IBM Tivoli on Identity and Access Management: When Physical and Logical IDs Meet

As research for an upcoming in-depth look at the convergence of physical and logical identity and access management, Security Squared's Sharon J. Watson spoke with Joe Anthony, program director of identity and applications security management, IBM Tivoli, on May 8.

IBM's Tivoli line of service management software includes a suite of identity management products designed to help enterprises manage their users' access to IT applications and data for efficiency, security and compliance reasons. IDC has ranked IBM the global leader in logical identity and access management solutions since 2005.

We talked with Anthony, who's based in Austin, Texas, about whether and how he sees logical/physical identity convergence occurring. What follows are edited excerpts from our conversation:

On tapping a single, authoritative data source for establishing enterprise identities:

We've had the ability to do it for probably about five years now. I'm definitely seeing an increased level of interest, but it's definitely still a minority of businesses that have taken the time to try to integrate that.... As [customers] do [enterprise single sign-on] projects...where [employees] sign in once and get access to all the different applications, at that point, when they have a single point of entry into the applications, they sometimes step back and say I really need a second factor, and when they pick the second factor, they may choose an active or passive RFID badge that is also the badge to get into the building.

On barriers and drivers to implementing converged physical/logical identities:

It's still a very cost-conscious economy and with the current pressure on the economics of different projects, they're still holding back. But...as people are thinking about locking down their intellectual capital, locking down their customer records, they're realizing they are exposed by not trying to better integrate some of these technologies.

I haven't seen it driven as much out of the risk side. I am seeing some of the CIOs trying to force some better convergence among their own teams. And as some of the physical security devices are getting attached to the IP network and they can communicate over the IP network to both the logical system as well as the physical, you're seeing a greater level of interest in trying to merge those systems.

On the architecture of a single logical/physical identity:

So a very typical architectural flow would be: a new person is going to come into the company, whether full-time employee or contractor...they would go ahead and be put in the HR system...that would generate a feed over to the user provisioning system to say here's a new employee, a shipping clerk, here are the three applications they should get access to and here are the two buildings they should get access to.

With that information, the user provisioning system may push out information into the directory to say: here are the three applications associated with this user, here are the attributes of the types of things they should access in that application...and it could push the information over to the card management system to say here are the two buildings this employee's badge should let them into.
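The joiner flow Anthony describes, as an added example that is not IBM's or Tivoli's code: an HR record drives one feed that yields both directory entitlements and card-management building access, and a separation-of-duty check (the check requester vs. check approver case he raises later) refuses conflicting add-ons. The job-code profiles, application names and conflict pairs are constructed assumptions.

```python
"""Provisioning from a single HR feed into directory (logical) and card
management (physical). Constructed example; all tables below are assumptions."""
from dataclasses import dataclass, field

# Assumed policy table: job code -> baseline applications and buildings.
JOB_PROFILES = {
    "SHIP-CLERK": {"apps": {"wms", "erp-shipping", "email"}, "buildings": {"DC-1", "HQ"}},
    "AP-CLERK": {"apps": {"erp-check-request", "email"}, "buildings": {"HQ"}},
}

# Entitlement pairs one person may never hold together (separation of duty).
SOD_CONFLICTS = {frozenset({"erp-check-request", "erp-check-approve"})}


@dataclass
class HRRecord:
    employee_id: str
    job_code: str
    extra_apps: set = field(default_factory=set)  # manually requested additions


@dataclass
class ProvisioningResult:
    directory_entitlements: dict   # employee_id -> set of applications
    card_management_buildings: dict  # employee_id -> set of buildings
    sod_violations: list           # (employee_id, (app, app)) pairs refused


def provision(records):
    """Turn HR joiner records into the two downstream feeds.

    An add-on that would complete a conflicting pair is dropped and recorded;
    the job-code baseline itself is left intact so the person can still work."""
    directory, cards, violations = {}, {}, []
    for rec in records:
        profile = JOB_PROFILES.get(rec.job_code)
        if profile is None:
            raise ValueError(f"unknown job code {rec.job_code} for {rec.employee_id}")
        baseline = set(profile["apps"])
        apps = baseline | rec.extra_apps
        for pair in SOD_CONFLICTS:
            if pair <= apps:
                violations.append((rec.employee_id, tuple(sorted(pair))))
                apps -= pair - baseline  # remove only the requested add-on(s)
        directory[rec.employee_id] = apps
        cards[rec.employee_id] = set(profile["buildings"])
    return ProvisioningResult(directory, cards, violations)
```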

On the importance of regularly reviewing what users are doing with data:

...As part of the overall closed loop, the thing you'll often want to get a view of is what are people doing with those entitlements so you can do some risk management and overall closed loop identity and access management. It's one thing to understand an employee has access to customer records; you would like a view to understand is one employee looking at 5,000 customer records a day while all their peers, with the same job code, are only looking at 500 customer records a day...

At that point, the manager may look at that and say I either need to promote this person because they're so productive, or [ask] is this a case where they're selling customer records and I need to fire them? Just based on the information alone, there's not enough to indicate which of the two activities might be appropriate. But it is an indicator for the manager to go investigate it. Looking at customer records is within the job scope, but this seems outside the normal bounds.

On creating policies and roles:

You get into normal separation of duty challenges, which if [an application] is within an ERP system, those are pretty straightforward to do. If it's in SAP, you know the difference between a check approver vs. a check requester, those are standard roles within the ERP system, so they're easy to do.

When you get into applications outside the ERP system where it's not known ahead of time what are the possible conflicts, then you need to apply intelligence by the local business units and build those into the user provisioning rules or into the post usage rules as you go about looking at the data collection.... When you do that post analysis of usage, you'll look for conflicts...you do need to look at actual usage.

We see a number of customers who, as they sit down and try to think what the rules should be, they will sometimes just go ahead and implement the products that will do the data collection and analysis and deploy [the application] with no rules. They just say, collect the data, let us see what it is, then we'll look at it and see what makes sense. They may not know ahead of time, depending on what their current IT tracking systems are like, exactly how many customer records every employee is looking at. So they may run it for a month or two just to get a feel for the low and high range that could be considered the normal three sigma variation. Then after that, they go ahead and put in some rules based on those variations.
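The peer-group baseline described in the two passages above (the 5,000-vs-500 records example and the "collect first, then set three-sigma rules" approach), as an added example rather than anything from the interview or from Tivoli: daily record-view counts are aggregated per employee, and each employee is compared against the peers sharing their job code. The audit records are constructed; the leave-one-out baseline is an assumption, chosen so one heavy user does not inflate the variation that should flag them.

```python
"""Three-sigma peer baseline on customer-record views. Constructed example."""
import statistics
from collections import defaultdict

# Constructed audit records: (day, employee_id, job_code, records_viewed)
SAMPLE_USAGE = [
    ("2009-05-01", "E100", "CSR", 480), ("2009-05-01", "E101", "CSR", 510),
    ("2009-05-01", "E102", "CSR", 495), ("2009-05-01", "E103", "CSR", 520),
    ("2009-05-01", "E104", "CSR", 5000),  # roughly ten times the peer group
    ("2009-05-02", "E100", "CSR", 500), ("2009-05-02", "E101", "CSR", 490),
    ("2009-05-02", "E102", "CSR", 515), ("2009-05-02", "E103", "CSR", 505),
    ("2009-05-02", "E104", "CSR", 4800),
]


def daily_totals(usage):
    """Aggregate raw records into {job_code: {employee_id: [daily counts]}}."""
    per_day = defaultdict(int)
    job_of = {}
    for day, emp, job, n in usage:
        per_day[(emp, day)] += n
        job_of[emp] = job
    totals = defaultdict(lambda: defaultdict(list))
    for (emp, day), n in sorted(per_day.items()):
        totals[job_of[emp]][emp].append(n)
    return totals


def peer_outliers(usage, sigmas=3.0):
    """Return (employee, job_code, own_mean, peer_mean, peer_sd) for each
    employee whose average daily count lies more than `sigmas` standard
    deviations from the mean of their same-job-code peers.

    The peer statistics exclude the employee being scored (leave-one-out),
    and a job code with fewer than two peers is skipped because no variation
    can be estimated from it. The result is a lead for a manager to
    investigate, not a verdict; the interview makes that point explicitly."""
    flagged = []
    for job, by_emp in daily_totals(usage).items():
        means = {emp: statistics.fmean(counts) for emp, counts in by_emp.items()}
        for emp, own in means.items():
            peers = [v for e, v in means.items() if e != emp]
            if len(peers) < 2:
                continue
            mu, sd = statistics.fmean(peers), statistics.pstdev(peers)
            if abs(own - mu) > sigmas * sd:
                flagged.append((emp, job, own, mu, sd))
    return flagged
```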

On utilizing identity and access management reports for productivity reasons:

Another major reason to go look at what people are doing is that it may be in their job scope but you may see very erratic behavior and it's not necessarily malicious behavior that can cause you problems.... Based on some of the patterns, you might be able to say this person just isn't doing this according to our standards, so let's take some corrective actions before something bad does occur. So people shouldn't assume this is good only for malicious behavior.

Another thing we do, we'll tie it to the regulations. So if something comes up, like a SOX violation...there are a lot of auditors who don't know what that means. Just telling an auditor they have a SOX violation and the section code might not mean much of anything. So the ability to drill down and get some helpful insight as to why that's a violation of SOX and even take them to the regulation to let them read it so they can get some understanding is a nice educational process.

On how/whether logical and physical security experts work together in the identity management realm:

...In a lot of organizations, the identity management team is very closely associated with the application security and the database security people, so they'll have a lot of the logical security team...very close together organizationally. The physical security will quite often be somewhat separate...but as a lot of the physical security backbone is becoming IP-centric, you're starting to get them pulled in closer into the same areas of the organization and it's there that we start seeing some more commonality across the teams.

On the kinds of value the physical security databases and appliances can offer the logical identity management system:

You'll get into businesses that are very concerned about where people are accessing the information from...you can go ahead and leverage some of the physical attributes so you can detect, is the employee in the office and if they are we'll let them look at all the customer records, views of everything...but if this is a doctor accessing from home and we can detect that based on the IP address of where the request is coming from...we're going to restrict the amount of information a person can see in those situations.

So you can take advantage of the network information that's available as part of the request for information and use it in the authentication/authorization decision process.
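The in-office vs. remote decision Anthony sketches, as an added example that is not code from the interview or from Tivoli: the source address of the request is checked against office networks, and the card-management system's badge-in events supply the physical side. It goes one step beyond the text by treating an internal address with no recent badge-in as a mismatch to flag, which is the kind of signal the two systems can only produce together. Address ranges, badge events, field lists and the 12-hour badge validity are constructed assumptions.

```python
"""Context-aware authorization combining request IP with badge-in state.
Constructed example; every table and threshold below is an assumption."""
import ipaddress
from datetime import datetime, timedelta

# Assumed office address space (private ranges used as stand-ins).
OFFICE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.10.0/24")]

# Fields of a customer record visible in each context.
FULL_VIEW = {"name", "address", "phone", "ssn", "account_history"}
RESTRICTED_VIEW = {"name", "phone"}

# Constructed card-management feed: last badge-in (building, time) per employee.
BADGE_EVENTS = {
    "E100": ("HQ", datetime(2009, 5, 8, 8, 2)),
    "E200": ("DC-1", datetime(2009, 5, 7, 17, 55)),  # previous day: stale
}


def badged_in(employee_id, now, max_age=timedelta(hours=12)):
    """True when the card system saw this person enter a building recently."""
    event = BADGE_EVENTS.get(employee_id)
    return event is not None and now - event[1] <= max_age


def from_office_network(source_ip):
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in OFFICE_NETWORKS)


def authorize_view(employee_id, source_ip, requested_fields, now):
    """Return (decision, fields the requester may see).

    full                 on an office network and badged in
    restricted           off the office network (e.g. the doctor at home)
    restricted-mismatch  on an office network but no recent badge-in; the
                         view is restricted and the case is worth a look"""
    on_net = from_office_network(source_ip)
    on_site = badged_in(employee_id, now)
    if on_net and on_site:
        decision, allowed = "full", FULL_VIEW
    elif on_net:
        decision, allowed = "restricted-mismatch", RESTRICTED_VIEW
    else:
        decision, allowed = "restricted", RESTRICTED_VIEW
    return decision, set(requested_fields) & allowed
```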

On whether IT identity management specialists use data from physical access control systems:

It really depends on the organization. If the organization treats everything as silos, they probably won't do anything with the data. But if the organization is really looking at how to best leverage that information and be more secure, more responsive to audits, they'd view that as, hey here's another great source of information.... It really depends on how much the CIO is driving the organization to get better synergies across his silo teams.

I'm seeing an increased level of interest around the enterprise SSO...as a very good example of where I'm starting to see more of that come together this year.

On the importance of the "second factor" as physical and logical identities converge:

It becomes very, very important you ensure you really know who the person is. Having two factors is very good. Technically you could have it such that someone swipes the badge and that's the only credential they need, but you wouldn't want to do that obviously because if someone drops their badge, then their identity is just getting walked around by someone else. So you always have a second factor, a PIN or a password or something.

On the proliferation of "second factor" authentication technologies and methods:

I see a wide number of options for customers and I haven't seen a convergence down to this one technology, this one vendor, is going to win. So we end up integrating with a lot of different vendors as a result.

You'll also see that will vary by sector, like healthcare, there's a lot of usage of badges there...it'll also vary by geography: we see different vendors in Europe than we do in the US. It's a market that's been around a long time, but there are still an awful lot of competitors. I think we'll see some nice evolutions in price points as well as types of technology people can leverage.

# # #

Query: Who is leading identity management efforts in your enterprise? Are the capabilities of physical security systems included in IAM discussions?