3rd day this week I’m attending a conference at the Hilton, this being one of those sit down breakfast events. The first speaker, Danny Ilic, did a fantastic presentation on why IAM is becoming important, and why IAM is not a 30 day project. I must say given the numbers and timeframe he mentioned it seems as if my implementation has gone pretty well so far, but there’s always more work to be done.

Patrick Mclaughlin presented Oracle’s vision of end-to-end security, or “here’s the Oracle products to use to implement a security architecture in your company”. Good presentation, and as expected, a lot of Oracle promotion in there.

Although both presenters were good, especially Danny, I still left the event feeling robbed. I expected to hear why I should drop every single other IAM product suite and use Oracle’s because of the following ground breaking product features you’ll ONLY find in the Oracle tools. Instead I heard the same basic conceptual principles of IAM and why I need to do it and how I should go about it – aboslutely nothing mentioned about Oracle’s IAM features and benefits.

Given that there is still so much confusion in the IAM space Oracle clearly meant to educate and influence potential customers as to the need to roll out an IAM project as opposed to doing a full blown promotion of their IAM suite. Perhaps that’s why they supplied a CD filled with white papers and demos along with the addicitive mints…

• US laws being introduced that assigns responsibility to companies in the event of data theft. One of the trends stemming from this would be keeping a reduced identity footprint.
• RBAC is becoming quite the trend. This is clearly an abstraction layer aimed at providing greater agility in an Identity and access management system. To me this loosely translates to entitlements in Novell speak – something I’ve built in from day 1.

One topic I was ‘introduced’ to today that has been lingering in my mind for the last while and which was perfectly brought to life today was the concept of end-to-end architecture. My primary interest being using security events from your authentication systems (a user swiping their access card at the building entrance) and using these as triggers to disable the specific user’s accounts until that user enters the building again.

This is very fine grained access control utilizing the IDM infrastructure but delivering very concrete benefits. Combining physical access control with your digital access control systems provides the complete end-to-end solution which eliminates the majority of potential security breaches (e.g. hijacking an unlocked PC when the user leaves their desk)

Another very interesting discussion today was using the IDM synchronization engine to administer business specific attributes which you won’t traditionally find in the classic IDM attribute set. Personally I’ve refused this practice as users are very quick to request something like this once they realize the efficiencies of a successful IDM implementation. I believe you’ll have to decide for yourself how far you want to go given your existing business application solution, but once your security events become input and triggers for business events then the line becomes very gray indeed.

There were quite a few delegates from Africa at the conference, and it was extremely interesting to hear the challenges faced by these private companies and government IT departments. Of particular interest was a discussion of the Botswana government, who also doubles as an ISP for all government institutions (schools included). You can only imagine how complicated the solution becomes with implementing identity and access management across such a distributed model.

It was obvious from today that a lot of people and companies are talking about doing IDM, but there are very few instances where a company has walked a 2 -3 year path with IDM and are willing to share the lessons learned. I had a few discussions with people who are investigating IDM and it’s clearly a chaotic landscape of new jargon and massive infrastructure which very few newcomers have managed to get their heads around. I’d guess that there are probably only just over a handful proper IDM solutions in South Africa at this point in time, but it’s growing and people are waking up to the need they all have but just didn’t quite know – yet…