Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
Roles are not necessary for governance, risk, compliance and entitlement (GRCE) management, just as roads aren't necessary in order to drive cars. And just as it would be foolish to consider driving from, say, San Francisco to New York without using roads, so too would it be foolish to consider implementing GRCE management without roles. I was reminded of this when a press release crossed my desk a couple of weeks ago.
The release touted an agreement for CA to resell Eurekify’s Enterprise Role Manager which, according to the document, was a good thing for CA’s customers because: “One of the most complex and time-consuming aspects of identity management deployments is getting the corporate roles defined within the system. Manually defining hundreds of roles with thousands of users assigned to them is a time intensive project and today’s business regulations demand more. Eurekify’s can help with the role management and role mining needs, while CA delivers a leading identity management solution to automate smart user provisioning and audit duties.” Remove some of the hyperbole, and that’s what I’ve been saying, right?
Eurekify founder Ron Rymon goes even further. At the recent European Identity Conference, he told the audience that you cannot run provisioning, nor GRCE, without clear models and, by models, he meant well-defined (“modeled”) roles. He went so far as to say that roles and compliance are “intertwined” and “you cannot have one without the other.”
He ended his talk by trying to show where we are vis-à-vis roles at this point in time, listing the things that no longer apply and what should replace them. Sort of a “what’s hot” and “what’s not” for roles in mid-2008. His list includes:
What’s not:
• IAM projects without a clear business case and careful planning.
• Role modeling at “business level” only, based on preconceptions, whether or not they fit.
• Delegation of role modeling to the business through nice interfaces.
• Let's start with a few roles covering the most obvious 10% of access.
• Delegation of compliance to the business through dumb certification.
• Separate solutions for certification vs. role modeling (vs.) IT controls vs. privileges cleanup.
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.
Comments (3)
A journey..
By tuomoks on June 6, 2008, 8:23 pm
I agree "... recognize that Governance, Risk and Compliance for Identity is a journey." It's a long time since identity and role were used in corporations except...
Roles & Governance
By DarranRolls on June 6, 2008, 4:19 pm
Dave, Having served on the same panel at Kuppinger Cole EIC, I thought I’d add a few thoughts to Ron’s. Certainly, roles are a critical component of Identity GRC,...
Why don't you agree?
By Anonymous on June 2, 2008, 10:27 am
Can you expand on "I don't agree 100%" ?