Archive for September, 2012

IAM as the foundation to IT Chargeback?

September 26, 2012 Leave a comment

A few minutes ago I read an article by Joe McKendrick on ZDNet, headlined “Why private cloud services need to be market-priced”. Joe brings up the fact that organizations need to price their private cloud solutions internally, to bring the cost back to their end users and their business and to provide numbers comparable to those of public cloud services.

He cites the following survey result:

But that also means six out of 10 private cloud organizations don’t really have a way of connecting private cloud usage with specific users or departments.

So how to bridge that gap? Why not with Identity and Access Management? Having an Identity and Access Management solution puts you in the position of knowing the connection between specific users, their departments and their usage of services, not only cloud services. IAM should know the employees’ user accounts in all connected systems, regardless of whether those are classic systems like Active Directory or Exchange, private or public cloud systems or, in the best case, various file systems.

So the next step would be to calculate reasonable prices for all those services based on their typical overall cost. This is a complex process, but I’ve seen organizations go this way years ago, while deploying the IT Chargeback module of my favorite IAM solution (formerly ActiveEntry, now Quest One Identity Manager) into their infrastructure.

What I’ve seen in those organizations was the process of finding reasonable prices for

  • Active Directory User Accounts
  • Exchange Mailboxes
  • a dedicated amount of mailbox or home drive storage
  • SAP User Accounts
  • dedicated IT services requested by using an access request portal

as well as the process of integrating those prices into the IAM solution and the Access Request Portal, the latter being the shopping window of the IT department towards the business.

This could easily be extended to cloud services, public as well as private ones, if they are connected to the IAM solution by direct or indirect provisioning, or even just by knowledge of the existence of user accounts, entitlements or resources in them.

What could be the output of that?

The output could be a monthly “bill” to departments or cost centers displaying their IT cost in the last billing period, to bring the cost of IT back into the minds of the business. The effect that I’ve seen in organizations using their IAM solution as their IT Chargeback baseline was amazing: cost-center managers took notice of those bills and checked whether it was really necessary for 35 employees in their department to have access to really expensive services without needing them. This enabled them to unsubscribe those services for specific users to save money on their budget. It might also have saved money on the IT budget, through a smaller license package or the like. So it was a win-win situation for both sides: the IT department delivering IT services as an internal service provider, and the end users and departments as service subscribers. And it’s also a good way to justify IT budgets transparently throughout the organization.
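To make the idea concrete, here is an added example (written for this post, not the IT Chargeback module of ActiveEntry / Quest One Identity Manager) that builds exactly that monthly bill from an IAM snapshot: identities carry their cost center and the accounts and entitlements IAM knows about in connected systems, a price list turns those into amounts, and a second function produces the review list of expensive entitlements a cost-center manager would work through. The price list, identities and quantities are constructed sample data.

```python
"""Added example: deriving a chargeback bill from an IAM snapshot.

Illustrative code written for this post; it is not the IT Chargeback module of
ActiveEntry / Quest One Identity Manager. The price list, identities and
account quantities are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed monthly price list per service unit (assumed values).
PRICE_LIST = {
    "ad_account": Decimal("2.50"),
    "exchange_mailbox": Decimal("4.00"),
    "mailbox_gb": Decimal("1.20"),       # per GB of mailbox quota
    "sap_account": Decimal("45.00"),
    "cloud_crm_seat": Decimal("60.00"),  # public cloud service known to IAM via provisioning
}


@dataclass
class Identity:
    """One person as the IAM system knows them: who they are, where the cost
    goes, and which accounts/entitlements exist for them in connected systems."""
    user_id: str
    cost_center: str
    accounts: dict = field(default_factory=dict)  # service -> quantity


# Constructed IAM snapshot.
IDENTITIES = [
    Identity("u1001", "CC-100", {"ad_account": 1, "exchange_mailbox": 1, "mailbox_gb": 5, "sap_account": 1}),
    Identity("u1002", "CC-100", {"ad_account": 1, "exchange_mailbox": 1, "mailbox_gb": 2, "cloud_crm_seat": 1}),
    Identity("u2001", "CC-200", {"ad_account": 1, "exchange_mailbox": 1, "mailbox_gb": 10}),
]


def bill_per_cost_center(identities, price_list):
    """Aggregate IAM-known accounts into one bill per cost center.

    Returns {cost_center: {"total": Decimal, "lines": {service: (quantity, amount)}}}.
    A service without a price is an error: an unpriced entitlement would
    silently vanish from the bill, which is exactly the gap chargeback should close.
    """
    totals = defaultdict(Decimal)
    lines = defaultdict(lambda: defaultdict(lambda: [0, Decimal("0")]))
    for ident in identities:
        for service, qty in ident.accounts.items():
            if service not in price_list:
                raise KeyError(f"no price for {service!r} (user {ident.user_id})")
            amount = price_list[service] * qty
            lines[ident.cost_center][service][0] += qty
            lines[ident.cost_center][service][1] += amount
            totals[ident.cost_center] += amount
    return {
        cc: {"total": totals[cc], "lines": {s: tuple(v) for s, v in lines[cc].items()}}
        for cc in totals
    }


def expensive_entitlements(identities, price_list, threshold):
    """List (cost_center, user_id, service, unit_price) for every entitlement
    whose unit price exceeds the threshold: the review list a cost-center
    manager works through before unsubscribing users who don't need a service."""
    hits = []
    for ident in identities:
        for service in ident.accounts:
            price = price_list[service]
            if price > threshold:
                hits.append((ident.cost_center, ident.user_id, service, price))
    return sorted(hits)


def render_bill(bill, cost_center):
    """Plain-text 'bill' for one cost center."""
    out = [f"IT chargeback for {cost_center}"]
    for service, (qty, amount) in sorted(bill[cost_center]["lines"].items()):
        out.append(f"  {service:<18} x{qty:<4} {amount:>8}")
    out.append(f"  {'total':<24} {bill[cost_center]['total']:>8}")
    return "\n".join(out)


if __name__ == "__main__":
    bill = bill_per_cost_center(IDENTITIES, PRICE_LIST)
    for cc in sorted(bill):
        print(render_bill(bill, cc))
    for hit in expensive_entitlements(IDENTITIES, PRICE_LIST, Decimal("40")):
        print("review:", hit)
```

The point of raising an error on an unpriced service is deliberate: every account or entitlement IAM knows about must map to a price, otherwise the bill understates the cost and the department never sees it.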

Categories: Cloud, IAM, IT Chargeback, Strategy

eIDClientCore: an open API to the new German electronic ID

September 18, 2012 Leave a comment

The newly founded BeID-LAB (Berlin electronic ID laboratory) has published eIDClientCore, an open API to the new German electronic ID (ePA). The API acts as middleware between an eID provider and the card reader communicating with the ID card.

The API implements parts of the eCard-API, the foundation of the eCard strategy of the German government, which contains projects like eGK (electronic health insurance card), ePA (electronic ID), ePass (electronic passport), ELSTER (electronic tax declaration) and the already buried ELENA (electronic income confirmation).

eIDClientCore is available as a C/C++ library, currently requiring libexpat, libgcrypt and a PC/SC driver to handle the communication with the card reader.

Use cases for this API might be:

  • two-factor / multi-factor authentication for different web or cloud services
  • implementation of further eGovernment projects
  • identity-proofing in eGovernment

With the complete source code of the API available under an open license, this might help to find security issues, but it also opens up the possibility of exploiting those issues with knowledge of the code.

My personal opinion on that: I’m still a bit concerned about the strategy of bringing everything into digital abstractions, especially sovereign documents like an ID card or a passport. The more concerned I am about that, the happier I am about the chance to have a look inside.

Categories: Identity, Privacy, Security

Germany to ban surveillance software exports to totalitarian regimes

September 18, 2012 Leave a comment

As ZDNet reports today, the German foreign minister Guido Westerwelle announced a ban on exports of surveillance software to totalitarian regimes and states.

By using the words “These regimes should not get the technical instruments to spy on their own citizens” he is saying something more critical: while it’s not OK for a totalitarian regime like Syria to have surveillance software to spy on its own citizens, it seems he’s pretty OK with the fact that countries like Germany itself are using surveillance software to spy on their citizens. At the moment this software is (officially) only used for special purposes in criminal investigations, but inappropriate software has even been in use in Germany itself. For more insight on that, just have a look at the hashtag #0zapftis.

Categories: Privacy, Security

Does HR matter?

September 14, 2012 Leave a comment

Since I’ve been doing projects around IDM and IAM, there have been lots of conversations with HR people about the role of their HR application within the project. In nearly every project someone from the team of architects, consultants or engineers has to explain their importance. Not only once, not only twice… Sometimes you have to tell them a dozen times.

So why does HR matter in an IDM or IAM project? Simple answer: HR is the authoritative source for HR information, driving provisioning processes, defining hierarchies (managers, direct reports, …) and delivering the attributes that Identity Management needs.

Just a recent example to dive into:
The as-is situation is an IT environment in change. There’s a groupware system in place currently, and a foundation has been laid out to roll out Active Directory as the central directory system. (There might be a murmur like “groupware but no directory system?”. Yeah, it is what it is. Even in 2012 some organizations don’t have a directory system in place and still use local user accounts and hosts files. Scary, isn’t it?) The internal structure of the groupware system as well as the approach for Active Directory are driven by locations. This means that there is an OU structure representing locations. From an Identity Management standpoint it’s pretty clear what to do: the location an employee is assigned to will drive the provisioning target in the groupware system as well as in the upcoming Active Directory. There are other approaches to driving provisioning targets as well (just to name some of them):

  • departments
  • cost centers
  • business roles

So far so good. Now let’s have a look at the HR side: our IAM system gets data from two different HR systems containing different categories of employees. A third source of information is an HR-originated location feed, giving us information about existing locations and their hierarchy. So we configured those imports to get the data into the IAM system, preparing the data for the subsequent provisioning process. Just analyzing the data was kind of horrible:

  • we found overlapping data within data sources which should have been completely disjoint
  • within some ten thousand HR records we had some thousands where our IAM system was not able to determine a location from the previously reconciled location feed
  • we found multiple valid HR records per employee without any attribute to determine which record is the most recent one

It might turn out to be the worst HR integration I’ve ever worked on, after recognizing that the HR data was even inconsistent within itself. While analyzing the source data (because I couldn’t believe it was as bad as the result in our IAM system suggested), I found out that there are even employees located in locations which do not exist within the location feed. So I raised my concerns about the internal integrity of the data itself.
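The findings above are exactly the kind of checks an IAM import should run before any record is allowed to drive provisioning. The following is an added example written for this post (not the project’s own import configuration or data): two constructed HR exports and a constructed location feed, plus one check per finding, overlapping sources, records with no location, locations the feed does not know, duplicate records with no decidable “most recent” one, and, going one step beyond the text, a check that the location feed’s own hierarchy is closed.

```python
"""Added example: integrity checks on HR feeds before they drive provisioning.

Illustrative code written for this post; the feeds below are constructed
sample data, not the project's real HR exports. The checks mirror the
findings described above: overlapping sources, records without a resolvable
location, ambiguous duplicate records, and locations missing from the feed.
"""
from collections import defaultdict

# Constructed HR-originated location feed: location id -> parent id (None = root).
LOCATION_FEED = {"HQ": None, "BER": "HQ", "MUC": "HQ"}

# Constructed exports from two HR systems that should hold disjoint employee categories.
HR_SYSTEM_A = [
    {"emp_id": "E1", "location": "BER", "valid_from": "2012-01-01"},
    {"emp_id": "E2", "location": "MUC", "valid_from": "2012-03-01"},
    {"emp_id": "E2", "location": "BER", "valid_from": "2012-03-01"},  # second "valid" record, same date
    {"emp_id": "E3", "location": "",    "valid_from": "2011-11-01"},  # no location at all
]
HR_SYSTEM_B = [
    {"emp_id": "E2", "location": "MUC", "valid_from": "2012-03-01"},  # also present in system A
    {"emp_id": "E4", "location": "HAM", "valid_from": "2012-05-01"},  # HAM is not in the feed
]


def overlapping_ids(*feeds):
    """Employee ids that appear in more than one source that should be disjoint."""
    seen = defaultdict(set)
    for idx, feed in enumerate(feeds):
        for rec in feed:
            seen[rec["emp_id"]].add(idx)
    return {emp for emp, sources in seen.items() if len(sources) > 1}


def missing_location(records):
    """Employee ids whose record carries no location value to resolve."""
    return {r["emp_id"] for r in records if not r.get("location")}


def unknown_location(records, location_feed):
    """{emp_id: location} for records pointing at a location the feed doesn't know."""
    return {r["emp_id"]: r["location"] for r in records
            if r.get("location") and r["location"] not in location_feed}


def ambiguous_records(records):
    """Employee ids with several records and no single most recent one.

    'Most recent' is decided on valid_from; if the newest date is shared by
    two or more records, or a record has no date, no winner can be chosen.
    """
    by_emp = defaultdict(list)
    for r in records:
        by_emp[r["emp_id"]].append(r.get("valid_from"))
    ambiguous = set()
    for emp, dates in by_emp.items():
        if len(dates) < 2:
            continue
        if any(d is None for d in dates) or dates.count(max(dates)) > 1:
            ambiguous.add(emp)
    return ambiguous


def broken_hierarchy(location_feed):
    """Locations whose parent is not itself in the feed."""
    return {loc for loc, parent in location_feed.items()
            if parent is not None and parent not in location_feed}


def run_checks(feeds, location_feed):
    """Run all checks and return a report; provisioning should not start
    while any of these findings is non-empty."""
    records = [r for feed in feeds for r in feed]
    return {
        "overlapping": overlapping_ids(*feeds),
        "missing_location": missing_location(records),
        "unknown_location": unknown_location(records, location_feed),
        "ambiguous": ambiguous_records(records),
        "broken_hierarchy": broken_hierarchy(location_feed),
    }


if __name__ == "__main__":
    for name, finding in run_checks([HR_SYSTEM_A, HR_SYSTEM_B], LOCATION_FEED).items():
        print(f"{name:<18} {finding if finding else 'ok'}")
```

Keeping each finding as a separate set (rather than one boolean) is what makes the result useful in the conversation with HR: it names the records to fix, not just the fact that something is wrong.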

The story is still going on. I’m looking forward to the next update on the data and / or the conversation.

But it shows: HR matters. The quality of HR data is the key to data quality within your IT systems. Or, to bring it to a simple conclusion: garbage in, garbage out.

Categories: IAM, IDM

Discussing IDM Migration Strategies

September 13, 2012 Leave a comment

A few days ago I was reading a discussion around Sun IDM migration strategies with different approaches. First there was an approach named “Migration by Objects”, a bottom-up approach. This strategy attempts to migrate Objects within Sun IDM into the new IDM platform. The next approach I read about was named “Migration by Use Cases”, a top-down approach, meaning to migrate Use Cases from Sun IDM into the new IDM platform. Then there was a mixture of both named “Hybrid Migration”, discovering Use Cases by analyzing Objects and / or the implementation. The fourth approach mentioned in this discussion was IMHO something very similar to the “Hybrid Migration” approach, but in this case invented by another company for another target IDM platform.

What struck me while reading those approaches was that it seems like the only way to get rid of Sun IDM is actually, really “migrating” Objects or Use Cases or both, in different flavors, from Sun IDM to another IDM platform. That’s not all from my perspective.

The approach which is completely left out of this discussion is implementing IDM from scratch. After years of operating an IDM solution like Sun IDM, companies might have realized new needs, new requirements, new systems. Sometimes it makes total sense to invest in a completely new analysis of the as-is situation, finding gaps between the existing implementation and current expectations. I don’t say that this is not possible using top-down, bottom-up or hybrid migration approaches. It’s more about the question: does it make sense to migrate even one single Object or one single Use Case from A to B without looking at the current needs? Even companies running Sun IDM or whatever IDM / IAM solution in the world these days should have a roadmap on how to increase the value of their IDM strategy. And strategies are not only about staying with one single solution or one single approach. Strategies have to be redefined to face business needs, technology and technical developments.

But it’s interesting to see that there is still that much interest in migrating existing Sun IDM installations, after the acquisition of Sun by Oracle at the beginning of 2010 was called the death of Sun IDM.

Categories: IDM, Migration, Strategy

An example for the need of Access Control and Governance

September 13, 2012 Leave a comment

There was an article on ZDNet yesterday saying that the Scottish Borders Council was fined £250,000 for dumped pension records.

So what happened: the Scottish Borders Council hired a third party to digitize pension records of former employees. After digitizing, those records would (hopefully) have been shredded if everything had gone well. But it didn’t. The records were dumped in a recycling bin like old newspapers. A citizen found those documents and informed the police, who secured the documents and all contained data (as the article says, salary and bank account data were included in those records).

So in this case there were major faults on the side of the Scottish Borders Council:

  1. It seems there was no agreement or contract clause on how the records would be kept or shredded after digitizing them. So no one within the Scottish Borders Council was checking if and how the records were handled or destroyed.
  2. While passing the records to a third party, the Scottish Borders Council remained legally responsible for all personal data contained in those records according to the Data Protection Act. This would have required tracking of the records’ handling, digitization and shredding, or of handing them back to the Scottish Borders Council for a separate process of destroying the records.

Both issues show the lack of Access Control and Governance over those records. There was no check whether those records still existed or whether they had been destroyed. With the responsibility under the Data Protection Act, the Scottish Borders Council would have needed at least certified proof of the data handling, of the process of digitization, and of the process of handing those records back or shredding them in an appropriate way, instead of just dumping them into a recycling bin. Within IT systems we would call that a complete Audit Trail, in the best case peppered with access recertification to ensure that it’s OK for someone to have access to something.
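What such an audit trail looks like in code, as an added example for this post (not something from the article or the council): a hash-chained custody log for records handed to a contractor, a question it can answer at any time (which records have no documented end, and who holds them), and a minimal access recertification step that returns the grants an owner did not re-approve. Record ids, actors, events and the certificate reference are constructed.

```python
"""Added example: a tamper-evident custody trail for records handed to a third party.

Illustrative code written for this post, not something from the article or the
council. The record ids, actors and events are constructed. It answers the two
questions nobody asked in the case above: where is each record now, and has
every record reached a documented end (shredded or handed back)?
"""
import hashlib
import json

TERMINAL_EVENTS = {"shredded", "returned"}
ALLOWED_EVENTS = {"handed_over", "digitized"} | TERMINAL_EVENTS


def _digest(entry):
    """SHA-256 over the canonical JSON of an entry, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyTrail:
    """Append-only log where each entry carries the hash of its predecessor,
    so removing or editing an entry afterwards is detectable."""

    def __init__(self):
        self.entries = []

    def append(self, record_id, event, actor, evidence=""):
        if event not in ALLOWED_EVENTS:
            raise ValueError(f"unknown event {event!r}")
        if event in TERMINAL_EVENTS and not evidence:
            raise ValueError("a terminal event needs evidence, e.g. a certificate of destruction")
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "record_id": record_id, "event": event,
                 "actor": actor, "evidence": evidence, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify_chain(self):
        """True if every entry's hash and prev link still match."""
        prev = "0" * 64
        for seq, entry in enumerate(self.entries):
            if entry["seq"] != seq or entry["prev"] != prev or entry["hash"] != _digest(entry):
                return False
            prev = entry["hash"]
        return True

    def custody(self):
        """{record_id: actor currently holding it} for records not yet closed out."""
        holder = {}
        for e in self.entries:
            if e["event"] in TERMINAL_EVENTS:
                holder.pop(e["record_id"], None)
            else:
                holder[e["record_id"]] = e["actor"]
        return holder

    def open_records(self):
        """Records without a documented end: exactly what was missing in the case above."""
        return set(self.custody())


def recertify(grants, approved):
    """Access recertification: grants (actor, record_id) the owner did not
    re-approve in this cycle are the ones to revoke."""
    return set(grants) - set(approved)


def demo_trail():
    """Constructed scenario: two records go to a scanning contractor, only one is closed out."""
    t = CustodyTrail()
    t.append("PEN-0001", "handed_over", "scan-contractor")
    t.append("PEN-0002", "handed_over", "scan-contractor")
    t.append("PEN-0001", "digitized", "scan-contractor")
    t.append("PEN-0001", "shredded", "scan-contractor", evidence="CERT-DESTR-77")
    t.append("PEN-0002", "digitized", "scan-contractor")
    return t


if __name__ == "__main__":
    trail = demo_trail()
    print("chain intact:", trail.verify_chain())
    print("still open:", trail.open_records(), "held by", trail.custody())
```

Requiring evidence on a terminal event is the code equivalent of the certified proof mentioned above: a record cannot be marked as shredded or returned without a reference to the certificate or receipt that says so.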

So with the potential exposure of personal data to identity fraud, £250,000 (currently a bit more than $400,000 or 310,000 €) for those faults is pretty expensive compared to the minimal cost of avoiding them.

Starting my Blog

September 13, 2012 Leave a comment

Hello World, hello Community.

For years I’ve been following other IAM specialists and their blogs, tweets, mentions, … During all this time I was thinking about whether to start my own blog on IAM or not. So today I did it. I started my blog. Why? I came across some discussions on LinkedIn that caught my interest, while having my completely own thoughts on them. So I was weighing up whether to answer those discussions on LinkedIn or just spread my thoughts on a blog. Maybe someone will take them as an inspiration, maybe not. So I’ll see how this goes in the next weeks, months and maybe years.

Categories: Blog