Exploring the science and magic of Identity and Access Management
Having an exciting destination is like setting a needle in your compass. From then on, the compass knows only one point: its ideal. And it will faithfully guide you there through the darkest nights and fiercest storms. — Daniel Boone
In our recent CIO Roundtable tour, a question about Identity and Access Management that emerged in every session was, “where do I go from here?” It is one thing to talk about the theory of IAM; it is quite another thing to actually implement it in your enterprise.
My advice to the Roundtable participants and to you is this, “IAM is a journey, not a short-term event. Enterprises must begin to approach compliance as a long-term program, not a single project. Take stock of where you are now, set objectives for where you want to be in the future, and execute your strategy in stages.”
Think program, not project. HIPAA/HITECH compliance is a journey, not a short-term event. Enterprises must begin to approach compliance as a long-term program, not a single project. An effective and holistic compliance program should also incorporate governance and risk management. Boards of directors and executives are frequently being held to higher standards than ever before as they are expected to be knowledgeable about, and held liable for, everything going on within the enterprise.
The step-by-step process depicted above doesn’t fit everyone. It only serves to illustrate the need for defining your IAM journey as a series of phases subdivided into measurable steps. Our experience has shown that those enterprises that follow this basic process usually succeed, while those who attempt to do too much all at once, or focus on one small tactical project, often fail to realize the benefits of a well-executed IAM strategy.
Happy trails! (I couldn’t resist that last comment, even though the “happy trails” comment in my previous post dealt with airline travel, not IAM journeys.)
I read a disturbing article by Dan Schwab of Fox Chicago News this morning entitled “Probe: ID rules lax at Chicago airports.” Perhaps the fact that I will board my 13th flight segment in two and a half weeks this afternoon fueled my interest in the article, which reported “a Fox Chicago News investigation discovered a major loophole at TSA checkpoints at O’Hare and Midway.”
During the past two months, Fox flew multiple employees – male, female, black, white, and Muslim – to different destinations around the country on different airlines.
The only requirement: They were not allowed to bring a photo ID. No passport. No driver’s license.
On every occasion, these Fox employees were allowed through security without a hitch as long as they showed that the name on their boarding pass matched the name on a couple of credit cards, according to Fox Chicago News.
Credit cards for identification? What happened to the requirement of a photo ID? This shows a remarkable lack of TSA compliance with recommended policy:
The federal Sept. 11 Commission’s final report included 10 pages that focused solely on the issue of terrorism and identity fraud. The report states: “Travel documents are as important as weapons. Fraud is no longer just a problem of theft. At many entry points to vulnerable facilities, including gates for boarding aircraft, sources of identification are the last opportunity to ensure that people are who they say they are.” …
By checking credit cards rather than a photo ID, TSA simply was following its own rules, which vaguely state that passengers without an acceptable ID will have to provide “information” to verify their identity, according to Fox Chicago News.
I’m not a big fan of the TSA. To me, it is at best a huge, bumbling bureaucracy, and at worst, a huge, oppressive police force. I really don’t feel safer because of them. However, regardless of my feelings, this is a clear example of how poorly executed identity policy can lead to easily exploited security breaches, even as a false aura of safety is provided for the law-abiding majority, who obediently shed shoes and jackets, empty pockets and briefcases, and subject themselves to humiliating searches while many obvious loopholes remain.
Just one example … next time you go through the TSA screening process, notice how closely (or not) airport employees’ ID badges are examined.
PS. The Dave Granlund cartoon reminds me of the time I brought exercise weights with me on a trip. My luggage was manually searched every time – on each of four flight segments that week. I now keep those dastardly weights safely at home with my horribly dangerous one-inch pocket knife. Bitter? Nah!
Ten years ago, while employed by Oracle, I worked on a project where we tried to convince the large North American telcos to act as Application Service Providers (ASP) and host Oracle applications for their customers. We proposed that the combination of existing telco data centers, network connectivity, business customer base and billing infrastructure provided an ideal foundation for such services. At that time, we didn’t get much traction with the telcos, but Oracle went ahead and launched their own ASP service, now known as “Oracle On Demand.”
Now, as Sun awaits acquisition by Oracle, it is interesting to see telco participation in what we now term “Cloud Computing.” On Monday, AT&T announced “Synaptic Compute as a Service(SM), its latest innovative global cloud-based service, designed to give companies of all sizes simple on-demand access to scalable computing capacity.” Ironically, the press release was entitled, “AT&T Unveils Network-Based ‘On Demand’ Computing for Companies of All Sizes.” I’m not sure what Oracle might think of AT&T’s use of the “On Demand” term.
AT&T is working closely with Sun to use the Sun Cloud Open Cloud Platform, Sun Cloud APIs, cloud reference architecture and design expertise to create an environment to make it easy for developers to build and deploy value-added services.
"Sun is committed to helping our customers and partners deliver public and private clouds that are cost effective, open and interoperable," said Dave Douglas, senior vice president, Cloud Computing, Sun Microsystems. "AT&T’s network and operational excellence coupled with Sun’s Open Cloud Platform and Sun Cloud APIs delivers a revolutionary cloud offering. We’re excited to be working with AT&T to bring an enterprise-class, highly scalable offering that delivers choice and flexibility to market."
The trend towards cloud computing marches on. I think we will see more telco participation in this market. We have long accepted utility telephony services from telecom operators. Offering computing utility services is a logical next step.
The white paper I mentioned several days ago, Identity and Access Management – Enabling HIPAA/HITECH Compliance, is now hot off the press and ready for download. Thanks to all the great people at Sun Microsystems that contributed to this project and made it a reality. Hopefully, the paper will be beneficial to those who are facing the challenges of how to comply with the increasing regulations surrounding management of healthcare data and information systems.
The paper’s abstract reads:
As healthcare organizations and vendors become more reliant on digital information technology, complying with increasing regulatory requirements presents a range of challenges. This paper explores the requirements that these organizations face, best practices for implementing identity management systems that help ensure compliance, and how Sun’s pragmatic approach to identity management simplifies the technology environment.
The table of contents:
Healthcare Information Technology Challenges
Health Insurance Portability and Accountability Act (HIPAA)
Health Information Technology for Economic and Clinical Health Act (HITECH)
Impact of HIPAA, HITECH and Related Regulations
The Role of IAM in HIPAA/HITECH Compliance
Sun IAM Product Introduction
Best Practices for the IAM/Compliance Journey
How to Get Started with HIPAA/HITECH and IAM
The Sun IAM Workshop
Please let me know if you have any questions or would like to discuss the content in more detail.
It was nice to see a short piece covering the CIO Frankly Speaking Breakfast event in Toronto yesterday, where Michelle Dennedy and I fielded questions about Identity Management and Cloud Computing from John Pickett of IT World Canada. I particularly liked the statement made by Michelle, “Identities are now being realized as the true assets for the organization.”
About a month ago, I received an invitation to join a new LinkedIn group, “Canadiam – IAM in Canada,” hosted by Mike Waddingham, whom I had never met in person. Mike had recently launched a new blog of the same name, and formed the LinkedIn group to complement his blog. Mike asserted:
“Identity and Access Management in Canada is different. American identity issues are complicated by their obsession with national security. British data and privacy laws are decidedly different than ours. Identity and Access Management (IAM) implementations vary greatly from country to country. We need a ‘conversation’ about IAM in Canada. Canadiam is that conversation.”
The call for a Canadian IAM conversation is certainly timely, and I think the blog/group name is great, reminiscent of the legendary Molson Beer commercial, "I am Canadian", which Mike embedded within the maiden post on the Canadiam blog and I include here for your enjoyment.
Back in 2000 when this commercial was first released, I was employed with Oracle and doing quite a bit of work in Canada, so watching it again brought back fond memories of choice experiences I have had with great friends north of the border.
Fast forward to yesterday morning. I had arrived in Vancouver to participate as a panelist in the CIO Magazine / Sun Microsystems breakfast event, “Identity Management – Pathway to Enterprise Agility.” Before joining my colleagues at the event, I took a moment to post a short message on the Canadiam LinkedIn group that I was in town and would participate in a similar event in Toronto next Tuesday.
We had a great session, moderated by John Pickett, VP & Community Advocate at IT World Canada. Michelle Dennedy and I fielded questions about Identity Management, Privacy, Security and Cloud computing from John and members of the audience. After the session, a man from the rear of the room, who had offered several insightful comments and excellent questions, came forward to introduce himself. It was none other than Mike Waddingham himself! I hadn’t recognized him from his LinkedIn photo and certainly didn’t expect him to be in attendance. I had assumed he lived in the Toronto area. But Mike had travelled to Vancouver from his home base in Edmonton to attend the event.
I never cease to be amazed at the surprise personal encounters I have at almost every professional gathering I attend, where I meet people in person for the first time after connecting previously online. The magic of online interaction, while valuable and delightful in and of itself, always seems to be amplified by face-to-face interaction.
So, Mike and all you Canadiams, thanks for the privilege of being numbered among you as an honorary Canadian. Thanks for giving me another treasured “social networking moment.” I look forward to participating further in the Canadian IAM discussion.
It’s after 11pm in my San Francisco hotel room, where I arrived after a successful meeting in New York City, a transcontinental flight and late dinner. But I can’t go to sleep without sharing a wonderful video pointed out to me by Twitter acquaintance Mame Hampton (@momthebom).
Thanks to all the wonderful soldiers and veterans who have done so much and are continuing to serve so well to keep us free!
And thank you, Mame, for sharing this wonderful message with us.