Wednesday, October 24, 2007

Oracle integrates Bharosa

I spoke about having a to blog list of things back in August. One of the things on that list was some thoughts on the Oracle acquisition of Bharosa. In light of Oracle announcing a few days ago that they had completed the integration, I thought now would be a good time to cross the item off my list.

First of all, the product name. It's now called Oracle Adaptive Access Manager (OAAM). They've kept to the boring naming convention that seems to be the norm in the Enterprise Identity and Access Management (IDM) industry (with an exception which I talked about here).

Oracle also acquired Bridgestream recently (I wrote about that here). As I've said previously, couple that with the Bharosa acquisition and this gives Oracle 2 products in their suite that the other major vendors do not have the capability to match.

I've spoken with many a customer who has commented on the fact that it would be great if web access management solutions provided some protection against fraudulent activity. This used to occur on a monthly basis, so it's something that the market has been asking for (which is exactly why Bharosa filled a need). The large vendor answer used to be "well, just hook the audit logs of the access management product to a security event management product and write in some rules for alerting". To be truthful, this answer was crap. Unfortunately, it was the only answer that could be given without being kicked out of the room.

With the Bharosa acquisition, Oracle filled this need and added much needed and very useful capability into their suite. Sure, OAAM gives Oracle additional features around authentication. But the most important thing is that it monitors and reacts to potentially risky or fraudulent behaviour in real time. For example, a user could have access to perform certain actions or access certain parts of a web application, but if they exhibit risky behaviour leading up to the sensitive transaction, they can either be challenged further or be denied access completely. This is extremely powerful and can be a preventative measure which stops fraud dead in its tracks instead of only allowing for follow up analysis after an incident, assuming someone even noticed in the first place. This is true dynamic authorisation based on behaviour rather than traditional "yes/no" authorisation decisions that are so prevalent in the access management technologies today.

There will of course be times where the technology gets it wrong and prevents legitimate users from doing things. This will no doubt cause some pain on the user's part and subsequently on the service provider's part (e.g. customer satisfaction issues). But this is a lot better than allowing fraudulent activity to occur and then telling the user about it after the fact. In the case of banks, the costs are usually absorbed (although they are not necessarily required to - they just do it to keep their customers happy). In other cases, the user has to wear the loss. Ask someone if they would rather be denied access as opposed to losing their money and 99% of the time, they'll pick the "deny access" option. Of course, there are trade offs. If they get denied too often, then they go somewhere else. It's a balance and this is where getting the rules and policies correct are critical. You want to be able to protect against fraudulent activity without getting in the way of business. This should be the mantra of all security departments. DO NOT get in the way of business while keeping things secure. The best security technologies are business enablers, NOT business inhibitors. It's how one gets the balance correct that will go a long way towards measuring the success of a security department and subsequently the IT department.

What I'm about to say may sound familiar to those that read my Oracle and Bridgestream post.

Having OAAM gives Oracle an additional dimension to the way they can perform access controls and access management in their Identity and Access Management deployments. It also puts them ahead of their competition in terms of feature/function comparisons. So from a technical marketing standpoint, they are ahead and may win some deals this way. I mention this because it's only going to help if someone REALLY wants this type of functionality. It possibly also makes Oracle more favourable when analysts do their quadrants and charts.

But the main thing to keep in mind is that most software sales are not made based on feature/function comparisons. They are only useful in tenders (RFIs, RFTs, RFPs) to allow vendors to answer "yes" to more questions. Having something extra will generally not win a deal. NOT having something that is mandatory however, can lose a deal. That's all Oracle have done. Bought insurance against losing a bid. From a technical and IDM suite perspective however, it's a good move. It's also great to have the capabilities in place if you're implementing it in your environment. Whether it actually works as prescribed however, I don't know. I've never implemented Bharosa. Time will tell.

Saturday, October 13, 2007

Symantec going DLP?

I go and talk about Vontu and the next thing I read is that there's a rumour flying around about an acquisition. If InfoWorld is right, it will be announced next week that Symantec is acquiring Vontu.

No I don't have any inside information. I don't work for Vontu. I know some have been wondering (based on some of the search referrals that have been coming through - although no one's actually piped up and asked me directly). I wasn't exactly full of praise about Vontu in my last post was I? I didn't think so.

So assuming this moves ahead, we'll have 3 BIG Vendors in the DLP space. McAfee, EMC (they acquired Tablus earlier this year and rolled it into their RSA division) and Symantec.

Looks like DLP's going mainstream very quickly, which is obviously good for the industry and organisations looking at a DLP solution.

Friday, October 12, 2007

DLP vendor race

I'm still in a data security mood, so those of you in the identity world can tune out this time round if you like...or if you want to broaden your horizons, read on :)

Remember when I said to implement a proper data leakage prevention (DLP) solution you need an agent on the endpoint? If you're new to the blog or if you're one of the lazy ones and don't bother reading my posts that go for longer than 2 paragraphs (you know who you are), go read about what I said here (this post somehow managed to get a mention on the Network Sentry blog at IT Business Edge - I don't know how).

Now that you're back, let's get to the point. Vontu are one of the main vendors that always get a mention when you talk DLP, but they've always only had a network based solution. What that meant was that they could only watch data flowing on the network and prevent it from leaving. Once a laptop leaves the corporate network, data could easily escape and no one would be the wiser. This is the main reason you need an agent. An autonomous one that doesn't need to be connected to the network to enforce security policies for information.

As I said, there have typically been 2 types of DLP vendors. Network centric ones, and endpoint centric ones. It seems Vontu agrees with what I said because they've realised they need to be at the endpoint to really get serious about being a DLP solution. In doing so, they are the first (that I know of) to take a serious stab at doing both.

They announced earlier this month that they now have an endpoint agent. I took a look at the functionality and while useful, is still quite a way behind what some of the other endpoint DLP vendors can do in terms of functionality. In other words, they're playing catch-up. The advantage they have is that if an organisation wants to go with a network centric approach (I don't really know why they would - although these tend to be cheaper) with some coverage on the endpoint (but not a lot) then they can go with Vontu.

Where Vontu may win out in the short term is in the marketing stakes. Organisation that are easily sold based on Powerpoint slides may be convinced that Vontu is the way to go. My money's on Vontu going out and saying "we're the only ones that cover all the bases for DLP because we do the network aspects and we cover the endpoint". It's very difficult to sell on feature function unless a customer really has specific requirements that one vendor can meet better than the other. And even then, the only way to prove it is in a bake-off, because everyone's going to say "yes" to most requirements.

I have no doubt Vontu will continue to add functionality to all their products. This can only be good for competition in the high profile space that's come to be known as DLP. The question is how fast can they run? Will they catch up in the endpoint game (unlikely unless they double the size of their development team because they've now got more products to work on)? What about the other vendors? How fast are they running? Do they care that Vontu are in the endpoint DLP space now (rhetorical question)?

Of course I'm just stating the obvious. In any new area of enterprise software, almost all the major players are small to mid-size companies/start-ups. It's usually the ones that run the fastest that will win out in the end. Not always, but it sure helps.

Thursday, October 11, 2007

McAfee acquires SafeBoot

McAfee announced earlier this week that they were acquiring SafeBoot for $350 million USD. It's actually a good move, despite what I'm about to say.

It's almost like the McAfee product strategy people have been going through the PCI-DSS standards and acquiring technology to address gaps in their portfolio so they can sell a portfolio that "solves" all of a customer's PCI issues (or so they say):
  1. They've had their Anti-virus and Anti-spyware solutions for a long time.
  2. They acquired Onigma at the end of 2006 for its data leakage/loss prevention/protection (DLP) capabilities. They also just updated the DLP product with functionality to catch up with its competitors somewhat (although they're still behind in functionality).
  3. They've got network access control software.
  4. They've got a so called policy engine.
  5. And now they've just shored up their encryption capabilities with the SafeBoot acquisition.

The gaps left are:
  1. Firewall - but McAfee will probably say they've got that covered with their intrusion prevention solutions working in conjunction with their network access control solution.
  2. System passwords and restricting access to information. In other words, Identity and Access Management.
  3. Testing and monitoring all accesses to resources and data. Again, more Identity and Access Management - although McAfee will also claim their DLP product working with their network access control product and their policy engine gives them the tick in the box here.
It all looks very nice on a marketing slide of course. They still have to integrate all this technology. The technical integration of acquired products takes time and they usually don't play nicely with each other until the N+2 or N+3 release post acquisition.

Another thing. Their list of products is growing. If they aren't careful, they'll end up like Tivoli's portfolio from a few years ago, where half the products overlapped in functionality with the other half and very few of them worked nicely together. Tivoli have since fixed that, but it took a few years.

YouTube for documents pose risk to data security

The YouTube problem faced by content producers (e.g. television networks, record companies) has largely been a non-issue for most organisations. It's a big problem for them however. Articles all over the place going on about the billions of dollars in revenue being lost because it's easy for people to post and watch things on YouTube. Some have given up and embraced YouTube as a place to promote their artists. For example, RCA Records has a YouTube channel where you can watch all their latest music videos...and many old ones too.

The thing about YouTube is that it makes things you want to watch really easy to find. Just search for it. That's the real power (that and they were first to market and are now owned by Google, but these facts don't help with what I'm trying to say). It's a lot easier than asking your friends via email, instant messaging or social networking sites if they have certain files. YouTube also doesn't limit your "search network" to just your friends. You can search for videos posted by millions of people you don't know and will likely never meet.

Peer-to-peer networks, although related to the problem at hand are another issue altogether. They expose the same types of issues, but they are not as big of problem as one might think when it comes to corporate networks once you compare it to what I'm about to outline. Allow me to explain.

In a corporate environment, it's relatively easy to control the network traffic and applications that your users are running. With the right tools in place, you can prevent users from installing and running peer-to-peer applications or block the relevant network connections required for these things to function. This is a MUST. Imagine the whole peer-to-peer network workwide potentially being able to search for proprietary and sensitive information that is held on your corporate network. Users aren't trying to be malicious most of the time, but they aren't security people either. So they inadvertently leave great big holes in your organisation.

Imagine KFC's list of 11 secret herbs and spices being hosted on a KFC server somewhere and having that exposed to a peer-to-peer network! They probably wouldn't go out of business, but someone would put a serious dent in their revenue if they got their hands on it. Or if you're a retailer and one of your employees accidentally leaves a file full of customer financial details unencrypted and sitting on a folder that the peer-to-peer software can access. Great, big, giant hole that is going to cost the organisation lots and lots and lots and lots of money, not to mention the intangibles that cannot be measured in dollars (e.g. customer confidence, damage to the corporate brand). I think you get the idea. Peer-to-peer network on corporate network = bad idea. So lock that down.

Back to YouTube. But it doesn't host documents you say. Yep. True. Which is why YouTube is not really a problem for those of us not in the music, television and movie industries. What happens if there was a YouTube for documents? Quasi YouTube-like repositories have always existed. They're called online file servers. But they only store stuff...and most of the time this is not public. It's just there for the user to store their own stuff. And even if they someone allowed documents to be made public, they weren't very easily found. So they're not really YouTube for documents. Even so, you should probably be blocking users from uploading sensitive files to these sites. The risk profile isn't quite as high however, because of the lack of decent search capabilities. You put decent search capabilities and the power of tagging next to a document only type of site, and you get YouTube for documents.

I bring this up because of late, there have been quite a few start-ups doing just this. One of the early ones was Scribd. They actually market themselves as YouTube for documents. Recently I've also come across docstoc. They pretty much do the same thing. And to a lesser extent there are also sites that are essentially an online desktop/bulletin board for you to throw things on there. Photos, notes, music, videos...and documents. These can also be made public. I'm not sure if their search capabilities are decent, but they are there. Recent examples are Stixy and WIXI (as an aside, who the heck comes up with these names! They sound like something my little 5 year old cousin could have come up with).

So now we all have the same problem as the content providers that despise everything that YouTube represents...except corporations have more to lose. Why? Because it can potentially cost billions. That's right. BILLIONS. In fines from losing customer information, for not being PCI compliant, for not passing the many many audits organisations are subjected to nowadays and so on. And there's also the potential billions that could be lost if your "11 secret herbs and spices" gets out there.

Where previously the most convenient way for your data to leave via the network was through email (or even web-mail), it can now be hosted on multiple, searchable, document sharing websites. When you email a sensitive document out to a list of people, the speed that this document can proliferate is only as fast as the recipients can press the forward button. Even then, you're limited to their address books. This spread is exponential by the way, so it's by no means a non-issue. But it's still slower than having the sensitive document immediately available to a whole community of users! It's like aggregating all your contacts, the contacts of your contacts, the contacts of their contacts' contacts and so on (try saying that quickly) and blasting the document to all of them at once.

I've got an account on both Scribd and docstoc. I don't really use them at the moment. I just wanted to check them out. My first few searches on each already produced documents that I'm not so sure the companies they relate to want out there. But hey, they're freely available. You just need to sign up!

So how do you stop this? While you can conceivably and justifiably block most peer-to-peer applications, you can hardly block users from using the Internet! Sure, you can block Scribd, but then docstoc comes along. Then you block docstoc, and another competitor comes along. It may never stop. The same can be said about peer-to-peer clients, but it's a heck of a lot harder to build a new peer-to-peer client than it is to build a new document sharing website. Blocking specific sites or applications is only a temporary fix. There'll always be the next site or application that comes along.

The key is to protect the information and control the many ways it can leave and under what circumstances. There's obviously the whole issue of information identification and classification as the up-front step. But that's for another day :)

Just be aware of the escalated risks YouTube for document-like sites pose to your corporate data. They make the information much more readily accessible and data loss and leakage will happen a heck of a lot more quickly than it has in the past.

Wednesday, October 10, 2007

It's not about the iPhone - it's about the data

No really, it's not. Just bear with me for a couple of paragraphs (unless you fall asleep before you get past the iPhone bits).

I was walking along Regent Street in London over the weekend with a friend and dropped by the Apple Store. He wanted to buy a case for his laptop...not a Mac incidentally. That's becoming common though. Traditionally non-Apple users wanting to buy Apple branded (or inspired) accessories because they just look better than everything else out there. Some like me even decide they want an actual Mac, which is why I have a MacBook Pro. I'd never previously been a Mac user...such is the power of the Mac brand. The products have become fashion accessories, not pieces of technology.

This trip to the Apple Store over the weekend convinced me that never will this be more true than when the iPhone is released here in the UK on November the 9th (actually this will likely be true regardless of where the iPhone is released - except maybe in China where they'll have fake ones out before the release date). The release in the US has already seen unparalleled enthusiasm with the thing being sold out all over the place. The Blogosphere was noisy to the point of being tedious (including A-list blogger Robert Scoble who was first in line at the store to buy the thing and won't stop talking about it - just go to his blog and search for iPhone and you'll see what I mean). I actually ignored my Google Reader items that had the word "iPhone" in it for about 2 weeks.

The thing that actually prompted me to start thinking about this was the queue at the Apple Store. It was unusually long. I'd been there before and there are ALWAYS queues, but this one went out the door and round the corner! There was also a huddled mass around one particular section of the store. I was curious so I went to take a look. A couple of polite nudges, pushes an "excuse me please" grunts later, I emerged only to find they were huddled around the display/demo showcase for the new iPod touch. I don't know why Apple released this thing, but once again they proved they know their market. The iPod touch is pretty much an iPhone but without the phone. It even looks exactly like an iPhone. I then walked along the long queue to see what everyone was buying. You guessed it. They were buying the iPod touch. I guess they don't want the iPhone. Or maybe they want both...which is entirely possible with Apple fanatics. But if the demand for something like the iPod touch is so huge, you can bet the queues for the iPhone will be even longer. Most people will wait for the iPhone rather than buying the iPhone with no phone (aka iPod touch). So this suggests that the demand for the iPhone will far outweigh the huge queue I saw. I could of course have guessed from the reaction in the US, but this is the UK and things don't always work the same way here :)

Even being tied into the O2 network will not be enough to deter people, as observed in the US with AT&T being the exclusive network provider. So why is this the case? Because it is the best looking thing out there and can potentially replace all the devices you have. Your phone, your iPod (itself already achieving cult status and has a huge market share over its competitors), your PDA and your computer. In fact, as it evolves, it WILL replace your computer. As web-based technologies and applications become the norm (and believe me, Generation Y prefer using a web application to a fat Windows client, unless it's a computer game) there will be little need for laptops, except for poor sods like me who have to because I need to give solution demos to customers - I wish I could demo stuff on the iPhone. And that's exactly my point. Unless you need the processing power or a laptop (or desktop) or a decent sized screen, there is no real need for one. And as the iPhone evolves, it'll get to the point where it can power most applications (AJAX-intensive web ones or clients built for the iPhone) and there'll just be docking stations with keyboards and monitors to plug into your iPhone (or whatever mobile device you have). That's a little way off though.

I should also note that the iPod touch, being an iPhone without the phone, also exhibits these characteristics (it even has Wi-Fi capabilities). Whereas the iPod (and its variants) are just glorified USB disks that play music and video.

Don't get me wrong. We'll never do away with the desktop, servers or laptops. We just won't need to use them nearly as often. I get by most days without using my laptop. I just type away on my BlackBerry (and all the rest of you I see in airports, trains...and meetings do exactly the same thing). I could do so much more on a device like an iPhone though. It's an always-connected computer with the capability to interact with web applications much more seamlessly than the phones, BlackBerry and PDA devices of today. The crucial thing about a device like the iPhone is that I can actually use it for things other than email. My Blackberry is pretty useless for anything other than phone calls, SMS messages and emails. I can't view or edit any documents on it because it's just impractical. There are also a limited number of applications I can install on it...and most web-sites don't work properly.

Which means what exactly? It means you can view and manipulate information on an iPhone! This includes critical corporate data that really should be controlled. I know companies are only just starting to figure out how to control data access, movement and usage within their corporate environments and mitigate the risks of data loss and leakage (I see enough organisations about this to be able to make this statement with some level of authority), but the days of putting blinkers on and ignoring non-desktop environments as "just another fad" are going to kick you in the butt if CIOs, CISOs and Security Managers do nothing about it. Not just organisations, but all of us. Guess where all our personal, private information is held...YES, in the uncontrolled hands of the institutions out there that we deal with. Your bank. Your insurance company. Your local council. Your utility providers. Any retailer you've ever bought anything from. The car rental company. The airlines. The hotels. The list is endless, but I think you get the picture.

Why is this actually a problem? Peripheral devices used to simply be able to store data and allow you to cart it off somewhere else. There are levels of control you can place around these USB storage devices, ranging from draconian (e.g. you CANNOT use USB devices) to more elegant solutions that can determine what approved USB devices are and control data movements to and from these USB devices based on the information being moved (e.g. if the information contains personal information, encrypt the data before writing it onto the USB). Once information is on there however, nothing can be done to it until the USB is plugged back into something that can read it. If it's encrypted, it's safe because only an authorised device or machine can read it. If not, it's all garbage. Like I said, hordes of people have iPods and MP3 players but these are just USB devices. Again with the right tools, you can ensure people only load music and video files onto these devices. Or if not, the policies that govern USB usage will at least also apply to iPods and MP3 players.

Of course, I'm assuming that your organisation actually has a USB policy and enforces it. Having one and not enforcing it is pretty stupid. Being draconian about it is also not the smartest thing to do because you're disabling employees from doing legitimate work, but at least it closes off that risk for data to leave the organisation. The key is to practice a level of fine grained control over USB usage and to enable your employees to work more efficiently but within auditable, controllable security guidelines and policies. USB device control is actually very easy, if you have the right controls in place. What's not so easy is the issue around peripheral devices that are smarter than a USB drive.

Until now, the security guys have practiced the "hear no evil, see no evil, speak no evil" policy when it comes to PDAs, mobile phones, BlackBerry devices and the like. We haven't had as many issues here because as I said earlier, very few of us actually use these things to do useful work (except email - although it's debatable whether that's useful most of the time), let alone try to view and edit documents and work with data because it's impractical. There are of course people that do use these devices exactly for this purpose. Organisations just don't know about it...or pretend to not know about it because it's too difficult to figure out and the benefits gained compared to the perceived risks it presents don't keep the executives up at night. The exposure to data leakage and security this presents however, is relative minuscule compared to the iPhone age that is upon us. Or as some have been known to say, a fly on an elephant's bottom (the iPhone is the elephant).

  • Problem number 1: The iPhone (and devices like it - every competitor is going to want a piece of this market) puts a pocket sized, functionally useful computer in the user's pocket.
  • Problem number 2: Every executive is going to want one - and we know how difficult it is to enforce security policies on executives - imagine the risk it's going to pose when they insist on using their iPhone for work and connect it to the corporate environment. And I dare you to try telling them they are NOT allowed to use it for work.
  • Problem number 3: Apple's products are much more prevalent in the demographic that is going to make up the bulk of the workforce in the not too distant future - Generation Y. And they will all want an iPhone or at the very least, an iPod touch.

What this suggests is a dramatic increase in the usage of pocket sized, mobile, always connected to the Internet devices within the enterprise. What was once devices made up of functionally crippled PDAs, phones and BlackBerry devices is going to become a network full of mobile-mini computers that fit in your pocket.

If you think the network perimeter is non-existent in enterprises today, it's going to be even more non-existent when iPhones start popping up all over the place in you enterprise. And when they do (and going based on the launch in the US, it's going to be a huge spike rather than a gradual curve), don't get caught with your pants down.

Think trying to control data leakage and information access within a corporate environment is tough? Try taking down your firewalls and Intrusion Detection Systems. Because this is what the iPhone is going to do to your corporate network if you're not careful. Let's not forget that someone could also walk away with the equivalent of a laptop or desktop and not be noticed because the thing is in their pocket!

Ignore the iPhone and devices like it at your peril. For organisations, it presents a huge headache. For software vendors and system integrators, it's a business opportunity. Of course, it would help if Apple opened up the iPhone's APIs instead of forcing people to hack at it to write applications for it. Until then, I suggest you take a look at your data control and access policies. If an iPhone is plugged in, it may not be such a good idea to let sensitive information get to least not until someone out there gives you a valid solution.

Data security and leakage prevention is a much bigger issue than just USB device control and locking down iPhone access to the corporate environment. But when given a large problem, what does one do? Tackle the biggest one first. I'm not saying the iPhone problem is going to be everyone's largest issue or exposure, but it's not going to go away either.

Did someone say iPhone security agent? No I'm not selling one. I'm pointing out that I have yet to see one. Who is going to step up to the plate?

Saturday, October 06, 2007

Espresso anyone?

I was beginning to think that people in the Enterprise Identity Management industry responsible for product names weren't creative. Look at all the names of the products. Anything that does provisioning is called "Identity Manager". Anything that does web access control is called "Access Manager". Anything that does simplified sign on (aka single sign on) is called SSO. I know the rationale behind it all. It makes things clear. But it's boring.

I just came across Sentillion's new single sign on product called expreSSO. I'm not qualified to comment on how good it is functionally, but for once it's a name that catches your attention. It's smart, creative and conveys the right message. The name immediately implies that it does SSO, is lightweight and easy to deploy. And yes I'm fully aware it' s not spelled the same as that tiny cup of coffee. It just sounds the same.

Of course, if you are not a fan of a good cup of espresso coffee, you'll say it tastes awful, is unsatisfactory and leaves a bitter taste in your mouth (which perfectly describes many Identity Management deployments out there). I for one am a fan of a good cup of espresso. So I like it. The name that is.

Which makes me wonder why IBM Tivoli didn't come up with this for their SSO product? FYI, it's called "IBM Tivoli Access Manager for Enterprise Single Sign-On", or ESSO for short. Then their sales and technical sales people (I used to be one) could roll into customers and offer up TIM TAMs and a cup of expreSSO. In "IBM speak", TIM = Tivoli Identity Manager and TAM = Tivoli Access Manager.

For those that are staring at the screen with a bewildered look, Tim Tams are a popular chocolate biscuit (cookie for the Americans reading this) in Australia made by Arnotts and are a quintessential part of Aussie culture. I used to cart packets (I did a whole carton once) of Tim Tams to the US and hand them out to anyone in Tivoli-land that wanted one. I think some of the TIM development team (hi guys) still have the packets stuck to the side of their work cubicles.

So maybe only Australian customers would have understood the reference and appreciated this. But it would have been a nice ice breaker.

Friday, October 05, 2007

Oracle and Bridgestream

This news is about a month old, but in case you've been in a cave for the past month (like I have, well not a cave but I've been in China so that's close enough) and don't know, Oracle bought Bridgestream. Now that's 2 things they have on the competition. The Bharosa and Bridgestream acquisitions give them 2 things their major competitors (IBM, Sun, CA, BMC, Novell) don't have.

Role management is a bit of an ambiguous term. It means different things to different people. In the software world, this usually refers to some sort role mining, automation and discovery. There are a few vendors out there doing this (Bridgestream was one, Eurekify is another) and they end up calling their offering role management because it helps automate the whole process of figuring out what the heck an organisation's roles should look like and who should be in these roles.

This all sounds good in theory, but role management in the form I've just described has not exactly taken off. It's one of those things that people keep saying they need to do. Except all they end up doing is sticking a bunch of roles they think will work into their provisioning systems and waiting to see what needs changing later on. Of course, by then it's too late and they have to re-do all the roles. As always, they pay an exorbitant amount of money to a consulting firm (I'm looking at you Accenture and Deloitte, and perhaps IBM too) to do the work.

It's also been a victim of priorities and security maturity levels in organisations. Most are not at the stage where they are ready to look at role mining and automation. Provisioning and access controls are usually the first things that get implemented, then some sort of audit, compliance and reporting capabilities are tagged on to feed off phase 1. Role management ends up being the nice to have...and by then there's no money, no time and no resources available. So we get into the near enough is good enough syndrome.

Yes I know proper role management helps with proper segregation of duties and also keeps auditors happy. But role management as a single discipline does not solve the whole issue. It needs to be used in conjunction with all the other Identity Management capabilities that typically get implemented. The role management/mining vendors have also suffered from being too low on the food chain and not being tied into a major vendor to be dragged along as part of the sale. It's also usually too difficult to integrate into whatever Identity Management software solution an organisation is implementing and becomes another moving part that is usually one of the first things to get thrown away...or at best pushed to phase 5. I've yet to see organisations get past phase 2 or 3 in the space of a few years. Phase 5 will show up...eventually.

And this is where Oracle have just placed themselves in the driver's seat. By buying Bridgestream, they've got another selling point over their competitors. And when organisations do indeed get to that phase 5 (or whatever), guess what...Oracle's going to ride in on their white horse and say they have a tightly integrated solution that has been tested and kicked around in production. I'm sure a few of their customers will want to be early adopters. Oracle will throw in a bunch of financial incentives to ensure that happens. It's the smart thing to do.

And when Oracle's doing this, whoever buys Eurikify (SAP, are you listening? You want to get in the Identity game get ahead - also makes perfect sense if you want to link it all nicely into R/3 and NetWeaver) will be left behind (although they'll still be ahead of the others that are just sitting there hoping sales will fall into their laps while their Identity Management technologies lag behind the competition).

And at some stage, someone's going to realise that just sucking in all your roles (and users) in from HR into your provisioning system only does half the job. Operational roles (stuff that is useful for day-to-day use) are not usually representative of what you find in HR. It helps to have an automated way to figure out what the operational roles really are. It's not going to be easy, and putting in a tool won't be a no brainer, but if it's integrated nicely into the provisioning system it certainly helps cut out a lot of the work...and takes business away from consulting firms that roll out whole teams of fresh graduates (who know nothing) to implement your enterprise security infrastructure for you. Scary isn't it. But we know that's what they do.

The Bridgestream acquisition isn't a huge game breaker. It's just Oracle buying insurance for the future. They may get a few deals here and there because a customer happens to think the world of role management/mining. But it's a smart strategic move.

They're fleshing out their capabilities nicely in the game we know as Enterprise Identity Management. I don't know what the other vendors are doing. For their sake, I hope they're not sitting there in blissful ignorance thinking their market share will not get eaten up by Oracle.

Back in London

No I haven't stopped blogging. I'm just knee deep in work and trying to catch up on news.

I got back to London about a week ago and have had nothing but end-to-end customer meetings since. Another weekend is coming up so I'll try to be up to date on the world by then.