Posts Tagged ‘Identity’

Access Audit as a Service

December 4, 2008

NetVision announced our new Access Audit Managed Service offering today.   After years (more than a decade – in fact) of providing software tool sets to our customers we saw a distinct outcome in some customers.  This outcome is fairly common to Enterprise Software overall.  The problem outcome is under-utilization.

Frequently a compelling event such as an audit or a technology migration surfaced the need to measure something discrete. And tools were bought. And one of four outcomes occurred:

1) Successful deployment, value is realized as expected or more (yay for everyone!)

2) Never deployed.  Shame on everyone – vendors hate this probably more than the buyer hates it.

3) Deployed and well used, but the champion left the company. And no subsequent champion stepped into his/her shoes, so practices, methodology and value start a downhill slide.

4) Deployed but for a very narrow, unsatisfying purpose.  The bloom is off the value “rose” pretty quickly.

Thus our impetus for SIMON (it simply stands for Simple Monitoring).  Our goal is to be able to deliver best practice as an outcome rather than as a capability.  Some of our customers prefer the DIY (do-it-yourself) strategy – that’s fine with us too.  But for those who cannot dedicate a methodology champion or who recognize the problem but perhaps not the breadth of the solution that is available, SIMON delivers the entire methodology and service management so that the customer can just consume the result.


Policing the Power of Identity – Security by and for Identity

December 3, 2007

I recently published a whitepaper entitled Policing the Power of Identity. It’s a vision (mine anyway) for the future use and success of identity in corporate computing. Use of identity gives us a “handle” to use in consistently assessing, analyzing, monitoring, etc. insiders. We developed multiple, fairly mature disciplines for dealing with “outsider” threats (firewall, IPS, anti-SPAM, anti-virus). We should have the same goal with protecting ourselves from insider threats – which are prevalent.

I could be accused by a reader of this whitepaper of giving the impression that I think identity is the problem. That’s not the case. But as corporate IT uses identity more exhaustively for all its good purposes then identity becomes a handy mechanism for identifying insider threat – both potential and realized. This process could most accurately be described as “Policing Computing Power BY (using) Identity”. But also, casually used, identity can create a false sense of security. And in such an imperfect-use scenario identity itself can be a problem (or more accurately, poor identity management can be a problem). In that case the process we prescribe is accurately described as “Policing the Power of Identity”. And such cases are exceedingly common if our IT customers and contacts are any indication.

Either way, our goal is never to attempt to cast identity itself as bad, but instead to identify practices, tools and standards that use identity to provide better security and to improve identity management (aka security) practice. Along the way we believe that proof of compliance with regulations, policies or best practices will be a natural by-product of our efforts, at least in the area where identity is implicated.

If this sounds like an interesting line of discussion to follow, join the conversation or let me join yours. We’ve had a number of offline comments back on the premises in the whitepaper. I’ll add those to this blog in imminent posts.