Is it a discussion or a lecture?
Friday, January 27th, 2012
An amusing graphic that everyone could benefit from:
Does your organization do business in Europe? Sell any products or services to EU citizens?
If so, you’ll want to watch developments regarding a refresh of the EU privacy directive. There is a proposal to turn it into a uniform regulation (at least it will be the same in all 27 countries!), but also to make it quite onerous (100 pages of text?), to make compliance more burdensome and to make incidents where privacy is compromised very expensive.
Read more here:
Official page with the proposal
My take is that compliance will get quite expensive.
– Idan
Just read this:
Looks like Microsoft is going to use Windows Update to push out a “patch” that finally drives a nail into the coffin of IE6/IE7. Hooray! The world will be a better place with that ancient piece of junk gone. Just think of all the HTML and CSS hacks that we can all retire.
It used to be that nobody in their right mind would connect mission critical SCADA systems to the Internet. That was certainly the “accepted best practice” many years ago when I used to do pen tests.
It seems that some people these days place convenience over security, and the result is predictable: hacked SCADA systems and disruption to physical infrastructure.
Attack on City Water Station Destroys Pump
Given the fun the Iranians have been having with Stuxnet, you’d think people would be smarter than that…
I just came home from San Diego, where I was at Gartner’s Identity and Access Management conference.
A good event, actually. Lots of smart people in one place, all passionate about identity and access management and sharing their real-world experiences.
One session that really struck a chord for me was Ian Glazer’s talk titled “Developing a Business-Centric Identity and Access Management Strategy.” This may seem self-serving, but it struck a chord because a lot of what he was saying was so closely aligned with what we’ve been doing here at Hitachi ID for some time.
For example, he proposes an incremental approach to identity management projects, which we also recommend. I think that’s pretty widely accepted these days. “Boil the ocean” never worked for anyone, in IT or other disciplines.
More importantly, he offers a nice, practical way to help organizations figure out how to break down their monolithic identity management objectives into bite-sized pieces. Basically, get your stakeholders to sit down together and fill in a worksheet with the following columns:
This is very similar to what we already do in workshops that we hold with customers before starting an engagement. Our terminology is slightly different, but basically it boils down to:
Do you see the similarity? It’s almost identical! Gotta love it when different practitioners arrive at the same solution.
We work with customers to collect this information and prioritize. Ian structures this stuff in a table and each row is a potential deliverable, organized into a priority sequence. Nice and clear!
But there’s more! Ian was promoting the value of an “entitlement catalog.” I’ve been convinced for some time that it’s important to assign human-legible descriptions, help links and metadata to groups, accounts, roles and other resources assigned to users. The list of these objects and their metadata is exactly Ian’s entitlement catalog.
Enough similarity? No! Ian also gives a nice and clear model of manual vs. automatic processes. He structures it as follows:
This maps 1:1 to our own terminology:
Man. A love-fest with Ian Glazer?
Well, that would be just a bit too weird, so I have to disagree with him on at least one thing!
Ian suggests that “Access Governance” should be decoupled from “Identity Administration.”
I agree with the need for almost all the functions in both of these buckets, but these two sets of features share so much data (remember the identity repository and entitlement catalog? policy stores? change history?). Whenever two products share a ton of data the natural question to ask is: “are they really two products, or just multiple features in the same product?” I think these features should actually live in a single product for just this reason. Plus customers expect connectors with their “governance” user interface and portal. Customers expect a usable request portal, approvals process and access certification with their connectors. I think customer expectations are reasonable.
That’s why our Identity Manager includes:
How is this different from Ian’s model? It’s all in a single product, with a single back-end database, a single UI and a uniform set of processes. I think the market will follow us in this integrated direction. The decoupling between “access governance” and “user provisioning” should be conceptual, not technical.
Just in time for Halloween and definitely worth a read:
https://www.grc.com/haystack.htm
I noticed an advertisement in an in-flight magazine yesterday. It was for an HP tablet. I checked the magazine - it was dated September. Just think: this ad was purchased by HP very recently, and in the very short time between advertising purchase and when I picked up the magazine, HP dumped its inventory for $100/unit and killed off the whole division.
The dichotomy between normal time-lines for print advertising and the pace at which IT companies are forced to make and execute on major, strategic decisions couldn’t have been more clearly illustrated.
Amazing.
I had the pleasure of upgrading the OS on my laptop the other day. And I use the term pleasure very loosely, because I had to move around about 150GB of data - so much fun.
Anyways, I was not surprised to see that the most recent patch level of VMware Workstation 6.5.x didn’t want to install on my new OS. That’s been my experience with VMware over the past few years - it doesn’t work out of the box on Ubuntu. Insert grumbling noises.
A Google search didn’t turn up anything, and it was a weekend job, so I just left it.
Good thing too - turns out that while nobody has published a patch to VMware Workstation 6.5.5 for a 64-bit install of Ubuntu 11.04, one of the guys at work had already done the work. He asked to remain slightly anonymous - but I’ll share his initials - JN. Nice work JN.
So in case you are reading this and wanting to install VMware Workstation 6.5.5 on Ubuntu 11.04 64-bit, please try this patch:
hitachi-id.com/largedocs/patches/vmware655onUbuntuNatty.zip
And everyone say thank you to JN for making it (a) work and (b) easy.
– Idan
I just got a demo from our engineers of an integration they completed for a higher-ed customer. The customer is using a prominent ERP for higher ed and needed to send onboarding and deactivation requests, in real time, to our identity manager. This was to be done using an SPML gateway.
The demo went great - the web services gateway does, indeed, send messages to our system to provision and deactivate students, faculty and staff in real time. Everything works nicely, especially once our guys and the customer’s team worked through crashes in the J2EE app server hosting the software that sends messages to our system.
Did I mention that J2EE sucks and major J2EE servers are crashy junk? Let’s leave that for another day.
Just one hitch: when I had a look at the message format, I discovered that while the message envelope was indeed SPML, the message body was not. Indeed, the message body was clear and human-legible, something nobody would accuse SPML of. There are plenty of sample SPML messages out there (google for SPML example if you’re curious) but the key point is that they are nasty, overburdened XML not suitable for human eyes.
Our friendly higher-ed ERP vendor clearly wanted (a) to be seen as a leader adopting standard protocols, such as SPML and (b) to deliver a developer-friendly, legible web service. (a) and (b) are not compatible, so they seem to have found a sneaky way to do both - use the header from SPML but send nice content in the body.
Nice.
We had to write a bit of custom code to parse the message body, but hey - it wasn’t anything like the spaghetti required to parse real SPML, so no complaints.
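As an added illustration (not the post’s or Hitachi ID’s code), here is how such a hybrid message can be handled: the envelope is checked against the SPML 2.0 namespace and operation name, and the vendor’s legible body under `<data>` is read as a flat set of attributes. The vendor body namespace, its element names and the sample message are assumptions constructed for the example.

```python
# Added example, not code from the post or from Hitachi ID. Parses a message whose
# envelope is SPML 2.0 but whose body is a plain, human-legible vendor payload.
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"                 # SPML 2.0 core namespace
BODY_NS = "urn:example:hypothetical-erp:provisioning"   # assumed vendor body namespace
# Assumption: this hybrid format carries its body under <data> for every operation.
ALLOWED_OPS = ("addRequest", "modifyRequest")

# Constructed sample: an SPML addRequest wrapping a legible (non-SPML) body.
SAMPLE_ONBOARD = f"""
<addRequest xmlns="{SPML_NS}" requestID="req-1001">
  <data>
    <person xmlns="{BODY_NS}">
      <id>s1234567</id>
      <givenName>Ada</givenName>
      <surname>Lovelace</surname>
      <affiliation>student</affiliation>
      <status>active</status>
    </person>
  </data>
</addRequest>"""

def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag

def parse_request(xml_text):
    """Return (spml_operation, body_attributes) or raise ValueError on a bad message."""
    # Inline DTDs are refused outright: entity expansion is the classic parser DoS.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not allowed in provisioning messages")
    root = ET.fromstring(xml_text)
    if not root.tag.startswith("{" + SPML_NS + "}"):
        raise ValueError("root element is not in the SPML namespace: " + root.tag)
    op = _local(root.tag)
    if op not in ALLOWED_OPS:
        raise ValueError("unsupported SPML operation: " + op)
    data = root.find("{" + SPML_NS + "}data")
    if data is None or len(data) != 1:
        raise ValueError("expected exactly one payload element under <data>")
    body = data[0]
    if body.tag != "{" + BODY_NS + "}person":
        raise ValueError("unexpected body element: " + body.tag)
    # The vendor body is flat leaf elements, so it maps straight to a dict.
    attrs = {_local(child.tag): (child.text or "").strip() for child in body}
    missing = {"id", "status"} - set(attrs)
    if missing:
        raise ValueError("body missing required fields: " + ", ".join(sorted(missing)))
    return op, attrs
```

A deleteRequest, whose SPML form carries no `<data>`, is deliberately rejected here; deactivation in this hybrid arrives as a body with a changed status field.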
This is the first time we’ve ever had an actual, honest-to-goodness use case for SPML at a living customer - not a demo for an analyst firm or trade show, so I thought we’d get to exercise more of the standard. I guessed wrong.
SPML *could* be used to manage security in an app, but I’ve yet to meet an app that supports inbound SPML instead of a proprietary API.
SPML *could* be used to notify a user provisioning system of events in a system of record (as happened in our deployment here), in real time, but I’ve yet to meet an application that does that using actual SPML message bodies.
I guess SPML is so ugly that a bunch of cloud vendors invented a simpler alternative - SCIM (simplecloud.info/). I don’t think there is anything particularly “cloud” about SCIM - it’s just that the people pushing it are SaaS vendors and the word “cloud” is sexy these days.
Hopefully SCIM succeeds where SPML failed - perhaps by having a clear schema and simple syntax that humans can read unaided.
Here’s to hoping.
– Idan