It’s Ian’s first post on the Burton Group blog that’s generated some rapid fire responses in the Identity Management blogosphere (which is a very good thing!).

Ian airs his concern over the statement from potential Identity Management customers, “I’m not ready to do roles, so I won’t attempt user provisioning.”

*sigh* (make the jump for my rant)

I read that statement and had to ask myself — “what year is this?” Seriously… Shame on us sales folks. Shame on us consultants. Shame on the vendors. Is this what customers truly believe? That there’s no value from user provisioning without roles?

Jeff Bohren gets it right when he says that in the very least there is one role — “Employed.”  Seriously.

When I go into a customer environment and they seem overwhelmed by the (purported) complexity of user provisioning, screaming “where do we start?” I simply ask them — “how does your organization know when to start mailing you a paycheck?” and “how does your org know when to stop mailing you a paycheck?” It’s my Prego sauce theory: “It’s in there!” (in the organization, that is). That discussion helps moves the project forward.

Even if we need to build manual input-based workflow components, we can eliminate the often lost paper process and empower users to request access for themselves instead of calling IT Security or the Help Desk.

Dave Kearns makes some solid points in his response that most organizations are doing some kind of task-flow provisioning (most likely related on organizational responsibilities) already, even if they don’t call it “provisioning” or even have it automated through technology. He’s right to point out that organizations can benefit from role development downstream of an earlier provisioning project. IBM/Tivoli has been pitching this as a maturity model for provisioning software (TIM) for years.

In talking to Role Management/Discovery vendors (versus provisioning), one in particular sees demand specifically for their product outside of provisioning tools, with customers who don’t already have SIM, TIM, OIM, NIM, etc.

That’s a fascinating statement. Roles without a user provisioning tool.

We all need to do a better job talking to our customers about where they will gain the most value and where to start in a truly white-space environment. But I think it’s safe to say that everyone could benefit from user provisioning tools. (or maybe that’s just the former TIM Evangelist in me talking…)

What have you seen?  Do you know customers who are adopting RBAC without user provisioning?  Comment below, I’m interested!  Especially if they see user provisioning as a “later-stage” activity.

But after all this, I’m left with the feeling that while there are some excellent (and obvious) synergies to a combined role-management and user-provisioning strategy, they are not mutually exclusive nor predicated on one or the other.  If a customer wants (and needs) role discovery and management, without user provisioning, we can dive right in and get to work — instead of trying to convince them they need user-provisioning first.

I think the whole community is in agreement that we should by no means allow them to delay starting a user provisioning project just because they think they need roles first…

With all this talk of roles, I’m getting hungry for the other kind of rolls! Thanks to Sharps for sending us this funny story about Crescent Rolls. Enjoy…

The usual concern here is for corporate assets: The “ex” employee can still be logging in and looking at data after he’s gone to work for your competitor.  We have many examples where automation has exposed and eliminated this back-door.

But what about you and your personal liability? If you leave a company, and your ID stays behind, and stays active, are you liable if it’s used for bad purposes? Personally, if I were doing something “prohibited” I’d much rather be using an ID belonging to a departed employee or contractor.

As a consultant, I deal with this issue a lot. On multiple occasions, I have returned to a client months or years after leaving, and discovered that my old accounts IDs and passwords were still valid!  So, my current policy is to send the company an email, (receipt requested) telling them that I am leaving, and formally request that they de-provision the accounts. If I could put the account in a shredder myself, I would. If only there WERE a virtual account shredder I could use!

Typically, I receive what are known as “privileged” accounts.  My “heebie jeebie” meter goes way up, whenever I get one of these accounts, and it pegs the meter when I leave a gig.  Someone else, using this account, in essence in my name, can do tremendous damage, and I’d have a very hard time proving it wasn’t me.

So, what do you do to make sure your accounts die when you leave?

And remember… only 2 days left in the IronKey Giveaway!!!  </shameless_plug>  Just click here for more info on the contest…  Thanks to all who have commented thus far!

Just a reminder — we’re giving away a FREE 1GB IronKey Personal USB thumbdrive ($80 value). Really a cool device — check out the geeky specs.

You need to enter before noon, on July 1st. Just make sure to read our “Personal Metadirectory for Passwords” article, and leave a comment there with your response to our questions for a chance to win!

And don’t forget to tell your friends!

The recent issues between RIM and India bring Smart Phone security under the microscope. RIM offers “secure” email and text messaging. It’s secure because it is encrypted, and because it routes through RIM servers. RIM holds the encryption keys. India doesn’t like that, and it wanted RIM to make the keys available to the Indian government, so that the government could decrypt and read the messages.

To my knowledge this type of encrypted messaging is currently a RIM exclusive. No other cell handset supplier offers this service. And, it’s one of the main reasons corporations are comfortable sending their internal mail to BlackBerrys, and not to the generic phone.

I assume that in the US, at least, the government doesn’t have RIMs encryption keys. Further, RIM might decrypt particular traffic in response to a search warrant, but that warrant would be the extent of the activity.

So, if you are in India and you have a BlackBerry and you are concerned about message security, what can you do? (Likewise, if you are in the USA, and you are paranoid security conscious, what options do you have?) Make the jump…

Well your options are good, but limited. If you use BES, and your organization (or hosting partner) supports it, you are in luck. RIM now offers FREE S/MIME support. That means you can use your own encryption keys. If you only have BIS, S/MIME isn’t an option. A third party encryption solution is required.

A Texas company (and LiveBolt partner), Media Sourcery, specializes in secure distribution and collection of confidential information. They offer a secure smart phone application (Mobile Data Messenger) that currently works with XML form data. The application will allow you to send or receive encrypted traffic entered into a form (the form can look just like an email message, with to, from and body fields) to another Data Messenger user (or system) for retrieval (or processing).

I spoke with Media Sourcery, and they said their upcoming version offers bi-directional, confidential data exchange, does not require forms, and would work with any file type you care to send. They currently have the ability to send encrypted photos (taken by the BlackBerry camera). The newest BB OS includes viewers for .doc and .ppt files, so the capability becomes immediately more useful.

The other good thing about a third party solution like that of Media Sourcery (which is Java based) is that it will work on other smart phones (think Nokia, which has 40% of the market for smart phones). Nokia currently has no secure messaging capability, as far as we know. PGP for Mobile devices only supports Windows Mobile and Blackberry. A good third party security solution will support your organization’s broad mix of endpoints, and make them all secure.

Here’s to hoping that RIM doesn’t give away the keys to the kingdom. But if they do, we have a few options for securing our mobile email — we just have to do it ourselves.

Here are my requirements:

1. is highly secure, using accepted standards (i.e. - PKI, DES, etc)
2. works on/across multiple platforms (PC, Mac, Linux, BlackBerry)
3. synchronizes across multiple instances/platforms (as automatically as possible)
4. easy to access/use (i.e. - retrieve and use a credential, without too many hoops)

KeePass meets all those criteria, but the interface isn’t great.

I asked some friends and posted to a newslist. Answers came back including:

• KeePass
• vim -x
• Other encrypted text files (ex. Word doc, plus external encryption)
• Use a regular thumb drive with TrueCrypt
• Use a secure/encrypted thumb drive, like the Ironkey

This got me thinking along related lines.

Personal Meta-Directories

1. We all have these. Outlook, Notes, Thunderbird all have our email address books. We have our cell phone address book. We probably have a paper address book for holiday cards. Your spouse, children, boss and peers also have theirs.

2. Why don’t we keep our “Passwords” in the Address Book? Obviously because it’s not secure. Passwords should be expanded to include any required credentials (certificates, tokens, keys, etc.). But companies keep our credentials in corporate directories. Why shouldn’t individuals keep theirs in their own personal directory?

3. The KeePass is a file store with some directory-like characteristics. But it’s no real metadirectory. The address books I have are not real directories either. And in any case, many meta-directories have poor security.

But, wouldn’t it be nice to have a metadirectory with all your access credentials, as well as all your contact data? This is essentially all the data necessary to set up and negotiate the various types of communication channels you personally need and use.

What do you use?

We at LiveBolt would like to know what YOU, the reader, use for securing your “bits.”

We’ll select a user at random on July 1st from the comments below and send them a new IronKey Personal, 1GB Secure (not to mention waterproof) USB Flash Drive, by IronKey. (To the winner: we just ask that you write back and let us know what you think of it!)

To enter the contest, just reply with a comment to this post (before noon CDT on 7/1) and include your answers to the following questions:

1) How do you manage your passwords?

2) What software/hardware/methods do you use?

3) What would be your idea of a killer-app for personal “attribute” management?

Comments will be locked at noon CDT on 7/1 so we can pick a winner. Make sure to include your email address in your comment so we can contact you if you’re a winner. Good luck!!!

Edit: 1 entry per email address and/or IP address, duplicate entries will be disqualified.

Tim Russert, who grew up 3 blocks from my father, moderator of NBC’s “Meet The Press” has passed on much too early. This is truly a tragic loss — to Buffalo, to politics, to family & friends. The odd thing about today’s electronic/media/technological-age is that our DVR has Russert’s (unknowingly) last episode, and the following tribute episode with Tom Brokaw.

It can be easy to forget that behind the bits and bytes of technology, there are real human beings. Either an audit log, or a digital video recording — many of these moments are actions by people. It caused me to interrupt the scheduled delete/rotation and instead, those two episodes are tagged, “save until I delete.”

A former mentor and boss passed away at a much too young age, just a few years back, similarly sudden and tragic. At work, his technology accounts were immediately deleted and in some cases, suspended. Many at work called this step callous and insensitive. But the sad truth is there are elements out there ready, and willing to take advantage. And in Identity Management, we are sometimes on the front lines of technology response when there’s a human tragedy. It’s not callous — it’s about security.

I can only say that when we work with bulk files, HR data feeds, ACLs and workflows we take just a moment to remember — it’s not just line numbers or data elements — its human beings.

We take an even larger step towards needing IdM at home when said “Internet connectivity kit” doesn’t require a username or password for remote logins.  Nor does it perform input validation when changing factory parameters.  We even have Bugtraq and Security Focus vuln posts.

To be fair, we are talking about a coffee machine here, so IdM might be overkill.  But if I paid Amazon $1800 for a coffee machine, I wouldn’t want some script kiddie shooting coffee beans at me from across the room, or worse yet — giving me a flat white, when I clearly pressed long black.

I can hear it now…

“Yes, IBM?  Can I get a Tivoli Access Manager license for 2 users?  My wife and I are going to use TAMeb for our coffee machine…”

Source: CrunchGear

Last week, I flew to Chicago for a meeting. My wife also had a meeting in Chicago at the same time, so we flew together. My meeting went fine. Hers did not. Why? Because the speaker for the breakfast she was hosting (250 people registered) didn’t arrive. Weather was the stated issue. The speaker’s flight was cancelled, and 8 hours of waiting at the airport couldn’t get her a seat on a new plane. The flights were all too full. Essentially, there is no slack in the airline system, so “slack” shifts to the edges, to the passengers.

Now, as a business owner, I can no longer expect missing a meeting due to a travel glitch to be an exceptional event. Now I have to view it as a likely possibility. And that changes my thinking. It’s still okay to travel for a week or more of work. If I’m a day late on that schedule, I can make it up.  But, I can’t plan a trip for a two hour meeting, with any expectation that I can get there and back reliably.  The only reasonable response is to cease that type of travel, because now it’s both expensive, and very risky.

Alternatives exist. Video conferencing and Web conferencing work. I’m installing a new video conference setup in August (in new offices).  We calculate the payback time at just three trips to London for a team of two.  At that rate it will have paid for itself by the end of this year.  Web conferencing is even cheaper.

When your costs go up, your service goes down, and your reliability sinks, your customers will find alternatives. In the case of the airlines, that is already happening.

FYI, I’ve put in my time traveling. I have well over 2 million air miles. From 1996 to 2006 I logged an average of over 200 hotel nights a year. I stopped tracking at 3,000 takeoffs.

Then in December of 2006 I changed jobs and got off the road. I didn’t get on a commercial flight until last week. That was an 18 month break. Honestly, the trip wasn’t bad. For one thing it was short (overnight). I got direct flights. I got upgrades based on past history. We left on time and arrived on time.  Staff (American Airlines) were businesslike.

Just lucky, I guess.

I’m getting old and crotchety. Apparently I’m not alone. CNN reports that 100,000 people a day are choosing NOT to fly, because of the “inconvenience” involved. That’s 41 million flights a year. ( http://www.cnn.com/2008/TRAVEL/05/30/airtravel.decline.ap/index.html )

We all started flying, commercially, 70 years ago because it was “convenient”; expensive, but convenient. Safety was poor, but convenient was more important. Over time, due in large part to the FAA, safety improved. It actually improved to the point that flying is now the safest method of travel available on the planet.

For at least some of us (some 100,000 people a day) driving has now become more convenient than flying — even though it is frequently slower (for trips over 4 hours), it is more work (you have to drive yourself), more dangerous, and potentially more expensive. For at least some of us, there is now TOO MUCH security. I’m a “security guy” and for me Air Travel now has too much of a good thing.

When the FAA was trying to make air travel safe they focused on certain types of “threats,” primarily mechanical failure, pilot failure, and air traffic control (ATC) to direct traffic, and implemented systems to reduce the occurrence of catastrophic failures in those areas to minuscule numbers. For better or worse, they didn’t focus much on “bombers” or “hijackers,” with some exceptions. For example, you used to have “flight insurance” - really “crash life insurance” counters at every airport selling policies. In the bad old days, bombers were known to put a bomb in the luggage, their spouse on the plane, and buy a policy on the spouse on the way out of the airport. Removing the on-site insurance sellers removed some of the positive incentive.

For many years (up until Sept. 11, 2001), the standard procedure for dealing with a hijacking was to negotiate. This negotiating approach, sometimes lead to armed rescues, but it generally produced low loss of life.

Then, the threat changed. And it changed both the vectors of “likelihood” and of “size of damage.” Using packed airliners as missiles changes the game.

The US government responded with the TSA, now part of Homeland Security. Please note that the FAA is NOT involved any longer in this aspect of airline safety, with some minor exceptions (stronger cockpit doors being one). Whether you like it or not, in the US, the TSA is now responsible for airline security. Personally, I’m one of those who believe the TSA is mostly Security Theater (coined by Bruce Schneier — Beyond Fear: Thinking Sensibly About Security in an Uncertain World.), rather than real security. TSA will disagree and point to mountains of confiscated “weapons” and to the absence of successful hijackings.

What gets overlooked is the cost/benefit ratio. One of the basic tenets of information security is not to spend a $1 million dollars protecting a $1,000 asset. The direct and indirect costs of the TSA are ridiculously out of proportion to the benefit.

Another tenet is that you have to balance security and user convenience. If you make it too inconvenient, users will avoid or subvert your security. If they can’t subvert it, they’ll simply avoid it, whether it is requiring a log-in to post a blog comment, or getting “wanded” to board a plane.

People are willing to pay for convenience. If you inconvenience your customers, they WILL avoid you. TSA is inconvenience on a massive scale, and it could well kill the airline industry as we know it.

People expect, and SHOULD expect a certain level of respect. Respect for their person, respect for their time, respect for their property, respect for their privacy and respect for their psyche. Current TSA security theater dis-respects people on all five counts.