Tuesday, December 20, 2005

The toe nails of Identity Elephant

I have learned over time that defining things is not my strength, and I have also come to understand that most of us in the Identity and Access space can get through most of our professional lives without industry-standard definitions. But at the same time, I like to keep a glossary handy, which I attach to every project document and let change as the client tries to make sense of their environment.
After reading Dave Kearns' and Scott Lemon's thoughts, I was again reminded of the Identity elephant that seems to be in the room and how people are trying to find it. In that context, I found that these two are so close in their definitions, the way I understood them, that I had to write about it. The idea in Scott's case is that Identity is "same as", while for Dave it is "Identifying" (which for him somehow always leads to DNA, twins, etc.; anyway, that may be something for another blog post). Now, in the case of an identification system, identification means that the system needs to have information about the entity that it wants to "Identify". So, the process of "identification" for the system means that the representation of the "identity" in the system's memory is "same as" the representation of the entity that the system has received from the entity (through the authentication information or identifiable attributes). With regards to the other part of Scott's article, about the existence of an "Observer", that ties in well with Dave's idea of "identify": in order to get the "identifiable attribute" into the memory of the system, someone has to "observe" the entity and register its identifiable attributes, and so this is an action that takes place before the identifiable attribute can be stored in memory.
So, to summarize:
  • Observer "observes" the identifiable attribute
  • Observer stores the identifiable attribute in the Identification system's memory
  • Entity exposes its identifiable attribute(s) to the Identification system
  • Identification System uses the identifiable attribute(s) stored in memory to check whether the Entity's identifiable attribute(s) are "same as" those stored in memory.
And thus we have identified the toe nails of the identity elephant.

Sunday, December 18, 2005

Authentisoft Introduces IDX EAP

I am completely confused by this company's approach in the IAM space. I do not understand what their target market is and can only speculate that it includes small businesses, or maybe a complete Java shop whose developers think this is a good "IAM" product. Take a look at the article (and the discussion) from Justen Stepka, who works with the company. The product seems to be too little, too late at first glance (at least in the IAM space), but then maybe I do not understand the product and its complete feature set.

Internet Rebels

After watching Google EPIC, I had a burst of "creative" thought (which is very rare, let me tell you) about a futuristic novel set in 2015 about a renegade who is part of a network of people who run a parallel internet over a P2P protocol. The idea being that once you develop protocols to index and search the P2P member sites using distributed indexes, you may be able to browse the net anonymously. But after reading these articles, it seems to me that something like the above may become a reality rather than remaining a fiction in my head. But seriously, guys, is it good to reject a more structured way to generate internet content just because the format is being proposed by companies that are trying to make money out of people's content? Maybe I am being too naive.

Federation revisited

While going through some articles on the Burton Group reports on Identity Management, I ran into this article from Andre Durand. The basic point of contention is that Burton has predicted that Federation will not be a separate product in the long term, while Patrick Harding contests that it will be a separate product. This point of view from PingID can be attributed to the fact that their flagship product is a federation server, though they do provide other components like a Token Service. But let's not go there and look at the argument instead. The basic point of contention seems to be that the infrastructure needs a federation server to consume the SAML assertion and generate an internal SAML assertion that can be consumed by the internal infrastructure. But I am not sure whether that means that you have to set up a federation server the way they describe using this diagram. I see the work they describe as more the job of a Token Service, as I have opined earlier (which I think is one of the good ways of implementing an Authentication web service), which would be used by infrastructure components to do the validation. I do not see the federation server becoming the point of entry into the infrastructure, since there are much better products to do that job (like XML firewalls for web services and Web SSO products for the other, browser-based applications).
Maybe this is just a difference in the level of technicality we are at, and Patrick Harding is trying to say the same thing as above while I am getting into the details.
Please also note that, in the case of browser-based applications, most of the implementations taking place in this field are moving along the idea of the Federation Server being the initial point of contact for SAML validation, setting up the session with the existing Sign-On product and then redirecting the browser to the web application protected by the SSO product. Thus, the model provided by PingID makes sense for the initial part of the SAML validation, but I am not sure when third-party applications will start shipping with support for federated SSO (more specifically the Web SSOs and XML firewalls, some of which already support it), just like they have started supporting the concept of Single Sign-On.

Saturday, December 10, 2005

FSSO - where are we?

With so many federated sign-on specifications out there, it was becoming really tough to keep track of them. The way I see it, we can divide them into community-site-initiated, Identity-URL-based specs like SXIP (new addition), LID, OpenID and i-names (XRI) versus standard/large-vendor-initiated, identity-token-based specs like SAML, WS-Federation and InfoCard.
Given that the community-initiated specs based on URL-based Identity have come together under YADIS (except SXIP, and I am hoping they will join the party soon), where does that leave us with WS-*, SAML, Microsoft InfoCard and Passel (with counter-signed and self-signed attributes)? While the community-based FSSO specs are consolidating, businesses are rolling out services mostly using SAML to perform FSSO between the services that they are providing. We are still waiting for InfoCard and WS-Federation to pick up steam. It seems that InfoCard may be obsolete by the time it comes out if YADIS is accepted by the community (unless they find a way to coexist, which I do not see at the moment given the love of SOAP on the InfoCard side and the love of REST in URL-based identity) and SAML becomes the norm in the business community.
At this point one thing that is bothering me is the complete lack of initiative from Yahoo, Google (more important) and eBay on the FSSO front. If these companies "don't get it", the community-based initiative may not succeed (unless somebody figures out a way to integrate with them without their involvement). But the basic question is why these companies should "get it", i.e. what are they going to get out of this? The only benefit that I see for these portal companies is the ability to sign on more partners who would like to receive some sort of user identity for better marketing purposes. So, the idea would be that as soon as you click on an advertisement, search item or any link to the partner site, the basic identity from these portals would flow to the partner site, giving them the ability to customize the website based on attributes like age, location, name, gender, etc. Obviously, this will extensively utilize anonymization techniques (like those that are part of SAML 2.0) to ensure that user information is not given out without his knowledge. At this point the game is getting very dynamic. A single new announcement may change the way FSSO grows over the next few years, which makes the whole game all the more interesting.

Saturday, December 03, 2005

What is identity - In words of Bulla Shah

I really like the way this poem explores the basic question of "who am I", i.e. "what is identity". This poem was composed by Bulla Shah, a 17th-century Sufi poet, and used in a great song.
Bulla, who knows who I am?

Neither I am a believer (who stays) in a mosque
Nor do I indulge in actions of disbelief
Nor am I the pure one amongst the impure

Neither I exist in books of Vedh
Nor do I stay drunk
Nor do I remain stoned, rotting

Neither I am happy nor sad
Nor am I in the (argument of) Purity and Impurity
Neither I am (made) of water nor of earth

Nor am I fire nor air

Neither I am Arabic nor Lahori
Nor am I (resident of) the Indian City Nagaori
Nor Hindu nor Turk Peshaweri

Neither I found the secret of religion
Nor did I understand Adam and Eve
Nor did I create a name for myself

From beginning to end, I tried to understand myself
I did not come to know of anyone else
I am not just another wise one

Bulla Shah, who is this standing?
Bulla, who knows who I am?

Neither I am Moses nor Pharaoh
Neither I am awake nor asleep
Neither I am fire nor Air
Nor do I live among fools
Neither I am sitting nor am I in a tornado

Bulla Shah, who is this standing?

Thursday, December 01, 2005

Anti-suite Approach

This article talks about suite vs. anti-suite. Each of these approaches has its own pros and cons and fits specific markets. Some factors that may determine it are:
  • SMB (suite) vs. Enterprise
  • Working with bleeding-edge products vs. conservative adoption
So, I do not think it would be appropriate to categorize any market, whether it is network security or identity management, as suite or anti-suite.

PingSTS Announced - Identity for Web Services

Given that InfoCard is based on this service, I need to set up a working environment to test this integration. Besides that, I am bothered by the lack of token types on the output side. Anyway, I will write about it more once I get a chance to do the testing.

Wednesday, November 30, 2005

Looking back to look forward: Thoughts on HP acquiring Trustgenix

First Phase
Provisioning
  • Access360
  • Business Layers
  • Waveset
  • BMC
Web Access Control
  • Oblix
  • Netegrity
  • Securant
  • DASCOM
  • Entegrity
Password Management
  • Courion
  • M-Tech
Meta-directory/Virtual Directory
  • iPlanet
  • Novell
  • Siemens
  • Zoomit
  • OctetString
  • RadiantLogic
Second Phase
Web services, federation, SOA
  • Trustgenix
  • PingIdentity
  • Sxip
  • SOA Software
  • Layer 7
  • Symlabs
Third Phase
Activity in applications, information governance, identity in the network, and role/privilege analysis
  • Eurikify
  • Bridgestream
  • Prodigen
  • Tizor
  • Consul
  • Virsa
I will add to the list when I get a chance.

Wednesday, November 23, 2005

GRID: Globus Toolkit 4.0 - Authorization Model

The feature list is:
  • Support for PDP Chaining
  • Policy combination algorithm supported: DENY overrides ALLOW (permit overrides can be simulated by having a MasterPDP which will then control the other PIPs & PDPs - will need to specify the sequence of the PDPs & PIPs separately)
  • Supports the concept of a PIP, which works as an interceptor (like a PDP) but does not return a decision. It instead returns data which can be used by the PDP (more info needed on how)
  • The ID that will be authorized is extracted from the credential used by the client to contact the service.
  • A concept of Resource Owner is supported, which can be extracted from "resource, service or container depending on availability in that order of precedence"
  • Authorization Schemes supported
    • self - Caller ID = Owner
    • gridmap - Caller ID is part of a pre-defined list. This scheme also supports mapping the user ID to a local user ID (how does that help or can be leveraged??)
    • Identity - Caller ID = Specified ID
    • Host - Caller's Host ID = specified Host ID. Host ID being a special form of certificate with a common name (CN) corresponding to a name obtained from DNS or some configured service name. (How does this get mapped to the caller? Is the caller ID = host ID, or is the host ID like a computer certificate in Windows??)
    • SAML Call-out - PDP contacts a SAML Authz Service using request/response interface
    • userName - Caller ID = JAAS-authenticated user (who is authenticating and how is that being passed to the PDP?)
  • The development involves the following - please note all the plugins have initialize and close functions
    1. Implement the PDP interface - org.globus.wsrf.security.authorization.PDP :: boolean isPermitted(javax.security.auth.Subject, javax.xml.rpc.handler.MessageContext, javax.xml.namespace.QName operation). This interface also has the capability to get policy names and get/set policy (org.w3c.dom.Node)
    2. Reference the PDP from a security descriptor - change $GLOBUS_LOCATION/etc/<service name>/security-config | <service name>-security-descriptor.xml and add <authz value="ascope:class name"/>, where ascope is the scope, an authorization scheme "context" used to distinguish different authorization schemes with the same implementing class within the chain.
    3. Test the PDP - run client
    4. Implement the PIP interface - org.globus.wsrf.security.authorization.PIP :: collectAttributes(Subject subject,MessageContext ctx,QName operation)
    5. Reference the PIP from a security descriptor - <authz value="ascope:PIP_Class pdpscope:PDP_CLASS"/>
    6. Test the PIP - the order of execution of PIPs and PDPs depends on the order in which they were specified in the authorization chain configuration
    7. Communicate an attribute from PIP to PDP - e.g. - subject.getPublicCredentials().add(attribute); & subject.getPublicCredentials();
    8. Add a configuration to an interceptor - use the service deployment descriptor to pass the data to the PDPConfig used in the initialize call. The D.D. is located in $GLOBUS_LOCATION/etc/<your_service> and uses <parameter name="ascope-attribute" value="notmanager"/>, i.e. scope_name-attribute_name (guess one cannot have a hyphenated scope name??)
  • Next Steps -
    • Develop attribute/role-based authorization - a proper representation of attributes needs to be developed which can be transferred across the PDPs
    • support for fine-grained expression of "delegation of rights"
    • pluggable authorization engines
    • lazy collection of attributes
    • caching of decision/attributes
    • and metadata about attributes/interceptors
  • Resources - GlobusTK 4.0 Release Manual, WS Authentication and Authorization documentation, GridShib (Globus Toolkit with Shibboleth), Community Authorization Service
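As an added example (not Globus code), here is the chain behaviour from the notes above modelled in Python: the scope:Class tokens of the <authz value="..."/> string, the scope_name-attribute_name deployment parameters, PIP-to-PDP hand-off through the subject's public credentials, deny-overrides combination, and a MasterPDP that simulates permit-overrides. The class names, the <scope>-chain parameter and the rule that a chain with no PDP denies are assumptions of this example.

```python
# Added model of the GT4 authorization chain described above; not Globus code.
# Class, attribute and scope names are assumptions, not the toolkit's own.
from dataclasses import dataclass, field

@dataclass
class Subject:
    """Stand-in for javax.security.auth.Subject: caller ID plus public credentials."""
    caller_id: str
    public_credentials: set = field(default_factory=set)

@dataclass
class MessageContext:
    """Stand-in for the JAX-RPC MessageContext; only the resource owner matters here."""
    resource_owner: str

class Interceptor:
    """PIPs and PDPs alike are initialized with their scope-prefixed parameters
    (the toolkit's close() hook is left out of this model)."""
    def __init__(self, scope):
        self.scope, self.config = scope, {}

    def initialize(self, config, parameters):
        # config: parameters named "<scope>-<attr>" with the prefix stripped;
        # parameters: the full deployment descriptor set (only MasterPDP uses it)
        self.config = config

class PIP(Interceptor):
    def collect_attributes(self, subject, ctx, operation):
        raise NotImplementedError

class PDP(Interceptor):
    def is_permitted(self, subject, ctx, operation):
        raise NotImplementedError

class SelfPDP(PDP):
    """'self' scheme: Caller ID = resource owner."""
    def is_permitted(self, subject, ctx, operation):
        return subject.caller_id == ctx.resource_owner

class IdentityPDP(PDP):
    """'identity' scheme: Caller ID = the ID configured as <scope>-identity."""
    def is_permitted(self, subject, ctx, operation):
        return subject.caller_id == self.config.get("identity")

class RolePIP(PIP):
    """Assumed PIP: hands a role to later PDPs through the subject's public
    credentials, the way step 7 does with subject.getPublicCredentials().add()."""
    def collect_attributes(self, subject, ctx, operation):
        subject.public_credentials.add(("role", self.config.get("attribute")))

class RolePDP(PDP):
    """Assumed PDP: permits only if a PIP earlier in the chain attached role=manager."""
    def is_permitted(self, subject, ctx, operation):
        return ("role", "manager") in subject.public_credentials

class MasterPDP(PDP):
    """Simulates permit-overrides: runs its own sub-chain (from <scope>-chain) and
    permits if any sub-PDP permits. Alone in the outer chain, deny-overrides cannot veto it."""
    def initialize(self, config, parameters):
        super().initialize(config, parameters)
        self.sub_chain = build_chain(config["chain"], parameters)

    def is_permitted(self, subject, ctx, operation):
        for icpt in self.sub_chain:
            if isinstance(icpt, PIP):
                icpt.collect_attributes(subject, ctx, operation)
            elif icpt.is_permitted(subject, ctx, operation):
                return True
        return False

REGISTRY = {c.__name__: c for c in (SelfPDP, IdentityPDP, RolePIP, RolePDP, MasterPDP)}

def build_chain(authz_value, parameters):
    """Parse the <authz value="scope:Class scope:Class ..."/> string into interceptors,
    giving each one only the deployment parameters carrying its scope prefix."""
    chain = []
    for token in authz_value.split():
        scope, cls_name = token.split(":", 1)
        prefix = scope + "-"
        scoped = {k[len(prefix):]: v for k, v in parameters.items() if k.startswith(prefix)}
        icpt = REGISTRY[cls_name](scope)
        icpt.initialize(scoped, parameters)
        chain.append(icpt)
    return chain

def authorize(chain, subject, ctx, operation):
    """Run the chain in configuration order: PIPs collect, PDPs decide, and DENY
    overrides ALLOW, so a PDP placed before the PIP it depends on simply denies.
    Assumption: a chain containing no PDP denies."""
    saw_pdp = False
    for icpt in chain:
        if isinstance(icpt, PIP):
            icpt.collect_attributes(subject, ctx, operation)
            continue
        saw_pdp = True
        if not icpt.is_permitted(subject, ctx, operation):
            return False
    return saw_pdp
```

Swapping the order of RolePDP and RolePIP in the authz string is enough to turn a permit into a deny, which is the ordering caveat from step 6.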

Sunday, November 20, 2005

Linkmania

Links

Consentry LAN Controller

Another company in the "identity enabled network" space, besides Identity Engines, which I talked about earlier.
The moral of the story seems to be that:
  • A trusted identity store (like LDAP) needs to be integrated with the network
  • Application access policy must include Identity & Roles
  • Application control beyond the port.
Nothing new here. Besides, looking at the product itself, there is nothing new on the authentication side (it seems to be similar to things that other network products would support). But at the same time, a wide variety of applications are supported "out-of-the-box", though I am not sure what we are going to achieve by simply performing an allow or deny at the application level, since that is as good as port-level access (nothing more fine-grained)! The field of identity-enabled networks seems to be the next step in the growth of identity. It would be interesting to see what other companies are working on.

Friday, November 11, 2005

Global Identity Body

I think we really need to see how identity is managed in the real world, and maybe that can help us figure out how it may work in the digital world. So we would need a passport-like mechanism, which would assert very basic information about the person across international boundaries, and that is where I think we may concentrate at these international conferences (anything beyond that would be equivalent to boiling the ocean). Then we would need trusted bodies for various contexts. For example, international transactions would need banks working as intermediaries (as used for trade by companies across international boundaries), and then you may have technical bodies like medical bodies who may vouch for their members in transactions. So, I agree with the basic idea that there would be a large number of bodies, and I also think that there would be multiple protocols developed for and by each community as they need to share this information. I think the idea of having a single standard across the board is a dream.
We have to remember that identity is not something like the internet, which was developed completely from scratch and hence the people who joined later accepted the work of the earlier groups. Neither is it like the desktop technologies, which were accepted easily due to the prevalence of a single OS.
That's why we should not expect a single protocol, or even a "meta-identity" system, to be accepted by the world, because paradigms have changed or are changing in the digital world.

Identity/Reputation management with Opinity

What is a product like this going to buy me as a citizen of the web? I can see their idea of a central repository of user reputation (something similar to a credit reporting company). But all the big sites have their own repository, and why would they want to share that? So, their basic approach would be to get the smaller websites to use this service. Now that is a big issue, because why would most of these websites want to purchase a service they do not need? As soon as the customer pays via credit card, these people do not care about the reputation of the customer. So unless this system can help them
Let's take the model from the customer's point of view. Most people would like to get tangible benefits out of this before they would be ready to aggregate their identity information in one place. This could be in the form of discounts in online stores. In addition to that, the reputation needs to be integrated with an identity engine that can build a central repository of their profile (which will include their blogs, comments on other websites about products, etc.) across the web, which can then be converted into their reputation (because without the "identity" you will not know who the people are talking about, since there could be a really large number of "John Doe"s out there).
Maybe I am thinking too far into the future. At the moment, it could be more like something that gamers and others involved in online activities (like chat) would use to aggregate and share their information out of the box.

Identity Map

Good idea and summary of the various types of information that are associated with the user, i.e.:
  • Names
  • Characteristics - static and dynamic
  • Relationships - I am not sure whether Relationship should be separate from Role. I am assuming that any relationship will always have the roles automatically defined for all the participants of the relationship, either implicitly or explicitly.
  • Roles - See Relationships; that is why roles by themselves may not make sense. These have to be in a given context, the context being the relationship or the community of which the relationship is a part.
  • Locations
  • Experience - Experience would result in knowledge!! Right? And so knowledge would be a superset of experience and of information that was gathered through the experience of others (i.e. teaching, reading).
  • Knowledge
  • Reputation
What do you say?

Identity Engines Delivers Platform for Network Ide?

So finally the company is out with the product. I have been hearing about this company for some time now. Anyway, it seems like these guys are catering to the requirements of companies that want to control access to their network in a more secure fashion. Most of these companies need to perform the following functions:
  • Sequestering the machine hooked to the environment unless validated (so it may not even be able to get an IP via DHCP)
  • The laptop would be checked for the latest version of firewall and antivirus with the latest updates.
  • The user would need to authenticate to ensure that they get access to the network.
  • (Not seen a lot though) If the user tries to access an application, this access needs to be managed.
  • Auditing all these events with additional information for monitoring and analysis.
With respect to the application access requirement, I have seen that most companies already have something installed. For example, web applications would have the Web SSO products. But most of the client-server applications (which are not being fixed since they are not broken) are still outside the purview of the centralized solution. Now, looking at the solution, it seems to provide the following:
  • Sequestering of the machine - this is a tough nut to crack, but I think combining it with user authentication at the switch level can achieve the same result.
  • User authentication - which is provided by most managed switches through support for 802.1X and RADIUS (I will be implementing something in the next few days for my company and will have more to write about it at that time)
  • Application access control - I am not clear what mechanism is implemented with regard to mapping the identity to a machine after the machine has been authenticated. If it uses the IP address or MAC address, then theoretically the battle is lost, since these can be spoofed. So, I would really be looking forward to getting information on this.
  • Security compliance - I did not see feature support for making sure the machine is compliant before allowing it on the network.
Something else that is bothering me is the possible requirement of provisioning the switches for sequestering new machines. I am not sure how comfortable the network guys would be with a system managing their boxes "automatically". I know that a lot of firewalls and IPSs do perform such operations, but still it may be an interesting issue.

Thursday, November 10, 2005

Quick and dirty identity management

That is what tells me that we really need to develop an open-source identity management interface for people to be able to do the basics:
  • User CRUD
  • Password management (password reset)
  • User data management
  • and basic user provisioning to other products

Sunday, November 06, 2005

Friday, November 04, 2005

Vendor Installation News

I see a lot of releases on the vendor installations. This is an attempt to capture them on single page.

Wednesday, November 02, 2005

ID-entity Blog Launch - Lessons from IIW2005 [Li…

It seems like somebody else is also bothered by the complete lack of discussion of Liberty/SAML in the Identity 2.0 world, like me.

The browser as the Virtual Directory GUI

I think most people will agree that the basic issue with auto-form filling is the storage and security of that storage. That is what makes the existing auto-fills a big no-no for "informed" users. So, until we have browsers that are developed with very good built-in data security through smartcard or encrypted USB support, we cannot go too far with the whole idea of identity storage on the client.
Until that time, the client will continue to make a good pit stop that allows the end user to control what is going from the IDP/Identity Provider to the Service Provider.

Internet Infrastructure Ignorance

There is an existing product that is built around XRI. Besides that, the basic issue of multi-identity and its associated management with respect to the end user is something that the products and protocols have to manage.

Tuesday, November 01, 2005

Anonymous Identity

This is one of the worst reasons I have heard against anonymizers. Now, why do I have to make myself known to the whole world if I do not have faith that the websites I access have adequate resources or the will to protect my identity, as is apparent from the way the big companies have failed us?
So these services will always fulfill a requirement in the world.

Monday, October 31, 2005

Purisma Launches Revolutionary Solution for Custom…

The basic concept seems to be similar to that developed by SRD, which IBM purchased this year. This whole area of knowledge generation through correlation, whether it is through desktop content or database content, is something that would be interesting to watch. And the next step that will come in is who is allowed to see the information that is found this way.
So, due to privacy issues, it would be really tough to use these types of products across multiple channels of a company. Before companies really go ahead and start doing these correlations, they will really need to think a lot!

IdentityBridge Provides Protocol Translation to Li…

I do not get the business model for this, i.e. what is the customer base for this product? The way I have seen it, not many people have purchased federated SSO products, and those that have expect the vendor to provide implementations of the two competing protocols and all the associated versions. Now, after purchasing a federation product, why would you want to buy a protocol-translating product?
I need to really understand why I would need it!!

Saturday, October 29, 2005

Expedia Ensures Customer Security

Hmmm... is this the beginning of the adoption of SAML as the federation protocol by corporate websites? It would really help everybody if it really kicked off... But I am not sure how ready the identity systems of the enterprises are to go to the next step of federation. Guess if the service providers build it, they will come!!

Yet Another Decentralized Identity Interoperability System

Assumptions:
  • Open
  • Identity is in URL format (guess email is not enough?)
  • Easy for developers
Profiles
Browser-based Authentication:
  1. The service provider contacts the IDP URL to get its capabilities and, based on the authentication protocol chosen, starts the authentication - Now, a few things here. First of all, this means that the SP needs to understand all the authentication protocols, be it LID, OpenID or something else. Does not make a lot of sense, but fine, let's continue.
  2. The SP uses the "protocol-supported way" to redirect the user to the IDP, which authenticates the user.
  3. Profile exchange: Well, if you need to get specific data about the user, you need to ask the Identity URL for it, like IDURL?xpath=field that is needed&lid=SP's Identity
Now the only thing is, why do we need to have this new "federation" protocol when we already have it in Liberty and SAML? I guess it is all about the removal of SOAP and making the protocol simple. Other than that, why sit down and redo work that people have already done? Wouldn't it make more sense to sit with the others and get a single way to do the same thing? Liberty has already done the work. It seems the protocol needs to be enhanced just to make the user part of the existing standards and give them control over their data during profile transfer and linking. So I guess let's wait and watch.

Friday, October 28, 2005

IIW2005: Attention Data as Identity

I love the idea that I can sell my web browser's bookmarks and history. How I wish I had not deleted my browser history.
But I guess Attention Data = Identity is too far-fetched. It could be more like a profile or persona, but does that uniquely identify me? Well, I guess that goes to what you mean by "identifies". If the identification is a "checksum" of my data then yes, but other than that it resembles more the way a corporation would like to see me, i.e. a classification system.

Analytics and Web 2.0

Based on what I have seen, Identity in Web 2.0 is about:
  • It is owned by the user instead of the corporation.
  • Since it is owned, it has to be managed by the user, which brings up the issue of what happens if the user does not manage it actively.
  • It is distributed by the user, which means the user has to look at all the fine print on what a company that is going to accept their data will do with it. Well, I am not sure how different that is compared to now!!
  • All the work that the identity does is owned by the user. I guess it is no different than now, unless we can build services which can make this process more secure and thus give the law and the user more faith in identity systems.
Then the next step comes in of allowing users to sell their attention/web history to the analytics??

Identity as a Service

Identity as a service makes sense, just like credit card services. I heard business plans around them almost a year back but did not hear anything after that. Maybe now is the time to search them out.

Tuesday, October 18, 2005

Identity in 2.0

Some summary!!

Beyond Java

So far, the way I see it, languages have come one after another, i.e. machine code, assembly, 3GL structured languages, and scripting languages being the next stop. But this has not really caught on. To me this is due to the fact that most people see scripting languages as needing to replace structured languages like Java, C, etc. Maybe a better way to look at it is to see scripting languages built over a structured language, where the third-party or OSS base components would expose hooks to write business logic using the scripting language, and business processes would be a configuration process (like a workflow configuration) rather than a code development process. Even then, I have not been able to solve how the frontend is going to integrate with this development model.

Case Study: Furthering Role-Based Access Enterpr…

A few observations:
  1. Now case studies are mostly from universities, which seems to be due to companies not going on record with the products that they have implemented.
  2. TNT has interesting technology and looks good as a way to take identity to a level where it would be easier, probably faster and cheaper if this were based on a standard, so that Cisco routers would be able to use the information and route stuff without any compatibility issue.
  3. Another thing that bothers me is the IP-stack-changing technology, which may be found intrusive by most people. a. It is coming from host firewall guys and it is free, while the appliance costs some money. b. This technology can support multiple domains and configurations (like VPN technology). Good technology to follow till a big company buys it, integrates it and tests it well, making the client free (the Acrobat/plugin model).

Monday, October 17, 2005

Ringtone Purchasing Round 2

I am not sure how the third party can deliver an application or service without information about the platform from which the ringtone request was sent (if that is not provided along with the cell phone number; but then I am just an Identity guy, not a cell phone tech expert, and do not know about the standards in this field). But I am bothered by the cell phone company as "big brother" who owns the medium, the authentication technology, and the gateway to ecommerce over an unencrypted medium, which makes them a very big owner of information on the user's physical identity, habits and social connections (guess phone usage gives you a good idea). I am sure the silos within the company itself may be keeping this information distributed, but as the integration of these identity silos is completed over time, think of the information they will have access to (if ecommerce through cell phones takes off). So going back to your earlier article, this is probably the biggest difference between Apple iTunes and the ringtone purchase model. In the case of iTunes, Apple is not in a good position to collect this kind of data and the transactions cannot be correlated, while in the case of the cell phone, the company can very quickly become very powerful and start selling users' habits and social contact info (without providing their personal information) to ringtone providers to allow them to better customize the ads etc. on a per-user basis. Whether it is good or bad will probably depend on what that information is used for!

Friday, October 14, 2005

Ringtone Purchases vs Legal Music Downloads

The basic difference between the two approaches is federation. It is an interesting thing to look at with regard to how future federations would work. An important issue that it brings out is that I would really want to understand how that mobile charging works (in terms of privacy and transactions). Does this system make the identity provider, i.e. your cell phone company, the single point that can use and sell your buying habits to the highest bidder (or all the bidders)?

Bank hits back at phishing with security trial

Guess they never read this. But at the same time, a start! Still, the idea of transaction authentication is better than person authentication. Good food for thought with regard to my ideas around identity.

Jabber HTTP Authentication Protocol

Living in the Browser world we tend to forget that there is a big issue around cross-client federation. More on this later.

Tuesday, October 11, 2005

Experts give identity management advice

Points raised:
  1. Process and system integration are challenges.
  2. "Identity Management is viewed to be the responsibility of employees in charge of physical security." This is totally against all my experience in the financial industry, where identity management is typically part of the Risk Management group, which co-ordinates with physical security and HR to develop and implement identity management solutions. But at the same time HR is the golden data source in most places.
  3. "Get the background check process right", which is typically performed by HR during the on-boarding process.
  4. "One ID across the organization": mostly a dream everybody wants but nobody has (though there are instances where organizations have been able to achieve it, at least for employees if not for customers).
  5. "Biometrics is the key to solving duplication", but a biometric cannot be converted into an identifier. It is used as authentication data, not as an identifier.

Thursday, August 11, 2005

SSO Solution

I saw this query on one of the user groups:


We are looking to move to a SSO solution, but were wondering what everyone else is doing? We have 5K+ employees that all need access to various platforms (Sun Solaris, VMS, AIX, SCO, HP-UX, Windows, Citrix, AD, Web, etc).

Is there some sort of app or some such thing that will do a cross-reference of userids? Or do we even need to worry about that (the 8-character limitation on the Unix boxes) if we implement LDAP or AD?


and I thought that this reply should give a starting point into the complete domain of Identity Management for solving the issue.


Well, my suggestion would be that you should consider the various approaches available to you and implement something that suits your requirements. The various approaches available to you are:

  1. Consolidation of authentication repositories: this refers to the basic idea of setting up an enterprise directory which all the products can tie into for authentication purposes and, to some extent, authorization too. This would essentially mean that there is one id and password that people type to log in to all the integrated applications (which has its own pros and cons in terms of ease of use vs. security of systems).
  2. Consolidation of the authentication entry point: most of the web applications can be consolidated to use a web single sign-on system, which can be tied to a directory server if needed. This allows applications that do not provide an interface to integrate with LDAP for authentication to be tied together by off-loading authentication and authorization to a single entry point (the SSO solution). This also helps build the starting point for a federated sign-on infrastructure.
  3. Consolidation of administration: this is where Identity Management solutions like SIM (look below for other possible products) can be set up to integrate with the rest of the infrastructure components that cannot be consolidated (for whatever reasons), so that they are provisioned through a single provisioning and administration system. Please note that implementation of an Identity Management solution is a very complex undertaking, is very expensive in terms of licensing and in-house training, and is not for the faint hearted. In addition, it comes with a lot of features (that may not even work properly or suit your needs) like approval workflow (to approve creation of new accounts), provisioning workflow, rules, password and account data synchronization and compliance management.
  4. Consolidation of synchronization: a lighter version of the Identity Management product is the meta-directory and password synchronization products, which can be used to synchronize account (and password) information across multiple environments without the overhead of workflows, etc.
  5. Reduced sign-on: a set of products that run on the client desktop, track the system that the client is trying to access and automatically supply the password.
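Whichever of the five approaches is chosen, the cross-reference of user ids that the question asks about has to be done first, and the 8-character Unix limit is exactly what makes it hard. The following is an added example (not part of the original reply, and not any product's code) of a small correlation pass that links platform accounts back to an HR "golden source": by e-mail where the platform records one, otherwise by a derived login. The HR feed, the platform exports and the derived-login naming convention (first initial plus surname, truncated to 8 characters) are all constructed assumptions for the demo.

```python
"""Cross-platform account correlation for an SSO/identity consolidation project.

Added example (not from the original post). The HR feed, the platform exports
and the derived-login naming convention below are all constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed HR "golden source" records.
HR_FEED = [
    {"emp_id": "E1001", "email": "maria.gonzalez@example.com", "name": "Maria Gonzalez"},
    {"emp_id": "E1002", "email": "jonathan.mcallister@example.com", "name": "Jonathan McAllister"},
    {"emp_id": "E1003", "email": "li.wei@example.com", "name": "Li Wei"},
    {"emp_id": "E1004", "email": "christopher.anderson@example.com", "name": "Christopher Anderson"},
    {"emp_id": "E1005", "email": "christina.anderson@example.com", "name": "Christina Anderson"},
]

# Constructed platform exports: (platform, local account id, e-mail if the
# platform records one, else None).  Unix logins are capped at 8 characters.
ACCOUNTS = [
    ("ad", "maria.gonzalez", "maria.gonzalez@example.com"),
    ("ad", "jonathan.mcallister", "jonathan.mcallister@example.com"),
    ("solaris", "mgonzale", None),   # truncated derived login
    ("solaris", "jmcallis", None),   # truncated derived login
    ("solaris", "oldadmin", None),   # no HR record: orphan account
    ("solaris", "canderso", None),   # ambiguous: two people derive to this login
    ("vms", "LIWEI", "li.wei@example.com"),
]

UNIX_LOGIN_LIMIT = 8


def derived_unix_login(full_name, limit=UNIX_LOGIN_LIMIT):
    """Assumed convention: first initial + surname, lower-case, letters and
    digits only, truncated to the platform's login length limit."""
    parts = full_name.lower().split()
    candidate = parts[0][0] + parts[-1]
    return re.sub(r"[^a-z0-9]", "", candidate)[:limit]


def login_collisions(hr_feed, limit=UNIX_LOGIN_LIMIT):
    """Return {login: [emp_id, ...]} for derived logins shared by more than
    one person.  Truncation makes such collisions more likely, which is why
    the 8-character limit still matters after moving to LDAP or AD."""
    by_login = defaultdict(list)
    for person in hr_feed:
        by_login[derived_unix_login(person["name"], limit)].append(person["emp_id"])
    return {login: ids for login, ids in by_login.items() if len(ids) > 1}


def correlate(hr_feed, accounts):
    """Link platform accounts to HR identities.

    Rule 1: exact (case-insensitive) e-mail match.
    Rule 2: derived Unix login match, but only when that login is unique.
    Anything else is reported as an orphan or ambiguous account so a human
    reviews it instead of the tool guessing.
    """
    by_email = {p["email"].lower(): p["emp_id"] for p in hr_feed}
    by_login = defaultdict(list)
    for p in hr_feed:
        by_login[derived_unix_login(p["name"])].append(p["emp_id"])

    linked = defaultdict(list)
    orphans, ambiguous = [], []
    for platform, local_id, email in accounts:
        emp_id = by_email.get(email.lower()) if email else None
        if emp_id is None:
            candidates = by_login.get(local_id.lower(), [])
            if len(candidates) == 1:
                emp_id = candidates[0]
            elif len(candidates) > 1:
                ambiguous.append((platform, local_id, sorted(candidates)))
                continue
        if emp_id is None:
            orphans.append((platform, local_id))
        else:
            linked[emp_id].append((platform, local_id))
    return dict(linked), orphans, ambiguous


if __name__ == "__main__":
    linked, orphans, ambiguous = correlate(HR_FEED, ACCOUNTS)
    for emp_id, accts in sorted(linked.items()):
        print(emp_id, accts)
    print("orphans:", orphans)
    print("ambiguous:", ambiguous)
    print("collisions:", login_collisions(HR_FEED))
```

The orphan and ambiguous lists are the output that matters for a consolidation project: orphans are candidates for removal or for a missing HR record, and ambiguous logins show where the truncated naming convention has already collided and a unique identifier (employee id rather than a derived login) is needed before any of the five approaches can map accounts to people reliably.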

Monday, July 11, 2005

FIM and IP Based Authorization

In the world before FIM, a lot of technologies were used to implement federated single sign on. A very common way to allow corporate level access to services was to allow all the users coming from a specific range of IP addresses (usually the client's corporate proxy server) full access to the service without requiring authentication (though identification may be implemented for personalization purposes). But with the development of the FIM standards, does it make sense to continue to require IP based authorization in addition to the FIM sign on, or does it just give an additional level of "security" at the cost of sacrificing convenience (people can only access the service from the corporate network and not from outside unless VPNed into the office)?

Tuesday, July 05, 2005

Biometrics: Some thoughts!!

After a quick read of thoughts on problems with biometrics, I was thinking about how accounts can be accessed after the person/owner has died. For example, if a system is built that provides access solely on biometric authentication (without any escrow system in place), what would be the process to access those accounts after the owner has died? Does this mean that a biometric based security system cannot be built without an escrow system in place?
Also, does it make sense from a liability point of view to become the owner of biometric data? Just in case more stringent privacy laws come into force and/or a precedent is set specifying that the data owner can ask the data manager (the enterprise that has the information about the owner) to pay for the damages caused by the loss of data, the biometric database would become a huge liability for any enterprise.
Thoughts??

Monday, July 04, 2005

Credential Mapping/Management, WS-Trust: Some use cases

The basic idea of a Credential Mapping service is to provide the necessary data to the service's client which will help the client identify itself to a specific security domain. Based on the security policy requirements of the security domain, this authentication and identification data can take various forms like id/password or a token (certificate, Kerberos ticket, etc.). This concept has been implemented in Kerberos ticket-based authentication systems, Global Sign On (GSO), Credential Mapping Providers, Security Token Services and enterprise reduced sign on. In this article I will try to discuss why such a service is important as a separate independent service within an enterprise or for an end-user.
As discussed above, the credential mapping or token generation service (hereafter referred to as the security token service or STS) has been an important part of authentication systems, single sign on integration, legacy application integration, and federated sign on. Due to the wide variety of applications that can actually use such a service, it would make sense to develop an infrastructure that provides solely this service. The other infrastructural components can integrate with the STS using various interfaces (like WS-Trust, the Kerberos Ticket Granting Service, and so on). I will try to explain some additional use-cases / reasons why this service is important as an enterprise level service instead of being part of individual solutions.
  • Federated Sign On: I assume that, based on the IBM and PingID design descriptions, there is an understanding in the FSSO space that the STS is one of the ways to go. At the same time I have been thinking that the STS is an important component that, if separated, can help build a more secure federation system. The federated single sign on is the key to other enterprises and services and thus comes with a very important responsibility to protect it. So apart from the standard ways to protect it, one idea that would make sense would be to ensure that the Federated SSO infrastructure can be broken into separate components that are managed separately, to reduce the chance of external and internal misuse. In that case, the STS would be a good candidate component that can be managed separately from the rest of the Federated SSO infrastructure.
  • Desktop Single Sign On: With the idea of user-centric sign on/identity management (aka InfoCards) taking hold, along with a good number of enterprise reduced sign on products already in place, the concept of desktop based single sign on solutions is well entrenched in the market. While InfoCards is basically built on the idea of WS-Trust from the bottom up and thus requires an STS service, the enterprise reduced sign on products have not yet looked at this aspect of the market (or at least I do not know of any such product). At the moment most enterprise reduced sign on products are built around the basic idea of password based sign on with a back end credential manager that manages the identity's passwords. These products, in combination with password synchronization tools, are giving a good ROI as identity management solutions. This segment of IAM has been missing from the federated sign on discussions (like Liberty and SAML), which is very apparent in the profile descriptions that do not consider a desktop based identity provider as a possibility (though interpretation of such a solution is possible). I think these two parts of the IAM solution set need to come together. We should see the enterprise reduced sign on (Enterprise RSO) products move to accept the concept of the STS, and the Federated SSO standards acknowledge / define the desktop based sign on profiles much better. This would mean that if Enterprise RSO needs to grow it must try to break its solution into desktop based application recognition technologies and token/password retrieval functionality, with the latter being part of the Enterprise/Personal STS infrastructure.
  • Personal Identity Providers: The idea of personal identity providers is not something that I have seen discussed. It is basically built on the observation that 80-90% of the web sites that a person accesses do not need personal information for security purposes but to provide a more personalized service. In order to provide "persona" information to these websites, an external identity provider is overkill. It would be worthwhile to develop a personal STS system (something similar to self signed certificates) that would be fully controlled by the user and would not depend on the existence of public identity providers. I feel this is one of the basic reasons why PKI never took off, since there was no desire in the industry to provide an out of the box experience to users which would help them get acclimatized to a self signed certificate system and then gradually move to public certificate providers for premium services. This means that the STS system has to be built into every user terminal and tied to the user's session on that workstation. Another important facility provided by these personal identity provider systems is to have a usable STS system even during identity provider downtime (due to either attack, or being unreachable because the network is not available, or some use cases around providing identity to network centric identity systems), by being a secured cache of claims. An important point to keep in mind is that the personal identity provider should not be built into a user centric solution like InfoCard, because that makes it an easy target for attackers. This service has to be externalized and standardized so that various implementations can compete with each other based on the user's desired level of security and personalization (so, for example, there can be smart card based solutions alongside software based solutions).

One of the basic concerns about this idea of a separate STS is the deployment of a service that will become a single point of attack for getting passwords and/or tokens. But I think, based on the acceptance of single sign on technologies and the proliferation of password databases and password synchronization technology, the STS service is very much acceptable as an application/database layer implementation (instead of living in the DMZ) within an enterprise.
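The credential-mapping idea runs through all three use cases above: a client that has already authenticated asks the STS for something a particular security domain will accept, and that domain validates it with its own trust relationship. The following is an added example (not the author's code and not any vendor's STS) of that exchange reduced to its essentials: the STS keeps one shared key per relying domain, issues a domain-scoped, expiring, signed token, and the relying party verifies the signature, the audience and the expiry with its own key. The HMAC-based token format, the domain names and the keys are constructed for this example; a real deployment would carry the same fields in WS-Trust or SAML messages.

```python
"""Minimal security token service (STS) and relying-party verifier.

Added example, not the project's or any vendor's code.  It sketches the
credential-mapping idea: a client that has already authenticated to the STS
asks for a token scoped to one target domain, and that domain verifies the
token with its own shared key.  The HMAC-based token format, the domain names
and the keys are constructed for this example; a real deployment would use
WS-Trust or SAML message formats.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _sign(key, body):
    return hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()


class SecurityTokenService:
    def __init__(self, domain_keys, ttl_seconds=300):
        # One shared secret per relying domain: compromise of one domain's
        # key lets an attacker forge tokens for that domain only, which is
        # the separation-of-components argument made in the post.
        self._keys = dict(domain_keys)
        self.ttl = ttl_seconds

    def issue(self, subject, audience, claims=None, now=None):
        """Issue a token for `subject` that only `audience` can validate.
        The caller is assumed to have authenticated `subject` already."""
        if audience not in self._keys:
            raise KeyError("no trust relationship with domain %r" % audience)
        now = int(time.time()) if now is None else now
        payload = {
            "sub": subject,
            "aud": audience,
            "iat": now,
            "exp": now + self.ttl,
            "claims": claims or {},
        }
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        return body + "." + _sign(self._keys[audience], body)


def verify_token(token, audience, key, now=None):
    """Relying-party check: signature, audience and expiry.  Returns the
    payload dict, or None when any check fails."""
    if "." not in token:
        return None
    body, sig = token.rsplit(".", 1)
    if not hmac.compare_digest(_sign(key, body), sig):
        return None
    try:
        payload = json.loads(base64.urlsafe_b64decode(body.encode("ascii")))
    except (ValueError, UnicodeDecodeError):
        return None
    now = int(time.time()) if now is None else now
    if payload.get("aud") != audience or payload.get("exp", 0) <= now:
        return None
    return payload


if __name__ == "__main__":
    # Constructed keys for two relying domains.
    keys = {"hr-app": b"hr-shared-secret", "crm": b"crm-shared-secret"}
    sts = SecurityTokenService(keys)
    token = sts.issue("E1001", "hr-app", {"role": "analyst"})
    print("hr-app accepts:", verify_token(token, "hr-app", keys["hr-app"]) is not None)
    print("crm accepts:   ", verify_token(token, "crm", keys["crm"]) is not None)
```

The audience check is what makes the token a mapping to one security domain rather than a general-purpose credential: a token issued for `hr-app` is rejected by `crm` even though both trust the same STS, and the short expiry limits what a captured token is worth.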

Tuesday, May 31, 2005

Vendor List

Updated: November 12 2006

I am trying to come up with a list of vendors and associated products in the Identity and Access Management arena. Please note that this list is based on marketing/public information and my understanding of the terms, which may not comply with any specific group's definitions and/or requirements. This is by no means a complete list and will keep growing as I get more time to add to it and find more companies (any help on that front will be really appreciated). Before we go further, let's try to define what each of these products typically does so that my mode of classification makes sense or any flaw in my classification becomes apparent.

  • Identity Management/User Provisioning: These products typically provide workflow-based identity provisioning, password reset, identity reconciliation/discovery, delegated identity administration and self-service features on a wide variety of identity platforms (like LDAP, Unix, Windows, Mainframe, ERP, CRM and so on). In addition, most of the products also provide the ability to implement rule based compliance validation.
  • Single Sign On: Typically these products allow users to authenticate in various ways (i.e. RADIUS, SPNEGO, form based, certificate, etc.) and then provide access to web applications without requesting another credential. In addition, these products also provide basic access management/control over resources (web resources in the case of WebSSO).
  • Access Control and Enterprise Rights Management: There is a new breed of independent products that provide fine-grained access control. There seems to be some confusion in the market on what constitutes access control. Most of the customers that I talk with understand access control as a policy evaluation system that can be invoked by an application to check whether a user has access to the data. But at the same time, some other vendors (which probably come from the data encryption world) see access control more as a role/rule based data decryption process. This to me sounds more like Enterprise Rights Management, which is just a special case of access control where the enforcement approach is built into the system.
  • Reduced Sign On/Enterprise Sign On: These are typically Windows desktop agent based products that automatically fill the user's ID and password into an application (web, Windows application or mainframe/terminal application) once it is accessed via the desktop.
  • Federated Identity Management/SignOn: Refers to products that provide full implementations of the SAML 1.0, 1.1, Liberty Alliance and WS-Federation protocols/profiles. In addition, some products also provide cross-domain identity provisioning.
  • Strong Authentication: Refers to products that provide authentication approaches better than passwords. This typically includes products like tokens, biometrics and new approaches to strong authentication and anti-phishing solutions.
  • New Stuff: Refers to the new breed of products like identity appliances which are out there.
  • Network Access Control: Refers to products that allow control of network access based on user identity and optionally additional criteria like virus definitions, application protocols, etc.

Please feel free to provide your comments on the basic classification definitions, product mis-classification, personal product preferences or anything relevant to this discussion.

Vendor | User Provisioning | Single Sign On/Access Control | Federated Identity Management/Sign On | Directory | Others (Privacy, Compliance, Strong Authentication)
A10 IDSentrie 1000 Identity Appliance (UNIFIED IDENTITY MANAGER) IDSentrie 1000 Identity Appliance     IDSentrie 1000 Identity Appliance (Network Event Manager and Correlation)
ActivIdentity/ActivCard/Protocom         Smart card, USB Token, One Time Password, fingerprint (Strong Authentication)
Aladdin Enterprise Single Sign-On (SSO) with eToken (Reduced Sign On)       USB Token, OTP Token, Smart Card (Strong Authentication)
Apere (Product Data protected)   IMAG - Identity Managed Access Gateway (IDentity Appliance??, NAC??)     USB Token, OTP Token, Smart Card (Strong Authentication)
Applied Identity   Identiforce (NAC, Identity Appliance)      
Arcot         ArcotID (Software based PKI which protects the private key by camouflaging it)
ASG ASG-Entact ID™ for Enterprise Identity Management ASG-Focal Point™ for Enterprise Single Sign-On (Reduced Sign On)   ASG-RadiantOne™ for Enterprise Identity Integration (Virtual Directory)  
Authentify         Voice/Telephone Based registration (Strong authentication using telephone)
Avatier Identity Management Service (Password reset, password policy enforcement, (de)provisioning, request)        
Aveksa         Aveksa (Compliance Automation)
Axalto         Smart Cards(Strong authentication)
Bayshore Networks   SingleKey (Appliance, Reverse Proxy based SSO, fine-grained Authorization-Not sure)      
BEA   AquaLogic Enterprise Security (Fine grained policy evaluation)      
Beta Systems SAM Jupiter (Workflow, Rules, Provisioning, Role Mining, password management, compliance, reconciliation ) SAM enterprise Single Sign-On (Reduced Sign On)      
BHOLD BHOLD Modeler, BHOLD Auditor, BHOLD User, Authentication, Authorization, Provisioning Manager and SSO Portal (Role Management)        
BMC CONTROL-SA/        
BNX         Unable to locate the company website bnx.com but it is in strong authentication.
Bridgestream Bridgestream (Role Membership and Role hierarchy management)        
Caymas   Identity Driven Access Gateway(NAC)      
Centrify DirectControl Suite (AD based Identity Management)        
Computer Associates ETrust Identity Manager (Provisioning, Self-service, workflow, password management) eTrust® SiteMinder® Federation Security Services, eTrust TransactionMinder eTrust Directory eTrust CA-Top Secret Security (Mainframe Security Administration)
Cisco   Cisco Clean Access/NAC Appliance(NAC)      
Citrix   Citrix Password Manager (Reduced Sign On)      
ConSentry Networks   NAC(NAC)      
Courion AccountCourier®(Provisioning), PasswordCourier(Password synchronization and reset), ProfileCourier®(Self service), Role Management (Role membership and hierarchy management)       CertificateCourier, Compliance Courier
Credentica (No known product)          
Digital Persona         DigitalPersona Pro (Strong Authentication - Fingerprint)
diamelle (Advertised as open source. Cannot find the location of the source) Identity Management Authentication Server    
e-Meta   Right Access (DRM/Enterprise Rights Management?)      
Encentuate   Encentuate TCI(Reduced Sign On with multiple authentication factor)      
EngiWeb Security (Italy) Profile Manager (Role Design and Management), Provisioning Module (Provisioning) Web Single Sign On (Web SSO)      
Entegrity   Entegrity Assure Access(DCE based Single Sign On)      
Entrust Sun Identity Manager Entrust GetAccess™ (Web SSO and access control), Passlogix v-GO Single Sign-On (Reduced Sign On)     Entrust USB Tokens, Entrust IdentityGuard™ (Strong Authentication)
EPOK Inc.   EPOK ISE System (Enterprise Right's Management and Access Control)      
Eurekify        
Evidian (Enatel)        
Fischer International Identity Management (Provisioning, Compliance, Password Management, Self-service)        
ForeScout   CounterACT (NAC)      
GemPlus         Smart Cards, OTP (Strong Authentication)
HID (Indala)         Smart Cards (Strong Authentication)
HP Select Identity Select Access Select Federation   Select Audit
IBM IBM Tivoli Identity Manager IBM Tivoli Federated Identity Manager IBM Tivoli Privacy Manager for e-business, IBM Tivoli Security Compliance Manager, IBM Tivoli Identity Manager (Built-in compliance), XML Security
IdentiPHI   IdentiPHI™ Enterprise Security Suite (Reduced Sign On), IdentiPHI™ EPM (Network Access Control)     CompliSoft(Compliance)
Identity Engines Ignition 3000E (Identity Appliance for Provisioning to switches??, RADIUS Sign On) Ignition 3000E (Network Access Control)      
Imanami SmartDL (Group Management), WebDir (Self-service tool for directory)       Directory Synchronization
Imprivata   OneSign Platform (Reduced Signon)      
i-Sprint   AccessMatrix USO (Reduced Signon), AccessMatrix™ Universal Authentication Server (Centralized Authentication Server, Token Management)      
Jericho Systems   Enterspace Security Suite (Fine-grained policy evaluation based access control)      
Juniper Networks   Unified Access Control(NAC)      
M-Tech ID-Synch (Provisioning), P-Synch(Password Synchronization, Reset), ID Certify (Account re-certification), ID-Access(Self-service Access Control), ID-Discover, ID-Telephony (Voice/Telephone based Password reset)         
MaXware Identity Center (Provisioning, workflow, password management, audit and monitoring), MaXware Data Synchronization Engine (Data Synchronization), MaXware ExpresSync (Lightweight Data Sync??)     MaXware Virtual Directory  
Microsoft Microsoft® Identity Integration Server 2003 Enterprise Edition (Synchronize Identity, user account provision, password management) Active Directory Federation Services (Federated SSO for Web Browser and Web Services - Part of Windows Server 2003 R2) Windows Server 2003 Active Directory, Strong Authentication for Microsoft Web Application and Microsoft Clients, Certificate Lifecycle Manager (from Alacris)
NetPro SecurityManager        
nCipher (Abridean) Provisor (Group Manager, Compliance Manager, Password Manager, User Manager), keyAuthority (PKI Management)       Secure APP for Peoplesoft (Access Control by Data encryption and policy enforcement), KeepSecure: SecureDB for column level database security (Access Control by Data encryption and policy enforcement), KeepSecure: SecureFS for File security (Access Control by Data encryption and policy enforcement) - More information on the supported policy model needed before classifying as an access control product.
Novell Nsure Identity Manager (formerly DirXML) (Previously a Meta-directory product but Enhanced Provisioning Module provides approval workflow, delegated admin) SAML Extension for Novell iChain, Liberty identity provider for Novell eDirectory (Liberty 1.1) eDirectory®  
OMNIKEY         Smart Card (Smart Card & Object)
Oracle Oracle Identity Manager (Provisioning - Previously Thor Xellerate) Oracle COREid Access and Identity (WebSSO), Oracle Enterprise Single Sign-On Suite (Reduced Signon From Passlogix) Oracle COREid Federation Oracle Internet Directory, Oracle Virtual Directory  
PassGo Technologies Syncom, Resync, InSync (Password Synchronization and Management) SSO Plus (Reduced Sign On), Webthority (Web SSO?), SSO (Not sure?)     Defender Tokens(Strong Authentication), Software Tokens
Passlogix   V-Go SSO (Reduced Signon)      
Persistent Systems       enQuire Identity Server, enSure Synchronization Server (Meta-Directory)  
PingIdentity     PingFederate, PingTrust    
Prodigen Contouring Engine (Role Engineering and Enforcement Validation)        
Proginet SecurForce (Role-Based Provisioning and Delegation, Identity and Password Synchronization, Self-Service Password Reset and Registration), SecurPass (Password Management) SecurAccess (Reduced SSO?? Not sure)      
Quest Provision (AD based provisioning and Password Management)        
Radiant Logic Synchronization Services(MetaDirectory)     Virtual Directory Server  
RedHat       Red Hat Directory Server  
RSA   Federated Identity   RSA SecurID Authentication (Strong authentication using One Time Password, USB, Smart Card)
SafeStone AccessIT (Provisioning, Audit and compliance)        
Secured Service Identiprise SecuredUser (Provisioning, Delegated Administration, User Self-service) Identiprise SecuredUser (Policy Server)   Identiprise SecuredUser (Virtual Directory)  
Securent   Securent Entitlement (Fine-grained access control)      
SecurIT R-Man (Role Management using Tivoli IDentity Manager)        
Siemens HiPath SIcurity DirX Identity (Self-service, Delegated Administration, Password Management, Provisioning) HiPath SIcurity DirX Access (Web SSO)     HiPath SIcurity DirX - LDAPv3, DSMLv2 and X.500 Directory Server (Directory Server), DirX Identity metadirectory (Meta-directory)
Sentillion Vergence Provisioning Manager Vergence Single Sign-on (Reduced SignOn)??     Vergence Strong Authentication (Strong Authentication?), Vergence Privacy Auditor (HIPAA Privacy??)
SUN Microsystems Sun Java System Identity Manager Sun Java System Access Manager(Federation SSO) Sun Java System Identity Auditor
Symantec (Bindview) Bit confused how identity integrates into this compliance.       Policy and Compliance Management (Define Policies), VULNERABILITY AND CONFIGURATION MANAGEMENT (Find holes on network and systems and apply Patches),
Symlabs     Federated Identity Access Manager (Federation) Virtual Directory Server (Symlabs)  
Trusted Network Technologies   Identity (Network Access control)      
Vaau Role Manager (Role Engineering and Management)       Identity Compliance (Compliance)
Veridicom         VKI (Strong Authentication - Finger print reader)
Vernier Networks   Edgewall series (NAC)      
Voelcker ActiveEntry (Provisioning, Self-service, password management)        
Open Solutions     Sun Open SSO, Java Open Single Sign-On, CoSign, CAS(Use case), Pubcookie (Web Single Sign On - No Access Control a.t.m.), Guanxi (Shibboleth) OpenLDAP Software, Penrose (Virtual Directory)  
Some companies in the "User-centric" Identity space.
Looking forward to your input on the subject, especially on open source.
Sources

Sunday, April 03, 2005

Why do you not need a provisioning solution?

In this world of compliance driven provisioning implementations, sometimes it may be worthwhile to really think about whether you need a provisioning solution in place. If the requirement is completely driven by compliance, then how can provisioning solve the issue? Provisioning, most of the time, gives the idea that after implementation the company is going to create user accounts based on the company's security standards and practices. But by its very nature it does not provide any way to stop rogue administrators from creating accounts, performing operations using those accounts and then deleting them before the next reconciliation cycle. So it seems that, from that point of view, the only feature that is of any benefit to a compliance driven implementation is the provisioning product's ability to reconcile resource accounts (either in real time or as a scheduled task) in conjunction with a policy driven compliance enforcer (which most of the provisioning products are coming out with) that validates the information based on the defined policies.
If the requirements do revolve around compliance, then the implementation should be set up entirely using audit log monitoring and alerting products, which again goes to the idea that for that you do not need any provisioning product; instead the multitude of agents that have been installed as part of various security/monitoring initiatives, in conjunction with existing BI/reporting products, can be leveraged to achieve the same result. With regard to that, the idea would be to develop a good auditing infrastructure (which most of the products come with built in) along with a good audit log aggregation and analysis system using some of the existing reporting and/or business intelligence products in the market. This may be better than implementing provisioning products, most of which are fairly new and immature in terms of these technologies.
Besides the incompatibility of compliance with provisioning products, another important aspect is their incompatibility with the modern 'SOA initiatives'. The SOA initiatives are based on the basic idea that access to a service is only through a very well defined interface accessible over a well known protocol (like HTTP or a messaging service). This allows the owners of the systems to create a very well defined interface as per business requirements instead of depending on the interfaces provided by the native products that they use. So going ahead, the directory service group need not allow users to add, delete or modify entries directly in the LDAP directory. Instead they can provide a simple interface to do that, and based on the internal directory structure, the interface will add the information into the appropriate location. This allows the abstraction of the entire schema and tree structure and provides a more business centric view (vs. a technological view) of the service. As these SOA initiatives gain ground and start to grow (especially in this era of IT service outsourcing), it may not be a very crazy idea to stop using technical interfaces (like APIs, the LDAP protocol, etc.) and start using standards based interfaces (except when all the components are owned by a single group or for performance/QoS considerations). In such a world, where the interfaces to these systems will be standard (to start off, within the company), the strength of the provisioning product in terms of adapters simply vanishes and we are left with an implementation that has a not so good workflow and rules engine and limited use of a huge set of adapters which are not of much use.
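The rogue-administrator case above is the concrete difference between the two approaches: an account created, used and deleted between two reconciliation runs never exists when the provisioning product looks, but every one of those events is in the resource's audit trail. The following is an added example (not from the original post, and not any product's logic) of the audit-log side of that argument: a parser for a constructed line-oriented audit format and a detector that reports accounts whose create-to-delete lifetime is shorter than the reconciliation interval, together with whatever logon or privilege activity the account had in between. The log format and the sample lines are constructed for the demo.

```python
"""Detecting short-lived accounts that a reconciliation cycle would miss.

Added example, not from the original post.  The log format and the log lines
are constructed; a real deployment would feed the same logic from the audit
trail of each resource.  The idea follows the post: an account created, used
and deleted between two reconciliation runs is invisible to the provisioning
product, but an audit-log pipeline sees all three events.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines (one event per line).
AUDIT_LOG = """\
2005-04-02T09:00:00Z host=db01 actor=admin7 action=create_account target=jsmith
2005-04-03T02:14:05Z host=db01 actor=admin7 action=create_account target=tmpsvc
2005-04-03T02:20:41Z host=db01 actor=tmpsvc action=logon target=tmpsvc
2005-04-03T02:21:10Z host=db01 actor=tmpsvc action=privilege_use target=tmpsvc
2005-04-03T03:05:00Z host=db01 actor=admin7 action=delete_account target=tmpsvc
2005-02-20T08:00:00Z host=app02 actor=admin3 action=create_account target=contractor
2005-04-01T17:30:00Z host=app02 actor=admin3 action=delete_account target=contractor
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) actor=(?P<actor>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+)$"
)


def parse_audit_log(text):
    """Parse lines into event dicts; malformed lines are skipped but counted
    so a silent parser failure does not look like a quiet night."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events, skipped


def find_short_lived_accounts(events, window=timedelta(hours=24)):
    """Report accounts whose create->delete lifetime is within `window`
    (the assumed reconciliation interval), with their in-between activity."""
    created = {}
    activity = defaultdict(list)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["target"])
        if ev["action"] == "create_account":
            created[key] = ev
            activity[key] = []
        elif ev["action"] in ("logon", "privilege_use") and key in created:
            activity[key].append(ev["action"])
        elif ev["action"] == "delete_account" and key in created:
            c = created.pop(key)
            lifetime = ev["ts"] - c["ts"]
            if lifetime <= window:
                findings.append({
                    "host": ev["host"],
                    "account": ev["target"],
                    "created_by": c["actor"],
                    "deleted_by": ev["actor"],
                    "lifetime_minutes": int(lifetime.total_seconds() // 60),
                    "activity": activity.pop(key),
                })
    return findings


if __name__ == "__main__":
    events, skipped = parse_audit_log(AUDIT_LOG)
    print("parsed %d events, skipped %d" % (len(events), skipped))
    for finding in find_short_lived_accounts(events):
        print(finding)
```

With the default 24-hour window only `tmpsvc` on `db01` is reported (created, logged on, privilege used and deleted by the same administrator within 51 minutes), while the `contractor` account that lived for 40 days is not; widening the window to the actual reconciliation interval of a given environment is the one tuning decision the detector needs.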
Think about that!!

Sunday, March 20, 2005

Of Delegation and Tickets

It has been lingering in my mind for too long now, but I was not sure whether the hypothesis had any basis in reality or was just another armchair thought. The idea deals with the two ways (I would love to use the word paradigm but will avoid doing so) in which provisioning product interfaces have been designed.
Most of the products that I have seen started off with delegated administration in mind, where a person (either a manager or the help desk) needs to perform operations on a single user based on a request that he/she receives out of band (verbally or by another electronic medium like email). The interfaces available to users were for self-service of personal attributes and/or password change. Besides that, the idea was that there would be only a subset of users that would perform the provisioning tasks.
Somehow that was an underestimation of the processes already in place in most larger firms. Most of the large firms have very well defined processes that can be initiated by any person in the firm by submitting either an e-document (like a ticket) or a hard-copy document (signed by a manager, probably) to a ticket management system or the help desk directly. The transition from the manual processes to a ticket based system that mimics the manual process may be out of 1) respect for the existing process, 2) resistance to and difficulties in setting up new processes, 3) the legacy of the "automate everything" stage, 4) other reasons. We have to understand that even though the existing process may not be the best way of doing things, it (being typically very specific to a company) has withstood the test of time, laws and audits. At the same time end-users have a good understanding of the interface to the process. Overloading the end-user with a new glossary to understand seems so unfair to them when they see the system as an enabler rather than an end in itself (which the provisioning team may see it as).
The request based system has its own advantages over the delegated administration model. It provides end-to-end tracking of the request generated by the end user in one place, which greatly improves the QoS, responsibility and audit tracking. Most of the delegation based access control that is currently in place is designed to give access to resources so that, for example, a help desk person from Germany should not be able to create accounts in the US domain. I do not think the lack of provisioning technology was that big a factor in not moving to a complete end-user based delegation model, which is apparent from the lack of any in-house products at most of the places that I have worked at. Another reason for not moving to a delegation based model could be that such a model does not support multiple changes being grouped in some way for easy tracking and approval.
Now, whether the implementation wants to go ahead with business process re-engineering or with implementing the existing process, an important output of the requirements gathering process should be documentation of the existing process. Most of the time the end-to-end process is not well documented. Even if there is existing training material for help desks, the resource specific documentation (which is typically handled by resource administrators) is not well maintained. This resource administration and management process is mostly passed on verbally to the next generation, or is completely absent and relies on creating replicas of "reference" accounts based on the request from the person's manager. This is an audit and compliance nightmare. So understanding the existing process can give a better understanding of potential holes in the process and may require handling of those issues (for example by setting up synchronization or running weekly reports for access validation). Another important thing to consider after the documentation of the existing process is what part of it can be optimized. At this moment I see that there would be a lot of conflict between the vendor's architects and the firm's architects. The infrastructure at firms has grown out of the firm's changing requirements over 30 years (if the firm is that old and contains mainframes). At the same time, most of the product vendors assume a simple infrastructure when they develop their basic workflows. So, most of the time a custom workflow will be required for provisioning the accounts on that custom infrastructure. I was amazed to see the lack of this basic understanding in vendors and their suggestion that the infrastructure be changed to fit the product, which would have required multi-million dollar investments.
At this point I am not very sure whether this is a generic principle that can be applied to any implementation or result of a few implementation that I have worked with. Need to do more investigation.