EIC2010 – 5 Quick Wins to Leverage Your Existing Identity Infrastructure Through Convergence (Martin Kuppinger)
Why look at Quick Win potential?
- Pressure on IT budgets
- IT lacks credibility in delivering on IT projects; success has to be visible
- Politics
- Small steps are easier to control
There might be a price to pay:
Pro: Less risk, smaller projects, smaller investments
Contra: Risk of strategic non-alignment (e.g. data leak protection by blocking USB keys, which treats the symptoms rather than the problem); interfaces and integration (with a small number of provisioning systems the complexity of the single system is high but integration is simple; with many systems the single system is easy but integration complexity is high. Where is the right point between the two?)
1. Add Access Governance
- Approach: Focus on attestation and recertification
- Value: Improved Auditing, Risk Mitigation
- Strategy: Full Access Governance, integrated Enterprise/IT GRC
- Risk: Too IT-Focused
2. Add PAM (Privileged Access Management)
- Approach: Deploy a PAM solution
- Value: Risk Mitigation, Policy Compliance
- Strategy: Beyond PAM to “integrated PAM”, PAM as part of “information security”
- Risk: Non-integrated solution, point solution which leaves too many leaks
3. Virtualize Identities (virtual directory services)
- Approach: Build a virtual identity infrastructure by deploying Virtual Directory Services
- Value: Standardized Security, reduced cost (one API to program against), Risk Mitigation, Policy Compliance (esp. with German data protection laws)
- Strategy: Next-gen AuthZ concepts (beyond RBAC to ABAC), Application Security Infrastructure (no hard-coded security anymore)
- Risk: Acceptance
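To make the “one API to program against” and “no hard-coded security” points concrete, here is an added example (not from the talk or from any product mentioned): a small virtual directory that joins two constructed backend sources on the user id, and an attribute-based policy decision point evaluated against the merged identity. All user data, rule names and resource attributes are invented for the example.

```python
"""Added example: virtual identity layer with ABAC on top of it.

Two constructed backends (an HR system and a corporate directory, both
stand-ins, not real products) are exposed through one lookup API, and the
application asks a policy decision point instead of hard-coding group checks.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed backend data: what two separate directories might hold.
HR_SYSTEM = {
    "jdoe":   {"department": "finance", "country": "DE", "employment": "active"},
    "bchen":  {"department": "finance", "country": "DE", "employment": "active"},
    "asmith": {"department": "finance", "country": "US", "employment": "terminated"},
}
CORP_DIRECTORY = {
    "jdoe":   {"groups": ["finance-users"], "auth_level": 2},
    "bchen":  {"groups": ["finance-users"], "auth_level": 1},
    "asmith": {"groups": ["finance-users"], "auth_level": 1},  # group never cleaned up
}


@dataclass
class Identity:
    uid: str
    attributes: Dict[str, object] = field(default_factory=dict)


class VirtualDirectory:
    """One lookup API over several backends; records are joined on the uid.
    Later sources override earlier ones on attribute clashes, so the most
    authoritative source (here: HR) is registered last."""

    def __init__(self) -> None:
        self._sources: List[Callable[[str], Optional[dict]]] = []

    def add_source(self, lookup: Callable[[str], Optional[dict]]) -> None:
        self._sources.append(lookup)

    def get(self, uid: str) -> Optional[Identity]:
        merged: Dict[str, object] = {}
        found = False
        for lookup in self._sources:
            record = lookup(uid)
            if record is not None:
                found = True
                merged.update(record)
        return Identity(uid, merged) if found else None


# ABAC: a rule is a predicate over (subject attrs, resource attrs, action, env).
Condition = Callable[[dict, dict, str, dict], bool]


@dataclass
class Rule:
    name: str
    effect: str        # "permit" or "deny"
    condition: Condition


class PolicyDecisionPoint:
    """Deny-overrides combining: any matching deny wins; default is deny."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def decide(self, subject: dict, resource: dict, action: str, env: dict) -> str:
        matched = [r for r in self.rules if r.condition(subject, resource, action, env)]
        if any(r.effect == "deny" for r in matched):
            return "deny"
        if any(r.effect == "permit" for r in matched):
            return "permit"
        return "deny"


RULES = [
    # The HR lifecycle attribute wins over any group still lingering in the directory.
    Rule("inactive-employee", "deny", lambda s, r, a, e: s.get("employment") != "active"),
    # Writes to finance data require the stronger authentication level.
    Rule("strong-authn-for-write", "deny",
         lambda s, r, a, e: a == "write" and int(s.get("auth_level", 0)) < 2),
    # Finance staff may read and write finance-classified resources.
    Rule("finance-department", "permit",
         lambda s, r, a, e: r.get("classification") == "finance"
         and s.get("department") == "finance" and a in ("read", "write")),
]


def authorize(vd: VirtualDirectory, pdp: PolicyDecisionPoint, uid: str,
              resource: dict, action: str, env: Optional[dict] = None) -> str:
    """What the application calls instead of inspecting groups itself."""
    identity = vd.get(uid)
    if identity is None:
        return "deny"
    return pdp.decide(identity.attributes, resource, action, env or {})


def hard_coded_check(uid: str) -> bool:
    """The anti-pattern: a group check baked into the application."""
    return "finance-users" in CORP_DIRECTORY.get(uid, {}).get("groups", [])


def build_demo():
    vd = VirtualDirectory()
    vd.add_source(CORP_DIRECTORY.get)
    vd.add_source(HR_SYSTEM.get)   # authoritative for lifecycle, so added last
    return vd, PolicyDecisionPoint(RULES)


if __name__ == "__main__":
    vd, pdp = build_demo()
    ledger = {"classification": "finance"}
    for uid, action in [("jdoe", "write"), ("bchen", "write"), ("asmith", "read")]:
        print(uid, action, authorize(vd, pdp, uid, ledger, action),
              "| hard-coded group check:", hard_coded_check(uid))
```

The terminated user `asmith` is still in the `finance-users` group, so the hard-coded check lets him through; the virtual directory surfaces the HR `employment` attribute and the ABAC rule denies him. Likewise `bchen` can read but not write because the decision depends on the `auth_level` attribute rather than on anything compiled into the application.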
4. Re-use Strong Authentication by Introducing Versatility
- Approach: Implement versatile authentication technology (any authentication system can be plugged in, also per use case)
- Value: Re-use of expensive strong AuthN (purchase, operations, e.g. somebody has lost his token), Risk Mitigation
- Strategy: Standardized AuthN and AuthZ layers (AuthN/AuthZ strategy), physical/logical convergence
- Risk: Politics (too many players), market maturity
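An added example of what “versatile authentication” means in code (this is illustration written for these notes, not part of the talk or of any vendor product): authenticators are plugged into one layer behind a common interface, each use case declares the assurance level it needs, and an existing one-time-token deployment (modelled here as RFC 6238 TOTP over HMAC-SHA1, the RFC's own reference secret) is re-used by a new use case without the application knowing which method is behind it. The user store, secrets and use-case names are constructed.

```python
"""Added example: a versatile authentication layer re-using existing strong AuthN.

All users, secrets and use cases are constructed.  The TOTP code follows
RFC 4226 / RFC 6238 (HMAC-SHA1, 30 s step, 6 digits) so an existing token
deployment could sit behind the same interface.
"""
import hashlib
import hmac
import struct
import time
from typing import Callable, Dict, Protocol


class Authenticator(Protocol):
    level: int                                   # assurance level the method provides

    def verify(self, uid: str, credential: str) -> bool: ...


class PasswordAuthenticator:
    """Level 1: salted PBKDF2 password check against a constructed store."""
    level = 1

    def __init__(self, store: Dict[str, tuple]) -> None:
        self.store = store                       # uid -> (salt, pbkdf2 digest)

    def verify(self, uid: str, credential: str) -> bool:
        record = self.store.get(uid)
        if record is None:
            return False
        salt, expected = record
        digest = hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, 100_000)
        return hmac.compare_digest(digest, expected)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpAuthenticator:
    """Level 2: the existing one-time-token system, wrapped behind the common interface."""
    level = 2

    def __init__(self, secrets: Dict[str, bytes], step: int = 30, window: int = 1,
                 clock: Callable[[], float] = time.time) -> None:
        self.secrets, self.step, self.window, self.clock = secrets, step, window, clock

    def verify(self, uid: str, credential: str) -> bool:
        secret = self.secrets.get(uid)
        if secret is None:
            return False
        counter = int(self.clock()) // self.step
        # Tolerate +/- window steps of clock drift; compare in constant time.
        return any(hmac.compare_digest(hotp(secret, counter + d), credential)
                   for d in range(-self.window, self.window + 1))


class VersatileAuthN:
    """Any authenticator can be plugged in; each use case declares the level it needs."""

    def __init__(self) -> None:
        self.methods: Dict[str, Authenticator] = {}
        self.required: Dict[str, int] = {}

    def register(self, name: str, method: Authenticator) -> None:
        self.methods[name] = method

    def require(self, use_case: str, level: int) -> None:
        self.required[use_case] = level

    def authenticate(self, use_case: str, uid: str, method: str, credential: str) -> bool:
        auth = self.methods.get(method)
        needed = self.required.get(use_case)
        if auth is None or needed is None:       # unknown method or use case: fail closed
            return False
        if auth.level < needed:                  # method too weak for this use case
            return False
        return auth.verify(uid, credential)


def build_demo(clock: Callable[[], float] = time.time) -> VersatileAuthN:
    """Constructed users: a password for jdoe plus the RFC 6238 reference secret as a token."""
    salt = b"constructed-salt"
    store = {"jdoe": (salt, hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 100_000))}
    secrets = {"jdoe": b"12345678901234567890"}  # RFC 4226/6238 test secret (ASCII)
    layer = VersatileAuthN()
    layer.register("password", PasswordAuthenticator(store))
    layer.register("totp", TotpAuthenticator(secrets, clock=clock))
    layer.require("intranet", 1)                 # existing low-value use case
    layer.require("vpn", 2)                      # new use case re-using the token system
    return layer


if __name__ == "__main__":
    layer = build_demo(clock=lambda: 59)         # fixed clock so the RFC test vector applies
    print(layer.authenticate("intranet", "jdoe", "password", "correct horse"))  # True
    print(layer.authenticate("vpn", "jdoe", "password", "correct horse"))       # False: too weak
    print(layer.authenticate("vpn", "jdoe", "totp", "287082"))                  # True at t=59
```

The application only names the use case; which methods satisfy it is policy in the layer. Adding a third authenticator (a smart card from the physical-access side, say) is a `register` call plus a level, which is the physical/logical convergence point above, and the `level` comparison is what stops a weak method from being accepted for a use case that was sized for the expensive one.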
5. Consider distributed approaches
- Approach: Use more than one provisioning system (more flexible systems are needed: not rip and replace, but easier integration)
- Value: Reduced complexity
- Strategy: GRC as control and policy layer for multiple provisioning implementations
- Risk: Integration, Consistent Policies
More Quick Wins:
- Organizational Optimization (Focus on the defined break-point between IAM and system-level management. Ensure consistency of operational management)
- Convergence (Data Governance and Access Governance, Physical and Logical, …)
- Avoidance of Misinvestments (Build a strategy)
Discussion
Is it really easy to implement?
Depends on the alternatives; some things are relatively easy to implement as they sit on top. Of course it’s not plug and play.
