
Exploring the science and magic of Identity and Access Management

Catalyst: Day 2 – June 26

Author: Mark Dixon
Tuesday, July 1, 2008
9:30 pm

My summary of the salient points addressed in each Burton Group Catalyst Conference session I attended on Thursday, June 26, 2008, is included below:

Bob Blakley: Governance, Risk and Compliance

  • “GRC” is a four letter word. It is not a market or solution.
  • Governance, Risk Management and Compliance are distinct activities, performed by different people.
  • Governance works best when it acts as round trip management.
  • Don’t allow your risk management and compliance software to be a substitute for risk management and compliance, though.
  • Measure compliance on loss avoidance, not just liability avoidance.

Nick Leeson: Risk Management in the Real World

  • Good risk management and good corporate governance don’t automatically transfer from the classroom.
  • In rapidly expanding markets, not all controls are in place. Control mechanisms don’t develop anywhere near as quickly as trading mechanisms.
  • The interface between systems and the human element is the key – humans are needed to interpret the results shown by systems.
  • The need for success creates a chasm between humans and systems. He was driven by a need for success and a fear of failure.
  • Each company’s internal controls should be beyond reproach.

Jay Leek (Nokia, Inc.): Enterprise Risk Management – Seeing the Forest and the Trees

  • Risk management is not just about security. It is a business requirement.
  • Without identified owners for risk and assets, nothing is actionable.
  • Data from multiple data sources must be collected, correlated and reconciled to better evaluate who owns the risks and what the risk posture is for the organization.
  • Enterprises should work toward a unified Risk Management Program by consolidating existing data, turning data into risk information and effectively communicating risk information to multiple stakeholder organizations in their language.
  • Risk management is not a destination. It is an ongoing process.

Ken Anderson, Trent Henry: The Tools Landscape for Orchestrating Risk and Compliance

  • A unified view of risk and compliance at a higher level in the organization usually doesn’t happen, because operational groups take care of themselves.
  • Enterprise risk management is not so much a tool as a way to look at risk.
  • Burton proposes a risk and compliance product pyramid with 1) a foundation of Identity Management, resources, people and process, 2) a middle layer of security compliance policy, orchestration controls and monitoring and 3) a top layer of audit automation and risk data collection.
  • A key issue is providing the information executives need, when they need it.
  • Dashboards may not provide the answers a CEO wants or needs. A phone call to a responsible subordinate is usually faster.

Randall Gamby: Creating “Security Embassies” in your Information Landscape

  • Organizations are struggling with a myriad of geographic regulatory and governing rules.
  • The number of security policies has exploded to cope with expanded regulatory demands from multiple nations.
  • A “Security Embassy” model favors centralized authority (enterprise-defined policy) and distributed execution (local deployment).

Homan Farahmand: Going Global – Notes from the Field in Controlling the Extended Enterprise

  • Global enterprises struggle with compliance as they attempt to scale to address global complexity and to build transparency and consistency globally.
  • A global controls structure must span cultural and language differences, must be implemented across geographical regions and must encompass broadly different understandings of risk and policy.
  • It is difficult to create a business case for a global control program because budgets are regional.

Kevin Kampman, Ken Anderson: “Return on Organization” – Beyond RBAC

  • Discussion of roles and RBAC requires that IT leaders speak in the language of the executive, focusing on the impact of RBAC on the business.
  • Discussion of roles should focus on efficiency, compliance, transparency and effectiveness of outcomes.
  • Roles can give an executive view of the organization by giving visibility into what the organization is really doing.
  • Addressing roles within a “Return on Organization” framework can show how roles can impact organizational effectiveness.
  • Role management is a strategic enabler between business and technology. It isn’t a project. It is a discipline.

Tim Weil (Booz Allen Hamilton): RBAC Implementation and Interoperability Standard (RIIS)

  • The INCITS CS1.1 standard addresses RBAC implementation and interoperability, including the ability to exchange roles between systems.
  • Role exchange and interoperability can be helpful for companies that grow through merger and acquisition, and for the integration between components in an Identity Management product suite.
  • Role-based access control vs. attribute-based access control is sometimes a religious war. A blended approach may be necessary to meet some requirements.

Craig Cooper (IT Manager, Thrivent Financial): Implementing a Role Based Identity Management System

  • The benefits they gained are improved controls and increased efficiencies.
  • An unexpected benefit was that the business was actively engaged with the IT project.
  • Active executive sponsorship is the #1 critical success factor.
  • They started role discovery and definition activities first, selecting high-risk areas for roles. Then the Identity Management system was implemented in parallel with Role Management.
  • Be aware of dependencies and avoid interdependent IAM and RBAC activities at the same time.

Panel Discussion: Role Management and Provisioning – Co-existence or Convergence?
Panel Participants:

  • Jim Ducharme (Aveksa)
  • Ron Rymon (Eurekify)
  • Lori Rowland (Burton Group)
  • Kevin Kampman (Burton Group)
  • Nick Crown (Sun Microsystems)
  • Darran Rolls (Sailpoint Technologies)
  • Jeff Shukis (Oracle)

  • Roles are a language that allows us to communicate in business terms about information access.
  • Roles are presently focused on enabling provisioning and access control, but may provide much broader value for the business.
  • Role management and provisioning can be successfully implemented in parallel. Initial emphasis on either depends on underlying business drivers and what infrastructure is in place.
  • Policy management is not as mature as role management. Policy infrastructure needs to take advantage of role infrastructure.
  • There is a convergence between role management and entitlement management.

Homan Farahmand, Lori Rowland: Provisioning – A Recipe for Success

  • Key needs for a provisioning project include addressing the needs of many stakeholders, high-level sponsorship, reconciling isolated business policies, an overarching governance framework and aligning different perspectives.
  • Identity management resources are still scarce, expensive and have a high turnover rate.
  • Plan on reengineering identity repositories to handle unique IDs taking a long time.
  • Understand the relative benefits of virtual identities vs. an identity store. There are advantages and disadvantages in either approach.
  • Vendors need skin in the game. Don’t allow vendors to abandon you after the sale.

Matthew Costello (Solution Architect, Boeing): Selecting and Implementing a COTS-based IdM Solution at Boeing

  • Governance and sponsorship are critical, even at the RFP and vendor selection phase.
  • Recognize that the RFP is a project in and of itself, which will require a lot of work for your company and the vendors.
  • Leverage the use cases you have defined for your enterprise in a POC.
  • Focus on the differences, not the similarities, between products – and their implications for the enterprise.
  • Vendor selection is only the first step – after procurement, the real work begins.


Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.