Network World
Friday, August 29, 2008

Roles & Governance


Dave,

Having served on the same panel at Kuppinger Cole EIC, I thought I’d add a few thoughts to Ron’s. Certainly, roles are a critical component of Identity GRC, but it’s not true to say that you can’t achieve Governance Risk or Compliance without a completed role model being in place. I would argue that the role model is a very important member of a family of controls needed to achieve sustainable identity governance. An effective governance model for identity needs to include role management, access certifications, policy enforcement, activity monitoring and risk analysis.

I agree that it’s important to recognize that Governance, Risk and Compliance for Identity is a journey. Sure, you want to be on the fastest road possible, but sometimes there are required detours to meet business needs, security concerns and compliance directives. That’s why I believe that saying all you need for compliance is roles is like saying the only way to get from LA to New York is by driving that freeway. The reality is there are many options, even if you do now have to pay an extra $15 for your bag :-). The best way to get there always depends on specific circumstances, needs, timing and resources. Every role project, every enterprise GRC deployment and potentially every client, has very different challenges that need to be addressed through the development of that role model. As a vendor in the roles space, I’m obviously glad to see the industry at large now addressing roles more strategically. I am, however, a little concerned by the notion that roles are being seen as a quick-fix for every failing identity management project. That feels like a flight to New York that’s likely to land in Wichita Falls due to a failed customer expectation on the left wing.

Gee, it must be analogy Friday :-)

Darran Rolls (CTO SailPoint)

A journey..


I agree "... recognize that Governance, Risk and Compliance for Identity is a journey."

It's a long time since identity and role were used in corporations except on paper, and even that is a big maybe! The reason may be technical: in the 70's, when it was hot and commonly(?) used, role and identity management were centralized and much easier; then came the PC time, with no central control of anything?

The journey always(?) started with HR because they were the keepers of roles and identities connected to those roles. Fortunately, because they were already handling sensitive information, it was an easy road to negotiate; they easily understood that there could be a need to control and manage other sensitive information and actions based on a role. Maybe it also made the rest of the road easier: HR can be a powerful companion on a trip but (usually) doesn't want to say how you drive, so the implementation (driving) is easier without "the backseat driver". Some other departments / organizations are not always as easy, like IT itself or accounting or .., but having HR on your side gives some weight. Risk and Compliance were like calling back from the journey to your top management and lawyers, checking that you are going in the right direction, telling you that the roads have changed ahead, or maybe telling you that the journey has to go through certain places before it can continue.

The benefits were great: the roles could be managed, added, deleted, updated, merged, saved for future use, etc., with identities managed the same way, added, deleted, ... with "one" key stroke. Because the roles were bound to every action and information in IT, configuring a new one or deleting an old one, etc., took most of the time just seconds and didn't always have to be real time; they could be planned a long time ahead because every role, identity and change could be timed. There was a log to see what, where, when and by whom was done, when anyone was allowed access and to what, when the access rights were changed or deleted, etc. This made the IT (and other) planning and management so much easier, safer, more economical, ... that I can't even describe it. (And changed my life back from 24x7 to (almost) normal working hours!)

Now, of course, once the road is mapped comes the question of who controls and manages it - but politics in corporate life is another story for another time, as interesting as it can be..
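As an added example (not the commenter's code and not anything from Network World or SailPoint), here is a small Python sketch of the mechanism the comment above describes: permissions are bound to roles, identities get time-bounded role assignments that can be planned ahead, and every change is written to an audit log recording what was done, when and by whom. The role, permission and identity names are constructed for illustration.

```python
"""Role-based access with timed assignments and an audit trail (constructed example)."""
from dataclasses import dataclass, field, replace
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)


@dataclass(frozen=True)
class Assignment:
    """An identity holds a role from `start` until `end` (None = open-ended)."""
    identity: str
    role: str
    start: datetime
    end: Optional[datetime]

    def active_at(self, at: datetime) -> bool:
        return self.start <= at and (self.end is None or at < self.end)


@dataclass
class RoleStore:
    roles: Dict[str, Set[Permission]] = field(default_factory=dict)
    assignments: List[Assignment] = field(default_factory=list)
    audit: List[dict] = field(default_factory=list)

    def _log(self, actor: str, at: datetime, event: str, **detail) -> None:
        # Every mutation is recorded: who did it, when, and what changed.
        self.audit.append({"who": actor, "when": at.isoformat(), "event": event, **detail})

    def define_role(self, role: str, perms: Set[Permission], actor: str, at: datetime) -> None:
        # Adding a permission to a role changes what every holder can do, at once.
        self.roles.setdefault(role, set()).update(perms)
        self._log(actor, at, "role.define", role=role, perms=sorted(perms))

    def assign(self, identity: str, role: str, actor: str,
               start: datetime, end: Optional[datetime] = None) -> Assignment:
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        a = Assignment(identity, role, start, end)
        self.assignments.append(a)  # may be scheduled well ahead of `start`
        self._log(actor, start, "assignment.add", identity=identity, role=role,
                  end=end.isoformat() if end else None)
        return a

    def revoke(self, identity: str, role: str, actor: str, at: datetime) -> bool:
        # Close the assignment instead of deleting it so the history stays intact.
        for i, a in enumerate(self.assignments):
            if a.identity == identity and a.role == role and a.active_at(at):
                self.assignments[i] = replace(a, end=at)
                self._log(actor, at, "assignment.revoke", identity=identity, role=role)
                return True
        return False

    def effective_roles(self, identity: str, at: datetime) -> Set[str]:
        return {a.role for a in self.assignments if a.identity == identity and a.active_at(at)}

    def is_allowed(self, identity: str, resource: str, action: str, at: datetime) -> bool:
        return any((resource, action) in self.roles[r]
                   for r in self.effective_roles(identity, at))


def demo() -> RoleStore:
    """Constructed scenario: a clerk role, a contract worker, a mid-term role change."""
    s = RoleStore()
    s.define_role("ap_clerk", {("invoices", "create"), ("invoices", "read")},
                  actor="hr_admin", at=datetime(2008, 8, 1))
    # Assignment entered in August, effective September through December.
    s.assign("alice", "ap_clerk", actor="hr_admin",
             start=datetime(2008, 9, 1), end=datetime(2009, 1, 1))
    return s


if __name__ == "__main__":
    store = demo()
    print(store.is_allowed("alice", "invoices", "create", datetime(2008, 10, 1)))
    for entry in store.audit:
        print(entry)
```

The decision function is evaluated against a point in time, so the same store answers "was alice allowed to do this on that date?" for the log review the comment mentions, not just "is she allowed now".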
