Friday, December 15, 2006
Even More thoughts on Federated Authorization...
Let's say that I am CISO of Bank of America and I want to satisfy two different requirements of my enterprise. The first requirement is that our auditors want the enterprise to create an attestation process whereby, periodically, managers certify not only that their people are still employees but also that those people have access only to the right applications. From a rationalization perspective, the CTO has figured out that costs can be saved by eliminating identity stores and getting all enterprise applications to consolidate on Active Directory.
Before, the identity management system took a feed from the HR system and automatically provisioned each application based on role, since every application had its own identity store. However, as CISO I have established a policy by which all BPM vendors that I use within my enterprise, such as Intalio, Lombardi and Pega, along with my ECM vendors such as Filenet and Documentum, will no longer be on my approved vendors list unless they eliminate their own identity stores and start binding directly to Active Directory.
In this situation, consolidation may remove my ability to say, from a central perspective, which applications folks can access, since they now all bind directly. As CISO, I have done a wonderful job of at least encouraging Intalio, Pega, Lombardi, Documentum, Filenet, ServiceMix, Sonic and Capeclear to all implement an XACML PEP so that I have a standards-based way of expressing authorization, but this raises the question of what the responsibilities of the identity management platform are in consuming it.
The CTO also has a strategy for moving the entire enterprise to a role-based portal, whereby a user has access to the portal in its entirety but may or may not have discrete access to specific portlets, some of which may be deemed SoX controls. Of course the auditors, upon hearing of this strategy, would not only like to know from a centralized perspective, irrespective of the migration to a consolidated identity store, that the user is still an employee and has access to the portal at large, but also want managers to attest to access to specific functionality within the portal. What should the CTO be thinking about?
Like most CISOs, I also practice Management by Magazine. I read a wonderful article on how logical and physical security are converging, understood how identity in the IT systems that run the business and the access controls used by the physical security folks fit together, and then asked whether the notion of entitlements within an application can also be federated, so that I can centrally define not only which specific portlets a particular role can access but also which floors of a building a person can access. So how do I converge all of these thoughts?
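To make the "central policy, many PEPs" idea concrete, here is an added example (my own toy code, not anything from the vendors or standards named above) in which one role-keyed policy set answers XACML-style Permit/Deny questions from both a portal PEP and a building-access PEP, and the manager's attestation report is generated from that same policy so that what gets certified is exactly what gets enforced. The users, roles, portlets and floors are constructed sample data.

```python
"""Toy central PDP: one entitlement policy for portlets and building floors.

Constructed example. IDENTITY_STORE stands in for the consolidated
Active Directory; POLICY stands in for the central policy the PEPs query.
"""

# Constructed sample identities (hypothetical users and roles).
IDENTITY_STORE = {
    "alice": {"roles": {"teller"}, "active": True},
    "bob": {"roles": {"treasury_analyst"}, "active": False},  # has left the bank
}

# One policy set serving both logical (portlet) and physical (floor) PEPs.
# Each rule: (resource type, resource id, roles permitted, SoX-relevant?)
POLICY = [
    ("portlet", "account_lookup", {"teller", "treasury_analyst"}, False),
    ("portlet", "wire_approval", {"treasury_analyst"}, True),
    ("floor", "lobby", {"teller", "treasury_analyst"}, False),
    ("floor", "treasury_floor", {"treasury_analyst"}, False),
]


def decide(subject, resource_type, resource_id):
    """PDP: answer 'Permit', 'Deny' or 'NotApplicable', as an XACML response would."""
    user = IDENTITY_STORE.get(subject)
    if user is None or not user["active"]:
        return "Deny"  # a terminated employee loses every entitlement centrally
    for rtype, rid, roles, _sox in POLICY:
        if rtype == resource_type and rid == resource_id:
            return "Permit" if user["roles"] & roles else "Deny"
    return "NotApplicable"  # no rule covers this resource


def pep_enforce(subject, resource_type, resource_id):
    """PEP: deny-biased, so only an explicit Permit opens the portlet or the door."""
    return decide(subject, resource_type, resource_id) == "Permit"


def attestation_report(subject):
    """What a manager certifies: every resource the same policy permits, SoX flagged."""
    return sorted(
        (rtype, rid, sox)
        for rtype, rid, _roles, sox in POLICY
        if decide(subject, rtype, rid) == "Permit"
    )
```

Because the attestation report is derived from the live policy rather than from per-application identity stores, a manager attesting to alice's access sees the same list the portal and the badge reader enforce.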
One of the enterprise architects who works for the CTO noticed that the identity management platform exposes its own notion of workflow and was curious about whether they could rationalize by using one of their existing BPM engines instead, which would give them additional functionality. They considered whether, if a person had to execute an NDA or other contract to gain access, the legal folks, once the agreement was signed, could not only provision credentials for the individual but also take care of other business processes as part of a larger workflow. Should the CTO tell their business customers that identity management really won't help with business efficiencies and is strictly a compliance-oriented story at this time?
This enterprise architect has been savage in reading the blog of Phil Gilbert, who is an advocate of BPEL, and wondered whether there should be a standard that merges BPEL with identity and, more importantly, which vendor would champion this notion in the industry. Should the CTO work with Microsoft, Sun or Oracle, or rely on the open source community to figure out the answer?