CRN recently chaired a fascinating and lively discussion with industry experts on the challenges of establishing effective identity management in today’s increasingly mobile and boundless corporate environment.
But, as the panel discovered, IDM means different things to different people, and one of the more pressing issues for companies involved in this space is to establish meaningful parameters and definitions, so as to help organisations better understand their vulnerabilities as well as the opportunities to improve organisational processes and increase efficiency.
A key theme, of course, is mobility, as organisations try to manage the expectations of staff while ensuring that the right policies are in place to strike a balance between freedom and controls. Not only are staff demanding to bring their own devices, they are also now, in effect, bringing their own identities.
Our panellists also shared some interesting experiences about the relative advantages of deploying identity management solutions at greenfields or legacy sites, while the cloud provided an interesting sidebar, especially in terms of its potential to help smaller companies develop more cost-effective identity management solutions.
Michael Tuton, executive consultant, CGI
Richard Watson, sales director, Oracle A/NZ
Reno Maglitto, identity channel manager, Oracle A/NZ
Craig Maurel, national sales manager, Directory Concepts
Gabriel Haythornthwaite, joint managing director, Redcore
David Walker, Oracle solutions manager, ASG Group
Mark Sammut, practice director, Redcore
John Jones, director, Qubit Consulting
CRN: So Richard, this matter of IDM meaning so many different things to different people. Paint a picture of the current state of the industry for us and explain how companies should think about proceeding.
Richard: IDM is just getting more and more complex. There are drivers around mobility but also governance is a really big driver, information location, information storage. In terms of location, it’s not only about your own application access, but accessing third parties.
If we look at information and information security and identity management from the inside, we start with storage and location of that data and then access to it, and access to it from anywhere anyhow. And when you start asking questions about how to do that, the discussion becomes very, very interesting.
CRN: It’s interesting to consider the mobility challenge and the experiences of customers given that mobility has come upon us so quickly. Banks in particular have been quick off the mark, rolling out banking applications for portable devices and facing all the identity and security challenges that accompany something like that.
Richard: Yes, I think banking and finance has been a leader because they’ve been trying to offload costs for the last 15 or 20 years out of branch networking to the online world, and what we’re seeing now is a lot of catch-up where everyone needs to deal with the value via mobile and internet channels.
So the combination of both is really driving the market to actually deliver more valuable content. And there's now a need for high degrees of security associated with ensuring the integrity of not only data content, but of who is accessing it.
Reno: I think what’s interesting is that the ability to be able to push out in the environment through a mobile device is relatively easy. I think line-of-business would see it as something they can now control, without having to incorporate security – their own security divisions – into that effort. Of course they have to work towards controls and some governance in what they do, but I think most marketing departments, or lines of business, would have their own plans on how they can leverage or how they can plan to leverage mobility.
The question for all of us here is ‘are we seeing this with our customers?’ Are we seeing that we’re changing who we now need to talk to regarding mobility and security and compliance? Is that something that people are seeing? A change in the market in the people that we talk to?
John: We certainly have customers who are doing mobile. To date they’ve used custom solutions, cobbled on top of the older product range, but they’re certainly interested in going to [Oracle] R2 and leveraging all the newer stuff from R2. And we also find this is common with the guys thinking it’s not easy, and getting into the organisation is not quite so straightforward, but yes, there is a huge interest in mobile apps for sure, and social media integration as well.
Reno: So John what are some of the key difficulties that you’ve encountered with deploying mobile solutions?
John: One of the key ones from the mobile app itself is tapping into the back-end systems and making sure that they’ve got access to the right sorts of things, you know, through web services or whatever.
Quite often they’re presented through a portal of some sort with this wall of information, but there’s no convenient deployment behind that necessarily. So they need to do that to begin with and then having it secure, so there’s other challenges. There are people at that top end on mobile phones, so there’s that whole persistence thing, ‘remember me’ and on the local asset switch again is app management and ERP management and making sure the device itself is authorised to hold the API. So there’s another level of security there for sure.
CRN: Is it something that’s complex to charge and bill your customers for?
John: No, not really. From the organisations that we know are doing it, they don’t necessarily charge for the exercise. There are some things to help paying customers I guess, but it’s just adding some emphasis on top. It’s another way of getting the information of the sorts of things that you might want to. More and more people are using mobile devices for that sort of thing, rather than the web anyway. Unless they do it they can fall behind.
David: I think that we’re getting customers coming from a number of different and sometimes surprising angles with requirements for mobility. We are working with an education body, and they want to simplify everything. We were thinking in terms of giving parents a better way to tell the school that their kids are sick or whatever.
Currently they can SMS, email or call through the CRM channels, but what we found was that schools and parents don’t want to do that. They want to get on the iPhone app, so you know they’re ahead of us.
CRN: Reno, you recently noted a rather startling statistic from Trend Micro, which states that 40 percent of organisations that have initiated BYOD policies have had some kind of security breach. That’s quite astounding.
Reno: It is really. I think the IT department is playing catch-up with the actual business leading the charge in terms of how people now wish to consume IT.
This is the opportunity for partners to go in and make the environments more secure. The question for the partners here is ‘are we seeing mobility show up more in risk reviews in areas where people have failed particular audit reviews?’
Gabriel: I think certainly that our clients are aware of it as a risk factor. I haven’t personally seen any breaches due to the inappropriate adoption of mobility solutions, but I think if you look at our clients, the drivers there are simply that it has gone from something that it would be nice to have, to something which is a must-have.
Initially people thought of it as something we just do to appease Gen Y, we’ve got to adopt it, because that’s what some of our younger, trendier customers are doing. But they’re saying out there ‘we actually need this for our business transactions’. It’s a must-have and everyone wants to have a solution.
Even in federal government we have done some more in that sector and I think that adoption there is primarily about bringing transactions online that were simply not online before. In my experience it’s been a big driver to uptake.
Reno: I think the challenge that we’re going to be faced with is like the access control that we should have had in the 90s where, when people were developing an application, they would invent security controls within the app. I think it’s the same with mobility. As people are working on their mobility strategy, we don’t want them to be building their own security strategy for that particular part of the business, or that particular project. I think we need to guide them down the path of plugging in to the enterprise strategy.
Richard: The abstracted security outside your standard applications stack, or your network stack, or your Active Directory stack, is critical.
Mobility will only work if you can leverage the same understanding and same profile and mission base of your individual users, whether they be internal users or external users – being able to manage them in an online world is becoming more and more difficult. Unless you actually can build policy and structure around that, you will never be able to deliver the valuable content that you need.
Unless you’ve got the ability to actually understand the context of the user, or the customer, who they are, where they’re coming from, what their commission structure is, what value they have to you as a customer, you’re on the wrong track.
Talking about David’s example in education, whether they be students, a staff member, or combination of all, that is becoming really important, but also at the same time, really challenging for organisations to be able to deliver high value content.
Reno: John Jones, are you seeing your clients managing identity in that mobility space a little differently to how they’re managing identities for the rest of the corporation? Are we starting to see pockets of unique management types just for the mobility space?
John: Yes. People have different target customer bases depending on financial institutions, or telco or whatever it happens to be. They’ll have apps that are targeting specific subsets of the communities for users. They don’t want to put everything you can possibly do under the one app necessarily, so they are certainly thinking that here is a functionality that they want for convenience and also to take the pressure off their help desk or service reps.
David: So things like how they manage the users in their directory, and for vision and deeper vision, and just for basic identity management principles that we touch every day, are they being incorporated into the mobility parts of the business?
John: I’d say so. I mean most organisations move so slowly anyway. They just latch on to the lowest common denominator.
The security question is an interesting one though. I recently saw a customer do penetration testing for the first time with mobile apps. I think there was a trigger point there where it was a new thing for us to do and so they were told there might be a risk, and I’ve never seen them test their website.
But as soon as they raised the mobile app, the first thing that they wanted to do, because it was new and it was going to hit a big market was to do that. So I do see them driving more security testing.
Mark: We do quite a few things in the security industry generally, including security services for a couple of big banks. We get involved with their risk assessments and we’re starting to see small signs of mobility coming out, however it’s a pretty unsure market.
A long time ago there was a big move amongst the middle-tier companies whereby their applications were developed and managed according to different policy layers. I think we are seeing security starting to evolve in the same way. You manage it at a layer with policy and you have different policies for mobile and applications. I think we’re starting to see that. It’s slow going but I think that in probably the next two years we’ll be starting to see risk assessments coming out.
Now most major banks do penetration testing with absolutely everything. Now it’s the tiers outside that and below that, outside the financial sectors that don’t do that kind of thing - so I think risk will drive better security around it as well.
BYOD is of course driving this. Look at Qantas. Rather than provisioning people with laptops, they’re actually giving staff an allowance. That’s in line with what I see on Facebook and the social networks.
It’s about the person and people like to do whatever they want to do, and so I think that companies probably prefer to give an allowance anyway.
That’s where it’s going to get a big push in the next few years. We will see more devices with no SOE (standard operating environment) on them at all.
So, how security, and identity especially, is dealt with in that case is really important, and that’s probably going to force a lot more change than just risk itself.
Reno: De-perimeterisation is really a huge driver. If there’s no perimeter, what do you do? The key thing is to protect the information, and focus on the controls, the governance around the information itself, and then the second part is to know who’s accessing it and build your governance around who they are and what they can do.
Mark: It’s a simple concept that’s so complex when you’re dealing outside a greenfields environment. But even in greenfields environments – say for large national infrastructure projects – you’re often still dealing with legacy thinking, legacy concepts and so forth.
But the key tenet is if there’s no perimeter and people can use whatever device, whatever access point they want, it really doesn’t matter. The key thing that you as an organisation need to focus on is the information itself because that’s your IP, whether it be banking transactions or education content, when you are delivering courses and creating courses, and if you’ve got a security structure around that, ‘who are they?’, and ‘who are your constituents?’ and ‘what can they do?’
It really becomes that simple. If you start focusing on who are they and what can they do, you start to appreciate the security necessity of identity, but also the apps that would deliver business value.
Reno: Michael, have you found it easier to bring value to that client around buying a security policy and governance and solutions? Because actually most of the customers we have that have been in business for many years would say that there is a level of complexity in adopting these technologies, because they’ve got a lot of old systems, and a lot of old processors, but where you’ve got a large account that is greenfield, have you found it easier to do a lot of the things that we’ve been talking about?