In my last post, we discussed how Burton Group, at their Catalyst Conference, put forward a vision where user access privileges are "pulled" at the time of use to the application or service the user wants to consume. I argued that for such a paradigm to work, entitlements and access information about users would need to be gathered and maintained across many identity stores, some from outside an enterprise, some hosted internally and others potentially within a cloud environment. I also argued that this will take more effort than it will return in value.
I also pointed out that the more realistic approach is to leverage processes and technologies that are already here now. Not everyone agrees with me. My friend and fellow New Jerseyan Nishant Kaushik at Oracle has a well-thought-out opposing view available here. Just keep in mind, when studying his architectural design, that it's held together with eight different standards and a number of open source projects. Many of these standards have not become widely adopted or accepted outside of Oracle and even compete with other well-respected standards and projects. And, oh yeah, one of his boxes has a question mark affixed to it.
I happen to have an honest intellectual difference of opinion, and would rather not see enterprises cobble their identity infrastructures together with little more than hope, baling wire, and string. I maintain that enterprises need to build identity on a sustainable, scalable identity and access management environment that is extensible enough to address potential future identity management models and standards as they arise.
Some say it's not possible and that is why we need to move to a pull model. I know it is. And I know customers doing it today with Novell's Compliance Management Platform (CMP). It's achievable because CMP integrates identity and access information with security information and event management (SIEM) to provide not only real-time insight into security events across the enterprise, but real-time identity management workflow and policy enforcement as well.
For instance, because of CMP's tight identity integration with its built-in Sentinel SIEM technology, users are no longer tracked by an IP address or individual accounts, but by their identity – as that identity moves from system to system (often referred to as User Activity Monitoring). Additionally, Sentinel intelligence can be sent back into the identity management system so that policy violations can be documented and remedied. That is, when Sentinel identifies that something is awry, it can work in conjunction with Identity Manager to create workflows designed to provide the requested access, or use Identity Manager to initiate an action such as creating, disabling or deleting accounts. This is all based on an action that’s been detected in the enterprise in real time.
Consider the following example of a user attempting to use an application or service. This user has access to the SAP ERP system, but not the Accounts Receivable (AR) module needed to create a report. They don’t yet have approval to access AR within SAP.
If SAP is properly configured, it will dispatch a security event detailing that the user is trying to access something they’re not entitled to. That dispatch would be immediately captured by Sentinel. Sentinel contains an incident handling system, so a pre-defined business process will dictate how to handle the user’s request. The reaction could very well include initiating the process to vet the user’s request against their role and security policy, and then using the IdM system to issue the formal workflow required to approve and provide access to the resource sought. Also, all steps in this process would be fully logged and auditable for compliance and security.
Another example is when a user tries to log into SAP and fails. Sentinel will work with Identity Manager to determine if they do, in fact, have an SAP account and failed at a legitimate log in. CMP can send the user an email directing him to recover his password using CMP’s Password Management system. The email may also tell the user that if he didn’t try to log in, then IT security should be notified so the incident can be investigated.
The appealing aspect of all of this is that it doesn’t require changes to any – and especially not all – of your applications as the pull model would demand. It doesn’t require a new infrastructure, nor standards that don’t yet exist or are not widely supported. Novell customers need only leverage the tools they already have in place. What is more, from an end user quality of experience perspective, it couldn’t be better. They merely go through their day, doing what they need to do, and the intelligent identity infrastructure will guide them through the processes they need – while IT management is notified of any incidents that need their attention.
Perhaps more important – in these regulatory and security conscious times – is the ability of this intelligent IdM infrastructure to enforce preventative controls. For instance, most organizations require that access be approved by a specific process and in accordance with a user’s role. Companies also are careful to enforce segregation of duties to stay on the right side of corporate security policies and Sarbanes-Oxley. Unfortunately, these controls only work if users go through the IdM system.
What happens if an administrator circumvents the IdM system and gives users an otherwise forbidden level of access? Well, if a user is given new access rights to SAP, or new entitlements expanding existing access rights, that is a security event – and that new access status would be sent to Sentinel. That access could then be properly vetted for legitimacy. Now consider a more severe situation in which a segregation of duties violation is created by access granted outside of the IdM system. In such a case, Sentinel could initiate an immediate response, such as shutting down access to both the administrator (who enabled the SOD situation to be created) and the end user. The event could then be properly investigated.
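To make the three scenarios above concrete (the denied AR access request, the failed SAP login, and the entitlement granted behind the IdM system's back), here is a small identity-aware correlation routine written as an added example. It is not Novell CMP, Sentinel or Identity Manager code, and it does not use their APIs: the event shape, the entitlement store, the SOD rule and the action names are all constructed for illustration. What it shows is the decision logic a SIEM-to-IdM integration has to make: look the event's subject up by identity rather than by account or IP, compare the observed activity against what the IdM system believes the identity should hold, and emit a workflow, a user notification, a review, or a containment action accordingly.

```python
"""Identity-aware event correlation, modelled on the scenarios in this post.

Added example, not Novell CMP/Sentinel code. Every name below (event kinds,
entitlement labels, action tuples, the SOD rule) is constructed for illustration.
"""
import copy
from dataclasses import dataclass

# Constructed IdM view of the world: which entitlements each identity legitimately holds.
IDM_ENTITLEMENTS = {
    "alice": {"SAP:ERP"},
    "bob": {"SAP:ERP", "SAP:AR"},
}

# Constructed segregation-of-duties rule: no single identity may hold both sides
# of a payables/receivables pair.
SOD_CONFLICTS = [frozenset({"SAP:AP", "SAP:AR"})]


@dataclass
class Event:
    """A normalised security event as a SIEM would hold it after identity resolution."""
    kind: str               # "access_denied", "login_failed" or "entitlement_granted"
    user: str               # resolved identity, not an account name or IP address
    entitlement: str = ""   # the resource involved, where applicable
    granted_by: str = ""    # who made an entitlement change; "idm" means via the workflow system


def sod_violation(entitlements):
    """Return the first SOD rule fully contained in the entitlement set, else None."""
    for rule in SOD_CONFLICTS:
        if rule <= entitlements:
            return rule
    return None


def correlate(event, store):
    """Map one event to the response actions a policy engine would dispatch.

    `store` is the (mutable) IdM entitlement view; grants update it so that a
    later event is judged against the identity's cumulative access.
    """
    held = store.get(event.user)

    if event.kind == "access_denied":
        if held is None:
            return [("notify_security", f"access attempt by identity unknown to IdM: {event.user}")]
        if event.entitlement in held:
            # IdM says the user should have this; the application disagrees. Worth a look.
            return [("investigate", f"{event.user} holds {event.entitlement} in IdM but was denied")]
        # Expected case from the post: start the vetting/approval workflow.
        return [("open_access_request", event.user, event.entitlement)]

    if event.kind == "login_failed":
        if held is None:
            return [("notify_security", f"failed login for account unknown to IdM: {event.user}")]
        # Legitimate account, failed login: point the user at password recovery.
        return [("email_password_recovery", event.user)]

    if event.kind == "entitlement_granted":
        held = store.setdefault(event.user, set())
        if event.granted_by == "idm":
            held.add(event.entitlement)
            return [("audit_log", event.user, event.entitlement)]
        # Grant made outside the IdM workflow: check SOD before it takes effect.
        proposed = held | {event.entitlement}
        rule = sod_violation(proposed)
        if rule is not None:
            return [
                ("disable_account", event.user),
                ("disable_account", event.granted_by),
                ("open_incident", f"SOD conflict {sorted(rule)} for {event.user} granted by {event.granted_by}"),
            ]
        held.add(event.entitlement)
        return [("review_grant", event.user, event.entitlement, event.granted_by)]

    return [("unhandled", event.kind)]


def process_events(events, store=None):
    """Run a stream of events through the engine; returns all actions in order."""
    store = copy.deepcopy(IDM_ENTITLEMENTS) if store is None else store
    actions = []
    for event in events:
        actions.extend(correlate(event, store))
    return actions


# Constructed event stream covering the post's three scenarios.
SAMPLE_STREAM = [
    Event("access_denied", "alice", "SAP:AR"),                       # needs AR for a report
    Event("login_failed", "alice"),                                   # real account, bad password
    Event("login_failed", "mallory"),                                 # no such identity in IdM
    Event("entitlement_granted", "alice", "SAP:AP", granted_by="admin42"),  # outside IdM, no conflict yet
    Event("entitlement_granted", "alice", "SAP:AR", granted_by="admin42"),  # completes an SOD conflict
]

if __name__ == "__main__":
    for action in process_events(SAMPLE_STREAM):
        print(action)
```

Two design points are worth noting. The engine only escalates to containment when a grant made outside the IdM workflow actually completes an SOD conflict; a non-conflicting out-of-band grant is recorded and routed for review rather than reverted, which matches the post's "vetted for legitimacy" step. And the entitlement store is evaluated cumulatively, so the second grant to alice is caught even though, taken on its own, it looks harmless.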
None of these capabilities is years away, and none of them requires changes to the infrastructure. They’re possible now, with off-the-shelf software that enables the creation of an intelligent identity infrastructure that is able to adjust to user requests at the time of access and understand the context of identity activities well enough to react in real time.
Follow Ben on Twitter at www.twitter.com/benatnovell