Sunday, April 5, 2009

Identity Management: Another Perspective

During the last 3-4 years, Identity Management has appeared as the next big thing in the Information Security arena: know your users, what they do, what resources they can access, how, when and why.... Quite interesting as a concept, taking into account the really fast pace at which organizations adopt new systems and maintain access control operations.

Based on the cornerstone of RBAC, IdM seems to be both the strategic and the tactical solution for user management (not to mention federation issues).

I am heavily involved in delivering an RFP response for a major institution in the region, cooperating with one of the main IdM vendors of the Gartner Group. I've got 12 years' experience in dealing with NASDAQ companies when it comes to responding to RFPs, so I'm always somewhat familiar with their internal procedures, and the heavy effort I must put in to organize chaos. I also have some experience in IdM projects, having participated myself in the biggest installation ever in the region, so this project is not something from outer space to me.

At the end of the day, it all comes down to 5 elements: business benefits, technology, project management, products and services. These elements are what the customers evaluate. So having a good vendor at your side, being able to present a straightforward solution with a corresponding methodology, and justifying your costs is the key to delivering a good response to an RFP (I leave budget aside...).

As mentioned before, I cooperated with a Gartner Group leader in IdM, a really huge (really..) company. And here is my story, which provides a fairly good explanation of how the IdM concept was originally perceived..

Setting up meetings to discuss the RFP was a real pain: 6 different representatives, from 6 different departments with -unclear to me but strongly defined- Chinese walls to prevent them from looking at each other. After the Japanese habit of collecting business cards, we started to discuss the deliverables that would make up our response, and the funny game began. Pricing for licenses is finalized by the Senior Account Manager of Technology/Financial Institutions and Healthcare only after services are finalized by the Manager of Consulting Services for Authentication/Technology Practice, EMEA; services, on the other hand, are defined only after the Technology Operations and IdM Architect Team have agreed with the VP of Sales on Strategic Accounts Management and described by the Manager of Consulting Operations for Technology. A mess... Direct channels of communication are forbidden, on the other hand, since they may violate the vendor policy.. All in all, we ended up without being able to compile a proper response.

I guess that the idea of IdM was originally perceived by a poor junior HR guy in one of these kinds of vendors who had the task of depicting their organization chart on an A3 sheet of paper, playing the game of "who is who" in a company.

My point: I don't believe in IdM, I never did. I don't believe in projects that do not solve a problem but aim to transfer the problem somewhere else. I do not believe in overestimated hypes that cannot justify their reason for existence. I do not believe in complicated technologies that miss their target, which is actually managing subjects performing access control operations on objects - and this is what IdM does not do.

My proposition: 3Ps - people, policies, procedures. Revisit the basics, hallelujah!