Catalyst: Day 2 – June 26
My summary of the salient points addressed in each Burton Group Catalyst Conference session I attended on Thursday, June 26, 2008, is included below:
Bob Blakley: Governance, Risk and Compliance
- “GRC” is a four letter word. It is not a market or solution.
- Governance, Risk Management and Compliance are distinct activities, performed by different people.
- Governance works best when it acts as round-trip management.
- Don’t allow your risk management and compliance software to be a substitute for risk management and compliance, though.
- Measure compliance on loss avoidance, not just liability avoidance.
Nick Leeson: Risk Management in the Real World
- Good risk management and good corporate governance don’t automatically transfer from the classroom.
- In rapidly-expanding markets, not all controls are in place. Control mechanisms don’t develop anywhere near as quickly as trading mechanisms.
- The interface between systems and the human element is the key – humans are needed to interpret the results shown by systems.
- The need for success creates a chasm between humans and systems. He was driven by a need for success and fear of failure.
- Each company’s internal controls should be beyond reproach.
Jay Leek (Nokia, Inc.): Enterprise Risk Management – Seeing the Forest and the Trees
- Risk management is not just about security. It is a business requirement.
- Without identified owners for risk and assets, nothing is actionable.
- Data from multiple data sources must be collected, correlated and reconciled to better evaluate who owns the risks and what the risk posture is for the organization.
- Enterprises should work toward a unified Risk Management Program by consolidating existing data, turning data into risk information and effectively communicating risk information to multiple stakeholder organizations in their language.
- Risk management is not a destination. It is an ongoing process.
Ken Anderson, Trent Henry: The Tools Landscape for Orchestrating Risk and Compliance
- A unified view of risk and compliance at a higher level in the organization usually doesn’t happen, because operational groups take care of themselves.
- Enterprise risk management is not so much a tool as a way to look at risk.
- Burton proposes a risk and compliance product pyramid with 1) a foundation of Identity Management, resources, people and process, 2) a middle layer of security compliance policy, orchestration controls and monitoring and 3) a top layer of audit automation and risk data collection.
- A key issue is providing the information executives need, when they need it.
- Dashboards may not provide the answers a CEO wants or needs. A phone call to a responsible subordinate is usually faster.
Randall Gamby: Creating “Security Embassies” in your Information Landscape
- Organizations are struggling with a myriad of geographic regulatory and governing rules.
- The number of security policies has exploded to cope with expanded regulatory demands from multiple nations.
- A “Security Embassy” model favors centralized authority (enterprise-defined policy) and distributed execution (local deployment).
Homan Farahmand: Going Global – Notes from the Field in Controlling the Extended Enterprise
- Global enterprises struggle with compliance as they attempt to scale to address global complexity and to build transparency and consistency globally.
- Creating a global controls structure must span cultural and language differences, must be implemented across geographical regions and must encompass broadly different understandings of risk and policy.
- It is difficult to create a business case for a global control program because budgets are regional.
Kevin Kampman, Ken Anderson: “Return on Organization” – Beyond RBAC
- Discussion of roles and RBAC requires that IT leaders speak in the language of the executive, focusing on the impact of RBAC on the business.
- Discussion of roles should focus on efficiency, compliance, transparency and effectiveness of outcomes.
- Roles can give an executive view of the organization by giving visibility into what the organization is really doing.
- Addressing roles within a “Return on Organization” framework can show how roles can impact organizational effectiveness.
- Role management is a strategic enabler between business and technology. It isn’t a project. It is a discipline.
Tim Weil (Booz Allen Hamilton): RBAC Implementation and Interoperability Standard (RIIS)
- The INCITS CS1.1 standard addresses RBAC implementation and interoperability, including the ability to exchange roles between systems.
- Role exchange and interoperability can be helpful for companies that grow through merger and acquisition, and for the integration between components in an Identity Management product suite.
- Role based access control vs. attribute access control is sometimes a religious war. A blended approach may be necessary to meet some requirements.
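To make the "blended approach" concrete, here is an added illustration (editor's example, not code or a schema from the RIIS talk or the INCITS standard): an RBAC check gates a request on role-granted permissions, then attribute constraints refine the decision, and the role catalog is serialized so a second system could import it. The roles, attributes and claim data are constructed for the example; the JSON layout is my own, not the RIIS exchange format.

```python
import json
from dataclasses import dataclass, field

# --- Role model (RBAC): roles grant permissions; a hierarchy lets senior roles inherit. ---
# Constructed sample data for illustration; not a real organization's role catalog.
ROLE_PERMISSIONS = {
    "claims_adjuster":   {("claim", "read"), ("claim", "update")},
    "claims_supervisor": {("claim", "approve")},   # plus everything inherited from adjuster
    "auditor":           {("claim", "read")},
}
ROLE_HIERARCHY = {"claims_supervisor": {"claims_adjuster"}}  # senior role -> junior roles it inherits


@dataclass
class Subject:
    user_id: str
    roles: set
    attrs: dict = field(default_factory=dict)   # e.g. region, approval_limit


@dataclass
class Resource:
    kind: str
    attrs: dict = field(default_factory=dict)   # e.g. region, amount, submitted_by


def effective_roles(roles):
    """Expand assigned roles through the hierarchy (transitively)."""
    seen, stack = set(), list(roles)
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(ROLE_HIERARCHY.get(r, ()))
    return seen


def rbac_permits(subject, resource, action):
    """Coarse-grained gate: does any effective role grant (kind, action)?"""
    return any((resource.kind, action) in ROLE_PERMISSIONS.get(r, ())
               for r in effective_roles(subject.roles))


# --- Attribute constraints (ABAC): refine what a role grant allows. ---
# (kind, action) -> list of (name, predicate); every predicate must hold.
CONSTRAINTS = {
    ("claim", "update"): [
        ("same_region", lambda s, r: s.attrs.get("region") == r.attrs.get("region")),
    ],
    ("claim", "approve"): [
        ("same_region", lambda s, r: s.attrs.get("region") == r.attrs.get("region")),
        ("within_limit", lambda s, r: r.attrs.get("amount", 0) <= s.attrs.get("approval_limit", 0)),
        # separation of duty: nobody approves a claim they submitted themselves
        ("not_own_claim", lambda s, r: r.attrs.get("submitted_by") != s.user_id),
    ],
}


def authorize(subject, resource, action):
    """Blended decision: RBAC gate first, then each ABAC constraint. Returns (allowed, reason)."""
    if not rbac_permits(subject, resource, action):
        return False, "no role grants %s on %s" % (action, resource.kind)
    for name, pred in CONSTRAINTS.get((resource.kind, action), []):
        if not pred(subject, resource):
            return False, "constraint failed: " + name
    return True, "ok"


def role_catalog_json():
    """Serialize the role model deterministically so another system can import it (illustrative layout)."""
    catalog = {
        "roles": {r: sorted("%s:%s" % p for p in perms) for r, perms in ROLE_PERMISSIONS.items()},
        "inherits": {r: sorted(j) for r, j in ROLE_HIERARCHY.items()},
    }
    return json.dumps(catalog, sort_keys=True, indent=2)


if __name__ == "__main__":
    alice = Subject("alice", {"claims_supervisor"}, {"region": "EMEA", "approval_limit": 10000})
    claim = Resource("claim", {"region": "EMEA", "amount": 2500, "submitted_by": "bob"})
    print(authorize(alice, claim, "approve"))
    print(authorize(alice, Resource("claim", {"region": "APAC", "amount": 100}), "update"))
    print(role_catalog_json())
```

The role check answers "is this person allowed to do this kind of thing at all", which is what the business can review and certify; the attribute constraints carry the conditions (region, approval limit, separation of duty) that would otherwise multiply roles until the model stops being readable. Keeping the two layers separate is also what makes the role catalog exportable on its own.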
Craig Cooper (IT Manager, Thrivent Financial): Implementing a Role Based Identity Management System
- Benefits they gained were improved controls and increased efficiencies.
- An unexpected benefit was that business was actively engaged with the IT project.
- Active executive sponsorship is the #1 critical success factor.
- They started with role discovery and definition, selecting high-risk areas for roles first. The Identity Management system was then implemented in parallel with Role Management.
- Be aware of dependencies and avoid interdependent IAM and RBAC activities at the same time.
Panel Discussion: Role Management and Provisioning – Co-existence or Convergence.
Panel Participants:
- Jim Ducharme (Aveksa)
- Ron Rymon (Eurekify)
- Lori Rowland (Burton Group)
- Kevin Kampman (Burton Group)
- Nick Crown (Sun Microsystems)
- Darran Rolls (Sailpoint Technologies)
- Jeff Shukis (Oracle)
Discussion:
- Roles are a language that allows us to communicate in business terms about information access.
- Roles are presently focused on enabling provisioning and access control, but may provide much broader value for the business.
- Role management and provisioning can be successfully implemented in parallel. Initial emphasis on either depends on underlying business drivers and what infrastructure is in place.
- Policy management is not as mature as role management. Policy infrastructure needs to take advantage of role infrastructure.
- There is a convergence between role management and entitlement management.
Homan Farahmand, Lori Rowland: Provisioning – A Recipe for Success
- Key needs for a provisioning project include addressing needs of many stakeholders, high level sponsorship, reconciling isolated business policies, overarching governance framework and aligning different perspectives.
- Identity management resources are still scarce, expensive and have a high turnover rate.
- Plan for the fact that reengineering identity repositories to handle unique IDs takes a long time.
- Understand the relative benefits of virtual identities vs. an identity store. There are advantages and disadvantages to either approach.
- Vendors need skin in the game. Don’t allow vendors to abandon you after the sale.
Matthew Costello (Solution Architect, Boeing): Selecting and Implementing a COTS-based IdM Solution at Boeing
- Governance and sponsorship are critical, even at the RFP and vendor selection phase.
- Recognize that the RFP is a project in and of itself, which will require a lot of work for your company and the vendors.
- Leverage the use cases you have defined for your enterprise in a POC.
- Focus on differences, not similarities between products – and implications on the enterprise.
- Vendor selection is only the first step – after procurement, the real work begins.
Technorati Tags: Identity, Digital Identity, Identity Management, Catalyst Conference, BurtonGroupCatalyst08