Netweaver IdM Connector Development Kit

In the middle of September SAP began its push for certified solutions to increase the number of connectors for NW IdM.  This is the latest “integration scenario.”  Sometimes I think that SAP sets the standard for clunky phrases and naming conventions.  They are looking for partners and developers to increase the number of connectors.  The best part of this is that you get to pay for the privilege of improving their product.

And there is an additional “ONE TIME OFFER” from SAP: Every company that signs a certification agreement in the category “NW-IDM-CON” before December 31st, 2010 will receive a 20 percent discount on the certification fee.

At least you are getting the certification discount; I suppose you can then sell your connector to others after achieving certification. I wonder how many “uncertified” connectors will start to circulate that people will write for their own use. At times it seems that SAP is entirely driven by revenue generation. I can’t help but wonder how much better off they would be if they actually encouraged a vibrant developer community.

I haven’t had a chance to review the kit yet, but having worked on custom jobs under 7.0, I can say the documentation has to be better than just Javadocs.

Central Control System Risk

Whenever we have a system whose function is to provide better risk management or security, that system itself will have a control element. These systems can be attacked and the service they provide disabled.

Take, for example, a network intrusion detection system: is the control console system protected? Is the back end database on its own server, or is it part of a shared environment? Are the updated signatures delivered over a private physical network, or at least a separate VLAN? Are the administrators themselves audited periodically?

What I have seen many times is that the worst security in a company is on the security group’s control systems. Not because the security group is lazy or incompetent, but because they simply do not have the resources to adequately safeguard their own systems. They are assigned additional duties without additional personnel, or it was left out of the budget. It can happen to the best. There have been numerous luminaries in the information security field who have been hacked. Sometimes earning a living takes all your time and there is nothing left for securing your own systems.

If you cannot afford to add the correct number of internal personnel for your Identity Management Solution, Intrusion Detection System, Content Filtering Software, etc., you should contract someone who can, and then audit them regularly.

SailPoint Overview Part II

SailPoint began their product with a governance model instead of starting with provisioning. I think this gives the product a distinct advantage. Rather than being focused entirely on a select group of technical employees and making their lives easier, they instead focused on the business initially, and now they are bringing in provisioning elements. It is much harder to bolt re-certification and role analysis onto an existing product than to add provisioning. I also like their approach to role management, which is both top down and bottom up. As has been pointed out by Gregory in this post, just doing bottom up role mining is a mistake, since many people have access they never use. In the next couple of blog posts I will highlight some specific features of the product.
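To make the bottom-up role mining point concrete, here is an added illustration (my own example code, not SailPoint’s or IdentityIQ’s). It runs a naive bottom-up miner that clusters users by the entitlements they currently hold, then runs the same miner after discarding entitlements that never appear in a constructed access log. The users, entitlement names and log lines are all made up for the example.

```python
"""Bottom-up role mining with and without usage data (constructed example)."""
from collections import defaultdict

# Constructed sample: user -> entitlements currently assigned in the target system.
# alice and bob were granted hr_payroll_run long ago and never use it.
ENTITLEMENTS = {
    "alice": {"ap_invoice_view", "ap_invoice_approve", "hr_payroll_run"},
    "bob":   {"ap_invoice_view", "ap_invoice_approve", "hr_payroll_run"},
    "carol": {"ap_invoice_view", "ap_invoice_approve"},
    "dave":  {"hr_payroll_run", "hr_employee_edit"},
    "erin":  {"hr_payroll_run", "hr_employee_edit"},
}

# Constructed access log for the review window, one "user entitlement" per line.
ACCESS_LOG = """\
alice ap_invoice_view
alice ap_invoice_approve
bob ap_invoice_view
bob ap_invoice_approve
carol ap_invoice_view
carol ap_invoice_approve
dave hr_payroll_run
dave hr_employee_edit
erin hr_payroll_run
erin hr_employee_edit
"""


def parse_usage(log_text):
    """Return user -> set of entitlements actually exercised in the log."""
    used = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, entitlement = line.split()
        used[user].add(entitlement)
    return dict(used)


def mine_roles(user_entitlements, min_members=2):
    """Naive bottom-up mining: users with an identical entitlement set form a
    candidate role, kept only if at least min_members share it."""
    groups = defaultdict(list)
    for user, ents in user_entitlements.items():
        if ents:  # a user with nothing left to group on contributes no role
            groups[frozenset(ents)].append(user)
    return {ents: sorted(users) for ents, users in groups.items()
            if len(users) >= min_members}


def unused_entitlements(user_entitlements, used):
    """Entitlements each user holds but never exercised (dormant access)."""
    result = {}
    for user, ents in user_entitlements.items():
        dormant = ents - used.get(user, set())
        if dormant:
            result[user] = dormant
    return result


def mine_roles_with_usage(user_entitlements, used, min_members=2):
    """Same miner, but dormant entitlements are dropped first so roles are
    built from access people demonstrably need rather than access they have."""
    trimmed = {user: ents & used.get(user, set())
               for user, ents in user_entitlements.items()}
    return mine_roles(trimmed, min_members)


if __name__ == "__main__":
    usage = parse_usage(ACCESS_LOG)
    print("naive roles:", mine_roles(ENTITLEMENTS))
    print("dormant access:", unused_entitlements(ENTITLEMENTS, usage))
    print("usage-aware roles:", mine_roles_with_usage(ENTITLEMENTS, usage))
```

The naive pass produces an accounts-payable role that also carries hr_payroll_run, simply because the two users who never touch payroll still hold it, and carol ends up with no role at all. Once dormant entitlements are removed, all three AP users fall into one role without payroll access, which is the kind of result a top-down review would have expected from the start.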

The Threat is Consistent

Those who wish you ill or would gladly steal from you care little about the global economic downturn. They are not sending out fewer exploits as attachments to spam, and they have not stopped looking for ways to transfer money from your bank account or use your office PCs as zombies. When money is tight you need to defend yourself intelligently. Your number one priority should be keeping your software patched. Your second priority should be scanning any externally facing web applications for common vulnerabilities. If you don’t have the skills, hire someone who does. Finally, take the time to educate your employees on safe computing practices. Again, if you lack the skill, bring in a professional trainer.

How Much Security is Enough?

How secure is your company? Are you spending too much or not enough on security? How would you know? We don’t have 1,000 years of statistical data to build orderly models with nice normal distributions (if in fact that is the underlying distribution, which is most likely not the case).

Much of what is spent is to fix an irritation or meet a regulation. I know a company that first introduced anti-virus into the enterprise because the CEO was angry at all the emails that filled his inbox due to an email virus. In this case it was purely reactive. When I was a senior security analyst inside a large multinational, we were able to go three straight years without a worm or email virus getting into our network. This was at a time when Microsoft vulnerabilities were a constant cascade and Microsoft responded to everything released on Bugtraq like it was a malicious lie. We managed this on a relatively small budget and a user base with admin access over their local machines. It is possible to have tight security without spending a fortune. Despite this, I knew we were not spending enough on security because we had little to no defense against the insider threat. The best defense against the insider threat is an ethical corporate culture and good hiring practices, an area often overlooked. Of the triad in security, prevention, detection and cleanup, prevention is frequently the most expensive when using technology. Prevention is a lot cheaper if you don’t hire losers in the first place, or if you don’t build up resentment by stealing from your employees with understaffed teams, overworked associates and no bonuses except for the C suite.

At this point, lacking a wealth of statistical data, most companies can’t say if they are spending too little or too much unless they ask an outside expert. If they ask the question inside the company, they will most likely get the answer weighted for self preservation, if they are asking at all.

SailPoint IdentityIQ Quick Overview

I had the opportunity, courtesy of CTI, to train on the SailPoint IdentityIQ product. I was impressed with the thoroughness of the product. They are not narrowly focused but offer the means of nailing down your application identity certifications while ensuring segregation of duties and least privilege. This product covers the enterprise and is not just an IT ecosystem like SAP GRC. If I have a complaint, it is that it relies on too much XML when setting up an application. XML is nearly useless with its insistence that data must be modeled as 1:N. The brain may love hierarchies, but XML with all its tags and so little data makes hierarchies a headache to work with. Their developers seem to sense this too, because they have moved some areas around web services to JSON as opposed to SOAP, an approach I have had my fill of. If enterprise governance is a requirement for you, and you find yourself failing audits, be sure to check out SailPoint. <shameless plug>Then call Matt Pollicove (who blogs here from time to time) at CTI when you need help implementing.</shameless plug>

IdM Reader’s Choice Awards

Information Security Magazine Readers’ Choice awards are out. For Identity and Access Management it went Microsoft, IBM and RSA. I think if you asked professionals who have worked with more than one IdM product, you would get a markedly different response. In many cases readers vote, not based on actual experience, but with a “go with what you know” heuristic, that is, they vote on names they recognize. These kinds of votes are useful if you have to make a choice within 1-2 days. It’s a safe bet. If you actually have time to decide and evaluate, it would be malpractice.

The most accurate answer could be had by having people wager on the best product as measured against a set of metrics.  When people are asked to risk their own money, it becomes more than a trivial exercise.