{"id":1214,"date":"2012-06-13T09:57:32","date_gmt":"2012-06-13T17:57:32","guid":{"rendered":"\/?p=1214"},"modified":"2012-06-14T00:14:28","modified_gmt":"2012-06-14T08:14:28","slug":"governance-is-key","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=1214","title":{"rendered":"Governance is key"},"content":{"rendered":"<p>I want\u00a0to return to <a href=\"http:\/\/blog.talkingidentity.com\/2012\/06\/how-do-governance-controls-fit-into-idmaas.html\">Nishant&#39;s concerns <\/a>with the way I&#39;ve presented IdMaaS:<\/p>\n<blockquote><p>What I was surprised to find missing from Kim\u2019s and Craig\u2019s discussion about IdMaaS were the <strong>governance controls<\/strong> one needs in identity management (and therefore IdMaaS) \u2013 like approval workflows, access request and access recertification. In other words, those crucial business tools in identity management that have led many analysts and vendors (including me) to repeat on stage many, many times that \u201cIdentity Management is about process, not technology\u201d. 
And this is the part that makes identity management, and therefore IdMaaS, really hard, as I alluded to in my talk about \u2018<a href=\"http:\/\/bit.ly\/8XWmrl\" target=\"_blank\">Access Provisioning in a Services World<\/a>\u2019 at Catalyst a couple of years ago.<\/p><\/blockquote>\n<p>Let me begin by saying <em>I agree completely with Nishant about the importance of governance<\/em>.\u00a0 In fact, in <a href=\"\/?p=1205\">my first blog<\/a> about IdMaaS I highlighted two fundamental aspects of IdMaaS and digital identity:<\/p>\n<ul>\n<li style=\"padding-left: 30px;\">confidential auditing; and<\/li>\n<li style=\"padding-left: 30px;\">assurance of compliance.<\/li>\n<\/ul>\n<p>I also agree with him on the urgent requirement for &#8220;approval workflows, access request and access recertification.&#8221;\u00a0 I believe we need identity and access process control.<\/p>\n<p>I&#39;m therefore surprised about the confusion on whether or not I think governance is important, but I&#39;m glad to get\u00a0this cleared up right at the beginning.<\/p>\n<p>Let me explain what I had in mind as a way to achieve some depth in\u00a0this discussion.\u00a0\u00a0It seemed to me we need to\u00a0decompose\u00a0the overall service capabilities,\u00a0rather than trying\u00a0to discuss &#8220;everything simultaneously&#8221;.\u00a0\u00a0I started by\u00a0trying to talk about the IdM models that have led us to the current point in time,\u00a0in order\u00a0to set\u00a0the stage for\u00a0the exploration of\u00a0the new emerging model of\u00a0Identity Management as a Service and its capabilities, as illustrated\u00a0in this graphic:<\/p>\n<table border=\"0\" align=\"center\">\n<caption><em>Composable capabilities of IdMaaS<\/em><\/caption>\n<tbody>\n<tr><td><img style=\"vertical-align: baseline;\" src=\"\/wp-content\/images\/2012\/06\/IdMAAS_Capabilities.jpg\" alt=\"Composable capabilities of IdMaaS\" \/><\/td><\/tr>\n<\/tbody>\n<\/table>\n<p>Now\u00a0my\u00a0point here is not to argue that\u00a0this graphic captures 
all the needed IdMaaS capabilities &#8211; it&#39;s\u00a0very much\u00a0a work in progress.\u00a0\u00a0It is simply that,\u00a0when you look at\u00a0the whole landscape,\u00a0you see\u00a0there are a number of areas that warrant real discussion in depth&#8230;\u00a0\u00a0My conclusion was that we will\u00a0only succeed at this\u00a0by\u00a0looking at\u00a0things <em>one at a time.<\/em><\/p>\n<p>The point can be made, and perhaps this is what Nishant\u00a0was saying, that governance\u00a0applies to everything.\u00a0 I accept that this is true, but\u00a0governance can still be factored out for purposes of discussion.\u00a0 I think\u00a0we&#39;ll achieve more\u00a0clarity if that&#39;s what we do.\u00a0 For one thing, it means we can dive more deeply into governance itself.<\/p>\n<p>Let me know if this decompositional approach seems wrong-headed and we should just have a free-for-all where we discuss everything as it relates to everything else.\u00a0 I agree that this can be interesting too.<\/p>\n<p>That said, I want to take up some of the points Nishant makes\u00a0when talking\u00a0about governance in the Domain Identity Model.<\/p>\n<blockquote><p>In&#8230; \u2018<a href=\"http:\/\/ow.ly\/bmvLq\" target=\"_blank\">Identity management before the cloud (part one)<\/a>\u2019, Kim says \u201cIn the domain paradigm identity management was thought to be the CRUD and little more.\u201d But that is not true. What made identity management so hard and expensive was the need to supplement the CRUD features with a governance layer that included policy and process to manage over the entirety of the identity management infrastructure. The responsibility for this was early on thrust upon the provisioning products like <em>Thor Xellerate<\/em> and <em>Waveset<\/em>, and later on spawned more specialized handling in IAG products like <em>Sailpoint<\/em> and <em>Aveksa<\/em>. 
Kim alludes to these when he says \u201cA category of Identity Management integration products arose \u2026 often brittle point products and tools that could only be deployed at high cost by skilled specialists\u201d. That\u2019s accurate, but not because they were pointless or overhead or overkill. These products were difficult to deploy and needed customization because it wasn\u2019t well understood how to introduce the controls needed in IAM in a manner that was practical and usable. And it was always assumed that every customer would demand unique business processes, so the approach was a toolkit approach rather than a solution approach.<\/p><\/blockquote>\n<p>Reading this, I hold even more strongly than before to\u00a0the statement that the Domain Model was about CRUD and absolute control by\u00a0The Domain.\u00a0 The\u00a0fact that\u00a0businesses <em>required<\/em> governance is historically true but doesn&#39;t change\u00a0the way\u00a0Domains were conceptualized, built and sold <em>by everyone in the industry<\/em>.\u00a0 So I agree with Nishant about the importance of governance but don&#39;t think this changes the essence of what domains actually were.<\/p>\n<p>For at least several\u00a0decades, computer governance was provided\u00a0as\u00a0an outcome\u00a0of\u00a0security analysts\u00a0configuring domain-based systems to implement\u00a0a variety\u00a0of well-known techniques (physical security, separation of duties, multiple approvers and the like) in order to\u00a0satisfy business objectives and comply with the normative standards prevalent in their industries and national\u00a0or geographical jurisdictions.<\/p>\n<p>I&#39;m sure many of us\u00a0witnessed the calisthenics of colleagues in banks and\u00a0financial institutions, who, as security officers,\u00a0figured out how to use mainframes and LANs in both their nascent and more evolved forms to be effective at this.\u00a0 I know I used to marvel at some of what they 
accomplished.<\/p>\n<p>We are\u00a0talking about a time when\u00a0governance wasn&#39;t synonymous with government regulation. Governance\u00a0was more or less orthogonal to the way products were built by the industry.\u00a0 Domain products could be used in ways that accorded with\u00a0asset protection\u00a0requirements if the right expertise was present to set the systems up to achieve these ends.\u00a0 And on a pessimistic note, has so much really changed in this regard since then?<\/p>\n<p>Many\u00a0of the provisioning concepts that appeared in products like Waveset and Xellerate appeared earlier in products like ZOOMIT VIA and\u00a0Metamerge.\u00a0 But those, like Waveset, Xellerate and Aveksa, were actually, in my view, &#8220;post-domain&#8221; products\u00a0that attempted a holistic solution working across product boundaries.<\/p>\n<p>Still, while being post-domain in some ways (e.g. meta), they\u00a0continued to\u00a0require\u00a0extensive manual\u00a0intervention by\u00a0security experts to coax\u00a0&#8220;compliant&#8221; behaviors out of them, and this intervention was embodied in detailed configurations and scripts dependent on the behaviors of the underlying products.\u00a0 This\u00a0meant they were often fragile:\u00a0 if the underlying products were upgraded,\u00a0for example, they might no longer be compatible with the framework intended to manage them.<\/p>\n<p>Nishant goes on to say,<\/p>\n<blockquote><p>And an IdMaaS architecture as alluded to by Kim and illustrated by Craig in <a href=\"http:\/\/bit.ly\/KdRjgV\" target=\"_blank\">this diagram<\/a> just makes the solving of this problem more difficult and even more critical due to the zero trust environment. 
Since the identities have not been created and are not controlled by the organization that needs to make the access decisions, approval and review controls become even more important because they\u2019re all the enterprise has. The ability to de-provision access based on events or manual intervention becomes a crucial component of access lifecycle management. These are the safety measures the organization needs to put in place for security and compliance.<\/p><\/blockquote>\n<p>I agree that the ability to de-provision is key; in fact it is central to what we\u00a0will be\u00a0delivering.\u00a0 On the other hand,\u00a0Nishant&#39;s\u00a0conclusion that &#8220;the [IdMaaS] architecture&#8230; just makes the solving of this problem more difficult&#8230; due to the zero trust environment&#8221; is, I think, absolutely unfounded.\u00a0 As I will show when we go through the requirements for IdMaaS, Trust Frameworks are a necessity, and I know of few Trust Frameworks that are based on &#8220;zero trust&#8221;.<\/p>\n<p>There is\u00a0a bit\u00a0too much flailing at\u00a0paper tigers\u00a0for me to take all of this apart in a single post. 
\u00a0Let&#39;s take a deep breath and delve systematically both into requirements and the\u00a0details of what is being proposed in WAzAD.<\/p>\n<p>\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#39;m surprised about the confusion on this, but glad to get it cleared up right at the beginning.<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2,86,87],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1214"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1214"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1214\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1214"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1214"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1214"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}