IdM Axiom

William Malik
Axioms for Identity Management E046 2024 12 03
A Bit of Security for December 3, 2024
To make an art into a science, we need to establish core principles (axioms) that can serve as a foundation for a logical assessment of the art’s components. Let’s give this a try for identity management.
When I began covering identity management at Gartner, I realized that there were two symmetrical problems. The first was the user's perspective: having so many different logons to a multitude of services. This was called the Single Sign-On (SSO) problem. It was hard to solve because each user came from a slightly different platform and accessed a wildly different set of applications to get their job done. Very few applications even considered providing an API for user authentication beyond simple enrollment. It took years before software standards groups developed standard APIs. Every attempt to create a general SSO tool failed, as the effort for each platform was proportionately large compared with the value to the customer. If I, as a user, saved a few seconds logging on, it was a fool's errand to aggregate all those minuscule increments and say to Global XYZ Corp that by saving 30 seconds per user per day across your 200,000 employees, you'll realize 8,250 person-years of savings … nope, not really. When you measure small savings you need to round down. Ultimately nobody would buy SSO because, although everyone gets a tiny benefit from it, nobody wants to take the budget hit to pay for it.
WebSSO, asking the user to sign in through a web page rather than directly, had some success for a time. The big four companies that offered it all got acquired within a few years – Dascom went to IBM, Encommerce went to Entrust, Securant went to RSA, and Netegrity went to Computer Associates.
That's one side of the story. The other side, the mirror image, is the problem the security administrator has. While he has never met me, he sees a bunch of permission requests linking something like my user ID to a set of applications, and knows that when something happens in my career, such as moving into a new role, retiring, quitting, or being fired or laid off, something will have to happen to all those permissions. He has the consolidated user administration problem. A solution to that problem at least has a market.
The three criteria for a product to be viable are that (1) the problem is pervasive, (2) it is urgent, and (3) there is someone willing to pay to solve it. The SSO problem was pervasive, hardly urgent in most cases, and there was no buyer. The consolidated user admin problem is pervasive, urgent, and there is an organization willing to pay to solve it. Note the symmetry. One user looks across a field of application access methods and permissions; and, from the other side of the mirror, one administrator, who can't see the user at all, sees a large set of access methods and permissions that have to move in step.
Transforming that insight into a product gives us the whole identity governance domain. Beyond managing IDs, we need to enforce separation-of-duties rules, manage transitions smoothly with little interruption, preserve controls over resource access, and deal with exceptions. These are key issues, as important as managing money, inventory, and intellectual property. Knowing there is a conceptual symmetry underlying these tasks makes deploying solutions possible, rational, verifiable, and practical. Consider how much easier deploying AI would be if we had some such underlying axioms to guide its fit with your enterprise's business architecture.
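As an added illustration (not code from the video or its author), here is a small Python model of the two mirror-image views described above: the user side, where an identity's roles and approved exceptions determine what it should hold, and the administrator side, where joiner/mover/leaver events, separation-of-duties rules and reconciliation against what the applications actually hold keep all those permissions moving in step. The role catalogue, entitlement names, SoD rule, users and dates are constructed for the example.

```python
"""Minimal identity-governance model (constructed example): lifecycle events,
separation-of-duties (SoD) checks, time-boxed exceptions and reconciliation."""
from dataclasses import dataclass, field
from datetime import date

# Hypothetical role-to-entitlement catalogue.
ROLE_ENTITLEMENTS = {
    "ap_clerk":   {"erp_login", "ap_create_vendor"},
    "ap_manager": {"erp_login", "ap_approve_payment"},
    "hr_analyst": {"hris_login", "hris_read_pii"},
}

# Hypothetical SoD rule: nobody may both create vendors and approve payments.
SOD_RULES = [frozenset({"ap_create_vendor", "ap_approve_payment"})]


@dataclass
class AccessException:
    """An approved, time-boxed grant outside the identity's roles."""
    entitlement: str
    approver: str
    expires: date


@dataclass
class Identity:
    user_id: str
    roles: set = field(default_factory=set)
    exceptions: list = field(default_factory=list)


def desired_entitlements(identity: Identity, today: date) -> set:
    """User-side view: everything this identity should hold today."""
    wanted = set()
    for role in identity.roles:
        wanted |= ROLE_ENTITLEMENTS.get(role, set())
    wanted |= {e.entitlement for e in identity.exceptions if e.expires >= today}
    return wanted


def sod_violations(entitlements: set) -> list:
    """Return every SoD rule whose conflicting pair is fully present."""
    return [rule for rule in SOD_RULES if rule <= entitlements]


def apply_lifecycle_event(identity: Identity, event: str, today: date,
                          new_roles=()) -> tuple:
    """Joiner/mover/leaver handling. Returns (grant, revoke, violations).
    A change that would violate SoD is rolled back and reported, not provisioned."""
    before = desired_entitlements(identity, today)
    saved = (set(identity.roles), list(identity.exceptions))
    if event == "joiner":
        identity.roles = set(new_roles)
    elif event == "mover":
        identity.roles = set(new_roles)
        identity.exceptions = []      # exceptions granted for the old job do not travel
    elif event == "leaver":
        identity.roles = set()
        identity.exceptions = []
    else:
        raise ValueError(f"unknown lifecycle event: {event}")
    after = desired_entitlements(identity, today)
    violations = sod_violations(after)
    if violations:
        identity.roles, identity.exceptions = saved
        return set(), set(), violations
    return after - before, before - after, []


def request_exception(identity: Identity, exc: AccessException, today: date) -> bool:
    """Record an exception only if it keeps the identity SoD-clean."""
    candidate = desired_entitlements(identity, today) | {exc.entitlement}
    if sod_violations(candidate):
        return False
    identity.exceptions.append(exc)
    return True


def reconcile(identities: dict, observed: dict, today: date) -> tuple:
    """Administrator-side view: compare the desired state with what the
    applications report (entitlement -> set of user IDs). Returns
    (to_grant, to_revoke) as sets of (user_id, entitlement); orphan accounts
    with no governed identity end up in to_revoke."""
    desired = {(i.user_id, e) for i in identities.values()
               for e in desired_entitlements(i, today)}
    actual = {(uid, e) for e, users in observed.items() for uid in users}
    return desired - actual, actual - desired


if __name__ == "__main__":
    today = date(2024, 12, 3)
    alice = Identity("alice")
    print(apply_lifecycle_event(alice, "joiner", today, ["ap_clerk"]))
    print(apply_lifecycle_event(alice, "mover", today, ["ap_manager"]))
    print(apply_lifecycle_event(alice, "mover", today, ["ap_clerk", "ap_manager"]))
    observed = {"erp_login": {"alice", "carol"}, "ap_approve_payment": {"alice"},
                "ap_create_vendor": {"alice"}}
    print(reconcile({"alice": alice}, observed, today))
```

The mover case is where the symmetry bites: the user only notices a new role, but the administrator must revoke the old role's entitlements, drop exceptions tied to the old job, and refuse any combination that lands in an SoD conflict. Reconciliation then catches the two things an identity store alone cannot see: entitlements that stayed behind in an application, and accounts that belong to nobody.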
That’s our Bit of Security for Monday, December 3, 2024. I’m William Malik. Be safe!
To make an art into a science, we need to understand core principles. Here's one for identity management. Listen to this -
Let me know what you think in the comments below or at wjmalik@noc.social
#cybersecuritytips #IdM #identitymanagement #IAM #softwareengineering #BitofSec
