve extraordinary success.

Integrate Governance, Risk & Compliance – Most companies start out with an IAM program to improve manageability and streamline development by utilizing SSO and centralized administration. After some time, significant gaps can open up between GRC and Identity & Access Management that should be addressed for improved security and higher levels of assurance.

Create organizational alignment – IdM is not fundamentally a development problem. It is not exclusively a security issue, just as it is not intended to rest solely on the shoulders of operations. Align resources so that entropy does not paralyze the organization.

Evolve the architecture – Technology changes quickly, but organizations often do not adapt to the challenges as fast. Creating and using an IAM reference architecture and a 3-year roadmap will keep everyone focused on what matters, drive out redundancies, minimize risk and reduce TCO.

Rethink the platform – Most companies have a significant investment in an IAM platform that is based on an outdated model for web access management. In rethinking the platform strategy, superior security and increased business competitiveness should top the list of priorities.

Renew operational focus – An organization cannot move towards more efficient computing models like the cloud, reduce OpEx costs, increase operational efficiency or improve security without making some hard investment decisions.

Manage This

Page 4

1. Integrate Governance, Risk & Compliance

A GRC program provides critical controls and processes for any business. Governance aligns IT and the business and ensures continuing and consistent business value from the IAM program. Supporting operational GRC within IT requires an integrated set of processes and solutions that provide on-going, closed-loop monitoring, access certification, analytics, logging and alerting.

At a minimum, an integrated GRC program should be able to answer the following questions:

Are you comfortable with data tampering or a customer/employee data breach due to compliant solutions not being consistently applied across the organization?

Are you comfortable with a disgruntled employee who has recently been terminated exploiting known vulnerabilities in our data and services without your knowledge?

Are you comfortable with the knowledge that security audits and dashboard reporting systems could have incomplete data, giving false confidence?

Are you comfortable with not knowing about partner/employee data being breached at SFDC and finding out about it days later?

With programs like PRISM undermining SaaS and CSPs on practically a daily basis, are you comfortable entrusting Salesforce as the system of record for identity & authentication data for more than 400M partner users?

Are you comfortable knowing that policy audit and lifecycle management practices are not being followed, creating vulnerabilities exposed to the outside world?

Are you comfortable with the knowledge that there are inadequate and vulnerable authorization models in place as more of our compute moves to SaaS and mobile platforms?

Are you comfortable with developers and admins accessing production outside of authorized windows, or with network admins or security engineers sniffing traffic unnoticed?

How do you feel about preparing your scorecard in the context of how VMware ranks in each of these categories?

The best response to the GRC challenges we face is to create better risk awareness and to drive convergence of security, GRC, IAM, SIEM and Big Data tools that do more inspection and can correlate third-party intelligence. As a result, we achieve a more scalable and efficient model for threat management, security and identity management than was previously possible.

Be Secure

Page 5

Figure 1 (titled "Integrated GRC"): Enterprise GRC should align and integrate more seamlessly and synergistically.

Page 6

2. Create organizational alignment

Without a leader whose sole focus is IAM & security concerns there will continue to be gaps in accountability and a constant feeling of under-achievement (e.g. a feeling that we can and should be doing more!). Without a clear separation of duties, management and team members alike can spread themselves too thin, as well as develop myopic vision from too heavy an emphasis on execution at the expense of valid strategy, architecture, planning and organization.

With a proper organizational structure, there will be excellent visibility both up and across the organization, utilizing Joel Garfinkle’s PVI model for executive success. The barriers to collaboration must be demolished and a more effective approach to problem solving adopted for the greater good of the business, our shareholders’ value, and customer privacy and security.

Having one or more IAM veterans at the Director level reporting into a VP of Security or Operations will result in better visibility, a streamlined accountability and reporting structure, improved collaboration in defining and executing IAM projects and a significantly improved ability to deliver on the 3-year roadmap. As an industry benchmark, other companies in Silicon Valley have formed teams dedicated to this discipline, and VMware may learn from them as it continues to grow.

EBay - dedicated security & fraud division of over 80 people
Electronic Arts - security team responsible for internal and online assets with 20 people
BMC Software - internal security/compliance team of 5 experts and 3 directors of IAM

Be Focused

Page 7

3. Evolve the architecture

The requirements for Next-Gen Identity & Access Management are clear. Security, as well as IAM, must respond to growing business demands with solutions that address the need for scale, cloud, mobility and standards. IAM should not be viewed merely as a platform for providing security, SSO and provisioning solutions, but as a rich data source for a big data and analytics platform that can deliver insights to spur increased conversion rates and improved customer engagement and satisfaction.

IAM must continue to evolve as an enterprise shared service and continue to expand the scope of its capabilities by driving adoption of next-generation technologies to meet the needs of a mobile and cloud-driven workforce – and the customers they serve. The IAM architecture must evolve to easily integrate with cloud applications, federate with partners, support multi-factor authentication and enrich authorization and access policies.

With a focus on developing future-proof, standards-based solutions, the following simple strategic roadmap demonstrates how one might deliver a Next-Generation IAM ecosystem. The roadmap groups its items into four tracks: Scale, Cloud, Mobile and Standards/API.

Scale
• Performance optimization
• Multi-tenant scale & management (e.g. SDLC instances)
• Elastic management

Cloud
• Identity bridge for SaaS
• Identity provider for IaaS/PaaS (e.g. vCHS, SFDC)
• Hybrid cloud management

Mobile
• Mobile REST SDK
• Mobile enterprise (BYOD, MDM, MAM, and EMM)
• Mobile IAM toolkit (SDK, Gateway)

Standards/API
• Common frameworks & reusable code libraries
• SAML, SCIM, OAuth and OpenID Connect
• Common STS
• Cloud AuthZ

Be Elastic

Page 8

4. Rethink the platform

The wisdom or insanity of ripping and replacing an enterprise IAM system such as the Oracle IdM Suite cannot be rationalized without diving into the details of how the product is being used, examining Oracle’s roadmap and upgrade options, and evaluating the alternatives out there.

Web Access Management software is a mature category and has reached commodity status. As enterprise software goes, we should value it for what it is and pay accordingly. Oracle Access Manager has enjoyed a good run for over thirteen years, but it is built on a somewhat outdated model that hinges on domain-centric policy management and an agent-based architecture.

There are alternative solutions that can provide equal - if not better - capabilities for a fraction of the price (think open source here). Based on experts and executives I have spoken with, potential savings in the range of 15% - 40% year over year look to be possible. One must also factor in the costs associated with migrating from 10g to 11g, including architecture, infrastructure, operations, training and professional services, just to name a few.

In rethinking the platform, one really needs to understand the drivers and the rationale:

Are you comfortable knowing that only a fraction of the solution’s capabilities are used?

Are you comfortable using it less as more of your applications turn to the SaaS model, yet still paying the same as you were before?

Are you comfortable with the costs to replace the existing IAM growing exponentially year by year as the enterprise becomes more heavily invested in its use?

Though Oracle Access Manager has proven to be very stable and predictable, it has remained relatively static as well, without realizing any of the security, performance or functionality advancements made since 2010.

A fully rationalized architecture and a quantitative analysis of expected TCO will then yield insights into the financial model and help to identify potentially significant cost savings. At the same time, the world continues to adopt SaaS and BYOD, so the need for a modern, secure and scalable IAM platform cannot be underscored enough.

Be Open

Page 9

5. Renew operational focus

"Unless you change how you are, you will always have what you've got." - Jim Rohn

Achieving success with the next generation of security and IAM infrastructure will not happen as the result of big bang upgrades. Much depends on understanding how new solutions impact existing applications, how new requirements impact architecture and how new systems and capabilities can be deployed within VMware’s cloud operating model. Success will be measured by the ease with which solutions achieve the most common coexistence and migration scenarios, as well as the ability to realize value from the 3-year roadmap.

Additionally, success will not be possible without training Sr. Managers and Tech Leads in Operations on how to monitor, maintain and support the new systems and processes that will be implemented as a result of executing against the 3-year roadmap.

Installing a Leader or Director of IAM will add significant advantages in achieving success and in effectively managing all of the challenges mentioned in this paper. He or she would provide guidance to the Operations group while executing on the 3-year roadmap, such as:

Guidance on end-to-end SSO scenarios such as enterprise to cloud, cloud to enterprise, cloud to cloud and mobile enterprise, and how to support the use cases

Guidance about how authentication, authorization, account provisioning and governance work in the web services world

Governance, analytics and audit for user/partner/employee identity and entitlements across on-prem, SaaS and mobile applications for privacy assurance and risk management

Guidance and support for leveraging CMDB and ITSM for managing IAM in a hybrid cloud environment for operational efficiency and scale

Integration of IAM and SIEM systems to improve user/role management, enable real-time risk and audit capabilities for threat and compliance management and prevent APTs

Now is as good a time as ever to re-think VMware’s IAM platform and strategy to potentially realize cost savings of 15-40%, which would bring the opportunity to modernize the platform with advanced technologies such as Identity Analytics, Big Data and Integrated GRC for superior security and a competitive edge.

Be Adaptable

Page 10

Additional reading and list of references

Do You Need An Identity Officer? - http://blogs.kuppingercole.com/kearns/2013/07/02/do-you-need-an-identity-officer

Leadership, not Process, is the Keystone of Innovation - http://www.innovationexcellence.com/blog/2013/07/13/leadership-not-process-is-the-keystone-of-innovation

Moving Towards Proactive & Holistic Security - http://blog.identropy.com/IAM-blog/bid/47519/Moving-Towards-Proactive-and-Holistic-Security

The Impact of Total Cost of Ownership in IAM Investment Decisions - http://www.novell.com/docrep/2010/11/rencana_novell_iam_tco_report_methodology.pdf

ITIL V3 and IAM Governance: the PBR Model - http://blog.identropy.com/IAM-blog/bid/62180/ITIL-V3-and-IAM-Governance-the-PBR-Model

The PVI Model - http://www.garfinkleexecutivecoaching.com/downloads/getting-ahead/The-PVI-Model.pdf

Dismantling Your Legacy Identity Management - http://www.stevetout.com/oracle-idm/dismantling-your-legacy-identity-management

Forrester Research: Navigate the Future of Identity and Access Management - http://www.forrester.com/Navigate+The+Future+Of+Identity+And+Access+Management/fulltext/-/E-RES61625

Be Curious