Monday, October 16, 2006


How XACML fixes lies told about identity management and enables SoX compliance...

Since industry analysts are negligent in telling the story of XACML and how it may enable compliance with Sarbanes-Oxley, I figured I would...

There are tons of bloggers from Sun (Pat Patterson, Sara Gates, Don Bowen all come to mind) and Oracle telling the story of how their wonderful products can help enterprises with the problem space of identity management. Sure, many enterprises have no handle on who comes and goes from the enterprise, and no ability to report on it from a centralized perspective.

Prior to my current employer, I consulted for Fortune enterprises such as Bank of America (back when it was Shawmut), Aetna, First USA, and others. I suspect that the test IDs I used for production checkout probably still work. The main problem is that, prior to centralized provisioning systems, all provisioning was done in a local context, application by application. Enterprises that still behave in this manner should move forward with whatever story they hear from industry analysts, with the understanding that those analysts aren't telling the whole story.

It is reasonable for auditors to expect an enterprise to have a handle on basic identity. What if auditors in the future started asking enterprises to produce reports not only on who, but on who can do what, from a central perspective? Most shops will be in trouble, because who can do what goes well beyond basic identity and in many cases even beyond role-based engineering and tools such as Eurekify, Vaau and others.

So, if you think about the problem for a minute, you may realize that reporting on authorization from a centralized perspective is harder than it sounds. For one, I suspect your enterprise architecture team is spending too much time drawing executive cartoons in PowerPoint explaining the latest management-by-magazine fad while allowing your software development team to keep embedding authorization logic in the code. Once the rules live as if-statements scattered across hundreds of applications, the only way to answer "who can do what" is to read the source of every one of them or to test every path. I defy you to find the magic bullet that applies centralized reporting to that.

Of course, you probably also have some boneheads who pontificate the repeat-after-me, buy-vs-build blah blah blah, and instead let software vendors and their chosen insulting firm partners help you embed it into each and every product your enterprise owns, each in its own proprietary manner. I suspect that if you are the normal Fortune enterprise, you have at least 500 (if you are lucky) distinct IT products in which they have all done it to you.

Maybe you should wake up and figure out how to procure software that allows compliance to be built in? Maybe if you start asking vendors to comply with industry standards, it will be easier to solve this problem later, rather than learning how to do it for hundreds of products, each with its own special twist. Maybe, if you have courage, you might even consider asking vendors to put XACML into their products and hold up payment if they don't. Be specific about what you ask for: the product should act as a policy enforcement point that sends its authorization decisions as XACML requests to a policy decision point you control, and its policies should be loadable from and exportable to your own policy administration point. If the vendor merely ships an XACML-shaped policy file that only its own engine can read, you are back to one special twist per product.
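To make the point concrete, here is an added example: it is not code from the original post and not any vendor's product. It parses a small XACML 2.0 policy, evaluates requests against it as a policy decision point using the deny-overrides rule-combining algorithm, and produces the report an auditor would ask for, which rule lets which role do what, straight from the policy rather than from application source. The policy content, the general-ledger resource, the role values and the urn:example:attr:role attribute id are constructed for this example; the XACML namespace, function, attribute and combining-algorithm URNs are the OASIS ones. Only string-equal target matching is implemented.

```python
"""Added example: a minimal XACML 2.0 policy, a tiny PDP, and the
'who can do what' report the post says auditors will eventually ask for.

Constructed for illustration: the policy content, the general-ledger
resource, the role values and the urn:example:attr:role attribute id are
made up. The OASIS XACML URNs are real. Only string-equal target matching
and the deny-overrides rule-combining algorithm are implemented.
"""
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE_ATTR = "urn:example:attr:role"  # hypothetical subject attribute id

# XACML element names for the three target categories this example matches on.
CATEGORIES = {
    "subject": ("Subjects", "Subject", "SubjectMatch", "SubjectAttributeDesignator"),
    "resource": ("Resources", "Resource", "ResourceMatch", "ResourceAttributeDesignator"),
    "action": ("Actions", "Action", "ActionMatch", "ActionAttributeDesignator"),
}


def xacml_rule(rule_id, effect, role, resource, action):
    """Emit one <Rule> whose <Target> requires role, resource and action to string-equal the literals."""
    def match(cat, attr_id, value):
        plural, single, match_el, designator = CATEGORIES[cat]
        return (f"<{plural}><{single}><{match_el} MatchId='{STRING_EQUAL}'>"
                f"<AttributeValue DataType='{XS_STRING}'>{value}</AttributeValue>"
                f"<{designator} AttributeId='{attr_id}' DataType='{XS_STRING}'/>"
                f"</{match_el}></{single}></{plural}>")
    return (f"<Rule RuleId='{rule_id}' Effect='{effect}'><Target>"
            + match("subject", ROLE_ATTR, role)
            + match("resource", RESOURCE_ID, resource)
            + match("action", ACTION_ID, action)
            + "</Target></Rule>")


# Constructed sample policy for a general-ledger application: two Permits and one
# explicit separation-of-duties Deny (an accountant must never approve a posting).
POLICY_XML = (
    f"<Policy xmlns='{NS}' PolicyId='urn:example:policy:gl' RuleCombiningAlgId='{DENY_OVERRIDES}'>"
    "<Target/>"
    + xacml_rule("accountant-posts", "Permit", "accountant", "general-ledger", "post")
    + xacml_rule("controller-approves", "Permit", "controller", "general-ledger", "approve")
    + xacml_rule("sod-no-accountant-approval", "Deny", "accountant", "general-ledger", "approve")
    + "</Policy>"
)
POLICY = ET.fromstring(POLICY_XML)


def _q(tag):
    return f"{{{NS}}}{tag}"


def _target_matches(rule):
    """Yield (attribute id, literal) for every *Match element in the rule's target."""
    for m in rule.find(_q("Target")).iter():
        if not m.tag.endswith("Match"):
            continue
        if m.get("MatchId") != STRING_EQUAL:
            raise NotImplementedError(m.get("MatchId"))
        designator = next(c for c in m if c.tag.endswith("AttributeDesignator"))
        yield designator.get("AttributeId"), m.find(_q("AttributeValue")).text


def _rule_applies(rule, request):
    """A designator yields the bag of request values for that attribute; the match holds
    if any bag member equals the literal (so a user holding several roles matches on any)."""
    return all(literal in request.get(attr_id, ()) for attr_id, literal in _target_matches(rule))


def evaluate(policy, request):
    """Deny-overrides PDP: one applicable Deny wins, else any Permit, else NotApplicable."""
    effects = {r.get("Effect") for r in policy.findall(_q("Rule")) if _rule_applies(r, request)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def who_can_do_what(policy):
    """The central report: every (role, resource, action, effect) the policy states,
    read from the policy itself rather than from any application's source code."""
    rows = []
    for rule in policy.findall(_q("Rule")):
        attrs = dict(_target_matches(rule))
        rows.append((attrs[ROLE_ATTR], attrs[RESOURCE_ID], attrs[ACTION_ID], rule.get("Effect")))
    return rows


def decide(roles, resource, action):
    """What a PEP would do: build the request context from the caller and ask the PDP."""
    request = {ROLE_ATTR: set(roles), RESOURCE_ID: {resource}, ACTION_ID: {action}}
    return evaluate(POLICY, request)


if __name__ == "__main__":
    for row in who_can_do_what(POLICY):
        print("%-12s %-16s %-8s %s" % row)
    print(decide({"accountant"}, "general-ledger", "post"))                   # Permit
    print(decide({"controller"}, "general-ledger", "approve"))                # Permit
    print(decide({"accountant", "controller"}, "general-ledger", "approve"))  # Deny: SoD rule wins
    print(decide({"auditor"}, "general-ledger", "post"))                      # NotApplicable
```

The report comes straight out of the policy, which is the whole point: the same three rules written as if-statements inside the general-ledger application would be invisible to it, and the separation-of-duties deny would have to be rediscovered by reading source. Note the third request: a user who has accumulated both roles is still denied approval because the explicit Deny wins under deny-overrides. A PDP configured with permit-overrides would let that through, so the combining algorithm is part of what you audit, not just the rules.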

I have been quoted as saying that most forms of security don't translate into competitive advantage, and therefore I tend to share my thoughts. Maybe in this situation, enterprises that don't demand more from their vendors and industry analysts may end up with inflexible IT architectures that will cost them a ton to fix, which translates into show me da money...
