
What's hot and what's not for role management

A look at the current state of role management
Security: Identity Management Alert. By Dave Kearns, Network World, 06/02/2008

Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.


Roles are not necessary for governance, risk, compliance and entitlement (GRCE) management, just as roads aren't necessary in order to drive cars. And just as it would be foolish to consider driving from, say, San Francisco to New York without using roads, so too would it be foolish to consider implementing GRCE management without roles. I was reminded of this when a press release crossed my desk a couple of weeks ago.

The release touted an agreement for CA to resell Eurekify’s Enterprise Role Manager which, according to the document, was a good thing for CA’s customers because: “One of the most complex and time-consuming aspects of identity management deployments is getting the corporate roles defined within the system. Manually defining hundreds of roles with thousands of users assigned to them is a time-intensive project and today’s business regulations demand more. Eurekify can help with the role management and role mining needs, while CA delivers a leading identity management solution to automate smart user provisioning and audit duties.” Remove some of the hyperbole, and that’s what I’ve been saying, right?

Eurekify founder Ron Rymon goes even further. At the recent European Identity Conference, he told the audience that you cannot run provisioning, nor GRCE, without clear models and, by models, he meant well-defined (“modeled”) roles. He went so far as to say that roles and compliance are “intertwined” and “you cannot have one without the other.”

He ended his talk by trying to show where we are vis-à-vis roles at this point in time, listing the things that no longer apply and what should replace them. Sort of a “what’s hot” and “what’s not” for roles in mid-2008. His list includes:

What’s not:
• IAM projects without a clear business case and careful planning.
• Role modeling at “business level” only, based on preconceptions, whether or not they fit.
• Delegation of role modeling to the business through nice interfaces.
• Let's start with few roles covering most obvious 10% of access.
• Delegation of compliance to the business through dumb certification.
• Separate solutions for certification vs. role modeling (vs.) IT controls vs. privileges cleanup.

Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.

Comments (3)

A journey..
By tuomoks on June 6, 2008, 8:23 pm
I agree "... recognize that Governance, Risk and Compliance for Identity is a journey." It's a long time since identity and role were used in corporations except...


Roles & Governance
By DarranRolls on June 6, 2008, 4:19 pm
Dave, Having served on the same panel at Kuppinger Cole EIC, I thought I’d add a few thoughts to Ron’s. Certainly, roles are a critical component of Identity GRC,...


Why don't you agree?
By Anonymous on June 2, 2008, 10:27 am
Can you expand on "I don't agree 100%"?
