Saturday, February 04, 2012

F*** it, I'm lighting 100 candles - Entitlement Management 2012

Photo credit: Alessandro Silipo
One of the most widely read series of posts on my blog relates to entitlement management (part 1, part 2). In fact, do a search on Google for "entitlement management" and part 1 appears on the first page of search results (albeit below the fold). Don't read them yet. You'll get tired and won't come back to continue reading this :-)

I wrote those posts over 2 years ago to stir the pot. They served their purpose and garnered some great discussion with a few luminaries in this space (including esteemed analysts from Gartner and Forrester).

At the time, I argued that the term "entitlement management" was typically used to refer to fine-grained access management or real-time, attribute-based, authorisation enforcement (e.g. as per the products offered by IBM, Oracle, Axiomatics and BiTKOO (now part of Quest Software)). But on the flip side, I did acknowledge (in part 2) that there were other ways to define it:
  1. The processes and solutions around gathering, interpreting, and cleansing entitlements.
  2. User-managed (or user-centric) entitlement management.
Point number 2 is a topic best left for another day, especially as it involves discussions around online services (see UMA for more info).

The first point, however, is what we now commonly refer to as access governance (e.g. SailPoint, Aveksa). Some use "identity intelligence" (thanks to the analysts), but in my opinion, identity intelligence is a broader term that also includes data analytics and Security Information and Event Management (SIEM). However, "manage user entitlements" is another commonly used term in access governance discussions. In fact, it is used so often that I'm starting to find that when anyone talks about entitlement management, more often than not, they mean managing user entitlements for access governance purposes.

Back in 2009 (when I wrote the posts referenced above), I was convinced that real-time, attribute-based, fine-grained authorisation enforcement would take off. IBM and Oracle certainly thought so too. I have yet to come across a security architect who doesn't think it's a good idea. I still think it's a great idea. But in the world of Information Security, just because something is a good idea does not make it compelling. Compelling; aye, there's the rub. If I had to distil security spending decisions down to one word, it would be: "compelling". In a recent presentation I gave, I said:
"Sexy technology doesn't sell security. Interesting technology doesn't sell security. But give someone a compelling reason, and they'll buy a security solution."
That statement sums up why entitlement management has evolved to be more about access governance than fine-grained access management.

Trying to sell someone on the fine-grained access management story is an almost impossible, thankless task. If any of you have ever had to sell a provisioning solution without out-of-the-box adapters (or agents, or drivers, depending on which vendor's solution you are familiar with), multiply that pain by a factor of 100 and you might start to get close to the challenges faced with selling a fine-grained access management solution. It's like saying: "please buy our power station, but you have to figure out how to build the light bulbs yourself after ripping out the ceiling to install wires and by the way, there are 1000 ways you can build light bulbs using 1000 different sockets into the wiring with each bulb running at a different wattage".

Access governance initiatives on the other hand, are almost always driven by regulatory compliance requirements. This makes access governance initiatives compelling. It is also why SailPoint and Aveksa are doing so well.

To be successful at selling fine-grained access management solutions, you have to go to customers with a pre-built set of light bulbs and only focus on the ones with wiring compatible with your set of light bulbs. It's why BiTKOO does well in Microsoft SharePoint environments.

Essentially, access governance solutions are much less intrusive, much easier to integrate and are supported by compelling reasons to buy.

As reliant as we are on electricity nowadays, if we were told we had to rip our ceiling out, install wiring ourselves and build our own light bulbs, most of us would say:
"F@#$ it, I'm lighting 100 candles."

Friday, February 03, 2012

Book Review - Grouped

I've never done a book review, and I don't plan on making it a habit. But this one is worth a mention given many of us have to do some level of marketing, even if it's not officially in our job description. And in today's Facebook/Twitter centric world, marketing's changed a lot from the good old days.

Grouped, by Paul Adams, is an easy, interesting, worthwhile read. It has the distinction of being the very first e-book I've ever bought. Essentially, it talks about the social web and how people are influenced in today's constantly connected world. You'll feel smarter after reading it, but you don't need a PhD to understand it. Paul's done a great job of distilling and simplifying copious amounts of PhD-worthy research for the masses.

If what you do relates to marketing in any way, you'll appreciate the ideas Paul puts forward. Even if it doesn't, you'll learn enough to make it worth your while and it'll make you see many things in a different light. For example, where you may not have realised in the past that an online interaction was actually influencing your behaviour, you'll sure as hell notice once you've finished the book. Our emotions and subconscious play a much bigger part in our seemingly logical decisions than we realise.

The best ideas are the ones that are easy to understand and seem obvious, except they didn't occur to you until now. For example, the fact that we work hard to conform to social norms, observing how others react to learn what is acceptable and shaping our behaviour accordingly, seems obvious. But we don't consciously realise that's how we tend to behave. We apparently also communicate with the same 5 to 10 people most of the time, but it's not something I realised until I thought about it. I'm not doing the content justice in my paraphrasing, so you're better off reading the book than trying to gain any useful insights here.

The book is well researched, has a nice selection of case studies and examples, and best of all, doesn't take long to read. I should point out a lot of the examples are from Paul's experiences at Facebook, but I don't think he means for the book to be a big advertisement for the Facebook platform. He simply used the relevant data he had access to given his position at the company.

Then again, the fact I'm being positive about this book could be because we generally don't want to appear to be negative in public, especially when doing so in a non-anonymous manner. Perhaps I've been Jedi Mind Tricked into this way of thinking by Mr Adams.